[Buildroot] [PATCH v5 00/24] SELinux Buildroot Additions

[Buildroot] [PATCH v5 00/24] SELinux Buildroot Additions

[Clayton Shotwell]

### Highlevel updates in v5 of these patches
* Creation of a common selinux board files folder
* Cleanup of custom patchwork with additional description on
  upstream status
* Removed python-pyxml package
* Reworked audit patches
* Many musl and uclibc build failure and path poisoning fixes


### What's SELinux?

Security-Enhanced Linux (SELinux) is a Linux feature that provides
a variety of security policies, including U.S. Department of Defense
style mandatory access controls (MAC), through the use of Linux
Security Modules (LSM) in the Linux kernel. It is not a Linux
distribution, but rather a set of modifications that can be applied
to Unix-like operating systems, such as Linux and BSD.

Running SELinux under a Linux distribution requires three things:
An SELinux enabled kernel, SELinux Userspace tools and libraries,
and SELinux Policies (mostly based on the Reference Policy). Some
common Linux programs will also need to be patched/compiled with
SELinux features. (Credit Archlinux wiki)

### What's in this patchset?

This patchset adds the required userspace tools, libraries, example
QEMU target, existing package modifications, and initial policy
to Buildroot.
The design approach took a minimalist view to the selinux capability.
The necessary packages have been added but all the ways in which they
could be used (target vs host) are not exposed. One example is
the audit2allow framework that requires python. This is currently
setup for "host only use" to post analyze audit service output. It
could also be setup for target use but it would require the target
to have python and other supporting libs present.
Another aspect that utilized known SELinux capable applications
was for init and logging. We choose to use sysvinit and rsyslog
instead of the busybox applet version. This simplified getting
this initial configuration pulled together.
Lastly, the building of libselinux was limited to a set of
architectures and libraries that have been tested. An area for
future work will be to enable broader use.

Some references to help with the review of this patchset.
Arch and Gentoo implementation and design details:
  https://wiki.archlinux.org/index.php/SELinux
  http://wiki.gentoo.org/wiki/SELinux
  http://wiki.gentoo.org/wiki/SELinux/Installation

### Details of changes from previous patchsets

This is a new round of patches based on the v5 patchset from
last year. The changes since v4 consist of:
 * The removal of on target policy debugging using audit2allow.
   The host tools have been setup to provide offline capability
   for analyzing audit output.
 * The example qemu configuration defaults to using full versions
   of applications instead of the busybox applets. This simplified
   the configuration but as a side effect grew the filesystem size.
   There is definitely opportunity to slim down the approach to
   just using busybox applets (I've still included the patches
   that enable the capability to create individual applets).
 * Added documentation of the qemu target to that targets readme
 * Updated for structural changes (OPTS vs OPT, patch naming,
   improvements to existing packages)
 * Autobuilder was modified to run against our upstreaming
   branch and has has logged a couple weeks of builds and almost
   all of the issues are resolved against the current upstream.

Since Refpolicy is heavily tailored for a projects use, the
package exposed options of using the provided version with
patches or a custom GIT repo. Here's a bit more detail on
those assumptions.
  * Refpolicy as the package defines with default patches
    plus possibly some global patches applied. Using a default
    modules config file provided in the package folder or
    provided by the user.
  * Refpolicy looking at specific git repo revisions. Using a
    modules config file from within that git repo.
  * Repolicy using src override which assumes the same as the
    git repo case for where the modules config file originates.

### What's next:

* Testing out support for using busybox applets instead of
  sysvinit/util-linux/etc.
* qemu targets for ARM and PPC


Clayton Shotwell (6):
  sepolgen: new package
  refpolicy: new package
  qemu x86 selinux: base br defconfig
  squashfs: Add xattr support
  mtd: Add xattr support
  cpio: new package

Matt Weber (18):
  sqlite: Add host build support
  setools: new package
  python-pyparsing: Add host build option
  audit: new package
  policycoreutils: new package
  busybox: applets as individual binaries
  busybox: selinux support
  linux-pam: selinux support
  busybox: added linux-pam support
  sysvinit: added libselinux dependency
  dbus: selinux file context support
  openssh: selinux and pam support
  util-linux: selinux, audit, and pam support
  vim: selinux support
  rsyslog: fix config file comment style
  qemu x86 selinux: added common selinux support files
  libsemanage: cleanup python use and license definition
  bash: added option to disable locale support

 board/common_selinux/busybox-selinux.config        | 1058 ++++++++++++++++++++
 board/common_selinux/post_build.sh                 |   30 +
 .../common_selinux/skeleton/etc/audit/auditd.conf  |   32 +
 .../skeleton/etc/audit/rules.d/audit.rules         |    3 +
 board/common_selinux/skeleton/etc/fstab            |   15 +
 board/common_selinux/skeleton/etc/inittab          |   29 +
 board/common_selinux/skeleton_permissions.txt      |   26 +
 board/qemu/x86/linux-4.0-selinux.config            |   77 ++
 board/qemu/x86/readme.txt                          |   17 +
 configs/qemu_x86_selinux_defconfig                 |   67 ++
 package/Config.in                                  |    9 +
 package/Config.in.host                             |    1 +
 package/audit/0001-Enable-cross-compiling.patch    |  773 ++++++++++++++
 package/audit/0002-Remove-zos-remote-plugin.patch  |   54 +
 ...03-Default-ADDR_NO_RANDOMIZE-if-not-found.patch |   44 +
 ...004-Do-not-call-posix_fallocate-on-uClibc.patch |   45 +
 ...fix-header-detection-when-cross-compiling.patch |   46 +
 package/audit/Config.in                            |   17 +
 package/audit/S01auditd                            |  169 ++++
 package/audit/audit.hash                           |    2 +
 package/audit/audit.mk                             |   47 +
 package/bash/Config.in                             |   10 +
 package/bash/bash.mk                               |    9 +
 ...s-Add-installation-of-individual-binaries.patch |  103 ++
 ...ags-strip-non-l-arguments-returned-by-pkg.patch |   28 +
 package/busybox/Config.in                          |   15 +
 package/busybox/busybox.mk                         |   58 ++
 package/cpio/0001-stdio.in.patch                   |   19 +
 package/cpio/0002-CVE-2014-9112.patch              |  218 ++++
 package/cpio/0003-testsuite-CVE-2014-9112.patch    |   36 +
 .../0004-check_for_symlinks-CVE-2015-1197.patch    |  158 +++
 package/cpio/0005-stat.patch                       |   31 +
 package/cpio/Config.in                             |    6 +
 package/cpio/Config.in.host                        |    6 +
 package/cpio/cpio.mk                               |   13 +
 package/dbus/S30dbus                               |    4 +
 package/dbus/dbus.mk                               |   14 +
 package/libsemanage/Config.in                      |   10 -
 package/libsemanage/libsemanage.mk                 |   54 +-
 package/linux-pam/linux-pam.mk                     |   58 +-
 package/linux-pam/system-auth.pamd                 |   15 +
 package/mtd/mtd.mk                                 |   15 +-
 package/openssh/openssh.mk                         |   16 +
 .../policycoreutils/0001-cross-compile-fixes.patch |  332 ++++++
 package/policycoreutils/Config.in                  |   53 +
 package/policycoreutils/policycoreutils.hash       |    2 +
 package/policycoreutils/policycoreutils.mk         |  107 ++
 package/python-pyparsing/python-pyparsing.mk       |    1 +
 package/refpolicy-contrib/Config.in                |   20 +
 package/refpolicy-contrib/refpolicy-contrib.mk     |   18 +
 .../0001-Fix-awk-references-to-use-variable.patch  |   42 +
 package/refpolicy/Config.in                        |   91 ++
 package/refpolicy/S00selinux                       |  136 +++
 package/refpolicy/config                           |    8 +
 package/refpolicy/modules.conf                     |  406 ++++++++
 package/refpolicy/refpolicy.hash                   |    2 +
 package/refpolicy/refpolicy.mk                     |  118 +++
 package/rsyslog/rsyslog.mk                         |    4 +
 package/sepolgen/sepolgen.hash                     |    2 +
 package/sepolgen/sepolgen.mk                       |   30 +
 package/setools/0001-cross-compile-fixes.patch     |  125 +++
 package/setools/Config.in                          |   25 +
 package/setools/setools.hash                       |    4 +
 package/setools/setools.mk                         |   85 ++
 package/sqlite/sqlite.mk                           |    1 +
 package/squashfs/squashfs.mk                       |   12 +-
 ...1-Fix-SELinux-compile-flags-and-libraries.patch |   44 +
 package/sysvinit/sysvinit.mk                       |    5 +
 package/util-linux/util-linux.mk                   |   27 +
 package/vim/vim.mk                                 |    7 +
 70 files changed, 5115 insertions(+), 49 deletions(-)
 create mode 100644 board/common_selinux/busybox-selinux.config
 create mode 100755 board/common_selinux/post_build.sh
 create mode 100644 board/common_selinux/skeleton/etc/audit/auditd.conf
 create mode 100644 board/common_selinux/skeleton/etc/audit/rules.d/audit.rules
 create mode 100755 board/common_selinux/skeleton/etc/fstab
 create mode 100755 board/common_selinux/skeleton/etc/inittab
 create mode 100755 board/common_selinux/skeleton_permissions.txt
 create mode 100644 board/qemu/x86/linux-4.0-selinux.config
 create mode 100644 configs/qemu_x86_selinux_defconfig
 create mode 100644 package/audit/0001-Enable-cross-compiling.patch
 create mode 100644 package/audit/0002-Remove-zos-remote-plugin.patch
 create mode 100644 package/audit/0003-Default-ADDR_NO_RANDOMIZE-if-not-found.patch
 create mode 100644 package/audit/0004-Do-not-call-posix_fallocate-on-uClibc.patch
 create mode 100644 package/audit/0005-fix-header-detection-when-cross-compiling.patch
 create mode 100644 package/audit/Config.in
 create mode 100644 package/audit/S01auditd
 create mode 100644 package/audit/audit.hash
 create mode 100644 package/audit/audit.mk
 create mode 100644 package/busybox/0002-applets-Add-installation-of-individual-binaries.patch
 create mode 100644 package/busybox/0008-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch
 create mode 100644 package/cpio/0001-stdio.in.patch
 create mode 100644 package/cpio/0002-CVE-2014-9112.patch
 create mode 100644 package/cpio/0003-testsuite-CVE-2014-9112.patch
 create mode 100644 package/cpio/0004-check_for_symlinks-CVE-2015-1197.patch
 create mode 100644 package/cpio/0005-stat.patch
 create mode 100644 package/cpio/Config.in
 create mode 100644 package/cpio/Config.in.host
 create mode 100644 package/cpio/cpio.mk
 mode change 100755 => 100644 package/dbus/S30dbus
 create mode 100644 package/linux-pam/system-auth.pamd
 create mode 100644 package/policycoreutils/0001-cross-compile-fixes.patch
 create mode 100644 package/policycoreutils/Config.in
 create mode 100644 package/policycoreutils/policycoreutils.hash
 create mode 100644 package/policycoreutils/policycoreutils.mk
 create mode 100644 package/refpolicy-contrib/Config.in
 create mode 100644 package/refpolicy-contrib/refpolicy-contrib.mk
 create mode 100644 package/refpolicy/0001-Fix-awk-references-to-use-variable.patch
 create mode 100755 package/refpolicy/Config.in
 create mode 100644 package/refpolicy/S00selinux
 create mode 100644 package/refpolicy/config
 create mode 100644 package/refpolicy/modules.conf
 create mode 100644 package/refpolicy/refpolicy.hash
 create mode 100755 package/refpolicy/refpolicy.mk
 create mode 100644 package/sepolgen/sepolgen.hash
 create mode 100644 package/sepolgen/sepolgen.mk
 create mode 100644 package/setools/0001-cross-compile-fixes.patch
 create mode 100644 package/setools/Config.in
 create mode 100644 package/setools/setools.hash
 create mode 100644 package/setools/setools.mk
 create mode 100644 package/sysvinit/0001-Fix-SELinux-compile-flags-and-libraries.patch

-- 
1.9.1

[Buildroot] [PATCH v5 01/24] sepolgen: new package

[Clayton Shotwell]

From: Clayton Shotwell <clshotwe@rockwellcollins.com>

Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
Changes v4 -> v5:
  - Fixed package name to be BR2_PACKAGE_HOST_SEPOLGEN (Suggested by
    Thomas P.)
  - No menu entry needed as host dependency aren't reflected in
    Config.in files (Suggested by Thomas P.)

Changes v3 -> v4:
  - Fixed Kconfig files, moved libsepol instead of sepolgen by
    mistake.

Changes v2 -> v3:
  - Moved Config.in to be Config.in.host as this package is now
    only used as a host dependency for the policycoreutils.

Changes v1 -> v2:
  - Moved make install install to the end of the command
  - Removed python kconfig depend since package just used for
    host building
  - Updated site to github
  - Handle Python 2 vs. Python 3 for the host package.
---
 package/sepolgen/sepolgen.hash |  2 ++
 package/sepolgen/sepolgen.mk   | 30 ++++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+)
 create mode 100644 package/sepolgen/sepolgen.hash
 create mode 100644 package/sepolgen/sepolgen.mk

diff --git a/package/sepolgen/sepolgen.hash b/package/sepolgen/sepolgen.hash
new file mode 100644
index 0000000..a377c66
--- /dev/null
+++ b/package/sepolgen/sepolgen.hash
@@ -0,0 +1,2 @@
+# https://github.com/SELinuxProject/selinux/wiki/Releases
+sha256 8a1c6d3a78c9b6ad3555c74def555f65a62950bf21c111c585bfc382fec3a645  sepolgen-1.1.9.tar.gz
diff --git a/package/sepolgen/sepolgen.mk b/package/sepolgen/sepolgen.mk
new file mode 100644
index 0000000..7c95866
--- /dev/null
+++ b/package/sepolgen/sepolgen.mk
@@ -0,0 +1,30 @@
+################################################################################
+#
+# sepolgen
+#
+################################################################################
+
+SEPOLGEN_VERSION = 1.1.9
+SEPOLGEN_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20130423
+SEPOLGEN_LICENSE = GPLv2
+SEPOLGEN_LICENSE_FILES = COPYING
+
+ifeq ($(BR2_PACKAGE_PYTHON3),y)
+HOST_SEPOLGEN_DEPENDENCIES = host-python3
+HOST_SEPOLGEN_MAKE_CMDS = $(HOST_CONFIGURE_OPTS) \
+	PYTHONLIBDIR=/usr/lib/python$(PYTHON3_VERSION_MAJOR)/site-packages
+else
+HOST_SEPOLGEN_DEPENDENCIES = host-python
+HOST_SEPOLGEN_MAKE_CMDS = $(HOST_CONFIGURE_OPTS) \
+	PYTHONLIBDIR=/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages
+endif
+
+define HOST_SEPOLGEN_BUILD_CMDS
+	$(MAKE) -C $(@D) $(HOST_SEPOLGEN_MAKE_CMDS) DESTDIR=$(HOST_DIR)
+endef
+
+define HOST_SEPOLGEN_INSTALL_CMDS
+	$(MAKE) -C $(@D) $(HOST_SEPOLGEN_MAKE_CMDS) DESTDIR=$(HOST_DIR) install
+endef
+
+$(eval $(host-generic-package))
-- 
1.9.1

[Buildroot] [PATCH v5 01/24] sepolgen: new package

[Thomas Petazzoni]

Dear Clayton Shotwell,

On Wed, 13 May 2015 16:39:14 -0500, Clayton Shotwell wrote:

> Changes v4 -> v5:
>   - Fixed package name to be BR2_PACKAGE_HOST_SEPOLGEN (Suggested by
>     Thomas P.)

This contradicts...

>   - No menu entry needed as host dependency aren't reflected in
>     Config.in files (Suggested by Thomas P.)

.. this, no? :-)

> diff --git a/package/sepolgen/sepolgen.hash b/package/sepolgen/sepolgen.hash
> new file mode 100644
> index 0000000..a377c66
> --- /dev/null
> +++ b/package/sepolgen/sepolgen.hash
> @@ -0,0 +1,2 @@
> +# https://github.com/SELinuxProject/selinux/wiki/Releases
> +sha256 8a1c6d3a78c9b6ad3555c74def555f65a62950bf21c111c585bfc382fec3a645  sepolgen-1.1.9.tar.gz
> diff --git a/package/sepolgen/sepolgen.mk b/package/sepolgen/sepolgen.mk
> new file mode 100644
> index 0000000..7c95866
> --- /dev/null
> +++ b/package/sepolgen/sepolgen.mk
> @@ -0,0 +1,30 @@
> +################################################################################
> +#
> +# sepolgen
> +#
> +################################################################################
> +
> +SEPOLGEN_VERSION = 1.1.9
> +SEPOLGEN_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20130423
> +SEPOLGEN_LICENSE = GPLv2
> +SEPOLGEN_LICENSE_FILES = COPYING
> +
> +ifeq ($(BR2_PACKAGE_PYTHON3),y)
> +HOST_SEPOLGEN_DEPENDENCIES = host-python3
> +HOST_SEPOLGEN_MAKE_CMDS = $(HOST_CONFIGURE_OPTS) \
> +	PYTHONLIBDIR=/usr/lib/python$(PYTHON3_VERSION_MAJOR)/site-packages
> +else
> +HOST_SEPOLGEN_DEPENDENCIES = host-python
> +HOST_SEPOLGEN_MAKE_CMDS = $(HOST_CONFIGURE_OPTS) \
> +	PYTHONLIBDIR=/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages
> +endif
> +
> +define HOST_SEPOLGEN_BUILD_CMDS
> +	$(MAKE) -C $(@D) $(HOST_SEPOLGEN_MAKE_CMDS) DESTDIR=$(HOST_DIR)
> +endef
> +
> +define HOST_SEPOLGEN_INSTALL_CMDS
> +	$(MAKE) -C $(@D) $(HOST_SEPOLGEN_MAKE_CMDS) DESTDIR=$(HOST_DIR) install
> +endef
> +
> +$(eval $(host-generic-package))

This looks good to me. Any reason not to use the latest 1.2.2 version?

Thanks,

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com

[Buildroot] [PATCH v5 01/24] sepolgen: new package

[Clayton Shotwell]

Thomas,

On Mon, May 18, 2015 at 4:16 PM, Thomas Petazzoni
<thomas.petazzoni@free-electrons.com> wrote:
> Dear Clayton Shotwell,
>
> On Wed, 13 May 2015 16:39:14 -0500, Clayton Shotwell wrote:
>
>> Changes v4 -> v5:
>>   - Fixed package name to be BR2_PACKAGE_HOST_SEPOLGEN (Suggested by
>>     Thomas P.)
>
> This contradicts...
>
>>   - No menu entry needed as host dependency aren't reflected in
>>     Config.in files (Suggested by Thomas P.)
>
> .. this, no? :-)
>

Just a little bit. Funny how things tend to change over time.... ;)

>> diff --git a/package/sepolgen/sepolgen.hash b/package/sepolgen/sepolgen.hash
>> new file mode 100644
>> index 0000000..a377c66
>> --- /dev/null
>> +++ b/package/sepolgen/sepolgen.hash
>> @@ -0,0 +1,2 @@
>> +# https://github.com/SELinuxProject/selinux/wiki/Releases
>> +sha256 8a1c6d3a78c9b6ad3555c74def555f65a62950bf21c111c585bfc382fec3a645  sepolgen-1.1.9.tar.gz
>> diff --git a/package/sepolgen/sepolgen.mk b/package/sepolgen/sepolgen.mk
>> new file mode 100644
>> index 0000000..7c95866
>> --- /dev/null
>> +++ b/package/sepolgen/sepolgen.mk
>> @@ -0,0 +1,30 @@
>> +################################################################################
>> +#
>> +# sepolgen
>> +#
>> +################################################################################
>> +
>> +SEPOLGEN_VERSION = 1.1.9
>> +SEPOLGEN_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20130423
>> +SEPOLGEN_LICENSE = GPLv2
>> +SEPOLGEN_LICENSE_FILES = COPYING
>> +
>> +ifeq ($(BR2_PACKAGE_PYTHON3),y)
>> +HOST_SEPOLGEN_DEPENDENCIES = host-python3
>> +HOST_SEPOLGEN_MAKE_CMDS = $(HOST_CONFIGURE_OPTS) \
>> +     PYTHONLIBDIR=/usr/lib/python$(PYTHON3_VERSION_MAJOR)/site-packages
>> +else
>> +HOST_SEPOLGEN_DEPENDENCIES = host-python
>> +HOST_SEPOLGEN_MAKE_CMDS = $(HOST_CONFIGURE_OPTS) \
>> +     PYTHONLIBDIR=/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages
>> +endif
>> +
>> +define HOST_SEPOLGEN_BUILD_CMDS
>> +     $(MAKE) -C $(@D) $(HOST_SEPOLGEN_MAKE_CMDS) DESTDIR=$(HOST_DIR)
>> +endef
>> +
>> +define HOST_SEPOLGEN_INSTALL_CMDS
>> +     $(MAKE) -C $(@D) $(HOST_SEPOLGEN_MAKE_CMDS) DESTDIR=$(HOST_DIR) install
>> +endef
>> +
>> +$(eval $(host-generic-package))
>
> This looks good to me. Any reason not to use the latest 1.2.2 version?

Have not had time to test the latest versions. Would it be possible to
get the initial patch set merged in and then bump versions?

Thanks,
Clayton

Clayton Shotwell
Senior Software Engineer, Rockwell Collins
clayton.shotwell at rockwellcollins.com

[Buildroot] [PATCH v5 01/24] sepolgen: new package

[Thomas Petazzoni]

Dear Clayton Shotwell,

On Mon, 18 May 2015 16:30:35 -0500, Clayton Shotwell wrote:

> > This looks good to me. Any reason not to use the latest 1.2.2 version?
> 
> Have not had time to test the latest versions. Would it be possible to
> get the initial patch set merged in and then bump versions?

Yes, that's fine with me.

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com

[Buildroot] [PATCH v5 01/24] sepolgen: new package

[Thomas Petazzoni]

Dear Clayton Shotwell,

On Wed, 13 May 2015 16:39:14 -0500, Clayton Shotwell wrote:
> From: Clayton Shotwell <clshotwe@rockwellcollins.com>
> 
> Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
> ---
> Changes v4 -> v5:
>   - Fixed package name to be BR2_PACKAGE_HOST_SEPOLGEN (Suggested by
>     Thomas P.)
>   - No menu entry needed as host dependency aren't reflected in
>     Config.in files (Suggested by Thomas P.)

Applied to next, thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com

[Buildroot] [PATCH v5 02/24] sqlite: Add host build support

[Clayton Shotwell]

From: Matt Weber <matthew.weber@rockwellcollins.com>

Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>

---
Changes v4 -> v5:
  - No changes
---
 package/sqlite/sqlite.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/sqlite/sqlite.mk b/package/sqlite/sqlite.mk
index fff219a..aaf84fc 100644
--- a/package/sqlite/sqlite.mk
+++ b/package/sqlite/sqlite.mk
@@ -50,3 +50,4 @@ SQLITE_CONF_OPTS += --disable-readline
 endif
 
 $(eval $(autotools-package))
+$(eval $(host-autotools-package))
-- 
1.9.1

[Buildroot] [PATCH v5 02/24] sqlite: Add host build support

[Thomas Petazzoni]

Dear Clayton Shotwell,

On Wed, 13 May 2015 16:39:15 -0500, Clayton Shotwell wrote:
> From: Matt Weber <matthew.weber@rockwellcollins.com>
> 
> Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> 
> ---
> Changes v4 -> v5:
>   - No changes
> ---
>  package/sqlite/sqlite.mk | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/package/sqlite/sqlite.mk b/package/sqlite/sqlite.mk
> index fff219a..aaf84fc 100644
> --- a/package/sqlite/sqlite.mk
> +++ b/package/sqlite/sqlite.mk
> @@ -50,3 +50,4 @@ SQLITE_CONF_OPTS += --disable-readline
>  endif
>  
>  $(eval $(autotools-package))
> +$(eval $(host-autotools-package))

When adding a host package, it's always good to indicate which other
package will be using it so that it doesn't seem to be a useless change.

Thanks,

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com

[Buildroot] [PATCH v5 02/24] sqlite: Add host build support

[Clayton Shotwell]

Thomas,

On Mon, May 18, 2015 at 4:17 PM, Thomas Petazzoni
<thomas.petazzoni@free-electrons.com> wrote:
> Dear Clayton Shotwell,
>
> On Wed, 13 May 2015 16:39:15 -0500, Clayton Shotwell wrote:
>> From: Matt Weber <matthew.weber@rockwellcollins.com>
>>
>> diff --git a/package/sqlite/sqlite.mk b/package/sqlite/sqlite.mk
>> index fff219a..aaf84fc 100644
>> --- a/package/sqlite/sqlite.mk
>> +++ b/package/sqlite/sqlite.mk
>> @@ -50,3 +50,4 @@ SQLITE_CONF_OPTS += --disable-readline
>>  endif
>>
>>  $(eval $(autotools-package))
>> +$(eval $(host-autotools-package))
>
> When adding a host package, it's always good to indicate which other
> package will be using it so that it doesn't seem to be a useless change.

I can add a comment to the commit stating why the host support is being added.

Thanks,
Clayton

Clayton Shotwell
Senior Software Engineer, Rockwell Collins
clayton.shotwell at rockwellcollins.com

[Buildroot] [PATCH v5 02/24] sqlite: Add host build support

[Thomas Petazzoni]

Dear Clayton Shotwell,

On Mon, 18 May 2015 16:26:04 -0500, Clayton Shotwell wrote:

> > When adding a host package, it's always good to indicate which other
> > package will be using it so that it doesn't seem to be a useless change.
> 
> I can add a comment to the commit stating why the host support is being added.

Yes that is all what I'm asking for.

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com

[Buildroot] [PATCH v5 03/24] setools: new package

[Clayton Shotwell]

From: Matt Weber <matthew.weber@rockwellcollins.com>

Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>

---
Changes v4 -> v5:
  - Added dependency on libsepol (Matt W.)
  - Removed limitation of arch it could build for  (Matt W.)
  - Removed depends on GLIBC (Matt W.)
  - Consolidated python configuration (Ryan B.)
  - Removed swig (patch and enabling), it's only needed for
    graphical apol tool (Ryan B.)
  - Added comment to cross compile patch about not upstreaming.
    The package is stable and no updates/reworking since 2013.
    Currently a 4.0 version is in the works but is a major
    build infrastructure rework when compared to 3.3.x. (Ryan B.)
  - Added comments noting why autoreconf and not libtool patch
    (Suggested by Thomas P.)
  - Added comments explaining why python on host but not target
    (Suggested by Thomas P.)
  - Add a dependency on not static libs because libselinux requires not
    static libs. (Clayton S.)
  - Added licene info (Clayton S.)
  - Added depends on C++ (Matt W.)
  - Removed largefile dependency (Clayton S.)

Changes v3 -> v4:
  - No changes

Changes v2 -> v3:
  - Fixed kconfig menu as sepolgen removal removed initial menu
    entry to add to

Changes v1 -> v2:
  - Handle Python 2 vs. Python 3 for the host package.
  - Added hash file
  - Updated download site
---
 package/Config.in                              |   4 +
 package/setools/0001-cross-compile-fixes.patch | 125 +++++++++++++++++++++++++
 package/setools/Config.in                      |  25 +++++
 package/setools/setools.hash                   |   4 +
 package/setools/setools.mk                     |  85 +++++++++++++++++
 5 files changed, 243 insertions(+)
 create mode 100644 package/setools/0001-cross-compile-fixes.patch
 create mode 100644 package/setools/Config.in
 create mode 100644 package/setools/setools.hash
 create mode 100644 package/setools/setools.mk

diff --git a/package/Config.in b/package/Config.in
index af4d2b7..60d63c5 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1337,6 +1337,10 @@ menu "Real-Time"
 	source "package/xenomai/Config.in"
 endmenu
 
+menu "Security"
+	source "package/setools/Config.in"
+endmenu
+
 menu "Shell and utilities"
 comment "Shells"
 if BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
diff --git a/package/setools/0001-cross-compile-fixes.patch b/package/setools/0001-cross-compile-fixes.patch
new file mode 100644
index 0000000..1a4af0c
--- /dev/null
+++ b/package/setools/0001-cross-compile-fixes.patch
@@ -0,0 +1,125 @@
+Correct build issues to enable cross compiling.  These changes require the
+package to be auto reconfigured.
+
+These updates were not upsteamed as the 3.3.x version has stablized and they
+were only taking bug fixes.  Also the 4.0 preview has completely reworked
+the build infrastructure which will require this to be revisited.
+
+Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
+
+diff -urN a/configure.ac b/configure.ac
+--- a/configure.ac	2013-01-16 10:36:24.000000000 -0600
++++ b/configure.ac	2013-07-12 08:22:10.380255248 -0500
+@@ -448,8 +448,9 @@
+               sepol_srcdir="")
+ if test "x${sepol_srcdir}" = "x"; then
+    sepol_srcdir=${sepol_devel_libdir}
+-   AC_CHECK_FILE([${sepol_srcdir}/libsepol.a],,
+-      AC_MSG_ERROR([make sure libsepol-static is installed]))
++   if test ! -f ${sepol_srcdir}/libsepol.a; then
++      AC_MSG_ERROR([could not find precompiled libsepol.a])
++   fi
+ else
+    AC_MSG_CHECKING([for compatible sepol source tree])
+    sepol_version=${sepol_srcdir}/VERSION
+@@ -484,8 +485,9 @@
+    AC_CHECK_HEADER([sepol/policydb/policydb.h], , AC_MSG_ERROR([could not find sepol source tree]))
+    CFLAGS="${sepol_src_save_CFLAGS}"
+    CPPFLAGS="${sepol_src_save_CPPFLAGS}"
+-   AC_CHECK_FILE([${sepol_srcdir}/libsepol.a],,
+-      AC_MSG_ERROR([could not find precompiled libsepol.a]))
++   if test ! -f ${sepol_srcdir}/libsepol.a; then
++      AC_MSG_ERROR([could not find precompiled libsepol.a])
++   fi
+    sepol_devel_incdir="${sepol_srcdir}/../include"
+ fi
+ SELINUX_CFLAGS="-I${sepol_devel_incdir} -I${selinux_devel_incdir}"
+@@ -578,12 +580,13 @@
+                          [AC_LANG_SOURCE([
+ #include <sepol/policydb/expand.h>
+ int main () {
+-  return expand_module_avrules(NULL, NULL, NULL, NULL, NULL, 0, 0);
++  return expand_module_avrules(NULL, NULL, NULL, NULL, NULL, 0, 0, 0, 0);
+ }])],
+                          AC_MSG_RESULT([yes]),
+                          AC_MSG_ERROR([this version of libsepol is incompatible with SETools]))
+     fi
+     sepol_new_expand_boolmap="yes"
++    sepol_new_user_role_mapping="yes"
+ else
+     sepol_new_expand_boolmap="no"
+ fi
+@@ -607,7 +610,8 @@
+     exit(EXIT_FAILURE);
+ }])],
+     sepol_policy_version_max=`cat conftest.data`,
+-    AC_MSG_FAILURE([could not determine maximum libsepol policy version]))
++    AC_MSG_FAILURE([could not determine maximum libsepol policy version]),
++    sepol_policy_version_max="26")
+ AC_DEFINE_UNQUOTED(SEPOL_POLICY_VERSION_MAX, ${sepol_policy_version_max}, [maximum policy version supported by libsepol])
+ CFLAGS="${sepol_save_CFLAGS}"
+ CPPFLAGS="${sepol_save_CPPFLAGS}"
+@@ -631,7 +635,7 @@
+     changequote([,])dnl
+     selinux_save_CFLAGS="${CFLAGS}"
+     CFLAGS="${SELINUX_CFLAGS} ${SELINUX_LIB_FLAG} -lselinux -lsepol ${CFLAGS}"
+-    gcc ${CFLAGS} -o conftest conftest.c >&5
++    ${CC} ${CFLAGS} -o conftest conftest.c >&5
+     selinux_policy_dir=`./conftest`
+     AC_MSG_RESULT(${selinux_policy_dir})
+     CFLAGS="${selinux_save_CFLAGS}"
+diff -urN a/libqpol/src/policy_define.c b/libqpol/src/policy_define.c
+--- a/libqpol/src/policy_define.c	2013-01-16 10:36:24.000000000 -0600
++++ b/libqpol/src/policy_define.c	2013-07-12 08:22:10.380255248 -0500
+@@ -2135,7 +2135,7 @@
+ #ifdef HAVE_SEPOL_ROLE_ATTRS
+ 	if (role_set_expand(&roles, &e_roles, policydbp, NULL, NULL))
+ #elif HAVE_SEPOL_USER_ROLE_MAPPING
+-	if (role_set_expand(&roles, &e_roles, policydbp, NULL))
++	if (role_set_expand(&roles, &e_roles, policydbp, NULL, NULL))
+ #else
+ 	if (role_set_expand(&roles, &e_roles, policydbp))
+ #endif
+diff -urN a/m4/ac_python_devel.m4 b/m4/ac_python_devel.m4
+--- a/m4/ac_python_devel.m4	2013-01-16 10:36:22.000000000 -0600
++++ b/m4/ac_python_devel.m4	2013-07-12 08:22:10.380255248 -0500
+@@ -234,7 +234,7 @@
+ 	AC_MSG_CHECKING([consistency of all components of python development environment])
+ 	AC_LANG_PUSH([C])
+ 	# save current global flags
+-	LIBS="$ac_save_LIBS $PYTHON_LDFLAGS"
++	LIBS="$ac_save_LIBS $PYTHON_EXTRA_LIBS $PYTHON_LDFLAGS"
+ 	CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
+ 	AC_TRY_LINK([
+ 		#include <Python.h>
+diff -urN a/python/setools/Makefile.am b/python/setools/Makefile.am
+--- a/python/setools/Makefile.am	2013-01-16 10:36:22.000000000 -0600
++++ b/python/setools/Makefile.am	2013-07-12 08:22:19.200251011 -0500
+@@ -22,13 +22,13 @@
+ python-build: sesearch.c seinfo.c
+ 	@mkdir -p setools
+ 	@cp __init__.py setools
+-	LIBS="$(QPOL_LIB_FLAG) $(APOL_LIB_FLAG)" INCLUDES="$(QPOL_CFLAGS) $(APOL_CFLAGS)" $(PYTHON) setup.py build
++	LIBS="$(QPOL_LIB_FLAG) $(APOL_LIB_FLAG)" LIBDIRS="$(PYTHON_LDFLAGS)" INCLUDES="$(PYTHON_CPPFLAGS) $(QPOL_CFLAGS) $(APOL_CFLAGS)" CC="$(CC)" CFLAGS="$(CFLAGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(LDFLAGS)" $(PYTHON) setup.py build_ext
+ 
+ install-exec-hook:
+-	$(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
++	$(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --prefix=$(DESTDIR)/usr`
+ 
+ uninstall-hook: 
+-	$(PYTHON) setup.py uninstall `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
++	$(PYTHON) setup.py uninstall `test -n "$(DESTDIR)" && echo --prefix=$(DESTDIR)/usr`
+ 
+ clean-local:
+ 	$(PYTHON) setup.py clean -a 
+--- a/python/setools/setup.py	2013-01-16 10:36:22.000000000 -0600
++++ b/python/setools/setup.py	2013-09-04 09:17:48.452916991 -0500
+@@ -8,7 +8,7 @@
+ try:
+     inc=os.getenv("INCLUDES").split(" ")    
+     INCLUDES=map(lambda x: x[2:], inc)
+-    LIBDIRS=map(lambda x: "/".join(x.split("/")[:-1]), os.getenv("LIBS").split())
++    LIBDIRS=map(lambda x: "/".join(x.split("/")[:-1]), os.getenv("LIBS").split()) + map(lambda x: x[2:], os.getenv("LIBDIRS").split())
+ except:
+     INCLUDES=""
+     LIBDIRS=""
diff --git a/package/setools/Config.in b/package/setools/Config.in
new file mode 100644
index 0000000..43b4b27
--- /dev/null
+++ b/package/setools/Config.in
@@ -0,0 +1,25 @@
+config BR2_PACKAGE_SETOOLS
+	bool "setools"
+	select BR2_PACKAGE_LIBSELINUX
+	select BR2_PACKAGE_SQLITE
+	select BR2_PACKAGE_LIBXML2
+	select BR2_PACKAGE_BZIP2
+	depends on BR2_TOOLCHAIN_HAS_THREADS
+	depends on !BR2_STATIC_LIBS
+	depends on BR2_INSTALL_LIBSTDCPP
+	help
+	  SETools is an open source project designed to facilitate
+	  SELinux policy analysis. The primary tools are:
+	   * apol - analyze a SELinux policy.
+	   * seaudit - analyze audit messages from SELinux.
+	   * seaudit-report - generate highly-customized audit log
+	     reports.
+	   * sechecker - command line tool for performing modular
+	     checks on an SELinux policy.
+	   * sediff - semantic policy difference tool for SELinux.
+	   * secmds - command-line tools to analyze and search SELinux
+             policy.
+
+comment "setools needs a toolchain w/ threads, c++, dynamic library"
+	depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_STATIC_LIBS \
+		|| !BR2_INSTALL_LIBSTDCPP
diff --git a/package/setools/setools.hash b/package/setools/setools.hash
new file mode 100644
index 0000000..3fac21d
--- /dev/null
+++ b/package/setools/setools.hash
@@ -0,0 +1,4 @@
+# From https://github.com/TresysTechnology/setools3/wiki/Download
+md5	d68d0d4e4da0f01da0f208782ff04b91	setools-3.3.8.tar.bz2
+#Locally computed
+sha256	44387ecc9a231ec536a937783440cd8960a72c51f14bffc1604b7525e341e999	setools-3.3.8.tar.bz2
diff --git a/package/setools/setools.mk b/package/setools/setools.mk
new file mode 100644
index 0000000..bd4de5f
--- /dev/null
+++ b/package/setools/setools.mk
@@ -0,0 +1,85 @@
+################################################################################
+#
+# setools
+#
+################################################################################
+
+SETOOLS_VERSION = 3.3.8
+SETOOLS_SOURCE = setools-$(SETOOLS_VERSION).tar.bz2
+SETOOLS_SITE = https://raw.githubusercontent.com/wiki/TresysTechnology/setools3/files/dists/setools-$(SETOOLS_VERSION)/
+SETOOLS_DEPENDENCIES = libselinux sqlite libxml2 bzip2
+SETOOLS_INSTALL_STAGING = YES
+SETOOLS_LICENSE = GPLv2+ LGPLv2.1+
+SETOOLS_LICENSE_FILES = COPYING COPYING.GPL COPYING.LGPL
+
+# Generate the configuration script
+SETOOLS_AUTORECONF = YES
+SETOOLS_AUTORECONF_OPTS = -i -s
+# Prevent patching since autoreconf sets ltmain.sh as a symlink to
+# to host/usr/share/libtool/build-aux/ltmain.sh
+SETOOLS_LIBTOOL_PATCH = NO
+
+# Notes: Need "disable-selinux-check" so the configure does not check to see
+#        if host has selinux enabled.
+#        No python support as only the libraries and commandline tools are
+#        installed on target
+SETOOLS_CONF_OPTS = \
+	--disable-debug \
+	--disable-gui \
+	--disable-bwidget-check \
+	--disable-selinux-check \
+	--disable-swig-java \
+	--disable-swig-python \
+	--disable-swig-tcl \
+	--with-sepol-devel="$(STAGING_DIR)/usr" \
+	--with-selinux-devel="$(STAGING_DIR)/usr"
+
+HOST_SETOOLS_DEPENDENCIES = host-libselinux host-libsepol host-sqlite \
+	host-libxml2 host-bzip2
+
+# Generate the configuration script
+HOST_SETOOLS_AUTORECONF = YES
+HOST_SETOOLS_AUTORECONF_OPTS = -i -s
+
+# Notes: Need "disable-selinux-check" so the configure does not check to see
+#        if host has selinux enabled.
+#        Host builds with python support to enable tools for offline target
+#        policy analysis
+HOST_SETOOLS_CONF_OPTS = \
+	--disable-debug \
+	--disable-gui \
+	--disable-bwidget-check \
+	--disable-selinux-check \
+	--disable-swig-java \
+	--disable-swig-python \
+	--disable-swig-tcl \
+	--with-sepol-devel="$(HOST_DIR)/usr" \
+	--with-selinux-devel="$(HOST_DIR)/usr" \
+	PYTHON_LDFLAGS="-L$(HOST_DIR)/usr/lib/"
+
+HOST_SETOOLS_CONF_ENV += \
+	am_cv_pathless_PYTHON=python \
+	ac_cv_path_PYTHON=$(HOST_DIR)/usr/bin/python \
+	am_cv_python_platform=linux2
+
+ifeq ($(BR2_PACKAGE_PYTHON3),y)
+HOST_SETOOLS_PYTHON_VERSION=$(PYTHON3_VERSION_MAJOR)
+HOST_SETOOLS_DEPENDENCIES += host-python3
+HOST_SETOOLS_CONF_ENV += am_cv_python_version=$(PYTHON3_VERSION)
+else
+HOST_SETOOLS_PYTHON_VERSION=$(PYTHON_VERSION_MAJOR)
+HOST_SETOOLS_DEPENDENCIES += host-python
+HOST_SETOOLS_CONF_ENV += am_cv_python_version=$(PYTHON_VERSION)
+endif
+
+HOST_SETOOLS_CONF_ENV += \
+	am_cv_python_pythondir=$(HOST_DIR)/usr/lib/python$(HOST_SETOOLS_PYTHON_VERSION)/site-packages \
+	am_cv_python_pyexecdir=$(HOST_DIR)/usr/lib/python$(HOST_SETOOLS_PYTHON_VERSION)/site-packages \
+	am_cv_python_includes=-I$(HOST_DIR)/usr/include/python$(HOST_SETOOLS_PYTHON_VERSION)
+HOST_SETOOLS_CONF_OPTS += \
+	PYTHON_CPPFLAGS="-I$(HOST_DIR)/usr/include/python$(HOST_SETOOLS_PYTHON_VERSION)" \
+	PYTHON_SITE_PKG="$(HOST_DIR)/usr/lib/python$(HOST_SETOOLS_PYTHON_VERSION)/site-packages" \
+	PYTHON_EXTRA_LIBS="-lpthread -ldl -lutil -lpython$(HOST_SETOOLS_PYTHON_VERSION)"
+
+$(eval $(autotools-package))
+$(eval $(host-autotools-package))
-- 
1.9.1

[Buildroot] [PATCH v5 03/24] setools: new package

[Thomas Petazzoni]

Dear Clayton Shotwell,

On Wed, 13 May 2015 16:39:16 -0500, Clayton Shotwell wrote:
> From: Matt Weber <matthew.weber@rockwellcollins.com>
> 
> Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
> 
> ---
> Changes v4 -> v5:
>   - Added dependency on libsepol (Matt W.)
>   - Removed limitation of arch it could build for  (Matt W.)
>   - Removed depends on GLIBC (Matt W.)
>   - Consolidated python configuration (Ryan B.)
>   - Removed swig (patch and enabling), it's only needed for
>     graphical apol tool (Ryan B.)
>   - Added comment to cross compile patch about not upstreaming.
>     The package is stable and no updates/reworking since 2013.
>     Currently a 4.0 version is in the works but is a major
>     build infrastructure rework when compared to 3.3.x. (Ryan B.)
>   - Added comments noting why autoreconf and not libtool patch
>     (Suggested by Thomas P.)
>   - Added comments explaining why python on host but not target
>     (Suggested by Thomas P.)
>   - Add a dependency on not static libs because libselinux requires not
>     static libs. (Clayton S.)
>   - Added licene info (Clayton S.)
>   - Added depends on C++ (Matt W.)
>   - Removed largefile dependency (Clayton S.)

Thanks a lot for this detailed changelog, very useful.

> diff --git a/package/setools/0001-cross-compile-fixes.patch b/package/setools/0001-cross-compile-fixes.patch
> new file mode 100644
> index 0000000..1a4af0c
> --- /dev/null
> +++ b/package/setools/0001-cross-compile-fixes.patch
> @@ -0,0 +1,125 @@
> +Correct build issues to enable cross compiling.  These changes require the
> +package to be auto reconfigured.
> +
> +These updates were not upsteamed as the 3.3.x version has stablized and they
> +were only taking bug fixes.  Also the 4.0 preview has completely reworked
> +the build infrastructure which will require this to be revisited.
> +
> +Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>

The patch could have been split a bit more. But since it's not going to
go upstream as you explain here, I think it's OK as it is. At least I
would be fine with such a patch.

> diff --git a/package/setools/Config.in b/package/setools/Config.in
> new file mode 100644
> index 0000000..43b4b27
> --- /dev/null
> +++ b/package/setools/Config.in
> @@ -0,0 +1,25 @@
> +config BR2_PACKAGE_SETOOLS
> +	bool "setools"
> +	select BR2_PACKAGE_LIBSELINUX
> +	select BR2_PACKAGE_SQLITE
> +	select BR2_PACKAGE_LIBXML2
> +	select BR2_PACKAGE_BZIP2
> +	depends on BR2_TOOLCHAIN_HAS_THREADS
> +	depends on !BR2_STATIC_LIBS
> +	depends on BR2_INSTALL_LIBSTDCPP
> +	help
> +	  SETools is an open source project designed to facilitate
> +	  SELinux policy analysis. The primary tools are:
> +	   * apol - analyze a SELinux policy.
> +	   * seaudit - analyze audit messages from SELinux.
> +	   * seaudit-report - generate highly-customized audit log
> +	     reports.
> +	   * sechecker - command line tool for performing modular
> +	     checks on an SELinux policy.
> +	   * sediff - semantic policy difference tool for SELinux.
> +	   * secmds - command-line tools to analyze and search SELinux
> +             policy.
> +
> +comment "setools needs a toolchain w/ threads, c++, dynamic library"

nit of the day: C++ in uppercase.

> diff --git a/package/setools/setools.mk b/package/setools/setools.mk
> new file mode 100644
> index 0000000..bd4de5f
> --- /dev/null
> +++ b/package/setools/setools.mk
> @@ -0,0 +1,85 @@
> +################################################################################
> +#
> +# setools
> +#
> +################################################################################
> +
> +SETOOLS_VERSION = 3.3.8
> +SETOOLS_SOURCE = setools-$(SETOOLS_VERSION).tar.bz2
> +SETOOLS_SITE = https://raw.githubusercontent.com/wiki/TresysTechnology/setools3/files/dists/setools-$(SETOOLS_VERSION)/
> +SETOOLS_DEPENDENCIES = libselinux sqlite libxml2 bzip2

Here you don't list libsepol explicitly (which is OK since libselinux
depends on it), but in the host variant of setools, you do depend
explicitly on host-libsepol. Pick one of the two possibilities, but
don't mix them :)

> +SETOOLS_INSTALL_STAGING = YES
> +SETOOLS_LICENSE = GPLv2+ LGPLv2.1+
> +SETOOLS_LICENSE_FILES = COPYING COPYING.GPL COPYING.LGPL
> +
> +# Generate the configuration script

That's not explaining anything, we know what autoreconf is doing. The
question is *why*. 

> +SETOOLS_AUTORECONF = YES
> +SETOOLS_AUTORECONF_OPTS = -i -s
> +# Prevent patching since autoreconf sets ltmain.sh as a symlink to
> +# to host/usr/share/libtool/build-aux/ltmain.sh

Weird autoreconf is used all over the place by many packages, and it's
not causing this problem.

> +SETOOLS_LIBTOOL_PATCH = NO
> +
> +# Notes: Need "disable-selinux-check" so the configure does not check to see
> +#        if host has selinux enabled.
> +#        No python support as only the libraries and commandline tools are
> +#        installed on target
> +SETOOLS_CONF_OPTS = \
> +	--disable-debug \
> +	--disable-gui \
> +	--disable-bwidget-check \
> +	--disable-selinux-check \
> +	--disable-swig-java \
> +	--disable-swig-python \
> +	--disable-swig-tcl \
> +	--with-sepol-devel="$(STAGING_DIR)/usr" \
> +	--with-selinux-devel="$(STAGING_DIR)/usr"
> +
> +HOST_SETOOLS_DEPENDENCIES = host-libselinux host-libsepol host-sqlite \
> +	host-libxml2 host-bzip2
> +
> +# Generate the configuration script
> +HOST_SETOOLS_AUTORECONF = YES
> +HOST_SETOOLS_AUTORECONF_OPTS = -i -s
> +

i.e here (see below).

> +# Notes: Need "disable-selinux-check" so the configure does not check to see
> +#        if host has selinux enabled.
> +#        Host builds with python support to enable tools for offline target
> +#        policy analysis
> +HOST_SETOOLS_CONF_OPTS = \
> +	--disable-debug \
> +	--disable-gui \
> +	--disable-bwidget-check \
> +	--disable-selinux-check \
> +	--disable-swig-java \
> +	--disable-swig-python \
> +	--disable-swig-tcl \
> +	--with-sepol-devel="$(HOST_DIR)/usr" \
> +	--with-selinux-devel="$(HOST_DIR)/usr" \
> +	PYTHON_LDFLAGS="-L$(HOST_DIR)/usr/lib/"
> +
> +HOST_SETOOLS_CONF_ENV += \
> +	am_cv_pathless_PYTHON=python \
> +	ac_cv_path_PYTHON=$(HOST_DIR)/usr/bin/python \
> +	am_cv_python_platform=linux2
> +
> +ifeq ($(BR2_PACKAGE_PYTHON3),y)
> +HOST_SETOOLS_PYTHON_VERSION=$(PYTHON3_VERSION_MAJOR)
> +HOST_SETOOLS_DEPENDENCIES += host-python3
> +HOST_SETOOLS_CONF_ENV += am_cv_python_version=$(PYTHON3_VERSION)
> +else
> +HOST_SETOOLS_PYTHON_VERSION=$(PYTHON_VERSION_MAJOR)
> +HOST_SETOOLS_DEPENDENCIES += host-python
> +HOST_SETOOLS_CONF_ENV += am_cv_python_version=$(PYTHON_VERSION)
> +endif

This should be put a bit earlier.

