[Buildroot] [PATCH 1/8] libselinux: bump to 2.7

[Buildroot] [PATCH 1/8] libselinux: bump to 2.7

[Adam Duskett]

remove patch as it's in this release.

Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
---
 ...src-regex.c-support-old-compilers-for-the.patch | 47 ----------------------
 package/libselinux/libselinux.hash                 |  4 +-
 package/libselinux/libselinux.mk                   |  4 +-
 3 files changed, 4 insertions(+), 51 deletions(-)
 delete mode 100644 package/libselinux/0001-libselinux-src-regex.c-support-old-compilers-for-the.patch

diff --git a/package/libselinux/0001-libselinux-src-regex.c-support-old-compilers-for-the.patch b/package/libselinux/0001-libselinux-src-regex.c-support-old-compilers-for-the.patch
deleted file mode 100644
index 3bda607512..0000000000
--- a/package/libselinux/0001-libselinux-src-regex.c-support-old-compilers-for-the.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From e0803c0bdbb1abf06b6b5bb1b52fdb733505b8f7 Mon Sep 17 00:00:00 2001
-From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
-Date: Wed, 25 Jan 2017 22:41:02 +1300
-Subject: [PATCH] src/regex.c: support old compilers for the endian
- check
-
-libselinux 2.6 has added some code in regex.c that uses __BYTE_ORDER__
-to determine the system endianness. Unfortunately, this definition
-provided directly by the compiler doesn't exist in older gcc versions
-such as gcc 4.4.
-
-In order to address this, this commit extends the logic to use
-<endian.h> definitions if __BYTE_ORDER__ is not provided by the
-compiler. This allows libselinux to build properly with gcc 4.4.
-
-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
----
- src/regex.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/src/regex.c b/src/regex.c
-index a3b427b..0c5ad27 100644
---- a/src/regex.c
-+++ b/src/regex.c
-@@ -13,7 +13,18 @@
- #endif
- 
- #ifndef __BYTE_ORDER__
--#error __BYTE_ORDER__ not defined. Unable to determine endianness.
-+
-+/* If the compiler doesn't define __BYTE_ORDER__, try to use the C
-+ * library <endian.h> header definitions. */
-+#include <endian.h>
-+#ifndef __BYTE_ORDER
-+#error Neither __BYTE_ORDER__ nor __BYTE_ORDER defined. Unable to determine endianness.
-+#endif
-+
-+#define __ORDER_LITTLE_ENDIAN __LITTLE_ENDIAN
-+#define __ORDER_BIG_ENDIAN __BIG_ENDIAN
-+#define __BYTE_ORDER__ __BYTE_ORDER
-+
- #endif
- 
- #ifdef USE_PCRE2
--- 
-2.7.4
-
diff --git a/package/libselinux/libselinux.hash b/package/libselinux/libselinux.hash
index 76130b2dc0..3c60d5111d 100644
--- a/package/libselinux/libselinux.hash
+++ b/package/libselinux/libselinux.hash
@@ -1,2 +1,2 @@
-# Locally computed
-sha256 4ea2dde50665c202253ba5caac7738370ea0337c47b251ba981c60d24e1a118a libselinux-2.6.tar.gz
+# From: https://github.com/SELinuxProject/selinux/wiki/Releases
+sha256 d0fec0769b3ad60aa7baf9b9a4b7a056827769dc2dadda0dc0eb59b3d1c18c57 libselinux-2.7.tar.gz
diff --git a/package/libselinux/libselinux.mk b/package/libselinux/libselinux.mk
index f23eea4962..8ac8000de5 100644
--- a/package/libselinux/libselinux.mk
+++ b/package/libselinux/libselinux.mk
@@ -4,8 +4,8 @@
 #
 ################################################################################
 
-LIBSELINUX_VERSION = 2.6
-LIBSELINUX_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014
+LIBSELINUX_VERSION = 2.7
+LIBSELINUX_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804
 LIBSELINUX_LICENSE = Public Domain
 LIBSELINUX_LICENSE_FILES = LICENSE
 
-- 
2.13.6

[Buildroot] [PATCH 2/8] libsemanage: bump to 2.7

[Adam Duskett]

Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
---
 package/libsemanage/libsemanage.hash | 4 ++--
 package/libsemanage/libsemanage.mk   | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/libsemanage/libsemanage.hash b/package/libsemanage/libsemanage.hash
index 62f4d833a5..c386571591 100644
--- a/package/libsemanage/libsemanage.hash
+++ b/package/libsemanage/libsemanage.hash
@@ -1,2 +1,2 @@
-# Locally computed
-sha256 4f81541047290b751f2ffb926fcd381c186f22db18d9fe671b0b4a6a54e8cfce libsemanage-2.6.tar.gz
+# From: https://github.com/SELinuxProject/selinux/wiki/Releases
+sha256 07e9477714ce6a4557a1fe924ea4cb06501b62d0fa0e3c0dc32a2cf47cb8d476 libsemanage-2.7.tar.gz
diff --git a/package/libsemanage/libsemanage.mk b/package/libsemanage/libsemanage.mk
index 2964c56f96..829409f527 100644
--- a/package/libsemanage/libsemanage.mk
+++ b/package/libsemanage/libsemanage.mk
@@ -4,8 +4,8 @@
 #
 ################################################################################
 
-LIBSEMANAGE_VERSION = 2.6
-LIBSEMANAGE_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014
+LIBSEMANAGE_VERSION = 2.7
+LIBSEMANAGE_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804
 LIBSEMANAGE_LICENSE = LGPL-2.1+
 LIBSEMANAGE_LICENSE_FILES = COPYING
 LIBSEMANAGE_DEPENDENCIES = host-bison host-flex audit libselinux ustr bzip2
-- 
2.13.6

[Buildroot] [PATCH 3/8] libsepol: bump to 2.7

[Adam Duskett]

Also refresh patches to work with new version.

Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
---
 package/libsepol/0001-support-static-only.patch | 32 +++++++++++++++----------
 package/libsepol/0003-revert-ln-relative.patch  | 18 ++++++++++----
 package/libsepol/libsepol.hash                  |  4 ++--
 package/libsepol/libsepol.mk                    |  4 ++--
 4 files changed, 37 insertions(+), 21 deletions(-)

diff --git a/package/libsepol/0001-support-static-only.patch b/package/libsepol/0001-support-static-only.patch
index 3e6d555e96..185a5641de 100644
--- a/package/libsepol/0001-support-static-only.patch
+++ b/package/libsepol/0001-support-static-only.patch
@@ -1,4 +1,7 @@
-Add support for static-only build
+From 2140db697c7f1da2a0a3f7bbcb14c1a0dade84e5 Mon Sep 17 00:00:00 2001
+From: Adam Duskett <Adamduskett@outlook.com>
+Date: Mon, 9 Oct 2017 16:28:12 -0400
+Subject: [PATCH] Add support for static-only build
 
 Instead of unconditionally building shared libraries, this patch
 improves the libsepol build system with a "STATIC" variable, which
@@ -7,30 +10,30 @@ libraries. It allows to support cases where the target architecture
 does not have support for shared libraries.
 
 Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
-Signed-off-by: Adam Duskett <Aduskett@gmail.com>
-
-Index: b/src/Makefile
-===================================================================
+Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
+---
+ src/Makefile | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
 
 diff --git a/src/Makefile b/src/Makefile
-index db6c2ba..0006285 100644
+index 819d261..040921d 100644
 --- a/src/Makefile
 +++ b/src/Makefile
-@@ -30,8 +30,12 @@ LOBJS += $(sort $(patsubst %.c,%.lo,$(wildcard $(CILDIR)/src/*.c) $(CIL_GENERATE
- override CFLAGS += -I$(CILDIR)/include
+@@ -40,7 +40,12 @@ LDFLAGS += -undefined dynamic_lookup
+ LN=gln
  endif
  
+-all: $(LIBA) $(LIBSO) $(LIBPC)
 +ALL_TARGETS = $(LIBA) $(LIBPC)
 +ifeq ($(STATIC),)
 +ALL_TARGETS += $(LIBSO)
 +endif
-
--all: $(LIBA) $(LIBSO) $(LIBPC)
++
 +all: $(ALL_TARGETS)
  
-
+ 
  $(LIBA):  $(OBJS)
-@@ -66,11 +70,13 @@
+@@ -82,11 +87,13 @@ endif
  install: all
  	test -d $(LIBDIR) || install -m 755 -d $(LIBDIR)
  	install -m 644 $(LIBA) $(LIBDIR)
@@ -41,8 +44,11 @@ index db6c2ba..0006285 100644
 +ifeq ($(STATIC),)
 +	test -d $(SHLIBDIR) || install -m 755 -d $(SHLIBDIR)
 +	install -m 755 $(LIBSO) $(SHLIBDIR)
- 	ln -sf --relative $(SHLIBDIR)/$(LIBSO) $(LIBDIR)/$(TARGET)
+ 	$(LN) -sf --relative $(SHLIBDIR)/$(LIBSO) $(LIBDIR)/$(TARGET)
 +endif
  
  relabel:
  	/sbin/restorecon $(SHLIBDIR)/$(LIBSO)
+-- 
+2.13.6
+
diff --git a/package/libsepol/0003-revert-ln-relative.patch b/package/libsepol/0003-revert-ln-relative.patch
index 0902d8d40e..488a9abea0 100644
--- a/package/libsepol/0003-revert-ln-relative.patch
+++ b/package/libsepol/0003-revert-ln-relative.patch
@@ -1,4 +1,7 @@
-Makefile: revert libsepol: use ln --relative to create .so symlinks
+From 16b2b0e21e10727065042a1baabd1a887757c65c Mon Sep 17 00:00:00 2001
+From: Adam Duskett <Adamduskett@outlook.com>
+Date: Mon, 9 Oct 2017 16:29:36 -0400
+Subject: [PATCH] Makefile: revert libsepol: use ln --relative to create .so symlinks
 
 This reverts 71393a181d63c9baae5fe8dcaeb9411d1f253998
 
@@ -9,16 +12,23 @@ they are maintained (up to 10 years in some cases?).
 For the sake of Buildroot, revert the upstream patch.
 
 Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
+---
+ src/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff -durN a/src/Makefile b/src/Makefile
+diff --git a/src/Makefile b/src/Makefile
+index 040921d..e811c9e 100644
 --- a/src/Makefile
 +++ b/src/Makefile
-@@ -77,7 +77,7 @@
+@@ -92,7 +92,7 @@ install: all
  ifeq ($(STATIC),)
  	test -d $(SHLIBDIR) || install -m 755 -d $(SHLIBDIR)
  	install -m 755 $(LIBSO) $(SHLIBDIR)
--	ln -sf --relative $(SHLIBDIR)/$(LIBSO) $(LIBDIR)/$(TARGET)
+-	$(LN) -sf --relative $(SHLIBDIR)/$(LIBSO) $(LIBDIR)/$(TARGET)
 +	cd $(LIBDIR) && ln -sf ../../`basename $(SHLIBDIR)`/$(LIBSO) $(TARGET)
  endif
  
  relabel:
+-- 
+2.13.6
+
diff --git a/package/libsepol/libsepol.hash b/package/libsepol/libsepol.hash
index 6c705067a2..08e2bf97a4 100644
--- a/package/libsepol/libsepol.hash
+++ b/package/libsepol/libsepol.hash
@@ -1,2 +1,2 @@
-# From https://github.com/SELinuxProject/selinux/wiki/Releases
-sha256 d856d6506054f52abeaa3543ea2f2344595a3dc05d0d873ed7f724f7a16b1874  libsepol-2.6.tar.gz
+# From: https://github.com/SELinuxProject/selinux/wiki/Releases
+sha256 d69d3bd8ec901a3bd5adf2be2fb47fb1a685ed73066ab482e7e505371a48f9e7  libsepol-2.7.tar.gz
diff --git a/package/libsepol/libsepol.mk b/package/libsepol/libsepol.mk
index 21ca419c74..c54c3bfc42 100644
--- a/package/libsepol/libsepol.mk
+++ b/package/libsepol/libsepol.mk
@@ -4,8 +4,8 @@
 #
 ################################################################################
 
-LIBSEPOL_VERSION = 2.6
-LIBSEPOL_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014
+LIBSEPOL_VERSION = 2.7
+LIBSEPOL_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804
 LIBSEPOL_LICENSE = LGPL-2.1+
 LIBSEPOL_LICENSE_FILES = COPYING
 
-- 
2.13.6

[Buildroot] [PATCH 4/8] Checkpolicy: bump to 2.7

[Adam Duskett]

Also remove patch, as it's in this release.

Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
---
 .../0001-checkpolicy-remove-lfl-from-LDLIBS.patch  | 58 ----------------------
 package/checkpolicy/checkpolicy.hash               |  2 +-
 package/checkpolicy/checkpolicy.mk                 |  4 +-
 3 files changed, 3 insertions(+), 61 deletions(-)
 delete mode 100644 package/checkpolicy/0001-checkpolicy-remove-lfl-from-LDLIBS.patch

diff --git a/package/checkpolicy/0001-checkpolicy-remove-lfl-from-LDLIBS.patch b/package/checkpolicy/0001-checkpolicy-remove-lfl-from-LDLIBS.patch
deleted file mode 100644
index c0b6de8a5a..0000000000
--- a/package/checkpolicy/0001-checkpolicy-remove-lfl-from-LDLIBS.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 4d215a1e8111e14f6074f7abe2559800b6f4838c Mon Sep 17 00:00:00 2001
-From: Adam Duskett <Adamduskett@outlook.com>
-Date: Sat, 20 May 2017 11:01:08 -0400
-Subject: [PATCH] checkpolicy: remove -lfl from LDLIBSlogin
-
-When building checkpolicy/test, the linker reports the following error:
-cc   dispol.o  -lfl /usr/src/selinux/DESTDIR/usr/lib/libsepol.a
--L/usr/src/selinux/DESTDIR/usr/lib -o dispol
-/usr/lib/gcc/x86_64-pc-linux-gnu/6.2.1/../../../../lib/libfl.so:
-undefined reference to `yylex'
-collect2: error: ld returned 1 exit status
-
-According to flex documentation
-(https://github.com/westes/flex/blob/master/doc/flex.texi), -lfl is used
-to provide an implementation for yywrap(). However every flex file now
-uses "%option noyywrap", which makes -lfl no longer mandatory. Remove
-this option from checkpolicy Makefiles.
-
-
-Backported from:
-https://patchwork.kernel.org/patch/9450549/
-
-Original author: Nicolas Iooss <nicolas.iooss@m4x.org>
-Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
----
- Makefile      | 2 +-
- test/Makefile | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/Makefile b/Makefile
-index 53a3074..875cf00 100644
---- a/Makefile
-+++ b/Makefile
-@@ -20,7 +20,7 @@ CHECKOBJS = y.tab.o lex.yy.o queue.o module_compiler.o parse_util.o \
- CHECKPOLOBJS = $(CHECKOBJS) checkpolicy.o
- CHECKMODOBJS = $(CHECKOBJS) checkmodule.o
- 
--LDLIBS=$(LIBDIR)/libsepol.a -lfl
-+LDLIBS=$(LIBDIR)/libsepol.a
- 
- GENERATED=lex.yy.c y.tab.c y.tab.h
- 
-diff --git a/test/Makefile b/test/Makefile
-index c2367e1..e7bd717 100644
---- a/test/Makefile
-+++ b/test/Makefile
-@@ -9,7 +9,7 @@ INCLUDEDIR ?= $(PREFIX)/include
- CFLAGS ?= -g -Wall -W -Werror -O2 -pipe
- override CFLAGS += -I$(INCLUDEDIR)
- 
--LDLIBS=-lfl $(LIBDIR)/libsepol.a -L$(LIBDIR)
-+LDLIBS=$(LIBDIR)/libsepol.a -L$(LIBDIR)
- 
- all: dispol dismod
- 
--- 
-2.9.3
-
diff --git a/package/checkpolicy/checkpolicy.hash b/package/checkpolicy/checkpolicy.hash
index 6208d7749c..7397393a76 100644
--- a/package/checkpolicy/checkpolicy.hash
+++ b/package/checkpolicy/checkpolicy.hash
@@ -1,2 +1,2 @@
 # https://github.com/SELinuxProject/selinux/wiki/Releases
-sha256 0bebd18688ca8027b1b3b4ff1532c0626f1fe49883ae6cb74d9d385940e74157  checkpolicy-2.6.tar.gz
+sha256 5413479f1dcde866c19896b4dbfec315d822aa431606e1d03c944408984c3201  checkpolicy-2.7.tar.gz
diff --git a/package/checkpolicy/checkpolicy.mk b/package/checkpolicy/checkpolicy.mk
index f0cca593d3..c1fb43da4d 100644
--- a/package/checkpolicy/checkpolicy.mk
+++ b/package/checkpolicy/checkpolicy.mk
@@ -4,8 +4,8 @@
 #
 ################################################################################
 
-CHECKPOLICY_VERSION = 2.6
-CHECKPOLICY_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014
+CHECKPOLICY_VERSION = 2.7
+CHECKPOLICY_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804
 CHECKPOLICY_LICENSE = GPL-2.0
 CHECKPOLICY_LICENSE_FILES = COPYING
 
-- 
2.13.6

[Buildroot] [PATCH 5/8] policycoreutils: bump to 2.7

[Adam Duskett]

Policycoreutils was broken up into several packages, as such several
changes needed to happen for this patch to work:

- Remove patches 3, 4, and 5 as they no longer apply.
- Refresh patches 1 and 2 to work with version 2.7
- Remove semodule_${deps,expand,link,package} and sestatus from the makedirs
  in the mk file.
- Remove restorecond from the make and config file. (Seperate package)
- Remove Audit2allow from the make and config file. (In a different package)

Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
---
 ...IR-to-all-paths-that-use-an-absolute-path.patch | 121 ++-----------
 .../0002-Add-PREFIX-to-host-paths.patch            | 200 ++++-----------------
 .../0003-Remove-hardcoded-arch-variable.patch      |  43 -----
 ...licy-python-install-arguments-to-be-a-var.patch |  42 -----
 .../0005-Check-to-see-if-DBUS-is-enabled.patch     |  56 ------
 package/policycoreutils/Config.in                  |  43 -----
 package/policycoreutils/policycoreutils.hash       |   2 +-
 package/policycoreutils/policycoreutils.mk         |  35 +---
 8 files changed, 51 insertions(+), 491 deletions(-)
 delete mode 100644 package/policycoreutils/0003-Remove-hardcoded-arch-variable.patch
 delete mode 100644 package/policycoreutils/0004-Change-sepolicy-python-install-arguments-to-be-a-var.patch
 delete mode 100644 package/policycoreutils/0005-Check-to-see-if-DBUS-is-enabled.patch

diff --git a/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
index bbd6895e7f..3c1610f7a2 100644
--- a/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
+++ b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
@@ -1,3 +1,8 @@
+From 85763549c53b2907dab094163f1404b2233f8029 Mon Sep 17 00:00:00 2001
+From: Adam Duskett <Adamduskett@outlook.com>
+Date: Mon, 9 Oct 2017 16:51:20 -0400
+Subject: [PATCH] Add DESTDIR to setfiles
+
 The addition of this patch makes the use of DESTDIR
 mandatory as there are conditional checks which would fail if it's not
 defined.
@@ -9,123 +14,25 @@ Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
 Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>
 Signed-off-by: Adam Duskett <AdamDuskett@outlook.com>
 Signed-off-by: Adam Duskett <Aduskett@gmail.com>
+refresh for 2.7
+Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
 ---
- policycoreutils/Makefile             | 2 +-
- policycoreutils/newrole/Makefile     | 4 ++--
- policycoreutils/restorecond/Makefile | 5 +++--
- policycoreutils/run_init/Makefile    | 4 ++--
- policycoreutils/sepolicy/Makefile    | 2 +-
- policycoreutils/sestatus/Makefile    | 2 +-
- policycoreutils/setfiles/Makefile    | 4 ++--
- 7 files changed, 12 insertions(+), 11 deletions(-)
+ setfiles/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/Makefile b/Makefile
-index 962ac12..0634a2a 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1,6 +1,6 @@
- SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui hll
- 
--INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
-+INOTIFYH = $(shell ls $(DESTDIR)/usr/include/sys/inotify.h 2>/dev/null)
- 
- ifeq (${INOTIFYH}, /usr/include/sys/inotify.h)
- 	SUBDIRS += restorecond
-diff --git a/newrole/Makefile b/newrole/Makefile
-index 646cd4d..f124a6a 100644
---- a/newrole/Makefile
-+++ b/newrole/Makefile
-@@ -4,8 +4,8 @@ BINDIR ?= $(PREFIX)/bin
- MANDIR ?= $(PREFIX)/share/man
- ETCDIR ?= $(DESTDIR)/etc
- LOCALEDIR = /usr/share/locale
--PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
--AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
-+PAMH = $(shell ls $(DESTDIR)/usr/include/security/pam_appl.h 2>/dev/null)
-+AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
- # Enable capabilities to permit newrole to generate audit records.
- # This will make newrole a setuid root program.
- # The capabilities used are: CAP_AUDIT_WRITE.
-diff --git a/restorecond/Makefile b/restorecond/Makefile
-index f99e1e7..92a4a4d 100644
---- a/restorecond/Makefile
-+++ b/restorecond/Makefile
-@@ -11,11 +11,12 @@ autostart_DATA = sealertauto.desktop
- INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
- SELINUXDIR = $(DESTDIR)/etc/selinux
- 
--DBUSFLAGS = -DHAVE_DBUS -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/lib/dbus-1.0/include
-+DBUSFLAGS = -DHAVE_DBUS -I$(DESTDIR)/usr/include/dbus-1.0 -I$(DESTDIR)/usr/lib64/dbus-1.0/include -I$(DESTDIR)/usr/lib/dbus-1.0/include
- DBUSLIB = -ldbus-glib-1 -ldbus-1
- 
- CFLAGS ?= -g -Werror -Wall -W
--override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/lib/glib-2.0/include
-+override CFLAGS += -I$(DESTDIR)/usr/include $(DBUSFLAGS) -I$(DESTDIR)/usr/include/glib-2.0 \
-+-I$(DESTDIR)/usr/lib64/glib-2.0/include -I$(DESTDIR)/usr/lib/glib-2.0/include
- 
- LDLIBS += -lselinux $(DBUSLIB) -lglib-2.0 -L$(LIBDIR)
- 
-diff --git a/run_init/Makefile b/run_init/Makefile
-index 5815a08..c81179b 100644
---- a/run_init/Makefile
-+++ b/run_init/Makefile
-@@ -5,8 +5,8 @@ SBINDIR ?= $(PREFIX)/sbin
- MANDIR ?= $(PREFIX)/share/man
- ETCDIR ?= $(DESTDIR)/etc
- LOCALEDIR ?= /usr/share/locale
--PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
--AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
-+PAMH = $(shell ls $(DESTDIR)/usr/include/security/pam_appl.h 2>/dev/null)
-+AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
- 
- CFLAGS ?= -Werror -Wall -W
- override CFLAGS += -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
-diff --git a/sepolicy/Makefile b/sepolicy/Makefile
-index 39d46e8..6624373 100644
---- a/sepolicy/Makefile
-+++ b/sepolicy/Makefile
-@@ -12,7 +12,7 @@ LOCALEDIR ?= /usr/share/locale
- BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions
- SHAREDIR ?= $(PREFIX)/share/sandbox
- CFLAGS ?= -Wall -Werror -Wextra -W
--override CFLAGS += -I$(PREFIX)/include -DPACKAGE="policycoreutils" -DSHARED -shared
-+override CFLAGS = $(LDFLAGS) -I$(DESTDIR)/usr/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
- 
- BASHCOMPLETIONS=sepolicy-bash-completion.sh
- 
-diff --git a/sestatus/Makefile b/sestatus/Makefile
-index c04ff00..e10c32c 100644
---- a/sestatus/Makefile
-+++ b/sestatus/Makefile
-@@ -6,7 +6,7 @@ ETCDIR ?= $(DESTDIR)/etc
- LIBDIR ?= $(PREFIX)/lib
- 
- CFLAGS ?= -Werror -Wall -W
--override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
-+override CFLAGS += -I$(DESTDIR)/usr/include -D_FILE_OFFSET_BITS=64
- LDLIBS = -lselinux -L$(LIBDIR)
- 
- all: sestatus
 diff --git a/setfiles/Makefile b/setfiles/Makefile
-index 98f4f7d..eb26ed0 100644
+index c08e2dd..36c0638 100644
 --- a/setfiles/Makefile
 +++ b/setfiles/Makefile
-@@ -3,13 +3,13 @@ PREFIX ?= $(DESTDIR)/usr
+@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
  SBINDIR ?= $(DESTDIR)/sbin
  MANDIR = $(PREFIX)/share/man
  LIBDIR ?= $(PREFIX)/lib
--AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
-+AUDITH = $(shell ls  $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
+-AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
++AUDITH ?= $(shell test -f $(DESTDIR)/include/libaudit.h && echo y)
  
- PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S '{ print $$3 }')
  ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
  