> +
> +HOST_SETOOLS_CONF_ENV += \
> +	am_cv_python_pythondir=$(HOST_DIR)/usr/lib/python$(HOST_SETOOLS_PYTHON_VERSION)/site-packages \
> +	am_cv_python_pyexecdir=$(HOST_DIR)/usr/lib/python$(HOST_SETOOLS_PYTHON_VERSION)/site-packages \
> +	am_cv_python_includes=-I$(HOST_DIR)/usr/include/python$(HOST_SETOOLS_PYTHON_VERSION)
> +HOST_SETOOLS_CONF_OPTS += \
> +	PYTHON_CPPFLAGS="-I$(HOST_DIR)/usr/include/python$(HOST_SETOOLS_PYTHON_VERSION)" \
> +	PYTHON_SITE_PKG="$(HOST_DIR)/usr/lib/python$(HOST_SETOOLS_PYTHON_VERSION)/site-packages" \
> +	PYTHON_EXTRA_LIBS="-lpthread -ldl -lutil -lpython$(HOST_SETOOLS_PYTHON_VERSION)"

So that these can be squashed with the HOST_SETOOLS_CONF_ENV and
HOST_SETOOLS_CONF_OPTS definitions. Also, I'm pretty sure we can do
something a bit better than that.

ifeq ($(BR2_PACKAGE_PYTHON3),y)
HOST_SETOOLS_DEPENDENCIES += host-python3
HOST_SETOOLS_PYTHON_VERSION = $(PYTHON3_VERSION_MAJOR)
else
HOST_SETOOLS_DEPENDENCIES += host-python
HOST_SETOOLS_PYTHON_VERSION = $(PYTHON_VERSION_MAJOR)
endif

HOST_SETOOLS_PYTHON_SITE_PACKAGES = $(HOST_DIR)/usr/lib/python$(HOST_SETOOLS_PYTHON_VERSION)/site-packages
HOST_SETOOLS_PYTHON_INCLUDES = $(HOST_DIR)/usr/include/python$(HOST_SETOOLS_PYTHON_VERSION)
HOST_SETOOLS_PYTHON_LIB = -lpython$(HOST_SETOOLS_PYTHON_VERSION)

And then:

> +HOST_SETOOLS_CONF_OPTS = \
> +	--disable-debug \
> +	--disable-gui \
> +	--disable-bwidget-check \
> +	--disable-selinux-check \
> +	--disable-swig-java \
> +	--disable-swig-python \
> +	--disable-swig-tcl \
> +	--with-sepol-devel="$(HOST_DIR)/usr" \
> +	--with-selinux-devel="$(HOST_DIR)/usr" \
> +	PYTHON_LDFLAGS="-L$(HOST_DIR)/usr/lib/" \
> +	PYTHON_CPPFLAGS="-I$(HOST_SETOOLS_PYTHON_INCLUDES)" \
> +	PYTHON_SITE_PKG="$(HOST_SETOOLS_PYTHON_SITE_PACKAGES") \
> +	PYTHON_EXTRA_LIBS="-lpthread -ldl -lutil $(HOST_SETOOLS_PYTHON_LIB)"

> +HOST_SETOOLS_CONF_ENV += \
> +	am_cv_pathless_PYTHON=python \
> +	ac_cv_path_PYTHON=$(HOST_DIR)/usr/bin/python \
> +	am_cv_python_platform=linux2
> +	am_cv_python_version=$(HOST_SETOOLS_PYTHON_VERSION)
> +	am_cv_python_pythondir=$(HOST_SETOOLS_PYTHON_SITE_PACKAGES)
> +	am_cv_python_pyexecdir=$(HOST_SETOOLS_PYTHON_SITE_PACKAGES)
> +	am_cv_python_includes=-I$(HOST_SETOOLS_PYTHON_INCLUDES)

and there you are.

But all in all, this is looking pretty good.

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com

[Buildroot] [PATCH v5 03/24] setools: new package

[Clayton Shotwell]

Thomas,

On Mon, May 18, 2015 at 4:31 PM, Thomas Petazzoni
<thomas.petazzoni@free-electrons.com> wrote:
> Dear Clayton Shotwell,
>
> On Wed, 13 May 2015 16:39:16 -0500, Clayton Shotwell wrote:
>> From: Matt Weber <matthew.weber@rockwellcollins.com>
>>
>> Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
>>
>> ---
>> Changes v4 -> v5:
>>   - Added dependency on libsepol (Matt W.)
>>   - Removed limitation of arch it could build for  (Matt W.)
>>   - Removed depends on GLIBC (Matt W.)
>>   - Consolidated python configuration (Ryan B.)
>>   - Removed swig (patch and enabling), it's only needed for
>>     graphical apol tool (Ryan B.)
>>   - Added comment to cross compile patch about not upstreaming.
>>     The package is stable and no updates/reworking since 2013.
>>     Currently a 4.0 version is in the works but is a major
>>     build infrastructure rework when compared to 3.3.x. (Ryan B.)
>>   - Added comments noting why autoreconf and not libtool patch
>>     (Suggested by Thomas P.)
>>   - Added comments explaining why python on host but not target
>>     (Suggested by Thomas P.)
>>   - Add a dependency on not static libs because libselinux requires not
>>     static libs. (Clayton S.)
>>   - Added licene info (Clayton S.)
>>   - Added depends on C++ (Matt W.)
>>   - Removed largefile dependency (Clayton S.)
>
> Thanks a lot for this detailed changelog, very useful.

You're very welcome.


>> +comment "setools needs a toolchain w/ threads, c++, dynamic library"
>
> nit of the day: C++ in uppercase.

Will fix for v6.

>> diff --git a/package/setools/setools.mk b/package/setools/setools.mk
>> new file mode 100644
>> index 0000000..bd4de5f
>> --- /dev/null
>> +++ b/package/setools/setools.mk
>> @@ -0,0 +1,85 @@
>> +################################################################################
>> +#
>> +# setools
>> +#
>> +################################################################################
>> +
>> +SETOOLS_VERSION = 3.3.8
>> +SETOOLS_SOURCE = setools-$(SETOOLS_VERSION).tar.bz2
>> +SETOOLS_SITE = https://raw.githubusercontent.com/wiki/TresysTechnology/setools3/files/dists/setools-$(SETOOLS_VERSION)/
>> +SETOOLS_DEPENDENCIES = libselinux sqlite libxml2 bzip2
>
> Here you don't list libsepol explicitly (which is OK since libselinux
> depends on it), but in the host variant of setools, you do depend
> explicitly on host-libsepol. Pick one of the two possibilities, but
> don't mix them :)

Good catch. I will add the dependency here.

>> +SETOOLS_INSTALL_STAGING = YES
>> +SETOOLS_LICENSE = GPLv2+ LGPLv2.1+
>> +SETOOLS_LICENSE_FILES = COPYING COPYING.GPL COPYING.LGPL
>> +
>> +# Generate the configuration script
>
> That's not explaining anything, we know what autoreconf is doing. The
> question is *why*.

I will fix the comment for v6.

>> +SETOOLS_AUTORECONF = YES
>> +SETOOLS_AUTORECONF_OPTS = -i -s
>> +# Prevent patching since autoreconf sets ltmain.sh as a symlink to
>> +# to host/usr/share/libtool/build-aux/ltmain.sh
>
> Weird autoreconf is used all over the place by many packages, and it's
> not causing this problem.

I'll try removing it and see what happens. More than likely everything
will work just fine.

>> +SETOOLS_LIBTOOL_PATCH = NO
>> +
>> +# Notes: Need "disable-selinux-check" so the configure does not check to see
>> +#        if host has selinux enabled.
>> +#        No python support as only the libraries and commandline tools are
>> +#        installed on target
>> +SETOOLS_CONF_OPTS = \
>> +     --disable-debug \
>> +     --disable-gui \
>> +     --disable-bwidget-check \
>> +     --disable-selinux-check \
>> +     --disable-swig-java \
>> +     --disable-swig-python \
>> +     --disable-swig-tcl \
>> +     --with-sepol-devel="$(STAGING_DIR)/usr" \
>> +     --with-selinux-devel="$(STAGING_DIR)/usr"
>> +
>> +HOST_SETOOLS_DEPENDENCIES = host-libselinux host-libsepol host-sqlite \
>> +     host-libxml2 host-bzip2
>> +
>> +# Generate the configuration script
>> +HOST_SETOOLS_AUTORECONF = YES
>> +HOST_SETOOLS_AUTORECONF_OPTS = -i -s
>> +
>
> i.e here (see below).
>
>> +# Notes: Need "disable-selinux-check" so the configure does not check to see
>> +#        if host has selinux enabled.
>> +#        Host builds with python support to enable tools for offline target
>> +#        policy analysis
>> +HOST_SETOOLS_CONF_OPTS = \
>> +     --disable-debug \
>> +     --disable-gui \
>> +     --disable-bwidget-check \
>> +     --disable-selinux-check \
>> +     --disable-swig-java \
>> +     --disable-swig-python \
>> +     --disable-swig-tcl \
>> +     --with-sepol-devel="$(HOST_DIR)/usr" \
>> +     --with-selinux-devel="$(HOST_DIR)/usr" \
>> +     PYTHON_LDFLAGS="-L$(HOST_DIR)/usr/lib/"
>> +
>> +HOST_SETOOLS_CONF_ENV += \
>> +     am_cv_pathless_PYTHON=python \
>> +     ac_cv_path_PYTHON=$(HOST_DIR)/usr/bin/python \
>> +     am_cv_python_platform=linux2
>> +
>> +ifeq ($(BR2_PACKAGE_PYTHON3),y)
>> +HOST_SETOOLS_PYTHON_VERSION=$(PYTHON3_VERSION_MAJOR)
>> +HOST_SETOOLS_DEPENDENCIES += host-python3
>> +HOST_SETOOLS_CONF_ENV += am_cv_python_version=$(PYTHON3_VERSION)
>> +else
>> +HOST_SETOOLS_PYTHON_VERSION=$(PYTHON_VERSION_MAJOR)
>> +HOST_SETOOLS_DEPENDENCIES += host-python
>> +HOST_SETOOLS_CONF_ENV += am_cv_python_version=$(PYTHON_VERSION)
>> +endif
>
> This should be put a bit earlier.
>
>> +
>> +HOST_SETOOLS_CONF_ENV += \
>> +     am_cv_python_pythondir=$(HOST_DIR)/usr/lib/python$(HOST_SETOOLS_PYTHON_VERSION)/site-packages \
>> +     am_cv_python_pyexecdir=$(HOST_DIR)/usr/lib/python$(HOST_SETOOLS_PYTHON_VERSION)/site-packages \
>> +     am_cv_python_includes=-I$(HOST_DIR)/usr/include/python$(HOST_SETOOLS_PYTHON_VERSION)
>> +HOST_SETOOLS_CONF_OPTS += \
>> +     PYTHON_CPPFLAGS="-I$(HOST_DIR)/usr/include/python$(HOST_SETOOLS_PYTHON_VERSION)" \
>> +     PYTHON_SITE_PKG="$(HOST_DIR)/usr/lib/python$(HOST_SETOOLS_PYTHON_VERSION)/site-packages" \
>> +     PYTHON_EXTRA_LIBS="-lpthread -ldl -lutil -lpython$(HOST_SETOOLS_PYTHON_VERSION)"
>
> So that these can be squashed with the HOST_SETOOLS_CONF_ENV and
> HOST_SETOOLS_CONF_OPTS definitions. Also, I'm pretty sure we can do
> something a bit better than that.
>
> ifeq ($(BR2_PACKAGE_PYTHON3),y)
> HOST_SETOOLS_DEPENDENCIES += host-python3
> HOST_SETOOLS_PYTHON_VERSION = $(PYTHON3_VERSION_MAJOR)
> else
> HOST_SETOOLS_DEPENDENCIES += host-python
> HOST_SETOOLS_PYTHON_VERSION = $(PYTHON_VERSION_MAJOR)
> endif
>
> HOST_SETOOLS_PYTHON_SITE_PACKAGES = $(HOST_DIR)/usr/lib/python$(HOST_SETOOLS_PYTHON_VERSION)/site-packages
> HOST_SETOOLS_PYTHON_INCLUDES = $(HOST_DIR)/usr/include/python$(HOST_SETOOLS_PYTHON_VERSION)
> HOST_SETOOLS_PYTHON_LIB = -lpython$(HOST_SETOOLS_PYTHON_VERSION)
>
> And then:
>
>> +HOST_SETOOLS_CONF_OPTS = \
>> +     --disable-debug \
>> +     --disable-gui \
>> +     --disable-bwidget-check \
>> +     --disable-selinux-check \
>> +     --disable-swig-java \
>> +     --disable-swig-python \
>> +     --disable-swig-tcl \
>> +     --with-sepol-devel="$(HOST_DIR)/usr" \
>> +     --with-selinux-devel="$(HOST_DIR)/usr" \
>> +     PYTHON_LDFLAGS="-L$(HOST_DIR)/usr/lib/" \
>> +     PYTHON_CPPFLAGS="-I$(HOST_SETOOLS_PYTHON_INCLUDES)" \
>> +     PYTHON_SITE_PKG="$(HOST_SETOOLS_PYTHON_SITE_PACKAGES") \
>> +     PYTHON_EXTRA_LIBS="-lpthread -ldl -lutil $(HOST_SETOOLS_PYTHON_LIB)"
>
>> +HOST_SETOOLS_CONF_ENV += \
>> +     am_cv_pathless_PYTHON=python \
>> +     ac_cv_path_PYTHON=$(HOST_DIR)/usr/bin/python \
>> +     am_cv_python_platform=linux2
>> +     am_cv_python_version=$(HOST_SETOOLS_PYTHON_VERSION)
>> +     am_cv_python_pythondir=$(HOST_SETOOLS_PYTHON_SITE_PACKAGES)
>> +     am_cv_python_pyexecdir=$(HOST_SETOOLS_PYTHON_SITE_PACKAGES)
>> +     am_cv_python_includes=-I$(HOST_SETOOLS_PYTHON_INCLUDES)
>
> and there you are.

Thanks for cleaning up the python flags. I'll get that changed and
tested for v6.

Thanks,
Clayton

Clayton Shotwell
Senior Software Engineer, Rockwell Collins
clayton.shotwell at rockwellcollins.com

[Buildroot] [PATCH v5 04/24] python-pyparsing: Add host build option

[Clayton Shotwell]

From: Matt Weber <matthew.weber@rockwellcollins.com>

Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>

---
Changes v4 -> v5:
  - No changes
---
 package/python-pyparsing/python-pyparsing.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/python-pyparsing/python-pyparsing.mk b/package/python-pyparsing/python-pyparsing.mk
index 8e83f34..0f5fb71 100644
--- a/package/python-pyparsing/python-pyparsing.mk
+++ b/package/python-pyparsing/python-pyparsing.mk
@@ -12,3 +12,4 @@ PYTHON_PYPARSING_LICENSE_FILES = LICENSE
 PYTHON_PYPARSING_SETUP_TYPE = distutils
 
 $(eval $(python-package))
+$(eval $(host-python-package))
-- 
1.9.1

[Buildroot] [PATCH v5 05/24] audit: new package

[Clayton Shotwell]

From: Matt Weber <matthew.weber@rockwellcollins.com>

Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>

---
Changes v4 -> v5:
  - Removed limitation on glibc only build (Matt W.)
  - Updated static lib build option variable name (Matt W.)
  - Upgrading audit to the latest version. Switched to a simpler
    cross compile support patch that should be upstreamable (Clayton S.)
  - Cleaned up build flags and patch names (Clayton S.)
  - The xtensa architecture uclibc is missing the ADDR_NO_RANDOMIZE
    flag that is required by the audit application. Exclute the audit
    package from the xtensa architecture. (Clayton S.)
  - Add exclusion on blackfin architecture because memory fences are
    required (Clayton S.)
  - Added a dependency on the toolchain having threads (Clayton S.)
  - Add patch to fix false detection of MS_DIRSYNC in mount.h when
    crosscompiling on systems without that feature. (Clayton S.)
  - Fixed path from sbin to usr/sbin (Matt W.)

Changes v3 -> v4:
  - Added back in the Python bindings configure option instead of
    relying on a check to see if Python is enabled (suggested by
    Thomas P.)
  - Cleaned up the startup script installation step (suggested by
    Thomas P.)
  - Change the startup script order to launch the auditd first thing
    and also change the required shell to sh instead of bash.
  - Adding a dependency on comment BR2_TOOLCHAIN_USES_GLIBC

Changes v2 -> v3:
  - Changed order of patch to correct dependency issue (suggested by
    Thomas P.)
  - Changes patch naming convention (suggested by Thomas P.)
  - Added upstream submission link for patch (suggested by Thomas P.)

Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format
  - Fixed the patch naming to avoid using the version number
  - Cleaned up the patch to include a signed-off-by line
  - Changed the original Python select in the Config.in to be a check
    in the mk file
---
 package/Config.in                                  |   1 +
 package/audit/0001-Enable-cross-compiling.patch    | 773 +++++++++++++++++++++
 package/audit/0002-Remove-zos-remote-plugin.patch  |  54 ++
 ...03-Default-ADDR_NO_RANDOMIZE-if-not-found.patch |  44 ++
 ...004-Do-not-call-posix_fallocate-on-uClibc.patch |  45 ++
 ...fix-header-detection-when-cross-compiling.patch |  46 ++
 package/audit/Config.in                            |  17 +
 package/audit/S01auditd                            | 169 +++++
 package/audit/audit.hash                           |   2 +
 package/audit/audit.mk                             |  47 ++
 10 files changed, 1198 insertions(+)
 create mode 100644 package/audit/0001-Enable-cross-compiling.patch
 create mode 100644 package/audit/0002-Remove-zos-remote-plugin.patch
 create mode 100644 package/audit/0003-Default-ADDR_NO_RANDOMIZE-if-not-found.patch
 create mode 100644 package/audit/0004-Do-not-call-posix_fallocate-on-uClibc.patch
 create mode 100644 package/audit/0005-fix-header-detection-when-cross-compiling.patch
 create mode 100644 package/audit/Config.in
 create mode 100644 package/audit/S01auditd
 create mode 100644 package/audit/audit.hash
 create mode 100644 package/audit/audit.mk

diff --git a/package/Config.in b/package/Config.in
index 60d63c5..5473772 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1376,6 +1376,7 @@ endmenu
 menu "System tools"
 	source "package/acl/Config.in"
 	source "package/attr/Config.in"
+	source "package/audit/Config.in"
 if BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
 	source "package/bootutils/Config.in"
 	source "package/coreutils/Config.in"
diff --git a/package/audit/0001-Enable-cross-compiling.patch b/package/audit/0001-Enable-cross-compiling.patch
new file mode 100644
index 0000000..b2c9b4c
--- /dev/null
+++ b/package/audit/0001-Enable-cross-compiling.patch
@@ -0,0 +1,773 @@
+From c30e91c2833fb5c33a238258e5902cc2dd8586d3 Mon Sep 17 00:00:00 2001
+From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+Date: Thu, 26 Mar 2015 12:26:36 -0500
+Subject: [PATCH] Enable cross compiling
+
+During the audit build, several lookup tables are generated as header
+files that are then linked in with the executables. This process is done
+by a C application that needs to be able to be run on the host. The
+current Makfile structure tries to build these executables for the
+target instead of the host where they cannot be executed. This patch
+reworks the Makefile structure to build for the correct platform.
+
+This patch is a rework of a patch posted to the audit mailing list at
+the link below.
+https://www.redhat.com/archives/linux-audit/2012-November/msg00000.html
+
+The ax_prog_cc_for_build.m4 file was obtained from GNU at the link
+below.
+http://www.gnu.org/software/autoconf-archive/ax_prog_cc_for_build.html
+
+Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+---
+ auparse/Makefile.am        | 276 ++++++++++++++++++++++++++++++---------------
+ configure.ac               |   1 +
+ lib/Makefile.am            | 133 ++++++++++++++--------
+ m4/ax_prog_cc_for_build.m4 | 125 ++++++++++++++++++++
+ 4 files changed, 397 insertions(+), 138 deletions(-)
+ create mode 100644 m4/ax_prog_cc_for_build.m4
+
+diff --git a/auparse/Makefile.am b/auparse/Makefile.am
+index 89b2d21..0fe40e0 100644
+--- a/auparse/Makefile.am
++++ b/auparse/Makefile.am
+@@ -57,208 +57,304 @@ BUILT_SOURCES = accesstabs.h captabs.h clocktabs.h clone-flagtabs.h \
+ 	seektabs.h shm_modetabs.h signaltabs.h sockoptnametabs.h \
+ 	socktabs.h sockleveltabs.h socktypetabs.h \
+ 	tcpoptnametabs.h typetabs.h umounttabs.h
+-noinst_PROGRAMS = gen_accesstabs_h gen_captabs_h gen_clock_h \
+-	gen_clone-flagtabs_h \
+-	gen_epoll_ctls_h gen_famtabs_h \
+-	gen_fcntl-cmdtabs_h gen_flagtabs_h gen_ioctlreqtabs_h \
+-	gen_icmptypetabs_h gen_ipctabs_h gen_ipccmdtabs_h\
+-	gen_ipoptnametabs_h gen_ip6optnametabs_h gen_nfprototabs_h \
+-	gen_mmaptabs_h gen_mounttabs_h \
+-	gen_open-flagtabs_h gen_persontabs_h \
+-	gen_prctl_opttabs_h gen_pktoptnametabs_h gen_prottabs_h \
+-	gen_recvtabs_h gen_rlimit_h gen_ptracetabs_h \
+-	gen_schedtabs_h gen_seccomptabs_h \
+-	gen_seektabs_h gen_shm_modetabs_h gen_signals_h \
+-	gen_sockoptnametabs_h gen_socktabs_h gen_sockleveltabs_h \
+-	gen_socktypetabs_h gen_tcpoptnametabs_h gen_typetabs_h \
+-	gen_umounttabs_h
+-
+-gen_accesstabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h accesstab.h
+-gen_accesstabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="accesstab.h"'
++
++gen_accesstabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h accesstab.h
++gen_accesstabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="accesstab.h"'
++gen_accesstabs_h: $(gen_accesstabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_accesstabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ accesstabs.h: gen_accesstabs_h Makefile
+ 	./gen_accesstabs_h --i2s-transtab access > $@
+ 
+-gen_captabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h captab.h
+-gen_captabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="captab.h"'
++gen_captabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h captab.h
++gen_captabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="captab.h"'
++gen_captabs_h: $(gen_captabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_captabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ captabs.h: gen_captabs_h Makefile
+ 	./gen_captabs_h --i2s cap > $@
+ 
+-gen_clock_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h clocktab.h
+-gen_clock_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="clocktab.h"'
++gen_clock_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h clocktab.h
++gen_clock_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="clocktab.h"'
++gen_clock_h: $(gen_clock_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_clock_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ clocktabs.h: gen_clock_h Makefile
+ 	./gen_clock_h --i2s clock > $@
+ 
+-gen_clone_flagtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \
++gen_clone_flagtabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \
+ 	clone-flagtab.h
+-gen_clone_flagtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="clone-flagtab.h"'
++gen_clone_flagtabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="clone-flagtab.h"'
++gen_clone-flagtabs_h: $(gen_clone_flagtabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_clone_flagtabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ clone-flagtabs.h: gen_clone-flagtabs_h Makefile
+ 	./gen_clone-flagtabs_h --i2s-transtab clone_flag > $@
+ 
+-gen_epoll_ctls_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h epoll_ctl.h
+-gen_epoll_ctls_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="epoll_ctl.h"'
++gen_epoll_ctls_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h epoll_ctl.h
++gen_epoll_ctls_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="epoll_ctl.h"'
++gen_epoll_ctls_h: $(gen_epoll_ctls_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_epoll_ctls_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ epoll_ctls.h: gen_epoll_ctls_h Makefile
+ 	./gen_epoll_ctls_h --i2s epoll_ctl > $@
+ 
+-gen_famtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h famtab.h
+-gen_famtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="famtab.h"'
++gen_famtabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h famtab.h
++gen_famtabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="famtab.h"'
++gen_famtabs_h: $(gen_famtabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_famtabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ famtabs.h: gen_famtabs_h Makefile
+ 	./gen_famtabs_h --i2s fam > $@
+ 
+-gen_flagtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h flagtab.h
++gen_flagtabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h flagtab.h
+ # ../auparse/ is used to avoid using ../lib/flagtab.h
+-gen_flagtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="../auparse/flagtab.h"'
++gen_flagtabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="../auparse/flagtab.h"'
++gen_flagtabs_h: $(gen_flagtabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_flagtabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ flagtabs.h: gen_flagtabs_h Makefile
+ 	./gen_flagtabs_h --i2s-transtab flag > $@
+ 
+-gen_fcntl_cmdtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \
++gen_fcntl_cmdtabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \
+ 	fcntl-cmdtab.h
+-gen_fcntl_cmdtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="fcntl-cmdtab.h"'
++gen_fcntl_cmdtabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="fcntl-cmdtab.h"'
++gen_fcntl-cmdtabs_h: $(gen_fcntl_cmdtabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_fcntl_cmdtabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ fcntl-cmdtabs.h: gen_fcntl-cmdtabs_h Makefile
+ 	./gen_fcntl-cmdtabs_h --i2s fcntl > $@
+ 
+-gen_icmptypetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h icmptypetab.h
+-gen_icmptypetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="icmptypetab.h"'
++gen_icmptypetabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h icmptypetab.h
++gen_icmptypetabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="icmptypetab.h"'
++gen_icmptypetabs_h: $(gen_icmptypetabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_icmptypetabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ icmptypetabs.h: gen_icmptypetabs_h Makefile
+ 	./gen_icmptypetabs_h --i2s icmptype > $@
+ 
+-gen_ioctlreqtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ioctlreqtab.h
+-gen_ioctlreqtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ioctlreqtab.h"'
++gen_ioctlreqtabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ioctlreqtab.h
++gen_ioctlreqtabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="ioctlreqtab.h"'
++gen_ioctlreqtabs_h: $(gen_ioctlreqtabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_ioctlreqtabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ ioctlreqtabs.h: gen_ioctlreqtabs_h Makefile
+ 	./gen_ioctlreqtabs_h --i2s ioctlreq > $@
+ 
+-gen_ipctabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipctab.h
+-gen_ipctabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ipctab.h"'
++gen_ipctabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipctab.h
++gen_ipctabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="ipctab.h"'
++gen_ipctabs_h: $(gen_ipctabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_ipctabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ ipctabs.h: gen_ipctabs_h Makefile
+ 	./gen_ipctabs_h --i2s ipc > $@
+ 
+-gen_ipccmdtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipccmdtab.h
+-gen_ipccmdtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ipccmdtab.h"'
++gen_ipccmdtabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipccmdtab.h
++gen_ipccmdtabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="ipccmdtab.h"'
++gen_ipccmdtabs_h: $(gen_ipccmdtabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_ipccmdtabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ ipccmdtabs.h: gen_ipccmdtabs_h Makefile
+ 	./gen_ipccmdtabs_h --i2s-transtab ipccmd > $@
+ 
+-gen_ipoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipoptnametab.h
+-gen_ipoptnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ipoptnametab.h"'
++gen_ipoptnametabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipoptnametab.h
++gen_ipoptnametabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="ipoptnametab.h"'
++gen_ipoptnametabs_h: $(gen_ipoptnametabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_ipoptnametabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ ipoptnametabs.h: gen_ipoptnametabs_h Makefile
+ 	./gen_ipoptnametabs_h --i2s ipoptname > $@
+ 
+-gen_ip6optnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ip6optnametab.h
+-gen_ip6optnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ip6optnametab.h"'
++gen_ip6optnametabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ip6optnametab.h
++gen_ip6optnametabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="ip6optnametab.h"'
++gen_ip6optnametabs_h: $(gen_ip6optnametabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_ip6optnametabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ ip6optnametabs.h: gen_ip6optnametabs_h Makefile
+ 	./gen_ip6optnametabs_h --i2s ip6optname > $@
+ 
+-gen_mmaptabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h mmaptab.h
+-gen_mmaptabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="mmaptab.h"'
++gen_mmaptabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h mmaptab.h
++gen_mmaptabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="mmaptab.h"'
++gen_mmaptabs_h: $(gen_mmaptabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_mmaptabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ mmaptabs.h: gen_mmaptabs_h Makefile
+ 	./gen_mmaptabs_h --i2s-transtab mmap > $@
+ 
+-gen_mounttabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h mounttab.h
+-gen_mounttabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="mounttab.h"'
++gen_mounttabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h mounttab.h
++gen_mounttabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="mounttab.h"'
++gen_mounttabs_h: $(gen_mounttabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_mounttabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ mounttabs.h: gen_mounttabs_h Makefile
+ 	./gen_mounttabs_h --i2s-transtab mount > $@
+ 
+-gen_nfprototabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h nfprototab.h
+-gen_nfprototabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="nfprototab.h"'
++gen_nfprototabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h nfprototab.h
++gen_nfprototabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="nfprototab.h"'
++gen_nfprototabs_h: $(gen_nfprototabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_nfprototabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ nfprototabs.h: gen_nfprototabs_h Makefile
+ 	./gen_nfprototabs_h --i2s nfproto > $@
+ 
+-gen_open_flagtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \
++gen_open_flagtabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \
+ 	open-flagtab.h
+-gen_open_flagtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="open-flagtab.h"'
++gen_open_flagtabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="open-flagtab.h"'
++gen_open-flagtabs_h: $(gen_open_flagtabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_open_flagtabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ open-flagtabs.h: gen_open-flagtabs_h Makefile
+ 	./gen_open-flagtabs_h --i2s-transtab open_flag > $@
+ 
+-gen_persontabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h persontab.h
+-gen_persontabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="persontab.h"'
++gen_persontabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h persontab.h
++gen_persontabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="persontab.h"'
++gen_persontabs_h: $(gen_persontabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_persontabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ persontabs.h: gen_persontabs_h Makefile
+ 	./gen_persontabs_h --i2s person > $@
+ 
+-gen_ptracetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ptracetab.h
+-gen_ptracetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ptracetab.h"'
++gen_ptracetabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ptracetab.h
++gen_ptracetabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="ptracetab.h"'
++gen_ptracetabs_h: $(gen_ptracetabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_ptracetabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ ptracetabs.h: gen_ptracetabs_h Makefile
+ 	./gen_ptracetabs_h --i2s ptrace > $@
+ 
+-gen_prctl_opttabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h prctl-opt-tab.h
+-gen_prctl_opttabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="prctl-opt-tab.h"'
++gen_prctl_opttabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h prctl-opt-tab.h
++gen_prctl_opttabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="prctl-opt-tab.h"'
++gen_prctl_opttabs_h: $(gen_prctl_opttabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_prctl_opttabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ prctl_opttabs.h: gen_prctl_opttabs_h Makefile
+ 	./gen_prctl_opttabs_h --i2s prctl_opt > $@
+ 
+-gen_pktoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h pktoptnametab.h
+-gen_pktoptnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="pktoptnametab.h"'
++gen_pktoptnametabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h pktoptnametab.h
++gen_pktoptnametabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="pktoptnametab.h"'
++gen_pktoptnametabs_h: $(gen_pktoptnametabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_pktoptnametabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ pktoptnametabs.h: gen_pktoptnametabs_h Makefile
+ 	./gen_pktoptnametabs_h --i2s pktoptname > $@
+ 
+-gen_prottabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h prottab.h
+-gen_prottabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="prottab.h"'
++gen_prottabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h prottab.h
++gen_prottabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="prottab.h"'
++gen_prottabs_h: $(gen_prottabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_prottabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ prottabs.h: gen_prottabs_h Makefile
+ 	./gen_prottabs_h --i2s-transtab prot > $@
+ 
+-gen_recvtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h recvtab.h
+-gen_recvtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="recvtab.h"'
++gen_recvtabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h recvtab.h
++gen_recvtabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="recvtab.h"'
++gen_recvtabs_h: $(gen_recvtabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_recvtabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ recvtabs.h: gen_recvtabs_h Makefile
+ 	./gen_recvtabs_h --i2s-transtab recv > $@
+ 
+-gen_rlimit_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h rlimittab.h
+-gen_rlimit_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="rlimittab.h"'
++gen_rlimit_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h rlimittab.h
++gen_rlimit_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="rlimittab.h"'
++gen_rlimit_h: $(gen_rlimit_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_rlimit_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ rlimittabs.h: gen_rlimit_h Makefile
+ 	./gen_rlimit_h --i2s rlimit > $@
+ 
+-gen_schedtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h schedtab.h
+-gen_schedtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="schedtab.h"'
++gen_schedtabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h schedtab.h
++gen_schedtabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="schedtab.h"'
++gen_schedtabs_h: $(gen_schedtabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_schedtabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ schedtabs.h: gen_schedtabs_h Makefile
+ 	./gen_schedtabs_h --i2s sched > $@
+ 
+-gen_seccomptabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h seccomptab.h
+-gen_seccomptabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="seccomptab.h"'
++gen_seccomptabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h seccomptab.h
++gen_seccomptabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="seccomptab.h"'
++gen_seccomptabs_h: $(gen_seccomptabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_seccomptabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ seccomptabs.h: gen_seccomptabs_h Makefile
+ 	./gen_seccomptabs_h --i2s seccomp > $@
+ 
+-gen_seektabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h seektab.h
+-gen_seektabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="seektab.h"'
++gen_seektabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h seektab.h
++gen_seektabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="seektab.h"'
++gen_seektabs_h: $(gen_seektabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_seektabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ seektabs.h: gen_seektabs_h Makefile
+ 	./gen_seektabs_h --i2s seek > $@
+ 
+-gen_shm_modetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h shm_modetab.h
+-gen_shm_modetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="shm_modetab.h"'
++gen_shm_modetabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h shm_modetab.h
++gen_shm_modetabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="shm_modetab.h"'
++gen_shm_modetabs_h: $(gen_shm_modetabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_shm_modetabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ shm_modetabs.h: gen_shm_modetabs_h Makefile
+ 	./gen_shm_modetabs_h --i2s-transtab shm_mode > $@
+ 
+-gen_signals_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h signaltab.h
+-gen_signals_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="signaltab.h"'
++gen_signals_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h signaltab.h
++gen_signals_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="signaltab.h"'
++gen_signals_h: $(gen_signals_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_signals_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ signaltabs.h: gen_signals_h Makefile
+ 	./gen_signals_h --i2s signal > $@
+ 
+-gen_sockleveltabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h sockleveltab.h
+-gen_sockleveltabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="sockleveltab.h"'
++gen_sockleveltabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h sockleveltab.h
++gen_sockleveltabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="sockleveltab.h"'
++gen_sockleveltabs_h: $(gen_sockleveltabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_sockleveltabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ sockleveltabs.h: gen_sockleveltabs_h Makefile
+ 	./gen_sockleveltabs_h --i2s socklevel > $@
+ 
+-gen_sockoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h sockoptnametab.h
+-gen_sockoptnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="sockoptnametab.h"'
++gen_sockoptnametabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h sockoptnametab.h
++gen_sockoptnametabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="sockoptnametab.h"'
++gen_sockoptnametabs_h: $(gen_sockoptnametabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_sockoptnametabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ sockoptnametabs.h: gen_sockoptnametabs_h Makefile
+ 	./gen_sockoptnametabs_h --i2s sockoptname > $@
+ 
+-gen_socktabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h socktab.h
+-gen_socktabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="socktab.h"'
++gen_socktabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h socktab.h
++gen_socktabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="socktab.h"'
++gen_socktabs_h: $(gen_socktabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_socktabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ socktabs.h: gen_socktabs_h Makefile
+ 	./gen_socktabs_h --i2s sock > $@
+ 
+-gen_socktypetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h socktypetab.h
+-gen_socktypetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="socktypetab.h"'
++gen_socktypetabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h socktypetab.h
++gen_socktypetabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="socktypetab.h"'
++gen_socktypetabs_h: $(gen_socktypetabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_socktypetabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ socktypetabs.h: gen_socktypetabs_h Makefile
+ 	./gen_socktypetabs_h --i2s sock_type > $@
+ 
+-gen_tcpoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h tcpoptnametab.h
+-gen_tcpoptnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="tcpoptnametab.h"'
++gen_tcpoptnametabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h tcpoptnametab.h
++gen_tcpoptnametabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="tcpoptnametab.h"'
++gen_tcpoptnametabs_h: $(gen_tcpoptnametabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_tcpoptnametabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ tcpoptnametabs.h: gen_tcpoptnametabs_h Makefile
+ 	./gen_tcpoptnametabs_h --i2s tcpoptname > $@
+ 
+-gen_typetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h typetab.h
+-gen_typetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="typetab.h"'
++gen_typetabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h typetab.h
++gen_typetabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="typetab.h"'
++gen_typetabs_h: $(gen_typetabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_typetabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ typetabs.h: gen_typetabs_h Makefile
+ 	./gen_typetabs_h --s2i type > $@
+ 
+-gen_umounttabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h umounttab.h
+-gen_umounttabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="umounttab.h"'
++gen_umounttabs_h_BUILDSOURCES = ../lib/gen_tables.c ../lib/gen_tables.h umounttab.h
++gen_umounttabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="umounttab.h"'
++gen_umounttabs_h: $(gen_umounttabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_umounttabs_h_BUILDCFLAGS) \
++		-o $@ ../lib/gen_tables.c
+ umounttabs.h: gen_umounttabs_h Makefile
+ 	./gen_umounttabs_h --i2s-transtab umount > $@
+ 
+diff --git a/configure.ac b/configure.ac
+index 727c258..c66b3e2 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -51,6 +51,7 @@ echo Checking for programs
+ AC_PROG_CC
+ AC_PROG_INSTALL
+ AC_PROG_AWK
++AX_PROG_CC_FOR_BUILD
+ 
+ echo .
+ echo Checking for header files
+diff --git a/lib/Makefile.am b/lib/Makefile.am
+index 3560a88..1e5ec9f 100644
+--- a/lib/Makefile.am
++++ b/lib/Makefile.am
+@@ -55,109 +55,146 @@ endif
+ if USE_AARCH64
+ BUILT_SOURCES += aarch64_tables.h
+ endif
+-noinst_PROGRAMS = gen_actiontabs_h gen_errtabs_h gen_fieldtabs_h \
+-	gen_flagtabs_h gen_ftypetabs_h gen_i386_tables_h \
+-	gen_ia64_tables_h gen_machinetabs_h gen_msg_typetabs_h \
+-	gen_optabs_h gen_ppc_tables_h gen_s390_tables_h \
+-	gen_s390x_tables_h gen_x86_64_tables_h
+-if USE_ALPHA
+-noinst_PROGRAMS += gen_alpha_tables_h
+-endif
+-if USE_ARM
+-noinst_PROGRAMS += gen_arm_tables_h
+-endif
+-if USE_AARCH64
+-noinst_PROGRAMS += gen_aarch64_tables_h
+-endif
+-gen_actiontabs_h_SOURCES = gen_tables.c gen_tables.h actiontab.h
+-gen_actiontabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="actiontab.h"'
++gen_actiontabs_h_BUILDSOURCES = gen_tables.c gen_tables.h actiontab.h
++gen_actiontabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="actiontab.h"'
++gen_actiontabs_h: $(gen_actiontabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_actiontabs_h_BUILDCFLAGS) \
++		-o $@ gen_tables.c
+ actiontabs.h: gen_actiontabs_h Makefile
+ 	./gen_actiontabs_h --lowercase --i2s --s2i action > $@
+ 
+ if USE_ALPHA
+-gen_alpha_tables_h_SOURCES = gen_tables.c gen_tables.h alpha_table.h
+-gen_alpha_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="alpha_table.h"'
++gen_alpha_tables_h_BUILDSOURCES = gen_tables.c gen_tables.h alpha_table.h
++gen_alpha_tables_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="alpha_table.h"'
++gen_alpha_tables_h : $(gen_alpha_tables_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_alpha_tables_h_BUILDCFLAGS) \
++		-o $@ gen_tables.c
+ alpha_tables.h: gen_alpha_tables_h Makefile
+ 	./gen_alpha_tables_h --lowercase --i2s --s2i alpha_syscall > $@
+ endif
+ 
+ if USE_ARM
+-gen_arm_tables_h_SOURCES = gen_tables.c gen_tables.h arm_table.h
+-gen_arm_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="arm_table.h"'
++gen_arm_tables_h_BUILDSOURCES = gen_tables.c gen_tables.h arm_table.h
++gen_arm_tables_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="arm_table.h"'
++gen_arm_tables_h : $(gen_arm_tables_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_arm_tables_h_BUILDCFLAGS) \
++		-o $@ gen_tables.c
+ arm_tables.h: gen_arm_tables_h Makefile
+ 	./gen_arm_tables_h --lowercase --i2s --s2i arm_syscall > $@
+ endif
+ 
+ if USE_AARCH64
+-gen_aarch64_tables_h_SOURCES = gen_tables.c gen_tables.h aarch64_table.h
+-gen_aarch64_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="aarch64_table.h"'
++gen_aarch64_tables_h_BUILDSOURCES = gen_tables.c gen_tables.h aarch64_table.h
++gen_aarch64_tables_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="aarch64_table.h"'
++gen_aarch64_tables_h : $(gen_aarch64_tables_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_aarch64_tables_h_BUILDCFLAGS) \
++		-o $@ gen_tables.c
+ aarch64_tables.h: gen_aarch64_tables_h Makefile
+ 	./gen_aarch64_tables_h --lowercase --i2s --s2i aarch64_syscall > $@
+ endif
+ 
+-gen_errtabs_h_SOURCES = gen_tables.c gen_tables.h errtab.h
+-gen_errtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="errtab.h"'
++gen_errtabs_h_BUILDSOURCES = gen_tables.c gen_tables.h errtab.h
++gen_errtabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="errtab.h"'
++gen_errtabs_h : $(gen_errtabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_errtabs_h_BUILDCFLAGS) \
++		-o $@ gen_tables.c
+ errtabs.h: gen_errtabs_h Makefile
+ 	./gen_errtabs_h --duplicate-ints --uppercase --i2s --s2i err > $@
+ 
+-gen_fieldtabs_h_SOURCES = gen_tables.c gen_tables.h fieldtab.h
+-gen_fieldtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="fieldtab.h"'
++gen_fieldtabs_h_BUILDSOURCES = gen_tables.c gen_tables.h fieldtab.h
++gen_fieldtabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="fieldtab.h"'
++gen_fieldtabs_h : $(gen_fieldtabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_fieldtabs_h_BUILDCFLAGS) \
++		-o $@ gen_tables.c
+ fieldtabs.h: gen_fieldtabs_h Makefile
+ 	./gen_fieldtabs_h --duplicate-ints --lowercase --i2s --s2i field > $@
+ 
+-gen_flagtabs_h_SOURCES = gen_tables.c gen_tables.h flagtab.h
+-gen_flagtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="flagtab.h"'
++gen_flagtabs_h_BUILDSOURCES = gen_tables.c gen_tables.h flagtab.h
++gen_flagtabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="flagtab.h"'
++gen_flagtabs_h : $(gen_flagtabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_flagtabs_h_BUILDCFLAGS) \
++		-o $@ gen_tables.c
+ flagtabs.h: gen_flagtabs_h Makefile
+ 	./gen_flagtabs_h --lowercase --i2s --s2i flag > $@
+ 
+-gen_ftypetabs_h_SOURCES = gen_tables.c gen_tables.h ftypetab.h
+-gen_ftypetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ftypetab.h"'
++gen_ftypetabs_h_BUILDSOURCES = gen_tables.c gen_tables.h ftypetab.h
++gen_ftypetabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="ftypetab.h"'
++gen_ftypetabs_h : $(gen_ftypetabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_ftypetabs_h_BUILDCFLAGS) \
++		-o $@ gen_tables.c
+ ftypetabs.h: gen_ftypetabs_h Makefile
+ 	./gen_ftypetabs_h --lowercase --i2s --s2i ftype > $@
+ 
+-gen_i386_tables_h_SOURCES = gen_tables.c gen_tables.h i386_table.h
+-gen_i386_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="i386_table.h"'
++gen_i386_tables_h_BUILDSOURCES = gen_tables.c gen_tables.h i386_table.h
++gen_i386_tables_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="i386_table.h"'
++gen_i386_tables_h : $(gen_i386_tables_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_i386_tables_h_BUILDCFLAGS) \
++		-o $@ gen_tables.c
+ i386_tables.h: gen_i386_tables_h Makefile
+ 	./gen_i386_tables_h --duplicate-ints --lowercase --i2s --s2i \
+ 		i386_syscall > $@
+ 
+-gen_ia64_tables_h_SOURCES = gen_tables.c gen_tables.h ia64_table.h
+-gen_ia64_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ia64_table.h"'
++gen_ia64_tables_h_BUILDSOURCES = gen_tables.c gen_tables.h ia64_table.h
++gen_ia64_tables_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="ia64_table.h"'
++gen_ia64_tables_h : $(gen_ia64_tables_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_ia64_tables_h_BUILDCFLAGS) \
++		-o $@ gen_tables.c
+ ia64_tables.h: gen_ia64_tables_h Makefile
+ 	./gen_ia64_tables_h --lowercase --i2s --s2i ia64_syscall > $@
+ 
+-gen_machinetabs_h_SOURCES = gen_tables.c gen_tables.h machinetab.h
+-gen_machinetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="machinetab.h"'
++gen_machinetabs_h_BUILDSOURCES = gen_tables.c gen_tables.h machinetab.h
++gen_machinetabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="machinetab.h"'
++gen_machinetabs_h : $(gen_machinetabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_machinetabs_h_BUILDCFLAGS) \
++		-o $@ gen_tables.c
+ machinetabs.h: gen_machinetabs_h Makefile
+ 	./gen_machinetabs_h --duplicate-ints --lowercase --i2s --s2i machine \
+ 		> $@
+ 
+-gen_msg_typetabs_h_SOURCES = gen_tables.c gen_tables.h msg_typetab.h
+-gen_msg_typetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="msg_typetab.h"'
++gen_msg_typetabs_h_BUILDSOURCES = gen_tables.c gen_tables.h msg_typetab.h
++gen_msg_typetabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="msg_typetab.h"'
++gen_msg_typetabs_h : $(gen_msg_typetabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_msg_typetabs_h_BUILDCFLAGS) \
++		-o $@ gen_tables.c
+ msg_typetabs.h: gen_msg_typetabs_h Makefile
+ 	./gen_msg_typetabs_h --uppercase --i2s --s2i msg_type > $@
+ 
+-gen_optabs_h_SOURCES = gen_tables.c gen_tables.h optab.h
+-gen_optabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="optab.h"'
++gen_optabs_h_BUILDSOURCES = gen_tables.c gen_tables.h optab.h
++gen_optabs_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="optab.h"'
++gen_optabs_h : $(gen_optabs_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_optabs_h_BUILDCFLAGS) \
++		-o $@ gen_tables.c
+ optabs.h: gen_optabs_h Makefile
+ 	./gen_optabs_h --i2s op > $@
+ 
+-gen_ppc_tables_h_SOURCES = gen_tables.c gen_tables.h ppc_table.h
+-gen_ppc_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ppc_table.h"'
++gen_ppc_tables_h_BUILDSOURCES = gen_tables.c gen_tables.h ppc_table.h
++gen_ppc_tables_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="ppc_table.h"'
++gen_ppc_tables_h : $(gen_ppc_tables_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_ppc_tables_h_BUILDCFLAGS) \
++		-o $@ gen_tables.c
+ ppc_tables.h: gen_ppc_tables_h Makefile
+ 	./gen_ppc_tables_h --lowercase --i2s --s2i ppc_syscall > $@
+ 
+-gen_s390_tables_h_SOURCES = gen_tables.c gen_tables.h s390_table.h
+-gen_s390_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="s390_table.h"'
++gen_s390_tables_h_BUILDSOURCES = gen_tables.c gen_tables.h s390_table.h
++gen_s390_tables_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="s390_table.h"'
++gen_s390_tables_h : $(gen_s390_tables_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_s390_tables_h_BUILDCFLAGS) \
++		-o $@ gen_tables.c
+ s390_tables.h: gen_s390_tables_h Makefile
+ 	./gen_s390_tables_h --lowercase --i2s --s2i s390_syscall > $@
+ 
+-gen_s390x_tables_h_SOURCES = gen_tables.c gen_tables.h s390x_table.h
+-gen_s390x_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="s390x_table.h"'
++gen_s390x_tables_h_BUILDSOURCES = gen_tables.c gen_tables.h s390x_table.h
++gen_s390x_tables_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="s390x_table.h"'
++gen_s390x_tables_h : $(gen_s390x_tables_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_s390x_tables_h_BUILDCFLAGS) \
++		-o $@ gen_tables.c
+ s390x_tables.h: gen_s390x_tables_h Makefile
+ 	./gen_s390x_tables_h --lowercase --i2s --s2i s390x_syscall > $@
+ 
+-gen_x86_64_tables_h_SOURCES = gen_tables.c gen_tables.h x86_64_table.h
+-gen_x86_64_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="x86_64_table.h"'
++gen_x86_64_tables_h_BUILDSOURCES = gen_tables.c gen_tables.h x86_64_table.h
++gen_x86_64_tables_h_BUILDCFLAGS = $(CFLAGS_FOR_BUILD) '-DTABLE_H="x86_64_table.h"'
++gen_x86_64_tables_h : $(gen_x86_64_tables_h_BUILDSOURCES)
++	$(CC_FOR_BUILD) $(INCLUDES) $(gen_x86_64_tables_h_BUILDCFLAGS) \
++		-o $@ gen_tables.c
+ x86_64_tables.h: gen_x86_64_tables_h Makefile
+ 	./gen_x86_64_tables_h --lowercase --i2s --s2i x86_64_syscall > $@
+diff --git a/m4/ax_prog_cc_for_build.m4 b/m4/ax_prog_cc_for_build.m4
+new file mode 100644
+index 0000000..77fd346
+--- /dev/null
++++ b/m4/ax_prog_cc_for_build.m4
+@@ -0,0 +1,125 @@
++# ===========================================================================
++#   http://www.gnu.org/software/autoconf-archive/ax_prog_cc_for_build.html
++# ===========================================================================
++#
++# SYNOPSIS
++#
++#   AX_PROG_CC_FOR_BUILD
++#
++# DESCRIPTION
++#
++#   This macro searches for a C compiler that generates native executables,
++#   that is a C compiler that surely is not a cross-compiler. This can be
++#   useful if you have to generate source code at compile-time like for
++#   example GCC does.
++#
++#   The macro sets the CC_FOR_BUILD and CPP_FOR_BUILD macros to anything
++#   needed to compile or link (CC_FOR_BUILD) and preprocess (CPP_FOR_BUILD).
++#   The value of these variables can be overridden by the user by specifying
++#   a compiler with an environment variable (like you do for standard CC).
++#
++#   It also sets BUILD_EXEEXT and BUILD_OBJEXT to the executable and object
++#   file extensions for the build platform, and GCC_FOR_BUILD to `yes' if
++#   the compiler we found is GCC. All these variables but GCC_FOR_BUILD are
++#   substituted in the Makefile.
++#
++# LICENSE
++#
++#   Copyright (c) 2008 Paolo Bonzini <bonzini@gnu.org>
++#
++#   Copying and distribution of this file, with or without modification, are
++#   permitted in any medium without royalty provided the copyright notice
++#   and this notice are preserved. This file is offered as-is, without any
++#   warranty.
++
++#serial 8
++
++AU_ALIAS([AC_PROG_CC_FOR_BUILD], [AX_PROG_CC_FOR_BUILD])
++AC_DEFUN([AX_PROG_CC_FOR_BUILD], [dnl
++AC_REQUIRE([AC_PROG_CC])dnl
++AC_REQUIRE([AC_PROG_CPP])dnl
++AC_REQUIRE([AC_EXEEXT])dnl
++AC_REQUIRE([AC_CANONICAL_HOST])dnl
++
++dnl Use the standard macros, but make them use other variable names
++dnl
++pushdef([ac_cv_prog_CPP], ac_cv_build_prog_CPP)dnl
++pushdef([ac_cv_prog_gcc], ac_cv_build_prog_gcc)dnl
++pushdef([ac_cv_prog_cc_works], ac_cv_build_prog_cc_works)dnl
++pushdef([ac_cv_prog_cc_cross], ac_cv_build_prog_cc_cross)dnl
++pushdef([ac_cv_prog_cc_g], ac_cv_build_prog_cc_g)dnl
++pushdef([ac_cv_exeext], ac_cv_build_exeext)dnl
++pushdef([ac_cv_objext], ac_cv_build_objext)dnl
++pushdef([ac_exeext], ac_build_exeext)dnl
++pushdef([ac_objext], ac_build_objext)dnl
++pushdef([CC], CC_FOR_BUILD)dnl
++pushdef([CPP], CPP_FOR_BUILD)dnl
++pushdef([CFLAGS], CFLAGS_FOR_BUILD)dnl
++pushdef([CPPFLAGS], CPPFLAGS_FOR_BUILD)dnl
++pushdef([LDFLAGS], LDFLAGS_FOR_BUILD)dnl
++pushdef([host], build)dnl
++pushdef([host_alias], build_alias)dnl
++pushdef([host_cpu], build_cpu)dnl
++pushdef([host_vendor], build_vendor)dnl
++pushdef([host_os], build_os)dnl
++pushdef([ac_cv_host], ac_cv_build)dnl
++pushdef([ac_cv_host_alias], ac_cv_build_alias)dnl
++pushdef([ac_cv_host_cpu], ac_cv_build_cpu)dnl
++pushdef([ac_cv_host_vendor], ac_cv_build_vendor)dnl
++pushdef([ac_cv_host_os], ac_cv_build_os)dnl
++pushdef([ac_cpp], ac_build_cpp)dnl
++pushdef([ac_compile], ac_build_compile)dnl
++pushdef([ac_link], ac_build_link)dnl
++
++save_cross_compiling=$cross_compiling
++save_ac_tool_prefix=$ac_tool_prefix
++cross_compiling=no
++ac_tool_prefix=
++
++AC_PROG_CC
++AC_PROG_CPP
++AC_EXEEXT
++
++ac_tool_prefix=$save_ac_tool_prefix
++cross_compiling=$save_cross_compiling
++
++dnl Restore the old definitions
++dnl
++popdef([ac_link])dnl
++popdef([ac_compile])dnl
++popdef([ac_cpp])dnl
++popdef([ac_cv_host_os])dnl
++popdef([ac_cv_host_vendor])dnl
++popdef([ac_cv_host_cpu])dnl
++popdef([ac_cv_host_alias])dnl
++popdef([ac_cv_host])dnl
++popdef([host_os])dnl
++popdef([host_vendor])dnl
++popdef([host_cpu])dnl
++popdef([host_alias])dnl
++popdef([host])dnl
++popdef([LDFLAGS])dnl
++popdef([CPPFLAGS])dnl
++popdef([CFLAGS])dnl
++popdef([CPP])dnl
++popdef([CC])dnl
++popdef([ac_objext])dnl
++popdef([ac_exeext])dnl
++popdef([ac_cv_objext])dnl
++popdef([ac_cv_exeext])dnl
++popdef([ac_cv_prog_cc_g])dnl
++popdef([ac_cv_prog_cc_cross])dnl
++popdef([ac_cv_prog_cc_works])dnl
++popdef([ac_cv_prog_gcc])dnl
++popdef([ac_cv_prog_CPP])dnl
++
++dnl Finally, set Makefile variables
++dnl
++BUILD_EXEEXT=$ac_build_exeext
++BUILD_OBJEXT=$ac_build_objext
++AC_SUBST(BUILD_EXEEXT)dnl
++AC_SUBST(BUILD_OBJEXT)dnl
++AC_SUBST([CFLAGS_FOR_BUILD])dnl
++AC_SUBST([CPPFLAGS_FOR_BUILD])dnl
++AC_SUBST([LDFLAGS_FOR_BUILD])dnl
++])
+-- 
+1.9.1
+
diff --git a/package/audit/0002-Remove-zos-remote-plugin.patch b/package/audit/0002-Remove-zos-remote-plugin.patch
new file mode 100644
index 0000000..1c8180d
--- /dev/null
+++ b/package/audit/0002-Remove-zos-remote-plugin.patch
@@ -0,0 +1,54 @@
+From 145a6ddfc8cfcd20bbb505637e50191655128fbb Mon Sep 17 00:00:00 2001
+From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+Date: Thu, 26 Mar 2015 12:33:10 -0500
+Subject: [PATCH] Remove zos-remote plugin
+
+The zos-remote plugin is meant to use LDAP authentication to verify a
+remote audit user. This is not a package that is available or desired in
+an embedded target. Removing the plugin from the build until it is
+able to be turned off from configure.
+
+Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+---
+ audisp/plugins/Makefile.am | 2 +-
+ audisp/plugins/Makefile.in | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/audisp/plugins/Makefile.am b/audisp/plugins/Makefile.am
+index b0fa60a..3d6f4e6 100644
+--- a/audisp/plugins/Makefile.am
++++ b/audisp/plugins/Makefile.am
+@@ -22,7 +22,7 @@
+ 
+ CONFIG_CLEAN_FILES = *.loT *.rej *.orig
+ 
+-SUBDIRS = builtins zos-remote remote
++SUBDIRS = builtins remote
+ #SUBDIRS = builtins zos-remote
+ if HAVE_PRELUDE
+ SUBDIRS += prelude
+diff --git a/audisp/plugins/Makefile.in b/audisp/plugins/Makefile.in
+index 57da3a3..219c1f5 100644
+--- a/audisp/plugins/Makefile.in
++++ b/audisp/plugins/Makefile.in
+@@ -169,7 +169,7 @@ am__define_uniq_tagged_files = \
+   done | $(am__uniquify_input)`
+ ETAGS = etags
+ CTAGS = ctags
+-DIST_SUBDIRS = builtins zos-remote remote prelude
++DIST_SUBDIRS = builtins remote prelude
+ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ am__relativize = \
+   dir0=`pwd`; \
+@@ -336,7 +336,7 @@ top_build_prefix = @top_build_prefix@
+ top_builddir = @top_builddir@
+ top_srcdir = @top_srcdir@
+ CONFIG_CLEAN_FILES = *.loT *.rej *.orig
+-SUBDIRS = builtins zos-remote remote $(am__append_1)
++SUBDIRS = builtins remote $(am__append_1)
+ all: all-recursive
+ 
+ .SUFFIXES:
+-- 
+1.9.1
+
diff --git a/package/audit/0003-Default-ADDR_NO_RANDOMIZE-if-not-found.patch b/package/audit/0003-Default-ADDR_NO_RANDOMIZE-if-not-found.patch
new file mode 100644
index 0000000..66f5998
--- /dev/null
+++ b/package/audit/0003-Default-ADDR_NO_RANDOMIZE-if-not-found.patch
@@ -0,0 +1,44 @@
+From dcf9e2fcf76259ab7fcaf3086e1b67e507260aa4 Mon Sep 17 00:00:00 2001
+From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+Date: Tue, 31 Mar 2015 08:00:21 -0500
+Subject: [PATCH] Default ADDR_NO_RANDOMIZE if not found
+
+Some older toolchains do not declare ADDR_NO_RANDOMIZE. Add a check for
+it during configure and default it if it is not found.
+
+Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+---
+ auparse/interpret.c | 4 ++++
+ configure.ac        | 1 +
+ 2 files changed, 5 insertions(+)
+
+diff --git a/auparse/interpret.c b/auparse/interpret.c
+index b9b8312..ef3c6d1 100644
+--- a/auparse/interpret.c
++++ b/auparse/interpret.c
+@@ -53,6 +53,10 @@
+ #include "auparse-defs.h"
+ #include "gen_tables.h"
+ 
++#if !HAVE_DECL_ADDR_NO_RANDOMIZE
++# define ADDR_NO_RANDOMIZE       0x0040000
++#endif
++
+ /* This is from asm/ipc.h. Copying it for now as some platforms
+  * have broken headers. */
+ #define SEMOP            1
+diff --git a/configure.ac b/configure.ac
+index c66b3e2..76b3b85 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -66,6 +66,7 @@ AM_PROG_CC_C_O
+ AC_CHECK_DECLS([MS_DIRSYNC], [], [], [[#include <sys/mount.h>]])
+ AC_CHECK_DECLS([AUDIT_FEATURE_VERSION], [], [], [[#include <linux/audit.h>]])
+ AC_CHECK_DECLS([AUDIT_VERSION_BACKLOG_WAIT_TIME], [], [], [[#include <linux/audit.h>]])
++AC_CHECK_DECLS([ADDR_NO_RANDOMIZE],,, [#include <sys/personality.h>])
+ 
+ ALLWARNS=""
+ ALLDEBUG="-g"
+-- 
+1.9.1
+
diff --git a/package/audit/0004-Do-not-call-posix_fallocate-on-uClibc.patch b/package/audit/0004-Do-not-call-posix_fallocate-on-uClibc.patch
new file mode 100644
index 0000000..87ea6a8
--- /dev/null
+++ b/package/audit/0004-Do-not-call-posix_fallocate-on-uClibc.patch
@@ -0,0 +1,45 @@
+From 8b65b6788140ba169edb620a2abcf438521919ed Mon Sep 17 00:00:00 2001
+From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+Date: Wed, 1 Apr 2015 07:49:54 -0500
+Subject: [PATCH] Do not call posix_fallocate() on uClibc
+
+uClibc does not implement posix_fallocate(), and posix_fallocate() is
+mostly only a hint to the kernel that we will need such or such
+amount of space inside a file. So we just don't call posix_fallocate()
+when building against uClibc.
+
+Patch copies functionality implemented by Thomas for the
+lttng-babeltrace package.
+
+Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+---
+ audisp/plugins/remote/queue.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/audisp/plugins/remote/queue.c b/audisp/plugins/remote/queue.c
+index 79eebd7..cfbee93 100644
+--- a/audisp/plugins/remote/queue.c
++++ b/audisp/plugins/remote/queue.c
+@@ -26,6 +26,7 @@
+ #include <arpa/inet.h>
+ #include <errno.h>
+ #include <fcntl.h>
++#include <features.h>
+ #include <limits.h>
+ #include <stddef.h>
+ #include <stdint.h>
+@@ -215,9 +216,11 @@ static int q_open_file(struct queue *q, const char *path)
+ 			return -1;
+ 		if (q_sync(q) != 0)
+ 			return -1;
++#ifndef __UCLIBC__
+ 		if (posix_fallocate(q->fd, 0,
+ 				    (q->num_entries + 1) * q->entry_size) != 0)
+ 			return -1;
++#endif
+ 	} else {
+ 		uint32_t file_entries;
+ 		if (full_pread(q->fd, &fh, sizeof(fh), 0) != 0)
+-- 
+1.9.1
+
diff --git a/package/audit/0005-fix-header-detection-when-cross-compiling.patch b/package/audit/0005-fix-header-detection-when-cross-compiling.patch
new file mode 100644
index 0000000..dd6600a
--- /dev/null
+++ b/package/audit/0005-fix-header-detection-when-cross-compiling.patch
@@ -0,0 +1,46 @@
+From dc1f089478991c49f6ad53eef53210db2414a832 Mon Sep 17 00:00:00 2001
+From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+Date: Wed, 8 Apr 2015 08:49:26 -0500
+Subject: [PATCH] Fix header detection when cross compiling
+
+During the build, there is a check to see if MS_DIRSYNC is defined in
+mount.h. This check is used in gen_tables.c to see if linux/fs.h needs
+to be included. When cross compiling on a system that does not have the
+MS_DIRSYNC defined in mount.h, a compile failure is generated. To
+prevent this issue, do not check for MS_DIRSYNC in the configure and
+simply check to see if MS_DIRSYNC is defined before included linux/fs.h.
+
+Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+---
+ configure.ac     | 1 -
+ lib/gen_tables.c | 2 +-
+ 2 files changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 76b3b85..4cfc276 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -63,7 +63,6 @@ AC_C_INLINE
+ AC_CHECK_SIZEOF([unsigned int])
+ AC_CHECK_SIZEOF([unsigned long])
+ AM_PROG_CC_C_O
+-AC_CHECK_DECLS([MS_DIRSYNC], [], [], [[#include <sys/mount.h>]])
+ AC_CHECK_DECLS([AUDIT_FEATURE_VERSION], [], [], [[#include <linux/audit.h>]])
+ AC_CHECK_DECLS([AUDIT_VERSION_BACKLOG_WAIT_TIME], [], [], [[#include <linux/audit.h>]])
+ AC_CHECK_DECLS([ADDR_NO_RANDOMIZE],,, [#include <sys/personality.h>])
+diff --git a/lib/gen_tables.c b/lib/gen_tables.c
+index 8606a39..9f25b50 100644
+--- a/lib/gen_tables.c
++++ b/lib/gen_tables.c
+@@ -33,7 +33,7 @@
+ #include <sys/stat.h>
+ #include <sys/personality.h>
+ #include <sys/mount.h>
+-#if !HAVE_DECL_MS_DIRSYNC
++#ifndef MS_DIRSYNC
+ #include <linux/fs.h>
+ #endif
+ #include "gen_tables.h"
+-- 
+1.9.1
+
diff --git a/package/audit/Config.in b/package/audit/Config.in
new file mode 100644
index 0000000..5cf1c26
--- /dev/null
+++ b/package/audit/Config.in
@@ -0,0 +1,17 @@
+config BR2_PACKAGE_AUDIT
+	bool "audit"
+	# needs memory fences for internal libev
+	depends on !BR2_bfin
+	depends on BR2_TOOLCHAIN_HAS_THREADS
+	help
+	  The audit package contains the user space utilities for
+	  storing and searching the audit records generated by
+	  the audit subsystem in the Linux 2.6 kernel
+
+	  Note: The z/OS remote plugin is disabled in this package
+
+	  http://people.redhat.com/sgrubb/audit/
+
+comment "audit needs a toolchain w/ threads"
+	depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_bfin
+
diff --git a/package/audit/S01auditd b/package/audit/S01auditd
new file mode 100644
index 0000000..9083bfe
--- /dev/null
+++ b/package/audit/S01auditd
@@ -0,0 +1,169 @@
+#!/bin/sh
+#
+# auditd        This starts and stops auditd
+#
+# description: This starts the Linux Auditing System Daemon, \
+#              which collects security related events in a dedicated \
+#              audit log. If this daemon is turned off, audit events \
+#              will be sent to syslog.
+#
+# processname: /usr/sbin/auditd
+# config: /etc/sysconfig/auditd
+# config: /etc/audit/auditd.conf
+# pidfile: /var/run/auditd.pid
+#
+# Return values according to LSB for all commands but status:
+# 0 - success
+# 1 - generic or unspecified error
+# 3 - unimplemented feature (e.g. "reload")
+# 4 - insufficient privilege
+# 5 - program is not installed
+# 6 - program is not configured
+# 7 - program is not running
+#
+prog="auditd"
+
+# Check that we are root ... so non-root users stop here
+test $EUID=0  ||  exit 4
+
+# Check config
+test -f /etc/sysconfig/auditd && . /etc/sysconfig/auditd
+
+RETVAL=0
+LOCK=/var/lock/subsys/auditd
+
+start(){
+   echo -n "Initializing $prog: "
+
+   if [ ! -e $LOCK ]; then
+      test -x /usr/sbin/auditd  || exit 5
+      test -f /etc/audit/auditd.conf  || exit 6
+
+      # Create dir to store log files in if one doesn't exist
+      test -d /var/log/audit || mkdir /var/log/audit -Z `matchpathcon /var/log/audit | cut -f 2`
+
+      # Run audit daemon executable
+      $prog
+      RETVAL=$?
+      if test $RETVAL = 0 ; then
+         test -d /var/lock/subsys || mkdir -p /var/lock/subsys
+         touch $LOCK
+         # Load the default rules
+         test -f /etc/audit/rules.d/audit.rules && /usr/sbin/auditctl -R /etc/audit/rules.d/audit.rules >/dev/null
+         echo "OK"
+      else
+         echo "FAILED: auditd failed to start"
+      fi
+   else
+      echo "FAILED: auditd already started, stop first"
+      RETVAL=1
+   fi
+   return $RETVAL
+}
+
+stop(){
+   echo -n "Uninitializing $prog: "
+   if [ -e $LOCK ]; then
+      killall -TERM $prog
+      RETVAL=$?
+      if [ $RETVAL ]; then
+         rm -f $LOCK
+         # Remove watches so shutdown works cleanly
+         if test x"$AUDITD_CLEAN_STOP" != "x" ; then
+            if test "`echo $AUDITD_CLEAN_STOP | tr 'NO' 'no'`" != "no"
+            then
+               /usr/sbin/auditctl -D >/dev/null
+            fi
+         fi
+         if test x"$AUDITD_STOP_DISABLE" != "x" ; then
+            if test "`echo $AUDITD_STOP_DISABLE | tr 'NO' 'no'`" != "no"
+            then
+               /usr/sbin/auditctl -e 0 >/dev/null
+            fi
+         fi
+         echo "OK"
+      else
+         echo "FAILED: auditd not stopped"
+      fi
+   else
+      echo "FAILED: auditd not started"
+      RETVAL=1
+   fi
+   return $RETVAL
+}
+
+reload(){
+   echo -n "Reloading auditd configuration: "
+   if [ -e $LOCK ]; then
+      test -f /etc/audit/auditd.conf  || exit 6
+      echo -n "Reloading configuration: "
+      killall -HUP $prog
+      RETVAL=$?
+      if [ $RETVAL ]; then
+         echo "OK"
+      else
+         echo "FAILED"
+      fi
+   else
+      echo "FAILED: auditd not started"
+      RETVAL=1
+   fi
+   return $RETVAL
+}
+
+rotate(){
+   echo -n "Rotating auditd logs: "
+   if [ -e $LOCK ]; then
+      killall -USR1 $prog
+      RETVAL=$?
+      if [ $RETVAL ]; then
+         echo "OK"
+      else
+         echo "FAILED"
+      fi
+   else
+      echo "FAILED: auditd not started"
+      RETVAL=1
+   fi
+   return $RETVAL
+}
+
+restart(){
+   test -f /etc/audit/auditd.conf  || exit 6
+   stop
+   start
+   return $RETVAL
+}
+
+condrestart(){
+   [ -e $LOCK ] && restart
+   return 0
+}
+
+# See how we were called.
+case "$1" in
+   start)
+      start
+      ;;
+   stop)
+      stop
+      ;;
+   restart)
+      restart
+      ;;
+   reload)
+      reload
+      ;;
+   rotate)
+      rotate
+      ;;
+   condrestart)
+      condrestart
+      ;;
+   *)
+      echo "Usage: $0 {start|stop|restart|condrestart|reload|rotate}"
+      RETVAL=3
+      ;;
+esac
+
+exit $RETVAL
diff --git a/package/audit/audit.hash b/package/audit/audit.hash
new file mode 100644
index 0000000..31f3ea8
--- /dev/null
+++ b/package/audit/audit.hash
@@ -0,0 +1,2 @@
+#Locally computed
+sha256	059346fa0e922faf4dcc054382b21f4845cd8c4942e82cfd0d4cd52bd2b03026	audit-2.4.1.tar.gz
diff --git a/package/audit/audit.mk b/package/audit/audit.mk
new file mode 100644
index 0000000..b1ebd0e
--- /dev/null
+++ b/package/audit/audit.mk
@@ -0,0 +1,47 @@
+################################################################################
+#
+# audit
+#
+################################################################################
+
+AUDIT_VERSION = 2.4.1
+AUDIT_SITE = http://people.redhat.com/sgrubb/audit/
+AUDIT_LICENSE = GPLv2
+AUDIT_LICENSE_FILES = COPYING
+
+AUDIT_INSTALL_STAGING = YES
+AUDIT_AUTORECONF = YES
+
+AUDIT_CONF_OPTS = --without-python
+
+ifeq ($(BR2_PACKAGE_LIBCAP_NG),y)
+	AUDIT_DEPENDENCIES += libcap-ng
+	AUDIT_CONF_OPTS += --with-libcap-ng=yes
+else
+	AUDIT_CONF_OPTS += --with-libcap-ng=no
+endif
+
+ifeq ($(BR2_armeb),y)
+	AUDIT_CONF_OPTS += --with-arm
+endif
+ifeq ($(BR2_arm),y)
+	AUDIT_CONF_OPTS += --with-arm
+endif
+ifeq ($(BR2_aarch64),y)
+	AUDIT_CONF_OPTS += --with-aarch64
+endif
+
+ifeq ($(BR2_STATIC_LIBS),y)
+	AUDIT_CONF_OPTS += --enable-shared=no
+endif
+
+define AUDIT_INSTALL_INIT_SYSV
+	$(INSTALL) -m 755 package/audit/S01auditd $(TARGET_DIR)/etc/init.d/
+endef
+
+define AUDIT_REMOVE_STARTUP_SCRIPT_DIR
+	$(RM) -rf $(TARGET_DIR)/etc/rc.d
+endef
+AUDIT_POST_INSTALL_TARGET_HOOKS += AUDIT_REMOVE_STARTUP_SCRIPT_DIR
+
+$(eval $(autotools-package))
-- 
1.9.1

[Buildroot] [PATCH v5 05/24] audit: new package

[Samuel Martin]

Hi Clayton,

On Wed, May 13, 2015 at 11:39 PM, Clayton Shotwell
<clayton.shotwell@rockwellcollins.com> wrote:
> From: Matt Weber <matthew.weber@rockwellcollins.com>
>
> Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
>
[...]

> --- /dev/null
> +++ b/package/audit/audit.mk
> @@ -0,0 +1,47 @@
> +################################################################################
> +#
> +# audit
> +#
> +################################################################################
> +
> +AUDIT_VERSION = 2.4.1
> +AUDIT_SITE = http://people.redhat.com/sgrubb/audit/
> +AUDIT_LICENSE = GPLv2
> +AUDIT_LICENSE_FILES = COPYING
> +
> +AUDIT_INSTALL_STAGING = YES
> +AUDIT_AUTORECONF = YES
> +
> +AUDIT_CONF_OPTS = --without-python
> +
> +ifeq ($(BR2_PACKAGE_LIBCAP_NG),y)
> +       AUDIT_DEPENDENCIES += libcap-ng
> +       AUDIT_CONF_OPTS += --with-libcap-ng=yes
> +else
> +       AUDIT_CONF_OPTS += --with-libcap-ng=no
> +endif
> +
> +ifeq ($(BR2_armeb),y)
> +       AUDIT_CONF_OPTS += --with-arm
> +endif
> +ifeq ($(BR2_arm),y)
> +       AUDIT_CONF_OPTS += --with-arm
> +endif
This could be condensed in:
ifeq ($(BR2_armeb)$(BR2_arm),y)
       AUDIT_CONF_OPTS += --with-arm
endif

> +ifeq ($(BR2_aarch64),y)
> +       AUDIT_CONF_OPTS += --with-aarch64
> +endif
> +
> +ifeq ($(BR2_STATIC_LIBS),y)
> +       AUDIT_CONF_OPTS += --enable-shared=no
> +endif
> +
> +define AUDIT_INSTALL_INIT_SYSV
> +       $(INSTALL) -m 755 package/audit/S01auditd $(TARGET_DIR)/etc/init.d/
> +endef
> +
> +define AUDIT_REMOVE_STARTUP_SCRIPT_DIR
> +       $(RM) -rf $(TARGET_DIR)/etc/rc.d
> +endef
> +AUDIT_POST_INSTALL_TARGET_HOOKS += AUDIT_REMOVE_STARTUP_SCRIPT_DIR
> +
> +$(eval $(autotools-package))
> --
> 1.9.1
>
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

Regards,

-- 
Samuel

[Buildroot] [PATCH v5 05/24] audit: new package

[Clayton Shotwell]

Samuel,

>> +ifeq ($(BR2_armeb),y)
>> +       AUDIT_CONF_OPTS += --with-arm
>> +endif
>> +ifeq ($(BR2_arm),y)
>> +       AUDIT_CONF_OPTS += --with-arm
>> +endif
> This could be condensed in:
> ifeq ($(BR2_armeb)$(BR2_arm),y)
>        AUDIT_CONF_OPTS += --with-arm
> endif

I can make that change.

Thanks,
Clayton

[Buildroot] [PATCH v5 05/24] audit: new package

[Thomas Petazzoni]

Dear Clayton Shotwell,

On Wed, 13 May 2015 16:39:18 -0500, Clayton Shotwell wrote:

> Changes v4 -> v5:
>   - Removed limitation on glibc only build (Matt W.)
>   - Updated static lib build option variable name (Matt W.)
>   - Upgrading audit to the latest version. Switched to a simpler
>     cross compile support patch that should be upstreamable (Clayton
> S.)
>   - Cleaned up build flags and patch names (Clayton S.)
>   - The xtensa architecture uclibc is missing the ADDR_NO_RANDOMIZE
>     flag that is required by the audit application. Exclute the audit
>     package from the xtensa architecture. (Clayton S.)

This has probably been changed since then, because you haven't ecluded
Xtensa, but instead did a workaround to cope with ADDR_NO_RANDOMIZE
being not available.


> diff --git a/package/audit/0001-Enable-cross-compiling.patch
> b/package/audit/0001-Enable-cross-compiling.patch new file mode 100644
> index 0000000..b2c9b4c
> --- /dev/null
> +++ b/package/audit/0001-Enable-cross-compiling.patch
> @@ -0,0 +1,773 @@
> +From c30e91c2833fb5c33a238258e5902cc2dd8586d3 Mon Sep 17 00:00:00
> 2001 +From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> +Date: Thu, 26 Mar 2015 12:26:36 -0500
> +Subject: [PATCH] Enable cross compiling
> +
> +During the audit build, several lookup tables are generated as header
> +files that are then linked in with the executables. This process is
> done +by a C application that needs to be able to be run on the host.
> The +current Makfile structure tries to build these executables for
> the +target instead of the host where they cannot be executed. This
> patch +reworks the Makefile structure to build for the correct
> platform. +
> +This patch is a rework of a patch posted to the audit mailing list at
> +the link below.
> +https://www.redhat.com/archives/linux-audit/2012-November/msg00000.html
> +
> +The ax_prog_cc_for_build.m4 file was obtained from GNU at the link
> +below.
> +http://www.gnu.org/software/autoconf-archive/ax_prog_cc_for_build.html
> +
> +Signed-off-by: Clayton Shotwell
> <clayton.shotwell@rockwellcollins.com> +---
> + auparse/Makefile.am        | 276
> ++++++++++++++++++++++++++++++---------------
> + configure.ac               |   1 +
> + lib/Makefile.am            | 133 ++++++++++++++--------
> + m4/ax_prog_cc_for_build.m4 | 125 ++++++++++++++++++++
> + 4 files changed, 397 insertions(+), 138 deletions(-)
> + create mode 100644 m4/ax_prog_cc_for_build.m4

This patch looks OK to me. We could potentially avoid the need for
having m4/ax_prog_cc_for_build.m4 by adding host-autoconf-archive to
the dependencies, and passing:

AUDIT_AUTORECONF_OPTS = -I $(HOST_DIR)/usr/share/autoconf-archive

however I am not sure if it's really worth the effort.

Other than that, this patch looks OK to me.

> diff --git a/package/audit/0002-Remove-zos-remote-plugin.patch
> b/package/audit/0002-Remove-zos-remote-plugin.patch new file mode
> 100644 index 0000000..1c8180d
> --- /dev/null
> +++ b/package/audit/0002-Remove-zos-remote-plugin.patch
> @@ -0,0 +1,54 @@
> +From 145a6ddfc8cfcd20bbb505637e50191655128fbb Mon Sep 17 00:00:00
> 2001 +From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> +Date: Thu, 26 Mar 2015 12:33:10 -0500
> +Subject: [PATCH] Remove zos-remote plugin
> +
> +The zos-remote plugin is meant to use LDAP authentication to verify a
> +remote audit user. This is not a package that is available or
> desired in +an embedded target. Removing the plugin from the build
> until it is +able to be turned off from configure.
> +
> +Signed-off-by: Clayton Shotwell
> <clayton.shotwell@rockwellcollins.com> +---
> + audisp/plugins/Makefile.am | 2 +-
> + audisp/plugins/Makefile.in | 4 ++--
> + 2 files changed, 3 insertions(+), 3 deletions(-)

Changes to the Makefile.in are not needed, since you autoreconf the
package anyway, Makefile.in is regenerated.

Also, what about adding a --enable-zos-remote / --disable-zos-remote
option, so that this patch can be submitted upstream?

Something like:

AC_ARG_ENABLE([zos-remote],
              AS_HELP_STRING([--disable-zos-remote], [Disable the ZOS remote plugin (default: enabled)]),
              [with_zos_remote_plugin=$enableval],
              [with_zos_remote_plugin=yes])
AM_CONDITIONAL([WITH_ZOS_REMOTE], [test "$with_zos_remote_plugin" = "yes"])

> +diff --git a/audisp/plugins/Makefile.am b/audisp/plugins/Makefile.am
> +index b0fa60a..3d6f4e6 100644
> +--- a/audisp/plugins/Makefile.am
> ++++ b/audisp/plugins/Makefile.am
> +@@ -22,7 +22,7 @@
> + 
> + CONFIG_CLEAN_FILES = *.loT *.rej *.orig
> + 
> +-SUBDIRS = builtins zos-remote remote
> ++SUBDIRS = builtins remote

if WITH_ZOS_REMOTE
SUBDIRS += zos-remote
endif

> a/package/audit/0004-Do-not-call-posix_fallocate-on-uClibc.patch
> b/package/audit/0004-Do-not-call-posix_fallocate-on-uClibc.patch new
> file mode 100644 index 0000000..87ea6a8 --- /dev/null
> +++ b/package/audit/0004-Do-not-call-posix_fallocate-on-uClibc.patch
> @@ -0,0 +1,45 @@
> +From 8b65b6788140ba169edb620a2abcf438521919ed Mon Sep 17 00:00:00
> 2001 +From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> +Date: Wed, 1 Apr 2015 07:49:54 -0500
> +Subject: [PATCH] Do not call posix_fallocate() on uClibc
> +
> +uClibc does not implement posix_fallocate(), and posix_fallocate() is
> +mostly only a hint to the kernel that we will need such or such
> +amount of space inside a file. So we just don't call
> posix_fallocate() +when building against uClibc.
> +
> +Patch copies functionality implemented by Thomas for the
> +lttng-babeltrace package.
> +
> +Signed-off-by: Clayton Shotwell
> <clayton.shotwell@rockwellcollins.com> +---

Using a configure.ac check would actually be a lot better.

AC_CHECK_FUNCS([posix_fallocate])

and then #ifdef HAVE_POSIX_FALLOCATE in the C source file.

This way this patch can also be submitted upstream.

> diff --git a/package/audit/Config.in b/package/audit/Config.in
> new file mode 100644
> index 0000000..5cf1c26
> --- /dev/null
> +++ b/package/audit/Config.in
> @@ -0,0 +1,17 @@
> +config BR2_PACKAGE_AUDIT
> +	bool "audit"
> +	# needs memory fences for internal libev
> +	depends on !BR2_bfin
> +	depends on BR2_TOOLCHAIN_HAS_THREADS
> +	help
> +	  The audit package contains the user space utilities for
> +	  storing and searching the audit records generated by
> +	  the audit subsystem in the Linux 2.6 kernel
> +
> +	  Note: The z/OS remote plugin is disabled in this package
> +
> +	  http://people.redhat.com/sgrubb/audit/
> +
> +comment "audit needs a toolchain w/ threads"
> +	depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_bfin

This should be:

	depends on !BR2_bfin
	depends on !BR2_TOOLCHAIN_HAS_THREADS

so that the comment never appears on Blackfin, and appears on other
architectures than Blackfin when thread support is not available.

With your solution, the comment always appears on Blackfin.

> diff --git a/package/audit/S01auditd b/package/audit/S01auditd
> new file mode 100644
> index 0000000..9083bfe
> --- /dev/null
> +++ b/package/audit/S01auditd

I am not sure about this script, it seems quite complicated compared to
other init scripts in Buildroot.

> @@ -0,0 +1,169 @@
> +#!/bin/sh
> +#
> +# auditd        This starts and stops auditd
> +#
> +# description: This starts the Linux Auditing System Daemon, \
> +#              which collects security related events in a dedicated
> \ +#              audit log. If this daemon is turned off, audit
> events \ +#              will be sent to syslog.
> +#
> +# processname: /usr/sbin/auditd
> +# config: /etc/sysconfig/auditd
> +# config: /etc/audit/auditd.conf
> +# pidfile: /var/run/auditd.pid
> +#
> +# Return values according to LSB for all commands but status:
> +# 0 - success
> +# 1 - generic or unspecified error
> +# 3 - unimplemented feature (e.g. "reload")
> +# 4 - insufficient privilege
> +# 5 - program is not installed
> +# 6 - program is not configured
> +# 7 - program is not running

Do we care about LSB conformance of our init scripts?

> +#
> +prog="auditd"
> +
> +# Check that we are root ... so non-root users stop here
> +test $EUID=0  ||  exit 4

We typically don't do such checks in other init scripts.

> +
> +# Check config
> +test -f /etc/sysconfig/auditd && . /etc/sysconfig/auditd

/etc/sysconfig is clearly not something standard in Buildroot.

> +
> +RETVAL=0
> +LOCK=/var/lock/subsys/auditd
> +
> +start(){
> +   echo -n "Initializing $prog: "
> +
> +   if [ ! -e $LOCK ]; then
> +      test -x /usr/sbin/auditd  || exit 5
> +      test -f /etc/audit/auditd.conf  || exit 6
> +
> +      # Create dir to store log files in if one doesn't exist
> +      test -d /var/log/audit || mkdir /var/log/audit -Z
> `matchpathcon /var/log/audit | cut -f 2` +
> +      # Run audit daemon executable
> +      $prog

start-stop-daemon?

> +      RETVAL=$?
> +      if test $RETVAL = 0 ; then
> +         test -d /var/lock/subsys || mkdir -p /var/lock/subsys
> +         touch $LOCK
> +         # Load the default rules
> +         test -f /etc/audit/rules.d/audit.rules
> && /usr/sbin/auditctl -R /etc/audit/rules.d/audit.rules >/dev/null
> +         echo "OK"
> +      else
> +         echo "FAILED: auditd failed to start"
> +      fi
> +   else
> +      echo "FAILED: auditd already started, stop first"
> +      RETVAL=1
> +   fi
> +   return $RETVAL
> +}
> +
> +stop(){
> +   echo -n "Uninitializing $prog: "
> +   if [ -e $LOCK ]; then
> +      killall -TERM $prog

so that we can avoid this horrible killall.

> +      RETVAL=$?
> +      if [ $RETVAL ]; then
> +         rm -f $LOCK
> +         # Remove watches so shutdown works cleanly
> +         if test x"$AUDITD_CLEAN_STOP" != "x" ; then
> +            if test "`echo $AUDITD_CLEAN_STOP | tr 'NO' 'no'`" !=
> "no"
> +            then
> +               /usr/sbin/auditctl -D >/dev/null
> +            fi
> +         fi
> +         if test x"$AUDITD_STOP_DISABLE" != "x" ; then
> +            if test "`echo $AUDITD_STOP_DISABLE | tr 'NO' 'no'`" !=
> "no"
> +            then
> +               /usr/sbin/auditctl -e 0 >/dev/null
> +            fi

what is AUDITD_CLEAN_STOP and AUDITD_STOP_DISABLE ? These tests look
weird.

> +         fi
> +         echo "OK"
> +      else
> +         echo "FAILED: auditd not stopped"
> +      fi
> +   else
> +      echo "FAILED: auditd not started"
> +      RETVAL=1
> +   fi
> +   return $RETVAL
> +}
> +
> +reload(){
> +   echo -n "Reloading auditd configuration: "
> +   if [ -e $LOCK ]; then
> +      test -f /etc/audit/auditd.conf  || exit 6
> +      echo -n "Reloading configuration: "
> +      killall -HUP $prog

start-stop-daemon also allows to send a SIGHUP.

> +rotate(){
> +   echo -n "Rotating auditd logs: "
> +   if [ -e $LOCK ]; then
> +      killall -USR1 $prog

Ditto, with start-stop-daemon you can send all signals you want.

So overall, a simplified, more Buildroot style init script would be appreciated.

> b/package/audit/audit.mk new file mode 100644 index 0000000..b1ebd0e
> --- /dev/null
> +++ b/package/audit/audit.mk
> @@ -0,0 +1,47 @@
> +################################################################################
> +#
> +# audit
> +#
> +################################################################################
> +
> +AUDIT_VERSION = 2.4.1
> +AUDIT_SITE = http://people.redhat.com/sgrubb/audit/
> +AUDIT_LICENSE = GPLv2
> +AUDIT_LICENSE_FILES = COPYING
> +
> +AUDIT_INSTALL_STAGING = YES
> +AUDIT_AUTORECONF = YES

Add comment about the fact that we have AUTORECONF = YES because we're
patching configure.ac/Makefile.am.

> +
> +AUDIT_CONF_OPTS = --without-python
> +
> +ifeq ($(BR2_PACKAGE_LIBCAP_NG),y)
> +	AUDIT_DEPENDENCIES += libcap-ng
> +	AUDIT_CONF_OPTS += --with-libcap-ng=yes
> +else
> +	AUDIT_CONF_OPTS += --with-libcap-ng=no
> +endif

Don't indent inside conditions.

> +
> +ifeq ($(BR2_armeb),y)
> +	AUDIT_CONF_OPTS += --with-arm
> +endif
> +ifeq ($(BR2_arm),y)
> +	AUDIT_CONF_OPTS += --with-arm
> +endif
> +ifeq ($(BR2_aarch64),y)
> +	AUDIT_CONF_OPTS += --with-aarch64
> +endif
> +
> +ifeq ($(BR2_STATIC_LIBS),y)
> +	AUDIT_CONF_OPTS += --enable-shared=no
> +endif

Why is this needed? We already pass --disable-shared when
BR2_STATIC_LIBS=y, and --disable-shared should be identical to
--enable-shared=no.

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com

[Buildroot] [PATCH v5 05/24] audit: new package

[Clayton Shotwell]

Thomas,

On Thu, May 21, 2015 at 4:33 PM, Thomas Petazzoni
<thomas.petazzoni@free-electrons.com> wrote:
> Dear Clayton Shotwell,
>
> On Wed, 13 May 2015 16:39:18 -0500, Clayton Shotwell wrote:
>
>> Changes v4 -> v5:
>>   - Removed limitation on glibc only build (Matt W.)
>>   - Updated static lib build option variable name (Matt W.)
>>   - Upgrading audit to the latest version. Switched to a simpler
>>     cross compile support patch that should be upstreamable (Clayton
>> S.)
>>   - Cleaned up build flags and patch names (Clayton S.)
>>   - The xtensa architecture uclibc is missing the ADDR_NO_RANDOMIZE
>>     flag that is required by the audit application. Exclute the audit
>>     package from the xtensa architecture. (Clayton S.)
>
> This has probably been changed since then, because you haven't ecluded
> Xtensa, but instead did a workaround to cope with ADDR_NO_RANDOMIZE
> being not available.

That is correct. I will update the comment to reflect this solution.

>> diff --git a/package/audit/0001-Enable-cross-compiling.patch
>> b/package/audit/0001-Enable-cross-compiling.patch new file mode 100644
>> index 0000000..b2c9b4c
>> --- /dev/null
>> +++ b/package/audit/0001-Enable-cross-compiling.patch
>> @@ -0,0 +1,773 @@
>> +From c30e91c2833fb5c33a238258e5902cc2dd8586d3 Mon Sep 17 00:00:00
>> 2001 +From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>> +Date: Thu, 26 Mar 2015 12:26:36 -0500
>> +Subject: [PATCH] Enable cross compiling
>> +
>> +During the audit build, several lookup tables are generated as header
>> +files that are then linked in with the executables. This process is
>> done +by a C application that needs to be able to be run on the host.
>> The +current Makfile structure tries to build these executables for
>> the +target instead of the host where they cannot be executed. This
>> patch +reworks the Makefile structure to build for the correct
>> platform. +
>> +This patch is a rework of a patch posted to the audit mailing list at
>> +the link below.
>> +https://www.redhat.com/archives/linux-audit/2012-November/msg00000.html
>> +
>> +The ax_prog_cc_for_build.m4 file was obtained from GNU at the link
>> +below.
>> +http://www.gnu.org/software/autoconf-archive/ax_prog_cc_for_build.html
>> +
>> +Signed-off-by: Clayton Shotwell
>> <clayton.shotwell@rockwellcollins.com> +---
>> + auparse/Makefile.am        | 276
>> ++++++++++++++++++++++++++++++---------------
>> + configure.ac               |   1 +
>> + lib/Makefile.am            | 133 ++++++++++++++--------
>> + m4/ax_prog_cc_for_build.m4 | 125 ++++++++++++++++++++
>> + 4 files changed, 397 insertions(+), 138 deletions(-)
>> + create mode 100644 m4/ax_prog_cc_for_build.m4
>
> This patch looks OK to me. We could potentially avoid the need for
> having m4/ax_prog_cc_for_build.m4 by adding host-autoconf-archive to
> the dependencies, and passing:
>
> AUDIT_AUTORECONF_OPTS = -I $(HOST_DIR)/usr/share/autoconf-archive
>
> however I am not sure if it's really worth the effort.
>
> Other than that, this patch looks OK to me.

I am working on getting this submitted upstream. I would like to keep
the patch as is until I hear back from the audit maintainers.

>> diff --git a/package/audit/0002-Remove-zos-remote-plugin.patch
>> b/package/audit/0002-Remove-zos-remote-plugin.patch new file mode
>> 100644 index 0000000..1c8180d
>> --- /dev/null
>> +++ b/package/audit/0002-Remove-zos-remote-plugin.patch
>> @@ -0,0 +1,54 @@
>> +From 145a6ddfc8cfcd20bbb505637e50191655128fbb Mon Sep 17 00:00:00
>> 2001 +From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>> +Date: Thu, 26 Mar 2015 12:33:10 -0500
>> +Subject: [PATCH] Remove zos-remote plugin
>> +
>> +The zos-remote plugin is meant to use LDAP authentication to verify a
>> +remote audit user. This is not a package that is available or
>> desired in +an embedded target. Removing the plugin from the build
>> until it is +able to be turned off from configure.
>> +
>> +Signed-off-by: Clayton Shotwell
>> <clayton.shotwell@rockwellcollins.com> +---
>> + audisp/plugins/Makefile.am | 2 +-
>> + audisp/plugins/Makefile.in | 4 ++--
>> + 2 files changed, 3 insertions(+), 3 deletions(-)
>
> Changes to the Makefile.in are not needed, since you autoreconf the
> package anyway, Makefile.in is regenerated.

Good point. Not sure why I changed that file also.

> Also, what about adding a --enable-zos-remote / --disable-zos-remote
> option, so that this patch can be submitted upstream?
>
> Something like:
>
> AC_ARG_ENABLE([zos-remote],
>               AS_HELP_STRING([--disable-zos-remote], [Disable the ZOS remote plugin (default: enabled)]),
>               [with_zos_remote_plugin=$enableval],
>               [with_zos_remote_plugin=yes])
> AM_CONDITIONAL([WITH_ZOS_REMOTE], [test "$with_zos_remote_plugin" = "yes"])

That is probably a better solution. I'll get that implemented for v6.

>> +diff --git a/audisp/plugins/Makefile.am b/audisp/plugins/Makefile.am
>> +index b0fa60a..3d6f4e6 100644
>> +--- a/audisp/plugins/Makefile.am
>> ++++ b/audisp/plugins/Makefile.am
>> +@@ -22,7 +22,7 @@
>> +
>> + CONFIG_CLEAN_FILES = *.loT *.rej *.orig
>> +
>> +-SUBDIRS = builtins zos-remote remote
>> ++SUBDIRS = builtins remote
>
> if WITH_ZOS_REMOTE
> SUBDIRS += zos-remote
> endif
>
>> a/package/audit/0004-Do-not-call-posix_fallocate-on-uClibc.patch
>> b/package/audit/0004-Do-not-call-posix_fallocate-on-uClibc.patch new
>> file mode 100644 index 0000000..87ea6a8 --- /dev/null
>> +++ b/package/audit/0004-Do-not-call-posix_fallocate-on-uClibc.patch
>> @@ -0,0 +1,45 @@
>> +From 8b65b6788140ba169edb620a2abcf438521919ed Mon Sep 17 00:00:00
>> 2001 +From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>> +Date: Wed, 1 Apr 2015 07:49:54 -0500
>> +Subject: [PATCH] Do not call posix_fallocate() on uClibc
>> +
>> +uClibc does not implement posix_fallocate(), and posix_fallocate() is
>> +mostly only a hint to the kernel that we will need such or such
>> +amount of space inside a file. So we just don't call
>> posix_fallocate() +when building against uClibc.
>> +
>> +Patch copies functionality implemented by Thomas for the
>> +lttng-babeltrace package.
>> +
>> +Signed-off-by: Clayton Shotwell
>> <clayton.shotwell@rockwellcollins.com> +---
>
> Using a configure.ac check would actually be a lot better.
>
> AC_CHECK_FUNCS([posix_fallocate])
>
> and then #ifdef HAVE_POSIX_FALLOCATE in the C source file.

I will get this fixed and tested for v6.

>> diff --git a/package/audit/Config.in b/package/audit/Config.in
>> new file mode 100644
>> index 0000000..5cf1c26
>> --- /dev/null
>> +++ b/package/audit/Config.in
>> @@ -0,0 +1,17 @@
>> +config BR2_PACKAGE_AUDIT
>> +     bool "audit"
>> +     # needs memory fences for internal libev
>> +     depends on !BR2_bfin
>> +     depends on BR2_TOOLCHAIN_HAS_THREADS
>> +     help
>> +       The audit package contains the user space utilities for
>> +       storing and searching the audit records generated by
>> +       the audit subsystem in the Linux 2.6 kernel
>> +
>> +       Note: The z/OS remote plugin is disabled in this package
>> +
>> +       http://people.redhat.com/sgrubb/audit/
>> +
>> +comment "audit needs a toolchain w/ threads"
>> +     depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_bfin
>
> This should be:
>
>         depends on !BR2_bfin
>         depends on !BR2_TOOLCHAIN_HAS_THREADS
>
> so that the comment never appears on Blackfin, and appears on other
> architectures than Blackfin when thread support is not available.
>
> With your solution, the comment always appears on Blackfin.

Good catch. I'll make that change.