- CFLAGS ?= -g -Werror -Wall -W
--override CFLAGS += -I$(PREFIX)/include
-+override CFLAGS += -I$(DESTDIR)/usr/include
- LDLIBS = -lselinux -lsepol -L$(LIBDIR)
- 
- ifeq ($(AUDITH), /usr/include/libaudit.h)
 -- 
-2.7.4
+2.13.6
 
diff --git a/package/policycoreutils/0002-Add-PREFIX-to-host-paths.patch b/package/policycoreutils/0002-Add-PREFIX-to-host-paths.patch
index 56aae74ba0..440923dd58 100644
--- a/package/policycoreutils/0002-Add-PREFIX-to-host-paths.patch
+++ b/package/policycoreutils/0002-Add-PREFIX-to-host-paths.patch
@@ -1,6 +1,6 @@
-From 7f99a727cdb8160d49bb0d0554fc88787980c971 Mon Sep 17 00:00:00 2001
-From: Adam Duskett <Aduskett@gmail.com>
-Date: Thu, 14 Jul 2016 13:16:03 -0400
+From a221304344b3f9db7e86d928cf97d77542bcf456 Mon Sep 17 00:00:00 2001
+From: Adam Duskett <Adamduskett@outlook.com>
+Date: Mon, 9 Oct 2017 16:47:19 -0400
 Subject: [PATCH] Add PREFIX to host paths
 
 Updates the remaining hardcoded host paths used in the build to be
@@ -11,201 +11,61 @@ Updated to work with version 2.5
 Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
 Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>
 Signed-off-by: Adam Duskett <AdamDuskett@outlook.com>
-Signed-off-by: Adam Duskett <Aduskett@gmail.com>
+refresh for 2.7
+Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
 ---
- policycoreutils/Makefile              |  4 +++-
- policycoreutils/audit2allow/Makefile  |  2 +-
- policycoreutils/load_policy/Makefile  |  2 +-
- policycoreutils/mcstrans/src/Makefile | 17 +++++++++--------
- policycoreutils/newrole/Makefile      |  8 ++++----
- policycoreutils/run_init/Makefile     |  8 ++++----
- policycoreutils/sepolicy/Makefile     |  2 +-
- policycoreutils/setfiles/Makefile     |  4 ++--
- 8 files changed, 25 insertions(+), 22 deletions(-)
+ load_policy/Makefile | 2 +-
+ newrole/Makefile     | 6 +++---
+ run_init/Makefile    | 6 +++---
+ 3 files changed, 7 insertions(+), 7 deletions(-)
 
-diff --git a/Makefile b/Makefile
-index 0634a2a..bd99b1c 100644
---- a/Makefile
-+++ b/Makefile
-@@ -1,8 +1,10 @@
-+PREFIX  ?= $(DESTDIR)/usr
-+
- SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui hll
- 
- INOTIFYH = $(shell ls $(DESTDIR)/usr/include/sys/inotify.h 2>/dev/null)
- 
--ifeq (${INOTIFYH}, /usr/include/sys/inotify.h)
-+ifeq (${INOTIFYH}, $(PREFIX)/include/sys/inotify.h)
- 	SUBDIRS += restorecond
- endif
- 
-diff --git a/audit2allow/Makefile b/audit2allow/Makefile
-index 87d2502..d4108fe 100644
---- a/audit2allow/Makefile
-+++ b/audit2allow/Makefile
-@@ -5,7 +5,7 @@ PREFIX ?= $(DESTDIR)/usr
- BINDIR ?= $(PREFIX)/bin
- LIBDIR ?= $(PREFIX)/lib
- MANDIR ?= $(PREFIX)/share/man
--LOCALEDIR ?= /usr/share/locale
-+LOCALEDIR ?= $(PREFIX)/share/locale
- 
- all: audit2why
- 
 diff --git a/load_policy/Makefile b/load_policy/Makefile
-index 7c5bab0..5cd0bbb 100644
+index b85833c..6a45f31 100644
 --- a/load_policy/Makefile
 +++ b/load_policy/Makefile
-@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
+@@ -2,7 +2,7 @@
+ PREFIX ?= $(DESTDIR)/usr
  SBINDIR ?= $(DESTDIR)/sbin
- USRSBINDIR ?= $(PREFIX)/sbin
  MANDIR ?= $(PREFIX)/share/man
 -LOCALEDIR ?= /usr/share/locale
 +LOCALEDIR ?= $(PREFIX)/share/locale
  
  CFLAGS ?= -Werror -Wall -W
- override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
-diff --git a/mcstrans/src/Makefile b/mcstrans/src/Makefile
-index 907a1f1..6fda57e 100644
---- a/mcstrans/src/Makefile
-+++ b/mcstrans/src/Makefile
-@@ -1,23 +1,24 @@
- ARCH = $(shell uname -i)
-+# Installation directories.
-+PREFIX  ?= $(DESTDIR)/usr
-+SBINDIR ?= $(DESTDIR)/sbin
-+INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
-+SYSTEMDDIR ?= $(DESTDIR)/usr/lib/systemd
-+
- ifeq "$(ARCH)" "x86_64"
- 	# In case of 64 bit system, use these lines
--	LIBDIR=/usr/lib64
-+	LIBDIR=$(PREFIX)/lib64
- else 
- ifeq "$(ARCH)" "i686"
- 	# In case of 32 bit system, use these lines
--	LIBDIR=/usr/lib
-+	LIBDIR=$(PREFIX)/lib
- else
- ifeq "$(ARCH)" "i386"
- 	# In case of 32 bit system, use these lines
--	LIBDIR=/usr/lib
-+	LIBDIR=$(PREFIX)/lib
- endif
- endif
- endif
--# Installation directories.
--PREFIX  ?= $(DESTDIR)/usr
--SBINDIR ?= $(DESTDIR)/sbin
--INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
--SYSTEMDDIR ?= $(DESTDIR)/usr/lib/systemd
- 
- PROG_SRC=mcstrans.c  mcscolor.c  mcstransd.c  mls_level.c
- PROG_OBJS= $(patsubst %.c,%.o,$(PROG_SRC))
+ override CFLAGS += $(LDFLAGS) -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
 diff --git a/newrole/Makefile b/newrole/Makefile
-index f124a6a..b687a09 100644
+index 196af92..896708f 100644
 --- a/newrole/Makefile
 +++ b/newrole/Makefile
-@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
+@@ -3,9 +3,9 @@ PREFIX ?= $(DESTDIR)/usr
  BINDIR ?= $(PREFIX)/bin
  MANDIR ?= $(PREFIX)/share/man
  ETCDIR ?= $(DESTDIR)/etc
 -LOCALEDIR = /usr/share/locale
-+LOCALEDIR =  $(PREFIX)/share/locale
- PAMH = $(shell ls $(DESTDIR)/usr/include/security/pam_appl.h 2>/dev/null)
- AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
+-PAMH ?= $(shell test -f /usr/include/security/pam_appl.h && echo y)
+-AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
++LOCALEDIR = $(PREFIX)/share/locale
++PAMH ?= $(shell test -f $(PREFIX)/include/security/pam_appl.h && echo y)
++AUDITH ?= $(shell test -f $(PREFIX)/include/libaudit.h && echo y)
  # Enable capabilities to permit newrole to generate audit records.
-@@ -24,7 +24,7 @@ CFLAGS ?= -Werror -Wall -W
- EXTRA_OBJS =
- override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
- LDLIBS += -lselinux -L$(PREFIX)/lib
--ifeq ($(PAMH), /usr/include/security/pam_appl.h)
-+ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
- 	override CFLAGS += -DUSE_PAM
- 	EXTRA_OBJS += hashtab.o
- 	LDLIBS += -lpam -lpam_misc
-@@ -32,7 +32,7 @@ else
- 	override CFLAGS += -D_XOPEN_SOURCE=500
- 	LDLIBS += -lcrypt
- endif
--ifeq ($(AUDITH), /usr/include/libaudit.h)
-+ifeq ($(AUDITH), $(PREFIX)/include/libaudit.h)
- 	override CFLAGS += -DUSE_AUDIT
- 	LDLIBS += -laudit
- endif
-@@ -66,7 +66,7 @@ install: all
- 	test -d $(MANDIR)/man1 || install -m 755 -d $(MANDIR)/man1
- 	install -m $(MODE) newrole $(BINDIR)
- 	install -m 644 newrole.1 $(MANDIR)/man1/
--ifeq ($(PAMH), /usr/include/security/pam_appl.h)
-+ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
- 	test -d $(ETCDIR)/pam.d || install -m 755 -d $(ETCDIR)/pam.d
- ifeq ($(LSPP_PRIV),y)
- 	install -m 644 newrole-lspp.pamd $(ETCDIR)/pam.d/newrole
+ # This will make newrole a setuid root program.
+ # The capabilities used are: CAP_AUDIT_WRITE.
 diff --git a/run_init/Makefile b/run_init/Makefile
-index c81179b..ce0df9f 100644
+index 921f0b0..e1566fc 100644
 --- a/run_init/Makefile
 +++ b/run_init/Makefile
-@@ -4,21 +4,21 @@ PREFIX ?= $(DESTDIR)/usr
+@@ -4,9 +4,9 @@ PREFIX ?= $(DESTDIR)/usr
  SBINDIR ?= $(PREFIX)/sbin
  MANDIR ?= $(PREFIX)/share/man
  ETCDIR ?= $(DESTDIR)/etc
 -LOCALEDIR ?= /usr/share/locale
+-PAMH ?= $(shell test -f /usr/include/security/pam_appl.h && echo y)
+-AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
 +LOCALEDIR ?= $(PREFIX)/share/locale
- PAMH = $(shell ls $(DESTDIR)/usr/include/security/pam_appl.h 2>/dev/null)
- AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
++PAMH ?= $(shell test -f $(PREFIX)/include/security/pam_appl.h && echo y)
++AUDITH ?= $(shell test -f $(PREFIX)/include/libaudit.h && echo y)
  
  CFLAGS ?= -Werror -Wall -W
- override CFLAGS += -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
- LDLIBS += -lselinux -L$(PREFIX)/lib
--ifeq ($(PAMH), /usr/include/security/pam_appl.h)
-+ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
- 	override CFLAGS += -DUSE_PAM
- 	LDLIBS += -lpam -lpam_misc
- else
- 	override CFLAGS += -D_XOPEN_SOURCE=500
- 	LDLIBS += -lcrypt
- endif
--ifeq ($(AUDITH), /usr/include/libaudit.h)
-+ifeq ($(AUDITH), $(PREFIX)/include/libaudit.h)
- 	override CFLAGS += -DUSE_AUDIT
- 	LDLIBS += -laudit
- endif
-@@ -38,7 +38,7 @@ install: all
- 	install -m 755 open_init_pty $(SBINDIR)
- 	install -m 644 run_init.8 $(MANDIR)/man8/
- 	install -m 644 open_init_pty.8 $(MANDIR)/man8/
--ifeq ($(PAMH), /usr/include/security/pam_appl.h)
-+ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
- 	install -m 644 run_init.pamd $(ETCDIR)/pam.d/run_init
- endif
- 
-diff --git a/sepolicy/Makefile b/sepolicy/Makefile
-index 6624373..a16f8de 100644
---- a/sepolicy/Makefile
-+++ b/sepolicy/Makefile
-@@ -8,7 +8,7 @@ BINDIR ?= $(PREFIX)/bin
- SBINDIR ?= $(PREFIX)/sbin
- DATADIR ?= $(PREFIX)/share
- MANDIR ?= $(PREFIX)/share/man
--LOCALEDIR ?= /usr/share/locale
-+LOCALEDIR ?= $(PREFIX)/share/locale
- BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions
- SHAREDIR ?= $(PREFIX)/share/sandbox
- CFLAGS ?= -Wall -Werror -Wextra -W
-diff --git a/setfiles/Makefile b/setfiles/Makefile
-index eb26ed0..3c6b80d 100644
---- a/setfiles/Makefile
-+++ b/setfiles/Makefile
-@@ -12,7 +12,7 @@ CFLAGS ?= -g -Werror -Wall -W
- override CFLAGS += -I$(DESTDIR)/usr/include
- LDLIBS = -lselinux -lsepol -L$(LIBDIR)
- 
--ifeq ($(AUDITH), /usr/include/libaudit.h)
-+ifeq ($(AUDITH), $(PREFIX)/include/libaudit.h)
- 	override CFLAGS += -DUSE_AUDIT
- 	LDLIBS += -laudit
- endif
+ override CFLAGS += -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
 -- 
-2.7.4
+2.13.6
 