>> diff --git a/package/audit/S01auditd b/package/audit/S01auditd
>> new file mode 100644
>> index 0000000..9083bfe
>> --- /dev/null
>> +++ b/package/audit/S01auditd
>
> I am not sure about this script, it seems quite complicated compared to
> other init scripts in Buildroot.
>
>> @@ -0,0 +1,169 @@
>> +#!/bin/sh
>> +#
>> +# auditd        This starts and stops auditd
>> +#
>> +# description: This starts the Linux Auditing System Daemon, \
>> +#              which collects security related events in a dedicated
>> \ +#              audit log. If this daemon is turned off, audit
>> events \ +#              will be sent to syslog.
>> +#
>> +# processname: /usr/sbin/auditd
>> +# config: /etc/sysconfig/auditd
>> +# config: /etc/audit/auditd.conf
>> +# pidfile: /var/run/auditd.pid
>> +#
>> +# Return values according to LSB for all commands but status:
>> +# 0 - success
>> +# 1 - generic or unspecified error
>> +# 3 - unimplemented feature (e.g. "reload")
>> +# 4 - insufficient privilege
>> +# 5 - program is not installed
>> +# 6 - program is not configured
>> +# 7 - program is not running
>
> Do we care about LSB conformance of our init scripts?
>
>> +#
>> +prog="auditd"
>> +
>> +# Check that we are root ... so non-root users stop here
>> +test $EUID=0  ||  exit 4
>
> We typically don't do such checks in other init scripts.
>
>> +
>> +# Check config
>> +test -f /etc/sysconfig/auditd && . /etc/sysconfig/auditd
>
> /etc/sysconfig is clearly not something standard in Buildroot.
>
>> +
>> +RETVAL=0
>> +LOCK=/var/lock/subsys/auditd
>> +
>> +start(){
>> +   echo -n "Initializing $prog: "
>> +
>> +   if [ ! -e $LOCK ]; then
>> +      test -x /usr/sbin/auditd  || exit 5
>> +      test -f /etc/audit/auditd.conf  || exit 6
>> +
>> +      # Create dir to store log files in if one doesn't exist
>> +      test -d /var/log/audit || mkdir /var/log/audit -Z
>> `matchpathcon /var/log/audit | cut -f 2` +
>> +      # Run audit daemon executable
>> +      $prog
>
> start-stop-daemon?
>
>> +      RETVAL=$?
>> +      if test $RETVAL = 0 ; then
>> +         test -d /var/lock/subsys || mkdir -p /var/lock/subsys
>> +         touch $LOCK
>> +         # Load the default rules
>> +         test -f /etc/audit/rules.d/audit.rules
>> && /usr/sbin/auditctl -R /etc/audit/rules.d/audit.rules >/dev/null
>> +         echo "OK"
>> +      else
>> +         echo "FAILED: auditd failed to start"
>> +      fi
>> +   else
>> +      echo "FAILED: auditd already started, stop first"
>> +      RETVAL=1
>> +   fi
>> +   return $RETVAL
>> +}
>> +
>> +stop(){
>> +   echo -n "Uninitializing $prog: "
>> +   if [ -e $LOCK ]; then
>> +      killall -TERM $prog
>
> so that we can avoid this horrible killall.
>
>> +      RETVAL=$?
>> +      if [ $RETVAL ]; then
>> +         rm -f $LOCK
>> +         # Remove watches so shutdown works cleanly
>> +         if test x"$AUDITD_CLEAN_STOP" != "x" ; then
>> +            if test "`echo $AUDITD_CLEAN_STOP | tr 'NO' 'no'`" !=
>> "no"
>> +            then
>> +               /usr/sbin/auditctl -D >/dev/null
>> +            fi
>> +         fi
>> +         if test x"$AUDITD_STOP_DISABLE" != "x" ; then
>> +            if test "`echo $AUDITD_STOP_DISABLE | tr 'NO' 'no'`" !=
>> "no"
>> +            then
>> +               /usr/sbin/auditctl -e 0 >/dev/null
>> +            fi
>
> what is AUDITD_CLEAN_STOP and AUDITD_STOP_DISABLE ? These tests look
> weird.
>
>> +         fi
>> +         echo "OK"
>> +      else
>> +         echo "FAILED: auditd not stopped"
>> +      fi
>> +   else
>> +      echo "FAILED: auditd not started"
>> +      RETVAL=1
>> +   fi
>> +   return $RETVAL
>> +}
>> +
>> +reload(){
>> +   echo -n "Reloading auditd configuration: "
>> +   if [ -e $LOCK ]; then
>> +      test -f /etc/audit/auditd.conf  || exit 6
>> +      echo -n "Reloading configuration: "
>> +      killall -HUP $prog
>
> start-stop-daemon also allows to send a SIGHUP.
>
>> +rotate(){
>> +   echo -n "Rotating auditd logs: "
>> +   if [ -e $LOCK ]; then
>> +      killall -USR1 $prog
>
> Ditto, with start-stop-daemon you can send all signals you want.
>
> So overall, a simplified, more Buildroot style init script would be appreciated.

I'll rework for v6. This is pulled from the example auditd startup
script from inside the package and only slightly tweaked.

>> b/package/audit/audit.mk new file mode 100644 index 0000000..b1ebd0e
>> --- /dev/null
>> +++ b/package/audit/audit.mk
>> @@ -0,0 +1,47 @@
>> +################################################################################
>> +#
>> +# audit
>> +#
>> +################################################################################
>> +
>> +AUDIT_VERSION = 2.4.1
>> +AUDIT_SITE = http://people.redhat.com/sgrubb/audit/
>> +AUDIT_LICENSE = GPLv2
>> +AUDIT_LICENSE_FILES = COPYING
>> +
>> +AUDIT_INSTALL_STAGING = YES
>> +AUDIT_AUTORECONF = YES
>
> Add comment about the fact that we have AUTORECONF = YES because we're
> patching configure.ac/Makefile.am.

Will fix for v6.

>> +
>> +AUDIT_CONF_OPTS = --without-python
>> +
>> +ifeq ($(BR2_PACKAGE_LIBCAP_NG),y)
>> +     AUDIT_DEPENDENCIES += libcap-ng
>> +     AUDIT_CONF_OPTS += --with-libcap-ng=yes
>> +else
>> +     AUDIT_CONF_OPTS += --with-libcap-ng=no
>> +endif
>
> Don't indent inside conditions.

Will fix for v6.

>> +
>> +ifeq ($(BR2_armeb),y)
>> +     AUDIT_CONF_OPTS += --with-arm
>> +endif
>> +ifeq ($(BR2_arm),y)
>> +     AUDIT_CONF_OPTS += --with-arm
>> +endif
>> +ifeq ($(BR2_aarch64),y)
>> +     AUDIT_CONF_OPTS += --with-aarch64
>> +endif
>> +
>> +ifeq ($(BR2_STATIC_LIBS),y)
>> +     AUDIT_CONF_OPTS += --enable-shared=no
>> +endif
>
> Why is this needed? We already pass --disable-shared when
> BR2_STATIC_LIBS=y, and --disable-shared should be identical to
> --enable-shared=no.

Good point. I'll remove this for v6.

Thanks,
Clayton

[Buildroot] [PATCH v5 06/24] policycoreutils: new package

[Clayton Shotwell]

From: Matt Weber <matthew.weber@rockwellcollins.com>

Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>

---
Changes v4 -> v5:
  - Updated depends and removed glibc dependency (Matt W.)
  - Updated site to github (Matt W.)
  - Added host python 2/3 support (Matt W.)
  - Removed sandbox and mctrans support (Matt W.)
  - Removed restorcon init script (Matt W.)
  - Agree as optional settings were removed so menu isn't needed
    (Suggested by Ryan B. and Thomas P.)
  - added Config.in select for LIBCAP_NG (Suggested by Thomas P.)
  - cleaned up pam/audit ifeq (Suggested by Thomas P.)
  - fixed CFLAGS to include target_cflags instead of += (Suggested by
    Thomas P.)
  - Refactored lists of build/install steps into loops  (Suggested by
    Thomas P.)
  - Removed += on first host depends assignment (Suggested by Thomas P.)
  - Refactored host make opts assignments (Suggested by Thomas P.)
  - Limited to glibc because of fts.h, some uclibc toolchains have it
    others don't.  Eventually this would be good to fix with the updated
    method of file traversal. (Matt W.)
  - Gettext fixups for uclibc support.  Counter productive as we
    now limit to glibc only. (Matt W.)
  - Added musl as possible lib type (Matt W.)
  - Removed largefile dependency (Clayton S.)
  - Changed dbus-glib select to a depends on in the Config.in (suggested
    by Ryan B.)

Changes v3 -> v4:
  - Add a select for the libselinux Python bindings when debugging
    is enabled.  This will cause Python to be built for the target
    (suggested by Thomas P.)
  - Cleaned up the configure comments (suggested by Thomas).
  - Added a dependency on BR2_USE_MMU for the debugging option
    because python requires it (suggested by Thomas P.)
  - Removed the dependencies on audit and linux-pam. Both packages
    are now optional dependencies based on whether or not the package
    has been selected
  - Moved the dependency on dbus-glib to only the restorecond option
    where it is used
  - Added a INSTALL_INIT_SYSV for the restorecond daemon rather than
    just installing it directly
  - Adding a dependency on glibc
  - Removed the clean commands

Changes v2 -> v3:
  - Added dependencies on BR2_TOOLCHAIN_HAS_THREADS and BR2_LARGEFILE
    (suggested by Thomas P.)
  - Changes patch naming convention (suggested by Thomas P.)
  - Added selects for linux-pam and audit

Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format
  - Fixed the patch naming to avoid using the version number
  - Cleaned up the patch to include a signed-off-by line
  - Changed package dependencies into selects in the config
---
 package/Config.in                                  |   1 +
 .../policycoreutils/0001-cross-compile-fixes.patch | 332 +++++++++++++++++++++
 package/policycoreutils/Config.in                  |  53 ++++
 package/policycoreutils/policycoreutils.hash       |   2 +
 package/policycoreutils/policycoreutils.mk         | 107 +++++++
 5 files changed, 495 insertions(+)
 create mode 100644 package/policycoreutils/0001-cross-compile-fixes.patch
 create mode 100644 package/policycoreutils/Config.in
 create mode 100644 package/policycoreutils/policycoreutils.hash
 create mode 100644 package/policycoreutils/policycoreutils.mk

diff --git a/package/Config.in b/package/Config.in
index 5473772..b99a7e0 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1338,6 +1338,7 @@ menu "Real-Time"
 endmenu
 
 menu "Security"
+	source "package/policycoreutils/Config.in"
 	source "package/setools/Config.in"
 endmenu
 
diff --git a/package/policycoreutils/0001-cross-compile-fixes.patch b/package/policycoreutils/0001-cross-compile-fixes.patch
new file mode 100644
index 0000000..8f47907
--- /dev/null
+++ b/package/policycoreutils/0001-cross-compile-fixes.patch
@@ -0,0 +1,332 @@
+Patch to enable cross compile build and install.
+
+Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
+
+diff -urN a/audit2allow/Makefile b/audit2allow/Makefile
+--- a/audit2allow/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/audit2allow/Makefile	2013-08-23 09:16:21.282917254 -0500
+@@ -3,7 +3,7 @@
+ BINDIR ?= $(PREFIX)/bin
+ LIBDIR ?= $(PREFIX)/lib
+ MANDIR ?= $(PREFIX)/share/man
+-LOCALEDIR ?= /usr/share/locale
++LOCALEDIR ?= $(DESTDIR)/usr/share/locale
+ 
+ all: ;
+ 
+diff -urN a/load_policy/Makefile b/load_policy/Makefile
+--- a/load_policy/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/load_policy/Makefile	2013-08-23 09:16:21.282917254 -0500
+@@ -3,7 +3,7 @@
+ SBINDIR ?= $(DESTDIR)/sbin
+ USRSBINDIR ?= $(PREFIX)/sbin
+ MANDIR ?= $(PREFIX)/share/man
+-LOCALEDIR ?= /usr/share/locale
++LOCALEDIR ?= $(DESTDIR)/usr/share/locale
+ 
+ CFLAGS ?= -Werror -Wall -W
+ override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+diff -urN a/Makefile b/Makefile
+--- a/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/Makefile	2013-08-23 09:16:21.292985286 -0500
+@@ -1,8 +1,8 @@
+ SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui
+ 
+-INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
++INOTIFYH = $(shell ls $(DESTDIR)/usr/include/sys/inotify.h 2>/dev/null)
+ 
+-ifeq (${INOTIFYH}, /usr/include/sys/inotify.h)
++ifeq (${INOTIFYH}, $(DESTDIR)/usr/include/sys/inotify.h)
+ 	SUBDIRS += restorecond
+ endif
+ 
+diff -urN a/mcstrans/src/Makefile b/mcstrans/src/Makefile
+--- a/mcstrans/src/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/mcstrans/src/Makefile	2013-08-23 09:41:18.782916946 -0500
+@@ -1,22 +1,8 @@
+-ARCH = $(shell uname -i)
+-ifeq "$(ARCH)" "x86_64"
+-	# In case of 64 bit system, use these lines
+-	LIBDIR=/usr/lib64
+-else 
+-ifeq "$(ARCH)" "i686"
+-	# In case of 32 bit system, use these lines
+-	LIBDIR=/usr/lib
+-else
+-ifeq "$(ARCH)" "i386"
+-	# In case of 32 bit system, use these lines
+-	LIBDIR=/usr/lib
+-endif
+-endif
+-endif
+ # Installation directories.
+ PREFIX  ?= $(DESTDIR)/usr
+-SBINDIR ?= $(DESTDIR)/sbin
+-INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
++LIBDIR  ?= $(PREFIX)/lib
++SBINDIR ?= $(PREFIX)/sbin
++INITDIR ?= $(DESTDIR)/etc/init.d
+ 
+ PROG_SRC=mcstrans.c  mcscolor.c  mcstransd.c  mls_level.c
+ PROG_OBJS= $(patsubst %.c,%.o,$(PROG_SRC))
+@@ -40,5 +26,5 @@
+ 	install -m 755 $(INITSCRIPT).init $(INITDIR)/$(INITSCRIPT)
+ 
+ clean: 
+-	-rm -f $(OBJS) $(LOBJS) $(TARGET) $(PROG) $(PROG_OBJS) *~ \#*
++	-rm -f $(PROG) $(PROG_OBJS) *.o *~ \#*
+ 
+diff -urN a/mcstrans/utils/Makefile b/mcstrans/utils/Makefile
+--- a/mcstrans/utils/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/mcstrans/utils/Makefile	2013-08-23 09:16:21.292985286 -0500
+@@ -1,24 +1,8 @@
+ # Installation directories.
+ PREFIX ?= $(DESTDIR)/usr
++LIBDIR  ?= $(PREFIX)/lib
+ BINDIR ?= $(PREFIX)/sbin
+ 
+-ARCH = $(shell uname -i)
+-ifeq "$(ARCH)" "x86_64"
+-        # In case of 64 bit system, use these lines
+-        LIBDIR=/usr/lib64
+-else
+-ifeq "$(ARCH)" "i686"
+-        # In case of 32 bit system, use these lines
+-        LIBDIR=/usr/lib
+-else
+-ifeq "$(ARCH)" "i386"
+-        # In case of 32 bit system, use these lines
+-        LIBDIR=/usr/lib
+-endif
+-endif
+-endif
+-
+-
+ CFLAGS ?= -Wall
+ override CFLAGS += -I../src -D_GNU_SOURCE
+ LDLIBS += -L../src ../src/mcstrans.o ../src/mls_level.o -lselinux -lpcre $(LIBDIR)/libsepol.a
+diff -urN a/newrole/Makefile b/newrole/Makefile
+--- a/newrole/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/newrole/Makefile	2013-08-23 09:16:21.292985286 -0500
+@@ -3,9 +3,9 @@
+ BINDIR ?= $(PREFIX)/bin
+ MANDIR ?= $(PREFIX)/share/man
+ ETCDIR ?= $(DESTDIR)/etc
+-LOCALEDIR = /usr/share/locale
+-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
+-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
++LOCALEDIR = $(DESTDIR)/usr/share/locale
++PAMH = $(shell ls $(DESTDIR)/usr/include/security/pam_appl.h 2>/dev/null)
++AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
+ # Enable capabilities to permit newrole to generate audit records.
+ # This will make newrole a setuid root program.
+ # The capabilities used are: CAP_AUDIT_WRITE.
+@@ -24,7 +24,7 @@
+ EXTRA_OBJS =
+ override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+ LDLIBS += -lselinux -L$(PREFIX)/lib
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
+ 	override CFLAGS += -DUSE_PAM
+ 	EXTRA_OBJS += hashtab.o
+ 	LDLIBS += -lpam -lpam_misc
+@@ -32,7 +32,7 @@
+ 	override CFLAGS += -D_XOPEN_SOURCE=500
+ 	LDLIBS += -lcrypt
+ endif
+-ifeq ($(AUDITH), /usr/include/libaudit.h)
++ifeq ($(AUDITH), $(DESTDIR)/usr/include/libaudit.h)
+ 	override CFLAGS += -DUSE_AUDIT
+ 	LDLIBS += -laudit
+ endif
+@@ -66,7 +66,7 @@
+ 	test -d $(MANDIR)/man1 || install -m 755 -d $(MANDIR)/man1
+ 	install -m $(MODE) newrole $(BINDIR)
+ 	install -m 644 newrole.1 $(MANDIR)/man1/
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
+ 	test -d $(ETCDIR)/pam.d || install -m 755 -d $(ETCDIR)/pam.d
+ ifeq ($(LSPP_PRIV),y)
+ 	install -m 644 newrole-lspp.pamd $(ETCDIR)/pam.d/newrole
+diff -urN a/restorecond/Makefile b/restorecond/Makefile
+--- a/restorecond/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/restorecond/Makefile	2013-08-23 09:16:21.292985286 -0500
+@@ -2,24 +2,29 @@
+ PREFIX ?= $(DESTDIR)/usr
+ SBINDIR ?= $(PREFIX)/sbin
+ LIBDIR ?= $(PREFIX)/lib
+-MANDIR = $(PREFIX)/share/man
++MANDIR ?= $(PREFIX)/share/man
+ AUTOSTARTDIR = $(DESTDIR)/etc/xdg/autostart
+ DBUSSERVICEDIR = $(DESTDIR)/usr/share/dbus-1/services
+ 
+ autostart_DATA = sealertauto.desktop
+-INITDIR = $(DESTDIR)/etc/rc.d/init.d
++INITDIR = $(DESTDIR)/etc/init.d
+ SELINUXDIR = $(DESTDIR)/etc/selinux
+ 
+-DBUSFLAGS = -DHAVE_DBUS -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/lib/dbus-1.0/include
++DBUSFLAGS = -DHAVE_DBUS -I$(PREFIX)/include/dbus-1.0 -I$(PREFIX)/lib64/dbus-1.0/include \
++		-I$(PREFIX)/lib/dbus-1.0/include
+ DBUSLIB = -ldbus-glib-1 -ldbus-1
+ 
+ CFLAGS ?= -g -Werror -Wall -W
+-override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/lib/glib-2.0/include
++override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I$(PREFIX)/include/glib-2.0 \
++		-I$(PREFIX)/lib64/glib-2.0/include -I$(PREFIX)/lib/glib-2.0/include
+ 
+ LDLIBS += -lselinux $(DBUSLIB) -lglib-2.0 -L$(LIBDIR)
+ 
+ all: restorecond
+ 
++%.o: %.c
++	$(CC) $(CFLAGS) -c -o $@ $<
++
+ restorecond.o utmpwatcher.o stringslist.o user.o watch.o: restorecond.h
+ 
+ restorecond:  ../setfiles/restore.o restorecond.o utmpwatcher.o stringslist.o user.o watch.o
+diff -urN a/run_init/Makefile b/run_init/Makefile
+--- a/run_init/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/run_init/Makefile	2013-08-23 09:16:21.292985286 -0500
+@@ -4,21 +4,21 @@
+ SBINDIR ?= $(PREFIX)/sbin
+ MANDIR ?= $(PREFIX)/share/man
+ ETCDIR ?= $(DESTDIR)/etc
+-LOCALEDIR ?= /usr/share/locale
+-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
+-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
++LOCALEDIR ?= $(DESTDIR)/usr/share/locale
++PAMH = $(shell ls $(DESTDIR)/usr/include/security/pam_appl.h 2>/dev/null)
++AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
+ 
+ CFLAGS ?= -Werror -Wall -W
+ override CFLAGS += -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+ LDLIBS += -lselinux -L$(PREFIX)/lib
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
+ 	override CFLAGS += -DUSE_PAM
+ 	LDLIBS += -lpam -lpam_misc
+ else
+ 	override CFLAGS += -D_XOPEN_SOURCE=500
+ 	LDLIBS += -lcrypt
+ endif
+-ifeq ($(AUDITH), /usr/include/libaudit.h)
++ifeq ($(AUDITH), $(DESTDIR)/usr/include/libaudit.h)
+ 	override CFLAGS += -DUSE_AUDIT
+ 	LDLIBS += -laudit
+ endif
+@@ -38,7 +38,7 @@
+ 	install -m 755 open_init_pty $(SBINDIR)
+ 	install -m 644 run_init.8 $(MANDIR)/man8/
+ 	install -m 644 open_init_pty.8 $(MANDIR)/man8/
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
+ 	install -m 644 run_init.pamd $(ETCDIR)/pam.d/run_init
+ endif
+ 
+diff -urN a/semodule/Makefile b/semodule/Makefile
+--- a/semodule/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/semodule/Makefile	2013-08-23 09:16:21.302924109 -0500
+@@ -2,7 +2,7 @@
+ PREFIX ?= $(DESTDIR)/usr
+ INCLUDEDIR ?= $(PREFIX)/include
+ SBINDIR ?= $(PREFIX)/sbin
+-MANDIR = $(PREFIX)/share/man
++MANDIR ?= $(PREFIX)/share/man
+ LIBDIR ?= $(PREFIX)/lib
+ 
+ CFLAGS ?= -Werror -Wall -W
+diff -urN a/sepolicy/Makefile b/sepolicy/Makefile
+--- a/sepolicy/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/sepolicy/Makefile	2013-08-23 09:16:21.302924109 -0500
+@@ -5,25 +5,32 @@
+ BINDIR ?= $(PREFIX)/bin
+ SBINDIR ?= $(PREFIX)/sbin
+ MANDIR ?= $(PREFIX)/share/man
+-LOCALEDIR ?= /usr/share/locale
++LOCALEDIR ?= $(DESTDIR)/usr/share/locale
+ PYTHON ?= /usr/bin/python
+ BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
+ SHAREDIR ?= $(PREFIX)/share/sandbox
+-override CFLAGS = $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
++override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
+ 
+ BASHCOMPLETIONS=sepolicy-bash-completion.sh 
+ 
++PYTHON_ARGS = LDSHARED="$(CC) -shared" \
++		CROSS_COMPILING=yes              \
++		_python_sysroot=$(DESTDIR)       \
++		_python_srcdir=$(PYTHON_SRC)     \
++		_python_prefix=/usr              \
++		_python_exec_prefix=/usr
++
+ all: python-build
+ 
+ python-build: info.c search.c common.h policy.h policy.c
+-	$(PYTHON) setup.py build
++	$(PYTHON_ARGS) $(PYTHON) setup.py build
+ 
+ clean:
+ 	$(PYTHON) setup.py clean
+ 	-rm -rf build *~ \#* *pyc .#*
+ 
+ install:
+-	$(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
++	$(PYTHON_ARGS) $(PYTHON) setup.py install --prefix=$(PREFIX)
+ 	[ -d $(BINDIR) ] || mkdir -p $(BINDIR)
+ 	install -m 755 sepolicy.py $(BINDIR)/sepolicy
+ 	-mkdir -p $(MANDIR)/man8
+diff -urN a/sestatus/Makefile b/sestatus/Makefile
+--- a/sestatus/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/sestatus/Makefile	2013-08-23 09:16:21.302924109 -0500
+@@ -1,11 +1,11 @@
+ # Installation directories.
+ PREFIX ?= $(DESTDIR)/usr
+ SBINDIR ?= $(PREFIX)/sbin
+-MANDIR = $(PREFIX)/share/man
++MANDIR ?= $(PREFIX)/share/man
+ ETCDIR ?= $(DESTDIR)/etc
+ LIBDIR ?= $(PREFIX)/lib
+ 
+-CFLAGS = -Werror -Wall -W
++CFLAGS ?= -Werror -Wall -W
+ override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
+ LDLIBS = -lselinux -L$(LIBDIR)
+ 
+diff -urN a/setfiles/Makefile b/setfiles/Makefile
+--- a/setfiles/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/setfiles/Makefile	2013-08-23 09:16:21.302924109 -0500
+@@ -1,24 +1,27 @@
+ # Installation directories.
+ PREFIX ?= $(DESTDIR)/usr
+ SBINDIR ?= $(DESTDIR)/sbin
+-MANDIR = $(PREFIX)/share/man
++MANDIR ?= $(PREFIX)/share/man
+ LIBDIR ?= $(PREFIX)/lib
+-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
++AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
+ 
+-PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S '{ print $$3 }')
+-ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
++PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk '{ print $$3 }')
++ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk '{ print $$3 }')
+ 
+-CFLAGS = -g -Werror -Wall -W
++CFLAGS ?= -g -Werror -Wall -W
+ override CFLAGS += -I$(PREFIX)/include
+ LDLIBS = -lselinux -lsepol -L$(LIBDIR)
+ 
+-ifeq ($(AUDITH), /usr/include/libaudit.h)
++ifeq ($(AUDITH), $(DESTDIR)/usr/include/libaudit.h)
+ 	override CFLAGS += -DUSE_AUDIT
+ 	LDLIBS += -laudit
+ endif
+ 
+ all: setfiles restorecon man
+ 
++%.o: %.c
++	$(CC) $(CFLAGS) -c -o $@ $<
++
+ setfiles:  setfiles.o restore.o
+ 
+ restorecon: setfiles
diff --git a/package/policycoreutils/Config.in b/package/policycoreutils/Config.in
new file mode 100644
index 0000000..733b896
--- /dev/null
+++ b/package/policycoreutils/Config.in
@@ -0,0 +1,53 @@
+config BR2_PACKAGE_POLICYCOREUTILS
+	bool "policycoreutils"
+	select BR2_PACKAGE_LIBSEMANAGE
+	select BR2_PACKAGE_LIBCAP_NG
+	select BR2_PACKAGE_GETTEXT if BR2_NEEDS_GETTEXT
+	depends on BR2_TOOLCHAIN_HAS_THREADS # libsemanage
+	depends on BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL # uses fts.h
+	help
+	  Policycoreutils is a collection of policy utilities (originally
+	  the "core" set of utilities needed to use SELinux, although it
+	  has grown a bit over time), which have different dependencies.
+	  sestatus, secon, run_init, and newrole only use libselinux.
+	  load_policy and setfiles only use libselinux and libsepol.
+	  semodule and semanage use libsemanage (and thus bring in
+	  dependencies on libsepol and libselinux as well). setsebool
+	  uses libselinux to make non-persistent boolean changes (via
+	  the kernel interface) and uses libsemanage to make persistent
+	  boolean changes.
+
+	  The base package will install the following utilities:
+	      load_policy
+	      newrole
+	      restorecond
+	      run_init
+	      secon
+	      semodule
+	      semodule_deps
+	      semodule_expand
+	      semodule_link
+	      semodule_package
+	      sepolgen-ifgen
+	      sestatus
+	      setfiles
+	      setsebool
+
+	  http://selinuxproject.org/page/Main_Page
+
+comment "policycoreutils needs a toolchain w/ threads, glibc or musl"
+	depends on !BR2_TOOLCHAIN_HAS_THREADS  \
+		|| !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL)
+
+if BR2_PACKAGE_POLICYCOREUTILS
+
+config BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND
+	bool "restorecond Utility"
+	depends on BR2_PACKAGE_DBUS_GLIB
+	help
+	  Enable restorecond to be built
+
+comment "restorecond needs dbus-glib"
+	depends on !BR2_PACKAGE_DBUS_GLIB
+
+endif
diff --git a/package/policycoreutils/policycoreutils.hash b/package/policycoreutils/policycoreutils.hash
new file mode 100644
index 0000000..575dd25
--- /dev/null
+++ b/package/policycoreutils/policycoreutils.hash
@@ -0,0 +1,2 @@
+# https://github.com/SELinuxProject/selinux/wiki/Releases
+sha256 b6881741f9f9988346a73bfeccb0299941dc117349753f0ef3f23ee86f06c1b5  policycoreutils-2.1.14.tar.gz
diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
new file mode 100644
index 0000000..b03ea5c
--- /dev/null
+++ b/package/policycoreutils/policycoreutils.mk
@@ -0,0 +1,107 @@
+################################################################################
+#
+# policycoreutils
+#
+################################################################################
+
+POLICYCOREUTILS_VERSION = 2.1.14
+POLICYCOREUTILS_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20130423
+POLICYCOREUTILS_LICENSE = GPLv2
+POLICYCOREUTILS_LICENSE_FILES = COPYING
+
+# gettext for load_policy.c use of libintl_* functions
+POLICYCOREUTILS_DEPENDENCIES = libsemanage libcap-ng $(if $(BR2_NEEDS_GETTEXT),gettext)
+
+ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
+	POLICYCOREUTILS_DEPENDENCIES += linux-pam
+	POLICYCOREUTILS_MAKE_OPTS += NAMESPACE_PRIV=y
+define POLICYCOREUTILS_INSTALL_TARGET_LINUX_PAM_CONFS
+	$(INSTALL) -D -m 0644 $(@D)/newrole/newrole-lspp.pamd $(TARGET_DIR)/etc/pam.d/newrole
+	$(INSTALL) -D -m 0644 $(@D)/run_init/run_init.pamd $(TARGET_DIR)/etc/pam.d/run_init
+endef
+endif
+
+ifeq ($(BR2_PACKAGE_AUDIT),y)
+	POLICYCOREUTILS_DEPENDENCIES += audit
+	POLICYCOREUTILS_MAKE_OPTS += AUDIT_LOG_PRIV=y
+endif
+
+# Enable LSPP_PRIV if both audit and linux pam are enabled
+ifeq ($(BR2_PACKAGE_LINUX_PAM)$(BR2_PACKAGE_AUDIT),yy)
+	POLICYCOREUTILS_MAKE_OPTS += LSPP_PRIV=y
+endif
+
+# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h
+# large file support.
+# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more information
+POLICYCOREUTILS_MAKE_OPTS = \
+	$(TARGET_CONFIGURE_OPTS) \
+	CFLAGS="$(TARGET_CFLAGS) -U_FILE_OFFSET_BITS" \
+	LDFLAGS="$(TARGET_LDFLAGS) $(if $(BR2_NEEDS_GETTEXT),-lintl)"
+
+POLICYCOREUTILS_MAKE_DIRS = load_policy newrole run_init \
+	secon semodule semodule_deps semodule_expand semodule_link \
+	semodule_package sepolgen-ifgen sestatus setfiles setsebool
+
+ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND),y)
+POLICYCOREUTILS_DEPENDENCIES += dbus-glib
+POLICYCOREUTILS_MAKE_DIRS += restorecond
+endif
+
+define POLICYCOREUTILS_BUILD_CMDS
+	for dir in $(POLICYCOREUTILS_MAKE_DIRS) ; do \
+		$(MAKE) -C $(@D)/$${dir} $(POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(STAGING_DIR) all || exit 1 ; \
+	done
+endef
+
+define POLICYCOREUTILS_INSTALL_TARGET_CMDS
+	for dir in $(POLICYCOREUTILS_MAKE_DIRS) ; do \
+		$(MAKE) -C $(@D)/$${dir} $(POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(TARGET_DIR) install || exit 1 ; \
+	done
+endef
+
+HOST_POLICYCOREUTILS_DEPENDENCIES = host-libsemanage host-dbus-glib host-sepolgen host-setools
+
+# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h
+# large file support.
+# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more information
+HOST_POLICYCOREUTILS_MAKE_OPTS = \
+	$(HOST_CONFIGURE_OPTS) \
+	CFLAGS+="-U_FILE_OFFSET_BITS" \
+	PYTHON="$(HOST_DIR)/usr/bin/python"
+
+ifeq ($(BR2_PACKAGE_PYTHON3),y)
+HOST_POLICYCOREUTILS_DEPENDENCIES += host-python3
+HOST_POLICYCOREUTILS_MAKE_OPTS += \
+	PYLIBVER="python$(PYTHON3_VERSION_MAJOR)" \
+	PYTHON_SRC="$(BUILD_DIR)/host-python$(PYTHON3_VERSION)"
+else
+HOST_POLICYCOREUTILS_DEPENDENCIES += host-python
+HOST_POLICYCOREUTILS_MAKE_OPTS += \
+	PYLIBVER="python$(PYTHON_VERSION_MAJOR)" \
+	PYTHON_SRC="$(BUILD_DIR)/host-python$(PYTHON_VERSION)"
+endif
+
+# Note: We are only building the programs required by the refpolicy build
+HOST_POLICYCOREUTILS_MAKE_DIRS = load_policy semodule semodule_deps semodule_expand semodule_link \
+	semodule_package setfiles restorecond audit2allow audit2why scripts semanage sepolicy
+
+define HOST_POLICYCOREUTILS_BUILD_CMDS
+	for dir in $(HOST_POLICYCOREUTILS_MAKE_DIRS) ; do \
+		$(MAKE) -C $(@D)/$${dir} $(HOST_POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(HOST_DIR) all || exit 1 ; \
+	done
+endef
+
+define HOST_POLICYCOREUTILS_INSTALL_CMDS
+	for dir in $(HOST_POLICYCOREUTILS_MAKE_DIRS) ; do \
+		$(MAKE) -C $(@D)/$${dir} $(HOST_POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(HOST_DIR) install || exit 1 ; \
+	done
+	# Fix python paths
+	$(SED) 's~/usr/bin/~$(HOST_DIR)/usr/bin/~g' $(HOST_DIR)/usr/bin/audit2allow
+	$(SED) 's~/usr/bin/~$(HOST_DIR)/usr/bin/~g' $(HOST_DIR)/usr/bin/audit2why
+	$(SED) 's~/usr/bin/~$(HOST_DIR)/usr/bin/~g' $(HOST_DIR)/usr/bin/sepolgen-ifgen
+	$(SED) 's~/usr/bin/~$(HOST_DIR)/usr/bin/~g' $(HOST_DIR)/usr/bin/sepolicy
+endef
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
-- 
1.9.1

[Buildroot] [PATCH v5 06/24] policycoreutils: new package

[Samuel Martin]

Hi Clayton, Matt,

On Wed, May 13, 2015 at 11:39 PM, Clayton Shotwell
<clayton.shotwell@rockwellcollins.com> wrote:
> From: Matt Weber <matthew.weber@rockwellcollins.com>
>
> Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
>
[...]
> +diff -urN a/Makefile b/Makefile
> +--- a/Makefile 2013-02-05 19:43:22.000000000 -0600
> ++++ b/Makefile 2013-08-23 09:16:21.292985286 -0500
> +@@ -1,8 +1,8 @@
> + SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui
> +
> +-INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
> ++INOTIFYH = $(shell ls $(DESTDIR)/usr/include/sys/inotify.h 2>/dev/null)
> +
> +-ifeq (${INOTIFYH}, /usr/include/sys/inotify.h)
> ++ifeq (${INOTIFYH}, $(DESTDIR)/usr/include/sys/inotify.h)
Is this really working? (I mean the extra space after ",")

> +       SUBDIRS += restorecond
> + endif
> +
[...]
> +diff -urN a/newrole/Makefile b/newrole/Makefile
> +--- a/newrole/Makefile 2013-02-05 19:43:22.000000000 -0600
> ++++ b/newrole/Makefile 2013-08-23 09:16:21.292985286 -0500
> +@@ -3,9 +3,9 @@
> + BINDIR ?= $(PREFIX)/bin
> + MANDIR ?= $(PREFIX)/share/man
> + ETCDIR ?= $(DESTDIR)/etc
> +-LOCALEDIR = /usr/share/locale
> +-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
> +-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
> ++LOCALEDIR = $(DESTDIR)/usr/share/locale
> ++PAMH = $(shell ls $(DESTDIR)/usr/include/security/pam_appl.h 2>/dev/null)
> ++AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
> + # Enable capabilities to permit newrole to generate audit records.
> + # This will make newrole a setuid root program.
> + # The capabilities used are: CAP_AUDIT_WRITE.
> +@@ -24,7 +24,7 @@
> + EXTRA_OBJS =
> + override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
> + LDLIBS += -lselinux -L$(PREFIX)/lib
> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
> ++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
ditto

> +       override CFLAGS += -DUSE_PAM
> +       EXTRA_OBJS += hashtab.o
> +       LDLIBS += -lpam -lpam_misc
> +@@ -32,7 +32,7 @@
> +       override CFLAGS += -D_XOPEN_SOURCE=500
> +       LDLIBS += -lcrypt
> + endif
> +-ifeq ($(AUDITH), /usr/include/libaudit.h)
> ++ifeq ($(AUDITH), $(DESTDIR)/usr/include/libaudit.h)
ditto

> +       override CFLAGS += -DUSE_AUDIT
> +       LDLIBS += -laudit
> + endif
> +@@ -66,7 +66,7 @@
> +       test -d $(MANDIR)/man1 || install -m 755 -d $(MANDIR)/man1
> +       install -m $(MODE) newrole $(BINDIR)
> +       install -m 644 newrole.1 $(MANDIR)/man1/
> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
> ++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
ditto

> +       test -d $(ETCDIR)/pam.d || install -m 755 -d $(ETCDIR)/pam.d
> + ifeq ($(LSPP_PRIV),y)
> +       install -m 644 newrole-lspp.pamd $(ETCDIR)/pam.d/newrole
[...]
> +diff -urN a/run_init/Makefile b/run_init/Makefile
> +--- a/run_init/Makefile        2013-02-05 19:43:22.000000000 -0600
> ++++ b/run_init/Makefile        2013-08-23 09:16:21.292985286 -0500
> +@@ -4,21 +4,21 @@
> + SBINDIR ?= $(PREFIX)/sbin
> + MANDIR ?= $(PREFIX)/share/man
> + ETCDIR ?= $(DESTDIR)/etc
> +-LOCALEDIR ?= /usr/share/locale
> +-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
> +-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
> ++LOCALEDIR ?= $(DESTDIR)/usr/share/locale
> ++PAMH = $(shell ls $(DESTDIR)/usr/include/security/pam_appl.h 2>/dev/null)
> ++AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
> +
> + CFLAGS ?= -Werror -Wall -W
> + override CFLAGS += -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
> + LDLIBS += -lselinux -L$(PREFIX)/lib
> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
> ++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
ditto

> +       override CFLAGS += -DUSE_PAM
> +       LDLIBS += -lpam -lpam_misc
> + else
> +       override CFLAGS += -D_XOPEN_SOURCE=500
> +       LDLIBS += -lcrypt
> + endif
> +-ifeq ($(AUDITH), /usr/include/libaudit.h)
> ++ifeq ($(AUDITH), $(DESTDIR)/usr/include/libaudit.h)
ditto

> +       override CFLAGS += -DUSE_AUDIT
> +       LDLIBS += -laudit
> + endif
> +@@ -38,7 +38,7 @@
> +       install -m 755 open_init_pty $(SBINDIR)
> +       install -m 644 run_init.8 $(MANDIR)/man8/
> +       install -m 644 open_init_pty.8 $(MANDIR)/man8/
> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
> ++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
ditto

> +       install -m 644 run_init.pamd $(ETCDIR)/pam.d/run_init
> + endif
> +
> +diff -urN a/semodule/Makefile b/semodule/Makefile
> +--- a/semodule/Makefile        2013-02-05 19:43:22.000000000 -0600
> ++++ b/semodule/Makefile        2013-08-23 09:16:21.302924109 -0500
> +@@ -2,7 +2,7 @@
> + PREFIX ?= $(DESTDIR)/usr
> + INCLUDEDIR ?= $(PREFIX)/include
> + SBINDIR ?= $(PREFIX)/sbin
> +-MANDIR = $(PREFIX)/share/man
> ++MANDIR ?= $(PREFIX)/share/man
> + LIBDIR ?= $(PREFIX)/lib
> +
> + CFLAGS ?= -Werror -Wall -W
> +diff -urN a/sepolicy/Makefile b/sepolicy/Makefile
> +--- a/sepolicy/Makefile        2013-02-05 19:43:22.000000000 -0600
> ++++ b/sepolicy/Makefile        2013-08-23 09:16:21.302924109 -0500
> +@@ -5,25 +5,32 @@
> + BINDIR ?= $(PREFIX)/bin
> + SBINDIR ?= $(PREFIX)/sbin
> + MANDIR ?= $(PREFIX)/share/man
> +-LOCALEDIR ?= /usr/share/locale
> ++LOCALEDIR ?= $(DESTDIR)/usr/share/locale
> + PYTHON ?= /usr/bin/python
> + BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
> + SHAREDIR ?= $(PREFIX)/share/sandbox
> +-override CFLAGS = $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
> ++override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
> +
> + BASHCOMPLETIONS=sepolicy-bash-completion.sh
> +
> ++PYTHON_ARGS = LDSHARED="$(CC) -shared" \
> ++              CROSS_COMPILING=yes              \
> ++              _python_sysroot=$(DESTDIR)       \
> ++              _python_srcdir=$(PYTHON_SRC)     \
> ++              _python_prefix=/usr              \
> ++              _python_exec_prefix=/usr
> ++
> + all: python-build
> +
> + python-build: info.c search.c common.h policy.h policy.c
> +-      $(PYTHON) setup.py build
> ++      $(PYTHON_ARGS) $(PYTHON) setup.py build
> +
> + clean:
> +       $(PYTHON) setup.py clean
> +       -rm -rf build *~ \#* *pyc .#*
> +
> + install:
> +-      $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
> ++      $(PYTHON_ARGS) $(PYTHON) setup.py install --prefix=$(PREFIX)
> +       [ -d $(BINDIR) ] || mkdir -p $(BINDIR)
> +       install -m 755 sepolicy.py $(BINDIR)/sepolicy
> +       -mkdir -p $(MANDIR)/man8
> +diff -urN a/sestatus/Makefile b/sestatus/Makefile
> +--- a/sestatus/Makefile        2013-02-05 19:43:22.000000000 -0600
> ++++ b/sestatus/Makefile        2013-08-23 09:16:21.302924109 -0500
> +@@ -1,11 +1,11 @@
> + # Installation directories.
> + PREFIX ?= $(DESTDIR)/usr
> + SBINDIR ?= $(PREFIX)/sbin
> +-MANDIR = $(PREFIX)/share/man
> ++MANDIR ?= $(PREFIX)/share/man
> + ETCDIR ?= $(DESTDIR)/etc
> + LIBDIR ?= $(PREFIX)/lib
> +
> +-CFLAGS = -Werror -Wall -W
> ++CFLAGS ?= -Werror -Wall -W
> + override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
> + LDLIBS = -lselinux -L$(LIBDIR)
> +
> +diff -urN a/setfiles/Makefile b/setfiles/Makefile
> +--- a/setfiles/Makefile        2013-02-05 19:43:22.000000000 -0600
> ++++ b/setfiles/Makefile        2013-08-23 09:16:21.302924109 -0500
> +@@ -1,24 +1,27 @@
> + # Installation directories.
> + PREFIX ?= $(DESTDIR)/usr
> + SBINDIR ?= $(DESTDIR)/sbin
> +-MANDIR = $(PREFIX)/share/man
> ++MANDIR ?= $(PREFIX)/share/man
> + LIBDIR ?= $(PREFIX)/lib
> +-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
> ++AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
> +
> +-PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S '{ print $$3 }')
> +-ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
> ++PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk '{ print $$3 }')
> ++ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk '{ print $$3 }')
> +
> +-CFLAGS = -g -Werror -Wall -W
> ++CFLAGS ?= -g -Werror -Wall -W
> + override CFLAGS += -I$(PREFIX)/include
> + LDLIBS = -lselinux -lsepol -L$(LIBDIR)
> +
> +-ifeq ($(AUDITH), /usr/include/libaudit.h)
> ++ifeq ($(AUDITH), $(DESTDIR)/usr/include/libaudit.h)
ditto

> +       override CFLAGS += -DUSE_AUDIT
> +       LDLIBS += -laudit
> + endif
> +
> + all: setfiles restorecon man
> +
> ++%.o: %.c
> ++      $(CC) $(CFLAGS) -c -o $@ $<
> ++
> + setfiles:  setfiles.o restore.o
> +
> + restorecon: setfiles
> diff --git a/package/policycoreutils/Config.in b/package/policycoreutils/Config.in
> new file mode 100644
> index 0000000..733b896
> --- /dev/null
> +++ b/package/policycoreutils/Config.in
> @@ -0,0 +1,53 @@
> +config BR2_PACKAGE_POLICYCOREUTILS
> +       bool "policycoreutils"
> +       select BR2_PACKAGE_LIBSEMANAGE
> +       select BR2_PACKAGE_LIBCAP_NG
> +       select BR2_PACKAGE_GETTEXT if BR2_NEEDS_GETTEXT
> +       depends on BR2_TOOLCHAIN_HAS_THREADS # libsemanage
> +       depends on BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL # uses fts.h
> +       help
> +         Policycoreutils is a collection of policy utilities (originally
> +         the "core" set of utilities needed to use SELinux, although it
> +         has grown a bit over time), which have different dependencies.
> +         sestatus, secon, run_init, and newrole only use libselinux.
> +         load_policy and setfiles only use libselinux and libsepol.
> +         semodule and semanage use libsemanage (and thus bring in
> +         dependencies on libsepol and libselinux as well). setsebool
> +         uses libselinux to make non-persistent boolean changes (via
> +         the kernel interface) and uses libsemanage to make persistent
> +         boolean changes.
> +
> +         The base package will install the following utilities:
> +             load_policy
> +             newrole
> +             restorecond
> +             run_init
> +             secon
> +             semodule
> +             semodule_deps
> +             semodule_expand
> +             semodule_link
> +             semodule_package
> +             sepolgen-ifgen
> +             sestatus
> +             setfiles
> +             setsebool
> +
> +         http://selinuxproject.org/page/Main_Page
> +
> +comment "policycoreutils needs a toolchain w/ threads, glibc or musl"
> +       depends on !BR2_TOOLCHAIN_HAS_THREADS  \
> +               || !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL)
> +
> +if BR2_PACKAGE_POLICYCOREUTILS
> +
> +config BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND
> +       bool "restorecond Utility"
> +       depends on BR2_PACKAGE_DBUS_GLIB
We usually use a "select ..." statement here:
    depends on BR2_USE_WCHAR # dbus-glib -> dbus -> glib2
    depends on BR2_TOOLCHAIN_HAS_THREADS # dbus-glib -> dbus -> glib2
    depends on BR2_USE_MMU # dbus-glib -> dbus -> glib2
    select BR2_PACKAGE_DBUS_GLIB

So, no need for the below comment.

> +       help
> +         Enable restorecond to be built
> +
> +comment "restorecond needs dbus-glib"
> +       depends on !BR2_PACKAGE_DBUS_GLIB
> +
> +endif
> diff --git a/package/policycoreutils/policycoreutils.hash b/package/policycoreutils/policycoreutils.hash
> new file mode 100644
> index 0000000..575dd25
> --- /dev/null
> +++ b/package/policycoreutils/policycoreutils.hash
> @@ -0,0 +1,2 @@
> +# https://github.com/SELinuxProject/selinux/wiki/Releases
> +sha256 b6881741f9f9988346a73bfeccb0299941dc117349753f0ef3f23ee86f06c1b5  policycoreutils-2.1.14.tar.gz
> diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
> new file mode 100644
> index 0000000..b03ea5c
> --- /dev/null
> +++ b/package/policycoreutils/policycoreutils.mk
> @@ -0,0 +1,107 @@
> +################################################################################
> +#
> +# policycoreutils
> +#
> +################################################################################
> +
> +POLICYCOREUTILS_VERSION = 2.1.14
> +POLICYCOREUTILS_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20130423
> +POLICYCOREUTILS_LICENSE = GPLv2
> +POLICYCOREUTILS_LICENSE_FILES = COPYING
> +
> +# gettext for load_policy.c use of libintl_* functions
> +POLICYCOREUTILS_DEPENDENCIES = libsemanage libcap-ng $(if $(BR2_NEEDS_GETTEXT),gettext)
> +
> +ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
> +       POLICYCOREUTILS_DEPENDENCIES += linux-pam
> +       POLICYCOREUTILS_MAKE_OPTS += NAMESPACE_PRIV=y
No need for leading indentation

> +define POLICYCOREUTILS_INSTALL_TARGET_LINUX_PAM_CONFS
> +       $(INSTALL) -D -m 0644 $(@D)/newrole/newrole-lspp.pamd $(TARGET_DIR)/etc/pam.d/newrole
> +       $(INSTALL) -D -m 0644 $(@D)/run_init/run_init.pamd $(TARGET_DIR)/etc/pam.d/run_init
> +endef
> +endif
> +
> +ifeq ($(BR2_PACKAGE_AUDIT),y)
> +       POLICYCOREUTILS_DEPENDENCIES += audit
> +       POLICYCOREUTILS_MAKE_OPTS += AUDIT_LOG_PRIV=y
ditto

> +endif
> +
> +# Enable LSPP_PRIV if both audit and linux pam are enabled
> +ifeq ($(BR2_PACKAGE_LINUX_PAM)$(BR2_PACKAGE_AUDIT),yy)
> +       POLICYCOREUTILS_MAKE_OPTS += LSPP_PRIV=y
ditto

> +endif
> +
> +# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h
> +# large file support.
> +# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more information
> +POLICYCOREUTILS_MAKE_OPTS = \
> +       $(TARGET_CONFIGURE_OPTS) \
> +       CFLAGS="$(TARGET_CFLAGS) -U_FILE_OFFSET_BITS" \
> +       LDFLAGS="$(TARGET_LDFLAGS) $(if $(BR2_NEEDS_GETTEXT),-lintl)"
> +
> +POLICYCOREUTILS_MAKE_DIRS = load_policy newrole run_init \
> +       secon semodule semodule_deps semodule_expand semodule_link \
> +       semodule_package sepolgen-ifgen sestatus setfiles setsebool
> +
> +ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND),y)
> +POLICYCOREUTILS_DEPENDENCIES += dbus-glib
> +POLICYCOREUTILS_MAKE_DIRS += restorecond
> +endif
> +
> +define POLICYCOREUTILS_BUILD_CMDS
> +       for dir in $(POLICYCOREUTILS_MAKE_DIRS) ; do \
> +               $(MAKE) -C $(@D)/$${dir} $(POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(STAGING_DIR) all || exit 1 ; \
> +       done
> +endef
> +
> +define POLICYCOREUTILS_INSTALL_TARGET_CMDS
> +       for dir in $(POLICYCOREUTILS_MAKE_DIRS) ; do \
> +               $(MAKE) -C $(@D)/$${dir} $(POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(TARGET_DIR) install || exit 1 ; \
> +       done
> +endef
> +
> +HOST_POLICYCOREUTILS_DEPENDENCIES = host-libsemanage host-dbus-glib host-sepolgen host-setools
> +
> +# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h
> +# large file support.
> +# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more information
> +HOST_POLICYCOREUTILS_MAKE_OPTS = \
> +       $(HOST_CONFIGURE_OPTS) \
> +       CFLAGS+="-U_FILE_OFFSET_BITS" \
> +       PYTHON="$(HOST_DIR)/usr/bin/python"
> +
> +ifeq ($(BR2_PACKAGE_PYTHON3),y)
> +HOST_POLICYCOREUTILS_DEPENDENCIES += host-python3
> +HOST_POLICYCOREUTILS_MAKE_OPTS += \
> +       PYLIBVER="python$(PYTHON3_VERSION_MAJOR)" \
> +       PYTHON_SRC="$(BUILD_DIR)/host-python$(PYTHON3_VERSION)"
> +else
> +HOST_POLICYCOREUTILS_DEPENDENCIES += host-python
> +HOST_POLICYCOREUTILS_MAKE_OPTS += \
> +       PYLIBVER="python$(PYTHON_VERSION_MAJOR)" \
> +       PYTHON_SRC="$(BUILD_DIR)/host-python$(PYTHON_VERSION)"
> +endif
> +
> +# Note: We are only building the programs required by the refpolicy build
> +HOST_POLICYCOREUTILS_MAKE_DIRS = load_policy semodule semodule_deps semodule_expand semodule_link \
> +       semodule_package setfiles restorecond audit2allow audit2why scripts semanage sepolicy
Hmm ok, python is only needed for sepolicy, which is only built for
the host-package.

> +
> +define HOST_POLICYCOREUTILS_BUILD_CMDS
> +       for dir in $(HOST_POLICYCOREUTILS_MAKE_DIRS) ; do \
> +               $(MAKE) -C $(@D)/$${dir} $(HOST_POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(HOST_DIR) all || exit 1 ; \
> +       done
> +endef
> +
> +define HOST_POLICYCOREUTILS_INSTALL_CMDS
> +       for dir in $(HOST_POLICYCOREUTILS_MAKE_DIRS) ; do \
> +               $(MAKE) -C $(@D)/$${dir} $(HOST_POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(HOST_DIR) install || exit 1 ; \
> +       done
> +       # Fix python paths
> +       $(SED) 's~/usr/bin/~$(HOST_DIR)/usr/bin/~g' $(HOST_DIR)/usr/bin/audit2allow
> +       $(SED) 's~/usr/bin/~$(HOST_DIR)/usr/bin/~g' $(HOST_DIR)/usr/bin/audit2why
> +       $(SED) 's~/usr/bin/~$(HOST_DIR)/usr/bin/~g' $(HOST_DIR)/usr/bin/sepolgen-ifgen
> +       $(SED) 's~/usr/bin/~$(HOST_DIR)/usr/bin/~g' $(HOST_DIR)/usr/bin/sepolicy
> +endef
> +
> +$(eval $(generic-package))
> +$(eval $(host-generic-package))
What is the purpose of host-policycoreutils? I don't see it as
dependency of policycoreutils...

> --
> 1.9.1
>
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

Regards,

-- 
Samuel

[Buildroot] [PATCH v5 06/24] policycoreutils: new package

[Samuel Martin]

[...]
>> +$(eval $(generic-package))
>> +$(eval $(host-generic-package))
> What is the purpose of host-policycoreutils? I don't see it as
> dependency of policycoreutils...
Nvm, just see it's a deps of refpolicy.


-- 
Samuel

[Buildroot] [PATCH v5 07/24] refpolicy: new package

[Clayton Shotwell]

From: Clayton Shotwell <clshotwe@rockwellcollins.com>

Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>

---
Changes v4 -> v5:
  - Removed TODO and dependency on glibc (Matt W.)
  - Added lib depends to meet policycoreutils limitation on std lib
    (Matt W.)
  - Added comment for when an option is not defined (Matt W.)
  - Removed largefile, locale, and wchar dependencies (Clayton S.)
  - Remove dependancy on host-python-pyxml (Ryan B.)
  - Forced package to use $(HOST_DIR)/usr/bin/python2 for python
    executable (Ryan B.)
  - Added host-python dependency (Clayton S.)
  - Removed config menu (suggested by Thomas P.)
  - Added patch to fix awk issue (Clayton S.)

Changes v3 -> v4:
  - Added a dependency on host-gawk and correct the awk calls
    in the makefile to use $(AWK)
  - Changed the default policy name to br_policy to differentiate
    the policy generated from refpolicy
  - Added a install step to create a /.autorelabel file to cause
    the file system to be relabeled by S12SELinux init script
  - Adding a default modules.conf file with an option to specify
    a different one. This will decrease the build time for
    refpolicy by removing unused policies. (implemented by
    Thomas P.)
  - Cleaned up the configure comments (implemented by Thomas).
  - Added a check to only install the documentation if the
    Buildroot option is enabled
  - Removed the build because the install step completes the
    same process. Also removed the clean step because it is
    being removed globally from buildroot (implemented by
    Thomas P.)
  - Added more error handling to the startup script to print
    a warning if SELinux fails to install the policy if it
    exists. This can be caused by the kernel not being configured
    with SELinux enabled

Changes v2 -> v3:
  - Changes patch naming convention (suggested by Thomas P.)
  - Added dependencies on BR2_TOOLCHAIN_HAS_THREADS and
    BR2_LARGEFILE (suggested by Thomas P.)
  - Removed configure option for a specific patch folder
    (suggested by Thomas P.)
  - Removed distribution configuration option (suggested by Thomas)
  - Changed the monolithic configuration option to a modular
    configuration option (suggested by Thomas P.)
  - Removed the refpolicy name option (suggested by Thomas P.)
  - Corrected gramatical and comment errors (suggested by Thomas P.)
  - Multiple style corrections to the mk file (suggested by Thomas P.)
  - Added a comment to clairfy the usage of the the host build
    options for a target build

Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format
  - Fixed the patch naming to match the standard 4 digit numbering
  - Changed package dependencies into selects in the config
---
 package/Config.in                                  |   2 +
 package/refpolicy-contrib/Config.in                |  20 +
 package/refpolicy-contrib/refpolicy-contrib.mk     |  18 +
 .../0001-Fix-awk-references-to-use-variable.patch  |  42 +++
 package/refpolicy/Config.in                        |  91 +++++
 package/refpolicy/S00selinux                       | 136 +++++++
 package/refpolicy/config                           |   8 +
 package/refpolicy/modules.conf                     | 406 +++++++++++++++++++++
 package/refpolicy/refpolicy.hash                   |   2 +
 package/refpolicy/refpolicy.mk                     | 118 ++++++
 10 files changed, 843 insertions(+)
 create mode 100644 package/refpolicy-contrib/Config.in
 create mode 100644 package/refpolicy-contrib/refpolicy-contrib.mk
 create mode 100644 package/refpolicy/0001-Fix-awk-references-to-use-variable.patch
 create mode 100755 package/refpolicy/Config.in
 create mode 100644 package/refpolicy/S00selinux
 create mode 100644 package/refpolicy/config
 create mode 100644 package/refpolicy/modules.conf
 create mode 100644 package/refpolicy/refpolicy.hash
 create mode 100755 package/refpolicy/refpolicy.mk

diff --git a/package/Config.in b/package/Config.in
index b99a7e0..dcb03d5 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1339,6 +1339,8 @@ endmenu
 
 menu "Security"
 	source "package/policycoreutils/Config.in"
+	source "package/refpolicy/Config.in"
+	source "package/refpolicy-contrib/Config.in"
 	source "package/setools/Config.in"
 endmenu
 
diff --git a/package/refpolicy-contrib/Config.in b/package/refpolicy-contrib/Config.in
new file mode 100644
index 0000000..af493fd
--- /dev/null
+++ b/package/refpolicy-contrib/Config.in
@@ -0,0 +1,20 @@
+if BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
+
+comment "A refpolicy contrib repository is required if using a refpolicy repo. (Contrib is a GIT submodule of refpolicy)"
+
+config BR2_PACKAGE_REFPOLICY_CONTRIB
+	bool "refpolicy-contrib"
+	help
+	  A GIT submodule of the refpolicy package.
+
+
+config BR2_PACKAGE_REFPOLICY_CONTRIB_CUSTOM_REPO_URL
+	string "URL of custom contrib submodule repository"
+
+config BR2_PACKAGE_REFPOLICY_CONTRIB_CUSTOM_REPO_VERSION
+	string "Custom contrib submodule repository version"
+	help
+	  Revision to use in the typical format used by Git
+	  e.g. a SHA id, a tag, branch, ..
+
+endif
diff --git a/package/refpolicy-contrib/refpolicy-contrib.mk b/package/refpolicy-contrib/refpolicy-contrib.mk
new file mode 100644
index 0000000..3d1c53e
--- /dev/null
+++ b/package/refpolicy-contrib/refpolicy-contrib.mk
@@ -0,0 +1,18 @@
+################################################################################
+#
+# refpolicy-contrib
+#
+################################################################################
+
+ifeq ($(BR2_PACKAGE_REFPOLICY_CUSTOM_GIT),y)
+REFPOLICY_CONTRIB_SITE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CONTRIB_CUSTOM_REPO_URL))
+REFPOLICY_CONTRIB_VERSION = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CONTRIB_CUSTOM_REPO_VERSION))
+REFPOLICY_CONTRIB_SITE_METHOD = git
+
+# Inherits license from refpolicy as normally this is a submodule
+REFPOLICY_CONTRIB_LICENSE = GPLv2
+endif
+
+# If refpolicy is from release archive, this contrib content is part of it.
+
+$(eval $(generic-package))
diff --git a/package/refpolicy/0001-Fix-awk-references-to-use-variable.patch b/package/refpolicy/0001-Fix-awk-references-to-use-variable.patch
new file mode 100644
index 0000000..8236fa2
--- /dev/null
+++ b/package/refpolicy/0001-Fix-awk-references-to-use-variable.patch
@@ -0,0 +1,42 @@
+From 1d4c826e8de366bccb93f167cd9be834ab5911c8 Mon Sep 17 00:00:00 2001
+From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+Date: Fri, 8 May 2015 14:13:00 -0500
+Subject: [PATCH] Fix awk references to use variable
+
+Ensure all awk calls use the variable setup in the makefile rather than
+relying on the system.
+
+Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+---
+ Makefile | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 85d4cfb..3aa4b51 100644
+--- a/Makefile
++++ b/Makefile
+@@ -292,9 +292,9 @@ cmdline_mods := $(addsuffix .te,$(APPS_MODS))
+ cmdline_off := $(addsuffix .te,$(APPS_OFF))
+ 
+ # extract settings from modules.conf
+-mod_conf_base := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configbase)") print $$1 }' $(mod_conf) 2> /dev/null)))
+-mod_conf_mods := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configmod)") print $$1 }' $(mod_conf) 2> /dev/null)))
+-mod_conf_off := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configoff)") print $$1 }' $(mod_conf) 2> /dev/null)))
++mod_conf_base := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configbase)") print $$1 }' $(mod_conf) 2> /dev/null)))
++mod_conf_mods := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configmod)") print $$1 }' $(mod_conf) 2> /dev/null)))
++mod_conf_off := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configoff)") print $$1 }' $(mod_conf) 2> /dev/null)))
+ 
+ base_mods := $(cmdline_base)
+ mod_mods := $(cmdline_mods)
+@@ -308,7 +308,7 @@ off_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_c
+ off_mods += $(filter-out $(base_mods) $(mod_mods) $(off_mods),$(notdir $(detected_mods)))
+ 
+ # filesystems to be used in labeling targets
+-filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
++filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | $(AWK) '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
+ fs_names := "btrfs ext2 ext3 ext4 xfs jfs"
+ 
+ ########################################
+-- 
+1.9.1
+
diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
new file mode 100755
index 0000000..cfc8b94
--- /dev/null
+++ b/package/refpolicy/Config.in
@@ -0,0 +1,91 @@
+config BR2_PACKAGE_REFPOLICY
+	bool "refpolicy"
+	select BR2_PACKAGE_POLICYCOREUTILS
+	select BR2_PACKAGE_BUSYBOX_SELINUX
+	depends on BR2_TOOLCHAIN_HAS_THREADS # policycoreutils
+	depends on BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL # policycoreutils
+	help
+	  The SELinux Reference Policy project (refpolicy) is a
+	  complete SELinux policy that can be used as the system
+	  policy for a variety of systems and used as the basis
+	  for creating other policies. Reference Policy was originally
+	  based on the NSA example policy, but aims to accomplish
+	  many additional goals.
+
+	  The current refpolicy does not fully support Buildroot
+	  and needs modifications to work with the default system
+	  file layout.  These changes should be added as patches to
+	  the refpolicy that modify a single SELinux policy.
+
+comment "refpolicy needs a toolchain w/ threads, glibc or musl"
+	depends on !BR2_TOOLCHAIN_HAS_THREADS \
+		|| !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL)
+
+if BR2_PACKAGE_REFPOLICY
+
+choice
+	prompt "SELinux policy type"
+	default BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
+
+	config BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
+		bool "Standard"
+		help
+		  Standard SELinux policy
+
+	config BR2_PACKAGE_REFPOLICY_TYPE_MCS
+		bool "MCS"
+		help
+		  SELinux policy with multi-catagory support
+
+	config BR2_PACKAGE_REFPOLICY_TYPE_MLS
+		bool "MLS"
+		help
+		  SELinux policy with multi-catagory and multi-level support
+endchoice
+
+config BR2_PACKAGE_REFPOLICY_TYPE
+	string
+	default "standard" if BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
+	default "mcs" if BR2_PACKAGE_REFPOLICY_TYPE_MCS
+	default "mls" if BR2_PACKAGE_REFPOLICY_TYPE_MLS
+
+config BR2_PACKAGE_REFPOLICY_MODULES_FILE
+	string "Refpolicy modules configuration"
+	default "package/refpolicy/modules.conf"
+	help
+	  Location of a custom modules.conf file that lists the
+	  SELinux policy modules to be included in the compiled
+	  policy. See policy/modules.conf in the refpolicy sources for
+	  the complete list of available modules.
+	  NOTE: This file is only used if a Custom GIT repo is
+	  not specified.
+
+config BR2_PACKAGE_REFPOLICY_MODULAR
+	bool "Build a modular SELinux policy"
+	help
+	  Select Y to build a modular SELinux policy. By default,
+	  a monolithing policy will be built to save space on the
+	  target. A modular policy can also be built if policies
+	  need to be modified without reloading the target.
+
+config BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
+	bool "Custom Git repository"
+	select BR2_PACKAGE_REFPOLICY_CONTRIB
+	help
+	 This option allows Buildroot to get the refpolicy source
+	 code from a Git repository.
+
+if BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
+
+config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL
+	string "URL of custom repository"
+
+config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION
+	string "Custom repository version"
+	help
+	  Revision to use in the typical format used by Git
+	  e.g. a SHA id, a tag, branch, ..
+
+endif
+
+endif
diff --git a/package/refpolicy/S00selinux b/package/refpolicy/S00selinux
new file mode 100644
index 0000000..f2ac2e6
--- /dev/null
+++ b/package/refpolicy/S00selinux
@@ -0,0 +1,136 @@
+#!/bin/sh
+################################################################################
+#
+# This file labels the security contexts of memory based filesystems such as
+# /dev/ and checks for auto relabel request if '/.autorelabel' file exists.
+#
+# This script is a heavily stripped down and modified version of the one used
+# in CentOS 6.2
+#
+################################################################################
+
+failed()
+{
+   echo $1
+   exit 1
+}
+
+# Get SELinux config env vars
+. /etc/selinux/config || failed "Failed to source the SELinux config"
+
+setup_selinux() {
+   # Create required directories
+   mkdir -p /etc/selinux/${SELINUXTYPE}/policy/ ||
+         failed "Failed to create the policy folder"
+   mkdir -p /etc/selinux/${SELINUXTYPE}/modules/active/modules || \
+         failed "Failed to create the modules folder"
+   if [ ! -f /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local ]
+   then
+      touch /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local || \
+            failed "Failed to create the file_contexts.local file"
+   fi
+
+   # Install modules
+   semodule -v -s ${SELINUXTYPE} -b /usr/share/selinux/${SELINUXTYPE}/base.pp \
+         -i $(ls /usr/share/selinux/${SELINUXTYPE}/*.pp | grep -v base) || \
+         failed "Failed to install the base policy"
+
+   # Load the policy to activate it
+   load_policy -i || failed "Failed to load the SELinux policy"
+}
+
+relabel_selinux() {
+   # if /sbin/init is not labeled correctly this process is running in the
+   # wrong context, so a reboot will be required after relabel
+   AUTORELABEL=
+
+   # Switch to Permissive mode
+   echo "0" > /selinux/enforce || failed "Failed to disable enforcing mode"
+
+   echo
+   echo "*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
+   echo "*** Relabeling could take a very long time, depending on file"
+   echo "*** system size and speed of hard drives."
+
+   # Relabel mount points
+   restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) \
+         >/dev/null 2>&1 || failed "Failed to relabel the mount points"
+
+   # Relabel file system
+   echo "Relabeling file systems"
+   restorecon -R -F / || failed "Failed to relabel the file system"
+
+   # Remove label
+   rm -f  /.autorelabel || failed "Failed to remove the autorelabel flag"
+
+   # Reboot to activate relabeled file system
+   echo "Automatic reboot in progress."
+   reboot -f
+}
+
+start() {
+   echo -n "Initializing SELinux: "
+
+   # Check to see if the default policy has been installed
+   if [ "`sestatus | grep "SELinux status" | grep enabled`" == "" ]; then
+      if [ ! -f /etc/selinux/${SELINUXTYPE}/policy/policy.* ]
+      then
+         setup_selinux
+      else
+         echo "SELinux policy install failed. Check kernel and init config"
+         exit 1
+      fi
+   fi
+
+   # Check SELinux status
+   SELINUX_STATE=
+   if [ -e "/selinux/enforce" ] && [ "$(cat /proc/self/attr/current)" != "kernel" ]; then
+      if [ -r "/selinux/enforce" ] ; then
+         SELINUX_STATE=$(cat "/selinux/enforce")
+      else
+         # assume enforcing if you can't read it
+         SELINUX_STATE=1
+      fi
+   fi
+
+   # Context Label /dev/
+   if [ -n "$SELINUX_STATE" -a -x /sbin/restorecon ] && fgrep " /dev " /proc/mounts >/dev/null 2>&1 ; then
+      /sbin/restorecon -R -F /dev 2>/dev/null
+   fi
+
+   # Context Label tmpfs mounts
+   if [ -n "$SELINUX_STATE" -a -x /sbin/restorecon ]; then
+      /sbin/restorecon -R -F $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// && $3 =="tmpfs" { print $2 }' /etc/fstab) >/dev/null 2>&1
+   fi
+
+   # Clean up SELinux labels
+   if [ -n "$SELINUX_STATE" -a -x /sbin/restorecon ]; then
+      restorecon -F /etc/mtab /etc/ld.so.cache /etc/resolv.conf >/dev/null 2>&1
+   fi
+
+   # Check for filesystem relabel request
+   if [ -f /.autorelabel ] ; then
+      relabel_selinux
+   fi
+
+   echo "OK"
+}
+stop() {
+   # There is nothing to do
+   echo "OK"
+}
+
+case "$1" in
+   start)
+      start
+      ;;
+   stop)
+      stop
+      ;;
+   *)
+      echo "Usage: $0 {start|stop}"
+      exit 1
+      ;;
+esac
+
+exit $?
diff --git a/package/refpolicy/config b/package/refpolicy/config
new file mode 100644
index 0000000..5eee807
--- /dev/null
+++ b/package/refpolicy/config
@@ -0,0 +1,8 @@
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+#     enforcing - SELinux security policy is enforced.
+#     permissive - SELinux prints warnings instead of enforcing.
+#     disabled - No SELinux policy is loaded.
+SELINUX=permissive
+# SELINUXTYPE= name of the selinux policy to use
+SELINUXTYPE=refpolicy
diff --git a/package/refpolicy/modules.conf b/package/refpolicy/modules.conf
new file mode 100644
index 0000000..58282d8
--- /dev/null
+++ b/package/refpolicy/modules.conf
@@ -0,0 +1,406 @@
+#
+# This file contains a listing of available modules.
+# To prevent a module from  being used in policy
+# creation, set the module name to "off".
+#
+# For monolithic policies, modules set to "base" and "module"
+# will be built into the policy.
+#
+# For modular policies, modules set to "base" will be
+# included in the base module.  "module" will be compiled
+# as individual loadable modules.
+#
+
+# Layer: kernel
+# Module: corecommands
+# Required in base
+#
+# Core policy for shells, and generic programs
+# in /bin, /sbin, /usr/bin, and /usr/sbin.
+#
+corecommands = base
+
+# Layer: kernel
+# Module: corenetwork
+# Required in base
+#
+# Policy controlling access to network objects
+#
+corenetwork = base
+
+# Layer: kernel
+# Module: devices
+# Required in base
+#
+# Device nodes and interfaces for many basic system devices.
+#
+devices = base
+
+# Layer: kernel
+# Module: domain
+# Required in base
+#
+# Core policy for domains.
+#
+domain = base
+
+# Layer: kernel
+# Module: files
+# Required in base
+#
+# Basic filesystem types and interfaces.
+#
+files = base
+
+# Layer: kernel
+# Module: filesystem
+# Required in base
+#
+# Policy for filesystems.
+#
+filesystem = base
+
+# Layer: kernel
+# Module: kernel
+# Required in base
+#
+# Policy for kernel threads, proc filesystem,
+# and unlabeled processes and objects.
+#
+kernel = base
+
+# Layer: kernel
+# Module: mcs
+# Required in base
+#
+# Multicategory security policy
+#
+mcs = base
+
+# Layer: kernel
+# Module: mls
+# Required in base
+#
+# Multilevel security policy
+#
+mls = base
+
+# Layer: kernel
+# Module: selinux
+# Required in base
+#
+# Policy for kernel security interface, in particular, selinuxfs.
+#
+selinux = base
+
+# Layer: kernel
+# Module: terminal
+# Required in base
+#
+# Policy for terminals.
+#
+terminal = base
+
+# Layer: kernel
+# Module: ubac
+# Required in base
+#
+# User-based access control policy
+#
+ubac = base
+
+# Layer: admin
+# Module: bootloader
+#
+# Policy for the kernel modules, kernel image, and bootloader.
+#
+bootloader = module
+
+# Layer: admin
+# Module: consoletype
+#
+# Determine of the console connected to the controlling terminal.
+#
+consoletype = module
+
+# Layer: admin
+# Module: dmesg
+#
+# Policy for dmesg.
+#
+dmesg = module
+
+# Layer: admin
+# Module: netutils
+#
+# Network analysis utilities
+#
+netutils = module
+
+# Layer: admin
+# Module: su
+#
+# Run shells with substitute user and group
+#
+su = module
+
+# Layer: admin
+# Module: sudo
+#
+# Execute a command with a substitute user
+#
+sudo = module
+
+# Layer: admin
+# Module: usermanage
+#
+# Policy for managing user accounts.
+#
+usermanage = module
+
+# Layer: apps
+# Module: seunshare
+#
+# Filesystem namespacing/polyinstantiation application.
+#
+seunshare = module
+
+# Layer: kernel
+# Module: storage
+#
+# Policy controlling access to storage devices
+#
+storage = module
+
+# Layer: roles
+# Module: auditadm
+#
+# Audit administrator role
+#
+auditadm = module
+
+# Layer: roles
+# Module: logadm
+#
+# Log administrator role
+#
+logadm = module
+
+# Layer: roles
+# Module: secadm
+#
+# Security administrator role
+#
+secadm = module
+
+# Layer: roles
+# Module: staff
+#
+# Administrator's unprivileged user role
+#
+staff = module
+
+# Layer: roles
+# Module: sysadm
+#
+# General system administration role
+#
+sysadm = module
+
+# Layer: roles
+# Module: unprivuser
+#
+# Generic unprivileged user role
+#
+unprivuser = module
+
+# Layer: services
+# Module: postgresql
+#
+# PostgreSQL relational database
+#
+postgresql = module
+
+# Layer: services
+# Module: ssh
+#
+# Secure shell client and server policy.
+#
+ssh = module
+
+# Layer: services
+# Module: xserver
+#
+# X Windows Server
+#
+xserver = module
+
+# Layer: system
+# Module: application
+#
+# Policy for user executable applications.
+#
+application = module
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+#
+authlogin = module
+
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+#
+clock = module
+
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+#
+fstools = module
+
+# Layer: system
+# Module: getty
+#
+# Policy for getty.
+#
+getty = module
+
+# Layer: system
+# Module: hostname
+#
+# Policy for changing the system host name.
+#
+hostname = module
+
+# Layer: system
+# Module: hotplug
+#
+# Policy for hotplug system, for supporting the
+# connection and disconnection of devices at runtime.
+#
+hotplug = module
+
+# Layer: system
+# Module: init
+#
+# System initialization programs (init and init scripts).
+#
+init = module
+
+# Layer: system
+# Module: ipsec
+#
+# TCP/IP encryption
+#
+ipsec = module
+
+# Layer: system
+# Module: iptables
+#
+# Policy for iptables.
+#
+iptables = module
+
+# Layer: system
+# Module: libraries
+#
+# Policy for system libraries.
+#
+libraries = module
+
+# Layer: system
+# Module: locallogin
+#
+# Policy for local logins.
+#
+locallogin = module
+
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+#
+logging = module
+
+# Layer: system
+# Module: lvm
+#
+# Policy for logical volume management programs.
+#
+lvm = module
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+#
+miscfiles = module
+
+# Layer: system
+# Module: modutils
+#
+# Policy for kernel module utilities
+#
+modutils = module
+
+# Layer: system
+# Module: mount
+#
+# Policy for mount.
+#
+mount = module
+
+# Layer: system
+# Module: netlabel
+#
+# NetLabel/CIPSO labeled networking management
+#
+netlabel = module
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+#
+selinuxutil = module
+
+# Layer: system
+# Module: setrans
+#
+# SELinux MLS/MCS label translation service.
+#
+setrans = module
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+#
+sysnetwork = module
+
+# Layer: system
+# Module: udev
+#
+# Policy for udev.
+#
+udev = module
+
+# Layer: system
+# Module: unconfined
+#
+# The unconfined domain.
+#
+unconfined = module
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+#
+userdomain = module
+
diff --git a/package/refpolicy/refpolicy.hash b/package/refpolicy/refpolicy.hash
new file mode 100644
index 0000000..eca53d7
--- /dev/null
+++ b/package/refpolicy/refpolicy.hash
@@ -0,0 +1,2 @@
+#From https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease
+sha256 6039ba854f244a39dc727cc7db25632f7b933bb271c803772d754d4354f5aef4  refpolicy-2.20130424.tar.bz2
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
new file mode 100755
index 0000000..8d9e509
--- /dev/null
+++ b/package/refpolicy/refpolicy.mk
@@ -0,0 +1,118 @@
+################################################################################
+#
+# refpolicy
+#
+################################################################################
+
+ifeq ($(BR2_PACKAGE_REFPOLICY_CUSTOM_GIT),y)
+REFPOLICY_SITE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL))
+REFPOLICY_VERSION = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION))
+REFPOLICY_SITE_METHOD = git
+REFPOLICY_DEPENDENCIES += refpolicy-contrib
+else
+REFPOLICY_VERSION = 2.20130424
+REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2
+REFPOLICY_SITE = http://oss.tresys.com/files/refpolicy/
+endif
+REFPOLICY_LICENSE = GPLv2
+REFPOLICY_LICENSE_FILES = COPYING
+
+# Cannot use multiple threads to build the reference policy
+REFPOLICY_MAKE = $(TARGET_MAKE_ENV) $(MAKE1)
+
+REFPOLICY_DEPENDENCIES += host-m4 host-checkpolicy host-policycoreutils \
+	host-setools host-gawk host-python policycoreutils
+
+REFPOLICY_INSTALL_STAGING = YES
+
+REFPOLICY_POLICY_NAME = br_policy
+
+# To apply board specific customizations, create a refpolicy folder in
+# BR2_GLOBAL_PATCH_DIR.  These patches will be applied after the patches
+# in package/refpolicy
+
+# Pointing to the host compiler to build a sort application during the build.
+# The host compiler tools are not used for any part of the refpolicy build.
+# Note, the TEST_TOOLCHAIN option will also set the
+# LD_LIBRARY_PATH at run time.
+REFPOLICY_MAKE_CMDS = $(HOST_CONFIGURE_OPTS) \
+	TEST_TOOLCHAIN="$(HOST_DIR)"
+
+# Build requies python2 to run
+REFPOLICY_MAKE_ENV = \
+	PYTHON="$(HOST_DIR)/usr/bin/python2" \
+	AWK="$(HOST_DIR)/usr/bin/gawk" \
+	M4="$(HOST_DIR)/usr/bin/m4"
+
+
+ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)
+	REFPOLICY_MONOLITHIC = n
+else
+	REFPOLICY_MONOLITHIC = y
+endif
+
+ifeq ($(BR2_PACKAGE_REFPOLICY_CUSTOM_GIT),y)
+define REFPOLICY_GIT_SUBMODULE_SETUP
+	rsync -ar $(REFPOLICY_CONTRIB_DIR)/* $(@D)/policy/modules/contrib/
+endef
+else
+REFPOLICY_MODULES_FILE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_MODULES_FILE))
+define REFPOLICY_CUSTOM_MODULES_CONF
+	cp $(REFPOLICY_MODULES_FILE) $(@D)/policy/modules.conf
+endef
+endif
+
+define REFPOLICY_CONFIGURE_CMDS
+	$(REFPOLICY_GIT_SUBMODULE_SETUP)
+	# If an external repo is used to build refpolicy, this preserves the
+	# custom modules.conf which defines the enabled components.
+	if [ -f $(@D)/policy/modules.conf ]; then \
+		mv $(@D)/policy/modules.conf $(@D)/modules.conf.bk ; \
+	fi
+	$(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) bare \
+		$(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
+	$(SED) "/TYPE/c\TYPE = $(BR2_PACKAGE_REFPOLICY_TYPE)" $(@D)/build.conf
+	$(SED) "/MONOLITHIC/c\MONOLITHIC = $(REFPOLICY_MONOLITHIC)" $(@D)/build.conf
+	$(SED) "/NAME/c\NAME = $(REFPOLICY_POLICY_NAME)" $(@D)/build.conf
+	$(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) conf \
+		$(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
+	if [ -f $(@D)/modules.conf.bk ]; then \
+		echo "[Preserved modules.conf]" ; \
+		mv $(@D)/modules.conf.bk $(@D)/policy/modules.conf ; \
+	fi
+	$(REFPOLICY_CUSTOM_MODULES_CONF)
+endef
+
+define REFPOLICY_INSTALL_STAGING_CMDS
+	$(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) install-src install-headers \
+		$(if $(BR2_HAVE_DOCUMENTATION),install-docs) \
+		$(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
+endef
+
+define REFPOLICY_INSTALL_TARGET_CMDS
+	$(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) install \
+		$(REFPOLICY_MAKE_CMDS) DESTDIR=$(TARGET_DIR)
+	$(INSTALL) -m 0755 -D package/refpolicy/config $(TARGET_DIR)/etc/selinux/config
+	$(SED) "/^SELINUXTYPE/c\SELINUXTYPE=$(REFPOLICY_POLICY_NAME)" \
+		$(TARGET_DIR)/etc/selinux/config
+	touch $(TARGET_DIR)/.autorelabel
+	$(RM) $(TARGET_DIR)/etc/selinux/$(REFPOLICY_POLICY_NAME)/booleans
+endef
+
+define REFPOLICY_INSTALL_INIT_SYSV
+	$(INSTALL) -m 0755 -D package/refpolicy/S00selinux \
+		$(TARGET_DIR)/etc/init.d/S00selinux
+endef
+
+define REFPOLICY_POLICY_COMPILE
+	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(REFPOLICY_POLICY_NAME)/policy
+	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(REFPOLICY_POLICY_NAME)/modules/active/modules
+	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(REFPOLICY_POLICY_NAME)/contexts/files
+	touch $(TARGET_DIR)/etc/selinux/$(REFPOLICY_POLICY_NAME)/contexts/files/file_contexts.local
+endef
+
+ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)
+	REFPOLICY_POST_INSTALL_TARGET_HOOKS += REFPOLICY_POLICY_COMPILE
+endif
+
+$(eval $(generic-package))
-- 
1.9.1

[Buildroot] [PATCH v5 07/24] refpolicy: new package

[Ryan Barnett]

Clayton,

A few minor notes below.

On Wed, May 13, 2015 at 4:39 PM, Clayton Shotwell
<clayton.shotwell@rockwellcollins.com> wrote:
> From: Clayton Shotwell <clshotwe@rockwellcollins.com>
>
> Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
>
> ---
> Changes v4 -> v5:
>   - Removed TODO and dependency on glibc (Matt W.)
>   - Added lib depends to meet policycoreutils limitation on std lib
>     (Matt W.)
>   - Added comment for when an option is not defined (Matt W.)
>   - Removed largefile, locale, and wchar dependencies (Clayton S.)
>   - Remove dependancy on host-python-pyxml (Ryan B.)
>   - Forced package to use $(HOST_DIR)/usr/bin/python2 for python
>     executable (Ryan B.)
>   - Added host-python dependency (Clayton S.)
>   - Removed config menu (suggested by Thomas P.)
>   - Added patch to fix awk issue (Clayton S.)
>
> Changes v3 -> v4:
>   - Added a dependency on host-gawk and correct the awk calls
>     in the makefile to use $(AWK)
>   - Changed the default policy name to br_policy to differentiate
>     the policy generated from refpolicy
>   - Added a install step to create a /.autorelabel file to cause
>     the file system to be relabeled by S12SELinux init script
>   - Adding a default modules.conf file with an option to specify
>     a different one. This will decrease the build time for
>     refpolicy by removing unused policies. (implemented by
>     Thomas P.)
>   - Cleaned up the configure comments (implemented by Thomas).
>   - Added a check to only install the documentation if the
>     Buildroot option is enabled
>   - Removed the build because the install step completes the
>     same process. Also removed the clean step because it is
>     being removed globally from buildroot (implemented by
>     Thomas P.)
>   - Added more error handling to the startup script to print
>     a warning if SELinux fails to install the policy if it
>     exists. This can be caused by the kernel not being configured
>     with SELinux enabled
>
> Changes v2 -> v3:
>   - Changes patch naming convention (suggested by Thomas P.)
>   - Added dependencies on BR2_TOOLCHAIN_HAS_THREADS and
>     BR2_LARGEFILE (suggested by Thomas P.)
>   - Removed configure option for a specific patch folder
>     (suggested by Thomas P.)
>   - Removed distribution configuration option (suggested by Thomas)
>   - Changed the monolithic configuration option to a modular
>     configuration option (suggested by Thomas P.)
>   - Removed the refpolicy name option (suggested by Thomas P.)
>   - Corrected gramatical and comment errors (suggested by Thomas P.)
>   - Multiple style corrections to the mk file (suggested by Thomas P.)
>   - Added a comment to clairfy the usage of the the host build
>     options for a target build
>
> Changes v1 -> v2:
>   - General cleanup to the mk file to conform to the standard format
>   - Fixed the patch naming to match the standard 4 digit numbering
>   - Changed package dependencies into selects in the config
> ---
>  package/Config.in                                  |   2 +
>  package/refpolicy-contrib/Config.in                |  20 +
>  package/refpolicy-contrib/refpolicy-contrib.mk     |  18 +
>  .../0001-Fix-awk-references-to-use-variable.patch  |  42 +++
>  package/refpolicy/Config.in                        |  91 +++++
>  package/refpolicy/S00selinux                       | 136 +++++++
>  package/refpolicy/config                           |   8 +
>  package/refpolicy/modules.conf                     | 406 +++++++++++++++++++++
>  package/refpolicy/refpolicy.hash                   |   2 +
>  package/refpolicy/refpolicy.mk                     | 118 ++++++
>  10 files changed, 843 insertions(+)
>  create mode 100644 package/refpolicy-contrib/Config.in
>  create mode 100644 package/refpolicy-contrib/refpolicy-contrib.mk
>  create mode 100644 package/refpolicy/0001-Fix-awk-references-to-use-variable.patch
>  create mode 100755 package/refpolicy/Config.in

Should remove the execute permissions on Config.in and refpolicy.mk.

>  create mode 100644 package/refpolicy/S00selinux
>  create mode 100644 package/refpolicy/config
>  create mode 100644 package/refpolicy/modules.conf
>  create mode 100644 package/refpolicy/refpolicy.hash
>  create mode 100755 package/refpolicy/refpolicy.mk
>
> diff --git a/package/Config.in b/package/Config.in
> index b99a7e0..dcb03d5 100644
> --- a/package/Config.in
> +++ b/package/Config.in
> @@ -1339,6 +1339,8 @@ endmenu
>
>  menu "Security"
>         source "package/policycoreutils/Config.in"
> +       source "package/refpolicy/Config.in"
> +       source "package/refpolicy-contrib/Config.in"
>         source "package/setools/Config.in"
>  endmenu
>
> diff --git a/package/refpolicy-contrib/Config.in b/package/refpolicy-contrib/Config.in
> new file mode 100644
> index 0000000..af493fd
> --- /dev/null
> +++ b/package/refpolicy-contrib/Config.in
> @@ -0,0 +1,20 @@
> +if BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
> +
> +comment "A refpolicy contrib repository is required if using a refpolicy repo. (Contrib is a GIT submodule of refpolicy)"

GIT should be spell as Git for consistency

> +
> +config BR2_PACKAGE_REFPOLICY_CONTRIB
> +       bool "refpolicy-contrib"
> +       help
> +         A GIT submodule of the refpolicy package.
> +
> +

Remove the extra new line.

> +config BR2_PACKAGE_REFPOLICY_CONTRIB_CUSTOM_REPO_URL
> +       string "URL of custom contrib submodule repository"
> +
> +config BR2_PACKAGE_REFPOLICY_CONTRIB_CUSTOM_REPO_VERSION
> +       string "Custom contrib submodule repository version"
> +       help
> +         Revision to use in the typical format used by Git
> +         e.g. a SHA id, a tag, branch, ..
> +
> +endif

[...]

Thanks,
-Ryan


-- 
Ryan Barnett / Sr Software Engineer
Airborne Information Systems / Security Systems and Software
MS 131-100, C Ave NE, Cedar Rapids, IA, 52498, USA
ryan.barnett at rockwellcollins.com
www.rockwellcollins.com

[Buildroot] [PATCH v5 07/24] refpolicy: new package

[Samuel Martin]

Hi Clayton,

On Wed, May 13, 2015 at 11:39 PM, Clayton Shotwell
<clayton.shotwell@rockwellcollins.com> wrote:
> From: Clayton Shotwell <clshotwe@rockwellcollins.com>
>
> Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
>
[...]
> --- /dev/null
> +++ b/package/refpolicy/refpolicy.mk
> @@ -0,0 +1,118 @@
> +################################################################################
> +#
> +# refpolicy
> +#
> +################################################################################
> +
> +ifeq ($(BR2_PACKAGE_REFPOLICY_CUSTOM_GIT),y)
> +REFPOLICY_SITE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL))
> +REFPOLICY_VERSION = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION))
> +REFPOLICY_SITE_METHOD = git
> +REFPOLICY_DEPENDENCIES += refpolicy-contrib
> +else
> +REFPOLICY_VERSION = 2.20130424
> +REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2
> +REFPOLICY_SITE = http://oss.tresys.com/files/refpolicy/
> +endif
> +REFPOLICY_LICENSE = GPLv2
> +REFPOLICY_LICENSE_FILES = COPYING
> +
> +# Cannot use multiple threads to build the reference policy
> +REFPOLICY_MAKE = $(TARGET_MAKE_ENV) $(MAKE1)
> +
> +REFPOLICY_DEPENDENCIES += host-m4 host-checkpolicy host-policycoreutils \
> +       host-setools host-gawk host-python policycoreutils
> +
> +REFPOLICY_INSTALL_STAGING = YES
> +
> +REFPOLICY_POLICY_NAME = br_policy
> +
> +# To apply board specific customizations, create a refpolicy folder in
> +# BR2_GLOBAL_PATCH_DIR.  These patches will be applied after the patches
> +# in package/refpolicy
> +
> +# Pointing to the host compiler to build a sort application during the build.
> +# The host compiler tools are not used for any part of the refpolicy build.
> +# Note, the TEST_TOOLCHAIN option will also set the
> +# LD_LIBRARY_PATH at run time.
> +REFPOLICY_MAKE_CMDS = $(HOST_CONFIGURE_OPTS) \
> +       TEST_TOOLCHAIN="$(HOST_DIR)"
> +
> +# Build requies python2 to run
s/requies/requires/

> +REFPOLICY_MAKE_ENV = \
> +       PYTHON="$(HOST_DIR)/usr/bin/python2" \
> +       AWK="$(HOST_DIR)/usr/bin/gawk" \
> +       M4="$(HOST_DIR)/usr/bin/m4"
> +
> +
> +ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)
> +       REFPOLICY_MONOLITHIC = n
> +else
> +       REFPOLICY_MONOLITHIC = y
> +endif
> +
> +ifeq ($(BR2_PACKAGE_REFPOLICY_CUSTOM_GIT),y)
> +define REFPOLICY_GIT_SUBMODULE_SETUP
> +       rsync -ar $(REFPOLICY_CONTRIB_DIR)/* $(@D)/policy/modules/contrib/
> +endef
> +else
> +REFPOLICY_MODULES_FILE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_MODULES_FILE))
> +define REFPOLICY_CUSTOM_MODULES_CONF
> +       cp $(REFPOLICY_MODULES_FILE) $(@D)/policy/modules.conf
> +endef
> +endif
> +
> +define REFPOLICY_CONFIGURE_CMDS
> +       $(REFPOLICY_GIT_SUBMODULE_SETUP)
> +       # If an external repo is used to build refpolicy, this preserves the
> +       # custom modules.conf which defines the enabled components.
> +       if [ -f $(@D)/policy/modules.conf ]; then \
> +               mv $(@D)/policy/modules.conf $(@D)/modules.conf.bk ; \
> +       fi
> +       $(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) bare \
> +               $(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
> +       $(SED) "/TYPE/c\TYPE = $(BR2_PACKAGE_REFPOLICY_TYPE)" $(@D)/build.conf
> +       $(SED) "/MONOLITHIC/c\MONOLITHIC = $(REFPOLICY_MONOLITHIC)" $(@D)/build.conf
> +       $(SED) "/NAME/c\NAME = $(REFPOLICY_POLICY_NAME)" $(@D)/build.conf
> +       $(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) conf \
> +               $(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
> +       if [ -f $(@D)/modules.conf.bk ]; then \
> +               echo "[Preserved modules.conf]" ; \
> +               mv $(@D)/modules.conf.bk $(@D)/policy/modules.conf ; \
> +       fi
> +       $(REFPOLICY_CUSTOM_MODULES_CONF)
> +endef
> +
> +define REFPOLICY_INSTALL_STAGING_CMDS
> +       $(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) install-src install-headers \
> +               $(if $(BR2_HAVE_DOCUMENTATION),install-docs) \
No need for conditional target. BR2_HAVE_DOCUMENTATION is already
deprecated and will be removed sooner or later.
So for staging install, choose either to always or never install the doc.

> +               $(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
> +endef
> +
> +define REFPOLICY_INSTALL_TARGET_CMDS
> +       $(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) install \
> +               $(REFPOLICY_MAKE_CMDS) DESTDIR=$(TARGET_DIR)
> +       $(INSTALL) -m 0755 -D package/refpolicy/config $(TARGET_DIR)/etc/selinux/config
> +       $(SED) "/^SELINUXTYPE/c\SELINUXTYPE=$(REFPOLICY_POLICY_NAME)" \
> +               $(TARGET_DIR)/etc/selinux/config
> +       touch $(TARGET_DIR)/.autorelabel
> +       $(RM) $(TARGET_DIR)/etc/selinux/$(REFPOLICY_POLICY_NAME)/booleans
> +endef
> +
> +define REFPOLICY_INSTALL_INIT_SYSV
> +       $(INSTALL) -m 0755 -D package/refpolicy/S00selinux \
> +               $(TARGET_DIR)/etc/init.d/S00selinux
> +endef
> +
> +define REFPOLICY_POLICY_COMPILE
> +       $(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(REFPOLICY_POLICY_NAME)/policy
> +       $(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(REFPOLICY_POLICY_NAME)/modules/active/modules
> +       $(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(REFPOLICY_POLICY_NAME)/contexts/files
> +       touch $(TARGET_DIR)/etc/selinux/$(REFPOLICY_POLICY_NAME)/contexts/files/file_contexts.local
> +endef
> +
> +ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)
> +       REFPOLICY_POST_INSTALL_TARGET_HOOKS += REFPOLICY_POLICY_COMPILE
> +endif
> +
> +$(eval $(generic-package))
> --
> 1.9.1
>
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

Regards,

-- 
Samuel

[Buildroot] [PATCH v5 07/24] refpolicy: new package

[Clayton Shotwell]

Samuel,

>> +# Pointing to the host compiler to build a sort application during the build.
>> +# The host compiler tools are not used for any part of the refpolicy build.
>> +# Note, the TEST_TOOLCHAIN option will also set the
>> +# LD_LIBRARY_PATH at run time.
>> +REFPOLICY_MAKE_CMDS = $(HOST_CONFIGURE_OPTS) \
>> +       TEST_TOOLCHAIN="$(HOST_DIR)"
>> +
>> +# Build requies python2 to run
> s/requies/requires/

Good catch.

>> +define REFPOLICY_INSTALL_STAGING_CMDS
>> +       $(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) install-src install-headers \
>> +               $(if $(BR2_HAVE_DOCUMENTATION),install-docs) \
> No need for conditional target. BR2_HAVE_DOCUMENTATION is already
> deprecated and will be removed sooner or later.
> So for staging install, choose either to always or never install the doc.

I will change the staging install step to always install the
documentation since it can be handy for policy debugging.


Thanks,
Clayton

[Buildroot] [PATCH v5 08/24] busybox: applets as individual binaries

[Clayton Shotwell]

From: Matt Weber <matthew.weber@rockwellcollins.com>

The individual binaries option of busybox allows for the applets
that would usually be symlinks to be built as individual applications
that link against a shared library.

This feature is needed for SELinux to allow the applications to run
under the correct SELinux context.

The patch being added allows the individual applications to be
installed and will be upstreamed to the busybox developers.

The initial work for this change was done by Thomas Petazzoni
<thomas.petazzoni@free-electrons.com>.

Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
Changes v4 -> v5:
  - Renamed to follow latest patch naming convention (Matt W.)
  - Updated to use BR2_STATIC_LIBS instead of old PREFERRED (Matt W.)
  - Added depends to make sure bfin can't build shared lib
    busybox lib for individual binary use.  Looks like shared
    lib creation doesn't error out but the objects don't get
    placed into the elf.  Then the trylink fails on linking
    the first individual applet. (Matt W.)
  - Made suid permissions setting dynamic for applets actually being
    installed (Clayton S.)