diff --git a/package/policycoreutils/0003-Remove-hardcoded-arch-variable.patch b/package/policycoreutils/0003-Remove-hardcoded-arch-variable.patch
deleted file mode 100644
index 375fb577f7..0000000000
--- a/package/policycoreutils/0003-Remove-hardcoded-arch-variable.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 7424f2bea0cb412e96202f596ad8077131589f40 Mon Sep 17 00:00:00 2001
-From: Adam Duskett <Aduskett@gmail.com>
-Date: Thu, 14 Jul 2016 13:18:24 -0400
-Subject: [PATCH] Remove hardcoded arch variable.
-
-Allow the ARCH value to be passed in as original configuration was
-solely based on host architecture.
-
-This patch was updated to work with version 2.5
-
-Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
-Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>
-Signed-off-by: Adam Duskett <AdamDuskett@outlook.com>
-Signed-off-by: Adam Duskett <Aduskett@gmail.com>
----
- policycoreutils/mcstrans/src/Makefile   | 1 -
- policycoreutils/mcstrans/utils/Makefile | 1 -
- 2 files changed, 2 deletions(-)
-
-diff --git a/mcstrans/src/Makefile b/mcstrans/src/Makefile
-index 6fda57e..7b4489f 100644
---- a/mcstrans/src/Makefile
-+++ b/mcstrans/src/Makefile
-@@ -1,4 +1,3 @@
--ARCH = $(shell uname -i)
- # Installation directories.
- PREFIX  ?= $(DESTDIR)/usr
- SBINDIR ?= $(DESTDIR)/sbin
-diff --git a/mcstrans/utils/Makefile b/mcstrans/utils/Makefile
-index 1ffb027..912fe12 100644
---- a/mcstrans/utils/Makefile
-+++ b/mcstrans/utils/Makefile
-@@ -2,7 +2,6 @@
- PREFIX ?= $(DESTDIR)/usr
- BINDIR ?= $(PREFIX)/sbin
- 
--ARCH = $(shell uname -i)
- ifeq "$(ARCH)" "x86_64"
-         # In case of 64 bit system, use these lines
-         LIBDIR=/usr/lib64
--- 
-2.7.4
-
diff --git a/package/policycoreutils/0004-Change-sepolicy-python-install-arguments-to-be-a-var.patch b/package/policycoreutils/0004-Change-sepolicy-python-install-arguments-to-be-a-var.patch
deleted file mode 100644
index 636b722b70..0000000000
--- a/package/policycoreutils/0004-Change-sepolicy-python-install-arguments-to-be-a-var.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 27fd1c85ca95b5d66ab0241a08242a75b60b375c Mon Sep 17 00:00:00 2001
-From: Adam Duskett <Aduskett@gmail.com>
-Date: Thu, 14 Jul 2016 13:22:57 -0400
-Subject: [PATCH] Change sepolicy python install arguments to be a variable
-
-To allow the python install arguments to be overwritten, change the
-arguments to be a variable. This also cleans up the DESTDIR detection a
-little bit.
-
-Updated to work with version 2.5
-
-Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
-Signed-off-by: Adam Duskett <AdamDuskett@outlook.com>
-Signed-off-by: Adam Duskett <Aduskett@gmail.com>
----
- policycoreutils/sepolicy/Makefile | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/sepolicy/Makefile b/sepolicy/Makefile
-index a16f8de..2013301 100644
---- a/sepolicy/Makefile
-+++ b/sepolicy/Makefile
-@@ -1,4 +1,7 @@
- PYTHON ?= python
-+ifneq ($(DESTDIR),)
-+PYTHON_INSTALL_ARGS ?= --root $(DESTDIR)
-+endif
- 
- # Installation directories.
- PREFIX ?= $(DESTDIR)/usr
-@@ -32,7 +35,7 @@ test:
- 	@$(PYTHON) test_sepolicy.py -v
- 
- install:
--	$(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
-+	$(PYTHON) setup.py install $(PYTHON_INSTALL_ARGS)
- 	[ -d $(BINDIR) ] || mkdir -p $(BINDIR)
- 	install -m 755 sepolicy.py $(BINDIR)/sepolicy
- 	(cd $(BINDIR); ln -sf sepolicy sepolgen)
--- 
-2.7.4
-
diff --git a/package/policycoreutils/0005-Check-to-see-if-DBUS-is-enabled.patch b/package/policycoreutils/0005-Check-to-see-if-DBUS-is-enabled.patch
deleted file mode 100644
index 37ffac8de8..0000000000
--- a/package/policycoreutils/0005-Check-to-see-if-DBUS-is-enabled.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From d1bc28c5b2efe60a0ee04d9c171928d0f3475654 Mon Sep 17 00:00:00 2001
-From: Adam Duskett <Aduskett@gmail.com>
-Date: Thu, 14 Jul 2016 13:26:23 -0400
-Subject: [PATCH] Check to see if DBUS is enabled.
-
-Adds a condition to prevent linking against dbus when at build time
-dbus has not been enabled.
-
-Updated for 2.5.
-
-Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
-Signed-off-by: Adam Duskett <AdamDuskett@outlook.com>
-Signed-off-by: Adam Duskett <Aduskett@gmail.com>
----
- policycoreutils/restorecond/Makefile | 2 ++
- policycoreutils/restorecond/user.c   | 2 +-
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/restorecond/Makefile b/restorecond/Makefile
-index 92a4a4d..95f38a6 100644
---- a/restorecond/Makefile
-+++ b/restorecond/Makefile
-@@ -11,8 +11,10 @@ autostart_DATA = sealertauto.desktop
- INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
- SELINUXDIR = $(DESTDIR)/etc/selinux
- 
-+ifdef ENABLE_DBUS
- DBUSFLAGS = -DHAVE_DBUS -I$(DESTDIR)/usr/include/dbus-1.0 -I$(DESTDIR)/usr/lib64/dbus-1.0/include -I$(DESTDIR)/usr/lib/dbus-1.0/include
- DBUSLIB = -ldbus-glib-1 -ldbus-1
-+endif
- 
- CFLAGS ?= -g -Werror -Wall -W
- override CFLAGS += -I$(DESTDIR)/usr/include $(DBUSFLAGS) -I$(DESTDIR)/usr/include/glib-2.0 \
-diff --git a/restorecond/user.c b/restorecond/user.c
-index 714aae7..a04cddb 100644
---- a/restorecond/user.c
-+++ b/restorecond/user.c
-@@ -54,7 +54,6 @@ static const char *PATH="/org/selinux/Restorecond";
- static const char *INTERFACE="org.selinux.RestorecondIface";
- static const char *RULE="type='signal',interface='org.selinux.RestorecondIface'";
- 
--static int local_lock_fd = -1;
- 
- static DBusHandlerResult
- signal_filter (DBusConnection *connection  __attribute__ ((__unused__)), DBusMessage *message, void *user_data)
-@@ -101,6 +100,7 @@ static int dbus_server(GMainLoop *loop) {
- #include <selinux/selinux.h>
- #include <sys/file.h>
- 
-+static int local_lock_fd = -1;
- /* size of the event structure, not counting name */
- #define EVENT_SIZE  (sizeof (struct inotify_event))
- /* reasonable guess as to size of 1024 events */
--- 
-2.7.4
-
diff --git a/package/policycoreutils/Config.in b/package/policycoreutils/Config.in
index 6b58d6ea33..0d69fb51a5 100644
--- a/package/policycoreutils/Config.in
+++ b/package/policycoreutils/Config.in
@@ -28,54 +28,11 @@ config BR2_PACKAGE_POLICYCOREUTILS
 	  The base package will install the following utilities:
 	      load_policy
 	      newrole
-	      restorecond
 	      run_init
 	      secon
 	      semodule
-	      semodule_deps
-	      semodule_expand
-	      semodule_link
-	      semodule_package
-	      sepolgen-ifgen
 	      sestatus
 	      setfiles
 	      setsebool
 
 	  http://selinuxproject.org/page/Main_Page
-
-if BR2_PACKAGE_POLICYCOREUTILS
-
-config BR2_PACKAGE_POLICYCOREUTILS_AUDIT2ALLOW
-	bool "audit2allow"
-	depends on BR2_USE_WCHAR # python3, sepolgen
-	depends on BR2_USE_MMU # python3, sepolgen
-	depends on BR2_TOOLCHAIN_HAS_THREADS # python3, sepolgen, checkpolicy
-	depends on !BR2_STATIC_LIBS # python3, sepolgen
-	depends on BR2_TOOLCHAIN_USES_GLIBC # checkpolicy
-	depends on !BR2_arc # checkpolicy
-	select BR2_PACKAGE_SEPOLGEN
-	select BR2_PACKAGE_CHECKPOLICY
-	select BR2_PACKAGE_PYTHON3 if !BR2_PACKAGE_PYTHON
-	help
-	  Enable audit2allow to be built
-
-comment "audit2allow needs a glibc toolchain w/ wchar, threads, dynamic library"
-	depends on BR2_USE_MMU
-	depends on !BR2_arc
-	depends on !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS || \
-		BR2_STATIC_LIBS
-
-config BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND
-	bool "restorecond"
-	depends on BR2_USE_WCHAR # glib2
-	depends on BR2_TOOLCHAIN_HAS_THREADS # glib2
-	depends on BR2_USE_MMU # glib2
-	select BR2_PACKAGE_LIBGLIB2
-	help
-	  Enable restorecond to be built
-
-comment "restorecond needs a toolchain w/ wchar, threads"
-	depends on BR2_USE_MMU
-	depends on !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS
-
-endif
diff --git a/package/policycoreutils/policycoreutils.hash b/package/policycoreutils/policycoreutils.hash
index 999a7788d2..9ec47c394b 100644
--- a/package/policycoreutils/policycoreutils.hash
+++ b/package/policycoreutils/policycoreutils.hash
@@ -1,2 +1,2 @@
 # https://github.com/SELinuxProject/selinux/wiki/Releases
-sha256 68891b376f5048edc53c6ccb2fca44da3dc7f4563f4b6894e201d70c04a05a29 policycoreutils-2.6.tar.gz
+sha256 0a1b8a4a323b854981c6755ff025fe98a0f1cff307f109abb260f0490f13e4f4 policycoreutils-2.7.tar.gz
diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
index 6fec4afb25..7979d23171 100644
--- a/package/policycoreutils/policycoreutils.mk
+++ b/package/policycoreutils/policycoreutils.mk
@@ -4,8 +4,8 @@
 #
 ################################################################################
 
-POLICYCOREUTILS_VERSION = 2.6
-POLICYCOREUTILS_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014
+POLICYCOREUTILS_VERSION = 2.7
+POLICYCOREUTILS_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804
 POLICYCOREUTILS_LICENSE = GPL-2.0
 POLICYCOREUTILS_LICENSE_FILES = COPYING
 
@@ -41,28 +41,8 @@ POLICYCOREUTILS_MAKE_OPTS += \
 
 POLICYCOREUTILS_MAKE_DIRS = \
 	load_policy newrole run_init \
-	secon semodule semodule_deps \
-	semodule_expand semodule_link \
-	semodule_package sepolgen-ifgen \
-	sestatus setfiles setsebool
-
-ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND),y)
-POLICYCOREUTILS_MAKE_DIRS += restorecond
-POLICYCOREUTILS_DEPENDENCIES += libglib2
-endif
-
-ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_AUDIT2ALLOW),y)
-ifeq ($(BR2_PACKAGE_PYTHON3),y)
-POLICYCOREUTILS_DEPENDENCIES += python3
-POLICYCOREUTILS_MAKE_OPTS += PYLIBVER="python$(PYTHON3_VERSION_MAJOR)"
-else
-POLICYCOREUTILS_DEPENDENCIES += python
-POLICYCOREUTILS_MAKE_OPTS += PYLIBVER="python$(PYTHON_VERSION_MAJOR)"
-endif
-
-POLICYCOREUTILS_DEPENDENCIES += sepolgen checkpolicy
-POLICYCOREUTILS_MAKE_DIRS += audit2allow
-endif
+	secon semodule sestatus setfiles \
+	setsebool
 
 # We need to pass DESTDIR at build time because it's used by
 # policycoreutils build system to find headers and libraries.
@@ -112,10 +92,8 @@ endif
 
 # Note: We are only building the programs required by the refpolicy build
 HOST_POLICYCOREUTILS_MAKE_DIRS = \
-	load_policy semodule semodule_deps \
-	semodule_expand semodule_link \
-	semodule_package setfiles restorecond \
-	audit2allow scripts semanage sepolicy
+	load_policy semodule setfiles \
+	scripts semanage sepolicy
 
 define HOST_POLICYCOREUTILS_BUILD_CMDS
 	$(foreach d,$(HOST_POLICYCOREUTILS_MAKE_DIRS),
@@ -128,7 +106,6 @@ define HOST_POLICYCOREUTILS_INSTALL_CMDS
 		$(MAKE) -C $(@D)/$(d) $(HOST_POLICYCOREUTILS_MAKE_OPTS) install
 	)
 	# Fix python paths
-	$(SED) 's%/usr/bin/%$(HOST_DIR)/bin/%g' $(HOST_DIR)/bin/audit2allow
 	$(SED) 's%/usr/bin/%$(HOST_DIR)/bin/%g' $(HOST_DIR)/bin/sepolgen-ifgen
 	$(SED) 's%/usr/bin/%$(HOST_DIR)/bin/%g' $(HOST_DIR)/bin/sepolicy
 endef
-- 
2.13.6

[Buildroot] [PATCH 6/8] sepolgen: Remove package

[Adam Duskett]

sepolgen has been consolidated into the selinux-python package for version
2.7.

Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
---
 package/Config.in              |  1 -
 package/sepolgen/Config.in     | 19 ----------------
 package/sepolgen/sepolgen.hash |  2 --
 package/sepolgen/sepolgen.mk   | 49 ------------------------------------------
 4 files changed, 71 deletions(-)
 delete mode 100644 package/sepolgen/Config.in
 delete mode 100644 package/sepolgen/sepolgen.hash
 delete mode 100644 package/sepolgen/sepolgen.mk

diff --git a/package/Config.in b/package/Config.in
index 6f8564334d..b9c62de1f3 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1840,7 +1840,6 @@ menu "Security"
 	source "package/paxtest/Config.in"
 	source "package/policycoreutils/Config.in"
 	source "package/refpolicy/Config.in"
-	source "package/sepolgen/Config.in"
 	source "package/setools/Config.in"
 endmenu
 
diff --git a/package/sepolgen/Config.in b/package/sepolgen/Config.in
deleted file mode 100644
index 8dd90388c8..0000000000
--- a/package/sepolgen/Config.in
+++ /dev/null
@@ -1,19 +0,0 @@
-config BR2_PACKAGE_SEPOLGEN
-	bool "sepolgen"
-	depends on BR2_USE_WCHAR # python3
-	depends on BR2_USE_MMU # python3
-	depends on BR2_TOOLCHAIN_HAS_THREADS # python3
-	depends on !BR2_STATIC_LIBS # python3
-	select BR2_PACKAGE_PYTHON3 if !BR2_PACKAGE_PYTHON
-	help
-	  This package contains a Python module that forms the core of
-	  the modern audit2allow (which is a part of the package
-	  policycoreutils).  It contains infrastructure for parsing
-	  SELinux related messages as produced by the audit system.
-	  It has facilities for generating policy based on required
-	  access.
-
-comment "sepolgen needs a toolchain w/ wchar, threads, dynamic library"
-	depends on BR2_USE_MMU
-	depends on !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS || \
-		BR2_STATIC_LIBS
diff --git a/package/sepolgen/sepolgen.hash b/package/sepolgen/sepolgen.hash
deleted file mode 100644
index b338a7019f..0000000000
--- a/package/sepolgen/sepolgen.hash
+++ /dev/null
@@ -1,2 +0,0 @@
-# https://github.com/SELinuxProject/selinux/wiki/Releases
-sha256 6a327b1576d914e57ad796a541a7a9bcceefb14c445355559993de0fdb8e7a60  sepolgen-2.6.tar.gz
diff --git a/package/sepolgen/sepolgen.mk b/package/sepolgen/sepolgen.mk
deleted file mode 100644
index ab7f18d857..0000000000
--- a/package/sepolgen/sepolgen.mk
+++ /dev/null
@@ -1,49 +0,0 @@
-################################################################################
-#
-# sepolgen
-#
-################################################################################
-
-SEPOLGEN_VERSION = 2.6
-SEPOLGEN_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014
-SEPOLGEN_LICENSE = GPL-2.0
-SEPOLGEN_LICENSE_FILES = COPYING
-
-ifeq ($(BR2_PACKAGE_PYTHON3),y)
-SEPOLGEN_DEPENDENCIES = python3
-SEPOLGEN_MAKE_CMDS = $(TARGET_CONFIGURE_OPTS) \
-	PYTHONLIBDIR=/usr/lib/python$(PYTHON3_VERSION_MAJOR)/site-packages
-else
-SEPOLGEN_DEPENDENCIES = python
-SEPOLGEN_MAKE_CMDS = $(TARGET_CONFIGURE_OPTS) \
-	PYTHONLIBDIR=/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages
-endif
-
-define SEPOLGEN_BUILD_CMDS
-	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) $(TARGET_SEPOLGEN_MAKE_CMDS) DESTDIR=$(TARGET_DIR)
-endef
-
-define SEPOLGEN_INSTALL_TARGET_CMDS
-	$(MAKE_ENV) $(MAKE) -C $(@D) $(SEPOLGEN_MAKE_CMDS) DESTDIR=$(TARGET_DIR) install
-endef
-
-ifeq ($(BR2_PACKAGE_PYTHON3),y)
-HOST_SEPOLGEN_DEPENDENCIES = host-python3
-HOST_SEPOLGEN_MAKE_CMDS = $(HOST_CONFIGURE_OPTS) \
-	PYTHONLIBDIR=lib/python$(PYTHON3_VERSION_MAJOR)/site-packages
-else
-HOST_SEPOLGEN_DEPENDENCIES = host-python
-HOST_SEPOLGEN_MAKE_CMDS = $(HOST_CONFIGURE_OPTS) \
-	PYTHONLIBDIR=lib/python$(PYTHON_VERSION_MAJOR)/site-packages
-endif
-
-define HOST_SEPOLGEN_BUILD_CMDS
-	$(HOST_MAKE_ENV) $(MAKE) -C $(@D) $(HOST_SEPOLGEN_MAKE_CMDS) DESTDIR=$(HOST_DIR)
-endef
-
-define HOST_SEPOLGEN_INSTALL_CMDS
-	$(HOST_MAKE_ENV) $(MAKE) -C $(@D) $(HOST_SEPOLGEN_MAKE_CMDS) DESTDIR=$(HOST_DIR) install
-endef
-
-$(eval $(generic-package))
-$(eval $(host-generic-package))
-- 
2.13.6

[Buildroot] [PATCH 7/8] restorecond: new package

[Adam Duskett]

restorecond is now a seperate package released by the SELinux maintainers.

restorecond is a daemon that watches for file creation and then sets the
default SELinux file context for that file.

Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
---
 DEVELOPERS                           |  1 +
 package/Config.in                    |  1 +
 package/restorecond/Config.in        | 12 +++++++++
 package/restorecond/restorecond.hash |  2 ++
 package/restorecond/restorecond.mk   | 48 ++++++++++++++++++++++++++++++++++++
 5 files changed, 64 insertions(+)
 create mode 100644 package/restorecond/Config.in
 create mode 100644 package/restorecond/restorecond.hash
 create mode 100644 package/restorecond/restorecond.mk

diff --git a/DEVELOPERS b/DEVELOPERS
index f35d6f3688..18e878d8d5 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -41,6 +41,7 @@ F:	package/libsepol/
 F:	package/nginx-naxsi/
 F:	package/policycoreutils/
 F:	package/python-mutagen/
+F:	package/restorecond/
 F:	package/refpolicy/
 F:	package/sepolgen/
 F:	package/setools/
diff --git a/package/Config.in b/package/Config.in
index b9c62de1f3..c9677a460c 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1840,6 +1840,7 @@ menu "Security"
 	source "package/paxtest/Config.in"
 	source "package/policycoreutils/Config.in"
 	source "package/refpolicy/Config.in"
+	source "package/restorecond/Config.in"
 	source "package/setools/Config.in"
 endmenu
 
diff --git a/package/restorecond/Config.in b/package/restorecond/Config.in
new file mode 100644
index 0000000000..f9c3ebe6ba
--- /dev/null
+++ b/package/restorecond/Config.in
@@ -0,0 +1,12 @@
+config BR2_PACKAGE_RESTORECOND
+	bool "restorecond"
+	depends on BR2_PACKAGE_DBUS # dbus-glib
+	depends on BR2_USE_WCHAR # glib2
+	depends on BR2_TOOLCHAIN_HAS_THREADS # glib2
+	depends on BR2_USE_MMU # glib2
+	select BR2_PACKAGE_LIBSELINUX
+	select BR2_PACKAGE_DBUS_GLIB
+	select BR2_PACKAGE_LIBGLIB2
+	help
+	  restorecond is a daemon that watches for file creation and then sets the
+	  default SELinux file context for that file.
diff --git a/package/restorecond/restorecond.hash b/package/restorecond/restorecond.hash
new file mode 100644
index 0000000000..f52bbd2161
--- /dev/null
+++ b/package/restorecond/restorecond.hash
@@ -0,0 +1,2 @@
+# https://github.com/SELinuxProject/selinux/wiki/Releases
+sha256 cb8e0a8d706cb2c1f105125f3514dffffefcbcfb49199183a7f91ab0bdf1f24d restorecond-2.7.tar.gz
diff --git a/package/restorecond/restorecond.mk b/package/restorecond/restorecond.mk
new file mode 100644
index 0000000000..98ae3e7314
--- /dev/null
+++ b/package/restorecond/restorecond.mk
@@ -0,0 +1,48 @@
+################################################################################
+#
+# restorecond
+#
+################################################################################
+
+RESTORECOND_VERSION = 2.7
+RESTORECOND_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804
+RESTORECOND_LICENSE = GPL-2.0
+RESTORECOND_LICENSE_FILES = COPYING
+
+RESTORECOND_DEPENDENCIES = libglib2 libselinux dbus-glib
+
+RESTORECOND_MAKE_OPTS += \
+	$(TARGET_CONFIGURE_OPTS) \
+	CFLAGS="$(TARGET_CFLAGS) -U_FILE_OFFSET_BITS" \
+	CPPFLAGS="$(TARGET_CPPFLAGS) -U_FILE_OFFSET_BITS" \
+	ARCH="$(BR2_ARCH)"
+
+# We need to pass DESTDIR at build time because it's used by
+# RESTORECOND build system to find headers and libraries.
+define RESTORECOND_BUILD_CMDS
+	$(MAKE) -C $(@D) $(RESTORECOND_MAKE_OPTS) DESTDIR=$(STAGING_DIR) all
+endef
+
+define RESTORECOND_INSTALL_INIT_SYSV
+	$(INSTALL) -m 0755 -D $(@D)/restorecond.init \
+		$(TARGET_DIR)/etc/init.d/restorecond
+endef
+
+define RESTORECOND_INSTALL_INIT_SYSTEMD
+	$(INSTALL) -m 0644 -D $(@D)/restorecond.service \
+		$(TARGET_DIR)/usr/lib/systemd/system/restorecond.service
+		
+	$(INSTALL) -m 0600 -D $(@D)/org.selinux.Restorecond.service \
+		$(TARGET_DIR)/etc/systemd/system/org.selinux.Restorecond.service
+endef
+
+define RESTORECOND_INSTALL_TARGET_CMDS
+	$(INSTALL) -m 0644 -D $(@D)/restorecond.conf $(TARGET_DIR)/etc/selinux
+	$(INSTALL) -m 0644 -D $(@D)/restorecond_user.conf $(TARGET_DIR)/etc/selinux
+	$(INSTALL) -m 0755 -D $(@D)/restorecond $(TARGET_DIR)/usr/sbin
+endef
+
+
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
-- 
2.13.6

[Buildroot] [PATCH 8/8] selinux-python: new package

[Adam Duskett]

The python utilities that were previously in policycoreutils are now maintained
in a seperate package called selinux-python.  This package includes:

- audit2allow
- chcat
- semanage
- sepolgen
- sepolicy

Currently, only audit2allow and sepolgen are selectable.

Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
---
 DEVELOPERS                                 |  1 +
 package/Config.in                          |  1 +
 package/selinux-python/Config.in           | 47 ++++++++++++++++++++++++++
 package/selinux-python/selinux-python.hash |  2 ++
 package/selinux-python/selinux-python.mk   | 53 ++++++++++++++++++++++++++++++
 5 files changed, 104 insertions(+)
 create mode 100644 package/selinux-python/Config.in
 create mode 100644 package/selinux-python/selinux-python.hash
 create mode 100644 package/selinux-python/selinux-python.mk

diff --git a/DEVELOPERS b/DEVELOPERS
index 18e878d8d5..a44f87e47b 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -43,6 +43,7 @@ F:	package/policycoreutils/
 F:	package/python-mutagen/
 F:	package/restorecond/
 F:	package/refpolicy/
+F:	package/selinux-python/
 F:	package/sepolgen/
 F:	package/setools/
 F:	package/sngrep/
diff --git a/package/Config.in b/package/Config.in
index c9677a460c..0c7ed44177 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1841,6 +1841,7 @@ menu "Security"
 	source "package/policycoreutils/Config.in"
 	source "package/refpolicy/Config.in"
 	source "package/restorecond/Config.in"
+	source "package/selinux-python/Config.in"
 	source "package/setools/Config.in"
 endmenu
 
diff --git a/package/selinux-python/Config.in b/package/selinux-python/Config.in
new file mode 100644
index 0000000000..1078c4e792
--- /dev/null
+++ b/package/selinux-python/Config.in
@@ -0,0 +1,47 @@
+menuconfig BR2_PACKAGE_SELINUX_PYTHON
+	bool "SELinux Python packages"
+	help
+	  A set of SELinux tools written in python that help with
+	  managing a system with SELinux enabled.
+
+	  https://github.com/SELinuxProject/selinux/wiki
+
+if BR2_PACKAGE_SELINUX_PYTHON
+
+comment "packages"
+
+config BR2_PACKAGE_SELINUX_PYTHON_AUDIT2ALLOW
+	bool "audit2allow"
+	depends on BR2_USE_WCHAR # python3, sepolgen
+	depends on BR2_USE_MMU # python3, sepolgen
+	depends on BR2_TOOLCHAIN_HAS_THREADS # python3, sepolgen, checkpolicy
+	depends on !BR2_STATIC_LIBS # python3, sepolgen
+	depends on BR2_TOOLCHAIN_USES_GLIBC # checkpolicy
+	depends on !BR2_arc # checkpolicy
+	select BR2_PACKAGE_SEPOLGEN
+	select BR2_PACKAGE_CHECKPOLICY
+	select BR2_PACKAGE_PYTHON3 if !BR2_PACKAGE_PYTHON
+	help
+	  Enable audit2allow to be built
+
+config BR2_PACKAGE_SELINUX_PYTHON_SEPOLGEN
+	bool "sepolgen"
+	depends on BR2_USE_WCHAR # python3
+	depends on BR2_USE_MMU # python3
+	depends on BR2_TOOLCHAIN_HAS_THREADS # python3
+	depends on !BR2_STATIC_LIBS # python3
+	select BR2_PACKAGE_PYTHON3 if !BR2_PACKAGE_PYTHON
+	help
+	  This package contains a Python module that forms the core of
+	  the modern audit2allow (which is a part of the package
+	  policycoreutils).  It contains infrastructure for parsing
+	  SELinux related messages as produced by the audit system.
+	  It has facilities for generating policy based on required
+	  access.
+
+comment "sepolgen needs a toolchain w/ wchar, threads, dynamic library"
+	depends on BR2_USE_MMU
+	depends on !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS || \
+		BR2_STATIC_LIBS
+
+endif
diff --git a/package/selinux-python/selinux-python.hash b/package/selinux-python/selinux-python.hash
new file mode 100644
index 0000000000..42fe575e7b
--- /dev/null
+++ b/package/selinux-python/selinux-python.hash
@@ -0,0 +1,2 @@
+# https://github.com/SELinuxProject/selinux/wiki/Releases
+sha256 4217cb965ecda96c91e15ffcc2e7ddd13ecc2bf5631100f3cd072a7616f140ed selinux-python-2.7.tar.gz
diff --git a/package/selinux-python/selinux-python.mk b/package/selinux-python/selinux-python.mk
new file mode 100644
index 0000000000..2a141be9ab
--- /dev/null
+++ b/package/selinux-python/selinux-python.mk
@@ -0,0 +1,53 @@
+################################################################################
+#
+# selinux-python
+#
+################################################################################
+
+SELINUX_PYTHON_VERSION = 2.7
+SELINUX_PYTHON_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804
+SELINUX_PYTHON_LICENSE = GPL-2.0
+SELINUX_PYTHON_LICENSE_FILES = COPYING
+
+SELINUX_PYTHON_MAKE_OPTS += \
+	$(TARGET_CONFIGURE_OPTS) \
+	CFLAGS="$(TARGET_CFLAGS)" \
+	CPPFLAGS="$(TARGET_CPPFLAGS)" \
+	ARCH="$(BR2_ARCH)" \
+	LIBDIR="$(STAGING_DIR)/usr/lib"
+
+ifeq ($(BR2_PACKAGE_PYTHON3),y)
+HOST_SELINUX_PYTHON_DEPENDENCIES += host-python3
+HOST_SELINUX_PYTHON_MAKE_OPTS += \
+	PYLIBVER="python$(PYTHON3_VERSION_MAJOR)"
+else
+HOST_SELINUX_PYTHON_DEPENDENCIES += host-python
+HOST_SELINUX_PYTHON_MAKE_OPTS += \
+	PYLIBVER="python$(PYTHON_VERSION_MAJOR)"
+endif
+
+ifeq ($(BR2_PACKAGE_SELINUX_PYTHON_AUDIT2ALLOW),y)
+SELINUX_PYTHON_DEPENDENCIES += checkpolicy
+SELINUX_PYTHON_MAKE_DIRS += audit2allow
+
+endif
+
+ifeq ($(BR2_PACKAGE_SELINUX_PYTHON_SEPOLGEN),y)
+SELINUX_PYTHON_MAKE_DIRS += sepolgen/src/sepolgen
+endif
+
+define SELINUX_PYTHON_BUILD_CMDS
+	$(foreach d,$(SELINUX_PYTHON_MAKE_DIRS),
+		$(MAKE) -C $(@D)/$(d) $(SELINUX_PYTHON_MAKE_OPTS) \
+			DESTDIR=$(STAGING_DIR) all
+	)
+endef
+
+define SELINUX_PYTHON_INSTALL_TARGET_CMDS
+	$(foreach d,$(SELINUX_PYTHON_MAKE_DIRS),
+		$(MAKE) -C $(@D)/$(d) $(SELINUX_PYTHON_MAKE_OPTS) \
+			DESTDIR=$(TARGET_DIR) install
+	)
+endef
+
+$(eval $(generic-package))
-- 
2.13.6

[Buildroot] [PATCH 6/8] sepolgen: Remove package

[Arnout Vandecappelle]

 Hi Adam,

On 10-10-17 00:27, Adam Duskett wrote:
> sepolgen has been consolidated into the selinux-python package for version
> 2.7.

 We want people to be able to upgrade their Buildroot by doing:

git pull
make menuconfig

i.e. they should not loose any package that they previously had.

 In this case, people who previously had sepolgen selected will now NOT have it
anymore if they didn't have selinux-python selected.

 Therefore, you need to create an entry in Config.in.legacy that selects
selinux-python. Its help text should have what you had in the commit message here.


 Regards,
 Arnout

> 
> Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
> ---
>  package/Config.in              |  1 -
>  package/sepolgen/Config.in     | 19 ----------------
>  package/sepolgen/sepolgen.hash |  2 --
>  package/sepolgen/sepolgen.mk   | 49 ------------------------------------------
>  4 files changed, 71 deletions(-)
>  delete mode 100644 package/sepolgen/Config.in
>  delete mode 100644 package/sepolgen/sepolgen.hash
>  delete mode 100644 package/sepolgen/sepolgen.mk

[snip]

-- 
Arnout Vandecappelle                          arnout at mind be
Senior Embedded Software Architect            +32-16-286500
Essensium/Mind                                http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium           BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint:  7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF

[Buildroot] [PATCH 5/8] policycoreutils: bump to 2.7

[Arnout Vandecappelle]

 Hi Adam,

On 10-10-17 00:27, Adam Duskett wrote:
> Policycoreutils was broken up into several packages, as such several
> changes needed to happen for this patch to work:
> 
> - Remove patches 3, 4, and 5 as they no longer apply.
> - Refresh patches 1 and 2 to work with version 2.7
> - Remove semodule_${deps,expand,link,package} and sestatus from the makedirs
>   in the mk file.
> - Remove restorecond from the make and config file. (Seperate package)
> - Remove Audit2allow from the make and config file. (In a different package)

 Like for sepolgen, you'll need to create Config.in.legacy entries for those two.

 Obviously that implies that the order of the patches should be different as
well: selinux-python and restorecond must come before this one.

> Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
> ---
>  ...IR-to-all-paths-that-use-an-absolute-path.patch | 121 ++-----------
>  .../0002-Add-PREFIX-to-host-paths.patch            | 200 ++++-----------------
>  .../0003-Remove-hardcoded-arch-variable.patch      |  43 -----
>  ...licy-python-install-arguments-to-be-a-var.patch |  42 -----
>  .../0005-Check-to-see-if-DBUS-is-enabled.patch     |  56 ------
>  package/policycoreutils/Config.in                  |  43 -----
>  package/policycoreutils/policycoreutils.hash       |   2 +-
>  package/policycoreutils/policycoreutils.mk         |  35 +---
>  8 files changed, 51 insertions(+), 491 deletions(-)
>  delete mode 100644 package/policycoreutils/0003-Remove-hardcoded-arch-variable.patch
>  delete mode 100644 package/policycoreutils/0004-Change-sepolicy-python-install-arguments-to-be-a-var.patch
>  delete mode 100644 package/policycoreutils/0005-Check-to-see-if-DBUS-is-enabled.patch
> 
> diff --git a/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
> index bbd6895e7f..3c1610f7a2 100644
> --- a/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
> +++ b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
> @@ -1,3 +1,8 @@
> +From 85763549c53b2907dab094163f1404b2233f8029 Mon Sep 17 00:00:00 2001
> +From: Adam Duskett <Adamduskett@outlook.com>
> +Date: Mon, 9 Oct 2017 16:51:20 -0400
> +Subject: [PATCH] Add DESTDIR to setfiles
> +
>  The addition of this patch makes the use of DESTDIR
>  mandatory as there are conditional checks which would fail if it's not
>  defined.
> @@ -9,123 +14,25 @@ Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>  Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>
>  Signed-off-by: Adam Duskett <AdamDuskett@outlook.com>
>  Signed-off-by: Adam Duskett <Aduskett@gmail.com>
> +refresh for 2.7

 We normally format this like so:

[Adam: refresh for 2.7]

 However, since you're already the author of this patch, it's not required.
Also, there is no need to repeat your Sob 3 times, just one is sufficient.

> +Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
>  ---
> - policycoreutils/Makefile             | 2 +-
> - policycoreutils/newrole/Makefile     | 4 ++--
> - policycoreutils/restorecond/Makefile | 5 +++--
> - policycoreutils/run_init/Makefile    | 4 ++--
> - policycoreutils/sepolicy/Makefile    | 2 +-
> - policycoreutils/sestatus/Makefile    | 2 +-

 So they fixed things in all these other Makefiles? Great!

> - policycoreutils/setfiles/Makefile    | 4 ++--
> - 7 files changed, 12 insertions(+), 11 deletions(-)
> + setfiles/Makefile | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
[snip]
> diff --git a/package/policycoreutils/0002-Add-PREFIX-to-host-paths.patch b/package/policycoreutils/0002-Add-PREFIX-to-host-paths.patch
> index 56aae74ba0..440923dd58 100644
> --- a/package/policycoreutils/0002-Add-PREFIX-to-host-paths.patch
> +++ b/package/policycoreutils/0002-Add-PREFIX-to-host-paths.patch
> @@ -1,6 +1,6 @@
> -From 7f99a727cdb8160d49bb0d0554fc88787980c971 Mon Sep 17 00:00:00 2001
> -From: Adam Duskett <Aduskett@gmail.com>
> -Date: Thu, 14 Jul 2016 13:16:03 -0400
> +From a221304344b3f9db7e86d928cf97d77542bcf456 Mon Sep 17 00:00:00 2001
> +From: Adam Duskett <Adamduskett@outlook.com>
> +Date: Mon, 9 Oct 2017 16:47:19 -0400
>  Subject: [PATCH] Add PREFIX to host paths
>  
>  Updates the remaining hardcoded host paths used in the build to be
> @@ -11,201 +11,61 @@ Updated to work with version 2.5
>  Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>  Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>
>  Signed-off-by: Adam Duskett <AdamDuskett@outlook.com>
> -Signed-off-by: Adam Duskett <Aduskett@gmail.com>
> +refresh for 2.7
> +Signed-off-by: Adam Duskett <Adamduskett@outlook.com>

 Same comments here, of course.