Changes v1 -> v4:
  - Did not exist
---
 ...s-Add-installation-of-individual-binaries.patch | 103 +++++++++++++++++++++
 package/busybox/Config.in                          |   9 ++
 package/busybox/busybox.mk                         |  41 ++++++++
 3 files changed, 153 insertions(+)
 create mode 100644 package/busybox/0002-applets-Add-installation-of-individual-binaries.patch

diff --git a/package/busybox/0002-applets-Add-installation-of-individual-binaries.patch b/package/busybox/0002-applets-Add-installation-of-individual-binaries.patch
new file mode 100644
index 0000000..ae0e654
--- /dev/null
+++ b/package/busybox/0002-applets-Add-installation-of-individual-binaries.patch
@@ -0,0 +1,103 @@
+From 3451b55054a6fe2073a21301938802a27dec835d Mon Sep 17 00:00:00 2001
+From: Clayton Shotwell <clshotwe@rockwellcollins.com>
+Date: Mon, 16 Dec 2013 14:45:33 -0600
+Subject: [PATCH 5/5] applets: Add installation of individual binaries
+
+Adding support to install individual binaries if the option is
+enabled. This also installs the shared libbusybox.so.* library.
+
+Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
+---
+ Makefile.custom    |    4 ++++
+ applets/install.sh |   26 ++++++++++++++++++++++++--
+ 2 files changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile.custom b/Makefile.custom
+index 6da79e6..e4dc4dc 100644
+--- a/Makefile.custom
++++ b/Makefile.custom
+@@ -23,6 +23,10 @@ ifeq ($(CONFIG_INSTALL_SH_APPLET_SCRIPT_WRAPPER),y)
+ INSTALL_OPTS:= --scriptwrapper
+ endif
+ endif
++ifeq ($(CONFIG_FEATURE_INDIVIDUAL),y)
++INSTALL_OPTS:= --binaries
++LIBBUSYBOX_SONAME:= 0_lib/libbusybox.so.$(BB_VER)
++endif
+ install: $(srctree)/applets/install.sh busybox busybox.links
+ 	$(Q)DO_INSTALL_LIBS="$(strip $(LIBBUSYBOX_SONAME) $(DO_INSTALL_LIBS))" \
+ 		$(SHELL) $< $(CONFIG_PREFIX) $(INSTALL_OPTS)
+diff --git a/applets/install.sh b/applets/install.sh
+index 95b4719..d01c98d 100755
+--- a/applets/install.sh
++++ b/applets/install.sh
+@@ -5,19 +5,26 @@ export LC_CTYPE=POSIX
+ 
+ prefix=$1
+ if [ -z "$prefix" ]; then
+-	echo "usage: applets/install.sh DESTINATION [--symlinks/--hardlinks/--scriptwrapper]"
++	echo "usage: applets/install.sh DESTINATION [--symlinks/--hardlinks/--binaries/--scriptwrapper]"
+ 	exit 1
+ fi
+ 
++# Source the configuration
++. ./.config
++
+ h=`sort busybox.links | uniq`
+ 
++sharedlib_dir="0_lib"
++
+ linkopts=""
+ scriptwrapper="n"
++binaries="n"
+ cleanup="0"
+ noclobber="0"
+ case "$2" in
+ 	--hardlinks)     linkopts="-f";;
+ 	--symlinks)      linkopts="-fs";;
++	--binaries)      binaries="y";;
+ 	--scriptwrapper) scriptwrapper="y";swrapall="y";;
+ 	--sw-sh-hard)    scriptwrapper="y";linkopts="-f";;
+ 	--sw-sh-sym)     scriptwrapper="y";linkopts="-fs";;
+@@ -40,8 +47,9 @@ if [ -n "$DO_INSTALL_LIBS" ] && [ "$DO_INSTALL_LIBS" != "n" ]; then
+ 	for i in $DO_INSTALL_LIBS; do
+ 		rm -f "$prefix/$libdir/$i" || exit 1
+ 		if [ -f "$i" ]; then
++			echo "   Installing $i to the target@$prefix/$libdir/"
+ 			cp -pPR "$i" "$prefix/$libdir/" || exit 1
+-			chmod 0644 "$prefix/$libdir/$i" || exit 1
++			chmod 0644 "$prefix/$libdir/`basename $i`" || exit 1
+ 		fi
+ 	done
+ fi
+@@ -68,6 +76,7 @@ install -m 755 busybox "$prefix/bin/busybox" || exit 1
+ 
+ for i in $h; do
+ 	appdir=`dirname "$i"`
++	app=`basename "$i"`
+ 	mkdir -p "$prefix/$appdir" || exit 1
+ 	if [ "$scriptwrapper" = "y" ]; then
+ 		if [ "$swrapall" != "y" ] && [ "$i" = "/bin/sh" ]; then
+@@ -78,6 +87,19 @@ for i in $h; do
+ 			chmod +x "$prefix/$i"
+ 		fi
+ 		echo "	$prefix/$i"
++	elif [ "$binaries" = "y" ]; then
++		# Copy the binary over rather
++		if [ -e $sharedlib_dir/$app ]; then
++			if [ "$noclobber" = "0" ] || [ ! -e "$prefix/$i" ]; then
++				echo "   Copying $sharedlib_dir/$app to $prefix/$i"
++				cp -pPR $sharedlib_dir/$app $prefix/$i || exit 1
++			else
++				echo "  $prefix/$i already exists"
++			fi
++		else
++			echo "Error: Could not find $sharedlib_dir/$app"
++			exit 1
++		fi
+ 	else
+ 		if [ "$2" = "--hardlinks" ]; then
+ 			bb_path="$prefix/bin/busybox"
+-- 
+1.7.1
+
diff --git a/package/busybox/Config.in b/package/busybox/Config.in
index b4f949f..275e317 100644
--- a/package/busybox/Config.in
+++ b/package/busybox/Config.in
@@ -26,6 +26,15 @@ config BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
 	  Show packages in menuconfig that are potentially also provided
 	  by busybox.
 
+config BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES
+	bool "Individual binaries"
+	depends on !BR2_STATIC_LIBS
+	depends on !BR2_bfin # libbusybox.so link issue
+
+comment "Busybox individual binaries depends on dynamic libraries"
+	depends on BR2_STATIC_LIBS
+	depends on BR2_bfin
+
 config BR2_PACKAGE_BUSYBOX_WATCHDOG
 	bool "Install the watchdog daemon startup script"
 	help
diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
index 1ce508a..dbee100 100644
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -49,10 +49,38 @@ BUSYBOX_KCONFIG_FILE = $(BUSYBOX_CONFIG_FILE)
 BUSYBOX_KCONFIG_EDITORS = menuconfig xconfig gconfig
 BUSYBOX_KCONFIG_OPTS = $(BUSYBOX_MAKE_OPTS)
 
+ifeq ($(BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES),y)
+define BUSYBOX_PERMISSIONS
+	/usr/share/udhcpc/default.script f 755  0  0 - - - - -
+endef
+
+# Set permissions on all applets with BB_SUID_REQUIRE and BB_SUID_MAYBE. The
+# permissions are pulled from the applets.h file that is generated during
+# the build and used to determine all of the possible applets. The permissions
+# file is generated and added to the list of device tables used by makedevs to
+# set file permissions.
+define BUSYBOX_MAKEDEV_PERMISSIONS
+	if [ -f $(@D)/.buildroot_permissions ]; then \
+		rm $(@D)/.buildroot_permissions; \
+	fi; \
+	touch $(@D)/.buildroot_permissions; \
+	for app in `grep -r -e "APPLET.*BB_SUID_REQUIRE\|APPLET.*BB_SUID_MAYBE" $(@D)/include/applets.h \
+			| sed -e 's/,.*//' -e 's/.*(//'`; \
+	do \
+		temp=`grep -w $${app} $(@D)/busybox.links`; \
+		if [ -n "$${temp}" ]; then \
+			echo "$${temp} f 4755 0  0 - - - - -" >> $(@D)/.buildroot_permissions; \
+		fi; \
+	done
+endef
+BUSYBOX_POST_INSTALL_TARGET_HOOKS += BUSYBOX_MAKEDEV_PERMISSIONS
+BR2_ROOTFS_DEVICE_TABLE += $(BUSYBOX_DIR)/.buildroot_permissions
+else
 define BUSYBOX_PERMISSIONS
 	/bin/busybox                     f 4755 0  0 - - - - -
 	/usr/share/udhcpc/default.script f 755  0  0 - - - - -
 endef
+endif
 
 # If mdev will be used for device creation enable it and copy S10mdev to /etc/init.d
 ifeq ($(BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_MDEV),y)
@@ -132,6 +160,17 @@ define BUSYBOX_SET_INIT
 endef
 endif
 
+ifeq ($(BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES),y)
+define BUSYBOX_CONFIGURE_INDIVIDUAL_BINARIES
+	$(call KCONFIG_ENABLE_OPT,CONFIG_BUILD_LIBBUSYBOX,$(BUSYBOX_BUILD_CONFIG))
+	$(call KCONFIG_ENABLE_OPT,CONFIG_FEATURE_INDIVIDUAL,$(BUSYBOX_BUILD_CONFIG))
+endef
+
+define BUSYBOX_INSTALL_INDIVIDUAL_BINARIES
+	rm -f $(TARGET_DIR)/bin/busybox
+endef
+endif
+
 define BUSYBOX_INSTALL_LOGGING_SCRIPT
 	if grep -q CONFIG_SYSLOGD=y $(@D)/.config; then \
 		$(INSTALL) -m 0755 -D package/busybox/S01logging \
@@ -167,6 +206,7 @@ define BUSYBOX_KCONFIG_FIXUP_CMDS
 	$(BUSYBOX_INTERNAL_SHADOW_PASSWORDS)
 	$(BUSYBOX_SET_INIT)
 	$(BUSYBOX_SET_WATCHDOG)
+	$(BUSYBOX_CONFIGURE_INDIVIDUAL_BINARIES)
 endef
 
 define BUSYBOX_CONFIGURE_CMDS
@@ -190,6 +230,7 @@ define BUSYBOX_INSTALL_INIT_SYSV
 	$(BUSYBOX_INSTALL_MDEV_SCRIPT)
 	$(BUSYBOX_INSTALL_LOGGING_SCRIPT)
 	$(BUSYBOX_INSTALL_WATCHDOG_SCRIPT)
+	$(BUSYBOX_INSTALL_INDIVIDUAL_BINARIES)
 endef
 
 $(eval $(kconfig-package))
-- 
1.9.1

[Buildroot] [PATCH v5 09/24] busybox: selinux support

[Clayton Shotwell]

From: Matt Weber <matthew.weber@rockwellcollins.com>

Add a configure option to enable the SELinux support in the
busybox configuration from the Buildroot menuconfig.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>

---
Changes v4 -> v5:
  - Renamed to follow patch naming convention (Matt W.)
  - Added a dependency on having threads for the busybox SELinux flag to
    ensure it does not cause libselinux to build when threads are not
    available. Also added a select for libselinux to make the linking
    apparent. (Clayton S.)
 - Add dependency on not static libs for libselinux (Clayton S.)

Changes v1 -> v4:
  - Did not exist
---
 ...ags-strip-non-l-arguments-returned-by-pkg.patch | 28 ++++++++++++++++++++++
 package/busybox/Config.in                          |  6 +++++
 package/busybox/busybox.mk                         |  9 +++++++
 3 files changed, 43 insertions(+)
 create mode 100644 package/busybox/0008-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch

diff --git a/package/busybox/0008-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch b/package/busybox/0008-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch
new file mode 100644
index 0000000..105626c
--- /dev/null
+++ b/package/busybox/0008-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch
@@ -0,0 +1,28 @@
+From 67eb23d2be8aba3c474dac81a15b0fa11e5847b7 Mon Sep 17 00:00:00 2001
+From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+Date: Mon, 25 Nov 2013 22:51:53 +0100
+Subject: [PATCH] Makefile.flags: strip non -l arguments returned by pkg-config
+
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+---
+ Makefile.flags | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Makefile.flags b/Makefile.flags
+index 307afa7..885e323 100644
+--- a/Makefile.flags
++++ b/Makefile.flags
+@@ -141,7 +141,9 @@ ifeq ($(CONFIG_SELINUX),y)
+ SELINUX_PC_MODULES = libselinux libsepol
+ $(eval $(call pkg_check_modules,SELINUX,$(SELINUX_PC_MODULES)))
+ CPPFLAGS += $(SELINUX_CFLAGS)
+-LDLIBS += $(if $(SELINUX_LIBS),$(SELINUX_LIBS:-l%=%),$(SELINUX_PC_MODULES:lib%=%))
++LDLIBS += $(if $(SELINUX_LIBS),\
++       $(patsubst -l%,%,$(filter -l%,$(SELINUX_LIBS))),\
++       $(SELINUX_PC_MODULES:lib%=%))
+ endif
+ 
+ ifeq ($(CONFIG_EFENCE),y)
+-- 
+1.8.1.2
+
diff --git a/package/busybox/Config.in b/package/busybox/Config.in
index 275e317..a60c54b 100644
--- a/package/busybox/Config.in
+++ b/package/busybox/Config.in
@@ -35,6 +35,12 @@ comment "Busybox individual binaries depends on dynamic libraries"
 	depends on BR2_STATIC_LIBS
 	depends on BR2_bfin
 
+config BR2_PACKAGE_BUSYBOX_SELINUX
+	select BR2_PACKAGE_LIBSELINUX
+	depends on BR2_TOOLCHAIN_HAS_THREADS
+	depends on !BR2_STATIC_LIBS
+	bool "Enable SELinux support"
+
 config BR2_PACKAGE_BUSYBOX_WATCHDOG
 	bool "Install the watchdog daemon startup script"
 	help
diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
index dbee100..f60e3f2 100644
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -171,6 +171,14 @@ define BUSYBOX_INSTALL_INDIVIDUAL_BINARIES
 endef
 endif
 
+ifeq ($(BR2_PACKAGE_BUSYBOX_SELINUX),y)
+BUSYBOX_DEPENDENCIES += host-pkgconf libselinux libsepol
+define BUSYBOX_SET_SELINUX
+	$(call KCONFIG_ENABLE_OPT,CONFIG_SELINUX,$(BUSYBOX_BUILD_CONFIG))
+	$(call KCONFIG_ENABLE_OPT,CONFIG_SELINUXENABLED,$(BUSYBOX_BUILD_CONFIG))
+endef
+endif
+
 define BUSYBOX_INSTALL_LOGGING_SCRIPT
 	if grep -q CONFIG_SYSLOGD=y $(@D)/.config; then \
 		$(INSTALL) -m 0755 -D package/busybox/S01logging \
@@ -207,6 +215,7 @@ define BUSYBOX_KCONFIG_FIXUP_CMDS
 	$(BUSYBOX_SET_INIT)
 	$(BUSYBOX_SET_WATCHDOG)
 	$(BUSYBOX_CONFIGURE_INDIVIDUAL_BINARIES)
+	$(BUSYBOX_SET_SELINUX)
 endef
 
 define BUSYBOX_CONFIGURE_CMDS
-- 
1.9.1

[Buildroot] [PATCH v5 09/24] busybox: selinux support

[Samuel Martin]

Hi Clayton,

On Wed, May 13, 2015 at 11:39 PM, Clayton Shotwell
<clayton.shotwell@rockwellcollins.com> wrote:
> From: Matt Weber <matthew.weber@rockwellcollins.com>
>
> Add a configure option to enable the SELinux support in the
> busybox configuration from the Buildroot menuconfig.
>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
> Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
>
[...]
> diff --git a/package/busybox/Config.in b/package/busybox/Config.in
> index 275e317..a60c54b 100644
> --- a/package/busybox/Config.in
> +++ b/package/busybox/Config.in
> @@ -35,6 +35,12 @@ comment "Busybox individual binaries depends on dynamic libraries"
>         depends on BR2_STATIC_LIBS
>         depends on BR2_bfin
>
> +config BR2_PACKAGE_BUSYBOX_SELINUX
> +       select BR2_PACKAGE_LIBSELINUX
> +       depends on BR2_TOOLCHAIN_HAS_THREADS
> +       depends on !BR2_STATIC_LIBS
> +       bool "Enable SELinux support"
Does not this option also need to select
BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES?

> +
>  config BR2_PACKAGE_BUSYBOX_WATCHDOG
>         bool "Install the watchdog daemon startup script"
>         help
> diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
> index dbee100..f60e3f2 100644
> --- a/package/busybox/busybox.mk
> +++ b/package/busybox/busybox.mk
> @@ -171,6 +171,14 @@ define BUSYBOX_INSTALL_INDIVIDUAL_BINARIES
>  endef
>  endif
>
> +ifeq ($(BR2_PACKAGE_BUSYBOX_SELINUX),y)
> +BUSYBOX_DEPENDENCIES += host-pkgconf libselinux libsepol
> +define BUSYBOX_SET_SELINUX
> +       $(call KCONFIG_ENABLE_OPT,CONFIG_SELINUX,$(BUSYBOX_BUILD_CONFIG))
> +       $(call KCONFIG_ENABLE_OPT,CONFIG_SELINUXENABLED,$(BUSYBOX_BUILD_CONFIG))
> +endef
> +endif
> +
>  define BUSYBOX_INSTALL_LOGGING_SCRIPT
>         if grep -q CONFIG_SYSLOGD=y $(@D)/.config; then \
>                 $(INSTALL) -m 0755 -D package/busybox/S01logging \
> @@ -207,6 +215,7 @@ define BUSYBOX_KCONFIG_FIXUP_CMDS
>         $(BUSYBOX_SET_INIT)
>         $(BUSYBOX_SET_WATCHDOG)
>         $(BUSYBOX_CONFIGURE_INDIVIDUAL_BINARIES)
> +       $(BUSYBOX_SET_SELINUX)
>  endef
>
>  define BUSYBOX_CONFIGURE_CMDS
> --
> 1.9.1
>
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

Regards,

-- 
Samuel

[Buildroot] [PATCH v5 09/24] busybox: selinux support

[Clayton Shotwell]

Samuel,

On Fri, May 15, 2015 at 1:22 AM, Samuel Martin <s.martin49@gmail.com> wrote:
> Hi Clayton,
>
> On Wed, May 13, 2015 at 11:39 PM, Clayton Shotwell
> <clayton.shotwell@rockwellcollins.com> wrote:
>> From: Matt Weber <matthew.weber@rockwellcollins.com>
>>
>> Add a configure option to enable the SELinux support in the
>> busybox configuration from the Buildroot menuconfig.
>>
>> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
>> Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
>>
> [...]
>> diff --git a/package/busybox/Config.in b/package/busybox/Config.in
>> index 275e317..a60c54b 100644
>> --- a/package/busybox/Config.in
>> +++ b/package/busybox/Config.in
>> @@ -35,6 +35,12 @@ comment "Busybox individual binaries depends on dynamic libraries"
>>         depends on BR2_STATIC_LIBS
>>         depends on BR2_bfin
>>
>> +config BR2_PACKAGE_BUSYBOX_SELINUX
>> +       select BR2_PACKAGE_LIBSELINUX
>> +       depends on BR2_TOOLCHAIN_HAS_THREADS
>> +       depends on !BR2_STATIC_LIBS
>> +       bool "Enable SELinux support"
> Does not this option also need to select
> BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES?

Those features are not necessarily dependent, it mostly depends on
what parts of busybox are being used. For instance, if a configuration
only used a couple of minor busybox features, such as simple command
line utilities, the symlinked version of busybox could be used to save
space. If busybox was providing more features, such as crond, then
individual binaries would have to be enabled for the SELinux type
transitions to occur properly. I would like to leave that up to the
individual user to enable the individual binaries as needed.

Thanks,
Clayton

[Buildroot] [PATCH v5 09/24] busybox: selinux support

[Thomas Petazzoni]

Dear Clayton Shotwell,

On Mon, 18 May 2015 09:14:54 -0500, Clayton Shotwell wrote:

> >> +config BR2_PACKAGE_BUSYBOX_SELINUX
> >> +       select BR2_PACKAGE_LIBSELINUX
> >> +       depends on BR2_TOOLCHAIN_HAS_THREADS
> >> +       depends on !BR2_STATIC_LIBS
> >> +       bool "Enable SELinux support"
> > Does not this option also need to select
> > BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES?
> 
> Those features are not necessarily dependent, it mostly depends on
> what parts of busybox are being used. For instance, if a configuration
> only used a couple of minor busybox features, such as simple command
> line utilities, the symlinked version of busybox could be used to save
> space. If busybox was providing more features, such as crond, then
> individual binaries would have to be enabled for the SELinux type
> transitions to occur properly. I would like to leave that up to the
> individual user to enable the individual binaries as needed.

Then exactly this needs to be copy/pasted in the help text of this
option :-)

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com

[Buildroot] [PATCH v5 09/24] busybox: selinux support

[Clayton Shotwell]

Thomas,

On Mon, May 18, 2015 at 9:30 AM, Thomas Petazzoni
<thomas.petazzoni@free-electrons.com> wrote:
> Dear Clayton Shotwell,
>
> On Mon, 18 May 2015 09:14:54 -0500, Clayton Shotwell wrote:
>
>> >> +config BR2_PACKAGE_BUSYBOX_SELINUX
>> >> +       select BR2_PACKAGE_LIBSELINUX
>> >> +       depends on BR2_TOOLCHAIN_HAS_THREADS
>> >> +       depends on !BR2_STATIC_LIBS
>> >> +       bool "Enable SELinux support"
>> > Does not this option also need to select
>> > BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES?
>>
>> Those features are not necessarily dependent, it mostly depends on
>> what parts of busybox are being used. For instance, if a configuration
>> only used a couple of minor busybox features, such as simple command
>> line utilities, the symlinked version of busybox could be used to save
>> space. If busybox was providing more features, such as crond, then
>> individual binaries would have to be enabled for the SELinux type
>> transitions to occur properly. I would like to leave that up to the
>> individual user to enable the individual binaries as needed.
>
> Then exactly this needs to be copy/pasted in the help text of this
> option :-)

Good point. I'll add that in there.

Thanks,
Clayton

[Buildroot] [PATCH v5 10/24] linux-pam: selinux support

[Clayton Shotwell]

From: Matt Weber <matthew.weber@rockwellcollins.com>

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>

---
Changes v4 -> v5:
  - Dropping unneeded patch (Clayton S.)

Changes v1 -> v4:
  - Did not exist
---
 package/linux-pam/linux-pam.mk     | 58 +++++++++++++++++++++++++++++++++++++-
 package/linux-pam/system-auth.pamd | 15 ++++++++++
 2 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 package/linux-pam/system-auth.pamd

diff --git a/package/linux-pam/linux-pam.mk b/package/linux-pam/linux-pam.mk
index 26b627e..8a28f78 100644
--- a/package/linux-pam/linux-pam.mk
+++ b/package/linux-pam/linux-pam.mk
@@ -8,6 +8,9 @@ LINUX_PAM_VERSION = 1.1.8
 LINUX_PAM_SOURCE = Linux-PAM-$(LINUX_PAM_VERSION).tar.bz2
 LINUX_PAM_SITE = http://linux-pam.org/library
 LINUX_PAM_INSTALL_STAGING = YES
+
+# lckpwdf is included with shadow
+# cracklib and libdb are not currently present in buildroot
 LINUX_PAM_CONF_OPTS = \
 	--disable-prelude \
 	--disable-isadir \
@@ -15,8 +18,10 @@ LINUX_PAM_CONF_OPTS = \
 	--disable-db \
 	--disable-regenerate-docu \
 	--enable-securedir=/lib/security \
+	--disable-cracklib \
 	--libdir=/lib
-LINUX_PAM_DEPENDENCIES = flex host-flex host-pkgconf
+
+LINUX_PAM_DEPENDENCIES = flex host-flex host-pkgconf host-linux-pam
 LINUX_PAM_AUTORECONF = YES
 LINUX_PAM_LICENSE = BSD-3c
 LINUX_PAM_LICENSE_FILES = Copyright
@@ -26,12 +31,63 @@ LINUX_PAM_DEPENDENCIES += gettext
 LINUX_PAM_MAKE_OPTS += LIBS=-lintl
 endif
 
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+	LINUX_PAM_CONF_OPTS += --enable-selinux
+	LINUX_PAM_DEPENDENCIES += libselinux
+else
+	LINUX_PAM_CONF_OPTS += --disable-selinux
+endif
+
+ifeq ($(BR2_PACKAGE_AUDIT),y)
+	LINUX_PAM_CONF_OPTS += --enable-audit
+	LINUX_PAM_DEPENDENCIES += audit
+else
+	LINUX_PAM_CONF_OPTS += --disable-audit
+endif
+
 # Install default pam config (deny everything)
 define LINUX_PAM_INSTALL_CONFIG
 	$(INSTALL) -m 0644 -D package/linux-pam/other.pam \
 		$(TARGET_DIR)/etc/pam.d/other
 endef
 
+# Use the host-pam pam_conv1 app to create the pam.d files
+define LINUX_PAM_CONFIG_FILE_TARGET_INSTALL
+	( \
+		if [ -d $(TARGET_DIR)/etc/pam.d/ ]; then \
+			mv $(TARGET_DIR)/etc/pam.d/ $(TARGET_DIR)/etc/pam.d.orig/; \
+		fi; \
+		cd $(TARGET_DIR)/etc/ && \
+		cat $(@D)/conf/pam.conf | $(HOST_DIR)/usr/bin/pam_conv1; \
+		if [ -d pam.d.orig ]; then \
+			cp -a pam.d/* pam.d.orig/; \
+			rm -rf pam.d/; \
+			mv pam.d.orig/ pam.d/; \
+		fi; \
+	)
+	$(INSTALL) -D -m 0644 package/linux-pam/system-auth.pamd $(TARGET_DIR)/etc/pam.d/system-auth
+endef
+
+LINUX_PAM_POST_INSTALL_TARGET_HOOKS += LINUX_PAM_CONFIG_FILE_TARGET_INSTALL
 LINUX_PAM_POST_INSTALL_TARGET_HOOKS += LINUX_PAM_INSTALL_CONFIG
 
+HOST_LINUX_PAM_DEPENDENCIES = host-autoconf host-flex
+
+HOST_LINUX_PAM_CONF_OPTS = --disable-rpath \
+               --enable-read-both-confs \
+               --disable-regenerate-docu \
+               --disable-isadir \
+               --disable-nis \
+               --enable-securedir=/lib/security \
+               --disable-prelude \
+               --disable-cracklib \
+               --disable-lckpwdf \
+               --enable-db=no \
+               --disable-selinux \
+               --disable-audit \
+
+define HOST_LINUX_PAM_INSTALL_CMDS
+	$(INSTALL) -m 755 $(@D)/conf/pam_conv1/pam_conv1 $(HOST_DIR)/usr/bin/
+endef
 $(eval $(autotools-package))
+$(eval $(host-autotools-package))
diff --git a/package/linux-pam/system-auth.pamd b/package/linux-pam/system-auth.pamd
new file mode 100644
index 0000000..2fa116a
--- /dev/null
+++ b/package/linux-pam/system-auth.pamd
@@ -0,0 +1,15 @@
+#%PAM-1.0
+auth        required      pam_env.so
+auth        sufficient    pam_unix.so
+auth        required      pam_deny.so
+
+account     required      pam_unix.so
+
+#password    required      pam_cracklib.so try_first_pass retry=3
+password    sufficient    pam_unix.so md5 shadow try_first_pass
+password    required      pam_deny.so
+
+session     optional      pam_keyinit.so revoke
+session     required      pam_limits.so
+session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session     required      pam_unix.so
-- 
1.9.1

[Buildroot] [PATCH v5 11/24] busybox: added linux-pam support

[Clayton Shotwell]

From: Matt Weber <Matthew.Weber@rockwellcollins.com>

Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>

---
Changes v4 -> v5:
  - No changes

Changes v1 -> v4:
  - Did not exist
---
 package/busybox/busybox.mk | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
index f60e3f2..4ef099a 100644
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -171,6 +171,13 @@ define BUSYBOX_INSTALL_INDIVIDUAL_BINARIES
 endef
 endif
 
+ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
+define BUSYBOX_LINUX_PAM
+	$(call KCONFIG_ENABLE_OPT,CONFIG_PAM,$(BUSYBOX_BUILD_CONFIG))
+endef
+BUSYBOX_DEPENDENCIES += linux-pam
+endif
+
 ifeq ($(BR2_PACKAGE_BUSYBOX_SELINUX),y)
 BUSYBOX_DEPENDENCIES += host-pkgconf libselinux libsepol
 define BUSYBOX_SET_SELINUX
@@ -211,6 +218,7 @@ define BUSYBOX_KCONFIG_FIXUP_CMDS
 	$(BUSYBOX_PREFER_STATIC)
 	$(BUSYBOX_SET_MDEV)
 	$(BUSYBOX_SET_CRYPT_SHA)
+	$(BUSYBOX_LINUX_PAM)
 	$(BUSYBOX_INTERNAL_SHADOW_PASSWORDS)
 	$(BUSYBOX_SET_INIT)
 	$(BUSYBOX_SET_WATCHDOG)
-- 
1.9.1

[Buildroot] [PATCH v5 12/24] sysvinit: added libselinux dependency

[Clayton Shotwell]

From: Matt Weber <matthew.weber@rockwellcollins.com>

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>

---
Changes v4 -> v5:
  - Removed unnecessary += when adding buysbox dependency (Ryan B.)
  - Removed duplicate assignment of OPTS (Matt W.)
  - Added description to patch and signed off line (Clayton S.)

Changes v1 -> v4:
  - Did not exist
---
 ...1-Fix-SELinux-compile-flags-and-libraries.patch | 44 ++++++++++++++++++++++
 package/sysvinit/sysvinit.mk                       |  5 +++
 2 files changed, 49 insertions(+)
 create mode 100644 package/sysvinit/0001-Fix-SELinux-compile-flags-and-libraries.patch

diff --git a/package/sysvinit/0001-Fix-SELinux-compile-flags-and-libraries.patch b/package/sysvinit/0001-Fix-SELinux-compile-flags-and-libraries.patch
new file mode 100644
index 0000000..f857e07
--- /dev/null
+++ b/package/sysvinit/0001-Fix-SELinux-compile-flags-and-libraries.patch
@@ -0,0 +1,44 @@
+From e7dc523c1850534d98ab90dd02e07ee214e21f24 Mon Sep 17 00:00:00 2001
+From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+Date: Fri, 1 May 2015 10:58:47 -0500
+Subject: [PATCH] Fix SELinux compile flags and libraries
+
+The SELinux flags, added as CPPFLAGS, end up getting dropped by the
+Makefile. Also ensuring sulogin is linked against libsepol which is
+required.
+
+Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+---
+ src/Makefile | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/Makefile b/src/Makefile
+index e2b8028..bf1ae81 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -104,7 +104,7 @@ utmpdump:	utmpdump.o
+ 
+ runlevel:	runlevel.o
+ 
+-sulogin:	LDLIBS += $(SULOGINLIBS) $(STATIC)
++sulogin:	LDLIBS += $(SULOGINLIBS) $(INITLIBS) $(STATIC)
+ sulogin:	sulogin.o
+ 
+ wall:		dowall.o wall.o
+@@ -114,10 +114,10 @@ shutdown:	dowall.o shutdown.o utmp.o reboot.h
+ bootlogd:	LDLIBS += -lutil
+ bootlogd:	bootlogd.o
+ 
+-sulogin.o:	CPPFLAGS += $(SELINUX_DEF)
+-sulogin.o:	sulogin.c 
++sulogin.o:	CFLAGS += $(SELINUX_DEF)
++sulogin.o:	sulogin.c
+ 
+-init.o:		CPPFLAGS += $(SELINUX_DEF)
++init.o:		CFLAGS += $(SELINUX_DEF)
+ init.o:		init.c init.h set.h reboot.h initreq.h
+ 
+ utmp.o:		utmp.c init.h
+-- 
+1.9.1
+
diff --git a/package/sysvinit/sysvinit.mk b/package/sysvinit/sysvinit.mk
index 53640a4..9669a29 100644
--- a/package/sysvinit/sysvinit.mk
+++ b/package/sysvinit/sysvinit.mk
@@ -16,6 +16,11 @@ ifeq ($(BR2_PACKAGE_BUSYBOX),y)
 SYSVINIT_DEPENDENCIES = busybox
 endif
 
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+SYSVINIT_DEPENDENCIES += libselinux
+TARGET_CONFIGURE_OPTS += WITH_SELINUX="yes" ROOT="$(TARGET_DIR)"
+endif
+
 define SYSVINIT_DEBIAN_PATCHES
 	if [ -d $(@D)/debian/patches ]; then \
 		$(APPLY_PATCHES) $(@D) $(@D)/debian/patches \*.patch; \
-- 
1.9.1

[Buildroot] [PATCH v5 13/24] dbus: selinux file context support

[Clayton Shotwell]

From: Matt Weber <matthew.weber@rockwellcollins.com>

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>

---
Changes v4 -> v5
  - No changes

Changes v1 -> v4:
  - Did not exist
---
 package/dbus/S30dbus |  4 ++++
 package/dbus/dbus.mk | 14 ++++++++++++++
 2 files changed, 18 insertions(+)
 mode change 100755 => 100644 package/dbus/S30dbus

diff --git a/package/dbus/S30dbus b/package/dbus/S30dbus
old mode 100755
new mode 100644
index 0d15c73..be51807
--- a/package/dbus/S30dbus
+++ b/package/dbus/S30dbus
@@ -17,6 +17,10 @@
 [ -d /var/run/dbus ] || mkdir -p /var/run/dbus
 [ -d /var/lock/subsys ] || mkdir -p /var/lock/subsys
 [ -d /tmp/dbus ] || mkdir -p /tmp/dbus
+[ -d /var/lib/dbus ] || mkdir -p /var/lib/dbus
+if [ -e /sbin/restorecon ]; then
+   restorecon -R /var/run/dbus /var/lock/subsys /tmp/dbus /var/lib/dbus
+fi
 
 RETVAL=0
 
diff --git a/package/dbus/dbus.mk b/package/dbus/dbus.mk
index c810800..a5ec807 100644
--- a/package/dbus/dbus.mk
+++ b/package/dbus/dbus.mk
@@ -44,6 +44,20 @@ ifeq ($(BR2_microblaze),y)
 DBUS_CONF_OPTS += --disable-inotify
 endif
 
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+DBUS_CONF_OPTS += --enable-selinux
+DBUS_DEPENDENCIES += libselinux
+else
+DBUS_CONF_OPTS += --disable-selinux
+endif
+
+ifeq ($(BR2_PACKAGE_AUDIT),y)
+DBUS_CONF_OPTS += --enable-libaudit
+DBUS_DEPENDENCIES += audit libcap-ng
+else
+DBUS_CONF_OPTS += --disable-libaudit
+endif
+
 ifeq ($(BR2_PACKAGE_XLIB_LIBX11),y)
 DBUS_CONF_OPTS += --with-x
 DBUS_DEPENDENCIES += xlib_libX11
-- 
1.9.1

[Buildroot] [PATCH v5 14/24] openssh: selinux and pam support

[Clayton Shotwell]

From: Matt Weber <matthew.weber@rockwellcollins.com>

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>

---
Changes v4 -> v5:
  - New patch
  - Added without assignments (Matt W.)
  - Moved install pam define in conditional (Matt W.)
---
 package/openssh/openssh.mk | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
index 24af079..00cdf6c 100644
--- a/package/openssh/openssh.mk
+++ b/package/openssh/openssh.mk
@@ -30,8 +30,24 @@ endif
 OPENSSH_DEPENDENCIES = zlib openssl
 
 ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
+define OPENSSH_INSTALL_PAM_CONF
+	$(INSTALL) -D -m 644 $(@D)/contrib/sshd.pam.generic $(TARGET_DIR)/etc/pam.d/sshd
+	sed -i '/password   required     \/lib\/security\/pam_cracklib.so/d' $(TARGET_DIR)/etc/pam.d/sshd
+	sed -i -e 's/\#UsePAM no/UsePAM yes/' $(TARGET_DIR)/etc/ssh/sshd_config
+endef
+
 OPENSSH_DEPENDENCIES += linux-pam
 OPENSSH_CONF_OPTS += --with-pam
+OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_PAM_CONF
+else
+OPENSSH_CONF_OPTS += --without-pam
+endif
+
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+OPENSSH_DEPENDENCIES += libselinux
+OPENSSH_CONF_OPTS += --with-selinux
+else
+OPENSSH_CONF_OPTS += --without-selinux
 endif
 
 define OPENSSH_INSTALL_INIT_SYSTEMD
-- 
1.9.1

[Buildroot] [PATCH v5 15/24] util-linux: selinux, audit, and pam support

[Clayton Shotwell]

From: Matt Weber <matthew.weber@rockwellcollins.com>

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>

---
Changes v4 -> v5:
  - New patch
  - Added pam file tweaks for selinux support (Clayton S.)
---
 package/util-linux/util-linux.mk | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/package/util-linux/util-linux.mk b/package/util-linux/util-linux.mk
index 3ca147a..259334f 100644
--- a/package/util-linux/util-linux.mk
+++ b/package/util-linux/util-linux.mk
@@ -59,6 +59,20 @@ ifeq ($(BR2_PACKAGE_LIBCAP_NG),y)
 UTIL_LINUX_DEPENDENCIES += libcap-ng
 endif
 
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+UTIL_LINUX_DEPENDENCIES += libselinux
+UTIL_LINUX_CONF_OPTS += --with-selinux
+else
+UTIL_LINUX_CONF_OPTS += --without-selinux
+endif
+
+ifeq ($(BR2_PACKAGE_AUDIT),y)
+UTIL_LINUX_DEPENDENCIES += audit
+UTIL_LINUX_CONF_OPTS += --with-audit
+else
+UTIL_LINUX_CONF_OPTS += --without-audit
+endif
+
 # Used by cramfs utils
 UTIL_LINUX_DEPENDENCIES += $(if $(BR2_PACKAGE_ZLIB),zlib)
 
@@ -146,9 +160,22 @@ define UTIL_LINUX_INSTALL_PAMFILES
 	$(INSTALL) -m 0644 package/util-linux/su.pam \
 		$(TARGET_DIR)/etc/pam.d/su-l
 endef
+
+# Add the required hooks to the pam files if SELinux is enabled
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+define UTIL_LINUX_FIXUP_PAMFILES
+	for file in login su su-l ; do \
+		$(SED) '/selinux/d' $(TARGET_DIR)/etc/pam.d/$${file}; \
+		$(SED) '0,/session/s/session/session		required	pam_selinux.so close\nsession/' $(TARGET_DIR)/etc/pam.d/$${file}; \
+		echo "session		required	pam_selinux.so open" >> $(TARGET_DIR)/etc/pam.d/$${file}; \
+	done
+endef
+endif
+
 endif
 
 UTIL_LINUX_POST_INSTALL_TARGET_HOOKS += UTIL_LINUX_INSTALL_PAMFILES
+UTIL_LINUX_POST_INSTALL_TARGET_HOOKS += UTIL_LINUX_FIXUP_PAMFILES
 
 # Install agetty->getty symlink to avoid breakage when there's no busybox
 ifeq ($(BR2_PACKAGE_UTIL_LINUX_AGETTY),y)
-- 
1.9.1

[Buildroot] [PATCH v5 16/24] vim: selinux support

[Clayton Shotwell]

From: Matt Weber <matthew.weber@rockwellcollins.com>

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
Changes v4 -> v5:
  - New patch
---
 package/vim/vim.mk | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/package/vim/vim.mk b/package/vim/vim.mk
index da84d14..518afaf 100644
--- a/package/vim/vim.mk
+++ b/package/vim/vim.mk
@@ -28,6 +28,13 @@ VIM_CONF_OPTS = --with-tlib=ncurses --enable-gui=no --without-x
 VIM_LICENSE = Charityware
 VIM_LICENSE_FILES = README.txt
 
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+VIM_CONF_OPTS += --enable-selinux
+VIM_DEPENDENCIES += libselinux
+else
+VIM_CONF_OPTS += --disable-selinux
+endif
+
 define VIM_INSTALL_TARGET_CMDS
 	cd $(@D)/src; \
 		$(MAKE) DESTDIR=$(TARGET_DIR) installvimbin; \
-- 
1.9.1

[Buildroot] [PATCH v5 17/24] rsyslog: fix config file comment style

[Clayton Shotwell]

From: Matt Weber <matthew.weber@rockwellcollins.com>

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
 package/rsyslog/rsyslog.mk | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/package/rsyslog/rsyslog.mk b/package/rsyslog/rsyslog.mk
index 99e6eba..2254b60 100644
--- a/package/rsyslog/rsyslog.mk
+++ b/package/rsyslog/rsyslog.mk
@@ -75,6 +75,10 @@ endef
 define RSYSLOG_INSTALL_CONF
 	$(INSTALL) -m 0644 -D $(@D)/platform/redhat/rsyslog.conf \
 		$(TARGET_DIR)/etc/rsyslog.conf
+	# Fix invalid config file comment style
+	$(SED) 's~\/\* ~#  ~g' $(TARGET_DIR)/etc/rsyslog.conf
+	$(SED) 's~ \*\/~# ~g' $(TARGET_DIR)/etc/rsyslog.conf
+	$(SED) 's~ \*~# ~g' $(TARGET_DIR)/etc/rsyslog.conf
 	mkdir -p $(TARGET_DIR)/etc/rsyslog.d
 endef
 
-- 
1.9.1

[Buildroot] [PATCH v5 18/24] qemu x86 selinux: added common selinux support files

[Clayton Shotwell]

From: Matt Weber <matthew.weber@rockwellcollins.com>

Add a default busybox SELinux config which disables init and uses
sysvinit. Add base skeleton with inittab and fstab tailored to selinux
Add base skeleton audit configuration (didn't seem to merit being
the package default).

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>

---
Changes v4 -> v5:
 - Update the selinux busybox config to the latest version of busybox
    (Clayton S.)

Changes v1 -> v4:
  - Did not exist
---
 board/common_selinux/busybox-selinux.config        | 1058 ++++++++++++++++++++
 board/common_selinux/post_build.sh                 |   30 +
 .../common_selinux/skeleton/etc/audit/auditd.conf  |   32 +
 .../skeleton/etc/audit/rules.d/audit.rules         |    3 +
 board/common_selinux/skeleton/etc/fstab            |   15 +
 board/common_selinux/skeleton/etc/inittab          |   29 +
 board/common_selinux/skeleton_permissions.txt      |   26 +
 7 files changed, 1193 insertions(+)
 create mode 100644 board/common_selinux/busybox-selinux.config
 create mode 100755 board/common_selinux/post_build.sh
 create mode 100644 board/common_selinux/skeleton/etc/audit/auditd.conf
 create mode 100644 board/common_selinux/skeleton/etc/audit/rules.d/audit.rules
 create mode 100755 board/common_selinux/skeleton/etc/fstab
 create mode 100755 board/common_selinux/skeleton/etc/inittab
 create mode 100755 board/common_selinux/skeleton_permissions.txt

diff --git a/board/common_selinux/busybox-selinux.config b/board/common_selinux/busybox-selinux.config
new file mode 100644
index 0000000..2e86c22
--- /dev/null
+++ b/board/common_selinux/busybox-selinux.config
@@ -0,0 +1,1058 @@
+#
+# Automatically generated make config: don't edit
+# Busybox version: 1.23.2
+# Wed May  6 10:14:52 2015
+#
+CONFIG_HAVE_DOT_CONFIG=y
+
+#
+# Busybox Settings
+#
+
+#
+# General Configuration
+#
+CONFIG_DESKTOP=y
+# CONFIG_EXTRA_COMPAT is not set
+CONFIG_INCLUDE_SUSv2=y
+# CONFIG_USE_PORTABLE_CODE is not set
+CONFIG_PLATFORM_LINUX=y
+CONFIG_FEATURE_BUFFERS_USE_MALLOC=y
+# CONFIG_FEATURE_BUFFERS_GO_ON_STACK is not set
+# CONFIG_FEATURE_BUFFERS_GO_IN_BSS is not set
+CONFIG_SHOW_USAGE=y
+CONFIG_FEATURE_VERBOSE_USAGE=y
+# CONFIG_FEATURE_COMPRESS_USAGE is not set
+CONFIG_FEATURE_INSTALLER=y
+# CONFIG_INSTALL_NO_USR is not set
+# CONFIG_LOCALE_SUPPORT is not set
+# CONFIG_UNICODE_SUPPORT is not set
+# CONFIG_UNICODE_USING_LOCALE is not set
+# CONFIG_FEATURE_CHECK_UNICODE_IN_ENV is not set
+CONFIG_SUBST_WCHAR=0
+CONFIG_LAST_SUPPORTED_WCHAR=0
+# CONFIG_UNICODE_COMBINING_WCHARS is not set
+# CONFIG_UNICODE_WIDE_WCHARS is not set
+# CONFIG_UNICODE_BIDI_SUPPORT is not set
+# CONFIG_UNICODE_NEUTRAL_TABLE is not set
+# CONFIG_UNICODE_PRESERVE_BROKEN is not set
+CONFIG_PAM=y
+CONFIG_FEATURE_USE_SENDFILE=y
+CONFIG_LONG_OPTS=y
+CONFIG_FEATURE_DEVPTS=y
+CONFIG_FEATURE_CLEAN_UP=y
+CONFIG_FEATURE_UTMP=y
+CONFIG_FEATURE_WTMP=y
+# CONFIG_FEATURE_PIDFILE is not set
+CONFIG_PID_FILE_PATH=""
+CONFIG_FEATURE_SUID=y
+# CONFIG_FEATURE_SUID_CONFIG is not set
+# CONFIG_FEATURE_SUID_CONFIG_QUIET is not set
+CONFIG_SELINUX=y
+# CONFIG_FEATURE_PREFER_APPLETS is not set
+CONFIG_BUSYBOX_EXEC_PATH="/proc/self/exe"
+CONFIG_FEATURE_SYSLOG=y
+CONFIG_FEATURE_HAVE_RPC=y
+
+#
+# Build Options
+#
+# CONFIG_STATIC is not set
+# CONFIG_PIE is not set
+# CONFIG_NOMMU is not set
+CONFIG_BUILD_LIBBUSYBOX=y
+CONFIG_FEATURE_INDIVIDUAL=y
+# CONFIG_FEATURE_SHARED_BUSYBOX is not set
+CONFIG_LFS=y
+CONFIG_CROSS_COMPILER_PREFIX=""
+CONFIG_SYSROOT=""
+CONFIG_EXTRA_CFLAGS=""
+CONFIG_EXTRA_LDFLAGS=""
+CONFIG_EXTRA_LDLIBS=""
+
+#
+# Debugging Options
+#
+# CONFIG_DEBUG is not set
+# CONFIG_DEBUG_PESSIMIZE is not set
+# CONFIG_UNIT_TEST is not set
+# CONFIG_WERROR is not set
+CONFIG_NO_DEBUG_LIB=y
+# CONFIG_DMALLOC is not set
+# CONFIG_EFENCE is not set
+
+#
+# Installation Options ("make install" behavior)
+#
+CONFIG_INSTALL_APPLET_SYMLINKS=y
+# CONFIG_INSTALL_APPLET_HARDLINKS is not set
+# CONFIG_INSTALL_APPLET_SCRIPT_WRAPPERS is not set
+# CONFIG_INSTALL_APPLET_DONT is not set
+# CONFIG_INSTALL_SH_APPLET_SYMLINK is not set
+# CONFIG_INSTALL_SH_APPLET_HARDLINK is not set
+# CONFIG_INSTALL_SH_APPLET_SCRIPT_WRAPPER is not set
+CONFIG_PREFIX="./_install"
+
+#
+# Busybox Library Tuning
+#
+# CONFIG_FEATURE_SYSTEMD is not set
+CONFIG_FEATURE_RTMINMAX=y
+CONFIG_PASSWORD_MINLEN=6
+CONFIG_MD5_SMALL=1
+CONFIG_SHA3_SMALL=1
+# CONFIG_FEATURE_FAST_TOP is not set
+# CONFIG_FEATURE_ETC_NETWORKS is not set
+CONFIG_FEATURE_USE_TERMIOS=y
+CONFIG_FEATURE_EDITING=y
+CONFIG_FEATURE_EDITING_MAX_LEN=1024
+CONFIG_FEATURE_EDITING_VI=y
+CONFIG_FEATURE_EDITING_HISTORY=999
+CONFIG_FEATURE_EDITING_SAVEHISTORY=y
+# CONFIG_FEATURE_EDITING_SAVE_ON_EXIT is not set
+CONFIG_FEATURE_REVERSE_SEARCH=y
+CONFIG_FEATURE_TAB_COMPLETION=y
+# CONFIG_FEATURE_USERNAME_COMPLETION is not set
+CONFIG_FEATURE_EDITING_FANCY_PROMPT=y
+# CONFIG_FEATURE_EDITING_ASK_TERMINAL is not set
+CONFIG_FEATURE_NON_POSIX_CP=y
+# CONFIG_FEATURE_VERBOSE_CP_MESSAGE is not set
+CONFIG_FEATURE_COPYBUF_KB=4
+CONFIG_FEATURE_SKIP_ROOTFS=y
+CONFIG_MONOTONIC_SYSCALL=y
+CONFIG_IOCTL_HEX2STR_ERROR=y
+CONFIG_FEATURE_HWIB=y
+
+#
+# Applets
+#
+
+#
+# Archival Utilities
+#
+# CONFIG_FEATURE_SEAMLESS_XZ is not set
+# CONFIG_FEATURE_SEAMLESS_LZMA is not set
+# CONFIG_FEATURE_SEAMLESS_BZ2 is not set
+# CONFIG_FEATURE_SEAMLESS_GZ is not set
+# CONFIG_FEATURE_SEAMLESS_Z is not set
+CONFIG_AR=y
+# CONFIG_FEATURE_AR_LONG_FILENAMES is not set
+CONFIG_FEATURE_AR_CREATE=y
+# CONFIG_UNCOMPRESS is not set
+CONFIG_GUNZIP=y
+CONFIG_BUNZIP2=y
+CONFIG_UNLZMA=y
+# CONFIG_FEATURE_LZMA_FAST is not set
+CONFIG_LZMA=y
+CONFIG_UNXZ=y
+CONFIG_XZ=y
+# CONFIG_BZIP2 is not set
+CONFIG_CPIO=y
+# CONFIG_FEATURE_CPIO_O is not set
+# CONFIG_FEATURE_CPIO_P is not set
+# CONFIG_DPKG is not set
+# CONFIG_DPKG_DEB is not set
+# CONFIG_FEATURE_DPKG_DEB_EXTRACT_ONLY is not set
+CONFIG_GZIP=y
+# CONFIG_FEATURE_GZIP_LONG_OPTIONS is not set
+CONFIG_GZIP_FAST=0
+# CONFIG_LZOP is not set
+# CONFIG_LZOP_COMPR_HIGH is not set
+# CONFIG_RPM is not set
+# CONFIG_RPM2CPIO is not set
+CONFIG_TAR=y
+CONFIG_FEATURE_TAR_CREATE=y
+# CONFIG_FEATURE_TAR_AUTODETECT is not set
+CONFIG_FEATURE_TAR_FROM=y
+# CONFIG_FEATURE_TAR_OLDGNU_COMPATIBILITY is not set
+# CONFIG_FEATURE_TAR_OLDSUN_COMPATIBILITY is not set
+CONFIG_FEATURE_TAR_GNU_EXTENSIONS=y
+CONFIG_FEATURE_TAR_LONG_OPTIONS=y
+CONFIG_FEATURE_TAR_TO_COMMAND=y
+# CONFIG_FEATURE_TAR_UNAME_GNAME is not set
+# CONFIG_FEATURE_TAR_NOPRESERVE_TIME is not set
+CONFIG_FEATURE_TAR_SELINUX=y
+CONFIG_UNZIP=y
+
+#
+# Coreutils
+#
+CONFIG_BASENAME=y
+CONFIG_CAT=y
+CONFIG_DATE=y
+CONFIG_FEATURE_DATE_ISOFMT=y
+# CONFIG_FEATURE_DATE_NANO is not set
+CONFIG_FEATURE_DATE_COMPAT=y
+CONFIG_HOSTID=y
+CONFIG_ID=y
+CONFIG_GROUPS=y
+CONFIG_SHUF=y
+CONFIG_TEST=y
+CONFIG_FEATURE_TEST_64=y
+CONFIG_TOUCH=y
+CONFIG_FEATURE_TOUCH_NODEREF=y
+CONFIG_FEATURE_TOUCH_SUSV3=y
+CONFIG_TR=y
+CONFIG_FEATURE_TR_CLASSES=y
+CONFIG_FEATURE_TR_EQUIV=y
+CONFIG_UNLINK=y
+# CONFIG_BASE64 is not set
+CONFIG_WHO=y
+CONFIG_USERS=y
+# CONFIG_CAL is not set
+CONFIG_CATV=y
+CONFIG_CHGRP=y
+CONFIG_CHMOD=y
+CONFIG_CHOWN=y
+# CONFIG_FEATURE_CHOWN_LONG_OPTIONS is not set
+CONFIG_CHROOT=y
+CONFIG_CKSUM=y
+# CONFIG_COMM is not set
+CONFIG_CP=y
+# CONFIG_FEATURE_CP_LONG_OPTIONS is not set
+CONFIG_CUT=y
+CONFIG_DD=y
+CONFIG_FEATURE_DD_SIGNAL_HANDLING=y
+# CONFIG_FEATURE_DD_THIRD_STATUS_LINE is not set
+CONFIG_FEATURE_DD_IBS_OBS=y
+CONFIG_DF=y
+# CONFIG_FEATURE_DF_FANCY is not set
+CONFIG_DIRNAME=y
+CONFIG_DOS2UNIX=y
+CONFIG_UNIX2DOS=y
+CONFIG_DU=y
+CONFIG_FEATURE_DU_DEFAULT_BLOCKSIZE_1K=y
+CONFIG_ECHO=y
+CONFIG_FEATURE_FANCY_ECHO=y
+CONFIG_ENV=y
+# CONFIG_FEATURE_ENV_LONG_OPTIONS is not set
+# CONFIG_EXPAND is not set
+# CONFIG_FEATURE_EXPAND_LONG_OPTIONS is not set
+CONFIG_EXPR=y
+CONFIG_EXPR_MATH_SUPPORT_64=y
+CONFIG_FALSE=y
+CONFIG_FOLD=y
+# CONFIG_FSYNC is not set
+CONFIG_HEAD=y
+CONFIG_FEATURE_FANCY_HEAD=y
+CONFIG_INSTALL=y
+CONFIG_FEATURE_INSTALL_LONG_OPTIONS=y
+CONFIG_LN=y
+CONFIG_LOGNAME=y
+CONFIG_LS=y
+CONFIG_FEATURE_LS_FILETYPES=y
+CONFIG_FEATURE_LS_FOLLOWLINKS=y
+CONFIG_FEATURE_LS_RECURSIVE=y
+CONFIG_FEATURE_LS_SORTFILES=y
+CONFIG_FEATURE_LS_TIMESTAMPS=y
+CONFIG_FEATURE_LS_USERNAME=y
+CONFIG_FEATURE_LS_COLOR=y
+CONFIG_FEATURE_LS_COLOR_IS_DEFAULT=y
+CONFIG_MD5SUM=y
+CONFIG_MKDIR=y
+CONFIG_FEATURE_MKDIR_LONG_OPTIONS=y
+CONFIG_MKFIFO=y
+CONFIG_MKNOD=y
+CONFIG_MV=y
+CONFIG_FEATURE_MV_LONG_OPTIONS=y
+CONFIG_NICE=y
+CONFIG_NOHUP=y
+CONFIG_OD=y
+CONFIG_PRINTENV=y
+CONFIG_PRINTF=y
+CONFIG_PWD=y
+CONFIG_READLINK=y
+CONFIG_FEATURE_READLINK_FOLLOW=y
+CONFIG_REALPATH=y
+CONFIG_RM=y
+CONFIG_RMDIR=y
+# CONFIG_FEATURE_RMDIR_LONG_OPTIONS is not set
+CONFIG_SEQ=y
+CONFIG_SHA1SUM=y
+CONFIG_SHA256SUM=y
+CONFIG_SHA512SUM=y
+CONFIG_SHA3SUM=y
+CONFIG_SLEEP=y
+CONFIG_FEATURE_FANCY_SLEEP=y
+CONFIG_FEATURE_FLOAT_SLEEP=y
+CONFIG_SORT=y
+CONFIG_FEATURE_SORT_BIG=y
+# CONFIG_SPLIT is not set
+# CONFIG_FEATURE_SPLIT_FANCY is not set
+# CONFIG_STAT is not set
+# CONFIG_FEATURE_STAT_FORMAT is not set
+CONFIG_STTY=y
+# CONFIG_SUM is not set
+CONFIG_SYNC=y
+# CONFIG_TAC is not set
+CONFIG_TAIL=y
+CONFIG_FEATURE_FANCY_TAIL=y
+CONFIG_TEE=y
+CONFIG_FEATURE_TEE_USE_BLOCK_IO=y
+CONFIG_TRUE=y
+CONFIG_TTY=y
+CONFIG_UNAME=y
+# CONFIG_UNEXPAND is not set
+# CONFIG_FEATURE_UNEXPAND_LONG_OPTIONS is not set
+CONFIG_UNIQ=y
+CONFIG_USLEEP=y
+CONFIG_UUDECODE=y
+CONFIG_UUENCODE=y
+CONFIG_WC=y
+# CONFIG_FEATURE_WC_LARGE is not set
+CONFIG_WHOAMI=y
+CONFIG_YES=y
+
+#
+# Common options
+#
+CONFIG_FEATURE_VERBOSE=y
+
+#
+# Common options for cp and mv
+#
+CONFIG_FEATURE_PRESERVE_HARDLINKS=y
+
+#
+# Common options for ls, more and telnet
+#
+CONFIG_FEATURE_AUTOWIDTH=y
+
+#
+# Common options for df, du, ls
+#
+CONFIG_FEATURE_HUMAN_READABLE=y
+
+#
+# Common options for md5sum, sha1sum, sha256sum, sha512sum, sha3sum
+#
+CONFIG_FEATURE_MD5_SHA1_SUM_CHECK=y
+
+#
+# Console Utilities
+#
+CONFIG_CHVT=y
+# CONFIG_FGCONSOLE is not set
+CONFIG_CLEAR=y
+CONFIG_DEALLOCVT=y
+CONFIG_DUMPKMAP=y
+# CONFIG_KBD_MODE is not set
+CONFIG_LOADFONT=y
+CONFIG_LOADKMAP=y
+CONFIG_OPENVT=y
+CONFIG_RESET=y
+CONFIG_RESIZE=y
+CONFIG_FEATURE_RESIZE_PRINT=y
+CONFIG_SETCONSOLE=y
+# CONFIG_FEATURE_SETCONSOLE_LONG_OPTIONS is not set
+# CONFIG_SETFONT is not set
+# CONFIG_FEATURE_SETFONT_TEXTUAL_MAP is not set
+CONFIG_DEFAULT_SETFONT_DIR=""
+CONFIG_SETKEYCODES=y
+CONFIG_SETLOGCONS=y
+# CONFIG_SHOWKEY is not set
+
+#
+# Common options for loadfont and setfont
+#
+CONFIG_FEATURE_LOADFONT_PSF2=y
+CONFIG_FEATURE_LOADFONT_RAW=y
+
+#
+# Debian Utilities
+#
+CONFIG_MKTEMP=y
+CONFIG_PIPE_PROGRESS=y
+CONFIG_RUN_PARTS=y
+CONFIG_FEATURE_RUN_PARTS_LONG_OPTIONS=y
+# CONFIG_FEATURE_RUN_PARTS_FANCY is not set
+CONFIG_START_STOP_DAEMON=y
+CONFIG_FEATURE_START_STOP_DAEMON_FANCY=y
+CONFIG_FEATURE_START_STOP_DAEMON_LONG_OPTIONS=y
+CONFIG_WHICH=y
+
+#
+# Editors
+#
+CONFIG_AWK=y
+# CONFIG_FEATURE_AWK_LIBM is not set
+CONFIG_FEATURE_AWK_GNU_EXTENSIONS=y
+CONFIG_CMP=y
+CONFIG_DIFF=y
+# CONFIG_FEATURE_DIFF_LONG_OPTIONS is not set
+CONFIG_FEATURE_DIFF_DIR=y
+# CONFIG_ED is not set
+CONFIG_PATCH=y
+CONFIG_SED=y
+CONFIG_VI=y
+CONFIG_FEATURE_VI_MAX_LEN=4096
+CONFIG_FEATURE_VI_8BIT=y
+CONFIG_FEATURE_VI_COLON=y
+CONFIG_FEATURE_VI_YANKMARK=y
+CONFIG_FEATURE_VI_SEARCH=y
+# CONFIG_FEATURE_VI_REGEX_SEARCH is not set
+CONFIG_FEATURE_VI_USE_SIGNALS=y
+CONFIG_FEATURE_VI_DOT_CMD=y
+CONFIG_FEATURE_VI_READONLY=y
+CONFIG_FEATURE_VI_SETOPTS=y
+CONFIG_FEATURE_VI_SET=y
+CONFIG_FEATURE_VI_WIN_RESIZE=y
+CONFIG_FEATURE_VI_ASK_TERMINAL=y
+CONFIG_FEATURE_VI_UNDO=y
+CONFIG_FEATURE_VI_UNDO_QUEUE=y
+CONFIG_FEATURE_VI_UNDO_QUEUE_MAX=256
+CONFIG_FEATURE_ALLOW_EXEC=y
+
+#
+# Finding Utilities
+#
+CONFIG_FIND=y
+CONFIG_FEATURE_FIND_PRINT0=y
+CONFIG_FEATURE_FIND_MTIME=y
+CONFIG_FEATURE_FIND_MMIN=y
+CONFIG_FEATURE_FIND_PERM=y
+CONFIG_FEATURE_FIND_TYPE=y
+CONFIG_FEATURE_FIND_XDEV=y
+CONFIG_FEATURE_FIND_MAXDEPTH=y
+CONFIG_FEATURE_FIND_NEWER=y
+CONFIG_FEATURE_FIND_INUM=y
+CONFIG_FEATURE_FIND_EXEC=y
+CONFIG_FEATURE_FIND_EXEC_PLUS=y
+CONFIG_FEATURE_FIND_USER=y
+CONFIG_FEATURE_FIND_GROUP=y
+CONFIG_FEATURE_FIND_NOT=y
+CONFIG_FEATURE_FIND_DEPTH=y
+CONFIG_FEATURE_FIND_PAREN=y
+CONFIG_FEATURE_FIND_SIZE=y
+CONFIG_FEATURE_FIND_PRUNE=y
+# CONFIG_FEATURE_FIND_DELETE is not set
+CONFIG_FEATURE_FIND_PATH=y
+CONFIG_FEATURE_FIND_REGEX=y
+# CONFIG_FEATURE_FIND_CONTEXT is not set
+# CONFIG_FEATURE_FIND_LINKS is not set
+CONFIG_GREP=y
+CONFIG_FEATURE_GREP_EGREP_ALIAS=y
+CONFIG_FEATURE_GREP_FGREP_ALIAS=y
+CONFIG_FEATURE_GREP_CONTEXT=y
+CONFIG_XARGS=y
+# CONFIG_FEATURE_XARGS_SUPPORT_CONFIRMATION is not set
+CONFIG_FEATURE_XARGS_SUPPORT_QUOTES=y
+CONFIG_FEATURE_XARGS_SUPPORT_TERMOPT=y
+CONFIG_FEATURE_XARGS_SUPPORT_ZERO_TERM=y
+CONFIG_FEATURE_XARGS_SUPPORT_REPL_STR=y
+
+#
+# Init Utilities
+#
+# CONFIG_BOOTCHARTD is not set
+# CONFIG_FEATURE_BOOTCHARTD_BLOATED_HEADER is not set
+# CONFIG_FEATURE_BOOTCHARTD_CONFIG_FILE is not set
+# CONFIG_HALT is not set
+# CONFIG_FEATURE_CALL_TELINIT is not set
+CONFIG_TELINIT_PATH=""
+# CONFIG_INIT is not set
+# CONFIG_FEATURE_USE_INITTAB is not set
+# CONFIG_FEATURE_KILL_REMOVED is not set
+CONFIG_FEATURE_KILL_DELAY=0
+# CONFIG_FEATURE_INIT_SCTTY is not set
+# CONFIG_FEATURE_INIT_SYSLOG is not set
+# CONFIG_FEATURE_EXTRA_QUIET is not set
+# CONFIG_FEATURE_INIT_COREDUMPS is not set
+# CONFIG_FEATURE_INITRD is not set
+CONFIG_INIT_TERMINAL_TYPE=""
+CONFIG_MESG=y
+CONFIG_FEATURE_MESG_ENABLE_ONLY_GROUP=y
+
+#
+# Login/Password Management Utilities
+#
+# CONFIG_ADD_SHELL is not set
+# CONFIG_REMOVE_SHELL is not set
+# CONFIG_FEATURE_SHADOWPASSWDS is not set
+# CONFIG_USE_BB_PWD_GRP is not set
+# CONFIG_USE_BB_SHADOW is not set
+# CONFIG_USE_BB_CRYPT is not set
+# CONFIG_USE_BB_CRYPT_SHA is not set
+# CONFIG_ADDUSER is not set
+# CONFIG_FEATURE_ADDUSER_LONG_OPTIONS is not set
+# CONFIG_FEATURE_CHECK_NAMES is not set
+CONFIG_LAST_ID=0
+CONFIG_FIRST_SYSTEM_ID=0
+CONFIG_LAST_SYSTEM_ID=0
+# CONFIG_ADDGROUP is not set
+# CONFIG_FEATURE_ADDGROUP_LONG_OPTIONS is not set
+# CONFIG_FEATURE_ADDUSER_TO_GROUP is not set
+# CONFIG_DELUSER is not set
+# CONFIG_DELGROUP is not set
+# CONFIG_FEATURE_DEL_USER_FROM_GROUP is not set
+CONFIG_GETTY=y
+# CONFIG_LOGIN is not set
+# CONFIG_LOGIN_SESSION_AS_CHILD is not set
+# CONFIG_LOGIN_SCRIPTS is not set
+# CONFIG_FEATURE_NOLOGIN is not set
+# CONFIG_FEATURE_SECURETTY is not set
+# CONFIG_PASSWD is not set
+# CONFIG_FEATURE_PASSWD_WEAK_CHECK is not set
+# CONFIG_CRYPTPW is not set
+# CONFIG_CHPASSWD is not set
+CONFIG_FEATURE_DEFAULT_PASSWD_ALGO=""
+# CONFIG_SU is not set
+# CONFIG_FEATURE_SU_SYSLOG is not set
+# CONFIG_FEATURE_SU_CHECKS_SHELLS is not set
+# CONFIG_SULOGIN is not set
+# CONFIG_VLOCK is not set
+
+#
+# Linux Ext2 FS Progs
+#
+# CONFIG_CHATTR is not set
+CONFIG_FSCK=y
+# CONFIG_LSATTR is not set
+# CONFIG_TUNE2FS is not set
+
+#
+# Linux Module Utilities
+#
+# CONFIG_MODINFO is not set
+# CONFIG_MODPROBE_SMALL is not set
+# CONFIG_FEATURE_MODPROBE_SMALL_OPTIONS_ON_CMDLINE is not set
+# CONFIG_FEATURE_MODPROBE_SMALL_CHECK_ALREADY_LOADED is not set
+# CONFIG_INSMOD is not set
+# CONFIG_RMMOD is not set
+# CONFIG_LSMOD is not set
+# CONFIG_FEATURE_LSMOD_PRETTY_2_6_OUTPUT is not set
+# CONFIG_MODPROBE is not set
+# CONFIG_FEATURE_MODPROBE_BLACKLIST is not set
+# CONFIG_DEPMOD is not set
+
+#
+# Options common to multiple modutils
+#
+# CONFIG_FEATURE_2_4_MODULES is not set
+# CONFIG_FEATURE_INSMOD_TRY_MMAP is not set
+# CONFIG_FEATURE_INSMOD_VERSION_CHECKING is not set
+# CONFIG_FEATURE_INSMOD_KSYMOOPS_SYMBOLS is not set
+# CONFIG_FEATURE_INSMOD_LOADINKMEM is not set
+# CONFIG_FEATURE_INSMOD_LOAD_MAP is not set
+# CONFIG_FEATURE_INSMOD_LOAD_MAP_FULL is not set
+# CONFIG_FEATURE_CHECK_TAINTED_MODULE is not set
+# CONFIG_FEATURE_MODUTILS_ALIAS is not set
+# CONFIG_FEATURE_MODUTILS_SYMBOLS is not set
+CONFIG_DEFAULT_MODULES_DIR=""
+CONFIG_DEFAULT_DEPMOD_FILE=""
+
+#
+# Linux System Utilities
+#
+# CONFIG_BLOCKDEV is not set
+CONFIG_FATATTR=y
+CONFIG_FSTRIM=y
+CONFIG_MDEV=y
+CONFIG_FEATURE_MDEV_CONF=y
+CONFIG_FEATURE_MDEV_RENAME=y
+# CONFIG_FEATURE_MDEV_RENAME_REGEXP is not set
+CONFIG_FEATURE_MDEV_EXEC=y
+# CONFIG_FEATURE_MDEV_LOAD_FIRMWARE is not set
+# CONFIG_REV is not set
+# CONFIG_ACPID is not set
+# CONFIG_FEATURE_ACPID_COMPAT is not set
+CONFIG_BLKID=y
+# CONFIG_FEATURE_BLKID_TYPE is not set
+CONFIG_DMESG=y
+CONFIG_FEATURE_DMESG_PRETTY=y
+# CONFIG_FBSET is not set
+# CONFIG_FEATURE_FBSET_FANCY is not set
+# CONFIG_FEATURE_FBSET_READMODE is not set
+CONFIG_FDFLUSH=y
+CONFIG_FDFORMAT=y
+CONFIG_FDISK=y
+# CONFIG_FDISK_SUPPORT_LARGE_DISKS is not set
+CONFIG_FEATURE_FDISK_WRITABLE=y
+# CONFIG_FEATURE_AIX_LABEL is not set
+# CONFIG_FEATURE_SGI_LABEL is not set
+# CONFIG_FEATURE_SUN_LABEL is not set
+# CONFIG_FEATURE_OSF_LABEL is not set
+CONFIG_FEATURE_GPT_LABEL=y
+CONFIG_FEATURE_FDISK_ADVANCED=y
+# CONFIG_FINDFS is not set
+# CONFIG_FLOCK is not set
+CONFIG_FREERAMDISK=y
+# CONFIG_FSCK_MINIX is not set
+# CONFIG_MKFS_EXT2 is not set
+# CONFIG_MKFS_MINIX is not set
+# CONFIG_FEATURE_MINIX2 is not set
+# CONFIG_MKFS_REISER is not set
+# CONFIG_MKFS_VFAT is not set
+CONFIG_GETOPT=y
+CONFIG_FEATURE_GETOPT_LONG=y
+CONFIG_HEXDUMP=y
+# CONFIG_FEATURE_HEXDUMP_REVERSE is not set
+# CONFIG_HD is not set
+CONFIG_HWCLOCK=y
+CONFIG_FEATURE_HWCLOCK_LONG_OPTIONS=y
+CONFIG_FEATURE_HWCLOCK_ADJTIME_FHS=y
+CONFIG_IPCRM=y
+CONFIG_IPCS=y
+CONFIG_LOSETUP=y
+CONFIG_LSPCI=y
+CONFIG_LSUSB=y
+CONFIG_MKSWAP=y
+# CONFIG_FEATURE_MKSWAP_UUID is not set
+CONFIG_MORE=y
+CONFIG_MOUNT=y
+# CONFIG_FEATURE_MOUNT_FAKE is not set
+CONFIG_FEATURE_MOUNT_VERBOSE=y
+CONFIG_FEATURE_MOUNT_HELPERS=y
+CONFIG_FEATURE_MOUNT_LABEL=y
+CONFIG_FEATURE_MOUNT_NFS=y
+CONFIG_FEATURE_MOUNT_CIFS=y
+CONFIG_FEATURE_MOUNT_FLAGS=y
+CONFIG_FEATURE_MOUNT_FSTAB=y
+# CONFIG_PIVOT_ROOT is not set
+CONFIG_RDATE=y
+# CONFIG_RDEV is not set
+CONFIG_READPROFILE=y
+# CONFIG_RTCWAKE is not set
+# CONFIG_SCRIPT is not set
+# CONFIG_SCRIPTREPLAY is not set
+CONFIG_SETARCH=y
+CONFIG_SWAPONOFF=y
+CONFIG_FEATURE_SWAPON_DISCARD=y
+# CONFIG_FEATURE_SWAPON_PRI is not set
+CONFIG_SWITCH_ROOT=y
+CONFIG_UMOUNT=y
+CONFIG_FEATURE_UMOUNT_ALL=y
+
+#
+# Common options for mount/umount
+#
+CONFIG_FEATURE_MOUNT_LOOP=y
+CONFIG_FEATURE_MOUNT_LOOP_CREATE=y
+# CONFIG_FEATURE_MTAB_SUPPORT is not set
+CONFIG_VOLUMEID=y
+
+#
+# Filesystem/Volume identification
+#
+# CONFIG_FEATURE_VOLUMEID_BTRFS is not set
+# CONFIG_FEATURE_VOLUMEID_CRAMFS is not set
+CONFIG_FEATURE_VOLUMEID_EXFAT=y
+CONFIG_FEATURE_VOLUMEID_EXT=y
+CONFIG_FEATURE_VOLUMEID_F2FS=y
+CONFIG_FEATURE_VOLUMEID_FAT=y
+# CONFIG_FEATURE_VOLUMEID_HFS is not set
+# CONFIG_FEATURE_VOLUMEID_ISO9660 is not set
+# CONFIG_FEATURE_VOLUMEID_JFS is not set
+# CONFIG_FEATURE_VOLUMEID_LINUXRAID is not set
+# CONFIG_FEATURE_VOLUMEID_LINUXSWAP is not set
+# CONFIG_FEATURE_VOLUMEID_LUKS is not set
+# CONFIG_FEATURE_VOLUMEID_NILFS is not set
+# CONFIG_FEATURE_VOLUMEID_NTFS is not set
+# CONFIG_FEATURE_VOLUMEID_OCFS2 is not set
+# CONFIG_FEATURE_VOLUMEID_REISERFS is not set
+# CONFIG_FEATURE_VOLUMEID_ROMFS is not set
+# CONFIG_FEATURE_VOLUMEID_SQUASHFS is not set
+# CONFIG_FEATURE_VOLUMEID_SYSV is not set
+# CONFIG_FEATURE_VOLUMEID_UDF is not set
+# CONFIG_FEATURE_VOLUMEID_XFS is not set
+
+#
+# Miscellaneous Utilities
+#
+# CONFIG_CONSPY is not set
+CONFIG_CROND=y
+# CONFIG_FEATURE_CROND_D is not set
+# CONFIG_FEATURE_CROND_CALL_SENDMAIL is not set
+CONFIG_FEATURE_CROND_DIR="/var/spool/cron"
+CONFIG_LESS=y
+CONFIG_FEATURE_LESS_MAXLINES=9999999
+CONFIG_FEATURE_LESS_BRACKETS=y
+CONFIG_FEATURE_LESS_FLAGS=y
+# CONFIG_FEATURE_LESS_MARKS is not set
+CONFIG_FEATURE_LESS_REGEXP=y
+# CONFIG_FEATURE_LESS_WINCH is not set
+# CONFIG_FEATURE_LESS_ASK_TERMINAL is not set
+# CONFIG_FEATURE_LESS_DASHCMD is not set
+# CONFIG_FEATURE_LESS_LINENUMS is not set
+# CONFIG_NANDWRITE is not set
+# CONFIG_NANDDUMP is not set
+# CONFIG_RFKILL is not set
+CONFIG_SETSERIAL=y
+# CONFIG_TASKSET is not set
+# CONFIG_FEATURE_TASKSET_FANCY is not set
+# CONFIG_UBIATTACH is not set
+# CONFIG_UBIDETACH is not set
+# CONFIG_UBIMKVOL is not set
+# CONFIG_UBIRMVOL is not set
+# CONFIG_UBIRSVOL is not set
+# CONFIG_UBIUPDATEVOL is not set
+# CONFIG_WALL is not set
+# CONFIG_ADJTIMEX is not set
+# CONFIG_BBCONFIG is not set
+# CONFIG_FEATURE_COMPRESS_BBCONFIG is not set
+# CONFIG_BEEP is not set
+CONFIG_FEATURE_BEEP_FREQ=0
+CONFIG_FEATURE_BEEP_LENGTH_MS=0
+# CONFIG_CHAT is not set
+# CONFIG_FEATURE_CHAT_NOFAIL is not set
+# CONFIG_FEATURE_CHAT_TTY_HIFI is not set
+# CONFIG_FEATURE_CHAT_IMPLICIT_CR is not set
+# CONFIG_FEATURE_CHAT_SWALLOW_OPTS is not set
+# CONFIG_FEATURE_CHAT_SEND_ESCAPES is not set
+# CONFIG_FEATURE_CHAT_VAR_ABORT_LEN is not set
+# CONFIG_FEATURE_CHAT_CLR_ABORT is not set
+CONFIG_CHRT=y
+CONFIG_CRONTAB=y
+CONFIG_DC=y
+# CONFIG_FEATURE_DC_LIBM is not set
+# CONFIG_DEVFSD is not set
+# CONFIG_DEVFSD_MODLOAD is not set
+# CONFIG_DEVFSD_FG_NP is not set
+# CONFIG_DEVFSD_VERBOSE is not set
+# CONFIG_FEATURE_DEVFS is not set
+CONFIG_DEVMEM=y
+CONFIG_EJECT=y
+# CONFIG_FEATURE_EJECT_SCSI is not set
+# CONFIG_FBSPLASH is not set
+# CONFIG_FLASHCP is not set
+# CONFIG_FLASH_LOCK is not set
+# CONFIG_FLASH_UNLOCK is not set
+# CONFIG_FLASH_ERASEALL is not set
+# CONFIG_IONICE is not set
+# CONFIG_INOTIFYD is not set
+CONFIG_LAST=y
+CONFIG_FEATURE_LAST_SMALL=y
+# CONFIG_FEATURE_LAST_FANCY is not set
+CONFIG_HDPARM=y
+CONFIG_FEATURE_HDPARM_GET_IDENTITY=y
+# CONFIG_FEATURE_HDPARM_HDIO_SCAN_HWIF is not set
+# CONFIG_FEATURE_HDPARM_HDIO_UNREGISTER_HWIF is not set
+# CONFIG_FEATURE_HDPARM_HDIO_DRIVE_RESET is not set
+# CONFIG_FEATURE_HDPARM_HDIO_TRISTATE_HWIF is not set
+# CONFIG_FEATURE_HDPARM_HDIO_GETSET_DMA is not set
+CONFIG_MAKEDEVS=y
+# CONFIG_FEATURE_MAKEDEVS_LEAF is not set
+CONFIG_FEATURE_MAKEDEVS_TABLE=y
+# CONFIG_MAN is not set
+CONFIG_MICROCOM=y
+CONFIG_MOUNTPOINT=y
+CONFIG_MT=y
+# CONFIG_RAIDAUTORUN is not set
+# CONFIG_READAHEAD is not set
+CONFIG_RUNLEVEL=y
+# CONFIG_RX is not set
+CONFIG_SETSID=y
+CONFIG_STRINGS=y
+CONFIG_TIME=y
+# CONFIG_TIMEOUT is not set
+# CONFIG_TTYSIZE is not set
+# CONFIG_VOLNAME is not set
+CONFIG_WATCHDOG=y
+
+#
+# Networking Utilities
+#
+CONFIG_NAMEIF=y
+# CONFIG_FEATURE_NAMEIF_EXTENDED is not set
+# CONFIG_NBDCLIENT is not set
+# CONFIG_NC is not set
+# CONFIG_NC_SERVER is not set
+# CONFIG_NC_EXTRA is not set
+# CONFIG_NC_110_COMPAT is not set
+CONFIG_PING=y
+# CONFIG_PING6 is not set
+CONFIG_FEATURE_FANCY_PING=y
+# CONFIG_WHOIS is not set
+CONFIG_FEATURE_IPV6=y
+# CONFIG_FEATURE_UNIX_LOCAL is not set
+# CONFIG_FEATURE_PREFER_IPV4_ADDRESS is not set
+# CONFIG_VERBOSE_RESOLUTION_ERRORS is not set
+# CONFIG_ARP is not set
+CONFIG_ARPING=y
+# CONFIG_BRCTL is not set
+# CONFIG_FEATURE_BRCTL_FANCY is not set
+# CONFIG_FEATURE_BRCTL_SHOW is not set
+CONFIG_DNSD=y
+CONFIG_ETHER_WAKE=y
+# CONFIG_FAKEIDENTD is not set
+# CONFIG_FTPD is not set
+# CONFIG_FEATURE_FTP_WRITE is not set
+# CONFIG_FEATURE_FTPD_ACCEPT_BROKEN_LIST is not set
+# CONFIG_FEATURE_FTP_AUTHENTICATION is not set
+# CONFIG_FTPGET is not set
+# CONFIG_FTPPUT is not set
+# CONFIG_FEATURE_FTPGETPUT_LONG_OPTIONS is not set
+CONFIG_HOSTNAME=y
+# CONFIG_HTTPD is not set
+# CONFIG_FEATURE_HTTPD_RANGES is not set
+# CONFIG_FEATURE_HTTPD_SETUID is not set
+# CONFIG_FEATURE_HTTPD_BASIC_AUTH is not set
+# CONFIG_FEATURE_HTTPD_AUTH_MD5 is not set
+# CONFIG_FEATURE_HTTPD_CGI is not set
+# CONFIG_FEATURE_HTTPD_CONFIG_WITH_SCRIPT_INTERPR is not set
+# CONFIG_FEATURE_HTTPD_SET_REMOTE_PORT_TO_ENV is not set
+# CONFIG_FEATURE_HTTPD_ENCODE_URL_STR is not set
+# CONFIG_FEATURE_HTTPD_ERROR_PAGES is not set
+# CONFIG_FEATURE_HTTPD_PROXY is not set
+# CONFIG_FEATURE_HTTPD_GZIP is not set
+CONFIG_IFCONFIG=y
+CONFIG_FEATURE_IFCONFIG_STATUS=y
+CONFIG_FEATURE_IFCONFIG_SLIP=y
+CONFIG_FEATURE_IFCONFIG_MEMSTART_IOADDR_IRQ=y
+CONFIG_FEATURE_IFCONFIG_HW=y
+# CONFIG_FEATURE_IFCONFIG_BROADCAST_PLUS is not set
+# CONFIG_IFENSLAVE is not set
+# CONFIG_IFPLUGD is not set
+CONFIG_IFUPDOWN=y
+CONFIG_IFUPDOWN_IFSTATE_PATH="/var/run/ifstate"
+CONFIG_FEATURE_IFUPDOWN_IP=y
+# CONFIG_FEATURE_IFUPDOWN_IP_BUILTIN is not set
+# CONFIG_FEATURE_IFUPDOWN_IFCONFIG_BUILTIN is not set
+CONFIG_FEATURE_IFUPDOWN_IPV4=y
+CONFIG_FEATURE_IFUPDOWN_IPV6=y
+CONFIG_FEATURE_IFUPDOWN_MAPPING=y
+# CONFIG_FEATURE_IFUPDOWN_EXTERNAL_DHCP is not set
+# CONFIG_INETD is not set
+# CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_ECHO is not set
+# CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_DISCARD is not set
+# CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_TIME is not set
+# CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_DAYTIME is not set
+# CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_CHARGEN is not set
+# CONFIG_FEATURE_INETD_RPC is not set
+CONFIG_IP=y
+CONFIG_FEATURE_IP_ADDRESS=y
+CONFIG_FEATURE_IP_LINK=y
+CONFIG_FEATURE_IP_ROUTE=y
+CONFIG_FEATURE_IP_TUNNEL=y
+CONFIG_FEATURE_IP_RULE=y
+CONFIG_FEATURE_IP_SHORT_FORMS=y
+# CONFIG_FEATURE_IP_RARE_PROTOCOLS is not set
+CONFIG_IPADDR=y
+CONFIG_IPLINK=y
+CONFIG_IPROUTE=y
+CONFIG_IPTUNNEL=y
+CONFIG_IPRULE=y
+# CONFIG_IPCALC is not set
+# CONFIG_FEATURE_IPCALC_FANCY is not set
+# CONFIG_FEATURE_IPCALC_LONG_OPTIONS is not set
+CONFIG_NETSTAT=y
+# CONFIG_FEATURE_NETSTAT_WIDE is not set
+# CONFIG_FEATURE_NETSTAT_PRG is not set
+CONFIG_NSLOOKUP=y
+# CONFIG_NTPD is not set
+# CONFIG_FEATURE_NTPD_SERVER is not set
+# CONFIG_FEATURE_NTPD_CONF is not set
+# CONFIG_PSCAN is not set
+CONFIG_ROUTE=y
+# CONFIG_SLATTACH is not set
+# CONFIG_TCPSVD is not set
+CONFIG_TELNET=y
+CONFIG_FEATURE_TELNET_TTYPE=y
+CONFIG_FEATURE_TELNET_AUTOLOGIN=y
+# CONFIG_TELNETD is not set
+# CONFIG_FEATURE_TELNETD_STANDALONE is not set
+# CONFIG_FEATURE_TELNETD_INETD_WAIT is not set
+CONFIG_TFTP=y
+# CONFIG_TFTPD is not set
+
+#
+# Common options for tftp/tftpd
+#
+CONFIG_FEATURE_TFTP_GET=y
+CONFIG_FEATURE_TFTP_PUT=y
+CONFIG_FEATURE_TFTP_BLOCKSIZE=y
+# CONFIG_FEATURE_TFTP_PROGRESS_BAR is not set
+# CONFIG_TFTP_DEBUG is not set
+CONFIG_TRACEROUTE=y
+# CONFIG_TRACEROUTE6 is not set
+# CONFIG_FEATURE_TRACEROUTE_VERBOSE is not set
+# CONFIG_FEATURE_TRACEROUTE_SOURCE_ROUTE is not set
+# CONFIG_FEATURE_TRACEROUTE_USE_ICMP is not set
+# CONFIG_TUNCTL is not set
+# CONFIG_FEATURE_TUNCTL_UG is not set
+# CONFIG_UDHCPC6 is not set
+# CONFIG_UDHCPD is not set
+# CONFIG_DHCPRELAY is not set
+# CONFIG_DUMPLEASES is not set
+# CONFIG_FEATURE_UDHCPD_WRITE_LEASES_EARLY is not set
+# CONFIG_FEATURE_UDHCPD_BASE_IP_ON_MAC is not set
+CONFIG_DHCPD_LEASES_FILE=""
+CONFIG_UDHCPC=y
+CONFIG_FEATURE_UDHCPC_ARPING=y
+CONFIG_FEATURE_UDHCPC_SANITIZEOPT=y
+# CONFIG_FEATURE_UDHCP_PORT is not set
+CONFIG_UDHCP_DEBUG=0
+# CONFIG_FEATURE_UDHCP_RFC3397 is not set
+CONFIG_FEATURE_UDHCP_8021Q=y
+CONFIG_UDHCPC_DEFAULT_SCRIPT="/usr/share/udhcpc/default.script"
+CONFIG_UDHCPC_SLACK_FOR_BUGGY_SERVERS=80
+CONFIG_IFUPDOWN_UDHCPC_CMD_OPTIONS="-R -n"
+# CONFIG_UDPSVD is not set
+CONFIG_VCONFIG=y
+CONFIG_WGET=y
+CONFIG_FEATURE_WGET_STATUSBAR=y
+CONFIG_FEATURE_WGET_AUTHENTICATION=y
+CONFIG_FEATURE_WGET_LONG_OPTIONS=y
+CONFIG_FEATURE_WGET_TIMEOUT=y
+# CONFIG_ZCIP is not set
+
+#
+# Print Utilities
+#
+# CONFIG_LPD is not set
+# CONFIG_LPR is not set
+# CONFIG_LPQ is not set
+
+#
+# Mail Utilities
+#
+# CONFIG_MAKEMIME is not set
+CONFIG_FEATURE_MIME_CHARSET=""
+# CONFIG_POPMAILDIR is not set
+# CONFIG_FEATURE_POPMAILDIR_DELIVERY is not set
+# CONFIG_REFORMIME is not set
+# CONFIG_FEATURE_REFORMIME_COMPAT is not set
+# CONFIG_SENDMAIL is not set
+
+#
+# Process Utilities
+#
+# CONFIG_IOSTAT is not set
+CONFIG_LSOF=y
+# CONFIG_MPSTAT is not set
+# CONFIG_NMETER is not set
+# CONFIG_PMAP is not set
+# CONFIG_POWERTOP is not set
+# CONFIG_PSTREE is not set
+# CONFIG_PWDX is not set
+# CONFIG_SMEMCAP is not set
+CONFIG_TOP=y
+CONFIG_FEATURE_TOP_CPU_USAGE_PERCENTAGE=y
+CONFIG_FEATURE_TOP_CPU_GLOBAL_PERCENTS=y
+# CONFIG_FEATURE_TOP_SMP_CPU is not set
+# CONFIG_FEATURE_TOP_DECIMALS is not set
+# CONFIG_FEATURE_TOP_SMP_PROCESS is not set
+# CONFIG_FEATURE_TOPMEM is not set
+CONFIG_UPTIME=y
+# CONFIG_FEATURE_UPTIME_UTMP_SUPPORT is not set
+CONFIG_FREE=y
+CONFIG_FUSER=y
+CONFIG_KILL=y
+CONFIG_KILLALL=y
+CONFIG_KILLALL5=y
+# CONFIG_PGREP is not set
+CONFIG_PIDOF=y
+CONFIG_FEATURE_PIDOF_SINGLE=y
+CONFIG_FEATURE_PIDOF_OMIT=y
+# CONFIG_PKILL is not set
+CONFIG_PS=y
+# CONFIG_FEATURE_PS_WIDE is not set
+# CONFIG_FEATURE_PS_LONG is not set
+# CONFIG_FEATURE_PS_TIME is not set
+# CONFIG_FEATURE_PS_ADDITIONAL_COLUMNS is not set
+# CONFIG_FEATURE_PS_UNUSUAL_SYSTEMS is not set
+CONFIG_RENICE=y
+CONFIG_BB_SYSCTL=y
+# CONFIG_FEATURE_SHOW_THREADS is not set
+CONFIG_WATCH=y
+
+#
+# Runit Utilities
+#
+# CONFIG_RUNSV is not set
+# CONFIG_RUNSVDIR is not set
+# CONFIG_FEATURE_RUNSVDIR_LOG is not set
+# CONFIG_SV is not set
+CONFIG_SV_DEFAULT_SERVICE_DIR=""
+# CONFIG_SVLOGD is not set
+# CONFIG_CHPST is not set
+# CONFIG_SETUIDGID is not set
+# CONFIG_ENVUIDGID is not set
+# CONFIG_ENVDIR is not set
+# CONFIG_SOFTLIMIT is not set
+
+#
+# SELinux Utilities
+#
+CONFIG_CHCON=y
+CONFIG_FEATURE_CHCON_LONG_OPTIONS=y
+# CONFIG_GETENFORCE is not set
+# CONFIG_GETSEBOOL is not set
+# CONFIG_LOAD_POLICY is not set
+# CONFIG_MATCHPATHCON is not set
+# CONFIG_RESTORECON is not set
+CONFIG_RUNCON=y
+CONFIG_FEATURE_RUNCON_LONG_OPTIONS=y
+CONFIG_SELINUXENABLED=y
+# CONFIG_SETENFORCE is not set
+# CONFIG_SETFILES is not set
+# CONFIG_FEATURE_SETFILES_CHECK_OPTION is not set
+# CONFIG_SETSEBOOL is not set
+# CONFIG_SESTATUS is not set
+
+#
+# Shells
+#
+CONFIG_ASH=y
+CONFIG_ASH_BASH_COMPAT=y
+CONFIG_ASH_IDLE_TIMEOUT=y
+CONFIG_ASH_JOB_CONTROL=y
+CONFIG_ASH_ALIAS=y
+CONFIG_ASH_GETOPTS=y
+CONFIG_ASH_BUILTIN_ECHO=y
+CONFIG_ASH_BUILTIN_PRINTF=y
+CONFIG_ASH_BUILTIN_TEST=y
+CONFIG_ASH_HELP=y
+CONFIG_ASH_CMDCMD=y
+# CONFIG_ASH_MAIL is not set
+CONFIG_ASH_OPTIMIZE_FOR_SIZE=y
+CONFIG_ASH_RANDOM_SUPPORT=y
+CONFIG_ASH_EXPAND_PRMT=y
+# CONFIG_CTTYHACK is not set
+# CONFIG_HUSH is not set
+# CONFIG_HUSH_BASH_COMPAT is not set
+# CONFIG_HUSH_BRACE_EXPANSION is not set
+# CONFIG_HUSH_HELP is not set
+# CONFIG_HUSH_INTERACTIVE is not set
+# CONFIG_HUSH_SAVEHISTORY is not set
+# CONFIG_HUSH_JOB is not set
+# CONFIG_HUSH_TICK is not set
+# CONFIG_HUSH_IF is not set
+# CONFIG_HUSH_LOOPS is not set
+# CONFIG_HUSH_CASE is not set
+# CONFIG_HUSH_FUNCTIONS is not set
+# CONFIG_HUSH_LOCAL is not set
+# CONFIG_HUSH_RANDOM_SUPPORT is not set
+# CONFIG_HUSH_EXPORT_N is not set
+# CONFIG_HUSH_MODE_X is not set
+# CONFIG_MSH is not set
+CONFIG_FEATURE_SH_IS_ASH=y
+# CONFIG_FEATURE_SH_IS_HUSH is not set
+# CONFIG_FEATURE_SH_IS_NONE is not set
+CONFIG_FEATURE_BASH_IS_ASH=y
+# CONFIG_FEATURE_BASH_IS_HUSH is not set
+# CONFIG_FEATURE_BASH_IS_NONE is not set
+CONFIG_SH_MATH_SUPPORT=y
+# CONFIG_SH_MATH_SUPPORT_64 is not set
+CONFIG_FEATURE_SH_EXTRA_QUIET=y
+# CONFIG_FEATURE_SH_STANDALONE is not set
+# CONFIG_FEATURE_SH_NOFORK is not set
+# CONFIG_FEATURE_SH_HISTFILESIZE is not set
+
+#
+# System Logging Utilities
+#
+# CONFIG_SYSLOGD is not set
+# CONFIG_FEATURE_ROTATE_LOGFILE is not set
+# CONFIG_FEATURE_REMOTE_LOG is not set
+# CONFIG_FEATURE_SYSLOGD_DUP is not set
+# CONFIG_FEATURE_SYSLOGD_CFG is not set
+CONFIG_FEATURE_SYSLOGD_READ_BUFFER_SIZE=0
+# CONFIG_FEATURE_IPC_SYSLOG is not set
+CONFIG_FEATURE_IPC_SYSLOG_BUFFER_SIZE=0
+# CONFIG_LOGREAD is not set
+# CONFIG_FEATURE_LOGREAD_REDUCED_LOCKING is not set
+# CONFIG_FEATURE_KMSG_SYSLOG is not set
+# CONFIG_KLOGD is not set
+# CONFIG_FEATURE_KLOGD_KLOGCTL is not set
+CONFIG_LOGGER=y
diff --git a/board/common_selinux/post_build.sh b/board/common_selinux/post_build.sh
new file mode 100755
index 0000000..3509de9
--- /dev/null
+++ b/board/common_selinux/post_build.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+################################################################################
+#
+# DESCRIPTION:
+#     This script will do any "post-build" steps (after all packages are built
+#     but before image creation). Any filesystem permission issues should be
+#     fixed in this script.
+#
+#     The script requires following variables to be passed into it.
+#        $1 - the target directory (passed in by default by buildroot if
+#             script is BR2_ROOTFS_POST_BUILD_SCRIPT)
+#
+################################################################################
+
+DEST_DIR=$1
+
+# For SELinux targets, the /var directory symlinks need to be removed
+# and replaced with actual folders. The removal is done here and the
+# recreation is done in the permissions file for the common_selinux
+# local_skeleton
+for link in ${DEST_DIR}/var/{cache,lock,log,run,spool,tmp} ${DEST_DIR}/var/lib/misc; do
+	if [ -h ${link} ]; then
+		echo "Removing symlink ${link}"
+		unlink ${link}
+	fi
+done
+
+# Replace the /run folder with a symlink to /var/run
+rm -rf ${DEST_DIR}/run
+ln -sf -t ${DEST_DIR} run var/run
diff --git a/board/common_selinux/skeleton/etc/audit/auditd.conf b/board/common_selinux/skeleton/etc/audit/auditd.conf
new file mode 100644
index 0000000..039b7f0
--- /dev/null
+++ b/board/common_selinux/skeleton/etc/audit/auditd.conf
@@ -0,0 +1,32 @@
+#
+# This file controls the configuration of the audit daemon
+#
+
+log_file = /var/log/audit/audit.log
+log_format = RAW
+log_group = root
+priority_boost = 4
+flush = INCREMENTAL
+freq = 20
+num_logs = 5
+disp_qos = lossy
+dispatcher = /usr/sbin/audispd
+name_format = NONE
+##name = mydomain
+max_log_file = 6 
+max_log_file_action = ROTATE
+space_left = 75
+space_left_action = IGNORE
+action_mail_acct = root
+admin_space_left = 50
+admin_space_left_action = IGNORE
+disk_full_action = IGNORE
+disk_error_action = IGNORE
+##tcp_listen_port = 
+tcp_listen_queue = 5
+tcp_max_per_addr = 1
+##tcp_client_ports = 1024-65535
+tcp_client_max_idle = 0
+enable_krb5 = no
+krb5_principal = auditd
+##krb5_key_file = /etc/audit/audit.key
diff --git a/board/common_selinux/skeleton/etc/audit/rules.d/audit.rules b/board/common_selinux/skeleton/etc/audit/rules.d/audit.rules
new file mode 100644
index 0000000..7c90606
--- /dev/null
+++ b/board/common_selinux/skeleton/etc/audit/rules.d/audit.rules
@@ -0,0 +1,3 @@
+-D
+-b 1024
+-e 2
diff --git a/board/common_selinux/skeleton/etc/fstab b/board/common_selinux/skeleton/etc/fstab
new file mode 100755
index 0000000..d772349
--- /dev/null
+++ b/board/common_selinux/skeleton/etc/fstab
@@ -0,0 +1,15 @@
+# /etc/fstab: static file system information.
+#
+# <file system> <mount pt>     <type>    <options>                      <dump> <pass>
+/dev/root       /              ext3      rw,noauto                       0      1
+proc            /proc          proc      defaults                        0      0
+devpts          /dev/pts       devpts    defaults,gid=5,mode=620         0      0
+tmpfs           /dev/shm       tmpfs     mode=0700,nodev,nosuid,noexec,size=1M    0      0
+tmpfs           /tmp           tmpfs     mode=0700,nodev,nosuid,noexec,size=200M  0      0
+tmpfs           /var/cache     tmpfs     mode=0700,nodev,nosuid,noexec,size=1M    0      0
+tmpfs           /var/lock      tmpfs     mode=0700,nodev,nosuid,noexec,size=1M    0      0
+tmpfs           /var/log       tmpfs     mode=0700,nodev,nosuid,noexec,size=50M   0      0
+tmpfs           /var/run       tmpfs     mode=0700,nodev,nosuid,noexec,size=1M    0      0
+tmpfs           /var/spool     tmpfs     mode=0700,nodev,nosuid,noexec,size=1M    0      0
+sysfs           /sys           sysfs     defaults                 0      0
+none            /selinux       selinuxfs noauto                   0      0
diff --git a/board/common_selinux/skeleton/etc/inittab b/board/common_selinux/skeleton/etc/inittab
new file mode 100755
index 0000000..05e05b2
--- /dev/null
+++ b/board/common_selinux/skeleton/etc/inittab
@@ -0,0 +1,29 @@
+# /etc/inittab
+#
+# This inittab is a basic inittab sample for sysvinit, which mimics
+# Buildroot's default inittab for BusyBox.
+id:1:initdefault:
+
+proc::sysinit:/bin/mount -t proc proc /proc
+sysf::sysinit:/bin/mount -t sysfs sysfs /sys
+dpts::sysinit:/bin/mkdir -p /dev/pts -Z `matchpathcon -n /dev/pts`
+dshm::sysinit:/bin/mkdir -p /dev/shm -Z `matchpathcon -n /dev/shm`
+mpts::sysinit:/bin/mkdir -p /dev/pts
+mshm::sysinit:/bin/mkdir -p /dev/shm
+fsck::sysinit:/sbin/fsck -ARy
+moun::sysinit:/bin/mount -a
+host::sysinit:/bin/hostname -F /etc/hostname
+
+# now run any rc scripts
+init::bootwait:/etc/init.d/rcS
+
+S0::respawn:/sbin/getty -L  ttyS0 115200 vt100 # GENERIC_SERIAL
+
+# Stuff to do before rebooting
+shd0:06:wait:/etc/init.d/rcK
+shd1:06:wait:/sbin/swapoff -a
+shd2:06:wait:/bin/umount -a -r
+
+# The usual halt or reboot actions
+lt0:0:wait:/sbin/halt -dhp
+reb0:6:wait:/sbin/reboot
diff --git a/board/common_selinux/skeleton_permissions.txt b/board/common_selinux/skeleton_permissions.txt
new file mode 100755
index 0000000..374adbc
--- /dev/null
+++ b/board/common_selinux/skeleton_permissions.txt
@@ -0,0 +1,26 @@
+################################################################################
+#
+# See <buildroot-source>/package/makedevs/README for details
+#
+# This device table is used to assign proper ownership and permissions
+# on the files in the local-skeleton directory. It doesn't create any device
+# file, as it is used in both static device configurations (where /dev/ is static)
+# and in dynamic configurations (where devtmpfs, mdev or udev are used).
+#
+# <name>				<type>	<mode>	<uid>	<gid>	<major>	<minor>	<start>	<inc>	<count>
+
+# All the necessary file permissions for /etc
+/etc/audit/auditd.conf			f	644	0	0	-	-	-	-	-
+/etc/audit/rules.d/audit.rules		f	644	0	0	-	-	-	-	-
+/etc/fstab				f	644	0	0	-	-	-	-	-
+/etc/inittab				f	644	0	0	-	-	-	-	-
+
+# Setup entries for all of the /var/* directories that need proper
+# mount points
+/var/cache				d	755	0	0	-	-	-	-	-
+/var/lib/misc				d	755	0	0	-	-	-	-	-
+/var/lock				d	755	0	0	-	-	-	-	-
+/var/log				d	755	0	0	-	-	-	-	-
+/var/run				d	755	0	0	-	-	-	-	-
+/var/spool				d	755	0	0	-	-	-	-	-
+/var/tmp				d	755	0	0	-	-	-	-	-
-- 
1.9.1

[Buildroot] [PATCH v5 19/24] qemu x86 selinux: base br defconfig

[Clayton Shotwell]

From: Clayton Shotwell <clshotwe@rockwellcollins.com>

This will build a base SELinux system that boots with SELinux
in permissive mode. Also adding documentation on how to use it.

Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>

---
Changes v4 -> v5:
  - Update the qemu_x86_defconfig to the 4.0 kernel series (Clayton S.)

Changes v1 -> v4:
  - Did not exist
---
 board/qemu/x86/linux-4.0-selinux.config | 77 +++++++++++++++++++++++++++++++++
 board/qemu/x86/readme.txt               | 17 ++++++++
 configs/qemu_x86_selinux_defconfig      | 67 ++++++++++++++++++++++++++++
 3 files changed, 161 insertions(+)
 create mode 100644 board/qemu/x86/linux-4.0-selinux.config
 create mode 100644 configs/qemu_x86_selinux_defconfig

diff --git a/board/qemu/x86/linux-4.0-selinux.config b/board/qemu/x86/linux-4.0-selinux.config
new file mode 100644
index 0000000..89ab0dc
--- /dev/null
+++ b/board/qemu/x86/linux-4.0-selinux.config
@@ -0,0 +1,77 @@
+# CONFIG_LOCALVERSION_AUTO is not set
+# CONFIG_SWAP is not set
+CONFIG_AUDIT=y
+# CONFIG_COMPAT_BRK is not set
+CONFIG_MODULES=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_IOSCHED_DEADLINE is not set
+# CONFIG_IOSCHED_CFQ is not set
+# CONFIG_X86_EXTENDED_PLATFORM is not set
+# CONFIG_SCHED_OMIT_FRAME_POINTER is not set
+# CONFIG_MTRR_SANITIZER is not set
+# CONFIG_SECCOMP is not set
+# CONFIG_RELOCATABLE is not set
+CONFIG_NET=y
+CONFIG_PACKET=y
+CONFIG_UNIX=y
+CONFIG_INET=y
+CONFIG_IP_PNP=y
+# CONFIG_INET_XFRM_MODE_TRANSPORT is not set
+# CONFIG_INET_XFRM_MODE_TUNNEL is not set
+# CONFIG_INET_XFRM_MODE_BEET is not set
+# CONFIG_INET_LRO is not set
+# CONFIG_INET_DIAG is not set
+# CONFIG_IPV6 is not set
+# CONFIG_WIRELESS is not set
+CONFIG_DEVTMPFS=y
+CONFIG_DEVTMPFS_MOUNT=y
+# CONFIG_PREVENT_FIRMWARE_BUILD is not set
+# CONFIG_FIRMWARE_IN_KERNEL is not set
+# CONFIG_BLK_DEV is not set
+CONFIG_BLK_DEV_SD=y
+CONFIG_ATA=y
+CONFIG_ATA_PIIX=y
+CONFIG_NETDEVICES=y
+CONFIG_NE2K_PCI=y
+CONFIG_8139CP=y
+# CONFIG_WLAN is not set
+# CONFIG_INPUT_MOUSEDEV_PSAUX is not set
+# CONFIG_INPUT_MOUSE is not set
+# CONFIG_SERIO_SERPORT is not set
+# CONFIG_LEGACY_PTYS is not set
+# CONFIG_DEVKMEM is not set
+CONFIG_SERIAL_8250=y
+CONFIG_SERIAL_8250_CONSOLE=y
+# CONFIG_HW_RANDOM is not set
+# CONFIG_HWMON is not set
+CONFIG_SOUND=y
+CONFIG_SND=y
+CONFIG_SND_HDA_INTEL=y
+# CONFIG_USB_SUPPORT is not set
+# CONFIG_X86_PLATFORM_DEVICES is not set
+# CONFIG_DMIID is not set
+CONFIG_EXT2_FS=y
+CONFIG_EXT2_FS_XATTR=y
+CONFIG_EXT2_FS_POSIX_ACL=y
+CONFIG_EXT2_FS_SECURITY=y
+CONFIG_EXT3_FS=y
+CONFIG_EXT3_FS_POSIX_ACL=y
+CONFIG_EXT3_FS_SECURITY=y
+# CONFIG_DNOTIFY is not set
+# CONFIG_INOTIFY_USER is not set
+CONFIG_TMPFS=y
+CONFIG_TMPFS_POSIX_ACL=y
+# CONFIG_MISC_FILESYSTEMS is not set
+CONFIG_NFS_FS=y
+CONFIG_ROOT_NFS=y
+# CONFIG_ENABLE_WARN_DEPRECATED is not set
+# CONFIG_ENABLE_MUST_CHECK is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_FRAME_POINTER is not set
+# CONFIG_X86_VERBOSE_BOOTUP is not set
+CONFIG_SECURITY=y
+CONFIG_SECURITY_NETWORK=y
+CONFIG_SECURITY_SELINUX=y
+CONFIG_SECURITY_SELINUX_BOOTPARAM=y
+CONFIG_CRYPTO_ANSI_CPRNG=y
+# CONFIG_VIRTUALIZATION is not set
diff --git a/board/qemu/x86/readme.txt b/board/qemu/x86/readme.txt
index 85d5c60..032d714 100644
--- a/board/qemu/x86/readme.txt
+++ b/board/qemu/x86/readme.txt
@@ -5,3 +5,20 @@ Run the emulation with:
 The login prompt will appear in the graphical window.
 
 Tested with QEMU 2.2.1
+
+-------------------------------------------------------------------
+
+Run the SElinux target emulation with:
+
+  qemu-system-i386 -M pc -kernel output/images/bzImage -drive file=output/images/rootfs.ext2,if=ide -append "root=/dev/sda rw console=ttyS0 selinux=1" -net nic,model=rtl8139 -net user -display none -serial stdio
+
+The emulation should reboot once the first time for relabeling and
+then provide a login prompt. The login is username root and password
+root because PAM requires a password in this secure configuration. To
+enable SELinux enforcing at boot, login and edit the
+/etc/selinux/config and set SELINUX to enforcing. Save and make sure
+to "sync" before restarting the emulation as the ext2 fs would
+otherwise corrupt when the emulation exits. After enforcing is
+default, the selinux= provided as part of the qemu "append" above can
+be used to turn enforcing on/off. This configuration would be tailored
+as part of a targets refpolicy customization.
diff --git a/configs/qemu_x86_selinux_defconfig b/configs/qemu_x86_selinux_defconfig
new file mode 100644
index 0000000..feb4534
--- /dev/null
+++ b/configs/qemu_x86_selinux_defconfig
@@ -0,0 +1,67 @@
+# Architecture
+BR2_x86_pentiumpro=y
+
+# Default to the latest Code Sourcery
+BR2_TOOLCHAIN_EXTERNAL=y
+
+# Select SYSV init to provide selinux enabled init
+BR2_INIT_SYSV=y
+
+# Default password to allow PAM login
+BR2_TARGET_GENERIC_ROOT_PASSWD="root"
+
+# Default the shell to bash, sh symlinks to busybox which
+# is not compatible with refpolicy
+BR2_SYSTEM_BIN_SH_BASH=y
+
+# Pull in SELinux specific file overlay to allow login
+# in enforcing mode.
+BR2_ROOTFS_DEVICE_TABLE="system/device_table.txt board/common_selinux/skeleton_permissions.txt"
+BR2_ROOTFS_OVERLAY="board/common_selinux/skeleton"
+BR2_ROOTFS_POST_BUILD_SCRIPT="board/common_selinux/post_build.sh"
+
+# Lock to a kernel that's been tested against selinux libs
+BR2_LINUX_KERNEL=y
+BR2_LINUX_KERNEL_CUSTOM_VERSION=y
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.0"
+BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
+BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/x86/linux-4.0-selinux.config"
+
+# Customized busybox config providing a tailored
+# balance of applets vs full apps
+BR2_PACKAGE_BUSYBOX_CONFIG="board/common_selinux/busybox-selinux.config"
+
+# Ensure busybox is built as individual binaries for the
+# SELinux refpolicy to work correctly
+BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES=y
+
+# Audit service
+BR2_PACKAGE_AUDIT=y
+
+# Enhanced authentication with selinux hooks
+BR2_PACKAGE_LINUX_PAM=y
+
+# Full version of login with SELinux support
+BR2_PACKAGE_UTIL_LINUX=y
+BR2_PACKAGE_UTIL_LINUX_BINARIES=y
+BR2_PACKAGE_UTIL_LINUX_LOGIN_UTILS=y
+
+# SSH daemon for secure login
+BR2_PACKAGE_OPENSSH=y
+
+# Provides tools for fs security context relabeling
+BR2_PACKAGE_POLICYCOREUTILS=y
+
+# SELinux policy config/definition
+BR2_PACKAGE_REFPOLICY=y
+
+# Logging daemon
+BR2_PACKAGE_RSYSLOG=y
+
+#rootfs with spare space for fs relabel activity
+BR2_TARGET_ROOTFS_EXT2=y
+BR2_TARGET_ROOTFS_EXT2_RESBLKS=5
+# BR2_TARGET_ROOTFS_TAR is not set
+
+# Offline tools for policy analysis/building
+BR2_PACKAGE_HOST_CHECKPOLICY=y
-- 
1.9.1

[Buildroot] [PATCH v5 20/24] libsemanage: cleanup python use and license definition

[Clayton Shotwell]

From: Matt Weber <matthew.weber@rockwellcollins.com>

The original package supported python on target, now we just use
it as part of the host tools.  The license was also mis-assigned.

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>

---
Changes v4 -> v5:
  - Added a 'm' to the end of the python3 major version used
    in the include path.
---
 package/libsemanage/Config.in      | 10 -------
 package/libsemanage/libsemanage.mk | 54 ++++++++++++++++----------------------
 2 files changed, 22 insertions(+), 42 deletions(-)

diff --git a/package/libsemanage/Config.in b/package/libsemanage/Config.in
index 130fd82..78b6315 100644
--- a/package/libsemanage/Config.in
+++ b/package/libsemanage/Config.in
@@ -16,15 +16,5 @@ config BR2_PACKAGE_LIBSEMANAGE
 
 	  http://selinuxproject.org/page/Main_Page
 
-if BR2_PACKAGE_LIBSEMANAGE
-
-config BR2_PACKAGE_LIBSEMANAGE_PYTHON_BINDINGS
-	depends on BR2_PACKAGE_PYTHON
-	bool "python bindings"
-	help
-	  Enable building python bindings
-
-endif
-
 comment "libsemanage needs a toolchain w/ threads, dynamic library"
 	depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_STATIC_LIBS
diff --git a/package/libsemanage/libsemanage.mk b/package/libsemanage/libsemanage.mk
index 17e8fea..197c14e 100644
--- a/package/libsemanage/libsemanage.mk
+++ b/package/libsemanage/libsemanage.mk
@@ -6,66 +6,56 @@
 
 LIBSEMANAGE_VERSION = 2.1.10
 LIBSEMANAGE_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20130423
-LIBSEPOL_LICENSE = LGPLv2.1+
-LIBSEPOL_LICENSE_FILES = COPYING
-
+LIBSEMANAGE_LICENSE = LGPLv2.1+
+LIBSEMANAGE_LICENSE_FILES = COPYING
 LIBSEMANAGE_DEPENDENCIES = host-bison host-flex libselinux ustr bzip2
-
 LIBSEMANAGE_INSTALL_STAGING = YES
 
 LIBSEMANAGE_MAKE_OPTS = $(TARGET_CONFIGURE_OPTS)
 
-ifeq ($(BR2_PACKAGE_LIBSEMANAGE_PYTHON_BINDINGS),y)
-
-LIBSEMANAGE_DEPENDENCIES += python host-swig
-LIBSEMANAGE_MAKE_OPTS += \
-	PYINC="-I$(STAGING_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)/" \
-	PYTHONLIBDIR="-L$(STAGING_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/" \
-	PYLIBVER="python$(PYTHON_VERSION_MAJOR)" \
-	SWIG_LIB="$(HOST_DIR)/usr/share/swig/$(SWIG_VERSION)/"
-
-define LIBSEMANAGE_PYTHON_BUILD_CMDS
-	$(MAKE) -C $(@D) $(LIBSEMANAGE_MAKE_OPTS) DESTDIR=$(STAGING_DIR) swigify pywrap
-endef
-
-define LIBSEMANAGE_PYTHON_INSTALL_STAGING_CMDS
-	$(MAKE) -C $(@D) $(LIBSEMANAGE_MAKE_OPTS) DESTDIR=$(STAGING_DIR) install-pywrap
-endef
-
-define LIBSEMANAGE_PYTHON_INSTALL_TARGET_CMDS
-	$(MAKE) -C $(@D) $(LIBSEMANAGE_MAKE_OPTS) DESTDIR=$(TARGET_DIR) install-pywrap
-endef
-
-endif # End of BR2_PACKAGE_PYTHON
-
 define LIBSEMANAGE_BUILD_CMDS
 	# DESTDIR is needed during the compile to compute library and
 	# header paths.
 	$(MAKE) -C $(@D) $(LIBSEMANAGE_MAKE_OPTS) DESTDIR=$(STAGING_DIR) all
-	$(LIBSEMANAGE_PYTHON_BUILD_CMDS)
 endef
 
 define LIBSEMANAGE_INSTALL_STAGING_CMDS
 	$(MAKE) -C $(@D) $(LIBSEMANAGE_MAKE_OPTS) DESTDIR=$(STAGING_DIR) install
-	$(LIBSEMANAGE_PYTHON_INSTALL_STAGING_CMDS)
 endef
 
 define LIBSEMANAGE_INSTALL_TARGET_CMDS
 	$(MAKE) -C $(@D) $(LIBSEMANAGE_MAKE_OPTS) DESTDIR=$(TARGET_DIR) install
-	$(LIBSEMANAGE_PYTHON_INSTALL_TARGET_CMDS)
 endef
 
-HOST_LIBSEMANAGE_DEPENDENCIES = host-bison host-libsepol \
-	host-libselinux host-ustr host-bzip2
+HOST_LIBSEMANAGE_DEPENDENCIES = host-bison host-libsepol host-libselinux \
+				host-ustr host-bzip2 host-swig
+HOST_LIBSEMANAGE_MAKE_OPTS += $(HOST_CONFIGURE_OPTS) \
+	SWIG_LIB="$(HOST_DIR)/usr/share/swig/$(SWIG_VERSION)/"
+
+ifeq ($(BR2_PACKAGE_PYTHON3),y)
+HOST_LIBSEMANAGE_DEPENDENCIES += host-python3
+HOST_LIBSEMANAGE_MAKE_OPTS += \
+	PYINC="-I$(HOST_DIR)/usr/include/python$(PYTHON3_VERSION_MAJOR)m/" \
+	PYTHONLIBDIR="-L$(HOST_DIR)/usr/lib/python$(PYTHON3_VERSION_MAJOR)/" \
+	PYLIBVER="python$(PYTHON3_VERSION_MAJOR)"
+else
+HOST_LIBSEMANAGE_DEPENDENCIES += host-python
+HOST_LIBSEMANAGE_MAKE_OPTS += \
+	PYINC="-I$(HOST_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)/" \
+	PYTHONLIBDIR="-L$(HOST_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/" \
+	PYLIBVER="python$(PYTHON_VERSION_MAJOR)"
+endif
 
 define HOST_LIBSEMANAGE_BUILD_CMDS
 	# DESTDIR is needed during the compile to compute library and
 	# header paths.
 	$(MAKE) -C $(@D) $(HOST_CONFIGURE_OPTS) DESTDIR=$(HOST_DIR) all
+	$(MAKE) -C $(@D) $(HOST_LIBSEMANAGE_MAKE_OPTS) DESTDIR=$(HOST_DIR) swigify pywrap
 endef
 
 define HOST_LIBSEMANAGE_INSTALL_CMDS
 	$(MAKE) -C $(@D) $(HOST_CONFIGURE_OPTS) DESTDIR=$(HOST_DIR) install
+	$(MAKE) -C $(@D) $(HOST_LIBSEMANAGE_MAKE_OPTS) DESTDIR=$(HOST_DIR) install-pywrap
 endef
 
 $(eval $(generic-package))
-- 
1.9.1

[Buildroot] [PATCH v5 21/24] bash: added option to disable locale support

[Clayton Shotwell]

From: Matt Weber <matthew.weber@rockwellcollins.com>

---
 package/bash/Config.in | 10 ++++++++++
 package/bash/bash.mk   |  9 +++++++++
 2 files changed, 19 insertions(+)

diff --git a/package/bash/Config.in b/package/bash/Config.in
index 2f823dc..171d2ad 100644
--- a/package/bash/Config.in
+++ b/package/bash/Config.in
@@ -8,3 +8,13 @@ config BR2_PACKAGE_BASH
 	  The standard GNU Bourne again shell.
 
 	  http://tiswww.case.edu/php/chet/bash/bashtop.html
+
+if BR2_PACKAGE_BASH
+
+config BR2_PACKAGE_BASH_NO_LOCALE
+	bool "disable locale support"
+	help
+	  Disable locale support for cases where toolchain has it
+	  but target isn't setup to use it.
+
+endif
diff --git a/package/bash/bash.mk b/package/bash/bash.mk
index 9865e19..67a423e 100644
--- a/package/bash/bash.mk
+++ b/package/bash/bash.mk
@@ -21,6 +21,15 @@ BASH_CONF_ENV += \
 	bash_cv_func_sigsetjmp=present \
 	bash_cv_printf_a_format=yes
 
+
+ifeq ($(BR2_PACKAGE_BASH_NO_LOCALE),y)
+BASH_CONF_ENV += \
+	ac_cv_header_locale_h=no \
+	ac_cv_func_locale_charset=no \
+	ac_cv_func_setlocale=no \
+	ac_cv_func_localeconv=no
+endif
+
 # Parallel build sometimes fails because some of the generator tools
 # are built twice (i.e. while executing).
 BASH_MAKE = $(MAKE1)
-- 
1.9.1

[Buildroot] [PATCH v5 21/24] bash: added option to disable locale support

[Matthew Weber]

Clayton,

On Wed, May 13, 2015 at 4:39 PM, Clayton Shotwell
<clayton.shotwell@rockwellcollins.com> wrote:
> From: Matt Weber <matthew.weber@rockwellcollins.com>
>
> ---
>  package/bash/Config.in | 10 ++++++++++
>  package/bash/bash.mk   |  9 +++++++++
>  2 files changed, 19 insertions(+)
>
<snip>
This patch needs to be removed from v6.  Accidentally included....


-- 
Matthew L Weber / Pr Software Engineer
Airborne Information Systems / Security Systems and Software / Secure Platforms
MS 131-100, C Ave NE, Cedar Rapids, IA, 52498, USA
www.rockwellcollins.com

Note: Any Export License Required Information and License Restricted
Third Party Intellectual Property (TPIP) content must be encrypted and
sent to matthew.weber at corp.rockwellcollins.com.

[Buildroot] [PATCH v5 22/24] squashfs: Add xattr support

[Clayton Shotwell]

Adding extended attribute support for the squashfs tools when the attr
package is selected. This is needed for SELinux support.

Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
---
 package/squashfs/squashfs.mk | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/package/squashfs/squashfs.mk b/package/squashfs/squashfs.mk
index 8ca9e2e..f44ef9f 100644
--- a/package/squashfs/squashfs.mk
+++ b/package/squashfs/squashfs.mk
@@ -10,9 +10,6 @@ SQUASHFS_SITE = http://downloads.sourceforge.net/project/squashfs/squashfs/squas
 SQUASHFS_LICENSE = GPLv2+
 SQUASHFS_LICENSE_FILES = COPYING
 
-# no libattr in BR
-SQUASHFS_MAKE_ARGS = XATTR_SUPPORT=0
-
 ifeq ($(BR2_PACKAGE_SQUASHFS_LZ4),y)
 SQUASHFS_DEPENDENCIES += lz4
 SQUASHFS_MAKE_ARGS += LZ4_SUPPORT=1 COMP_DEFAULT=lz4
@@ -52,13 +49,20 @@ HOST_SQUASHFS_DEPENDENCIES = host-zlib host-lz4 host-lzo host-xz
 
 # no libattr/xz in BR
 HOST_SQUASHFS_MAKE_ARGS = \
-	XATTR_SUPPORT=0 \
 	XZ_SUPPORT=1    \
 	GZIP_SUPPORT=1  \
 	LZ4_SUPPORT=1	\
 	LZO_SUPPORT=1	\
 	LZMA_XZ_SUPPORT=1
 
+ifeq ($(BR2_PACKAGE_ATTR),y)
+	SQUASHFS_MAKE_ARGS += XATTR_SUPPORT=1
+	HOST_SQUASHFS_MAKE_ARGS += XATTR_SUPPORT=1
+else
+	SQUASHFS_MAKE_ARGS += XATTR_SUPPORT=0
+	HOST_SQUASHFS_MAKE_ARGS += XATTR_SUPPORT=0
+endif
+
 define SQUASHFS_BUILD_CMDS
 	$(TARGET_MAKE_ENV) $(MAKE)    \
 		CC="$(TARGET_CC)"           \
-- 
1.9.1

[Buildroot] [PATCH v5 23/24] mtd: Add xattr support

[Clayton Shotwell]

Adding extended attribute support for the mtd tools when theattr
package is selected. This is needed for SELinux support.

Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
---
 package/mtd/mtd.mk | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/package/mtd/mtd.mk b/package/mtd/mtd.mk
index 3397ebc..653848c 100644
--- a/package/mtd/mtd.mk
+++ b/package/mtd/mtd.mk
@@ -24,7 +24,18 @@ ifeq ($(BR2_PACKAGE_BUSYBOX),y)
 MTD_DEPENDENCIES += busybox
 endif
 
-HOST_MTD_DEPENDENCIES = host-zlib host-lzo host-e2fsprogs
+MTD_MAKE_OPTS = WITHOUT_LARGEFILE=1
+
+# If extended attributes are required, the acl package must
+# also be enabled which will also include the attr package.
+ifeq ($(BR2_PACKAGE_ACL),y)
+MTD_DEPENDENCIES += acl
+MTD_MAKE_OPTS += WITHOUT_XATTR=0
+else
+MTD_MAKE_OPTS += WITHOUT_XATTR=1
+endif
+
+HOST_MTD_DEPENDENCIES += host-zlib host-lzo host-e2fsprogs
 
 define HOST_MTD_BUILD_CMDS
 	$(HOST_CONFIGURE_OPTS) $(MAKE1) \
@@ -84,7 +95,7 @@ MTD_TARGETS_$(BR2_PACKAGE_MTD_MKFSUBIFS) += mkfs.ubifs/mkfs.ubifs
 
 define MTD_BUILD_CMDS
 	$(TARGET_CONFIGURE_OPTS) $(MAKE1) CROSS=$(TARGET_CROSS) \
-		BUILDDIR=$(@D) WITHOUT_XATTR=1 WITHOUT_LARGEFILE=1 -C $(@D) \
+		BUILDDIR=$(@D) $(MTD_MAKE_OPTS) -C $(@D) \
 		$(addprefix $(@D)/,$(MTD_TARGETS_y)) \
 		$(addprefix $(@D)/,$(MTD_STAGING_y))
 endef
-- 
1.9.1

[Buildroot] [PATCH v5 24/24] cpio: new package

[Clayton Shotwell]

Adding the cpio archive utility for the target and host. Patches have
been pulled from ArchLinux and Debian to fix CVE issues and compile
issues.

Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
---
 package/Config.in                                  |   1 +
 package/Config.in.host                             |   1 +
 package/cpio/0001-stdio.in.patch                   |  19 ++
 package/cpio/0002-CVE-2014-9112.patch              | 218 +++++++++++++++++++++
 package/cpio/0003-testsuite-CVE-2014-9112.patch    |  36 ++++
 .../0004-check_for_symlinks-CVE-2015-1197.patch    | 158 +++++++++++++++
 package/cpio/0005-stat.patch                       |  31 +++
 package/cpio/Config.in                             |   6 +
 package/cpio/Config.in.host                        |   6 +
 package/cpio/cpio.mk                               |  13 ++
 10 files changed, 489 insertions(+)
 create mode 100644 package/cpio/0001-stdio.in.patch
 create mode 100644 package/cpio/0002-CVE-2014-9112.patch
 create mode 100644 package/cpio/0003-testsuite-CVE-2014-9112.patch
 create mode 100644 package/cpio/0004-check_for_symlinks-CVE-2015-1197.patch
 create mode 100644 package/cpio/0005-stat.patch
 create mode 100644 package/cpio/Config.in
 create mode 100644 package/cpio/Config.in.host
 create mode 100644 package/cpio/cpio.mk

diff --git a/package/Config.in b/package/Config.in
index dcb03d5..0163232 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -148,6 +148,7 @@ endmenu
 menu "Filesystem and flash utilities"
 	source "package/btrfs-progs/Config.in"
 	source "package/cifs-utils/Config.in"
+	source "package/cpio/Config.in"
 	source "package/cramfs/Config.in"
 	source "package/curlftpfs/Config.in"
 	source "package/dosfstools/Config.in"
diff --git a/package/Config.in.host b/package/Config.in.host
index 051bc4a..322e4fe 100644
--- a/package/Config.in.host
+++ b/package/Config.in.host
@@ -1,6 +1,7 @@
 menu "Host utilities"
 
 	source "package/checkpolicy/Config.in.host"
+	source "package/cpio/Config.in.host"
 	source "package/cramfs/Config.in.host"
 	source "package/dfu-util/Config.in.host"
 	source "package/dos2unix/Config.in.host"
diff --git a/package/cpio/0001-stdio.in.patch b/package/cpio/0001-stdio.in.patch
new file mode 100644
index 0000000..89728e1
--- /dev/null
+++ b/package/cpio/0001-stdio.in.patch
@@ -0,0 +1,19 @@
+Patch pulled from Arch Linux repo at the link below
+
+https://projects.archlinux.org/svntogit/packages.git/plain/trunk/cpio-2.11-stdio.in.patch?h=packages/cpio
+
+Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+
+diff -urNp cpio-2.11-orig/gnu/stdio.in.h cpio-2.11/gnu/stdio.in.h
+--- cpio-2.11-orig/gnu/stdio.in.h	2010-03-10 10:27:03.000000000 +0100
++++ cpio-2.11/gnu/stdio.in.h	2012-06-04 10:23:23.804471185 +0200
+@@ -139,7 +139,9 @@ _GL_WARN_ON_USE (fflush, "fflush is not 
+    so any use of gets warrants an unconditional warning.  Assume it is
+    always declared, since it is required by C89.  */
+ #undef gets
++#if HAVE_RAW_DECL_GETS
+ _GL_WARN_ON_USE (gets, "gets is a security hole - use fgets instead");
++#endif
+ 
+ #if @GNULIB_FOPEN@
+ # if @REPLACE_FOPEN@
diff --git a/package/cpio/0002-CVE-2014-9112.patch b/package/cpio/0002-CVE-2014-9112.patch
new file mode 100644
index 0000000..20b27b5
--- /dev/null
+++ b/package/cpio/0002-CVE-2014-9112.patch
@@ -0,0 +1,218 @@
+Patch pulled from Arch Linux repo at the link below
+
+https://projects.archlinux.org/svntogit/packages.git/plain/trunk/cpio-2.11-CVE-2014-9112.patch?h=packages/cpio
+
+Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+
+diff --git a/src/copyin.c b/src/copyin.c
+index d505407..db8ee66 100644
+--- a/src/copyin.c
++++ b/src/copyin.c
+@@ -124,10 +124,30 @@ tape_skip_padding (int in_file_des, off_t offset)
+   if (pad != 0)
+     tape_toss_input (in_file_des, pad);
+ }
+-
++\f
++static char *
++get_link_name (struct cpio_file_stat *file_hdr, int in_file_des)
++{
++  char *link_name;
++  
++  if (file_hdr->c_filesize < 0 || file_hdr->c_filesize > SIZE_MAX-1)
++    {
++      error (0, 0, _("%s: stored filename length is out of range"),
++	     file_hdr->c_name);
++      link_name = NULL;
++    }
++  else
++    {
++      link_name = xmalloc (file_hdr->c_filesize + 1);
++      tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
++      link_name[file_hdr->c_filesize] = '\0';
++      tape_skip_padding (in_file_des, file_hdr->c_filesize);
++    }
++  return link_name;
++}
+ \f
+ static void
+-list_file(struct cpio_file_stat* file_hdr, int in_file_des)
++list_file (struct cpio_file_stat* file_hdr, int in_file_des)
+ {
+   if (verbose_flag)
+     {
+@@ -136,21 +156,16 @@ list_file(struct cpio_file_stat* file_hdr, int in_file_des)
+ 	{
+ 	  if (archive_format != arf_tar && archive_format != arf_ustar)
+ 	    {
+-	      char *link_name = NULL;	/* Name of hard and symbolic links.  */
+-
+-	      link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1);
+-	      link_name[file_hdr->c_filesize] = '\0';
+-	      tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
+-	      long_format (file_hdr, link_name);
+-	      free (link_name);
+-	      tape_skip_padding (in_file_des, file_hdr->c_filesize);
+-	      return;
++	      char *link_name = get_link_name (file_hdr, in_file_des);
++	      if (link_name)
++		{
++		  long_format (file_hdr, link_name);
++		  free (link_name);
++		}
+ 	    }
+ 	  else
+-	    {
+-	      long_format (file_hdr, file_hdr->c_tar_linkname);
+-	      return;
+-	    }
++	    long_format (file_hdr, file_hdr->c_tar_linkname);
++	  return;
+ 	}
+       else
+ #endif
+@@ -650,10 +665,7 @@ copyin_link(struct cpio_file_stat *file_hdr, int in_file_des)
+ 
+   if (archive_format != arf_tar && archive_format != arf_ustar)
+     {
+-      link_name = (char *) xmalloc ((unsigned int) file_hdr->c_filesize + 1);
+-      link_name[file_hdr->c_filesize] = '\0';
+-      tape_buffered_read (link_name, in_file_des, file_hdr->c_filesize);
+-      tape_skip_padding (in_file_des, file_hdr->c_filesize);
++      link_name = get_link_name (file_hdr, in_file_des);
+     }
+   else
+     {
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index b3e8e60..cf186da 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -52,6 +52,8 @@ TESTSUITE_AT = \
+  setstat04.at\
+  setstat05.at\
+  symlink.at\
++ symlink-bad-length.at\
++ symlink-long.at\
+  version.at
+ 
+ TESTSUITE = $(srcdir)/testsuite
+diff --git a/tests/symlink-bad-length.at b/tests/symlink-bad-length.at
+new file mode 100644
+index 0000000..cbf4aa7
+--- /dev/null
++++ b/tests/symlink-bad-length.at
+@@ -0,0 +1,49 @@
++# Process this file with autom4te to create testsuite.  -*- Autotest -*-
++# Copyright (C) 2014 Free Software Foundation, Inc.
++
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 3, or (at your option)
++# any later version.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
++# 02110-1301 USA.
++
++# Cpio v2.11 did segfault with badly set symlink length.
++# References:
++# http://lists.gnu.org/archive/html/bug-cpio/2014-11/msg00007.html
++
++AT_SETUP([symlink-bad-length])
++AT_KEYWORDS([symlink-long copyout])
++
++AT_DATA([ARCHIVE.base64],
++[x3EjAIBAtIEtJy8nAQAAAHRUYW0FAAAADQBGSUxFAABzb21lIGNvbnRlbnQKAMdxIwBgQ/+hLScv
++JwEAAAB0VEhuBQD/////TElOSwAARklMRcdxAAAAAAAAAAAAAAEAAAAAAAAACwAAAAAAVFJBSUxF
++UiEhIQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
++])
++
++AT_CHECK([
++base64 -d ARCHIVE.base64 > ARCHIVE || AT_SKIP_TEST
++cpio -ntv < ARCHIVE
++test $? -eq 2
++],
++[0],
++[-rw-rw-r--   1 10029    10031          13 Nov 25 13:52 FILE
++],[cpio: LINK: stored filename length is out of range
++cpio: premature end of file
++])
++
++AT_CLEANUP
+diff --git a/tests/symlink-long.at b/tests/symlink-long.at
+new file mode 100644
+index 0000000..d3def2d
+--- /dev/null
++++ b/tests/symlink-long.at
+@@ -0,0 +1,46 @@
++# Process this file with autom4te to create testsuite.  -*- Autotest -*-
++# Copyright (C) 2014 Free Software Foundation, Inc.
++
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 3, or (at your option)
++# any later version.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
++# 02110-1301 USA.
++
++# Cpio v2.11.90 changed the way symlink name is read from archive.
++# References:
++# http://lists.gnu.org/archive/html/bug-cpio/2014-11/msg00007.html
++
++AT_SETUP([symlink-long])
++AT_KEYWORDS([symlink-long copyout])
++
++AT_CHECK([
++
++# len(dirname) > READBUFSIZE
++dirname=
++for i in {1..52}; do
++    dirname="xxxxxxxxx/$dirname"
++    mkdir "$dirname"
++done
++ln -s "$dirname" x || AT_SKIP_TEST
++
++echo x | cpio -o > ar
++list=`cpio -tv < ar | sed 's|.*-> ||'`
++test "$list" = "$dirname" && echo success || echo fail
++],
++[0],
++[success
++],[2 blocks
++2 blocks
++])
++
++AT_CLEANUP
+diff --git a/tests/testsuite.at b/tests/testsuite.at
+index 8f3330b..590bdcb 100644
+--- a/tests/testsuite.at
++++ b/tests/testsuite.at
+@@ -31,6 +31,8 @@ m4_include([version.at])
+ 
+ m4_include([inout.at])
+ m4_include([symlink.at])
++m4_include([symlink-bad-length.at])
++m4_include([symlink-long.at])
+ m4_include([interdir.at])
+ 
+ m4_include([setstat01.at])
diff --git a/package/cpio/0003-testsuite-CVE-2014-9112.patch b/package/cpio/0003-testsuite-CVE-2014-9112.patch
new file mode 100644
index 0000000..47fc4c6
--- /dev/null
+++ b/package/cpio/0003-testsuite-CVE-2014-9112.patch
@@ -0,0 +1,36 @@
+Patch pulled from Arch Linux repo at the link below
+
+https://projects.archlinux.org/svntogit/packages.git/plain/trunk/cpio-2.11-testsuite-CVE-2014-9112.patch?h=packages/cpio
+
+Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+
+diff --git a/tests/symlink-bad-length.at b/tests/symlink-bad-length.at
+index cbf4aa7..d8d250b 100644
+--- a/tests/symlink-bad-length.at
++++ b/tests/symlink-bad-length.at
+@@ -37,13 +37,20 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
+ 
+ AT_CHECK([
+ base64 -d ARCHIVE.base64 > ARCHIVE || AT_SKIP_TEST
+-cpio -ntv < ARCHIVE
+-test $? -eq 2
++TZ=UTC cpio -ntv < ARCHIVE 2>stderr
++rc=$?
++cat stderr | grep -v \
++    -e 'stored filename length is out of range' \
++    -e 'premature end of file' \
++    -e 'archive header has reverse byte-order' \
++    -e 'memory exhausted' \
++    >&2
++echo >&2 STDERR
++test "$rc" -ne 0
+ ],
+ [0],
+-[-rw-rw-r--   1 10029    10031          13 Nov 25 13:52 FILE
+-],[cpio: LINK: stored filename length is out of range
+-cpio: premature end of file
++[-rw-rw-r--   1 10029    10031          13 Nov 25 11:52 FILE
++],[STDERR
+ ])
+ 
+ AT_CLEANUP
diff --git a/package/cpio/0004-check_for_symlinks-CVE-2015-1197.patch b/package/cpio/0004-check_for_symlinks-CVE-2015-1197.patch
new file mode 100644
index 0000000..fd89a8d
--- /dev/null
+++ b/package/cpio/0004-check_for_symlinks-CVE-2015-1197.patch
@@ -0,0 +1,158 @@
+Patch pulled from Arch Linux repo at the link below
+
+https://projects.archlinux.org/svntogit/packages.git/plain/trunk/cpio-2.11-check_for_symlinks-CVE-2015-1197.patch?h=packages/cpio
+
+Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+
+Index: cpio-2.11/src/copyin.c
+===================================================================
+--- cpio-2.11.orig/src/copyin.c	2014-07-01 14:02:39.991007263 +0200
++++ cpio-2.11/src/copyin.c	2014-07-22 16:05:28.171344584 +0200
+@@ -686,6 +686,51 @@ copyin_link(struct cpio_file_stat *file_
+   free (link_name);
+ }
+ \f
++
++static int
++path_contains_symlink(char *path)
++{
++  struct stat st;
++  char *slash;
++  char *nextslash;
++
++  /* we got NULL pointer or empty string */
++  if (!path || !*path) {
++    return false;
++  }
++
++  slash = path;
++
++  while ((nextslash = strchr(slash + 1, '/')) != NULL) {
++    slash = nextslash;
++    *slash = '\0';
++
++    if (lstat(path, &st) != 0) {
++      if (errno == ELOOP) {
++        /* ELOOP - too many symlinks */
++        *slash = '/';
++        return true;
++      } else if (errno == ENOMEM) {
++        /* No memory for lstat - terminate */
++        xalloc_die();
++      } else {
++        /* cannot lstat path - give up */
++        *slash = '/';
++        return false;
++      }
++    }
++
++    if (S_ISLNK(st.st_mode)) {
++      *slash = '/';
++      return true;
++    }
++
++    *slash = '/';
++  }
++
++  return false;
++}
++
+ static void
+ copyin_file (struct cpio_file_stat *file_hdr, int in_file_des)
+ {
+@@ -1463,6 +1508,23 @@ process_copy_in ()
+ 	{
+ 	  /* Copy the input file into the directory structure.  */
+ 
++          /* Can we write files over symlinks? */
++          if (!extract_over_symlinks)
++            {
++              if (path_contains_symlink(file_hdr.c_name))
++                {
++                  /* skip the file */
++                  /*
++                  fprintf(stderr, "Can't write over symlinks. Skipping %s\n", file_hdr.c_name);
++                  tape_toss_input (in_file_des, file_hdr.c_filesize);
++                  tape_skip_padding (in_file_des, file_hdr.c_filesize);
++                  continue;
++                  */
++                  /* terminate */
++	          error (1, 0, _("Can't write over symlinks: %s\n"), file_hdr.c_name);
++                }
++            }
++
+ 	  /* Do we need to rename the file? */
+ 	  if (rename_flag || rename_batch_file)
+ 	    {
+Index: cpio-2.11/src/global.c
+===================================================================
+--- cpio-2.11.orig/src/global.c	2014-07-17 16:33:09.768900927 +0200
++++ cpio-2.11/src/global.c	2014-07-21 17:45:58.563494706 +0200
+@@ -187,6 +187,9 @@ bool to_stdout_option = false;
+ /* The name this program was run with.  */
+ char *program_name;
+ 
++/* Extract files over symbolic links */
++bool extract_over_symlinks;
++
+ /* A pointer to either lstat or stat, depending on whether
+    dereferencing of symlinks is done for input files.  */
+ int (*xstat) ();
+Index: cpio-2.11/src/main.c
+===================================================================
+--- cpio-2.11.orig/src/main.c	2014-07-01 14:02:39.840005051 +0200
++++ cpio-2.11/src/main.c	2014-07-17 20:33:47.839215571 +0200
+@@ -57,7 +57,8 @@ enum cpio_options {
+   FORCE_LOCAL_OPTION,            
+   DEBUG_OPTION,                  
+   BLOCK_SIZE_OPTION,             
+-  TO_STDOUT_OPTION
++  TO_STDOUT_OPTION,
++  EXTRACT_OVER_SYMLINKS
+ };
+ 
+ const char *program_authors[] =
+@@ -222,6 +223,8 @@ static struct argp_option options[] = {
+    N_("Create leading directories where needed"), GRID+1 },
+   {"no-preserve-owner", NO_PRESERVE_OWNER_OPTION, 0, 0,
+    N_("Do not change the ownership of the files"), GRID+1 },
++  {"extract-over-symlinks", EXTRACT_OVER_SYMLINKS, 0, 0,
++   N_("Force writing over symbolic links"), GRID+1 },
+   {"unconditional", 'u', NULL, 0,
+    N_("Replace all files unconditionally"), GRID+1 },
+   {"sparse", SPARSE_OPTION, NULL, 0,
+@@ -413,6 +416,10 @@ crc newc odc bin ustar tar (all-caps als
+       no_chown_flag = true;
+       break;
+ 
++    case EXTRACT_OVER_SYMLINKS:		        /* --extract-over-symlinks */
++      extract_over_symlinks = true;
++      break;
++
+     case 'o':		/* Copy-out mode.  */
+       if (copy_function != 0)
+ 	error (PAXEXIT_FAILURE, 0, _("Mode already defined"));
+Index: cpio-2.11/src/extern.h
+===================================================================
+--- cpio-2.11.orig/src/extern.h	2014-07-01 14:02:39.907006032 +0200
++++ cpio-2.11/src/extern.h	2014-07-17 17:11:20.948908806 +0200
+@@ -95,6 +95,7 @@ extern char input_is_special;
+ extern char output_is_special;
+ extern char input_is_seekable;
+ extern char output_is_seekable;
++extern bool extract_over_symlinks;
+ extern int (*xstat) ();
+ extern void (*copy_function) ();
+ \f
+Index: cpio-2.11/doc/cpio.1
+===================================================================
+--- cpio-2.11.orig/doc/cpio.1	2009-02-14 19:15:50.000000000 +0100
++++ cpio-2.11/doc/cpio.1	2014-07-21 23:00:33.878746855 +0200
+@@ -22,6 +22,7 @@ cpio \- copy files to and from archives
+ [\-\-owner=[user][:.][group]] [\-\-no-preserve-owner] [\-\-message=message]
+ [\-\-force\-local] [\-\-no\-absolute\-filenames] [\-\-sparse]
+ [\-\-only\-verify\-crc] [\-\-to\-stdout] [\-\-quiet] [\-\-rsh-command=command]
++[\-\-extract\-over\-symlinks]
+ [\-\-help] [\-\-version] [pattern...] [< archive]
+ 
+ .B cpio
diff --git a/package/cpio/0005-stat.patch b/package/cpio/0005-stat.patch
new file mode 100644
index 0000000..fd824fc
--- /dev/null
+++ b/package/cpio/0005-stat.patch
@@ -0,0 +1,31 @@
+Pulled from the Gentoo sources repository at
+
+https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-arch/cpio/files/cpio-2.11-stat.patch?revision=1.1
+
+Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+
+http://bugs.gentoo.org/328531
+
+From 3a7a1820d4cecbd77c7b74c785af5942510bf080 Mon Sep 17 00:00:00 2001
+From: Sergey Poznyakoff <gray@gnu.org.ua>
+Date: Thu, 22 Jul 2010 13:13:34 +0300
+Subject: [PATCH] Minor fix.
+
+* src/filetypes.h: Remove declarations of stat and lstat.
+---
+ src/filetypes.h |    2 --
+ 1 files changed, 0 insertions(+), 2 deletions(-)
+
+diff --git a/src/filetypes.h b/src/filetypes.h
+index f80faab..81f0c32 100644
+--- a/src/filetypes.h
++++ b/src/filetypes.h
+@@ -81,5 +81,3 @@
+ #ifndef S_ISLNK
+ #define lstat stat
+ #endif
+-int lstat ();
+-int stat ();
+-- 
+1.7.3
+
diff --git a/package/cpio/Config.in b/package/cpio/Config.in
new file mode 100644
index 0000000..3ee74f6
--- /dev/null
+++ b/package/cpio/Config.in
@@ -0,0 +1,6 @@
+config BR2_PACKAGE_CPIO
+	bool "cpio"
+	help
+	  cpio archive utility for creation and extraction.
+
+	  https://www.gnu.org/software/cpio/
diff --git a/package/cpio/Config.in.host b/package/cpio/Config.in.host
new file mode 100644
index 0000000..e927952
--- /dev/null
+++ b/package/cpio/Config.in.host
@@ -0,0 +1,6 @@
+config BR2_PACKAGE_HOST_CPIO
+	bool "host cpio"
+	help
+	  cpio archive utility for creation and extraction.
+
+	  https://www.gnu.org/software/cpio/
diff --git a/package/cpio/cpio.mk b/package/cpio/cpio.mk
new file mode 100644
index 0000000..25f4975
--- /dev/null
+++ b/package/cpio/cpio.mk
@@ -0,0 +1,13 @@
+################################################################################
+#
+# cpio
+#
+################################################################################
+
+CPIO_VERSION = 2.11
+CPIO_SITE = http://ftp.gnu.org/gnu/cpio
+CPIO_LICENSE = GPLv3
+CPIO_LICENSE_FILES = COPYING
+
+$(eval $(autotools-package))
+$(eval $(host-autotools-package))
-- 
1.9.1

[Buildroot] [PATCH v5 24/24] cpio: new package

[Samuel Martin]

Hi Clayton,

On Wed, May 13, 2015 at 11:39 PM, Clayton Shotwell
<clayton.shotwell@rockwellcollins.com> wrote:
> Adding the cpio archive utility for the target and host. Patches have
> been pulled from ArchLinux and Debian to fix CVE issues and compile
> issues.
>

Does this mean cpio will no longer be a mandatory program?

Regards,


-- 
Samuel

[Buildroot] [PATCH v5 24/24] cpio: new package

[Clayton Shotwell]

Samuel,

>> Adding the cpio archive utility for the target and host. Patches have
>> been pulled from ArchLinux and Debian to fix CVE issues and compile
>> issues.
>>
>
> Does this mean cpio will no longer be a mandatory program?

That is a good question. I am only adding the package because I need
to be able to create a cpio archive on my target. I did not add in any
of the other dependencies that would be required to have this package
generate the cpio tool used during file system creation. They could be
added later if needed.

Thanks,
Clayton

[Buildroot] [PATCH v5 24/24] cpio: new package

[Thomas Petazzoni]

Dear Clayton Shotwell,

On Mon, 18 May 2015 09:09:05 -0500, Clayton Shotwell wrote:

> That is a good question. I am only adding the package because I need
> to be able to create a cpio archive on my target.

So why do you add a host variant?

Thanks,

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com

[Buildroot] [PATCH v5 24/24] cpio: new package

[Clayton Shotwell]

Thomas,

On Mon, May 18, 2015 at 9:13 AM, Thomas Petazzoni
<thomas.petazzoni@free-electrons.com> wrote:
> Dear Clayton Shotwell,
>
> On Mon, 18 May 2015 09:09:05 -0500, Clayton Shotwell wrote:
>
>> That is a good question. I am only adding the package because I need
>> to be able to create a cpio archive on my target.
>
> So why do you add a host variant?

I added it mainly because I could and I had an easy way to test it. I
can remove the host option if needed. What is the reasoning behind
relying on the host system cpio tool?

Thanks,
Clayton

[Buildroot] [PATCH v5 24/24] cpio: new package

[Samuel Martin]

Clayton,

On Mon, May 18, 2015 at 4:16 PM, Clayton Shotwell
<clayton.shotwell@rockwellcollins.com> wrote:
> Thomas,
>
> On Mon, May 18, 2015 at 9:13 AM, Thomas Petazzoni
> <thomas.petazzoni@free-electrons.com> wrote:
>> Dear Clayton Shotwell,
>>
>> On Mon, 18 May 2015 09:09:05 -0500, Clayton Shotwell wrote:
>>
>>> That is a good question. I am only adding the package because I need
>>> to be able to create a cpio archive on my target.
>>
>> So why do you add a host variant?
>
> I added it mainly because I could and I had an easy way to test it. I
> can remove the host option if needed. What is the reasoning behind
> relying on the host system cpio tool?
Currently, it is just a pre-requisite [1] ;)

[1] http://nightly.buildroot.org/#requirement-mandatory

>
> Thanks,
> Clayton

Regards,

-- 
Samuel