 Regards,
 Arnout

[snip]

-- 
Arnout Vandecappelle                          arnout at mind be
Senior Embedded Software Architect            +32-16-286500
Essensium/Mind                                http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium           BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint:  7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF

[Buildroot] [PATCH 7/8] restorecond: new package

[Arnout Vandecappelle]

On 10-10-17 00:27, Adam Duskett wrote:
> restorecond is now a seperate package released by the SELinux maintainers.
> 
> restorecond is a daemon that watches for file creation and then sets the
> default SELinux file context for that file.
> 
> Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
[snip]
> +config BR2_PACKAGE_RESTORECOND
> +	bool "restorecond"
> +	depends on BR2_PACKAGE_DBUS # dbus-glib
> +	depends on BR2_USE_WCHAR # glib2
> +	depends on BR2_TOOLCHAIN_HAS_THREADS # glib2
> +	depends on BR2_USE_MMU # glib2
> +	select BR2_PACKAGE_LIBSELINUX
> +	select BR2_PACKAGE_DBUS_GLIB
> +	select BR2_PACKAGE_LIBGLIB2
> +	help
> +	  restorecond is a daemon that watches for file creation and then sets the

 This line is too long. Did you run check_package?

> +	  default SELinux file context for that file.
[snip]
> +RESTORECOND_DEPENDENCIES = libglib2 libselinux dbus-glib
> +
> +RESTORECOND_MAKE_OPTS += \
> +	$(TARGET_CONFIGURE_OPTS) \
> +	CFLAGS="$(TARGET_CFLAGS) -U_FILE_OFFSET_BITS" \

 You should carry over the comment about _FILE_OFFSET_BITS.

> +	CPPFLAGS="$(TARGET_CPPFLAGS) -U_FILE_OFFSET_BITS" \
> +	ARCH="$(BR2_ARCH)"
> +
> +# We need to pass DESTDIR at build time because it's used by
> +# RESTORECOND build system to find headers and libraries.
     restorecond (lower case)


 Regards,
 Arnout

> +define RESTORECOND_BUILD_CMDS
> +	$(MAKE) -C $(@D) $(RESTORECOND_MAKE_OPTS) DESTDIR=$(STAGING_DIR) all
> +endef
> +
> +define RESTORECOND_INSTALL_INIT_SYSV
> +	$(INSTALL) -m 0755 -D $(@D)/restorecond.init \
> +		$(TARGET_DIR)/etc/init.d/restorecond
> +endef
> +
> +define RESTORECOND_INSTALL_INIT_SYSTEMD
> +	$(INSTALL) -m 0644 -D $(@D)/restorecond.service \
> +		$(TARGET_DIR)/usr/lib/systemd/system/restorecond.service
> +		
> +	$(INSTALL) -m 0600 -D $(@D)/org.selinux.Restorecond.service \
> +		$(TARGET_DIR)/etc/systemd/system/org.selinux.Restorecond.service
> +endef
> +
> +define RESTORECOND_INSTALL_TARGET_CMDS
> +	$(INSTALL) -m 0644 -D $(@D)/restorecond.conf $(TARGET_DIR)/etc/selinux
> +	$(INSTALL) -m 0644 -D $(@D)/restorecond_user.conf $(TARGET_DIR)/etc/selinux
> +	$(INSTALL) -m 0755 -D $(@D)/restorecond $(TARGET_DIR)/usr/sbin
> +endef
> +
> +
> +
> +$(eval $(generic-package))
> +$(eval $(host-generic-package))
> 

-- 
Arnout Vandecappelle                          arnout at mind be
Senior Embedded Software Architect            +32-16-286500
Essensium/Mind                                http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium           BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint:  7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF

[Buildroot] [PATCH 8/8] selinux-python: new package

[Arnout Vandecappelle]

On 10-10-17 00:27, Adam Duskett wrote:
> The python utilities that were previously in policycoreutils are now maintained
                                                              ^ and sepolgen

> in a seperate package called selinux-python.  This package includes:
> 
> - audit2allow
> - chcat
> - semanage
> - sepolgen
> - sepolicy
> 
> Currently, only audit2allow and sepolgen are selectable.
> 
> Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
[snip]
> diff --git a/package/selinux-python/Config.in b/package/selinux-python/Config.in
> new file mode 100644
> index 0000000000..1078c4e792
> --- /dev/null
> +++ b/package/selinux-python/Config.in
> @@ -0,0 +1,47 @@
> +menuconfig BR2_PACKAGE_SELINUX_PYTHON
> +	bool "SELinux Python packages"
> +	help
> +	  A set of SELinux tools written in python that help with
> +	  managing a system with SELinux enabled.

 Since nothing will be built unless one of the tools is selected, this should
probably be mentioned in the help text.

> +
> +	  https://github.com/SELinuxProject/selinux/wiki
> +
> +if BR2_PACKAGE_SELINUX_PYTHON
> +
> +comment "packages"
> +
> +config BR2_PACKAGE_SELINUX_PYTHON_AUDIT2ALLOW
> +	bool "audit2allow"
> +	depends on BR2_USE_WCHAR # python3, sepolgen
> +	depends on BR2_USE_MMU # python3, sepolgen
> +	depends on BR2_TOOLCHAIN_HAS_THREADS # python3, sepolgen, checkpolicy
> +	depends on !BR2_STATIC_LIBS # python3, sepolgen
> +	depends on BR2_TOOLCHAIN_USES_GLIBC # checkpolicy
> +	depends on !BR2_arc # checkpolicy
> +	select BR2_PACKAGE_SEPOLGEN

 Didn't you just remove sepolgen?

> +	select BR2_PACKAGE_CHECKPOLICY
> +	select BR2_PACKAGE_PYTHON3 if !BR2_PACKAGE_PYTHON

 This is more appropriate to move up to the BR2_PACKAGE_SELINUX_PYTHON level.
And then the python dependencies as well. The sepolgen comments are actually not
relevant any more since sepolgen is now part of this package.

 You should then also have a global comment for when selinux-python is not
available, and an additional comment for when audit2allow is not available.

 However, let's take a step back here: is it really useful to have separate
options for the different tools? Isn't it easier to just install everything,
excluding audit2allow if checkpolicy is not selected? Or is there a significant
size difference?

> +	help
> +	  Enable audit2allow to be built
> +
> +config BR2_PACKAGE_SELINUX_PYTHON_SEPOLGEN
> +	bool "sepolgen"
> +	depends on BR2_USE_WCHAR # python3
> +	depends on BR2_USE_MMU # python3
> +	depends on BR2_TOOLCHAIN_HAS_THREADS # python3
> +	depends on !BR2_STATIC_LIBS # python3
> +	select BR2_PACKAGE_PYTHON3 if !BR2_PACKAGE_PYTHON
> +	help
> +	  This package contains a Python module that forms the core of
> +	  the modern audit2allow (which is a part of the package
> +	  policycoreutils).

 No it's not, it's part of this package...

>  It contains infrastructure for parsing
> +	  SELinux related messages as produced by the audit system.
> +	  It has facilities for generating policy based on required
> +	  access.
> +
> +comment "sepolgen needs a toolchain w/ wchar, threads, dynamic library"
> +	depends on BR2_USE_MMU
> +	depends on !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS || \
> +		BR2_STATIC_LIBS
> +
> +endif
> diff --git a/package/selinux-python/selinux-python.hash b/package/selinux-python/selinux-python.hash
> new file mode 100644
> index 0000000000..42fe575e7b
> --- /dev/null
> +++ b/package/selinux-python/selinux-python.hash
> @@ -0,0 +1,2 @@
> +# https://github.com/SELinuxProject/selinux/wiki/Releases
> +sha256 4217cb965ecda96c91e15ffcc2e7ddd13ecc2bf5631100f3cd072a7616f140ed selinux-python-2.7.tar.gz
> diff --git a/package/selinux-python/selinux-python.mk b/package/selinux-python/selinux-python.mk
> new file mode 100644
> index 0000000000..2a141be9ab
> --- /dev/null
> +++ b/package/selinux-python/selinux-python.mk
> @@ -0,0 +1,53 @@
> +################################################################################
> +#
> +# selinux-python
> +#
> +################################################################################
> +
> +SELINUX_PYTHON_VERSION = 2.7
> +SELINUX_PYTHON_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804
> +SELINUX_PYTHON_LICENSE = GPL-2.0
> +SELINUX_PYTHON_LICENSE_FILES = COPYING
> +
> +SELINUX_PYTHON_MAKE_OPTS += \
> +	$(TARGET_CONFIGURE_OPTS) \
> +	CFLAGS="$(TARGET_CFLAGS)" \
> +	CPPFLAGS="$(TARGET_CPPFLAGS)" \

 These two are already part of TARGET_CONFIGURE_OPTS so they shouldn't be needed.

> +	ARCH="$(BR2_ARCH)" \
> +	LIBDIR="$(STAGING_DIR)/usr/lib"
> +
> +ifeq ($(BR2_PACKAGE_PYTHON3),y)
> +HOST_SELINUX_PYTHON_DEPENDENCIES += host-python3
> +HOST_SELINUX_PYTHON_MAKE_OPTS += \
> +	PYLIBVER="python$(PYTHON3_VERSION_MAJOR)"

 There is no host-selinux-python, you only enable a target package here... And
you'd probably need this for the target package, no? Well, probably you don't or
you would have noticed, so possibly this is redundant?

 Hm, actually, there was a host-sepolgen so you should probably have a
host-selinux-python as well.


 Regards,
 Arnout

> +else
> +HOST_SELINUX_PYTHON_DEPENDENCIES += host-python
> +HOST_SELINUX_PYTHON_MAKE_OPTS += \
> +	PYLIBVER="python$(PYTHON_VERSION_MAJOR)"
> +endif
> +
> +ifeq ($(BR2_PACKAGE_SELINUX_PYTHON_AUDIT2ALLOW),y)
> +SELINUX_PYTHON_DEPENDENCIES += checkpolicy
> +SELINUX_PYTHON_MAKE_DIRS += audit2allow
> +
> +endif
> +
> +ifeq ($(BR2_PACKAGE_SELINUX_PYTHON_SEPOLGEN),y)
> +SELINUX_PYTHON_MAKE_DIRS += sepolgen/src/sepolgen
> +endif
> +
> +define SELINUX_PYTHON_BUILD_CMDS
> +	$(foreach d,$(SELINUX_PYTHON_MAKE_DIRS),
> +		$(MAKE) -C $(@D)/$(d) $(SELINUX_PYTHON_MAKE_OPTS) \
> +			DESTDIR=$(STAGING_DIR) all
> +	)
> +endef
> +
> +define SELINUX_PYTHON_INSTALL_TARGET_CMDS
> +	$(foreach d,$(SELINUX_PYTHON_MAKE_DIRS),
> +		$(MAKE) -C $(@D)/$(d) $(SELINUX_PYTHON_MAKE_OPTS) \
> +			DESTDIR=$(TARGET_DIR) install
> +	)
> +endef
> +
> +$(eval $(generic-package))
> 

-- 
Arnout Vandecappelle                          arnout at mind be
Senior Embedded Software Architect            +32-16-286500
Essensium/Mind                                http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium           BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint:  7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF

[Buildroot] [PATCH 1/8] libselinux: bump to 2.7

[Arnout Vandecappelle]

 Hi Adam,

On 10-10-17 00:27, Adam Duskett wrote:
> remove patch as it's in this release.
> 
> Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
[snip]
> -LIBSELINUX_VERSION = 2.6
> -LIBSELINUX_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014
> +LIBSELINUX_VERSION = 2.7
> +LIBSELINUX_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804

 You update all the individual packages in separate patches, which is excellent
for review. However, I wonder if it is really possible to update just one of
them without updating the rest. Does libselinux-2.7 work with libsepol-2.7?

 If not, we should probably squash all patches into one single patch while
applying. Thomas, Peter, do you agree?

 With that in mind, it would probably be useful to define a global
SELINUX_VERSION and SELINUX_SITE that is used in all those packages. Then
updating is only possible with all packages combined, which is harder to review
but probably what we want anyway. Making this global SELINUX_VERSION and
SELINUX_SITE can be done independently of this series later.

 Regards,
 Arnout

>  LIBSELINUX_LICENSE = Public Domain
>  LIBSELINUX_LICENSE_FILES = LICENSE
>  
> 

-- 
Arnout Vandecappelle                          arnout at mind be
Senior Embedded Software Architect            +32-16-286500
Essensium/Mind                                http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium           BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint:  7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF

[Buildroot] [PATCH 1/8] libselinux: bump to 2.7

[Thomas Petazzoni]

Hello,

On Tue, 10 Oct 2017 02:47:59 +0200, Arnout Vandecappelle wrote:

>  You update all the individual packages in separate patches, which is excellent
> for review. However, I wonder if it is really possible to update just one of
> them without updating the rest. Does libselinux-2.7 work with libsepol-2.7?
> 
>  If not, we should probably squash all patches into one single patch while
> applying. Thomas, Peter, do you agree?

I don't really have a strong opinion. I think it's sometimes hard to
achieve both full bisectability and fine-grained patches.

In the same vein, in your review of comment PATCH 5/8 on
policycoreutils, you rightfully tell Adam that the patch adding the new
restorecond should come *before* the bump of policycoreutils that drops
the built-in restorecond functionality. This is obviously correct, but
it means that there is a step where you have both the new restorecond
package and the old policycoreutils package, possibly stepping on each
other, or maybe even with restorecond not building (because it needs
the newer version of policycoreutils or something).

So, it's probably hard to have something that is both easy to review
(fine-grained patches) and bisectable (one big patch).

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com

[Buildroot] [PATCH 1/8] libselinux: bump to 2.7

[Arnout Vandecappelle]

On 10-10-17 10:35, Thomas Petazzoni wrote:
> Hello,
> 
> On Tue, 10 Oct 2017 02:47:59 +0200, Arnout Vandecappelle wrote:
> 
>>  You update all the individual packages in separate patches, which is excellent
>> for review. However, I wonder if it is really possible to update just one of
>> them without updating the rest. Does libselinux-2.7 work with libsepol-2.7?
>>
>>  If not, we should probably squash all patches into one single patch while
>> applying. Thomas, Peter, do you agree?
> 
> I don't really have a strong opinion. I think it's sometimes hard to
> achieve both full bisectability and fine-grained patches.
> 
> In the same vein, in your review of comment PATCH 5/8 on
> policycoreutils, you rightfully tell Adam that the patch adding the new
> restorecond should come *before* the bump of policycoreutils that drops
> the built-in restorecond functionality. This is obviously correct, but
> it means that there is a step where you have both the new restorecond
> package and the old policycoreutils package, possibly stepping on each
> other, or maybe even with restorecond not building (because it needs
> the newer version of policycoreutils or something).
> 
> So, it's probably hard to have something that is both easy to review
> (fine-grained patches) and bisectable (one big patch).

 For such situations, I would prefer if they were fine-grained patches but with
a cover letter explaining that they should be squashed. Perhaps also a subject
line that clarifies that, maybe even using the interactive autorebase format
("fixup: subject line of the first patch"). And of course the first patch should
have the full final commit log.

 I don't mind big patches in the history. Big patches on the list are not so
nice. They tend to never get reviewed.

 That said, I'm not such a sucker for bisectability anyway. Bisecting is rarely
useful in Buildroot, since you usually know pretty well which commits may have
broken things (and AFAIK git bisect has no option to specify "only consider
patches affecting these subdirs"). And when it's a series anyway, it's pretty
unlikely that the bisect gets stuck in the middle of the series.

 So possibly the least effort approach is: fine-grained patches, don't comment
on their bisectability, and committer may squash if they feel like it.

 So Adam, you can ignore my comments about the order of patches. You'll still
have to correct the legacy stuff however.

 Regards,
 Arnout

-- 
Arnout Vandecappelle                          arnout at mind be
Senior Embedded Software Architect            +32-16-286500
Essensium/Mind                                http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium           BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint:  7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF

[Buildroot] [PATCH 8/8] selinux-python: new package

[Adam Duskett]

Hey Arnout

On Mon, Oct 9, 2017 at 8:42 PM, Arnout Vandecappelle <arnout@mind.be> wrote:
>
>
> On 10-10-17 00:27, Adam Duskett wrote:
>> The python utilities that were previously in policycoreutils are now maintained
>                                                               ^ and sepolgen
>
>> in a seperate package called selinux-python.  This package includes:
>>
>> - audit2allow
>> - chcat
>> - semanage
>> - sepolgen
>> - sepolicy
>>
>> Currently, only audit2allow and sepolgen are selectable.
>>
>> Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
> [snip]
>> diff --git a/package/selinux-python/Config.in b/package/selinux-python/Config.in
>> new file mode 100644
>> index 0000000000..1078c4e792
>> --- /dev/null
>> +++ b/package/selinux-python/Config.in
>> @@ -0,0 +1,47 @@
>> +menuconfig BR2_PACKAGE_SELINUX_PYTHON
>> +     bool "SELinux Python packages"
>> +     help
>> +       A set of SELinux tools written in python that help with
>> +       managing a system with SELinux enabled.
>
>  Since nothing will be built unless one of the tools is selected, this should
> probably be mentioned in the help text.
>
Fair enough!

>> +
>> +       https://github.com/SELinuxProject/selinux/wiki
>> +
>> +if BR2_PACKAGE_SELINUX_PYTHON
>> +
>> +comment "packages"
>> +
>> +config BR2_PACKAGE_SELINUX_PYTHON_AUDIT2ALLOW
>> +     bool "audit2allow"
>> +     depends on BR2_USE_WCHAR # python3, sepolgen
>> +     depends on BR2_USE_MMU # python3, sepolgen
>> +     depends on BR2_TOOLCHAIN_HAS_THREADS # python3, sepolgen, checkpolicy
>> +     depends on !BR2_STATIC_LIBS # python3, sepolgen
>> +     depends on BR2_TOOLCHAIN_USES_GLIBC # checkpolicy
>> +     depends on !BR2_arc # checkpolicy
>> +     select BR2_PACKAGE_SEPOLGEN
>
>  Didn't you just remove sepolgen?
>
Gah! So many packages! Just a typo, will fix.

>> +     select BR2_PACKAGE_CHECKPOLICY
>> +     select BR2_PACKAGE_PYTHON3 if !BR2_PACKAGE_PYTHON
>
>  This is more appropriate to move up to the BR2_PACKAGE_SELINUX_PYTHON level.
> And then the python dependencies as well. The sepolgen comments are actually not
> relevant any more since sepolgen is now part of this package.
>
>  You should then also have a global comment for when selinux-python is not
> available, and an additional comment for when audit2allow is not available.
>
Can do.

>  However, let's take a step back here: is it really useful to have separate
> options for the different tools? Isn't it easier to just install everything,
> excluding audit2allow if checkpolicy is not selected? Or is there a significant
> size difference?
>
It's not about the size difference.  When it comes to security, and
specifically about SELinux,
some people might not want all of these things enabled.  I also
wouldn't want all of these
tools and packages installed if I don't need them.  The extra logic is
minimal, and currently,
we only have audit2allow and sepolgen anyways.  If a end user was to
do a "git pull" and run
"make" after that, I wouldn't want a bunch of extra packages I didn't
select being installed on
my filing system.

>> +     help
>> +       Enable audit2allow to be built
>> +
>> +config BR2_PACKAGE_SELINUX_PYTHON_SEPOLGEN
>> +     bool "sepolgen"
>> +     depends on BR2_USE_WCHAR # python3
>> +     depends on BR2_USE_MMU # python3
>> +     depends on BR2_TOOLCHAIN_HAS_THREADS # python3
>> +     depends on !BR2_STATIC_LIBS # python3
>> +     select BR2_PACKAGE_PYTHON3 if !BR2_PACKAGE_PYTHON
>> +     help
>> +       This package contains a Python module that forms the core of
>> +       the modern audit2allow (which is a part of the package
>> +       policycoreutils).
>
>  No it's not, it's part of this package...
>
>>  It contains infrastructure for parsing
>> +       SELinux related messages as produced by the audit system.
>> +       It has facilities for generating policy based on required
>> +       access.
>> +
>> +comment "sepolgen needs a toolchain w/ wchar, threads, dynamic library"
>> +     depends on BR2_USE_MMU
>> +     depends on !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS || \
>> +             BR2_STATIC_LIBS
>> +
>> +endif
>> diff --git a/package/selinux-python/selinux-python.hash b/package/selinux-python/selinux-python.hash
>> new file mode 100644
>> index 0000000000..42fe575e7b
>> --- /dev/null
>> +++ b/package/selinux-python/selinux-python.hash
>> @@ -0,0 +1,2 @@
>> +# https://github.com/SELinuxProject/selinux/wiki/Releases
>> +sha256 4217cb965ecda96c91e15ffcc2e7ddd13ecc2bf5631100f3cd072a7616f140ed selinux-python-2.7.tar.gz
>> diff --git a/package/selinux-python/selinux-python.mk b/package/selinux-python/selinux-python.mk
>> new file mode 100644
>> index 0000000000..2a141be9ab
>> --- /dev/null
>> +++ b/package/selinux-python/selinux-python.mk
>> @@ -0,0 +1,53 @@
>> +################################################################################
>> +#
>> +# selinux-python
>> +#
>> +################################################################################
>> +
>> +SELINUX_PYTHON_VERSION = 2.7
>> +SELINUX_PYTHON_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804
>> +SELINUX_PYTHON_LICENSE = GPL-2.0
>> +SELINUX_PYTHON_LICENSE_FILES = COPYING
>> +
>> +SELINUX_PYTHON_MAKE_OPTS += \
>> +     $(TARGET_CONFIGURE_OPTS) \
>> +     CFLAGS="$(TARGET_CFLAGS)" \
>> +     CPPFLAGS="$(TARGET_CPPFLAGS)" \
>
>  These two are already part of TARGET_CONFIGURE_OPTS so they shouldn't be needed.
>
>> +     ARCH="$(BR2_ARCH)" \
>> +     LIBDIR="$(STAGING_DIR)/usr/lib"
>> +
>> +ifeq ($(BR2_PACKAGE_PYTHON3),y)
>> +HOST_SELINUX_PYTHON_DEPENDENCIES += host-python3
>> +HOST_SELINUX_PYTHON_MAKE_OPTS += \
>> +     PYLIBVER="python$(PYTHON3_VERSION_MAJOR)"
>
>  There is no host-selinux-python, you only enable a target package here... And
> you'd probably need this for the target package, no? Well, probably you don't or
> you would have noticed, so possibly this is redundant?
>
>  Hm, actually, there was a host-sepolgen so you should probably have a
> host-selinux-python as well.
>
Yeah, I will make sure host-selinux-python is added.
>
>  Regards,
>  Arnout
>
>> +else
>> +HOST_SELINUX_PYTHON_DEPENDENCIES += host-python
>> +HOST_SELINUX_PYTHON_MAKE_OPTS += \
>> +     PYLIBVER="python$(PYTHON_VERSION_MAJOR)"
>> +endif
>> +
>> +ifeq ($(BR2_PACKAGE_SELINUX_PYTHON_AUDIT2ALLOW),y)
>> +SELINUX_PYTHON_DEPENDENCIES += checkpolicy
>> +SELINUX_PYTHON_MAKE_DIRS += audit2allow
>> +
>> +endif
>> +
>> +ifeq ($(BR2_PACKAGE_SELINUX_PYTHON_SEPOLGEN),y)
>> +SELINUX_PYTHON_MAKE_DIRS += sepolgen/src/sepolgen
>> +endif
>> +
>> +define SELINUX_PYTHON_BUILD_CMDS
>> +     $(foreach d,$(SELINUX_PYTHON_MAKE_DIRS),
>> +             $(MAKE) -C $(@D)/$(d) $(SELINUX_PYTHON_MAKE_OPTS) \
>> +                     DESTDIR=$(STAGING_DIR) all
>> +     )
>> +endef
>> +
>> +define SELINUX_PYTHON_INSTALL_TARGET_CMDS
>> +     $(foreach d,$(SELINUX_PYTHON_MAKE_DIRS),
>> +             $(MAKE) -C $(@D)/$(d) $(SELINUX_PYTHON_MAKE_OPTS) \
>> +                     DESTDIR=$(TARGET_DIR) install
>> +     )
>> +endef
>> +
>> +$(eval $(generic-package))
>>
>
> --
> Arnout Vandecappelle                          arnout at mind be
> Senior Embedded Software Architect            +32-16-286500
> Essensium/Mind                                http://www.mind.be
> G.Geenslaan 9, 3001 Leuven, Belgium           BE 872 984 063 RPR Leuven
> LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
> GPG fingerprint:  7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF

[Buildroot] [PATCH 1/8] libselinux: bump to 2.7

[Peter Korsgaard]

>>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes:

Hi,

 >  That said, I'm not such a sucker for bisectability anyway. Bisecting is rarely
 > useful in Buildroot, since you usually know pretty well which commits may have
 > broken things (and AFAIK git bisect has no option to specify "only consider
 > patches affecting these subdirs"). And when it's a series anyway, it's pretty
 > unlikely that the bisect gets stuck in the middle of the series.

Actually it does: git bisect start -- <paths>

 >  So possibly the least effort approach is: fine-grained patches, don't comment
 > on their bisectability, and committer may squash if they feel like it.

Agreed.

-- 
Bye, Peter Korsgaard