* [Buildroot] [PATCH v8 00/16] SELinux Buildroot Additions
@ 2015-07-10 23:27 Clayton Shotwell
From: Clayton Shotwell @ 2015-07-10 23:27 UTC (permalink / raw)
  To: buildroot

### High-level updates in v8 of these patches
 * Dropped several patches because they have been committed already
 * Refactored the policycoreutils patch to make it more upstreamable
 * Added a new patch to add the audit package startup script, which
   was removed from the audit package before it was committed due to
   issues
 * Corrected various minor issues in many other patches

### What's SELinux?

Security-Enhanced Linux (SELinux) is a Linux feature that provides
a variety of security policies, including U.S. Department of Defense
style mandatory access controls (MAC), through the use of Linux
Security Modules (LSM) in the Linux kernel. It is not a Linux
distribution, but rather a set of modifications that can be applied
to Unix-like operating systems, such as Linux and BSD.

Running SELinux under a Linux distribution requires three things:
An SELinux enabled kernel, SELinux Userspace tools and libraries,
and SELinux Policies (mostly based on the Reference Policy). Some
common Linux programs will also need to be patched/compiled with
SELinux features. (Credit Archlinux wiki)

### What's in this patchset?

This patchset adds the required userspace tools, libraries, example
QEMU target, existing package modifications, and initial policy
to Buildroot.
The design approach took a minimalist view to the selinux capability.
The necessary packages have been added but all the ways in which they
could be used (target vs host) are not exposed. One example is
the audit2allow framework that requires python. This is currently
set up for "host only use" to post-analyze audit service output. It
could also be set up for target use but it would require the target
to have python and other supporting libs present.
Another aspect that utilized known SELinux capable applications
was for init and logging. We chose to use sysvinit and rsyslog
instead of the busybox applet version. This simplified getting
this initial configuration pulled together.
Lastly, the building of libselinux was limited to a set of
architectures and libraries that have been tested. An area for
future work will be to enable broader use.

Some references to help with the review of this patchset.
Arch and Gentoo implementation and design details:
  https://wiki.archlinux.org/index.php/SELinux
  http://wiki.gentoo.org/wiki/SELinux
  http://wiki.gentoo.org/wiki/SELinux/Installation

### Details of changes from previous patchsets

This is a new round of patches based on the v5 patchset from
last year. The changes since v4 consist of:
 * The removal of on target policy debugging using audit2allow.
   The host tools have been setup to provide offline capability
   for analyzing audit output.
 * The example qemu configuration defaults to using full versions
   of applications instead of the busybox applets. This simplified
   the configuration but as a side effect grew the filesystem size.
   There is definitely opportunity to slim down the approach to
   just using busybox applets (I've still included the patches
   that enable the capability to create individual applets).
 * Added documentation of the qemu target to that target's readme
 * Updated for structural changes (OPTS vs OPT, patch naming,
   improvements to existing packages)
 * Autobuilder was modified to run against our upstreaming
   branch and has logged a couple weeks of builds and almost
   all of the issues are resolved against the current upstream.

Since Refpolicy is heavily tailored for a project's use, the
package exposed options of using the provided version with
patches or a custom GIT repo. Here's a bit more detail on
those assumptions.
  * Refpolicy as the package defines with default patches
    plus possibly some global patches applied. Using a default
    modules config file provided in the package folder or
    provided by the user.
  * Refpolicy looking at specific git repo revisions. Using a
    modules config file from within that git repo.
  * Refpolicy using src override which assumes the same as the
    git repo case for where the modules config file originates.

### What's next:

* Testing out support for using busybox applets instead of
  sysvinit/util-linux/etc.
* qemu targets for ARM and PPC

Clayton Shotwell (8):
  policycoreutils: new package
  refpolicy: new package
  busybox: applets as individual binaries
  busybox: selinux support
  qemu x86 selinux: base br defconfig
  squashfs: Add xattr support
  cpio: new package
  audit: Add startup script

Matt Weber (8):
  linux-pam: selinux support
  busybox: added linux-pam support
  sysvinit: added libselinux dependency
  dbus: selinux file context support
  openssh: selinux and pam support
  util-linux: selinux, audit, and pam support
  rsyslog: fix config file comment style
  qemu x86 selinux: added common selinux support files

 board/common_selinux/busybox-selinux.config        | 1058 ++++++++++++++++++++
 board/common_selinux/post_build.sh                 |   30 +
 .../common_selinux/skeleton/etc/audit/auditd.conf  |   32 +
 .../skeleton/etc/audit/rules.d/audit.rules         |    3 +
 board/common_selinux/skeleton/etc/fstab            |   15 +
 board/common_selinux/skeleton/etc/inittab          |   29 +
 board/common_selinux/skeleton_permissions.txt      |   26 +
 board/qemu/x86/linux-4.0-selinux.config            |   77 ++
 board/qemu/x86/readme.txt                          |   17 +
 configs/qemu_x86_selinux_defconfig                 |   67 ++
 package/Config.in                                  |    4 +
 package/Config.in.host                             |    1 +
 package/audit/S01auditd                            |   80 ++
 package/audit/audit.mk                             |    4 +
 ...s-Add-installation-of-individual-binaries.patch |  103 ++
 ...ags-strip-non-l-arguments-returned-by-pkg.patch |   28 +
 package/busybox/Config.in                          |   25 +
 package/busybox/busybox.mk                         |   57 ++
 package/cpio/Config.in                             |    8 +
 package/cpio/Config.in.host                        |    6 +
 package/cpio/cpio.hash                             |    9 +
 package/cpio/cpio.mk                               |   27 +
 package/dbus/S30dbus                               |    4 +
 package/dbus/dbus.mk                               |   14 +
 package/linux-pam/linux-pam.mk                     |   56 +-
 package/linux-pam/system-auth.pamd                 |   15 +
 package/openssh/openssh.mk                         |   16 +
 ...IR-to-all-paths-that-use-an-absolute-path.patch |  258 +++++
 .../0002-Allow-CFLAGS-to-be-overwritten.patch      |   57 ++
 ...licy-python-install-arguments-to-be-a-var.patch |   42 +
 package/policycoreutils/Config.in                  |   59 ++
 package/policycoreutils/policycoreutils.hash       |    2 +
 package/policycoreutils/policycoreutils.mk         |  107 ++
 package/refpolicy-contrib/Config.in                |   19 +
 package/refpolicy-contrib/refpolicy-contrib.mk     |   18 +
 .../0001-Fix-awk-references-to-use-variable.patch  |   42 +
 package/refpolicy/Config.in                        |   99 ++
 package/refpolicy/S00selinux                       |  136 +++
 package/refpolicy/config                           |    8 +
 package/refpolicy/modules.conf                     |  406 ++++++++
 package/refpolicy/refpolicy.hash                   |    2 +
 package/refpolicy/refpolicy.mk                     |  120 +++
 .../rsyslog/0001-fix-config-file-comments.patch    |   37 +
 package/squashfs/squashfs.mk                       |    8 +-
 ...1-Fix-SELinux-compile-flags-and-libraries.patch |   44 +
 package/sysvinit/sysvinit.mk                       |    5 +
 package/util-linux/util-linux.mk                   |   27 +
 47 files changed, 3304 insertions(+), 3 deletions(-)
 create mode 100644 board/common_selinux/busybox-selinux.config
 create mode 100755 board/common_selinux/post_build.sh
 create mode 100644 board/common_selinux/skeleton/etc/audit/auditd.conf
 create mode 100644 board/common_selinux/skeleton/etc/audit/rules.d/audit.rules
 create mode 100755 board/common_selinux/skeleton/etc/fstab
 create mode 100755 board/common_selinux/skeleton/etc/inittab
 create mode 100755 board/common_selinux/skeleton_permissions.txt
 create mode 100644 board/qemu/x86/linux-4.0-selinux.config
 create mode 100644 configs/qemu_x86_selinux_defconfig
 create mode 100644 package/audit/S01auditd
 create mode 100644 package/busybox/0002-applets-Add-installation-of-individual-binaries.patch
 create mode 100644 package/busybox/0008-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch
 create mode 100644 package/cpio/Config.in
 create mode 100644 package/cpio/Config.in.host
 create mode 100644 package/cpio/cpio.hash
 create mode 100644 package/cpio/cpio.mk
 mode change 100755 => 100644 package/dbus/S30dbus
 create mode 100644 package/linux-pam/system-auth.pamd
 create mode 100644 package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
 create mode 100644 package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch
 create mode 100644 package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch
 create mode 100644 package/policycoreutils/Config.in
 create mode 100644 package/policycoreutils/policycoreutils.hash
 create mode 100644 package/policycoreutils/policycoreutils.mk
 create mode 100644 package/refpolicy-contrib/Config.in
 create mode 100644 package/refpolicy-contrib/refpolicy-contrib.mk
 create mode 100644 package/refpolicy/2.20130424/0001-Fix-awk-references-to-use-variable.patch
 create mode 100644 package/refpolicy/Config.in
 create mode 100644 package/refpolicy/S00selinux
 create mode 100644 package/refpolicy/config
 create mode 100644 package/refpolicy/modules.conf
 create mode 100644 package/refpolicy/refpolicy.hash
 create mode 100644 package/refpolicy/refpolicy.mk
 create mode 100644 package/rsyslog/0001-fix-config-file-comments.patch
 create mode 100644 package/sysvinit/0001-Fix-SELinux-compile-flags-and-libraries.patch

-- 
1.9.1


* [Buildroot] [PATCH v8 01/16] policycoreutils: new package
  2015-07-10 23:27 [Buildroot] [PATCH v8 00/16] SELinux Buildroot Additions Clayton Shotwell
@ 2015-07-10 23:27 ` Clayton Shotwell
From: Clayton Shotwell @ 2015-07-10 23:27 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>

---
Changes v7 -> v8:
  - Cleaned up indentations in policycoreutils.mk (Suggested by
    Thomas P.)
  - Fixed sed separator (Suggested by Thomas P.)
  - Cleaned up cross compile patches and make options (Suggested by
    Thomas P.)
  - Changed dbus-glib dependency to a select and cleaned up the
    dependencies (Suggested by Thomas P.)

Changes v6 -> v7:
  - No changes

Changes v5 -> v6:
  - No changes

Changes v4 -> v5:
  - Updated depends and removed glibc dependency (Matt W.)
  - Updated site to github (Matt W.)
  - Added host python 2/3 support (Matt W.)
  - Removed sandbox and mctrans support (Matt W.)
  - Removed restorecon init script (Matt W.)
  - Agree as optional settings were removed so menu isn't needed
    (Suggested by Ryan B. and Thomas P.)
  - added Config.in select for LIBCAP_NG (Suggested by Thomas P.)
  - cleaned up pam/audit ifeq (Suggested by Thomas P.)
  - fixed CFLAGS to include target_cflags instead of += (Suggested by
    Thomas P.)
  - Refactored lists of build/install steps into loops (Suggested by
    Thomas P.)
  - Removed += on first host depends assignment (Suggested by Thomas P.)
  - Refactored host make opts assignments (Suggested by Thomas P.)
  - Limited to glibc because of fts.h, some uclibc toolchains have it
    others don't.  Eventually this would be good to fix with the updated
    method of file traversal. (Matt W.)
  - Gettext fixups for uclibc support.  Counterproductive as we
    now limit to glibc only. (Matt W.)
  - Added musl as possible lib type (Matt W.)
  - Removed largefile dependency (Clayton S.)
  - Changed dbus-glib select to a depends on in the Config.in (suggested
    by Ryan B.)

Changes v3 -> v4:
  - Add a select for the libselinux Python bindings when debugging
    is enabled.  This will cause Python to be built for the target
    (suggested by Thomas P.)
  - Cleaned up the configure comments (suggested by Thomas).
  - Added a dependency on BR2_USE_MMU for the debugging option
    because python requires it (suggested by Thomas P.)
  - Removed the dependencies on audit and linux-pam. Both packages
    are now optional dependencies based on whether or not the package
    has been selected
  - Moved the dependency on dbus-glib to only the restorecond option
    where it is used
  - Added an INSTALL_INIT_SYSV for the restorecond daemon rather than
    just installing it directly
  - Adding a dependency on glibc
  - Removed the clean commands

Changes v2 -> v3:
  - Added dependencies on BR2_TOOLCHAIN_HAS_THREADS and BR2_LARGEFILE
    (suggested by Thomas P.)
  - Changed patch naming convention (suggested by Thomas P.)
  - Added selects for linux-pam and audit

Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format
  - Fixed the patch naming to avoid using the version number
  - Cleaned up the patch to include a signed-off-by line
  - Changed package dependencies into selects in the config
---
 package/Config.in                                  |   1 +
 ...IR-to-all-paths-that-use-an-absolute-path.patch | 258 +++++++++++++++++++++
 .../0002-Allow-CFLAGS-to-be-overwritten.patch      |  57 +++++
 ...licy-python-install-arguments-to-be-a-var.patch |  42 ++++
 package/policycoreutils/Config.in                  |  59 +++++
 package/policycoreutils/policycoreutils.hash       |   2 +
 package/policycoreutils/policycoreutils.mk         | 107 +++++++++
 7 files changed, 526 insertions(+)
 create mode 100644 package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
 create mode 100644 package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch
 create mode 100644 package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch
 create mode 100644 package/policycoreutils/Config.in
 create mode 100644 package/policycoreutils/policycoreutils.hash
 create mode 100644 package/policycoreutils/policycoreutils.mk

diff --git a/package/Config.in b/package/Config.in
index d9b0794..8aea808 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1351,6 +1351,7 @@ menu "Real-Time"
 endmenu
 
 menu "Security"
+	source "package/policycoreutils/Config.in"
 	source "package/setools/Config.in"
 endmenu
 
diff --git a/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
new file mode 100644
index 0000000..016980f
--- /dev/null
+++ b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
@@ -0,0 +1,258 @@
+From a8eea90050551e42d4dc81867853f351282f9f90 Mon Sep 17 00:00:00 2001
+From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+Date: Fri, 10 Jul 2015 11:44:08 -0500
+Subject: [PATCH 1/3] Add DESTDIR to all paths that use an absolute path
+
+To aid in cross compiling, add the DESTDIR variable to the start of all
+of the paths used during compilation. Most paths already used DESTDIR.
+
+Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+---
+ Makefile                |  4 ++--
+ audit2allow/Makefile    |  2 +-
+ load_policy/Makefile    |  2 +-
+ mcstrans/src/Makefile   | 11 +++++++----
+ mcstrans/utils/Makefile |  9 ++++++---
+ newrole/Makefile        | 12 ++++++------
+ restorecond/Makefile    |  6 ++++--
+ run_init/Makefile       | 12 ++++++------
+ sepolicy/Makefile       |  2 +-
+ setfiles/Makefile       |  4 ++--
+ 10 files changed, 36 insertions(+), 28 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 3980799..0fca022 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,8 +1,8 @@
+ SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui
+ 
+-INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
++INOTIFYH = $(shell ls $(DESTDIR)/usr/include/sys/inotify.h 2>/dev/null)
+ 
+-ifeq (${INOTIFYH}, /usr/include/sys/inotify.h)
++ifeq (${INOTIFYH}, $(DESTDIR)/usr/include/sys/inotify.h)
+ 	SUBDIRS += restorecond
+ endif
+ 
+diff --git a/audit2allow/Makefile b/audit2allow/Makefile
+index 88635d4..933e520 100644
+--- a/audit2allow/Makefile
++++ b/audit2allow/Makefile
+@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
+ BINDIR ?= $(PREFIX)/bin
+ LIBDIR ?= $(PREFIX)/lib
+ MANDIR ?= $(PREFIX)/share/man
+-LOCALEDIR ?= /usr/share/locale
++LOCALEDIR ?= $(DESTDIR)/usr/share/locale
+ 
+ all: ;
+ 
+diff --git a/load_policy/Makefile b/load_policy/Makefile
+index 7c5bab0..4129d8f 100644
+--- a/load_policy/Makefile
++++ b/load_policy/Makefile
+@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
+ SBINDIR ?= $(DESTDIR)/sbin
+ USRSBINDIR ?= $(PREFIX)/sbin
+ MANDIR ?= $(PREFIX)/share/man
+-LOCALEDIR ?= /usr/share/locale
++LOCALEDIR ?= $(DESTDIR)/usr/share/locale
+ 
+ CFLAGS ?= -Werror -Wall -W
+ override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+diff --git a/mcstrans/src/Makefile b/mcstrans/src/Makefile
+index fb44490..1982b43 100644
+--- a/mcstrans/src/Makefile
++++ b/mcstrans/src/Makefile
+@@ -1,15 +1,18 @@
+ ARCH = $(shell uname -i)
+ ifeq "$(ARCH)" "x86_64"
+ 	# In case of 64 bit system, use these lines
+-	LIBDIR=/usr/lib64
+-else 
++	LIBDIR=$(DESTDIR)/usr/lib64
++else
+ ifeq "$(ARCH)" "i686"
+ 	# In case of 32 bit system, use these lines
+-	LIBDIR=/usr/lib
++	LIBDIR=$(DESTDIR)/usr/lib
+ else
+ ifeq "$(ARCH)" "i386"
+ 	# In case of 32 bit system, use these lines
+-	LIBDIR=/usr/lib
++	LIBDIR=$(DESTDIR)/usr/lib
++else
++	# Default to these lines if arch is unknown
++	LIBDIR=$(DESTDIR)/usr/lib
+ endif
+ endif
+ endif
+diff --git a/mcstrans/utils/Makefile b/mcstrans/utils/Makefile
+index 1ffb027..dcdc68b 100644
+--- a/mcstrans/utils/Makefile
++++ b/mcstrans/utils/Makefile
+@@ -5,15 +5,18 @@ BINDIR ?= $(PREFIX)/sbin
+ ARCH = $(shell uname -i)
+ ifeq "$(ARCH)" "x86_64"
+         # In case of 64 bit system, use these lines
+-        LIBDIR=/usr/lib64
++        LIBDIR=$(DESTDIR)/usr/lib64
+ else
+ ifeq "$(ARCH)" "i686"
+         # In case of 32 bit system, use these lines
+-        LIBDIR=/usr/lib
++        LIBDIR=$(DESTDIR)/usr/lib
+ else
+ ifeq "$(ARCH)" "i386"
+         # In case of 32 bit system, use these lines
+-        LIBDIR=/usr/lib
++        LIBDIR=$(DESTDIR)/usr/lib
++else
++        # Default to these lines if arch is unknown
++        LIBDIR=$(DESTDIR)/usr/lib
+ endif
+ endif
+ endif
+diff --git a/newrole/Makefile b/newrole/Makefile
+index 646cd4d..a876ff3 100644
+--- a/newrole/Makefile
++++ b/newrole/Makefile
+@@ -3,9 +3,9 @@ PREFIX ?= $(DESTDIR)/usr
+ BINDIR ?= $(PREFIX)/bin
+ MANDIR ?= $(PREFIX)/share/man
+ ETCDIR ?= $(DESTDIR)/etc
+-LOCALEDIR = /usr/share/locale
+-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
+-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
++LOCALEDIR = $(DESTDIR)/usr/share/locale
++PAMH = $(shell ls $(DESTDIR)/usr/include/security/pam_appl.h 2>/dev/null)
++AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
+ # Enable capabilities to permit newrole to generate audit records.
+ # This will make newrole a setuid root program.
+ # The capabilities used are: CAP_AUDIT_WRITE.
+@@ -24,7 +24,7 @@ CFLAGS ?= -Werror -Wall -W
+ EXTRA_OBJS =
+ override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+ LDLIBS += -lselinux -L$(PREFIX)/lib
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
+ 	override CFLAGS += -DUSE_PAM
+ 	EXTRA_OBJS += hashtab.o
+ 	LDLIBS += -lpam -lpam_misc
+@@ -32,7 +32,7 @@ else
+ 	override CFLAGS += -D_XOPEN_SOURCE=500
+ 	LDLIBS += -lcrypt
+ endif
+-ifeq ($(AUDITH), /usr/include/libaudit.h)
++ifeq ($(AUDITH), $(DESTDIR)/usr/include/libaudit.h)
+ 	override CFLAGS += -DUSE_AUDIT
+ 	LDLIBS += -laudit
+ endif
+@@ -66,7 +66,7 @@ install: all
+ 	test -d $(MANDIR)/man1 || install -m 755 -d $(MANDIR)/man1
+ 	install -m $(MODE) newrole $(BINDIR)
+ 	install -m 644 newrole.1 $(MANDIR)/man1/
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
+ 	test -d $(ETCDIR)/pam.d || install -m 755 -d $(ETCDIR)/pam.d
+ ifeq ($(LSPP_PRIV),y)
+ 	install -m 644 newrole-lspp.pamd $(ETCDIR)/pam.d/newrole
+diff --git a/restorecond/Makefile b/restorecond/Makefile
+index 3074542..7c40f95 100644
+--- a/restorecond/Makefile
++++ b/restorecond/Makefile
+@@ -10,11 +10,13 @@ autostart_DATA = sealertauto.desktop
+ INITDIR = $(DESTDIR)/etc/rc.d/init.d
+ SELINUXDIR = $(DESTDIR)/etc/selinux
+ 
+-DBUSFLAGS = -DHAVE_DBUS -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/lib/dbus-1.0/include
++DBUSFLAGS = -DHAVE_DBUS -I$(PREFIX)/include/dbus-1.0 -I$(PREFIX)/lib64/dbus-1.0/include \
++		-I$(PREFIX)/lib/dbus-1.0/include
+ DBUSLIB = -ldbus-glib-1 -ldbus-1
+ 
+ CFLAGS ?= -g -Werror -Wall -W
+-override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/lib/glib-2.0/include
++override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I$(PREFIX)/include/glib-2.0 \
++		-I$(PREFIX)/lib64/glib-2.0/include -I$(PREFIX)/lib/glib-2.0/include
+ 
+ LDLIBS += -lselinux $(DBUSLIB) -lglib-2.0 -L$(LIBDIR)
+ 
+diff --git a/run_init/Makefile b/run_init/Makefile
+index 12b39b4..3c6f58a 100644
+--- a/run_init/Makefile
++++ b/run_init/Makefile
+@@ -4,21 +4,21 @@ PREFIX ?= $(DESTDIR)/usr
+ SBINDIR ?= $(PREFIX)/sbin
+ MANDIR ?= $(PREFIX)/share/man
+ ETCDIR ?= $(DESTDIR)/etc
+-LOCALEDIR ?= /usr/share/locale
+-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
+-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
++LOCALEDIR ?= $(DESTDIR)/usr/share/locale
++PAMH = $(shell ls $(DESTDIR)/usr/include/security/pam_appl.h 2>/dev/null)
++AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
+ 
+ CFLAGS ?= -Werror -Wall -W
+ override CFLAGS += -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+ LDLIBS += -lselinux -L$(PREFIX)/lib
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
+ 	override CFLAGS += -DUSE_PAM
+ 	LDLIBS += -lpam -lpam_misc
+ else
+ 	override CFLAGS += -D_XOPEN_SOURCE=500
+ 	LDLIBS += -lcrypt
+ endif
+-ifeq ($(AUDITH), /usr/include/libaudit.h)
++ifeq ($(AUDITH), $(DESTDIR)/usr/include/libaudit.h)
+ 	override CFLAGS += -DUSE_AUDIT
+ 	LDLIBS += -laudit
+ endif
+@@ -38,7 +38,7 @@ install: all
+ 	install -m 755 open_init_pty $(SBINDIR)
+ 	install -m 644 run_init.8 $(MANDIR)/man8/
+ 	install -m 644 open_init_pty.8 $(MANDIR)/man8/
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
+ 	install -m 644 run_init.pamd $(ETCDIR)/pam.d/run_init
+ endif
+ 
+diff --git a/sepolicy/Makefile b/sepolicy/Makefile
+index 11b534f..1074d26 100644
+--- a/sepolicy/Makefile
++++ b/sepolicy/Makefile
+@@ -5,7 +5,7 @@ LIBDIR ?= $(PREFIX)/lib
+ BINDIR ?= $(PREFIX)/bin
+ SBINDIR ?= $(PREFIX)/sbin
+ MANDIR ?= $(PREFIX)/share/man
+-LOCALEDIR ?= /usr/share/locale
++LOCALEDIR ?= $(DESTDIR)/usr/share/locale
+ PYTHON ?= /usr/bin/python
+ BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
+ SHAREDIR ?= $(PREFIX)/share/sandbox
+diff --git a/setfiles/Makefile b/setfiles/Makefile
+index 4b44b3c..dc04d9a 100644
+--- a/setfiles/Makefile
++++ b/setfiles/Makefile
+@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
+ SBINDIR ?= $(DESTDIR)/sbin
+ MANDIR = $(PREFIX)/share/man
+ LIBDIR ?= $(PREFIX)/lib
+-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
++AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
+ 
+ PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S '{ print $$3 }')
+ ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
+@@ -12,7 +12,7 @@ CFLAGS = -g -Werror -Wall -W
+ override CFLAGS += -I$(PREFIX)/include
+ LDLIBS = -lselinux -lsepol -L$(LIBDIR)
+ 
+-ifeq ($(AUDITH), /usr/include/libaudit.h)
++ifeq ($(AUDITH), $(DESTDIR)/usr/include/libaudit.h)
+ 	override CFLAGS += -DUSE_AUDIT
+ 	LDLIBS += -laudit
+ endif
+-- 
+1.9.1
+
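Review bot: prefixing $(DESTDIR) onto LOCALEDIR in audit2allow/Makefile, load_policy/Makefile, newrole/Makefile, run_init/Makefile and sepolicy/Makefile changes a run-time path, not only an install path: load_policy, newrole and run_init compile it into the binary via `-DLOCALEDIR="\"$(LOCALEDIR)\""`, so on the target those programs will look for message catalogs under the staging directory instead of /usr/share/locale. Keeping LOCALEDIR as the on-target path and prefixing $(DESTDIR) only in the install rules would avoid that. A second cross-compile issue stays in mcstrans/src/Makefile and mcstrans/utils/Makefile: LIBDIR is still chosen from `$(shell uname -i)`, which is the build host's architecture, so the lib vs lib64 decision follows the host rather than the target; the new default branch only covers architectures the ifeq chain does not recognise.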
diff --git a/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch b/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch
new file mode 100644
index 0000000..54aecae
--- /dev/null
+++ b/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch
@@ -0,0 +1,57 @@
+From 656740d38ad34cbd5a89e900dab82ec521d0a522 Mon Sep 17 00:00:00 2001
+From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+Date: Fri, 10 Jul 2015 11:47:09 -0500
+Subject: [PATCH 2/3] Allow CFLAGS to be overwritten
+
+Allow all CFLAGS declarations to be overwritten to aid in cross
+compiling.
+
+Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+---
+ sepolicy/Makefile | 2 +-
+ sestatus/Makefile | 2 +-
+ setfiles/Makefile | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sepolicy/Makefile b/sepolicy/Makefile
+index 1074d26..9d44ac2 100644
+--- a/sepolicy/Makefile
++++ b/sepolicy/Makefile
+@@ -9,7 +9,7 @@ LOCALEDIR ?= $(DESTDIR)/usr/share/locale
+ PYTHON ?= /usr/bin/python
+ BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
+ SHAREDIR ?= $(PREFIX)/share/sandbox
+-override CFLAGS = $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
++override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
+ 
+ BASHCOMPLETIONS=sepolicy-bash-completion.sh 
+ 
+diff --git a/sestatus/Makefile b/sestatus/Makefile
+index c5db7a3..c04ff00 100644
+--- a/sestatus/Makefile
++++ b/sestatus/Makefile
+@@ -5,7 +5,7 @@ MANDIR = $(PREFIX)/share/man
+ ETCDIR ?= $(DESTDIR)/etc
+ LIBDIR ?= $(PREFIX)/lib
+ 
+-CFLAGS = -Werror -Wall -W
++CFLAGS ?= -Werror -Wall -W
+ override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
+ LDLIBS = -lselinux -L$(LIBDIR)
+ 
+diff --git a/setfiles/Makefile b/setfiles/Makefile
+index dc04d9a..67d9ef0 100644
+--- a/setfiles/Makefile
++++ b/setfiles/Makefile
+@@ -8,7 +8,7 @@ AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
+ PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S '{ print $$3 }')
+ ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
+ 
+-CFLAGS = -g -Werror -Wall -W
++CFLAGS ?= -g -Werror -Wall -W
+ override CFLAGS += -I$(PREFIX)/include
+ LDLIBS = -lselinux -lsepol -L$(LIBDIR)
+ 
+-- 
+1.9.1
+
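Review bot: the `CFLAGS = ...` to `CFLAGS ?= ...` changes in sestatus/Makefile and setfiles/Makefile only take effect when CFLAGS arrives from the environment; a `CFLAGS="..."` passed on the make command line already replaces a plain `=` or `?=` assignment in the makefile, so the change that actually repairs cross compiling here is the sepolicy/Makefile one, where `override CFLAGS = ...` discarded the caller's flags and `override CFLAGS += ...` now preserves them. The commit message should say which of the three is the functional fix. Note also that sestatus/Makefile keeps `override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64`, which is appended after the caller's flags and will therefore win over a `-U_FILE_OFFSET_BITS` supplied by the caller.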
diff --git a/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch b/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch
new file mode 100644
index 0000000..4e35d92
--- /dev/null
+++ b/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch
@@ -0,0 +1,42 @@
+From c8f1022be057cfe28101fbd0d6dedf6f42477ffc Mon Sep 17 00:00:00 2001
+From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+Date: Fri, 10 Jul 2015 11:56:49 -0500
+Subject: [PATCH 3/3] Change sepolicy python install arguments to be a variable
+
+To allow the python install arguments to be overwritten, change the
+arguments to be a variable. This also cleans up the DESTDIR detection a
+little bit.
+
+Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+---
+ sepolicy/Makefile | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/sepolicy/Makefile b/sepolicy/Makefile
+index 9d44ac2..bd8a383 100644
+--- a/sepolicy/Makefile
++++ b/sepolicy/Makefile
+@@ -7,6 +7,11 @@ SBINDIR ?= $(PREFIX)/sbin
+ MANDIR ?= $(PREFIX)/share/man
+ LOCALEDIR ?= $(DESTDIR)/usr/share/locale
+ PYTHON ?= /usr/bin/python
++ifneq (,$(DESTDIR))
++PYTHON_INSTALL_ARGS ?= --root $(DESTDIR)
++else
++PYTHON_INSTALL_ARGS ?=
++endif
+ BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
+ SHAREDIR ?= $(PREFIX)/share/sandbox
+ override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
+@@ -23,7 +28,7 @@ clean:
+ 	-rm -rf build *~ \#* *pyc .#*
+ 
+ install:
+-	$(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
++	$(PYTHON) setup.py install $(PYTHON_INSTALL_ARGS)
+ 	[ -d $(BINDIR) ] || mkdir -p $(BINDIR)
+ 	install -m 755 sepolicy.py $(BINDIR)/sepolicy
+ 	-mkdir -p $(MANDIR)/man8
+-- 
+1.9.1
+
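Review bot: `PYTHON_INSTALL_ARGS ?= --root $(DESTDIR)` makes the arguments overridable, but `PYTHON ?= /usr/bin/python` two lines above still defaults to the build host's interpreter, and `setup.py install --root` on its own derives the site-packages location from that interpreter's prefix and version, then appends the root. For a target install the caller therefore has to pass PYTHON explicitly and, where the target layout differs from the host's, an explicit install prefix or library directory in PYTHON_INSTALL_ARGS; the commit message should state that expectation so the .mk side is reviewed against it.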
diff --git a/package/policycoreutils/Config.in b/package/policycoreutils/Config.in
new file mode 100644
index 0000000..1dc01c4
--- /dev/null
+++ b/package/policycoreutils/Config.in
@@ -0,0 +1,59 @@
+config BR2_PACKAGE_POLICYCOREUTILS
+	bool "policycoreutils"
+	select BR2_PACKAGE_LIBSEMANAGE
+	select BR2_PACKAGE_LIBCAP_NG
+	select BR2_PACKAGE_GETTEXT if BR2_NEEDS_GETTEXT
+	depends on BR2_TOOLCHAIN_HAS_THREADS # libsemanage
+	depends on BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL # uses fts.h
+	help
+	  Policycoreutils is a collection of policy utilities (originally
+	  the "core" set of utilities needed to use SELinux, although it
+	  has grown a bit over time), which have different dependencies.
+	  sestatus, secon, run_init, and newrole only use libselinux.
+	  load_policy and setfiles only use libselinux and libsepol.
+	  semodule and semanage use libsemanage (and thus bring in
+	  dependencies on libsepol and libselinux as well). setsebool
+	  uses libselinux to make non-persistent boolean changes (via
+	  the kernel interface) and uses libsemanage to make persistent
+	  boolean changes.
+
+	  The base package will install the following utilities:
+	      load_policy
+	      newrole
+	      restorecond
+	      run_init
+	      secon
+	      semodule
+	      semodule_deps
+	      semodule_expand
+	      semodule_link
+	      semodule_package
+	      sepolgen-ifgen
+	      sestatus
+	      setfiles
+	      setsebool
+
+	  http://selinuxproject.org/page/Main_Page
+
+comment "policycoreutils needs a glibc or musl toolchain w/ threads"
+	depends on !BR2_TOOLCHAIN_HAS_THREADS  \
+		|| !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL)
+
+if BR2_PACKAGE_POLICYCOREUTILS
+
+config BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND
+	bool "restorecond Utility"
+	select BR2_PACKAGE_DBUS_GLIB
+	depends on BR2_PACKAGE_DBUS
+	depends on BR2_USE_WCHAR # glib2
+	depends on BR2_TOOLCHAIN_HAS_THREADS # glib2
+	depends on BR2_USE_MMU # glib2
+	help
+	  Enable restorecond to be built
+
+comment "restorecond needs a toolchain w/ wchar, threads, dbus"
+	depends on BR2_USE_MMU
+	depends on BR2_PACKAGE_DBUS
+	depends on !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS
+
+endif
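Review bot: the help text lists restorecond under "The base package will install the following utilities", but restorecond is only built when the separate BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND option below is enabled; remove it from that list or mark it optional. The trailing comment "restorecond needs a toolchain w/ wchar, threads, dbus" carries `depends on BR2_PACKAGE_DBUS`, so it is hidden in exactly the case where dbus is the missing piece; either drop "dbus" from the wording or restructure the condition so the comment appears when dbus is not selected.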
diff --git a/package/policycoreutils/policycoreutils.hash b/package/policycoreutils/policycoreutils.hash
new file mode 100644
index 0000000..575dd25
--- /dev/null
+++ b/package/policycoreutils/policycoreutils.hash
@@ -0,0 +1,2 @@
+# https://github.com/SELinuxProject/selinux/wiki/Releases
+sha256 b6881741f9f9988346a73bfeccb0299941dc117349753f0ef3f23ee86f06c1b5  policycoreutils-2.1.14.tar.gz
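Review bot: the comment gives a URL but does not say whether the sha256 was published there or computed locally; the refpolicy.hash file later in this series uses a `#From <url>` comment, so use the same wording here (and state "Locally computed" instead if the wiki page does not carry the checksum), so a reviewer knows what the value can be verified against.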
diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
new file mode 100644
index 0000000..2b954b9
--- /dev/null
+++ b/package/policycoreutils/policycoreutils.mk
@@ -0,0 +1,107 @@
+################################################################################
+#
+# policycoreutils
+#
+################################################################################
+
+POLICYCOREUTILS_VERSION = 2.1.14
+POLICYCOREUTILS_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20130423
+POLICYCOREUTILS_LICENSE = GPLv2
+POLICYCOREUTILS_LICENSE_FILES = COPYING
+
+# gettext for load_policy.c use of libintl_* functions
+POLICYCOREUTILS_DEPENDENCIES = libsemanage libcap-ng $(if $(BR2_NEEDS_GETTEXT),gettext)
+
+ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
+POLICYCOREUTILS_DEPENDENCIES += linux-pam
+POLICYCOREUTILS_MAKE_OPTS += NAMESPACE_PRIV=y
+define POLICYCOREUTILS_INSTALL_TARGET_LINUX_PAM_CONFS
+	$(INSTALL) -D -m 0644 $(@D)/newrole/newrole-lspp.pamd $(TARGET_DIR)/etc/pam.d/newrole
+	$(INSTALL) -D -m 0644 $(@D)/run_init/run_init.pamd $(TARGET_DIR)/etc/pam.d/run_init
+endef
+endif
+
+ifeq ($(BR2_PACKAGE_AUDIT),y)
+POLICYCOREUTILS_DEPENDENCIES += audit
+POLICYCOREUTILS_MAKE_OPTS += AUDIT_LOG_PRIV=y
+endif
+
+# Enable LSPP_PRIV if both audit and linux pam are enabled
+ifeq ($(BR2_PACKAGE_LINUX_PAM)$(BR2_PACKAGE_AUDIT),yy)
+POLICYCOREUTILS_MAKE_OPTS += LSPP_PRIV=y
+endif
+
+# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h
+# large file support.
+# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more information
+POLICYCOREUTILS_MAKE_OPTS = \
+	CC="$(TARGET_CC)" \
+	CFLAGS="$(TARGET_CFLAGS) -U_FILE_OFFSET_BITS" \
+	LDFLAGS="$(TARGET_LDFLAGS) $(if $(BR2_NEEDS_GETTEXT),-lintl)"
+
+POLICYCOREUTILS_MAKE_DIRS = load_policy newrole run_init \
+	secon semodule semodule_deps semodule_expand semodule_link \
+	semodule_package sepolgen-ifgen sestatus setfiles setsebool
+
+ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND),y)
+POLICYCOREUTILS_DEPENDENCIES += dbus-glib
+POLICYCOREUTILS_MAKE_DIRS += restorecond
+endif
+
+define POLICYCOREUTILS_BUILD_CMDS
+	for dir in $(POLICYCOREUTILS_MAKE_DIRS) ; do \
+		$(MAKE) -C $(@D)/$${dir} $(POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(STAGING_DIR) all || exit 1 ; \
+	done
+endef
+
+define POLICYCOREUTILS_INSTALL_TARGET_CMDS
+	for dir in $(POLICYCOREUTILS_MAKE_DIRS) ; do \
+		$(MAKE) -C $(@D)/$${dir} $(POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(TARGET_DIR) install || exit 1 ; \
+	done
+endef
+
+HOST_POLICYCOREUTILS_DEPENDENCIES = host-libsemanage host-dbus-glib host-sepolgen host-setools
+
+# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h
+# large file support.
+# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more information
+HOST_POLICYCOREUTILS_MAKE_OPTS = \
+	CC="$(HOSTCC)" \
+	CFLAGS="$(HOST_CFLAGS) -U_FILE_OFFSET_BITS" \
+	PYTHON="$(HOST_DIR)/usr/bin/python" \
+	PYTHON_INSTALL_ARGS="$(HOST_PKG_PYTHON_DISTUTILS_INSTALL_OPTS)"
+
+
+ifeq ($(BR2_PACKAGE_PYTHON3),y)
+HOST_POLICYCOREUTILS_DEPENDENCIES += host-python3
+HOST_POLICYCOREUTILS_MAKE_OPTS += \
+	PYLIBVER="python$(PYTHON3_VERSION_MAJOR)"
+else
+HOST_POLICYCOREUTILS_DEPENDENCIES += host-python
+HOST_POLICYCOREUTILS_MAKE_OPTS += \
+	PYLIBVER="python$(PYTHON_VERSION_MAJOR)"
+endif
+
+# Note: We are only building the programs required by the refpolicy build
+HOST_POLICYCOREUTILS_MAKE_DIRS = load_policy semodule semodule_deps semodule_expand semodule_link \
+	semodule_package setfiles restorecond audit2allow audit2why scripts semanage sepolicy
+
+define HOST_POLICYCOREUTILS_BUILD_CMDS
+	for dir in $(HOST_POLICYCOREUTILS_MAKE_DIRS) ; do \
+		$(MAKE) -C $(@D)/$${dir} $(HOST_POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(HOST_DIR) all || exit 1 ; \
+	done
+endef
+
+define HOST_POLICYCOREUTILS_INSTALL_CMDS
+	for dir in $(HOST_POLICYCOREUTILS_MAKE_DIRS) ; do \
+		$(MAKE) -C $(@D)/$${dir} $(HOST_POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(HOST_DIR) install || exit 1 ; \
+	done
+	# Fix python paths
+	$(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g' $(HOST_DIR)/usr/bin/audit2allow
+	$(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g' $(HOST_DIR)/usr/bin/audit2why
+	$(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g' $(HOST_DIR)/usr/bin/sepolgen-ifgen
+	$(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g' $(HOST_DIR)/usr/bin/sepolicy
+endef
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
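Review bot: `POLICYCOREUTILS_MAKE_OPTS = \` (the assignment after the `_FILE_OFFSET_BITS` comment) uses `=`, which discards the `NAMESPACE_PRIV=y`, `AUDIT_LOG_PRIV=y` and `LSPP_PRIV=y` values appended with `+=` in the three `ifeq` blocks above it, so the PAM, audit and LSPP builds are never actually enabled; move that assignment above the `ifeq` blocks or change it to `+=`. `POLICYCOREUTILS_INSTALL_TARGET_LINUX_PAM_CONFS` is defined but never invoked, so the newrole and run_init PAM files are never installed; add `$(POLICYCOREUTILS_INSTALL_TARGET_LINUX_PAM_CONFS)` to `POLICYCOREUTILS_INSTALL_TARGET_CMDS`. Minor: there is a doubled blank line before the `BR2_PACKAGE_PYTHON3` block, and the host build keys its Python choice off the target `BR2_PACKAGE_PYTHON3` option, which deserves a comment explaining why the host tools must follow the target Python major version.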
-- 
1.9.1


* [Buildroot] [PATCH v8 02/16] refpolicy: new package
  2015-07-10 23:27 [Buildroot] [PATCH v8 00/16] SELinux Buildroot Additions Clayton Shotwell
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 01/16] policycoreutils: new package Clayton Shotwell
@ 2015-07-10 23:27 ` Clayton Shotwell
  2015-07-14 14:50   ` Samuel Martin
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 03/16] busybox: applets as individual binaries Clayton Shotwell
From: Clayton Shotwell @ 2015-07-10 23:27 UTC (permalink / raw)
  To: buildroot

From: Clayton Shotwell <clshotwe@rockwellcollins.com>

Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>

---
Changes v7 -> v8:
  - Changed REFPOLICY_MAKE_CMDS to REFPOLICY_MAKE_OPTS (Suggested by
    Samuel)
  - Added a help section to the custom git repo to explain why the
    refpolicy-contrib option is needed (Suggested by Samuel)
  - Added rsync exclusions to ensure no unneeded files are copied during
    the refpolicy-contrib sync (Suggested by Samuel)

Changes v6 -> v7:
  - Moving the refpolicy patch into a version specific folder to
    prevent it from being applied to the custom git repos. (Clayton S.)

Changes v5 -> v6:
  - Fixed references to GIT in config files (Suggested by Ryan B.)
  - Removed execute permissions on files (Suggested by Ryan B.)
  - Fixed spelling error and changed staging install to always install
    the documentation (Suggested by Samuel)

Changes v4 -> v5:
  - Removed TODO and dependency on glibc (Matt W.)
  - Added lib depends to meet policycoreutils limitation on std lib
    (Matt W.)
  - Added comment for when an option is not defined (Matt W.)
  - Removed largefile, locale, and wchar dependencies (Clayton S.)
  - Removed dependency on host-python-pyxml (Ryan B.)
  - Forced package to use $(HOST_DIR)/usr/bin/python2 for python
    executable (Ryan B.)
  - Added host-python dependency (Clayton S.)
  - Removed config menu (suggested by Thomas P.)
  - Added patch to fix awk issue (Clayton S.)

Changes v3 -> v4:
  - Added a dependency on host-gawk and corrected the awk calls
    in the makefile to use $(AWK)
  - Changed the default policy name to br_policy to differentiate
    the policy generated from refpolicy
  - Added an install step to create a /.autorelabel file to cause
    the file system to be relabeled by the S12SELinux init script
  - Adding a default modules.conf file with an option to specify
    a different one. This will decrease the build time for
    refpolicy by removing unused policies. (implemented by
    Thomas P.)
  - Cleaned up the configure comments (implemented by Thomas).
  - Added a check to only install the documentation if the
    Buildroot option is enabled
  - Removed the build because the install step completes the
    same process. Also removed the clean step because it is
    being removed globally from buildroot (implemented by
    Thomas P.)
  - Added more error handling to the startup script to print
    a warning if SELinux fails to install the policy if it
    exists. This can be caused by the kernel not being configured
    with SELinux enabled

Changes v2 -> v3:
  - Changed patch naming convention (suggested by Thomas P.)
  - Added dependencies on BR2_TOOLCHAIN_HAS_THREADS and
    BR2_LARGEFILE (suggested by Thomas P.)
  - Removed configure option for a specific patch folder
    (suggested by Thomas P.)
  - Removed distribution configuration option (suggested by Thomas)
  - Changed the monolithic configuration option to a modular
    configuration option (suggested by Thomas P.)
  - Removed the refpolicy name option (suggested by Thomas P.)
  - Corrected grammatical and comment errors (suggested by Thomas P.)
  - Multiple style corrections to the mk file (suggested by Thomas P.)
  - Added a comment to clarify the usage of the host build
    options for a target build

Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format
  - Fixed the patch naming to match the standard 4 digit numbering
  - Changed package dependencies into selects in the config
---
 package/Config.in                                  |   2 +
 package/refpolicy-contrib/Config.in                |  19 +
 package/refpolicy-contrib/refpolicy-contrib.mk     |  18 +
 .../0001-Fix-awk-references-to-use-variable.patch  |  42 +++
 package/refpolicy/Config.in                        |  99 +++++
 package/refpolicy/S00selinux                       | 136 +++++++
 package/refpolicy/config                           |   8 +
 package/refpolicy/modules.conf                     | 406 +++++++++++++++++++++
 package/refpolicy/refpolicy.hash                   |   2 +
 package/refpolicy/refpolicy.mk                     | 120 ++++++
 10 files changed, 852 insertions(+)
 create mode 100644 package/refpolicy-contrib/Config.in
 create mode 100644 package/refpolicy-contrib/refpolicy-contrib.mk
 create mode 100644 package/refpolicy/2.20130424/0001-Fix-awk-references-to-use-variable.patch
 create mode 100644 package/refpolicy/Config.in
 create mode 100644 package/refpolicy/S00selinux
 create mode 100644 package/refpolicy/config
 create mode 100644 package/refpolicy/modules.conf
 create mode 100644 package/refpolicy/refpolicy.hash
 create mode 100644 package/refpolicy/refpolicy.mk

diff --git a/package/Config.in b/package/Config.in
index 8aea808..2cc81fa 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1352,6 +1352,8 @@ endmenu
 
 menu "Security"
 	source "package/policycoreutils/Config.in"
+	source "package/refpolicy/Config.in"
+	source "package/refpolicy-contrib/Config.in"
 	source "package/setools/Config.in"
 endmenu
 
diff --git a/package/refpolicy-contrib/Config.in b/package/refpolicy-contrib/Config.in
new file mode 100644
index 0000000..b518248
--- /dev/null
+++ b/package/refpolicy-contrib/Config.in
@@ -0,0 +1,19 @@
+if BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
+
+comment "A refpolicy contrib repository is required if using a refpolicy repo. (Contrib is a Git submodule of refpolicy)"
+
+config BR2_PACKAGE_REFPOLICY_CONTRIB
+	bool "refpolicy-contrib"
+	help
+	  A Git submodule of the refpolicy package.
+
+config BR2_PACKAGE_REFPOLICY_CONTRIB_CUSTOM_REPO_URL
+	string "URL of custom contrib submodule repository"
+
+config BR2_PACKAGE_REFPOLICY_CONTRIB_CUSTOM_REPO_VERSION
+	string "Custom contrib submodule repository version"
+	help
+	  Revision to use in the typical format used by Git
+	  e.g. a SHA id, a tag, branch, ..
+
+endif
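Review bot: `BR2_PACKAGE_REFPOLICY_CONTRIB` has a user-visible prompt, but this file is only reached under `if BR2_PACKAGE_REFPOLICY_CUSTOM_GIT` and that option `select`s the symbol (see refpolicy/Config.in later in this patch), so the prompt can never be turned off and the explanatory comment above it has no effect; make it a promptless `bool`, or drop it and hang the two string settings directly off `BR2_PACKAGE_REFPOLICY_CUSTOM_GIT`. The two string options have no `depends on BR2_PACKAGE_REFPOLICY_CONTRIB`, no default, and the URL one has no help text; since refpolicy-contrib.mk passes the values straight to `REFPOLICY_CONTRIB_SITE`/`_VERSION` without checking them, a blank URL is only discovered at download time, so at least say in the help that both must be filled in.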
diff --git a/package/refpolicy-contrib/refpolicy-contrib.mk b/package/refpolicy-contrib/refpolicy-contrib.mk
new file mode 100644
index 0000000..3d1c53e
--- /dev/null
+++ b/package/refpolicy-contrib/refpolicy-contrib.mk
@@ -0,0 +1,18 @@
+################################################################################
+#
+# refpolicy-contrib
+#
+################################################################################
+
+ifeq ($(BR2_PACKAGE_REFPOLICY_CUSTOM_GIT),y)
+REFPOLICY_CONTRIB_SITE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CONTRIB_CUSTOM_REPO_URL))
+REFPOLICY_CONTRIB_VERSION = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CONTRIB_CUSTOM_REPO_VERSION))
+REFPOLICY_CONTRIB_SITE_METHOD = git
+
+# Inherits license from refpolicy as normally this is a submodule
+REFPOLICY_CONTRIB_LICENSE = GPLv2
+endif
+
+# If refpolicy is from release archive, this contrib content is part of it.
+
+$(eval $(generic-package))
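Review bot: the whole package definition sits inside `ifeq ($(BR2_PACKAGE_REFPOLICY_CUSTOM_GIT),y)`, so with that option off `$(eval $(generic-package))` still runs with no `REFPOLICY_CONTRIB_SITE` or `_VERSION`; that is harmless only because the Config.in symbol is hidden behind the same option, which is worth a comment. The package also defines no build or install commands and relies on refpolicy.mk rsyncing `$(REFPOLICY_CONTRIB_DIR)` into `policy/modules/contrib/`; say so next to the "If refpolicy is from release archive" comment so the empty package does not read as an oversight. `REFPOLICY_CONTRIB_LICENSE = GPLv2` is set with no `REFPOLICY_CONTRIB_LICENSE_FILES`; if the contrib tree ships its own COPYING add it, otherwise state in the comment that the licence file is the one in refpolicy.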
diff --git a/package/refpolicy/2.20130424/0001-Fix-awk-references-to-use-variable.patch b/package/refpolicy/2.20130424/0001-Fix-awk-references-to-use-variable.patch
new file mode 100644
index 0000000..8236fa2
--- /dev/null
+++ b/package/refpolicy/2.20130424/0001-Fix-awk-references-to-use-variable.patch
@@ -0,0 +1,42 @@
+From 1d4c826e8de366bccb93f167cd9be834ab5911c8 Mon Sep 17 00:00:00 2001
+From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+Date: Fri, 8 May 2015 14:13:00 -0500
+Subject: [PATCH] Fix awk references to use variable
+
+Ensure all awk calls use the variable setup in the makefile rather than
+relying on the system.
+
+Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+---
+ Makefile | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 85d4cfb..3aa4b51 100644
+--- a/Makefile
++++ b/Makefile
+@@ -292,9 +292,9 @@ cmdline_mods := $(addsuffix .te,$(APPS_MODS))
+ cmdline_off := $(addsuffix .te,$(APPS_OFF))
+ 
+ # extract settings from modules.conf
+-mod_conf_base := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configbase)") print $$1 }' $(mod_conf) 2> /dev/null)))
+-mod_conf_mods := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configmod)") print $$1 }' $(mod_conf) 2> /dev/null)))
+-mod_conf_off := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configoff)") print $$1 }' $(mod_conf) 2> /dev/null)))
++mod_conf_base := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configbase)") print $$1 }' $(mod_conf) 2> /dev/null)))
++mod_conf_mods := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configmod)") print $$1 }' $(mod_conf) 2> /dev/null)))
++mod_conf_off := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configoff)") print $$1 }' $(mod_conf) 2> /dev/null)))
+ 
+ base_mods := $(cmdline_base)
+ mod_mods := $(cmdline_mods)
+@@ -308,7 +308,7 @@ off_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_c
+ off_mods += $(filter-out $(base_mods) $(mod_mods) $(off_mods),$(notdir $(detected_mods)))
+ 
+ # filesystems to be used in labeling targets
+-filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
++filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | $(AWK) '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
+ fs_names := "btrfs ext2 ext3 ext4 xfs jfs"
+ 
+ ########################################
+-- 
+1.9.1
+
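Review bot: the embedded patch carries no upstream-status line (submitted, merged, or Buildroot-specific) in its commit message, so a later refpolicy bump cannot tell whether it can be dropped; add one above the Signed-off-by. The change itself only swaps `awk` for `$(AWK)` in the four lines shown, which matches its description.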
diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
new file mode 100644
index 0000000..b6af100
--- /dev/null
+++ b/package/refpolicy/Config.in
@@ -0,0 +1,99 @@
+config BR2_PACKAGE_REFPOLICY
+	bool "refpolicy"
+	select BR2_PACKAGE_POLICYCOREUTILS
+	select BR2_PACKAGE_BUSYBOX_SELINUX if BR2_PACKAGE_BUSYBOX
+	depends on BR2_TOOLCHAIN_HAS_THREADS # policycoreutils
+	depends on BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL # policycoreutils
+	help
+	  The SELinux Reference Policy project (refpolicy) is a
+	  complete SELinux policy that can be used as the system
+	  policy for a variety of systems and used as the basis
+	  for creating other policies. Reference Policy was originally
+	  based on the NSA example policy, but aims to accomplish
+	  many additional goals.
+
+	  The current refpolicy does not fully support Buildroot
+	  and needs modifications to work with the default system
+	  file layout.  These changes should be added as patches to
+	  the refpolicy that modify a single SELinux policy.
+
+comment "refpolicy needs a toolchain w/ threads, glibc or musl"
+	depends on !BR2_TOOLCHAIN_HAS_THREADS \
+		|| !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL)
+
+if BR2_PACKAGE_REFPOLICY
+
+choice
+	prompt "SELinux policy type"
+	default BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
+
+	config BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
+		bool "Standard"
+		help
+		  Standard SELinux policy
+
+	config BR2_PACKAGE_REFPOLICY_TYPE_MCS
+		bool "MCS"
+		help
+		  SELinux policy with multi-catagory support
+
+	config BR2_PACKAGE_REFPOLICY_TYPE_MLS
+		bool "MLS"
+		help
+		  SELinux policy with multi-catagory and multi-level support
+endchoice
+
+config BR2_PACKAGE_REFPOLICY_TYPE
+	string
+	default "standard" if BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
+	default "mcs" if BR2_PACKAGE_REFPOLICY_TYPE_MCS
+	default "mls" if BR2_PACKAGE_REFPOLICY_TYPE_MLS
+
+config BR2_PACKAGE_REFPOLICY_MODULES_FILE
+	string "Refpolicy modules configuration"
+	default "package/refpolicy/modules.conf"
+	help
+	  Location of a custom modules.conf file that lists the
+	  SELinux policy modules to be included in the compiled
+	  policy. See policy/modules.conf in the refpolicy sources for
+	  the complete list of available modules.
+	  NOTE: This file is only used if a Custom Git repo is
+	  not specified.
+
+config BR2_PACKAGE_REFPOLICY_MODULAR
+	bool "Build a modular SELinux policy"
+	help
+	  Select Y to build a modular SELinux policy. By default,
+	  a monolithing policy will be built to save space on the
+	  target. A modular policy can also be built if policies
+	  need to be modified without reloading the target.
+
+config BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
+	bool "Custom Git repository"
+	select BR2_PACKAGE_REFPOLICY_CONTRIB
+	help
+	 This option allows Buildroot to get the refpolicy source
+	 code from a Git repository. This option should generally
+	 be used to add custom SELinux policy to the base refpolicy
+	 without having to deal with lots of patches.
+
+	 Please note that with the current configuration of the
+	 mainline refpolicy git repositories, a refpolicy and a
+	 refpolicy-contrib git repo must be specified. These are
+	 linked using a git submodule which does not get initialized
+	 during the Buildroot build.
+
+if BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
+
+config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL
+	string "URL of custom repository"
+
+config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION
+	string "Custom repository version"
+	help
+	  Revision to use in the typical format used by Git
+	  e.g. a SHA id, a tag, branch, ..
+
+endif
+
+endif
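Review bot: typos in help text: "multi-catagory" (in both the MCS and MLS entries) should be "multi-category", and "monolithing policy" should be "monolithic policy". `BR2_PACKAGE_REFPOLICY_MODULES_FILE` has a NOTE saying it is ignored when a custom Git repo is used; that is better expressed as `depends on !BR2_PACKAGE_REFPOLICY_CUSTOM_GIT`, so the option disappears instead of being silently ignored. The help block of `BR2_PACKAGE_REFPOLICY_CUSTOM_GIT` is indented with one space where every other help block in the file uses two.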
diff --git a/package/refpolicy/S00selinux b/package/refpolicy/S00selinux
new file mode 100644
index 0000000..f2ac2e6
--- /dev/null
+++ b/package/refpolicy/S00selinux
@@ -0,0 +1,136 @@
+#!/bin/sh
+################################################################################
+#
+# This file labels the security contexts of memory based filesystems such as
+# /dev/ and checks for auto relabel request if '/.autorelabel' file exists.
+#
+# This script is a heavily stripped down and modified version of the one used
+# in CentOS 6.2
+#
+################################################################################
+
+failed()
+{
+   echo $1
+   exit 1
+}
+
+# Get SELinux config env vars
+. /etc/selinux/config || failed "Failed to source the SELinux config"
+
+setup_selinux() {
+   # Create required directories
+   mkdir -p /etc/selinux/${SELINUXTYPE}/policy/ ||
+         failed "Failed to create the policy folder"
+   mkdir -p /etc/selinux/${SELINUXTYPE}/modules/active/modules || \
+         failed "Failed to create the modules folder"
+   if [ ! -f /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local ]
+   then
+      touch /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local || \
+            failed "Failed to create the file_contexts.local file"
+   fi
+
+   # Install modules
+   semodule -v -s ${SELINUXTYPE} -b /usr/share/selinux/${SELINUXTYPE}/base.pp \
+         -i $(ls /usr/share/selinux/${SELINUXTYPE}/*.pp | grep -v base) || \
+         failed "Failed to install the base policy"
+
+   # Load the policy to activate it
+   load_policy -i || failed "Failed to load the SELinux policy"
+}
+
+relabel_selinux() {
+   # if /sbin/init is not labeled correctly this process is running in the
+   # wrong context, so a reboot will be required after relabel
+   AUTORELABEL=
+
+   # Switch to Permissive mode
+   echo "0" > /selinux/enforce || failed "Failed to disable enforcing mode"
+
+   echo
+   echo "*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
+   echo "*** Relabeling could take a very long time, depending on file"
+   echo "*** system size and speed of hard drives."
+
+   # Relabel mount points
+   restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) \
+         >/dev/null 2>&1 || failed "Failed to relabel the mount points"
+
+   # Relabel file system
+   echo "Relabeling file systems"
+   restorecon -R -F / || failed "Failed to relabel the file system"
+
+   # Remove label
+   rm -f  /.autorelabel || failed "Failed to remove the autorelabel flag"
+
+   # Reboot to activate relabeled file system
+   echo "Automatic reboot in progress."
+   reboot -f
+}
+
+start() {
+   echo -n "Initializing SELinux: "
+
+   # Check to see if the default policy has been installed
+   if [ "`sestatus | grep "SELinux status" | grep enabled`" == "" ]; then
+      if [ ! -f /etc/selinux/${SELINUXTYPE}/policy/policy.* ]
+      then
+         setup_selinux
+      else
+         echo "SELinux policy install failed. Check kernel and init config"
+         exit 1
+      fi
+   fi
+
+   # Check SELinux status
+   SELINUX_STATE=
+   if [ -e "/selinux/enforce" ] && [ "$(cat /proc/self/attr/current)" != "kernel" ]; then
+      if [ -r "/selinux/enforce" ] ; then
+         SELINUX_STATE=$(cat "/selinux/enforce")
+      else
+         # assume enforcing if you can't read it
+         SELINUX_STATE=1
+      fi
+   fi
+
+   # Context Label /dev/
+   if [ -n "$SELINUX_STATE" -a -x /sbin/restorecon ] && fgrep " /dev " /proc/mounts >/dev/null 2>&1 ; then
+      /sbin/restorecon -R -F /dev 2>/dev/null
+   fi
+
+   # Context Label tmpfs mounts
+   if [ -n "$SELINUX_STATE" -a -x /sbin/restorecon ]; then
+      /sbin/restorecon -R -F $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// && $3 =="tmpfs" { print $2 }' /etc/fstab) >/dev/null 2>&1
+   fi
+
+   # Clean up SELinux labels
+   if [ -n "$SELINUX_STATE" -a -x /sbin/restorecon ]; then
+      restorecon -F /etc/mtab /etc/ld.so.cache /etc/resolv.conf >/dev/null 2>&1
+   fi
+
+   # Check for filesystem relabel request
+   if [ -f /.autorelabel ] ; then
+      relabel_selinux
+   fi
+
+   echo "OK"
+}
+stop() {
+   # There is nothing to do
+   echo "OK"
+}
+
+case "$1" in
+   start)
+      start
+      ;;
+   stop)
+      stop
+      ;;
+   *)
+      echo "Usage: $0 {start|stop}"
+      exit 1
+      ;;
+esac
+
+exit $?
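Review bot: the script sources /etc/selinux/config but only uses `SELINUXTYPE`; the `SELINUX=` value (enforcing/permissive/disabled, per the config file added in this same patch) is never acted on, so after `load_policy -i` the enforcing state is whatever the kernel booted with, and `relabel_selinux` unconditionally writes 0 to /selinux/enforce. Either apply `$SELINUX` to the enforce flag after the policy loads or document that the setting is informational only. Further points: `/selinux/enforce` is hard-coded, so on a kernel whose selinuxfs is mounted at /sys/fs/selinux every `-e "/selinux/enforce"` test fails, `SELINUX_STATE` stays empty and the /dev and tmpfs relabel steps are skipped without any message; `[ "..." == "" ]` is a bashism under `#!/bin/sh`, use `=`; `[ ! -f /etc/selinux/${SELINUXTYPE}/policy/policy.* ]` puts a glob inside `test`, which errors out as soon as two policy files exist; in `setup_selinux`, `-i $(ls ... *.pp | grep -v base)` leaves `-i` with no argument when base.pp is the only module; and `restorecon $(awk ... /etc/fstab) || failed` aborts the relabel when fstab yields no mount points.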
diff --git a/package/refpolicy/config b/package/refpolicy/config
new file mode 100644
index 0000000..5eee807
--- /dev/null
+++ b/package/refpolicy/config
@@ -0,0 +1,8 @@
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+#     enforcing - SELinux security policy is enforced.
+#     permissive - SELinux prints warnings instead of enforcing.
+#     disabled - No SELinux policy is loaded.
+SELINUX=permissive
+# SELINUXTYPE= name of the selinux policy to use
+SELINUXTYPE=refpolicy
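Review bot: `SELINUX=permissive` as the shipped default means the target boots with the policy loaded but not enforced; that is a reasonable first-boot setting for relabeling, but the comment here (or the refpolicy help text) should say so explicitly so it is not carried unchanged into a deployed image. `SELINUXTYPE=refpolicy` is overwritten at install time by the `$(SED) "/^SELINUXTYPE/c\SELINUXTYPE=$(REFPOLICY_POLICY_NAME)"` line in refpolicy.mk, so the value in this file never reaches the target; set it to `br_policy` or comment that the .mk rewrites it. The same install line uses `$(INSTALL) -m 0755` for this file; a configuration file should be installed 0644.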
diff --git a/package/refpolicy/modules.conf b/package/refpolicy/modules.conf
new file mode 100644
index 0000000..58282d8
--- /dev/null
+++ b/package/refpolicy/modules.conf
@@ -0,0 +1,406 @@
+#
+# This file contains a listing of available modules.
+# To prevent a module from  being used in policy
+# creation, set the module name to "off".
+#
+# For monolithic policies, modules set to "base" and "module"
+# will be built into the policy.
+#
+# For modular policies, modules set to "base" will be
+# included in the base module.  "module" will be compiled
+# as individual loadable modules.
+#
+
+# Layer: kernel
+# Module: corecommands
+# Required in base
+#
+# Core policy for shells, and generic programs
+# in /bin, /sbin, /usr/bin, and /usr/sbin.
+#
+corecommands = base
+
+# Layer: kernel
+# Module: corenetwork
+# Required in base
+#
+# Policy controlling access to network objects
+#
+corenetwork = base
+
+# Layer: kernel
+# Module: devices
+# Required in base
+#
+# Device nodes and interfaces for many basic system devices.
+#
+devices = base
+
+# Layer: kernel
+# Module: domain
+# Required in base
+#
+# Core policy for domains.
+#
+domain = base
+
+# Layer: kernel
+# Module: files
+# Required in base
+#
+# Basic filesystem types and interfaces.
+#
+files = base
+
+# Layer: kernel
+# Module: filesystem
+# Required in base
+#
+# Policy for filesystems.
+#
+filesystem = base
+
+# Layer: kernel
+# Module: kernel
+# Required in base
+#
+# Policy for kernel threads, proc filesystem,
+# and unlabeled processes and objects.
+#
+kernel = base
+
+# Layer: kernel
+# Module: mcs
+# Required in base
+#
+# Multicategory security policy
+#
+mcs = base
+
+# Layer: kernel
+# Module: mls
+# Required in base
+#
+# Multilevel security policy
+#
+mls = base
+
+# Layer: kernel
+# Module: selinux
+# Required in base
+#
+# Policy for kernel security interface, in particular, selinuxfs.
+#
+selinux = base
+
+# Layer: kernel
+# Module: terminal
+# Required in base
+#
+# Policy for terminals.
+#
+terminal = base
+
+# Layer: kernel
+# Module: ubac
+# Required in base
+#
+# User-based access control policy
+#
+ubac = base
+
+# Layer: admin
+# Module: bootloader
+#
+# Policy for the kernel modules, kernel image, and bootloader.
+#
+bootloader = module
+
+# Layer: admin
+# Module: consoletype
+#
+# Determine of the console connected to the controlling terminal.
+#
+consoletype = module
+
+# Layer: admin
+# Module: dmesg
+#
+# Policy for dmesg.
+#
+dmesg = module
+
+# Layer: admin
+# Module: netutils
+#
+# Network analysis utilities
+#
+netutils = module
+
+# Layer: admin
+# Module: su
+#
+# Run shells with substitute user and group
+#
+su = module
+
+# Layer: admin
+# Module: sudo
+#
+# Execute a command with a substitute user
+#
+sudo = module
+
+# Layer: admin
+# Module: usermanage
+#
+# Policy for managing user accounts.
+#
+usermanage = module
+
+# Layer: apps
+# Module: seunshare
+#
+# Filesystem namespacing/polyinstantiation application.
+#
+seunshare = module
+
+# Layer: kernel
+# Module: storage
+#
+# Policy controlling access to storage devices
+#
+storage = module
+
+# Layer: roles
+# Module: auditadm
+#
+# Audit administrator role
+#
+auditadm = module
+
+# Layer: roles
+# Module: logadm
+#
+# Log administrator role
+#
+logadm = module
+
+# Layer: roles
+# Module: secadm
+#
+# Security administrator role
+#
+secadm = module
+
+# Layer: roles
+# Module: staff
+#
+# Administrator's unprivileged user role
+#
+staff = module
+
+# Layer: roles
+# Module: sysadm
+#
+# General system administration role
+#
+sysadm = module
+
+# Layer: roles
+# Module: unprivuser
+#
+# Generic unprivileged user role
+#
+unprivuser = module
+
+# Layer: services
+# Module: postgresql
+#
+# PostgreSQL relational database
+#
+postgresql = module
+
+# Layer: services
+# Module: ssh
+#
+# Secure shell client and server policy.
+#
+ssh = module
+
+# Layer: services
+# Module: xserver
+#
+# X Windows Server
+#
+xserver = module
+
+# Layer: system
+# Module: application
+#
+# Policy for user executable applications.
+#
+application = module
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+#
+authlogin = module
+
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+#
+clock = module
+
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+#
+fstools = module
+
+# Layer: system
+# Module: getty
+#
+# Policy for getty.
+#
+getty = module
+
+# Layer: system
+# Module: hostname
+#
+# Policy for changing the system host name.
+#
+hostname = module
+
+# Layer: system
+# Module: hotplug
+#
+# Policy for hotplug system, for supporting the
+# connection and disconnection of devices at runtime.
+#
+hotplug = module
+
+# Layer: system
+# Module: init
+#
+# System initialization programs (init and init scripts).
+#
+init = module
+
+# Layer: system
+# Module: ipsec
+#
+# TCP/IP encryption
+#
+ipsec = module
+
+# Layer: system
+# Module: iptables
+#
+# Policy for iptables.
+#
+iptables = module
+
+# Layer: system
+# Module: libraries
+#
+# Policy for system libraries.
+#
+libraries = module
+
+# Layer: system
+# Module: locallogin
+#
+# Policy for local logins.
+#
+locallogin = module
+
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+#
+logging = module
+
+# Layer: system
+# Module: lvm
+#
+# Policy for logical volume management programs.
+#
+lvm = module
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+#
+miscfiles = module
+
+# Layer: system
+# Module: modutils
+#
+# Policy for kernel module utilities
+#
+modutils = module
+
+# Layer: system
+# Module: mount
+#
+# Policy for mount.
+#
+mount = module
+
+# Layer: system
+# Module: netlabel
+#
+# NetLabel/CIPSO labeled networking management
+#
+netlabel = module
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+#
+selinuxutil = module
+
+# Layer: system
+# Module: setrans
+#
+# SELinux MLS/MCS label translation service.
+#
+setrans = module
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+#
+sysnetwork = module
+
+# Layer: system
+# Module: udev
+#
+# Policy for udev.
+#
+udev = module
+
+# Layer: system
+# Module: unconfined
+#
+# The unconfined domain.
+#
+unconfined = module
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+#
+userdomain = module
+
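Review bot: the list ends with `unconfined = module` and also enables `su`, `sudo`, `postgresql` and `xserver`, none of which a minimal target obviously needs; a comment at the top distinguishing the modules the refpolicy build requires from those included for the example target would make the file easier to prune, and the `unconfined` entry in particular deserves a line on why it is on by default. `mcs = base` and `mls = base` are both marked "Required in base" regardless of the policy TYPE chosen in Config.in; note whether refpolicy ignores the inapplicable one. Typo: "Miscelaneous" should be "Miscellaneous".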
diff --git a/package/refpolicy/refpolicy.hash b/package/refpolicy/refpolicy.hash
new file mode 100644
index 0000000..eca53d7
--- /dev/null
+++ b/package/refpolicy/refpolicy.hash
@@ -0,0 +1,2 @@
+#From https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease
+sha256 6039ba854f244a39dc727cc7db25632f7b933bb271c803772d754d4354f5aef4  refpolicy-2.20130424.tar.bz2
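Review bot: the comment reads `#From` with no space after `#`, unlike the `# https://...` comment in policycoreutils.hash earlier in this series; use the same `# From <url>` form in both files.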
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
new file mode 100644
index 0000000..dbc662d
--- /dev/null
+++ b/package/refpolicy/refpolicy.mk
@@ -0,0 +1,120 @@
+################################################################################
+#
+# refpolicy
+#
+################################################################################
+
+ifeq ($(BR2_PACKAGE_REFPOLICY_CUSTOM_GIT),y)
+REFPOLICY_SITE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL))
+REFPOLICY_VERSION = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION))
+REFPOLICY_SITE_METHOD = git
+REFPOLICY_DEPENDENCIES += refpolicy-contrib
+else
+REFPOLICY_VERSION = 2.20130424
+REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2
+REFPOLICY_SITE = http://oss.tresys.com/files/refpolicy/
+endif
+REFPOLICY_LICENSE = GPLv2
+REFPOLICY_LICENSE_FILES = COPYING
+
+# Cannot use multiple threads to build the reference policy
+REFPOLICY_MAKE = $(TARGET_MAKE_ENV) $(MAKE1)
+
+REFPOLICY_DEPENDENCIES += host-m4 host-checkpolicy host-policycoreutils \
+	host-setools host-gawk host-python policycoreutils
+
+REFPOLICY_INSTALL_STAGING = YES
+
+REFPOLICY_POLICY_NAME = br_policy
+
+# To apply board specific customizations, create a refpolicy folder in
+# BR2_GLOBAL_PATCH_DIR.  These patches will be applied after the patches
+# in package/refpolicy
+
+# Passing the HOST_CONFIGURE_OPTS to the target build because all of the
+# build utilities are expected to be on system. This fools the make files
+# into using the host built utilities to compile the SELinux policy for
+# the target.
+#
+# Note, the TEST_TOOLCHAIN option will also set the
+# LD_LIBRARY_PATH at run time.
+REFPOLICY_MAKE_OPTS = $(HOST_CONFIGURE_OPTS) \
+	TEST_TOOLCHAIN="$(HOST_DIR)"
+
+# Build requires python2 to run
+REFPOLICY_MAKE_ENV = \
+	PYTHON="$(HOST_DIR)/usr/bin/python2" \
+	AWK="$(HOST_DIR)/usr/bin/gawk" \
+	M4="$(HOST_DIR)/usr/bin/m4"
+
+
+ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)
+	REFPOLICY_MONOLITHIC = n
+else
+	REFPOLICY_MONOLITHIC = y
+endif
+
+ifeq ($(BR2_PACKAGE_REFPOLICY_CUSTOM_GIT),y)
+define REFPOLICY_GIT_SUBMODULE_SETUP
+	rsync -ar $(RSYNC_VCS_EXCLUSIONS) $(REFPOLICY_CONTRIB_DIR)/* $(@D)/policy/modules/contrib/
+endef
+else
+REFPOLICY_MODULES_FILE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_MODULES_FILE))
+define REFPOLICY_CUSTOM_MODULES_CONF
+	cp $(REFPOLICY_MODULES_FILE) $(@D)/policy/modules.conf
+endef
+endif
+
+define REFPOLICY_CONFIGURE_CMDS
+	$(REFPOLICY_GIT_SUBMODULE_SETUP)
+	# If an external repo is used to build refpolicy, this preserves the
+	# custom modules.conf which defines the enabled components.
+	if [ -f $(@D)/policy/modules.conf ]; then \
+		mv $(@D)/policy/modules.conf $(@D)/modules.conf.bk ; \
+	fi
+	$(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) bare \
+		$(REFPOLICY_MAKE_OPTS) DESTDIR=$(STAGING_DIR)
+	$(SED) "/TYPE/c\TYPE = $(BR2_PACKAGE_REFPOLICY_TYPE)" $(@D)/build.conf
+	$(SED) "/MONOLITHIC/c\MONOLITHIC = $(REFPOLICY_MONOLITHIC)" $(@D)/build.conf
+	$(SED) "/NAME/c\NAME = $(REFPOLICY_POLICY_NAME)" $(@D)/build.conf
+	$(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) conf \
+		$(REFPOLICY_MAKE_OPTS) DESTDIR=$(STAGING_DIR)
+	if [ -f $(@D)/modules.conf.bk ]; then \
+		echo "[Preserved modules.conf]" ; \
+		mv $(@D)/modules.conf.bk $(@D)/policy/modules.conf ; \
+	fi
+	$(REFPOLICY_CUSTOM_MODULES_CONF)
+endef
+
+define REFPOLICY_INSTALL_STAGING_CMDS
+	$(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) install-src install-headers \
+		install-docs $(REFPOLICY_MAKE_OPTS) DESTDIR=$(STAGING_DIR)
+endef
+
+define REFPOLICY_INSTALL_TARGET_CMDS
+	$(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) install \
+		$(REFPOLICY_MAKE_OPTS) DESTDIR=$(TARGET_DIR)
+	$(INSTALL) -m 0755 -D package/refpolicy/config $(TARGET_DIR)/etc/selinux/config
+	$(SED) "/^SELINUXTYPE/c\SELINUXTYPE=$(REFPOLICY_POLICY_NAME)" \
+		$(TARGET_DIR)/etc/selinux/config
+	touch $(TARGET_DIR)/.autorelabel
+	$(RM) $(TARGET_DIR)/etc/selinux/$(REFPOLICY_POLICY_NAME)/booleans
+endef
+
+define REFPOLICY_INSTALL_INIT_SYSV
+	$(INSTALL) -m 0755 -D package/refpolicy/S00selinux \
+		$(TARGET_DIR)/etc/init.d/S00selinux
+endef
+
+define REFPOLICY_POLICY_COMPILE
+	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(REFPOLICY_POLICY_NAME)/policy
+	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(REFPOLICY_POLICY_NAME)/modules/active/modules
+	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(REFPOLICY_POLICY_NAME)/contexts/files
+	touch $(TARGET_DIR)/etc/selinux/$(REFPOLICY_POLICY_NAME)/contexts/files/file_contexts.local
+endef
+
+ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)
+	REFPOLICY_POST_INSTALL_TARGET_HOOKS += REFPOLICY_POLICY_COMPILE
+endif
+
+$(eval $(generic-package))
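Review bot: in the `else` branch, `REFPOLICY_CUSTOM_MODULES_CONF` runs `cp $(REFPOLICY_MODULES_FILE) $(@D)/policy/modules.conf` without checking that BR2_PACKAGE_REFPOLICY_MODULES_FILE was actually set, so an empty option becomes `cp  $(@D)/policy/modules.conf` and the configure step fails with a confusing error; wrap the define in `ifneq ($(REFPOLICY_MODULES_FILE),)` so the default modules.conf from `make conf` is kept when no file is given. The three build.conf edits `$(SED) "/TYPE/c\..."`, `"/MONOLITHIC/c\..."` and `"/NAME/c\..."` are unanchored, so any other line of build.conf containing one of those words would be replaced as well; anchor them at line start the way the later `"/^SELINUXTYPE/c\..."` edit does. Minor: the assignments inside `ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)` are tab-indented, unlike the rest of the file.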
-- 
1.9.1



* [Buildroot] [PATCH v8 03/16] busybox: applets as individual binaries
  2015-07-10 23:27 [Buildroot] [PATCH v8 00/16] SELinux Buildroot Additions Clayton Shotwell
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 01/16] policycoreutils: new package Clayton Shotwell
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 02/16] refpolicy: " Clayton Shotwell
@ 2015-07-10 23:27 ` Clayton Shotwell
  2015-07-14 15:19   ` Samuel Martin
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 04/16] busybox: selinux support Clayton Shotwell
                   ` (12 subsequent siblings)
  15 siblings, 1 reply; 36+ messages in thread
From: Clayton Shotwell @ 2015-07-10 23:27 UTC (permalink / raw)
  To: buildroot

The individual binaries option of busybox allows for the applets
that would usually be symlinks to be built as individual applications
that link against a shared library.

This feature is needed for SELinux to allow the applications to run
under the correct SELinux context.

The patch being added allows the individual applications to be
installed and will be upstreamed to the busybox developers.

The initial work for this change was done by Thomas Petazzoni
<thomas.petazzoni@free-electrons.com>.

Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>

---
Changes v7 -> v8:
  - Changed individual binaries comment to be !BR2_bfin (Suggested by
    Samuel)

Changes v6 -> v7:
  - No changes

Changes v5 -> v6:
  - No changes

Changes v4 -> v5:
  - Renamed to follow latest patch naming convention (Matt W.)
  - Updated to use BR2_STATIC_LIBS instead of old PREFERRED (Matt W.)
  - Added depends to make sure bfin can't build shared lib
    busybox lib for individual binary use.  Looks like shared
    lib creation doesn't error out but the objects don't get
    placed into the elf.  Then the trylink fails on linking
    the first individual applet. (Matt W.)
  - Made suid permissions setting dynamic for applets actually being
    installed (Clayton S.)

Changes v1 -> v4:
  - Did not exist
---
 ...s-Add-installation-of-individual-binaries.patch | 103 +++++++++++++++++++++
 package/busybox/Config.in                          |   9 ++
 package/busybox/busybox.mk                         |  41 ++++++++
 3 files changed, 153 insertions(+)
 create mode 100644 package/busybox/0002-applets-Add-installation-of-individual-binaries.patch

diff --git a/package/busybox/0002-applets-Add-installation-of-individual-binaries.patch b/package/busybox/0002-applets-Add-installation-of-individual-binaries.patch
new file mode 100644
index 0000000..ae0e654
--- /dev/null
+++ b/package/busybox/0002-applets-Add-installation-of-individual-binaries.patch
@@ -0,0 +1,103 @@
+From 3451b55054a6fe2073a21301938802a27dec835d Mon Sep 17 00:00:00 2001
+From: Clayton Shotwell <clshotwe@rockwellcollins.com>
+Date: Mon, 16 Dec 2013 14:45:33 -0600
+Subject: [PATCH 5/5] applets: Add installation of individual binaries
+
+Adding support to install individual binaries if the option is
+enabled. This also installs the shared libbusybox.so.* library.
+
+Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
+---
+ Makefile.custom    |    4 ++++
+ applets/install.sh |   26 ++++++++++++++++++++++++--
+ 2 files changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile.custom b/Makefile.custom
+index 6da79e6..e4dc4dc 100644
+--- a/Makefile.custom
++++ b/Makefile.custom
+@@ -23,6 +23,10 @@ ifeq ($(CONFIG_INSTALL_SH_APPLET_SCRIPT_WRAPPER),y)
+ INSTALL_OPTS:= --scriptwrapper
+ endif
+ endif
++ifeq ($(CONFIG_FEATURE_INDIVIDUAL),y)
++INSTALL_OPTS:= --binaries
++LIBBUSYBOX_SONAME:= 0_lib/libbusybox.so.$(BB_VER)
++endif
+ install: $(srctree)/applets/install.sh busybox busybox.links
+ 	$(Q)DO_INSTALL_LIBS="$(strip $(LIBBUSYBOX_SONAME) $(DO_INSTALL_LIBS))" \
+ 		$(SHELL) $< $(CONFIG_PREFIX) $(INSTALL_OPTS)
+diff --git a/applets/install.sh b/applets/install.sh
+index 95b4719..d01c98d 100755
+--- a/applets/install.sh
++++ b/applets/install.sh
+@@ -5,19 +5,26 @@ export LC_CTYPE=POSIX
+ 
+ prefix=$1
+ if [ -z "$prefix" ]; then
+-	echo "usage: applets/install.sh DESTINATION [--symlinks/--hardlinks/--scriptwrapper]"
++	echo "usage: applets/install.sh DESTINATION [--symlinks/--hardlinks/--binaries/--scriptwrapper]"
+ 	exit 1
+ fi
+ 
++# Source the configuration
++. ./.config
++
+ h=`sort busybox.links | uniq`
+ 
++sharedlib_dir="0_lib"
++
+ linkopts=""
+ scriptwrapper="n"
++binaries="n"
+ cleanup="0"
+ noclobber="0"
+ case "$2" in
+ 	--hardlinks)     linkopts="-f";;
+ 	--symlinks)      linkopts="-fs";;
++	--binaries)      binaries="y";;
+ 	--scriptwrapper) scriptwrapper="y";swrapall="y";;
+ 	--sw-sh-hard)    scriptwrapper="y";linkopts="-f";;
+ 	--sw-sh-sym)     scriptwrapper="y";linkopts="-fs";;
+@@ -40,8 +47,9 @@ if [ -n "$DO_INSTALL_LIBS" ] && [ "$DO_INSTALL_LIBS" != "n" ]; then
+ 	for i in $DO_INSTALL_LIBS; do
+ 		rm -f "$prefix/$libdir/$i" || exit 1
+ 		if [ -f "$i" ]; then
++			echo "   Installing $i to the target@$prefix/$libdir/"
+ 			cp -pPR "$i" "$prefix/$libdir/" || exit 1
+-			chmod 0644 "$prefix/$libdir/$i" || exit 1
++			chmod 0644 "$prefix/$libdir/`basename $i`" || exit 1
+ 		fi
+ 	done
+ fi
+@@ -68,6 +76,7 @@ install -m 755 busybox "$prefix/bin/busybox" || exit 1
+ 
+ for i in $h; do
+ 	appdir=`dirname "$i"`
++	app=`basename "$i"`
+ 	mkdir -p "$prefix/$appdir" || exit 1
+ 	if [ "$scriptwrapper" = "y" ]; then
+ 		if [ "$swrapall" != "y" ] && [ "$i" = "/bin/sh" ]; then
+@@ -78,6 +87,19 @@ for i in $h; do
+ 			chmod +x "$prefix/$i"
+ 		fi
+ 		echo "	$prefix/$i"
++	elif [ "$binaries" = "y" ]; then
++		# Copy the binary over rather
++		if [ -e $sharedlib_dir/$app ]; then
++			if [ "$noclobber" = "0" ] || [ ! -e "$prefix/$i" ]; then
++				echo "   Copying $sharedlib_dir/$app to $prefix/$i"
++				cp -pPR $sharedlib_dir/$app $prefix/$i || exit 1
++			else
++				echo "  $prefix/$i already exists"
++			fi
++		else
++			echo "Error: Could not find $sharedlib_dir/$app"
++			exit 1
++		fi
+ 	else
+ 		if [ "$2" = "--hardlinks" ]; then
+ 			bb_path="$prefix/bin/busybox"
+-- 
+1.7.1
+
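Review bot: in the `--binaries` branch added to applets/install.sh, `$sharedlib_dir/$app` and `$prefix/$i` are unquoted in the `[ -e ... ]` test and the `cp -pPR` call, while the rest of the script quotes its paths (compare `cp -pPR "$i" "$prefix/$libdir/"` in the library loop); quote them. The comment `# Copy the binary over rather` is cut off mid-sentence. The added `. ./.config` sources the whole busybox configuration into the installer although none of the new code reads a CONFIG_ variable, so either drop it or say which variable it is there for. Since the commit message says this will be sent to the busybox developers, the patch header should record its upstream status.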
diff --git a/package/busybox/Config.in b/package/busybox/Config.in
index 6847a60..b3303c0 100644
--- a/package/busybox/Config.in
+++ b/package/busybox/Config.in
@@ -32,6 +32,15 @@ config BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
 	  Show packages in menuconfig that are potentially also provided
 	  by busybox.
 
+config BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES
+	bool "Individual binaries"
+	depends on !BR2_STATIC_LIBS
+	depends on !BR2_bfin # libbusybox.so link issue
+
+comment "Busybox individual binaries depends on dynamic libraries"
+	depends on BR2_STATIC_LIBS
+	depends on !BR2_bfin
+
 config BR2_PACKAGE_BUSYBOX_WATCHDOG
 	bool "Install the watchdog daemon startup script"
 	help
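Review bot: `BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES` has no `help` text; the explanation in the commit message (applets are built as separate executables linked against a shared libbusybox instead of symlinks to one binary, so each can run in its own SELinux domain) belongs here so users see it in menuconfig. The `comment` line should read "needs dynamic libraries" in line with other Buildroot comments, and "binaries depends" is ungrammatical with a plural subject.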
diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
index 51b35bc..2de6b8a 100644
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -50,10 +50,38 @@ BUSYBOX_KCONFIG_FRAGMENT_FILES = $(call qstrip,$(BR2_PACKAGE_BUSYBOX_CONFIG_FRAG
 BUSYBOX_KCONFIG_EDITORS = menuconfig xconfig gconfig
 BUSYBOX_KCONFIG_OPTS = $(BUSYBOX_MAKE_OPTS)
 
+ifeq ($(BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES),y)
+define BUSYBOX_PERMISSIONS
+	/usr/share/udhcpc/default.script f 755  0  0 - - - - -
+endef
+
+# Set permissions on all applets with BB_SUID_REQUIRE and BB_SUID_MAYBE. The
+# permissions are pulled from the applets.h file that is generated during
+# the build and used to determine all of the possible applets. The permissions
+# file is generated and added to the list of device tables used by makedevs to
+# set file permissions.
+define BUSYBOX_MAKEDEV_PERMISSIONS
+	if [ -f $(@D)/.buildroot_permissions ]; then \
+		rm $(@D)/.buildroot_permissions; \
+	fi; \
+	touch $(@D)/.buildroot_permissions; \
+	for app in `grep -r -e "APPLET.*BB_SUID_REQUIRE\|APPLET.*BB_SUID_MAYBE" $(@D)/include/applets.h \
+			| sed -e 's/,.*//' -e 's/.*(//'`; \
+	do \
+		temp=`grep -w $${app} $(@D)/busybox.links`; \
+		if [ -n "$${temp}" ]; then \
+			echo "$${temp} f 4755 0  0 - - - - -" >> $(@D)/.buildroot_permissions; \
+		fi; \
+	done
+endef
+BUSYBOX_POST_INSTALL_TARGET_HOOKS += BUSYBOX_MAKEDEV_PERMISSIONS
+BR2_ROOTFS_DEVICE_TABLE += $(BUSYBOX_DIR)/.buildroot_permissions
+else
 define BUSYBOX_PERMISSIONS
 	/bin/busybox                     f 4755 0  0 - - - - -
 	/usr/share/udhcpc/default.script f 755  0  0 - - - - -
 endef
+endif
 
 # If mdev will be used for device creation enable it and copy S10mdev to /etc/init.d
 ifeq ($(BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_MDEV),y)
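Review bot: `BUSYBOX_MAKEDEV_PERMISSIONS` writes a `4755` entry for every applet tagged BB_SUID_REQUIRE or BB_SUID_MAYBE. In the single-binary build, a BB_SUID_MAYBE applet only keeps root when /etc/busybox.conf (FEATURE_SUID_CONFIG) allows it; with individual binaries that per-applet runtime decision is gone, so this unconditionally ships every "maybe" applet setuid root and widens the setuid surface compared to the symlink layout. Either limit the generated entries to BB_SUID_REQUIRE, or state in the comment that all BB_SUID_MAYBE applets become setuid and that the SELinux policy is expected to confine them. Minor: `grep -r` on the single file `$(@D)/include/applets.h` is unnecessary.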
@@ -133,6 +161,17 @@ define BUSYBOX_SET_INIT
 endef
 endif
 
+ifeq ($(BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES),y)
+define BUSYBOX_CONFIGURE_INDIVIDUAL_BINARIES
+	$(call KCONFIG_ENABLE_OPT,CONFIG_BUILD_LIBBUSYBOX,$(BUSYBOX_BUILD_CONFIG))
+	$(call KCONFIG_ENABLE_OPT,CONFIG_FEATURE_INDIVIDUAL,$(BUSYBOX_BUILD_CONFIG))
+endef
+
+define BUSYBOX_INSTALL_INDIVIDUAL_BINARIES
+	rm -f $(TARGET_DIR)/bin/busybox
+endef
+endif
+
 define BUSYBOX_INSTALL_LOGGING_SCRIPT
 	if grep -q CONFIG_SYSLOGD=y $(@D)/.config; then \
 		$(INSTALL) -m 0755 -D package/busybox/S01logging \
@@ -177,6 +216,7 @@ define BUSYBOX_KCONFIG_FIXUP_CMDS
 	$(BUSYBOX_INTERNAL_SHADOW_PASSWORDS)
 	$(BUSYBOX_SET_INIT)
 	$(BUSYBOX_SET_WATCHDOG)
+	$(BUSYBOX_CONFIGURE_INDIVIDUAL_BINARIES)
 endef
 
 define BUSYBOX_CONFIGURE_CMDS
@@ -200,6 +240,7 @@ define BUSYBOX_INSTALL_INIT_SYSV
 	$(BUSYBOX_INSTALL_MDEV_SCRIPT)
 	$(BUSYBOX_INSTALL_LOGGING_SCRIPT)
 	$(BUSYBOX_INSTALL_WATCHDOG_SCRIPT)
+	$(BUSYBOX_INSTALL_INDIVIDUAL_BINARIES)
 endef
 
 $(eval $(kconfig-package))
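Review bot: `$(BUSYBOX_INSTALL_INDIVIDUAL_BINARIES)`, which removes the no longer needed $(TARGET_DIR)/bin/busybox, is called from `BUSYBOX_INSTALL_INIT_SYSV`, so it only runs when the SysV/busybox init is selected; with another init system the stale binary stays on the target. Register it as a post-install hook inside the `ifeq` instead, the way `BUSYBOX_MAKEDEV_PERMISSIONS` already is: `BUSYBOX_POST_INSTALL_TARGET_HOOKS += BUSYBOX_INSTALL_INDIVIDUAL_BINARIES`.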
-- 
1.9.1


* [Buildroot] [PATCH v8 04/16] busybox: selinux support
  2015-07-10 23:27 [Buildroot] [PATCH v8 00/16] SELinux Buildroot Additions Clayton Shotwell
                   ` (2 preceding siblings ...)
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 03/16] busybox: applets as individual binaries Clayton Shotwell
@ 2015-07-10 23:27 ` Clayton Shotwell
  2015-07-14 14:59   ` Samuel Martin
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 05/16] linux-pam: " Clayton Shotwell
                   ` (11 subsequent siblings)
  15 siblings, 1 reply; 36+ messages in thread
From: Clayton Shotwell @ 2015-07-10 23:27 UTC (permalink / raw)
  To: buildroot

Add a configure option to enable the SELinux support in the
busybox configuration from the Buildroot menuconfig.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>

---
Changes v7 -> v8:
  - Fixed typos and removed extra line (Suggested by Samuel)

Changes v6 -> v7:
  - No changes

Changes v5 -> v6:
  - Added help text to the SELinux configuration option (Suggested by
    Thomas P. and Samuel)

Changes v4 -> v5:
  - Renamed to follow patch naming convention (Matt W.)
  - Added a dependency on having threads for the busybox SELinux flag to
    ensure it does not cause libselinux to build when threads are not
    available. Also added a select for libselinux to make the linking
    apparent. (Clayton S.)
  - Add dependency on not static libs for libselinux (Clayton S.)

Changes v1 -> v4:
  - Did not exist
---
 ...ags-strip-non-l-arguments-returned-by-pkg.patch | 28 ++++++++++++++++++++++
 package/busybox/Config.in                          | 16 +++++++++++++
 package/busybox/busybox.mk                         |  9 +++++++
 3 files changed, 53 insertions(+)
 create mode 100644 package/busybox/0008-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch

diff --git a/package/busybox/0008-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch b/package/busybox/0008-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch
new file mode 100644
index 0000000..105626c
--- /dev/null
+++ b/package/busybox/0008-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch
@@ -0,0 +1,28 @@
+From 67eb23d2be8aba3c474dac81a15b0fa11e5847b7 Mon Sep 17 00:00:00 2001
+From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+Date: Mon, 25 Nov 2013 22:51:53 +0100
+Subject: [PATCH] Makefile.flags: strip non -l arguments returned by pkg-config
+
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+---
+ Makefile.flags | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Makefile.flags b/Makefile.flags
+index 307afa7..885e323 100644
+--- a/Makefile.flags
++++ b/Makefile.flags
+@@ -141,7 +141,9 @@ ifeq ($(CONFIG_SELINUX),y)
+ SELINUX_PC_MODULES = libselinux libsepol
+ $(eval $(call pkg_check_modules,SELINUX,$(SELINUX_PC_MODULES)))
+ CPPFLAGS += $(SELINUX_CFLAGS)
+-LDLIBS += $(if $(SELINUX_LIBS),$(SELINUX_LIBS:-l%=%),$(SELINUX_PC_MODULES:lib%=%))
++LDLIBS += $(if $(SELINUX_LIBS),\
++       $(patsubst -l%,%,$(filter -l%,$(SELINUX_LIBS))),\
++       $(SELINUX_PC_MODULES:lib%=%))
+ endif
+ 
+ ifeq ($(CONFIG_EFENCE),y)
+-- 
+1.8.1.2
+
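Review bot: the commit body of 0008-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch is empty; say which non `-l` arguments pkg-config returns for libselinux/libsepol here and why dropping them is safe in the Buildroot build, so a later reader can tell whether `$(filter -l%,$(SELINUX_LIBS))` is a general fix or a Buildroot-specific workaround. The header should also record whether the patch was sent upstream, as this is a patch carried in package/busybox/.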
diff --git a/package/busybox/Config.in b/package/busybox/Config.in
index b3303c0..a80a050 100644
--- a/package/busybox/Config.in
+++ b/package/busybox/Config.in
@@ -41,6 +41,22 @@ comment "Busybox individual binaries depends on dynamic libraries"
 	depends on BR2_STATIC_LIBS
 	depends on !BR2_bfin
 
+config BR2_PACKAGE_BUSYBOX_SELINUX
+	select BR2_PACKAGE_LIBSELINUX
+	depends on BR2_TOOLCHAIN_HAS_THREADS
+	depends on !BR2_STATIC_LIBS
+	bool "Enable SELinux support"
+	help
+	  Enable SELinux support in BusyBox. Please note that depending on
+	  your BusyBox configuration and the SELinux policy implementation,
+	  you may want to also enable BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES.
+
+	  For instance, if your BusyBox configuration only uses a couple of
+	  minor BusyBox features, such as simple command line utilities, the
+	  symlinked version of BusyBox can be used to save space. If BusyBox
+	  provides more features, such as crond, then individual binaries
+	  have to be enabled for the SELinux type transitions to occur properly.
+
 config BR2_PACKAGE_BUSYBOX_WATCHDOG
 	bool "Install the watchdog daemon startup script"
 	help
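Review bot: `BR2_PACKAGE_BUSYBOX_SELINUX` places `select` and the two `depends on` lines before the `bool` prompt; Buildroot style is prompt first, then `depends on`, then `select`. There is also no `comment` for the case where threads or dynamic libraries are unavailable, unlike `comment "Busybox individual binaries depends on dynamic libraries"` just above, so the option silently disappears from menuconfig; add for example `comment "Busybox SELinux support needs a toolchain w/ threads, dynamic library"` with `depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_STATIC_LIBS`.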
diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
index 2de6b8a..1df629b 100644
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -172,6 +172,14 @@ define BUSYBOX_INSTALL_INDIVIDUAL_BINARIES
 endef
 endif
 
+ifeq ($(BR2_PACKAGE_BUSYBOX_SELINUX),y)
+BUSYBOX_DEPENDENCIES += host-pkgconf libselinux libsepol
+define BUSYBOX_SET_SELINUX
+	$(call KCONFIG_ENABLE_OPT,CONFIG_SELINUX,$(BUSYBOX_BUILD_CONFIG))
+	$(call KCONFIG_ENABLE_OPT,CONFIG_SELINUXENABLED,$(BUSYBOX_BUILD_CONFIG))
+endef
+endif
+
 define BUSYBOX_INSTALL_LOGGING_SCRIPT
 	if grep -q CONFIG_SYSLOGD=y $(@D)/.config; then \
 		$(INSTALL) -m 0755 -D package/busybox/S01logging \
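Review bot: `BUSYBOX_DEPENDENCIES += host-pkgconf libselinux libsepol` lists libsepol, but the Config.in hunk only has `select BR2_PACKAGE_LIBSELINUX`; if libselinux already selects libsepol the explicit dependency is redundant, otherwise a `select BR2_PACKAGE_LIBSEPOL` is missing. Make the .mk and Config.in agree either way.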
@@ -217,6 +225,7 @@ define BUSYBOX_KCONFIG_FIXUP_CMDS
 	$(BUSYBOX_SET_INIT)
 	$(BUSYBOX_SET_WATCHDOG)
 	$(BUSYBOX_CONFIGURE_INDIVIDUAL_BINARIES)
+	$(BUSYBOX_SET_SELINUX)
 endef
 
 define BUSYBOX_CONFIGURE_CMDS
-- 
1.9.1


* [Buildroot] [PATCH v8 05/16] linux-pam: selinux support
  2015-07-10 23:27 [Buildroot] [PATCH v8 00/16] SELinux Buildroot Additions Clayton Shotwell
                   ` (3 preceding siblings ...)
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 04/16] busybox: selinux support Clayton Shotwell
@ 2015-07-10 23:27 ` Clayton Shotwell
  2015-07-14 15:12   ` Samuel Martin
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 06/16] busybox: added linux-pam support Clayton Shotwell
                   ` (10 subsequent siblings)
  15 siblings, 1 reply; 36+ messages in thread
From: Clayton Shotwell @ 2015-07-10 23:27 UTC (permalink / raw)
  To: buildroot

From: Matt Weber <matthew.weber@rockwellcollins.com>

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>

---
Changes v7 -> v8:
  - Removed sub-shell around the config file install block and
    refactored the block to use absolute paths for the copying
    (Suggested by Samuel)
  - Changed the enable-db=no configure option to disable-db to be
    consistent with the rest of the configure options (Suggested by
    Samuel)

Changes v6 -> v7:
  - Added missing host-pkgconf dependency and removed unneeded
    host-autoconf dependency (Clayton S.)

Changes v5 -> v6:
  - No changes

Changes v4 -> v5:
  - Dropping unneeded patch (Clayton S.)

Changes v1 -> v4:
  - Did not exist
---
 package/linux-pam/linux-pam.mk     | 56 +++++++++++++++++++++++++++++++++++++-
 package/linux-pam/system-auth.pamd | 15 ++++++++++
 2 files changed, 70 insertions(+), 1 deletion(-)
 create mode 100644 package/linux-pam/system-auth.pamd

diff --git a/package/linux-pam/linux-pam.mk b/package/linux-pam/linux-pam.mk
index 26b627e..72ead8e 100644
--- a/package/linux-pam/linux-pam.mk
+++ b/package/linux-pam/linux-pam.mk
@@ -8,6 +8,9 @@ LINUX_PAM_VERSION = 1.1.8
 LINUX_PAM_SOURCE = Linux-PAM-$(LINUX_PAM_VERSION).tar.bz2
 LINUX_PAM_SITE = http://linux-pam.org/library
 LINUX_PAM_INSTALL_STAGING = YES
+
+# lckpwdf is included with shadow
+# cracklib and libdb are not currently present in buildroot
 LINUX_PAM_CONF_OPTS = \
 	--disable-prelude \
 	--disable-isadir \
@@ -15,8 +18,10 @@ LINUX_PAM_CONF_OPTS = \
 	--disable-db \
 	--disable-regenerate-docu \
 	--enable-securedir=/lib/security \
+	--disable-cracklib \
 	--libdir=/lib
-LINUX_PAM_DEPENDENCIES = flex host-flex host-pkgconf
+
+LINUX_PAM_DEPENDENCIES = flex host-flex host-pkgconf host-linux-pam
 LINUX_PAM_AUTORECONF = YES
 LINUX_PAM_LICENSE = BSD-3c
 LINUX_PAM_LICENSE_FILES = Copyright
@@ -26,12 +31,61 @@ LINUX_PAM_DEPENDENCIES += gettext
 LINUX_PAM_MAKE_OPTS += LIBS=-lintl
 endif
 
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+	LINUX_PAM_CONF_OPTS += --enable-selinux
+	LINUX_PAM_DEPENDENCIES += libselinux
+else
+	LINUX_PAM_CONF_OPTS += --disable-selinux
+endif
+
+ifeq ($(BR2_PACKAGE_AUDIT),y)
+	LINUX_PAM_CONF_OPTS += --enable-audit
+	LINUX_PAM_DEPENDENCIES += audit
+else
+	LINUX_PAM_CONF_OPTS += --disable-audit
+endif
+
 # Install default pam config (deny everything)
 define LINUX_PAM_INSTALL_CONFIG
 	$(INSTALL) -m 0644 -D package/linux-pam/other.pam \
 		$(TARGET_DIR)/etc/pam.d/other
 endef
 
+# Use the host-pam pam_conv1 app to create the pam.d files
+define LINUX_PAM_CONFIG_FILE_TARGET_INSTALL
+	if [ -d $(TARGET_DIR)/etc/pam.d/ ]; then \
+		mv $(TARGET_DIR)/etc/pam.d/ $(TARGET_DIR)/etc/pam.d.orig/; \
+	fi; \
+	cd $(TARGET_DIR)/etc/ && \
+	cat $(@D)/conf/pam.conf | $(HOST_DIR)/usr/bin/pam_conv1; \
+	if [ -d $(TARGET_DIR)/etc/pam.d.orig ]; then \
+		cp -a $(TARGET_DIR)/etc/pam.d/* $(TARGET_DIR)/etc/pam.d.orig/; \
+		rm -rf $(TARGET_DIR)/etc/pam.d/; \
+		mv $(TARGET_DIR)/etc/pam.d.orig/ $(TARGET_DIR)/etc/pam.d/; \
+	fi;
+	$(INSTALL) -D -m 0644 package/linux-pam/system-auth.pamd $(TARGET_DIR)/etc/pam.d/system-auth
+endef
+
+LINUX_PAM_POST_INSTALL_TARGET_HOOKS += LINUX_PAM_CONFIG_FILE_TARGET_INSTALL
 LINUX_PAM_POST_INSTALL_TARGET_HOOKS += LINUX_PAM_INSTALL_CONFIG
 
+HOST_LINUX_PAM_DEPENDENCIES = host-flex host-pkgconf
+
+HOST_LINUX_PAM_CONF_OPTS = --disable-rpath \
+               --enable-read-both-confs \
+               --disable-regenerate-docu \
+               --disable-isadir \
+               --disable-nis \
+               --enable-securedir=/lib/security \
+               --disable-prelude \
+               --disable-cracklib \
+               --disable-lckpwdf \
+               --disable-db \
+               --disable-selinux \
+               --disable-audit \
+
+define HOST_LINUX_PAM_INSTALL_CMDS
+	$(INSTALL) -m 755 $(@D)/conf/pam_conv1/pam_conv1 $(HOST_DIR)/usr/bin/
+endef
 $(eval $(autotools-package))
+$(eval $(host-autotools-package))
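Review bot: in `LINUX_PAM_CONFIG_FILE_TARGET_INSTALL`, `cd $(TARGET_DIR)/etc/ && cat $(@D)/conf/pam.conf | $(HOST_DIR)/usr/bin/pam_conv1;` ends in `;`, so a pam_conv1 failure is ignored and the build continues with an empty or partial pam.d; chain it with `&&` / `|| exit 1`, and feed the file via `< $(@D)/conf/pam.conf` rather than `cat ... |`. The merge-back `cp -a $(TARGET_DIR)/etc/pam.d/* $(TARGET_DIR)/etc/pam.d.orig/` copies the freshly generated files over the saved originals, so any same-named service file that was already on the target is overwritten instead of preserved, which contradicts the `.orig` backup; copy in the other direction or use a no-clobber copy. Minor: `HOST_LINUX_PAM_CONF_OPTS` ends with a dangling `\` after `--disable-audit`, and the `ifeq` bodies use tab-indented assignments unlike the rest of the file.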
diff --git a/package/linux-pam/system-auth.pamd b/package/linux-pam/system-auth.pamd
new file mode 100644
index 0000000..2fa116a
--- /dev/null
+++ b/package/linux-pam/system-auth.pamd
@@ -0,0 +1,15 @@
+#%PAM-1.0
+auth        required      pam_env.so
+auth        sufficient    pam_unix.so
+auth        required      pam_deny.so
+
+account     required      pam_unix.so
+
+#password    required      pam_cracklib.so try_first_pass retry=3
+password    sufficient    pam_unix.so md5 shadow try_first_pass
+password    required      pam_deny.so
+
+session     optional      pam_keyinit.so revoke
+session     required      pam_limits.so
+session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session     required      pam_unix.so
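Review bot: `password    sufficient    pam_unix.so md5 shadow try_first_pass` selects MD5-crypt for newly set passwords; it is cheap to brute-force and pam_unix has supported `sha512` for a long time (the default on current distributions), so use `sha512 shadow try_first_pass`. With the pam_cracklib line commented out there is no password quality check at all; since cracklib is not in Buildroot (per the linux-pam.mk comment), a comment in this file saying so would help the next person who enables it.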
-- 
1.9.1


* [Buildroot] [PATCH v8 06/16] busybox: added linux-pam support
  2015-07-10 23:27 [Buildroot] [PATCH v8 00/16] SELinux Buildroot Additions Clayton Shotwell
                   ` (4 preceding siblings ...)
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 05/16] linux-pam: " Clayton Shotwell
@ 2015-07-10 23:27 ` Clayton Shotwell
  2015-07-14 12:29   ` Samuel Martin
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 07/16] sysvinit: added libselinux dependency Clayton Shotwell
                   ` (9 subsequent siblings)
  15 siblings, 1 reply; 36+ messages in thread
From: Clayton Shotwell @ 2015-07-10 23:27 UTC (permalink / raw)
  To: buildroot

From: Matt Weber <Matthew.Weber@rockwellcollins.com>

Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>

---
Changes v7 -> v8:
  - No changes

Changes v6 -> v7:
  - No changes

Changes v5 -> v6:
  - No changes

Changes v4 -> v5:
  - No changes

Changes v1 -> v4:
  - Did not exist
---
 package/busybox/busybox.mk | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
index 1df629b..098c24f 100644
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -172,6 +172,13 @@ define BUSYBOX_INSTALL_INDIVIDUAL_BINARIES
 endef
 endif
 
+ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
+define BUSYBOX_LINUX_PAM
+	$(call KCONFIG_ENABLE_OPT,CONFIG_PAM,$(BUSYBOX_BUILD_CONFIG))
+endef
+BUSYBOX_DEPENDENCIES += linux-pam
+endif
+
 ifeq ($(BR2_PACKAGE_BUSYBOX_SELINUX),y)
 BUSYBOX_DEPENDENCIES += host-pkgconf libselinux libsepol
 define BUSYBOX_SET_SELINUX
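Review bot: `BUSYBOX_LINUX_PAM` is defined but never invoked: nothing in this hunk adds `$(BUSYBOX_LINUX_PAM)` to `BUSYBOX_KCONFIG_FIXUP_CMDS`, and the diffstat (7 insertions, all in this hunk) shows no other hunk does, so CONFIG_PAM is never enabled in the busybox config and only the `linux-pam` dependency takes effect. Add the call next to `$(BUSYBOX_SET_SELINUX)` in the fixup define. The commit message is also empty; say which busybox applets gain PAM support and why the SELinux setup needs it.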
-- 
1.9.1


* [Buildroot] [PATCH v8 07/16] sysvinit: added libselinux dependency
  2015-07-10 23:27 [Buildroot] [PATCH v8 00/16] SELinux Buildroot Additions Clayton Shotwell
                   ` (5 preceding siblings ...)
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 06/16] busybox: added linux-pam support Clayton Shotwell
@ 2015-07-10 23:27 ` Clayton Shotwell
  2015-07-14 12:40   ` Samuel Martin
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 08/16] dbus: selinux file context support Clayton Shotwell
                   ` (8 subsequent siblings)
  15 siblings, 1 reply; 36+ messages in thread
From: Clayton Shotwell @ 2015-07-10 23:27 UTC (permalink / raw)
  To: buildroot

From: Matt Weber <matthew.weber@rockwellcollins.com>

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>

---
Changes v7 -> v8:
  - No changes

Changes v6 -> v7:
  - No changes

Changes v5 -> v6:
  - No changes

Changes v4 -> v5:
  - Removed unnecessary += when adding busybox dependency (Ryan B.)
  - Removed duplicate assignment of OPTS (Matt W.)
  - Added description to patch and signed off line (Clayton S.)

Changes v1 -> v4:
  - Did not exist
---
 ...1-Fix-SELinux-compile-flags-and-libraries.patch | 44 ++++++++++++++++++++++
 package/sysvinit/sysvinit.mk                       |  5 +++
 2 files changed, 49 insertions(+)
 create mode 100644 package/sysvinit/0001-Fix-SELinux-compile-flags-and-libraries.patch

diff --git a/package/sysvinit/0001-Fix-SELinux-compile-flags-and-libraries.patch b/package/sysvinit/0001-Fix-SELinux-compile-flags-and-libraries.patch
new file mode 100644
index 0000000..f857e07
--- /dev/null
+++ b/package/sysvinit/0001-Fix-SELinux-compile-flags-and-libraries.patch
@@ -0,0 +1,44 @@
+From e7dc523c1850534d98ab90dd02e07ee214e21f24 Mon Sep 17 00:00:00 2001
+From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+Date: Fri, 1 May 2015 10:58:47 -0500
+Subject: [PATCH] Fix SELinux compile flags and libraries
+
+The SELinux flags, added as CPPFLAGS, end up getting dropped by the
+Makefile. Also ensuring sulogin is linked against libsepol which is
+required.
+
+Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+---
+ src/Makefile | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/Makefile b/src/Makefile
+index e2b8028..bf1ae81 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -104,7 +104,7 @@ utmpdump:	utmpdump.o
+ 
+ runlevel:	runlevel.o
+ 
+-sulogin:	LDLIBS += $(SULOGINLIBS) $(STATIC)
++sulogin:	LDLIBS += $(SULOGINLIBS) $(INITLIBS) $(STATIC)
+ sulogin:	sulogin.o
+ 
+ wall:		dowall.o wall.o
+@@ -114,10 +114,10 @@ shutdown:	dowall.o shutdown.o utmp.o reboot.h
+ bootlogd:	LDLIBS += -lutil
+ bootlogd:	bootlogd.o
+ 
+-sulogin.o:	CPPFLAGS += $(SELINUX_DEF)
+-sulogin.o:	sulogin.c 
++sulogin.o:	CFLAGS += $(SELINUX_DEF)
++sulogin.o:	sulogin.c
+ 
+-init.o:		CPPFLAGS += $(SELINUX_DEF)
++init.o:		CFLAGS += $(SELINUX_DEF)
+ init.o:		init.c init.h set.h reboot.h initreq.h
+ 
+ utmp.o:		utmp.c init.h
+-- 
+1.9.1
+
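Review bot: the header of 0001-Fix-SELinux-compile-flags-and-libraries.patch does not record its upstream status (sent to the sysvinit maintainers or not), which Buildroot expects for carried patches. The description says the CPPFLAGS "end up getting dropped by the Makefile" but not where, so a reader cannot tell whether moving `$(SELINUX_DEF)` from CPPFLAGS to CFLAGS is the right fix or a workaround for a broken CPPFLAGS pass-through; one sentence naming the offending rule would settle that.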
diff --git a/package/sysvinit/sysvinit.mk b/package/sysvinit/sysvinit.mk
index 53640a4..9669a29 100644
--- a/package/sysvinit/sysvinit.mk
+++ b/package/sysvinit/sysvinit.mk
@@ -16,6 +16,11 @@ ifeq ($(BR2_PACKAGE_BUSYBOX),y)
 SYSVINIT_DEPENDENCIES = busybox
 endif
 
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+SYSVINIT_DEPENDENCIES += libselinux
+TARGET_CONFIGURE_OPTS += WITH_SELINUX="yes" ROOT="$(TARGET_DIR)"
+endif
+
 define SYSVINIT_DEBIAN_PATCHES
 	if [ -d $(@D)/debian/patches ]; then \
 		$(APPLY_PATCHES) $(@D) $(@D)/debian/patches \*.patch; \
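Review bot: `TARGET_CONFIGURE_OPTS += WITH_SELINUX="yes" ROOT="$(TARGET_DIR)"` appends to Buildroot's global TARGET_CONFIGURE_OPTS, which every target package's build reads, so `WITH_SELINUX` and `ROOT` leak into the make invocations of all other packages as soon as libselinux is enabled. Put them in a package-local variable that only the sysvinit build and install commands pass to make, e.g. `SYSVINIT_MAKE_OPTS += WITH_SELINUX=yes ROOT=$(TARGET_DIR)`.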
-- 
1.9.1


* [Buildroot] [PATCH v8 08/16] dbus: selinux file context support
  2015-07-10 23:27 [Buildroot] [PATCH v8 00/16] SELinux Buildroot Additions Clayton Shotwell
                   ` (6 preceding siblings ...)
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 07/16] sysvinit: added libselinux dependency Clayton Shotwell
@ 2015-07-10 23:27 ` Clayton Shotwell
  2015-07-14 12:44   ` Samuel Martin
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 09/16] openssh: selinux and pam support Clayton Shotwell
                   ` (7 subsequent siblings)
  15 siblings, 1 reply; 36+ messages in thread
From: Clayton Shotwell @ 2015-07-10 23:27 UTC (permalink / raw)
  To: buildroot

From: Matt Weber <matthew.weber@rockwellcollins.com>

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>

---
Changes v7 -> v8:
  - No changes

Changes v6 -> v7:
  - No changes

Changes v5 -> v6:
  - No changes

Changes v4 -> v5:
  - No changes

Changes v1 -> v4:
  - Did not exist
---
 package/dbus/S30dbus |  4 ++++
 package/dbus/dbus.mk | 14 ++++++++++++++
 2 files changed, 18 insertions(+)
 mode change 100755 => 100644 package/dbus/S30dbus

diff --git a/package/dbus/S30dbus b/package/dbus/S30dbus
old mode 100755
new mode 100644
index 0d15c73..be51807
--- a/package/dbus/S30dbus
+++ b/package/dbus/S30dbus
@@ -17,6 +17,10 @@
 [ -d /var/run/dbus ] || mkdir -p /var/run/dbus
 [ -d /var/lock/subsys ] || mkdir -p /var/lock/subsys
 [ -d /tmp/dbus ] || mkdir -p /tmp/dbus
+[ -d /var/lib/dbus ] || mkdir -p /var/lib/dbus
+if [ -e /sbin/restorecon ]; then
+   restorecon -R /var/run/dbus /var/lock/subsys /tmp/dbus /var/lib/dbus
+fi
 
 RETVAL=0
 
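Review bot: the diffstat records `mode change 100755 => 100644` on package/dbus/S30dbus, i.e. the init script loses its execute bit in the tree; that looks accidental and should be reverted (Buildroot installs it with an explicit mode, but the repository copy should stay executable). In the script, test for the command rather than the hardcoded `/sbin/restorecon`, e.g. `if command -v restorecon >/dev/null 2>&1; then`, since the package providing restorecon may install it elsewhere, in which case the relabel is silently skipped and dbus starts with mislabelled directories.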
diff --git a/package/dbus/dbus.mk b/package/dbus/dbus.mk
index c810800..a5ec807 100644
--- a/package/dbus/dbus.mk
+++ b/package/dbus/dbus.mk
@@ -44,6 +44,20 @@ ifeq ($(BR2_microblaze),y)
 DBUS_CONF_OPTS += --disable-inotify
 endif
 
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+DBUS_CONF_OPTS += --enable-selinux
+DBUS_DEPENDENCIES += libselinux
+else
+DBUS_CONF_OPTS += --disable-selinux
+endif
+
+ifeq ($(BR2_PACKAGE_AUDIT),y)
+DBUS_CONF_OPTS += --enable-libaudit
+DBUS_DEPENDENCIES += audit libcap-ng
+else
+DBUS_CONF_OPTS += --disable-libaudit
+endif
+
 ifeq ($(BR2_PACKAGE_XLIB_LIBX11),y)
 DBUS_CONF_OPTS += --with-x
 DBUS_DEPENDENCIES += xlib_libX11
-- 
1.9.1


* [Buildroot] [PATCH v8 09/16] openssh: selinux and pam support
  2015-07-10 23:27 [Buildroot] [PATCH v8 00/16] SELinux Buildroot Additions Clayton Shotwell
                   ` (7 preceding siblings ...)
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 08/16] dbus: selinux file context support Clayton Shotwell
@ 2015-07-10 23:27 ` Clayton Shotwell
  2015-07-14 15:24   ` Samuel Martin
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 10/16] util-linux: selinux, audit, " Clayton Shotwell
                   ` (6 subsequent siblings)
  15 siblings, 1 reply; 36+ messages in thread
From: Clayton Shotwell @ 2015-07-10 23:27 UTC (permalink / raw)
  To: buildroot

From: Matt Weber <matthew.weber@rockwellcollins.com>

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>

---
Changes v7 -> v8:
  - Fixed sed calls to use macro (Suggested by Samuel)

Changes v6 -> v7:
  - No changes

Changes v5 -> v6:
  - No changes

Changes v4 -> v5:
  - New patch
  - Added without assignments (Matt W.)
  - Moved install pam define in conditional (Matt W.)
---
 package/openssh/openssh.mk | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
index 11a844e..a4f4c94 100644
--- a/package/openssh/openssh.mk
+++ b/package/openssh/openssh.mk
@@ -30,8 +30,24 @@ endif
 OPENSSH_DEPENDENCIES = zlib openssl
 
 ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
+define OPENSSH_INSTALL_PAM_CONF
+	$(INSTALL) -D -m 644 $(@D)/contrib/sshd.pam.generic $(TARGET_DIR)/etc/pam.d/sshd
+	$(SED) '/password   required     \/lib\/security\/pam_cracklib.so/d' $(TARGET_DIR)/etc/pam.d/sshd
+	$(SED) 's/\#UsePAM no/UsePAM yes/' $(TARGET_DIR)/etc/ssh/sshd_config
+endef
+
 OPENSSH_DEPENDENCIES += linux-pam
 OPENSSH_CONF_OPTS += --with-pam
+OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_PAM_CONF
+else
+OPENSSH_CONF_OPTS += --without-pam
+endif
+
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+OPENSSH_DEPENDENCIES += libselinux
+OPENSSH_CONF_OPTS += --with-selinux
+else
+OPENSSH_CONF_OPTS += --without-selinux
 endif
 
 define OPENSSH_INSTALL_INIT_SYSTEMD
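Review bot: the sed that drops the pam_cracklib line in OPENSSH_INSTALL_PAM_CONF matches the exact column spacing of `password   required     /lib/security/pam_cracklib.so`, and `$(SED)` (sed -i) succeeds silently when the pattern does not match. If a future contrib/sshd.pam.generic changes its whitespace or the module path, the line stays in place and the sshd password stack then references a pam_cracklib module that this configuration never builds. Match on the module name instead, `$(SED) '/pam_cracklib.so/d' $(TARGET_DIR)/etc/pam.d/sshd`, so the intent (no cracklib on this target) survives upstream reformatting. The `UsePAM yes` substitution has the same silent-failure property but depends only on OpenSSH's own default `#UsePAM no`, so it is less fragile.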
-- 
1.9.1


* [Buildroot] [PATCH v8 10/16] util-linux: selinux, audit, and pam support
  2015-07-10 23:27 [Buildroot] [PATCH v8 00/16] SELinux Buildroot Additions Clayton Shotwell
                   ` (8 preceding siblings ...)
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 09/16] openssh: selinux and pam support Clayton Shotwell
@ 2015-07-10 23:27 ` Clayton Shotwell
  2015-07-14 12:55   ` Samuel Martin
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 11/16] rsyslog: fix config file comment style Clayton Shotwell
                   ` (5 subsequent siblings)
  15 siblings, 1 reply; 36+ messages in thread
From: Clayton Shotwell @ 2015-07-10 23:27 UTC (permalink / raw)
  To: buildroot

From: Matt Weber <matthew.weber@rockwellcollins.com>

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>

---
Changes v7 -> v8:
  - No changes

Changes v6 -> v7:
  - No changes

Changes v5 -> v6:
  - No changes

Changes v4 -> v5:
  - New patch
  - Added pam file tweaks for selinux support (Clayton S.)
---
 package/util-linux/util-linux.mk | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/package/util-linux/util-linux.mk b/package/util-linux/util-linux.mk
index 3ca147a..259334f 100644
--- a/package/util-linux/util-linux.mk
+++ b/package/util-linux/util-linux.mk
@@ -59,6 +59,20 @@ ifeq ($(BR2_PACKAGE_LIBCAP_NG),y)
 UTIL_LINUX_DEPENDENCIES += libcap-ng
 endif
 
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+UTIL_LINUX_DEPENDENCIES += libselinux
+UTIL_LINUX_CONF_OPTS += --with-selinux
+else
+UTIL_LINUX_CONF_OPTS += --without-selinux
+endif
+
+ifeq ($(BR2_PACKAGE_AUDIT),y)
+UTIL_LINUX_DEPENDENCIES += audit
+UTIL_LINUX_CONF_OPTS += --with-audit
+else
+UTIL_LINUX_CONF_OPTS += --without-audit
+endif
+
 # Used by cramfs utils
 UTIL_LINUX_DEPENDENCIES += $(if $(BR2_PACKAGE_ZLIB),zlib)
 
@@ -146,9 +160,22 @@ define UTIL_LINUX_INSTALL_PAMFILES
 	$(INSTALL) -m 0644 package/util-linux/su.pam \
 		$(TARGET_DIR)/etc/pam.d/su-l
 endef
+
+# Add the required hooks to the pam files if SELinux is enabled
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+define UTIL_LINUX_FIXUP_PAMFILES
+	for file in login su su-l ; do \
+		$(SED) '/selinux/d' $(TARGET_DIR)/etc/pam.d/$${file}; \
+		$(SED) '0,/session/s/session/session		required	pam_selinux.so close\nsession/' $(TARGET_DIR)/etc/pam.d/$${file}; \
+		echo "session		required	pam_selinux.so open" >> $(TARGET_DIR)/etc/pam.d/$${file}; \
+	done
+endef
+endif
+
 endif
 
 UTIL_LINUX_POST_INSTALL_TARGET_HOOKS += UTIL_LINUX_INSTALL_PAMFILES
+UTIL_LINUX_POST_INSTALL_TARGET_HOOKS += UTIL_LINUX_FIXUP_PAMFILES
 
 # Install agetty->getty symlink to avoid breakage when there's no busybox
 ifeq ($(BR2_PACKAGE_UTIL_LINUX_AGETTY),y)
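Review bot: the two sed expressions in UTIL_LINUX_FIXUP_PAMFILES are not anchored, so they also act on comment lines. `/selinux/d` deletes any line that merely mentions selinux, and `0,/session/s/session/...` rewrites the first line containing the word "session" anywhere in it; if that first match is a comment such as `# session stack`, the `pam_selinux.so close` entry is spliced into the comment and the real session stack never gets its close entry, while the appended `pam_selinux.so open` still runs. Anchor both at line start (`/^[^#]*pam_selinux/d` and `0,/^session/s/^session/...`). Second, the loop runs sed -i on login, su and su-l unconditionally; the visible UTIL_LINUX_INSTALL_PAMFILES only shows su-l being installed, so if one of the three is absent the build aborts on a missing file. Guard each iteration with a `[ -f $(TARGET_DIR)/etc/pam.d/$${file} ] || continue`. The resulting order (close inserted before the first session line, open appended last) is the documented pam_selinux arrangement, so that part is right. Minor: the hook registration at the end sits outside the `ifeq ($(BR2_PACKAGE_LIBSELINUX),y)` that defines the macro; Buildroot tolerates an empty hook name, but moving the `+= UTIL_LINUX_FIXUP_PAMFILES` line inside that conditional makes the intent explicit.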
-- 
1.9.1


* [Buildroot] [PATCH v8 11/16] rsyslog: fix config file comment style
  2015-07-10 23:27 [Buildroot] [PATCH v8 00/16] SELinux Buildroot Additions Clayton Shotwell
                   ` (9 preceding siblings ...)
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 10/16] util-linux: selinux, audit, " Clayton Shotwell
@ 2015-07-10 23:27 ` Clayton Shotwell
  2015-07-11  7:28   ` Thomas Petazzoni
  2015-07-12 22:51   ` Thomas Petazzoni
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 12/16] qemu x86 selinux: added common selinux support files Clayton Shotwell
                   ` (4 subsequent siblings)
  15 siblings, 2 replies; 36+ messages in thread
From: Clayton Shotwell @ 2015-07-10 23:27 UTC (permalink / raw)
  To: buildroot

From: Matt Weber <matthew.weber@rockwellcollins.com>

The upstream versions of rsyslog (v8 and higher) have this commit to fix
the config file comment issue. Carry this patch here until the version
is bumped.

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>

---
Changes v7 -> v8:
  - Reverted change to make file in favor of using upstream patch
    (Suggested by Samuel)

Changes v6 -> v7:
  - No changes

Changes v5 -> v6:
  - No changes
---
 .../rsyslog/0001-fix-config-file-comments.patch    | 37 ++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 package/rsyslog/0001-fix-config-file-comments.patch

diff --git a/package/rsyslog/0001-fix-config-file-comments.patch b/package/rsyslog/0001-fix-config-file-comments.patch
new file mode 100644
index 0000000..bc5448d
--- /dev/null
+++ b/package/rsyslog/0001-fix-config-file-comments.patch
@@ -0,0 +1,37 @@
+From fe01c9ec4979c78b6a7caf045cab17ba52d4ad08 Mon Sep 17 00:00:00 2001
+From: Brad Barden <brad+github@mifflinet.net>
+Date: Sun, 11 Jan 2015 17:52:11 -0600
+Subject: [PATCH] bugfix header in platform/redhat/rsyslog.conf
+
+the "For more information" doc path includes the string "*/", breaking c-style comment format. fixes #202.
+---
+ platform/redhat/rsyslog.conf | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+diff --git a/platform/redhat/rsyslog.conf b/platform/redhat/rsyslog.conf
+index 340874d..3df6c7e 100644
+--- a/platform/redhat/rsyslog.conf
++++ b/platform/redhat/rsyslog.conf
+@@ -1,13 +1,12 @@
+-/* rsyslog configuration file (for Red Hat-based systems)
+- * note that most of this config file uses old-style format,
+- * because it is well-known AND quite suitable for simple cases
+- * like we have with the default config. For more advanced 
+- * things, RainerScript configuration is suggested.
+- *
+- * For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
+- * or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html 
+- * If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
+- */
++# rsyslog configuration file (for Red Hat-based systems)
++# note that most of this config file uses old-style format,
++# because it is well-known AND quite suitable for simple cases
++# like we have with the default config. For more advanced 
++# things, RainerScript configuration is suggested.
++#
++# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
++# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html 
++# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
+ 
+ #### MODULES ####
+ 
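Review bot: the change is correct and worth carrying: the original header is a C-style block comment that contains the path `/usr/share/doc/rsyslog-*/rsyslog_conf.html`, and the `*/` inside that path terminates the comment early, so rsyslog tries to parse the rest of the header (`rsyslog_conf.html`, the URLs, the closing `*/`) as configuration and rejects the default file. Switching to `#` line comments removes that parsing hazard. Two points on the Buildroot patch file itself: the upstream hash in the From: line (fe01c9ec4979c78b6a7caf045cab17ba52d4ad08) is the only provenance, so add a one-line note that this is a backport of that upstream commit plus your own Signed-off-by below the upstream description, as Buildroot's patch convention asks; and keep the trailing whitespace on the `For more advanced ` and `rsyslog_conf.html ` lines exactly as shown, since the patch must match the shipped file byte for byte to apply.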
-- 
1.9.1


* [Buildroot] [PATCH v8 12/16] qemu x86 selinux: added common selinux support files
  2015-07-10 23:27 [Buildroot] [PATCH v8 00/16] SELinux Buildroot Additions Clayton Shotwell
                   ` (10 preceding siblings ...)
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 11/16] rsyslog: fix config file comment style Clayton Shotwell
@ 2015-07-10 23:27 ` Clayton Shotwell
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 13/16] qemu x86 selinux: base br defconfig Clayton Shotwell
                   ` (3 subsequent siblings)
  15 siblings, 0 replies; 36+ messages in thread
From: Clayton Shotwell @ 2015-07-10 23:27 UTC (permalink / raw)
  To: buildroot

From: Matt Weber <matthew.weber@rockwellcollins.com>

Add a default busybox SELinux config which disables init and uses
sysvinit. Add base skeleton with inittab and fstab tailored to selinux.
Add base skeleton audit configuration (didn't seem to merit being
the package default).

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>

---
Changes v7 -> v8:
  - No changes

Changes v6 -> v7:
  - No changes

Changes v5 -> v6:
  - No changes

Changes v4 -> v5:
 - Update the selinux busybox config to the latest version of busybox
    (Clayton S.)

Changes v1 -> v4:
  - Did not exist
---
 board/common_selinux/busybox-selinux.config        | 1058 ++++++++++++++++++++
 board/common_selinux/post_build.sh                 |   30 +
 .../common_selinux/skeleton/etc/audit/auditd.conf  |   32 +
 .../skeleton/etc/audit/rules.d/audit.rules         |    3 +
 board/common_selinux/skeleton/etc/fstab            |   15 +
 board/common_selinux/skeleton/etc/inittab          |   29 +
 board/common_selinux/skeleton_permissions.txt      |   26 +
 7 files changed, 1193 insertions(+)
 create mode 100644 board/common_selinux/busybox-selinux.config
 create mode 100755 board/common_selinux/post_build.sh
 create mode 100644 board/common_selinux/skeleton/etc/audit/auditd.conf
 create mode 100644 board/common_selinux/skeleton/etc/audit/rules.d/audit.rules
 create mode 100755 board/common_selinux/skeleton/etc/fstab
 create mode 100755 board/common_selinux/skeleton/etc/inittab
 create mode 100755 board/common_selinux/skeleton_permissions.txt

diff --git a/board/common_selinux/busybox-selinux.config b/board/common_selinux/busybox-selinux.config
new file mode 100644
index 0000000..2e86c22
--- /dev/null
+++ b/board/common_selinux/busybox-selinux.config
@@ -0,0 +1,1058 @@
+#
+# Automatically generated make config: don't edit
+# Busybox version: 1.23.2
+# Wed May  6 10:14:52 2015
+#
+CONFIG_HAVE_DOT_CONFIG=y
+
+#
+# Busybox Settings
+#
+
+#
+# General Configuration
+#
+CONFIG_DESKTOP=y
+# CONFIG_EXTRA_COMPAT is not set
+CONFIG_INCLUDE_SUSv2=y
+# CONFIG_USE_PORTABLE_CODE is not set
+CONFIG_PLATFORM_LINUX=y
+CONFIG_FEATURE_BUFFERS_USE_MALLOC=y
+# CONFIG_FEATURE_BUFFERS_GO_ON_STACK is not set
+# CONFIG_FEATURE_BUFFERS_GO_IN_BSS is not set
+CONFIG_SHOW_USAGE=y
+CONFIG_FEATURE_VERBOSE_USAGE=y
+# CONFIG_FEATURE_COMPRESS_USAGE is not set
+CONFIG_FEATURE_INSTALLER=y
+# CONFIG_INSTALL_NO_USR is not set
+# CONFIG_LOCALE_SUPPORT is not set
+# CONFIG_UNICODE_SUPPORT is not set
+# CONFIG_UNICODE_USING_LOCALE is not set
+# CONFIG_FEATURE_CHECK_UNICODE_IN_ENV is not set
+CONFIG_SUBST_WCHAR=0
+CONFIG_LAST_SUPPORTED_WCHAR=0
+# CONFIG_UNICODE_COMBINING_WCHARS is not set
+# CONFIG_UNICODE_WIDE_WCHARS is not set
+# CONFIG_UNICODE_BIDI_SUPPORT is not set
+# CONFIG_UNICODE_NEUTRAL_TABLE is not set
+# CONFIG_UNICODE_PRESERVE_BROKEN is not set
+CONFIG_PAM=y
+CONFIG_FEATURE_USE_SENDFILE=y
+CONFIG_LONG_OPTS=y
+CONFIG_FEATURE_DEVPTS=y
+CONFIG_FEATURE_CLEAN_UP=y
+CONFIG_FEATURE_UTMP=y
+CONFIG_FEATURE_WTMP=y
+# CONFIG_FEATURE_PIDFILE is not set
+CONFIG_PID_FILE_PATH=""
+CONFIG_FEATURE_SUID=y
+# CONFIG_FEATURE_SUID_CONFIG is not set
+# CONFIG_FEATURE_SUID_CONFIG_QUIET is not set
+CONFIG_SELINUX=y
+# CONFIG_FEATURE_PREFER_APPLETS is not set
+CONFIG_BUSYBOX_EXEC_PATH="/proc/self/exe"
+CONFIG_FEATURE_SYSLOG=y
+CONFIG_FEATURE_HAVE_RPC=y
+
+#
+# Build Options
+#
+# CONFIG_STATIC is not set
+# CONFIG_PIE is not set
+# CONFIG_NOMMU is not set
+CONFIG_BUILD_LIBBUSYBOX=y
+CONFIG_FEATURE_INDIVIDUAL=y
+# CONFIG_FEATURE_SHARED_BUSYBOX is not set
+CONFIG_LFS=y
+CONFIG_CROSS_COMPILER_PREFIX=""
+CONFIG_SYSROOT=""
+CONFIG_EXTRA_CFLAGS=""
+CONFIG_EXTRA_LDFLAGS=""
+CONFIG_EXTRA_LDLIBS=""
+
+#
+# Debugging Options
+#
+# CONFIG_DEBUG is not set
+# CONFIG_DEBUG_PESSIMIZE is not set
+# CONFIG_UNIT_TEST is not set
+# CONFIG_WERROR is not set
+CONFIG_NO_DEBUG_LIB=y
+# CONFIG_DMALLOC is not set
+# CONFIG_EFENCE is not set
+
+#
+# Installation Options ("make install" behavior)
+#
+CONFIG_INSTALL_APPLET_SYMLINKS=y
+# CONFIG_INSTALL_APPLET_HARDLINKS is not set
+# CONFIG_INSTALL_APPLET_SCRIPT_WRAPPERS is not set
+# CONFIG_INSTALL_APPLET_DONT is not set
+# CONFIG_INSTALL_SH_APPLET_SYMLINK is not set
+# CONFIG_INSTALL_SH_APPLET_HARDLINK is not set
+# CONFIG_INSTALL_SH_APPLET_SCRIPT_WRAPPER is not set
+CONFIG_PREFIX="./_install"
+
+#
+# Busybox Library Tuning
+#
+# CONFIG_FEATURE_SYSTEMD is not set
+CONFIG_FEATURE_RTMINMAX=y
+CONFIG_PASSWORD_MINLEN=6
+CONFIG_MD5_SMALL=1
+CONFIG_SHA3_SMALL=1
+# CONFIG_FEATURE_FAST_TOP is not set
+# CONFIG_FEATURE_ETC_NETWORKS is not set
+CONFIG_FEATURE_USE_TERMIOS=y
+CONFIG_FEATURE_EDITING=y
+CONFIG_FEATURE_EDITING_MAX_LEN=1024
+CONFIG_FEATURE_EDITING_VI=y
+CONFIG_FEATURE_EDITING_HISTORY=999
+CONFIG_FEATURE_EDITING_SAVEHISTORY=y
+# CONFIG_FEATURE_EDITING_SAVE_ON_EXIT is not set
+CONFIG_FEATURE_REVERSE_SEARCH=y
+CONFIG_FEATURE_TAB_COMPLETION=y
+# CONFIG_FEATURE_USERNAME_COMPLETION is not set
+CONFIG_FEATURE_EDITING_FANCY_PROMPT=y
+# CONFIG_FEATURE_EDITING_ASK_TERMINAL is not set
+CONFIG_FEATURE_NON_POSIX_CP=y
+# CONFIG_FEATURE_VERBOSE_CP_MESSAGE is not set
+CONFIG_FEATURE_COPYBUF_KB=4
+CONFIG_FEATURE_SKIP_ROOTFS=y
+CONFIG_MONOTONIC_SYSCALL=y
+CONFIG_IOCTL_HEX2STR_ERROR=y
+CONFIG_FEATURE_HWIB=y
+
+#
+# Applets
+#
+
+#
+# Archival Utilities
+#
+# CONFIG_FEATURE_SEAMLESS_XZ is not set
+# CONFIG_FEATURE_SEAMLESS_LZMA is not set
+# CONFIG_FEATURE_SEAMLESS_BZ2 is not set
+# CONFIG_FEATURE_SEAMLESS_GZ is not set
+# CONFIG_FEATURE_SEAMLESS_Z is not set
+CONFIG_AR=y
+# CONFIG_FEATURE_AR_LONG_FILENAMES is not set
+CONFIG_FEATURE_AR_CREATE=y
+# CONFIG_UNCOMPRESS is not set
+CONFIG_GUNZIP=y
+CONFIG_BUNZIP2=y
+CONFIG_UNLZMA=y
+# CONFIG_FEATURE_LZMA_FAST is not set
+CONFIG_LZMA=y
+CONFIG_UNXZ=y
+CONFIG_XZ=y
+# CONFIG_BZIP2 is not set
+CONFIG_CPIO=y
+# CONFIG_FEATURE_CPIO_O is not set
+# CONFIG_FEATURE_CPIO_P is not set
+# CONFIG_DPKG is not set
+# CONFIG_DPKG_DEB is not set
+# CONFIG_FEATURE_DPKG_DEB_EXTRACT_ONLY is not set
+CONFIG_GZIP=y
+# CONFIG_FEATURE_GZIP_LONG_OPTIONS is not set
+CONFIG_GZIP_FAST=0
+# CONFIG_LZOP is not set
+# CONFIG_LZOP_COMPR_HIGH is not set
+# CONFIG_RPM is not set
+# CONFIG_RPM2CPIO is not set
+CONFIG_TAR=y
+CONFIG_FEATURE_TAR_CREATE=y
+# CONFIG_FEATURE_TAR_AUTODETECT is not set
+CONFIG_FEATURE_TAR_FROM=y
+# CONFIG_FEATURE_TAR_OLDGNU_COMPATIBILITY is not set
+# CONFIG_FEATURE_TAR_OLDSUN_COMPATIBILITY is not set
+CONFIG_FEATURE_TAR_GNU_EXTENSIONS=y
+CONFIG_FEATURE_TAR_LONG_OPTIONS=y
+CONFIG_FEATURE_TAR_TO_COMMAND=y
+# CONFIG_FEATURE_TAR_UNAME_GNAME is not set
+# CONFIG_FEATURE_TAR_NOPRESERVE_TIME is not set
+CONFIG_FEATURE_TAR_SELINUX=y
+CONFIG_UNZIP=y
+
+#
+# Coreutils
+#
+CONFIG_BASENAME=y
+CONFIG_CAT=y
+CONFIG_DATE=y
+CONFIG_FEATURE_DATE_ISOFMT=y
+# CONFIG_FEATURE_DATE_NANO is not set
+CONFIG_FEATURE_DATE_COMPAT=y
+CONFIG_HOSTID=y
+CONFIG_ID=y
+CONFIG_GROUPS=y
+CONFIG_SHUF=y
+CONFIG_TEST=y
+CONFIG_FEATURE_TEST_64=y
+CONFIG_TOUCH=y
+CONFIG_FEATURE_TOUCH_NODEREF=y
+CONFIG_FEATURE_TOUCH_SUSV3=y
+CONFIG_TR=y
+CONFIG_FEATURE_TR_CLASSES=y
+CONFIG_FEATURE_TR_EQUIV=y
+CONFIG_UNLINK=y
+# CONFIG_BASE64 is not set
+CONFIG_WHO=y
+CONFIG_USERS=y
+# CONFIG_CAL is not set
+CONFIG_CATV=y
+CONFIG_CHGRP=y
+CONFIG_CHMOD=y
+CONFIG_CHOWN=y
+# CONFIG_FEATURE_CHOWN_LONG_OPTIONS is not set
+CONFIG_CHROOT=y
+CONFIG_CKSUM=y
+# CONFIG_COMM is not set
+CONFIG_CP=y
+# CONFIG_FEATURE_CP_LONG_OPTIONS is not set
+CONFIG_CUT=y
+CONFIG_DD=y
+CONFIG_FEATURE_DD_SIGNAL_HANDLING=y
+# CONFIG_FEATURE_DD_THIRD_STATUS_LINE is not set
+CONFIG_FEATURE_DD_IBS_OBS=y
+CONFIG_DF=y
+# CONFIG_FEATURE_DF_FANCY is not set
+CONFIG_DIRNAME=y
+CONFIG_DOS2UNIX=y
+CONFIG_UNIX2DOS=y
+CONFIG_DU=y
+CONFIG_FEATURE_DU_DEFAULT_BLOCKSIZE_1K=y
+CONFIG_ECHO=y
+CONFIG_FEATURE_FANCY_ECHO=y
+CONFIG_ENV=y
+# CONFIG_FEATURE_ENV_LONG_OPTIONS is not set
+# CONFIG_EXPAND is not set
+# CONFIG_FEATURE_EXPAND_LONG_OPTIONS is not set
+CONFIG_EXPR=y
+CONFIG_EXPR_MATH_SUPPORT_64=y
+CONFIG_FALSE=y
+CONFIG_FOLD=y
+# CONFIG_FSYNC is not set
+CONFIG_HEAD=y
+CONFIG_FEATURE_FANCY_HEAD=y
+CONFIG_INSTALL=y
+CONFIG_FEATURE_INSTALL_LONG_OPTIONS=y
+CONFIG_LN=y
+CONFIG_LOGNAME=y
+CONFIG_LS=y
+CONFIG_FEATURE_LS_FILETYPES=y
+CONFIG_FEATURE_LS_FOLLOWLINKS=y
+CONFIG_FEATURE_LS_RECURSIVE=y
+CONFIG_FEATURE_LS_SORTFILES=y
+CONFIG_FEATURE_LS_TIMESTAMPS=y
+CONFIG_FEATURE_LS_USERNAME=y
+CONFIG_FEATURE_LS_COLOR=y
+CONFIG_FEATURE_LS_COLOR_IS_DEFAULT=y
+CONFIG_MD5SUM=y
+CONFIG_MKDIR=y
+CONFIG_FEATURE_MKDIR_LONG_OPTIONS=y
+CONFIG_MKFIFO=y
+CONFIG_MKNOD=y
+CONFIG_MV=y
+CONFIG_FEATURE_MV_LONG_OPTIONS=y
+CONFIG_NICE=y
+CONFIG_NOHUP=y
+CONFIG_OD=y
+CONFIG_PRINTENV=y
+CONFIG_PRINTF=y
+CONFIG_PWD=y
+CONFIG_READLINK=y
+CONFIG_FEATURE_READLINK_FOLLOW=y
+CONFIG_REALPATH=y
+CONFIG_RM=y
+CONFIG_RMDIR=y
+# CONFIG_FEATURE_RMDIR_LONG_OPTIONS is not set
+CONFIG_SEQ=y
+CONFIG_SHA1SUM=y
+CONFIG_SHA256SUM=y
+CONFIG_SHA512SUM=y
+CONFIG_SHA3SUM=y
+CONFIG_SLEEP=y
+CONFIG_FEATURE_FANCY_SLEEP=y
+CONFIG_FEATURE_FLOAT_SLEEP=y
+CONFIG_SORT=y
+CONFIG_FEATURE_SORT_BIG=y
+# CONFIG_SPLIT is not set
+# CONFIG_FEATURE_SPLIT_FANCY is not set
+# CONFIG_STAT is not set
+# CONFIG_FEATURE_STAT_FORMAT is not set
+CONFIG_STTY=y
+# CONFIG_SUM is not set
+CONFIG_SYNC=y
+# CONFIG_TAC is not set
+CONFIG_TAIL=y
+CONFIG_FEATURE_FANCY_TAIL=y
+CONFIG_TEE=y
+CONFIG_FEATURE_TEE_USE_BLOCK_IO=y
+CONFIG_TRUE=y
+CONFIG_TTY=y
+CONFIG_UNAME=y
+# CONFIG_UNEXPAND is not set
+# CONFIG_FEATURE_UNEXPAND_LONG_OPTIONS is not set
+CONFIG_UNIQ=y
+CONFIG_USLEEP=y
+CONFIG_UUDECODE=y
+CONFIG_UUENCODE=y
+CONFIG_WC=y
+# CONFIG_FEATURE_WC_LARGE is not set
+CONFIG_WHOAMI=y
+CONFIG_YES=y
+
+#
+# Common options
+#
+CONFIG_FEATURE_VERBOSE=y
+
+#
+# Common options for cp and mv
+#
+CONFIG_FEATURE_PRESERVE_HARDLINKS=y
+
+#
+# Common options for ls, more and telnet
+#
+CONFIG_FEATURE_AUTOWIDTH=y
+
+#
+# Common options for df, du, ls
+#
+CONFIG_FEATURE_HUMAN_READABLE=y
+
+#
+# Common options for md5sum, sha1sum, sha256sum, sha512sum, sha3sum
+#
+CONFIG_FEATURE_MD5_SHA1_SUM_CHECK=y
+
+#
+# Console Utilities
+#
+CONFIG_CHVT=y
+# CONFIG_FGCONSOLE is not set
+CONFIG_CLEAR=y
+CONFIG_DEALLOCVT=y
+CONFIG_DUMPKMAP=y
+# CONFIG_KBD_MODE is not set
+CONFIG_LOADFONT=y
+CONFIG_LOADKMAP=y
+CONFIG_OPENVT=y
+CONFIG_RESET=y
+CONFIG_RESIZE=y
+CONFIG_FEATURE_RESIZE_PRINT=y
+CONFIG_SETCONSOLE=y
+# CONFIG_FEATURE_SETCONSOLE_LONG_OPTIONS is not set
+# CONFIG_SETFONT is not set
+# CONFIG_FEATURE_SETFONT_TEXTUAL_MAP is not set
+CONFIG_DEFAULT_SETFONT_DIR=""
+CONFIG_SETKEYCODES=y
+CONFIG_SETLOGCONS=y
+# CONFIG_SHOWKEY is not set
+
+#
+# Common options for loadfont and setfont
+#
+CONFIG_FEATURE_LOADFONT_PSF2=y
+CONFIG_FEATURE_LOADFONT_RAW=y
+
+#
+# Debian Utilities
+#
+CONFIG_MKTEMP=y
+CONFIG_PIPE_PROGRESS=y
+CONFIG_RUN_PARTS=y
+CONFIG_FEATURE_RUN_PARTS_LONG_OPTIONS=y
+# CONFIG_FEATURE_RUN_PARTS_FANCY is not set
+CONFIG_START_STOP_DAEMON=y
+CONFIG_FEATURE_START_STOP_DAEMON_FANCY=y
+CONFIG_FEATURE_START_STOP_DAEMON_LONG_OPTIONS=y
+CONFIG_WHICH=y
+
+#
+# Editors
+#
+CONFIG_AWK=y
+# CONFIG_FEATURE_AWK_LIBM is not set
+CONFIG_FEATURE_AWK_GNU_EXTENSIONS=y
+CONFIG_CMP=y
+CONFIG_DIFF=y
+# CONFIG_FEATURE_DIFF_LONG_OPTIONS is not set
+CONFIG_FEATURE_DIFF_DIR=y
+# CONFIG_ED is not set
+CONFIG_PATCH=y
+CONFIG_SED=y
+CONFIG_VI=y
+CONFIG_FEATURE_VI_MAX_LEN=4096
+CONFIG_FEATURE_VI_8BIT=y
+CONFIG_FEATURE_VI_COLON=y
+CONFIG_FEATURE_VI_YANKMARK=y
+CONFIG_FEATURE_VI_SEARCH=y
+# CONFIG_FEATURE_VI_REGEX_SEARCH is not set
+CONFIG_FEATURE_VI_USE_SIGNALS=y
+CONFIG_FEATURE_VI_DOT_CMD=y
+CONFIG_FEATURE_VI_READONLY=y
+CONFIG_FEATURE_VI_SETOPTS=y
+CONFIG_FEATURE_VI_SET=y
+CONFIG_FEATURE_VI_WIN_RESIZE=y
+CONFIG_FEATURE_VI_ASK_TERMINAL=y
+CONFIG_FEATURE_VI_UNDO=y
+CONFIG_FEATURE_VI_UNDO_QUEUE=y
+CONFIG_FEATURE_VI_UNDO_QUEUE_MAX=256
+CONFIG_FEATURE_ALLOW_EXEC=y
+
+#
+# Finding Utilities
+#
+CONFIG_FIND=y
+CONFIG_FEATURE_FIND_PRINT0=y
+CONFIG_FEATURE_FIND_MTIME=y
+CONFIG_FEATURE_FIND_MMIN=y
+CONFIG_FEATURE_FIND_PERM=y
+CONFIG_FEATURE_FIND_TYPE=y
+CONFIG_FEATURE_FIND_XDEV=y
+CONFIG_FEATURE_FIND_MAXDEPTH=y
+CONFIG_FEATURE_FIND_NEWER=y
+CONFIG_FEATURE_FIND_INUM=y
+CONFIG_FEATURE_FIND_EXEC=y
+CONFIG_FEATURE_FIND_EXEC_PLUS=y
+CONFIG_FEATURE_FIND_USER=y
+CONFIG_FEATURE_FIND_GROUP=y
+CONFIG_FEATURE_FIND_NOT=y
+CONFIG_FEATURE_FIND_DEPTH=y
+CONFIG_FEATURE_FIND_PAREN=y
+CONFIG_FEATURE_FIND_SIZE=y
+CONFIG_FEATURE_FIND_PRUNE=y
+# CONFIG_FEATURE_FIND_DELETE is not set
+CONFIG_FEATURE_FIND_PATH=y
+CONFIG_FEATURE_FIND_REGEX=y
+# CONFIG_FEATURE_FIND_CONTEXT is not set
+# CONFIG_FEATURE_FIND_LINKS is not set
+CONFIG_GREP=y
+CONFIG_FEATURE_GREP_EGREP_ALIAS=y
+CONFIG_FEATURE_GREP_FGREP_ALIAS=y
+CONFIG_FEATURE_GREP_CONTEXT=y
+CONFIG_XARGS=y
+# CONFIG_FEATURE_XARGS_SUPPORT_CONFIRMATION is not set
+CONFIG_FEATURE_XARGS_SUPPORT_QUOTES=y
+CONFIG_FEATURE_XARGS_SUPPORT_TERMOPT=y
+CONFIG_FEATURE_XARGS_SUPPORT_ZERO_TERM=y
+CONFIG_FEATURE_XARGS_SUPPORT_REPL_STR=y
+
+#
+# Init Utilities
+#
+# CONFIG_BOOTCHARTD is not set
+# CONFIG_FEATURE_BOOTCHARTD_BLOATED_HEADER is not set
+# CONFIG_FEATURE_BOOTCHARTD_CONFIG_FILE is not set
+# CONFIG_HALT is not set
+# CONFIG_FEATURE_CALL_TELINIT is not set
+CONFIG_TELINIT_PATH=""
+# CONFIG_INIT is not set
+# CONFIG_FEATURE_USE_INITTAB is not set
+# CONFIG_FEATURE_KILL_REMOVED is not set
+CONFIG_FEATURE_KILL_DELAY=0
+# CONFIG_FEATURE_INIT_SCTTY is not set
+# CONFIG_FEATURE_INIT_SYSLOG is not set
+# CONFIG_FEATURE_EXTRA_QUIET is not set
+# CONFIG_FEATURE_INIT_COREDUMPS is not set
+# CONFIG_FEATURE_INITRD is not set
+CONFIG_INIT_TERMINAL_TYPE=""
+CONFIG_MESG=y
+CONFIG_FEATURE_MESG_ENABLE_ONLY_GROUP=y
+
+#
+# Login/Password Management Utilities
+#
+# CONFIG_ADD_SHELL is not set
+# CONFIG_REMOVE_SHELL is not set
+# CONFIG_FEATURE_SHADOWPASSWDS is not set
+# CONFIG_USE_BB_PWD_GRP is not set
+# CONFIG_USE_BB_SHADOW is not set
+# CONFIG_USE_BB_CRYPT is not set
+# CONFIG_USE_BB_CRYPT_SHA is not set
+# CONFIG_ADDUSER is not set
+# CONFIG_FEATURE_ADDUSER_LONG_OPTIONS is not set
+# CONFIG_FEATURE_CHECK_NAMES is not set
+CONFIG_LAST_ID=0
+CONFIG_FIRST_SYSTEM_ID=0
+CONFIG_LAST_SYSTEM_ID=0
+# CONFIG_ADDGROUP is not set
+# CONFIG_FEATURE_ADDGROUP_LONG_OPTIONS is not set
+# CONFIG_FEATURE_ADDUSER_TO_GROUP is not set
+# CONFIG_DELUSER is not set
+# CONFIG_DELGROUP is not set
+# CONFIG_FEATURE_DEL_USER_FROM_GROUP is not set
+CONFIG_GETTY=y
+# CONFIG_LOGIN is not set
+# CONFIG_LOGIN_SESSION_AS_CHILD is not set
+# CONFIG_LOGIN_SCRIPTS is not set
+# CONFIG_FEATURE_NOLOGIN is not set
+# CONFIG_FEATURE_SECURETTY is not set
+# CONFIG_PASSWD is not set
+# CONFIG_FEATURE_PASSWD_WEAK_CHECK is not set
+# CONFIG_CRYPTPW is not set
+# CONFIG_CHPASSWD is not set
+CONFIG_FEATURE_DEFAULT_PASSWD_ALGO=""
+# CONFIG_SU is not set
+# CONFIG_FEATURE_SU_SYSLOG is not set
+# CONFIG_FEATURE_SU_CHECKS_SHELLS is not set
+# CONFIG_SULOGIN is not set
+# CONFIG_VLOCK is not set
+
+#
+# Linux Ext2 FS Progs
+#
+# CONFIG_CHATTR is not set
+CONFIG_FSCK=y
+# CONFIG_LSATTR is not set
+# CONFIG_TUNE2FS is not set
+
+#
+# Linux Module Utilities
+#
+# CONFIG_MODINFO is not set
+# CONFIG_MODPROBE_SMALL is not set
+# CONFIG_FEATURE_MODPROBE_SMALL_OPTIONS_ON_CMDLINE is not set
+# CONFIG_FEATURE_MODPROBE_SMALL_CHECK_ALREADY_LOADED is not set
+# CONFIG_INSMOD is not set
+# CONFIG_RMMOD is not set
+# CONFIG_LSMOD is not set
+# CONFIG_FEATURE_LSMOD_PRETTY_2_6_OUTPUT is not set
+# CONFIG_MODPROBE is not set
+# CONFIG_FEATURE_MODPROBE_BLACKLIST is not set
+# CONFIG_DEPMOD is not set
+
+#
+# Options common to multiple modutils
+#
+# CONFIG_FEATURE_2_4_MODULES is not set
+# CONFIG_FEATURE_INSMOD_TRY_MMAP is not set
+# CONFIG_FEATURE_INSMOD_VERSION_CHECKING is not set
+# CONFIG_FEATURE_INSMOD_KSYMOOPS_SYMBOLS is not set
+# CONFIG_FEATURE_INSMOD_LOADINKMEM is not set
+# CONFIG_FEATURE_INSMOD_LOAD_MAP is not set
+# CONFIG_FEATURE_INSMOD_LOAD_MAP_FULL is not set
+# CONFIG_FEATURE_CHECK_TAINTED_MODULE is not set
+# CONFIG_FEATURE_MODUTILS_ALIAS is not set
+# CONFIG_FEATURE_MODUTILS_SYMBOLS is not set
+CONFIG_DEFAULT_MODULES_DIR=""
+CONFIG_DEFAULT_DEPMOD_FILE=""
+
+#
+# Linux System Utilities
+#
+# CONFIG_BLOCKDEV is not set
+CONFIG_FATATTR=y
+CONFIG_FSTRIM=y
+CONFIG_MDEV=y
+CONFIG_FEATURE_MDEV_CONF=y
+CONFIG_FEATURE_MDEV_RENAME=y
+# CONFIG_FEATURE_MDEV_RENAME_REGEXP is not set
+CONFIG_FEATURE_MDEV_EXEC=y
+# CONFIG_FEATURE_MDEV_LOAD_FIRMWARE is not set
+# CONFIG_REV is not set
+# CONFIG_ACPID is not set
+# CONFIG_FEATURE_ACPID_COMPAT is not set
+CONFIG_BLKID=y
+# CONFIG_FEATURE_BLKID_TYPE is not set
+CONFIG_DMESG=y
+CONFIG_FEATURE_DMESG_PRETTY=y
+# CONFIG_FBSET is not set
+# CONFIG_FEATURE_FBSET_FANCY is not set
+# CONFIG_FEATURE_FBSET_READMODE is not set
+CONFIG_FDFLUSH=y
+CONFIG_FDFORMAT=y
+CONFIG_FDISK=y
+# CONFIG_FDISK_SUPPORT_LARGE_DISKS is not set
+CONFIG_FEATURE_FDISK_WRITABLE=y
+# CONFIG_FEATURE_AIX_LABEL is not set
+# CONFIG_FEATURE_SGI_LABEL is not set
+# CONFIG_FEATURE_SUN_LABEL is not set
+# CONFIG_FEATURE_OSF_LABEL is not set
+CONFIG_FEATURE_GPT_LABEL=y
+CONFIG_FEATURE_FDISK_ADVANCED=y
+# CONFIG_FINDFS is not set
+# CONFIG_FLOCK is not set
+CONFIG_FREERAMDISK=y
+# CONFIG_FSCK_MINIX is not set
+# CONFIG_MKFS_EXT2 is not set
+# CONFIG_MKFS_MINIX is not set
+# CONFIG_FEATURE_MINIX2 is not set
+# CONFIG_MKFS_REISER is not set
+# CONFIG_MKFS_VFAT is not set
+CONFIG_GETOPT=y
+CONFIG_FEATURE_GETOPT_LONG=y
+CONFIG_HEXDUMP=y
+# CONFIG_FEATURE_HEXDUMP_REVERSE is not set
+# CONFIG_HD is not set
+CONFIG_HWCLOCK=y
+CONFIG_FEATURE_HWCLOCK_LONG_OPTIONS=y
+CONFIG_FEATURE_HWCLOCK_ADJTIME_FHS=y
+CONFIG_IPCRM=y
+CONFIG_IPCS=y
+CONFIG_LOSETUP=y
+CONFIG_LSPCI=y
+CONFIG_LSUSB=y
+CONFIG_MKSWAP=y
+# CONFIG_FEATURE_MKSWAP_UUID is not set
+CONFIG_MORE=y
+CONFIG_MOUNT=y
+# CONFIG_FEATURE_MOUNT_FAKE is not set
+CONFIG_FEATURE_MOUNT_VERBOSE=y
+CONFIG_FEATURE_MOUNT_HELPERS=y
+CONFIG_FEATURE_MOUNT_LABEL=y
+CONFIG_FEATURE_MOUNT_NFS=y
+CONFIG_FEATURE_MOUNT_CIFS=y
+CONFIG_FEATURE_MOUNT_FLAGS=y
+CONFIG_FEATURE_MOUNT_FSTAB=y
+# CONFIG_PIVOT_ROOT is not set
+CONFIG_RDATE=y
+# CONFIG_RDEV is not set
+CONFIG_READPROFILE=y
+# CONFIG_RTCWAKE is not set
+# CONFIG_SCRIPT is not set
+# CONFIG_SCRIPTREPLAY is not set
+CONFIG_SETARCH=y
+CONFIG_SWAPONOFF=y
+CONFIG_FEATURE_SWAPON_DISCARD=y
+# CONFIG_FEATURE_SWAPON_PRI is not set
+CONFIG_SWITCH_ROOT=y
+CONFIG_UMOUNT=y
+CONFIG_FEATURE_UMOUNT_ALL=y
+
+#
+# Common options for mount/umount
+#
+CONFIG_FEATURE_MOUNT_LOOP=y
+CONFIG_FEATURE_MOUNT_LOOP_CREATE=y
+# CONFIG_FEATURE_MTAB_SUPPORT is not set
+CONFIG_VOLUMEID=y
+
+#
+# Filesystem/Volume identification
+#
+# CONFIG_FEATURE_VOLUMEID_BTRFS is not set
+# CONFIG_FEATURE_VOLUMEID_CRAMFS is not set
+CONFIG_FEATURE_VOLUMEID_EXFAT=y
+CONFIG_FEATURE_VOLUMEID_EXT=y
+CONFIG_FEATURE_VOLUMEID_F2FS=y
+CONFIG_FEATURE_VOLUMEID_FAT=y
+# CONFIG_FEATURE_VOLUMEID_HFS is not set
+# CONFIG_FEATURE_VOLUMEID_ISO9660 is not set
+# CONFIG_FEATURE_VOLUMEID_JFS is not set
+# CONFIG_FEATURE_VOLUMEID_LINUXRAID is not set
+# CONFIG_FEATURE_VOLUMEID_LINUXSWAP is not set
+# CONFIG_FEATURE_VOLUMEID_LUKS is not set
+# CONFIG_FEATURE_VOLUMEID_NILFS is not set
+# CONFIG_FEATURE_VOLUMEID_NTFS is not set
+# CONFIG_FEATURE_VOLUMEID_OCFS2 is not set
+# CONFIG_FEATURE_VOLUMEID_REISERFS is not set
+# CONFIG_FEATURE_VOLUMEID_ROMFS is not set
+# CONFIG_FEATURE_VOLUMEID_SQUASHFS is not set
+# CONFIG_FEATURE_VOLUMEID_SYSV is not set
+# CONFIG_FEATURE_VOLUMEID_UDF is not set
+# CONFIG_FEATURE_VOLUMEID_XFS is not set
+
+#
+# Miscellaneous Utilities
+#
+# CONFIG_CONSPY is not set
+CONFIG_CROND=y
+# CONFIG_FEATURE_CROND_D is not set
+# CONFIG_FEATURE_CROND_CALL_SENDMAIL is not set
+CONFIG_FEATURE_CROND_DIR="/var/spool/cron"
+CONFIG_LESS=y
+CONFIG_FEATURE_LESS_MAXLINES=9999999
+CONFIG_FEATURE_LESS_BRACKETS=y
+CONFIG_FEATURE_LESS_FLAGS=y
+# CONFIG_FEATURE_LESS_MARKS is not set
+CONFIG_FEATURE_LESS_REGEXP=y
+# CONFIG_FEATURE_LESS_WINCH is not set
+# CONFIG_FEATURE_LESS_ASK_TERMINAL is not set
+# CONFIG_FEATURE_LESS_DASHCMD is not set
+# CONFIG_FEATURE_LESS_LINENUMS is not set
+# CONFIG_NANDWRITE is not set
+# CONFIG_NANDDUMP is not set
+# CONFIG_RFKILL is not set
+CONFIG_SETSERIAL=y
+# CONFIG_TASKSET is not set
+# CONFIG_FEATURE_TASKSET_FANCY is not set
+# CONFIG_UBIATTACH is not set
+# CONFIG_UBIDETACH is not set
+# CONFIG_UBIMKVOL is not set
+# CONFIG_UBIRMVOL is not set
+# CONFIG_UBIRSVOL is not set
+# CONFIG_UBIUPDATEVOL is not set
+# CONFIG_WALL is not set
+# CONFIG_ADJTIMEX is not set
+# CONFIG_BBCONFIG is not set
+# CONFIG_FEATURE_COMPRESS_BBCONFIG is not set
+# CONFIG_BEEP is not set
+CONFIG_FEATURE_BEEP_FREQ=0
+CONFIG_FEATURE_BEEP_LENGTH_MS=0
+# CONFIG_CHAT is not set
+# CONFIG_FEATURE_CHAT_NOFAIL is not set
+# CONFIG_FEATURE_CHAT_TTY_HIFI is not set
+# CONFIG_FEATURE_CHAT_IMPLICIT_CR is not set
+# CONFIG_FEATURE_CHAT_SWALLOW_OPTS is not set
+# CONFIG_FEATURE_CHAT_SEND_ESCAPES is not set
+# CONFIG_FEATURE_CHAT_VAR_ABORT_LEN is not set
+# CONFIG_FEATURE_CHAT_CLR_ABORT is not set
+CONFIG_CHRT=y
+CONFIG_CRONTAB=y
+CONFIG_DC=y
+# CONFIG_FEATURE_DC_LIBM is not set
+# CONFIG_DEVFSD is not set
+# CONFIG_DEVFSD_MODLOAD is not set
+# CONFIG_DEVFSD_FG_NP is not set
+# CONFIG_DEVFSD_VERBOSE is not set
+# CONFIG_FEATURE_DEVFS is not set
+CONFIG_DEVMEM=y
+CONFIG_EJECT=y
+# CONFIG_FEATURE_EJECT_SCSI is not set
+# CONFIG_FBSPLASH is not set
+# CONFIG_FLASHCP is not set
+# CONFIG_FLASH_LOCK is not set
+# CONFIG_FLASH_UNLOCK is not set
+# CONFIG_FLASH_ERASEALL is not set
+# CONFIG_IONICE is not set
+# CONFIG_INOTIFYD is not set
+CONFIG_LAST=y
+CONFIG_FEATURE_LAST_SMALL=y
+# CONFIG_FEATURE_LAST_FANCY is not set
+CONFIG_HDPARM=y
+CONFIG_FEATURE_HDPARM_GET_IDENTITY=y
+# CONFIG_FEATURE_HDPARM_HDIO_SCAN_HWIF is not set
+# CONFIG_FEATURE_HDPARM_HDIO_UNREGISTER_HWIF is not set
+# CONFIG_FEATURE_HDPARM_HDIO_DRIVE_RESET is not set
+# CONFIG_FEATURE_HDPARM_HDIO_TRISTATE_HWIF is not set
+# CONFIG_FEATURE_HDPARM_HDIO_GETSET_DMA is not set
+CONFIG_MAKEDEVS=y
+# CONFIG_FEATURE_MAKEDEVS_LEAF is not set
+CONFIG_FEATURE_MAKEDEVS_TABLE=y
+# CONFIG_MAN is not set
+CONFIG_MICROCOM=y
+CONFIG_MOUNTPOINT=y
+CONFIG_MT=y
+# CONFIG_RAIDAUTORUN is not set
+# CONFIG_READAHEAD is not set
+CONFIG_RUNLEVEL=y
+# CONFIG_RX is not set
+CONFIG_SETSID=y
+CONFIG_STRINGS=y
+CONFIG_TIME=y
+# CONFIG_TIMEOUT is not set
+# CONFIG_TTYSIZE is not set
+# CONFIG_VOLNAME is not set
+CONFIG_WATCHDOG=y
+
+#
+# Networking Utilities
+#
+CONFIG_NAMEIF=y
+# CONFIG_FEATURE_NAMEIF_EXTENDED is not set
+# CONFIG_NBDCLIENT is not set
+# CONFIG_NC is not set
+# CONFIG_NC_SERVER is not set
+# CONFIG_NC_EXTRA is not set
+# CONFIG_NC_110_COMPAT is not set
+CONFIG_PING=y
+# CONFIG_PING6 is not set
+CONFIG_FEATURE_FANCY_PING=y
+# CONFIG_WHOIS is not set
+CONFIG_FEATURE_IPV6=y
+# CONFIG_FEATURE_UNIX_LOCAL is not set
+# CONFIG_FEATURE_PREFER_IPV4_ADDRESS is not set
+# CONFIG_VERBOSE_RESOLUTION_ERRORS is not set
+# CONFIG_ARP is not set
+CONFIG_ARPING=y
+# CONFIG_BRCTL is not set
+# CONFIG_FEATURE_BRCTL_FANCY is not set
+# CONFIG_FEATURE_BRCTL_SHOW is not set
+CONFIG_DNSD=y
+CONFIG_ETHER_WAKE=y
+# CONFIG_FAKEIDENTD is not set
+# CONFIG_FTPD is not set
+# CONFIG_FEATURE_FTP_WRITE is not set
+# CONFIG_FEATURE_FTPD_ACCEPT_BROKEN_LIST is not set
+# CONFIG_FEATURE_FTP_AUTHENTICATION is not set
+# CONFIG_FTPGET is not set
+# CONFIG_FTPPUT is not set
+# CONFIG_FEATURE_FTPGETPUT_LONG_OPTIONS is not set
+CONFIG_HOSTNAME=y
+# CONFIG_HTTPD is not set
+# CONFIG_FEATURE_HTTPD_RANGES is not set
+# CONFIG_FEATURE_HTTPD_SETUID is not set
+# CONFIG_FEATURE_HTTPD_BASIC_AUTH is not set
+# CONFIG_FEATURE_HTTPD_AUTH_MD5 is not set
+# CONFIG_FEATURE_HTTPD_CGI is not set
+# CONFIG_FEATURE_HTTPD_CONFIG_WITH_SCRIPT_INTERPR is not set
+# CONFIG_FEATURE_HTTPD_SET_REMOTE_PORT_TO_ENV is not set
+# CONFIG_FEATURE_HTTPD_ENCODE_URL_STR is not set
+# CONFIG_FEATURE_HTTPD_ERROR_PAGES is not set
+# CONFIG_FEATURE_HTTPD_PROXY is not set
+# CONFIG_FEATURE_HTTPD_GZIP is not set
+CONFIG_IFCONFIG=y
+CONFIG_FEATURE_IFCONFIG_STATUS=y
+CONFIG_FEATURE_IFCONFIG_SLIP=y
+CONFIG_FEATURE_IFCONFIG_MEMSTART_IOADDR_IRQ=y
+CONFIG_FEATURE_IFCONFIG_HW=y
+# CONFIG_FEATURE_IFCONFIG_BROADCAST_PLUS is not set
+# CONFIG_IFENSLAVE is not set
+# CONFIG_IFPLUGD is not set
+CONFIG_IFUPDOWN=y
+CONFIG_IFUPDOWN_IFSTATE_PATH="/var/run/ifstate"
+CONFIG_FEATURE_IFUPDOWN_IP=y
+# CONFIG_FEATURE_IFUPDOWN_IP_BUILTIN is not set
+# CONFIG_FEATURE_IFUPDOWN_IFCONFIG_BUILTIN is not set
+CONFIG_FEATURE_IFUPDOWN_IPV4=y
+CONFIG_FEATURE_IFUPDOWN_IPV6=y
+CONFIG_FEATURE_IFUPDOWN_MAPPING=y
+# CONFIG_FEATURE_IFUPDOWN_EXTERNAL_DHCP is not set
+# CONFIG_INETD is not set
+# CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_ECHO is not set
+# CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_DISCARD is not set
+# CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_TIME is not set
+# CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_DAYTIME is not set
+# CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_CHARGEN is not set
+# CONFIG_FEATURE_INETD_RPC is not set
+CONFIG_IP=y
+CONFIG_FEATURE_IP_ADDRESS=y
+CONFIG_FEATURE_IP_LINK=y
+CONFIG_FEATURE_IP_ROUTE=y
+CONFIG_FEATURE_IP_TUNNEL=y
+CONFIG_FEATURE_IP_RULE=y
+CONFIG_FEATURE_IP_SHORT_FORMS=y
+# CONFIG_FEATURE_IP_RARE_PROTOCOLS is not set
+CONFIG_IPADDR=y
+CONFIG_IPLINK=y
+CONFIG_IPROUTE=y
+CONFIG_IPTUNNEL=y
+CONFIG_IPRULE=y
+# CONFIG_IPCALC is not set
+# CONFIG_FEATURE_IPCALC_FANCY is not set
+# CONFIG_FEATURE_IPCALC_LONG_OPTIONS is not set
+CONFIG_NETSTAT=y
+# CONFIG_FEATURE_NETSTAT_WIDE is not set
+# CONFIG_FEATURE_NETSTAT_PRG is not set
+CONFIG_NSLOOKUP=y
+# CONFIG_NTPD is not set
+# CONFIG_FEATURE_NTPD_SERVER is not set
+# CONFIG_FEATURE_NTPD_CONF is not set
+# CONFIG_PSCAN is not set
+CONFIG_ROUTE=y
+# CONFIG_SLATTACH is not set
+# CONFIG_TCPSVD is not set
+CONFIG_TELNET=y
+CONFIG_FEATURE_TELNET_TTYPE=y
+CONFIG_FEATURE_TELNET_AUTOLOGIN=y
+# CONFIG_TELNETD is not set
+# CONFIG_FEATURE_TELNETD_STANDALONE is not set
+# CONFIG_FEATURE_TELNETD_INETD_WAIT is not set
+CONFIG_TFTP=y
+# CONFIG_TFTPD is not set
+
+#
+# Common options for tftp/tftpd
+#
+CONFIG_FEATURE_TFTP_GET=y
+CONFIG_FEATURE_TFTP_PUT=y
+CONFIG_FEATURE_TFTP_BLOCKSIZE=y
+# CONFIG_FEATURE_TFTP_PROGRESS_BAR is not set
+# CONFIG_TFTP_DEBUG is not set
+CONFIG_TRACEROUTE=y
+# CONFIG_TRACEROUTE6 is not set
+# CONFIG_FEATURE_TRACEROUTE_VERBOSE is not set
+# CONFIG_FEATURE_TRACEROUTE_SOURCE_ROUTE is not set
+# CONFIG_FEATURE_TRACEROUTE_USE_ICMP is not set
+# CONFIG_TUNCTL is not set
+# CONFIG_FEATURE_TUNCTL_UG is not set
+# CONFIG_UDHCPC6 is not set
+# CONFIG_UDHCPD is not set
+# CONFIG_DHCPRELAY is not set
+# CONFIG_DUMPLEASES is not set
+# CONFIG_FEATURE_UDHCPD_WRITE_LEASES_EARLY is not set
+# CONFIG_FEATURE_UDHCPD_BASE_IP_ON_MAC is not set
+CONFIG_DHCPD_LEASES_FILE=""
+CONFIG_UDHCPC=y
+CONFIG_FEATURE_UDHCPC_ARPING=y
+CONFIG_FEATURE_UDHCPC_SANITIZEOPT=y
+# CONFIG_FEATURE_UDHCP_PORT is not set
+CONFIG_UDHCP_DEBUG=0
+# CONFIG_FEATURE_UDHCP_RFC3397 is not set
+CONFIG_FEATURE_UDHCP_8021Q=y
+CONFIG_UDHCPC_DEFAULT_SCRIPT="/usr/share/udhcpc/default.script"
+CONFIG_UDHCPC_SLACK_FOR_BUGGY_SERVERS=80
+CONFIG_IFUPDOWN_UDHCPC_CMD_OPTIONS="-R -n"
+# CONFIG_UDPSVD is not set
+CONFIG_VCONFIG=y
+CONFIG_WGET=y
+CONFIG_FEATURE_WGET_STATUSBAR=y
+CONFIG_FEATURE_WGET_AUTHENTICATION=y
+CONFIG_FEATURE_WGET_LONG_OPTIONS=y
+CONFIG_FEATURE_WGET_TIMEOUT=y
+# CONFIG_ZCIP is not set
+
+#
+# Print Utilities
+#
+# CONFIG_LPD is not set
+# CONFIG_LPR is not set
+# CONFIG_LPQ is not set
+
+#
+# Mail Utilities
+#
+# CONFIG_MAKEMIME is not set
+CONFIG_FEATURE_MIME_CHARSET=""
+# CONFIG_POPMAILDIR is not set
+# CONFIG_FEATURE_POPMAILDIR_DELIVERY is not set
+# CONFIG_REFORMIME is not set
+# CONFIG_FEATURE_REFORMIME_COMPAT is not set
+# CONFIG_SENDMAIL is not set
+
+#
+# Process Utilities
+#
+# CONFIG_IOSTAT is not set
+CONFIG_LSOF=y
+# CONFIG_MPSTAT is not set
+# CONFIG_NMETER is not set
+# CONFIG_PMAP is not set
+# CONFIG_POWERTOP is not set
+# CONFIG_PSTREE is not set
+# CONFIG_PWDX is not set
+# CONFIG_SMEMCAP is not set
+CONFIG_TOP=y
+CONFIG_FEATURE_TOP_CPU_USAGE_PERCENTAGE=y
+CONFIG_FEATURE_TOP_CPU_GLOBAL_PERCENTS=y
+# CONFIG_FEATURE_TOP_SMP_CPU is not set
+# CONFIG_FEATURE_TOP_DECIMALS is not set
+# CONFIG_FEATURE_TOP_SMP_PROCESS is not set
+# CONFIG_FEATURE_TOPMEM is not set
+CONFIG_UPTIME=y
+# CONFIG_FEATURE_UPTIME_UTMP_SUPPORT is not set
+CONFIG_FREE=y
+CONFIG_FUSER=y
+CONFIG_KILL=y
+CONFIG_KILLALL=y
+CONFIG_KILLALL5=y
+# CONFIG_PGREP is not set
+CONFIG_PIDOF=y
+CONFIG_FEATURE_PIDOF_SINGLE=y
+CONFIG_FEATURE_PIDOF_OMIT=y
+# CONFIG_PKILL is not set
+CONFIG_PS=y
+# CONFIG_FEATURE_PS_WIDE is not set
+# CONFIG_FEATURE_PS_LONG is not set
+# CONFIG_FEATURE_PS_TIME is not set
+# CONFIG_FEATURE_PS_ADDITIONAL_COLUMNS is not set
+# CONFIG_FEATURE_PS_UNUSUAL_SYSTEMS is not set
+CONFIG_RENICE=y
+CONFIG_BB_SYSCTL=y
+# CONFIG_FEATURE_SHOW_THREADS is not set
+CONFIG_WATCH=y
+
+#
+# Runit Utilities
+#
+# CONFIG_RUNSV is not set
+# CONFIG_RUNSVDIR is not set
+# CONFIG_FEATURE_RUNSVDIR_LOG is not set
+# CONFIG_SV is not set
+CONFIG_SV_DEFAULT_SERVICE_DIR=""
+# CONFIG_SVLOGD is not set
+# CONFIG_CHPST is not set
+# CONFIG_SETUIDGID is not set
+# CONFIG_ENVUIDGID is not set
+# CONFIG_ENVDIR is not set
+# CONFIG_SOFTLIMIT is not set
+
+#
+# SELinux Utilities
+#
+CONFIG_CHCON=y
+CONFIG_FEATURE_CHCON_LONG_OPTIONS=y
+# CONFIG_GETENFORCE is not set
+# CONFIG_GETSEBOOL is not set
+# CONFIG_LOAD_POLICY is not set
+# CONFIG_MATCHPATHCON is not set
+# CONFIG_RESTORECON is not set
+CONFIG_RUNCON=y
+CONFIG_FEATURE_RUNCON_LONG_OPTIONS=y
+CONFIG_SELINUXENABLED=y
+# CONFIG_SETENFORCE is not set
+# CONFIG_SETFILES is not set
+# CONFIG_FEATURE_SETFILES_CHECK_OPTION is not set
+# CONFIG_SETSEBOOL is not set
+# CONFIG_SESTATUS is not set
+
+#
+# Shells
+#
+CONFIG_ASH=y
+CONFIG_ASH_BASH_COMPAT=y
+CONFIG_ASH_IDLE_TIMEOUT=y
+CONFIG_ASH_JOB_CONTROL=y
+CONFIG_ASH_ALIAS=y
+CONFIG_ASH_GETOPTS=y
+CONFIG_ASH_BUILTIN_ECHO=y
+CONFIG_ASH_BUILTIN_PRINTF=y
+CONFIG_ASH_BUILTIN_TEST=y
+CONFIG_ASH_HELP=y
+CONFIG_ASH_CMDCMD=y
+# CONFIG_ASH_MAIL is not set
+CONFIG_ASH_OPTIMIZE_FOR_SIZE=y
+CONFIG_ASH_RANDOM_SUPPORT=y
+CONFIG_ASH_EXPAND_PRMT=y
+# CONFIG_CTTYHACK is not set
+# CONFIG_HUSH is not set
+# CONFIG_HUSH_BASH_COMPAT is not set
+# CONFIG_HUSH_BRACE_EXPANSION is not set
+# CONFIG_HUSH_HELP is not set
+# CONFIG_HUSH_INTERACTIVE is not set
+# CONFIG_HUSH_SAVEHISTORY is not set
+# CONFIG_HUSH_JOB is not set
+# CONFIG_HUSH_TICK is not set
+# CONFIG_HUSH_IF is not set
+# CONFIG_HUSH_LOOPS is not set
+# CONFIG_HUSH_CASE is not set
+# CONFIG_HUSH_FUNCTIONS is not set
+# CONFIG_HUSH_LOCAL is not set
+# CONFIG_HUSH_RANDOM_SUPPORT is not set
+# CONFIG_HUSH_EXPORT_N is not set
+# CONFIG_HUSH_MODE_X is not set
+# CONFIG_MSH is not set
+CONFIG_FEATURE_SH_IS_ASH=y
+# CONFIG_FEATURE_SH_IS_HUSH is not set
+# CONFIG_FEATURE_SH_IS_NONE is not set
+CONFIG_FEATURE_BASH_IS_ASH=y
+# CONFIG_FEATURE_BASH_IS_HUSH is not set
+# CONFIG_FEATURE_BASH_IS_NONE is not set
+CONFIG_SH_MATH_SUPPORT=y
+# CONFIG_SH_MATH_SUPPORT_64 is not set
+CONFIG_FEATURE_SH_EXTRA_QUIET=y
+# CONFIG_FEATURE_SH_STANDALONE is not set
+# CONFIG_FEATURE_SH_NOFORK is not set
+# CONFIG_FEATURE_SH_HISTFILESIZE is not set
+
+#
+# System Logging Utilities
+#
+# CONFIG_SYSLOGD is not set
+# CONFIG_FEATURE_ROTATE_LOGFILE is not set
+# CONFIG_FEATURE_REMOTE_LOG is not set
+# CONFIG_FEATURE_SYSLOGD_DUP is not set
+# CONFIG_FEATURE_SYSLOGD_CFG is not set
+CONFIG_FEATURE_SYSLOGD_READ_BUFFER_SIZE=0
+# CONFIG_FEATURE_IPC_SYSLOG is not set
+CONFIG_FEATURE_IPC_SYSLOG_BUFFER_SIZE=0
+# CONFIG_LOGREAD is not set
+# CONFIG_FEATURE_LOGREAD_REDUCED_LOCKING is not set
+# CONFIG_FEATURE_KMSG_SYSLOG is not set
+# CONFIG_KLOGD is not set
+# CONFIG_FEATURE_KLOGD_KLOGCTL is not set
+CONFIG_LOGGER=y
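Review bot: CONFIG_FEATURE_BASH_IS_ASH=y (with CONFIG_ASH_BASH_COMPAT=y) makes busybox also answer to the name `bash`, while the defconfig later in this series selects the real bash as /bin/sh precisely because the busybox shell is not compatible with refpolicy; with BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES the outcome depends on which package installs `bash` last. Consider `CONFIG_FEATURE_BASH_IS_NONE=y` so only the real bash can ever be the one refpolicy labels. Also worth a look: `CONFIG_TELNET=y` with `CONFIG_FEATURE_TELNET_AUTOLOGIN=y` keeps a cleartext-credential client on an image where telnetd, ftpd and httpd are otherwise correctly left off; if the QEMU test does not need it, drop it as well.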
diff --git a/board/common_selinux/post_build.sh b/board/common_selinux/post_build.sh
new file mode 100755
index 0000000..3509de9
--- /dev/null
+++ b/board/common_selinux/post_build.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+################################################################################
+#
+# DESCRIPTION:
+#     This script will do any "post-build" steps (after all packages are built
+#     but before image creation). Any filesystem permission issues should be
+#     fixed in this script.
+#
+#     The script requires following variables to be passed into it.
+#        $1 - the target directory (passed in by default by buildroot if
+#             script is BR2_ROOTFS_POST_BUILD_SCRIPT)
+#
+################################################################################
+
+DEST_DIR=$1
+
+# For SELinux targets, the /var directory symlinks need to be removed
+# and replaced with actual folders. The removal is done here and the
+# recreation is done in the permissions file for the common_selinux
+# local_skeleton
+for link in ${DEST_DIR}/var/{cache,lock,log,run,spool,tmp} ${DEST_DIR}/var/lib/misc; do
+	if [ -h ${link} ]; then
+		echo "Removing symlink ${link}"
+		unlink ${link}
+	fi
+done
+
+# Replace the /run folder with a symlink to /var/run
+rm -rf ${DEST_DIR}/run
+ln -sf -t ${DEST_DIR} run var/run
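Review bot: `rm -rf ${DEST_DIR}/run` (and the `unlink ${link}` loop above it) runs on an unchecked, unquoted `$1`; if the script is ever invoked without the target directory, DEST_DIR is empty and the removal hits `/run` on the build host. Add `set -e` and a guard such as `[ -n "$DEST_DIR" ] || { echo "usage: $0 TARGET_DIR" >&2; exit 1; }` right after `DEST_DIR=$1`, and quote the expansions (`"${DEST_DIR}/run"`, `"${link}"`); brace expansion still works as `"${DEST_DIR}"/var/{cache,lock,...}` because it happens before parameter expansion.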
diff --git a/board/common_selinux/skeleton/etc/audit/auditd.conf b/board/common_selinux/skeleton/etc/audit/auditd.conf
new file mode 100644
index 0000000..039b7f0
--- /dev/null
+++ b/board/common_selinux/skeleton/etc/audit/auditd.conf
@@ -0,0 +1,32 @@
+#
+# This file controls the configuration of the audit daemon
+#
+
+log_file = /var/log/audit/audit.log
+log_format = RAW
+log_group = root
+priority_boost = 4
+flush = INCREMENTAL
+freq = 20
+num_logs = 5
+disp_qos = lossy
+dispatcher = /usr/sbin/audispd
+name_format = NONE
+##name = mydomain
+max_log_file = 6 
+max_log_file_action = ROTATE
+space_left = 75
+space_left_action = IGNORE
+action_mail_acct = root
+admin_space_left = 50
+admin_space_left_action = IGNORE
+disk_full_action = IGNORE
+disk_error_action = IGNORE
+##tcp_listen_port = 
+tcp_listen_queue = 5
+tcp_max_per_addr = 1
+##tcp_client_ports = 1024-65535
+tcp_client_max_idle = 0
+enable_krb5 = no
+krb5_principal = auditd
+##krb5_key_file = /etc/audit/audit.key
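Review bot: `space_left_action`, `admin_space_left_action`, `disk_full_action` and `disk_error_action` are all `IGNORE`, so the daemon keeps running silently once the log volume fills or errors, and with `max_log_file = 6` and `num_logs = 5` up to 30 MB of audit logs are expected under /var/log/audit, which the fstab in this same patch mounts as a 50 MB tmpfs shared with rsyslog. If dropping events on this target is acceptable, say so in a comment; otherwise `SYSLOG` for the *_action keys at least leaves a trace of when auditing stopped. Nit: `max_log_file = 6 ` has a trailing space.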
diff --git a/board/common_selinux/skeleton/etc/audit/rules.d/audit.rules b/board/common_selinux/skeleton/etc/audit/rules.d/audit.rules
new file mode 100644
index 0000000..7c90606
--- /dev/null
+++ b/board/common_selinux/skeleton/etc/audit/rules.d/audit.rules
@@ -0,0 +1,3 @@
+-D
+-b 1024
+-e 2
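Review bot: `-e 2` makes the kernel audit configuration immutable for the rest of the uptime, which interacts badly with the S01auditd script added in patch 16 of this series: its `restart` path re-runs `auditctl -R` on this file, and after `-e 2` that call fails (the `-D` and `-b 1024` lines are rejected too), so a restart reports OK with no rule reload and only a reboot clears the lock. Either use `-e 1` for this permissive-mode demo target, or document the restriction next to the rule and make the script report the failure.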
diff --git a/board/common_selinux/skeleton/etc/fstab b/board/common_selinux/skeleton/etc/fstab
new file mode 100755
index 0000000..d772349
--- /dev/null
+++ b/board/common_selinux/skeleton/etc/fstab
@@ -0,0 +1,15 @@
+# /etc/fstab: static file system information.
+#
+# <file system> <mount pt>     <type>    <options>                      <dump> <pass>
+/dev/root       /              ext3      rw,noauto                       0      1
+proc            /proc          proc      defaults                        0      0
+devpts          /dev/pts       devpts    defaults,gid=5,mode=620         0      0
+tmpfs           /dev/shm       tmpfs     mode=0700,nodev,nosuid,noexec,size=1M    0      0
+tmpfs           /tmp           tmpfs     mode=0700,nodev,nosuid,noexec,size=200M  0      0
+tmpfs           /var/cache     tmpfs     mode=0700,nodev,nosuid,noexec,size=1M    0      0
+tmpfs           /var/lock      tmpfs     mode=0700,nodev,nosuid,noexec,size=1M    0      0
+tmpfs           /var/log       tmpfs     mode=0700,nodev,nosuid,noexec,size=50M   0      0
+tmpfs           /var/run       tmpfs     mode=0700,nodev,nosuid,noexec,size=1M    0      0
+tmpfs           /var/spool     tmpfs     mode=0700,nodev,nosuid,noexec,size=1M    0      0
+sysfs           /sys           sysfs     defaults                 0      0
+none            /selinux       selinuxfs noauto                   0      0
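Review bot: `mode=0700` on `/tmp`, `/dev/shm`, `/var/run` and `/var/lock` breaks every unprivileged user and daemon on the target: the conventional modes are `1777` (world-writable with the sticky bit) for /tmp, /dev/shm and /var/lock and `0755` for /var/run, so anything running as a non-root user cannot create its temp file, socket, pid file or POSIX shared memory. The `nodev,nosuid,noexec` options are the right hardening; only the modes need fixing. Two smaller points: `/var/tmp` is created in skeleton_permissions.txt but has no tmpfs line here, so it alone ends up on the writable ext2 root, and `/selinux` is the pre-3.x mount point for selinuxfs, which current libselinux expects under `/sys/fs/selinux` (the line is `noauto`, so it is misleading rather than harmful).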
diff --git a/board/common_selinux/skeleton/etc/inittab b/board/common_selinux/skeleton/etc/inittab
new file mode 100755
index 0000000..05e05b2
--- /dev/null
+++ b/board/common_selinux/skeleton/etc/inittab
@@ -0,0 +1,29 @@
+# /etc/inittab
+#
+# This inittab is a basic inittab sample for sysvinit, which mimics
+# Buildroot's default inittab for BusyBox.
+id:1:initdefault:
+
+proc::sysinit:/bin/mount -t proc proc /proc
+sysf::sysinit:/bin/mount -t sysfs sysfs /sys
+dpts::sysinit:/bin/mkdir -p /dev/pts -Z `matchpathcon -n /dev/pts`
+dshm::sysinit:/bin/mkdir -p /dev/shm -Z `matchpathcon -n /dev/shm`
+mpts::sysinit:/bin/mkdir -p /dev/pts
+mshm::sysinit:/bin/mkdir -p /dev/shm
+fsck::sysinit:/sbin/fsck -ARy
+moun::sysinit:/bin/mount -a
+host::sysinit:/bin/hostname -F /etc/hostname
+
+# now run any rc scripts
+init::bootwait:/etc/init.d/rcS
+
+S0::respawn:/sbin/getty -L  ttyS0 115200 vt100 # GENERIC_SERIAL
+
+# Stuff to do before rebooting
+shd0:06:wait:/etc/init.d/rcK
+shd1:06:wait:/sbin/swapoff -a
+shd2:06:wait:/bin/umount -a -r
+
+# The usual halt or reboot actions
+lt0:0:wait:/sbin/halt -dhp
+reb0:6:wait:/sbin/reboot
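Review bot: the `dpts`/`dshm` entries and the `mpts`/`mshm` entries create the same two directories twice, once with `-Z \`matchpathcon -n ...\`` and once without, and nothing says why. If the second pair is a fallback for matchpathcon being absent or returning nothing (an empty context makes `mkdir -Z` fail), say so in a comment, or collapse each pair into one `sysinit` entry that runs `mkdir -p` followed by `restorecon` on the result, which also covers the directory already existing on devtmpfs. Nit: double space in `getty -L  ttyS0`.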
diff --git a/board/common_selinux/skeleton_permissions.txt b/board/common_selinux/skeleton_permissions.txt
new file mode 100755
index 0000000..374adbc
--- /dev/null
+++ b/board/common_selinux/skeleton_permissions.txt
@@ -0,0 +1,26 @@
+################################################################################
+#
+# See <buildroot-source>/package/makedevs/README for details
+#
+# This device table is used to assign proper ownership and permissions
+# on the files in the local-skeleton directory. It doesn't create any device
+# file, as it is used in both static device configurations (where /dev/ is static)
+# and in dynamic configurations (where devtmpfs, mdev or udev are used).
+#
+# <name>				<type>	<mode>	<uid>	<gid>	<major>	<minor>	<start>	<inc>	<count>
+
+# All the necessary file permissions for /etc
+/etc/audit/auditd.conf			f	644	0	0	-	-	-	-	-
+/etc/audit/rules.d/audit.rules		f	644	0	0	-	-	-	-	-
+/etc/fstab				f	644	0	0	-	-	-	-	-
+/etc/inittab				f	644	0	0	-	-	-	-	-
+
+# Setup entries for all of the /var/* directories that need proper
+# mount points
+/var/cache				d	755	0	0	-	-	-	-	-
+/var/lib/misc				d	755	0	0	-	-	-	-	-
+/var/lock				d	755	0	0	-	-	-	-	-
+/var/log				d	755	0	0	-	-	-	-	-
+/var/run				d	755	0	0	-	-	-	-	-
+/var/spool				d	755	0	0	-	-	-	-	-
+/var/tmp				d	755	0	0	-	-	-	-	-
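Review bot: the git file modes disagree with this table: `etc/fstab`, `etc/inittab` and this file are added as `100755` (executable) while the table assigns them `644`; `chmod -x` them in the tree so the checked-in files and the device table agree. `/var/tmp d 755` also deserves a second look: it is the one /var directory without a tmpfs mount in the fstab, so this mode is what the target actually runs with, and root-owned 755 makes it unusable for other users; `1777` is the conventional value and makedevs accepts it. auditd.conf could be tightened to `640`, since only the root-run daemon needs to read it.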
-- 
1.9.1

* [Buildroot] [PATCH v8 13/16] qemu x86 selinux: base br defconfig
  2015-07-10 23:27 [Buildroot] [PATCH v8 00/16] SELinux Buildroot Additions Clayton Shotwell
                   ` (11 preceding siblings ...)
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 12/16] qemu x86 selinux: added common selinux support files Clayton Shotwell
@ 2015-07-10 23:27 ` Clayton Shotwell
  2015-07-10 23:28 ` [Buildroot] [PATCH v8 14/16] squashfs: Add xattr support Clayton Shotwell
                   ` (2 subsequent siblings)
  15 siblings, 0 replies; 36+ messages in thread
From: Clayton Shotwell @ 2015-07-10 23:27 UTC (permalink / raw)
  To: buildroot

From: Clayton Shotwell <clshotwe@rockwellcollins.com>

This will build a base SELinux system that boots with SELinux
in permissive mode. Also adding documentation on how to use it.

Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>

---
Changes v7 -> v8:
  - No changes

Changes v6 -> v7:
  - No changes

Changes v5 -> v6:
  - No changes

Changes v4 -> v5:
  - Update the qemu_x86_defconfig to the 4.0 kernel series (Clayton S.)

Changes v1 -> v4:
  - Did not exist
---
 board/qemu/x86/linux-4.0-selinux.config | 77 +++++++++++++++++++++++++++++++++
 board/qemu/x86/readme.txt               | 17 ++++++++
 configs/qemu_x86_selinux_defconfig      | 67 ++++++++++++++++++++++++++++
 3 files changed, 161 insertions(+)
 create mode 100644 board/qemu/x86/linux-4.0-selinux.config
 create mode 100644 configs/qemu_x86_selinux_defconfig

diff --git a/board/qemu/x86/linux-4.0-selinux.config b/board/qemu/x86/linux-4.0-selinux.config
new file mode 100644
index 0000000..89ab0dc
--- /dev/null
+++ b/board/qemu/x86/linux-4.0-selinux.config
@@ -0,0 +1,77 @@
+# CONFIG_LOCALVERSION_AUTO is not set
+# CONFIG_SWAP is not set
+CONFIG_AUDIT=y
+# CONFIG_COMPAT_BRK is not set
+CONFIG_MODULES=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_IOSCHED_DEADLINE is not set
+# CONFIG_IOSCHED_CFQ is not set
+# CONFIG_X86_EXTENDED_PLATFORM is not set
+# CONFIG_SCHED_OMIT_FRAME_POINTER is not set
+# CONFIG_MTRR_SANITIZER is not set
+# CONFIG_SECCOMP is not set
+# CONFIG_RELOCATABLE is not set
+CONFIG_NET=y
+CONFIG_PACKET=y
+CONFIG_UNIX=y
+CONFIG_INET=y
+CONFIG_IP_PNP=y
+# CONFIG_INET_XFRM_MODE_TRANSPORT is not set
+# CONFIG_INET_XFRM_MODE_TUNNEL is not set
+# CONFIG_INET_XFRM_MODE_BEET is not set
+# CONFIG_INET_LRO is not set
+# CONFIG_INET_DIAG is not set
+# CONFIG_IPV6 is not set
+# CONFIG_WIRELESS is not set
+CONFIG_DEVTMPFS=y
+CONFIG_DEVTMPFS_MOUNT=y
+# CONFIG_PREVENT_FIRMWARE_BUILD is not set
+# CONFIG_FIRMWARE_IN_KERNEL is not set
+# CONFIG_BLK_DEV is not set
+CONFIG_BLK_DEV_SD=y
+CONFIG_ATA=y
+CONFIG_ATA_PIIX=y
+CONFIG_NETDEVICES=y
+CONFIG_NE2K_PCI=y
+CONFIG_8139CP=y
+# CONFIG_WLAN is not set
+# CONFIG_INPUT_MOUSEDEV_PSAUX is not set
+# CONFIG_INPUT_MOUSE is not set
+# CONFIG_SERIO_SERPORT is not set
+# CONFIG_LEGACY_PTYS is not set
+# CONFIG_DEVKMEM is not set
+CONFIG_SERIAL_8250=y
+CONFIG_SERIAL_8250_CONSOLE=y
+# CONFIG_HW_RANDOM is not set
+# CONFIG_HWMON is not set
+CONFIG_SOUND=y
+CONFIG_SND=y
+CONFIG_SND_HDA_INTEL=y
+# CONFIG_USB_SUPPORT is not set
+# CONFIG_X86_PLATFORM_DEVICES is not set
+# CONFIG_DMIID is not set
+CONFIG_EXT2_FS=y
+CONFIG_EXT2_FS_XATTR=y
+CONFIG_EXT2_FS_POSIX_ACL=y
+CONFIG_EXT2_FS_SECURITY=y
+CONFIG_EXT3_FS=y
+CONFIG_EXT3_FS_POSIX_ACL=y
+CONFIG_EXT3_FS_SECURITY=y
+# CONFIG_DNOTIFY is not set
+# CONFIG_INOTIFY_USER is not set
+CONFIG_TMPFS=y
+CONFIG_TMPFS_POSIX_ACL=y
+# CONFIG_MISC_FILESYSTEMS is not set
+CONFIG_NFS_FS=y
+CONFIG_ROOT_NFS=y
+# CONFIG_ENABLE_WARN_DEPRECATED is not set
+# CONFIG_ENABLE_MUST_CHECK is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_FRAME_POINTER is not set
+# CONFIG_X86_VERBOSE_BOOTUP is not set
+CONFIG_SECURITY=y
+CONFIG_SECURITY_NETWORK=y
+CONFIG_SECURITY_SELINUX=y
+CONFIG_SECURITY_SELINUX_BOOTPARAM=y
+CONFIG_CRYPTO_ANSI_CPRNG=y
+# CONFIG_VIRTUALIZATION is not set
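Review bot: `CONFIG_SECURITY_SELINUX_BOOTPARAM=y` is what lets `selinux=0` on the kernel command line switch the LSM off entirely, so whoever controls the QEMU `-append` (or a bootloader on hardware derived from this fragment) can boot with no MAC at all; convenient for a demo, but a comment saying it is deliberate would help anyone reusing the config, and it should be the first thing dropped for a product build. Note also that this is a savedefconfig-style fragment, so the defaults it relies on are invisible: the permissive-mode boot mentioned in the commit message comes from `CONFIG_SECURITY_SELINUX_DEVELOP` defaulting to y, and `CONFIG_DEFAULT_SECURITY_SELINUX` is likewise implicit; spelling both out would make the intent explicit. `# CONFIG_SECCOMP is not set` is unrelated to SELinux and is a free hardening feature worth keeping on.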
diff --git a/board/qemu/x86/readme.txt b/board/qemu/x86/readme.txt
index 85d5c60..032d714 100644
--- a/board/qemu/x86/readme.txt
+++ b/board/qemu/x86/readme.txt
@@ -5,3 +5,20 @@ Run the emulation with:
 The login prompt will appear in the graphical window.
 
 Tested with QEMU 2.2.1
+
+-------------------------------------------------------------------
+
+Run the SElinux target emulation with:
+
+  qemu-system-i386 -M pc -kernel output/images/bzImage -drive file=output/images/rootfs.ext2,if=ide -append "root=/dev/sda rw console=ttyS0 selinux=1" -net nic,model=rtl8139 -net user -display none -serial stdio
+
+The emulation should reboot once the first time for relabeling and
+then provide a login prompt. The login is username root and password
+root because PAM requires a password in this secure configuration. To
+enable SELinux enforcing at boot, login and edit the
+/etc/selinux/config and set SELINUX to enforcing. Save and make sure
+to "sync" before restarting the emulation as the ext2 fs would
+otherwise corrupt when the emulation exits. After enforcing is
+default, the selinux= provided as part of the qemu "append" above can
+be used to turn enforcing on/off. This configuration would be tailored
+as part of a targets refpolicy customization.
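Review bot: the last two sentences conflate two kernel parameters. With `CONFIG_SECURITY_SELINUX_BOOTPARAM=y` in the kernel config of this patch, `selinux=0`/`selinux=1` disables or enables the SELinux LSM altogether; it does not toggle enforcing. Switching between permissive and enforcing at boot is `enforcing=0`/`enforcing=1` (available because `CONFIG_SECURITY_SELINUX_DEVELOP` is left at its default of y), and the persistent setting is the `SELINUX=` line in /etc/selinux/config described just above. Suggest replacing "the selinux= provided as part of the qemu "append" above can be used to turn enforcing on/off" with the `enforcing=` wording and noting separately that `selinux=0` exists as an escape hatch. Nits: "SElinux" should be "SELinux", and "a targets refpolicy" wants "a target's refpolicy".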
diff --git a/configs/qemu_x86_selinux_defconfig b/configs/qemu_x86_selinux_defconfig
new file mode 100644
index 0000000..feb4534
--- /dev/null
+++ b/configs/qemu_x86_selinux_defconfig
@@ -0,0 +1,67 @@
+# Architecture
+BR2_x86_pentiumpro=y
+
+# Default to the latest Code Sourcery
+BR2_TOOLCHAIN_EXTERNAL=y
+
+# Select SYSV init to provide selinux enabled init
+BR2_INIT_SYSV=y
+
+# Default password to allow PAM login
+BR2_TARGET_GENERIC_ROOT_PASSWD="root"
+
+# Default the shell to bash, sh symlinks to busybox which
+# is not compatible with refpolicy
+BR2_SYSTEM_BIN_SH_BASH=y
+
+# Pull in SELinux specific file overlay to allow login
+# in enforcing mode.
+BR2_ROOTFS_DEVICE_TABLE="system/device_table.txt board/common_selinux/skeleton_permissions.txt"
+BR2_ROOTFS_OVERLAY="board/common_selinux/skeleton"
+BR2_ROOTFS_POST_BUILD_SCRIPT="board/common_selinux/post_build.sh"
+
+# Lock to a kernel that's been tested against selinux libs
+BR2_LINUX_KERNEL=y
+BR2_LINUX_KERNEL_CUSTOM_VERSION=y
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.0"
+BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
+BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/x86/linux-4.0-selinux.config"
+
+# Customized busybox config providing a tailored
+# balance of applets vs full apps
+BR2_PACKAGE_BUSYBOX_CONFIG="board/common_selinux/busybox-selinux.config"
+
+# Ensure busybox is built as individual binaries for the
+# SELinux refpolicy to work correctly
+BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES=y
+
+# Audit service
+BR2_PACKAGE_AUDIT=y
+
+# Enhanced authentication with selinux hooks
+BR2_PACKAGE_LINUX_PAM=y
+
+# Full version of login with SELinux support
+BR2_PACKAGE_UTIL_LINUX=y
+BR2_PACKAGE_UTIL_LINUX_BINARIES=y
+BR2_PACKAGE_UTIL_LINUX_LOGIN_UTILS=y
+
+# SSH daemon for secure login
+BR2_PACKAGE_OPENSSH=y
+
+# Provides tools for fs security context relabeling
+BR2_PACKAGE_POLICYCOREUTILS=y
+
+# SELinux policy config/definition
+BR2_PACKAGE_REFPOLICY=y
+
+# Logging daemon
+BR2_PACKAGE_RSYSLOG=y
+
+#rootfs with spare space for fs relabel activity
+BR2_TARGET_ROOTFS_EXT2=y
+BR2_TARGET_ROOTFS_EXT2_RESBLKS=5
+# BR2_TARGET_ROOTFS_TAR is not set
+
+# Offline tools for policy analysis/building
+BR2_PACKAGE_HOST_CHECKPOLICY=y
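Review bot: `BR2_TARGET_GENERIC_ROOT_PASSWD="root"` combined with `BR2_PACKAGE_OPENSSH=y` ships a root account with a known password behind a running sshd; the QEMU `-net user` line in the readme forwards no ports, so it is harmless for the documented use, but a comment beside the password (and a line in the readme) marking it as a demo credential would stop the defconfig being copied as-is onto hardware. Smaller points: the comment "Default to the latest Code Sourcery" does not match what follows (only `BR2_TOOLCHAIN_EXTERNAL=y`, no toolchain named, so whatever the architecture's default external toolchain is at the time gets used), and `BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.0"` pins the unpatched 4.0 release rather than a 4.0.y stable, which is where the security fixes land.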
-- 
1.9.1

* [Buildroot] [PATCH v8 14/16] squashfs: Add xattr support
  2015-07-10 23:27 [Buildroot] [PATCH v8 00/16] SELinux Buildroot Additions Clayton Shotwell
                   ` (12 preceding siblings ...)
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 13/16] qemu x86 selinux: base br defconfig Clayton Shotwell
@ 2015-07-10 23:28 ` Clayton Shotwell
  2015-07-11  7:31   ` Thomas Petazzoni
  2015-07-10 23:28 ` [Buildroot] [PATCH v8 15/16] cpio: new package Clayton Shotwell
  2015-07-10 23:28 ` [Buildroot] [PATCH v8 16/16] audit: Add startup script Clayton Shotwell
  15 siblings, 1 reply; 36+ messages in thread
From: Clayton Shotwell @ 2015-07-10 23:28 UTC (permalink / raw)
  To: buildroot

Adding extended attribute support for the squashfs tools when the attr
package is selected. This is needed for SELinux support.

Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>

---
Changes v7 -> v8:
  - Reverted changes to the host build options to leave xattr support
    disabled due to too many host system dependencies issues.
  - Cleaned up the target xattr options and added a dependency on attr
    to ensure it is built before squashfs (Suggested by Thomas P.)

Changes v6 -> v7:
  - No changes

Changes v5 -> v6:
  - No changes
---
 package/squashfs/squashfs.mk | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/package/squashfs/squashfs.mk b/package/squashfs/squashfs.mk
index 8ca9e2e..3204d05 100644
--- a/package/squashfs/squashfs.mk
+++ b/package/squashfs/squashfs.mk
@@ -10,8 +10,12 @@ SQUASHFS_SITE = http://downloads.sourceforge.net/project/squashfs/squashfs/squas
 SQUASHFS_LICENSE = GPLv2+
 SQUASHFS_LICENSE_FILES = COPYING
 
-# no libattr in BR
-SQUASHFS_MAKE_ARGS = XATTR_SUPPORT=0
+ifeq ($(BR2_PACKAGE_ATTR),y)
+SQUASHFS_DEPENDENCIES += attr
+SQUASHFS_MAKE_ARGS += XATTR_SUPPORT=1
+else
+SQUASHFS_MAKE_ARGS += XATTR_SUPPORT=0
+endif
 
 ifeq ($(BR2_PACKAGE_SQUASHFS_LZ4),y)
 SQUASHFS_DEPENDENCIES += lz4
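Review bot: the target mksquashfs xattr flag now silently follows whether `attr` happens to be selected elsewhere, with no option in squashfs' own Config.in to ask for it; an SELinux image built without attr produces squashfs files with no security.selinux labels and no warning. Either add a `BR2_PACKAGE_SQUASHFS_XATTR` option that selects BR2_PACKAGE_ATTR, or at least state the dependency in the Config.in help. The larger gap is the one the changelog describes: host xattr support stays at `XATTR_SUPPORT=0`, and host-squashfs is what fs/squashfs uses to build the rootfs image, so for the series' stated goal (labelled SELinux filesystems) the target-side flag alone does not get labels into output/images/rootfs.squashfs.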
-- 
1.9.1

* [Buildroot] [PATCH v8 15/16] cpio: new package
  2015-07-10 23:27 [Buildroot] [PATCH v8 00/16] SELinux Buildroot Additions Clayton Shotwell
                   ` (13 preceding siblings ...)
  2015-07-10 23:28 ` [Buildroot] [PATCH v8 14/16] squashfs: Add xattr support Clayton Shotwell
@ 2015-07-10 23:28 ` Clayton Shotwell
  2015-07-14 15:38   ` Samuel Martin
  2015-07-10 23:28 ` [Buildroot] [PATCH v8 16/16] audit: Add startup script Clayton Shotwell
  15 siblings, 1 reply; 36+ messages in thread
From: Clayton Shotwell @ 2015-07-10 23:28 UTC (permalink / raw)
  To: buildroot

Adding the cpio archive utility for the target and host. Patches have
been pulled from ArchLinux and Debian to fix CVE issues and compile
issues.

Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>

---
Changes v7 -> v8:
  - Corrected the license to be GPLv3+ (Suggested by Thomas P.)
  - Changed all of the patches to pull from the various source locations
    since they were not being modified at all (Suggested by Thomas P.)

Changes v6 -> v7:
  - Added dependency on argp-standalone package for uclibc toolchains
    to fix build error (Clayton S.)
  - Added hash file (Clayton S.)

Changes v5 -> v6:
  - No changes
---
 package/Config.in           |  1 +
 package/Config.in.host      |  1 +
 package/cpio/Config.in      |  8 ++++++++
 package/cpio/Config.in.host |  6 ++++++
 package/cpio/cpio.hash      |  9 +++++++++
 package/cpio/cpio.mk        | 27 +++++++++++++++++++++++++++
 6 files changed, 52 insertions(+)
 create mode 100644 package/cpio/Config.in
 create mode 100644 package/cpio/Config.in.host
 create mode 100644 package/cpio/cpio.hash
 create mode 100644 package/cpio/cpio.mk

diff --git a/package/Config.in b/package/Config.in
index 2cc81fa..c6e5efe 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -149,6 +149,7 @@ endmenu
 menu "Filesystem and flash utilities"
 	source "package/btrfs-progs/Config.in"
 	source "package/cifs-utils/Config.in"
+	source "package/cpio/Config.in"
 	source "package/cramfs/Config.in"
 	source "package/curlftpfs/Config.in"
 	source "package/dosfstools/Config.in"
diff --git a/package/Config.in.host b/package/Config.in.host
index 1e047aa..9a4f176 100644
--- a/package/Config.in.host
+++ b/package/Config.in.host
@@ -1,6 +1,7 @@
 menu "Host utilities"
 
 	source "package/checkpolicy/Config.in.host"
+	source "package/cpio/Config.in.host"
 	source "package/cramfs/Config.in.host"
 	source "package/dfu-util/Config.in.host"
 	source "package/dos2unix/Config.in.host"
diff --git a/package/cpio/Config.in b/package/cpio/Config.in
new file mode 100644
index 0000000..1787f39
--- /dev/null
+++ b/package/cpio/Config.in
@@ -0,0 +1,8 @@
+config BR2_PACKAGE_CPIO
+	bool "cpio"
+	# Need argp.h support
+	select BR2_PACKAGE_ARGP_STANDALONE if BR2_TOOLCHAIN_USES_UCLIBC
+	help
+	  cpio archive utility for creation and extraction.
+
+	  https://www.gnu.org/software/cpio/
diff --git a/package/cpio/Config.in.host b/package/cpio/Config.in.host
new file mode 100644
index 0000000..e927952
--- /dev/null
+++ b/package/cpio/Config.in.host
@@ -0,0 +1,6 @@
+config BR2_PACKAGE_HOST_CPIO
+	bool "host cpio"
+	help
+	  cpio archive utility for creation and extraction.
+
+	  https://www.gnu.org/software/cpio/
diff --git a/package/cpio/cpio.hash b/package/cpio/cpio.hash
new file mode 100644
index 0000000..c52e86a
--- /dev/null
+++ b/package/cpio/cpio.hash
@@ -0,0 +1,9 @@
+# Locally calculated after checking pgp signature
+sha256	601b1d774cd6e4cd39416203c91ec59dbd65dd27d79d75e1a9b89497ea643978	cpio-2.11.tar.gz
+
+# Locally calculated
+sha256 903fb87e00813daf257be5d1680ad93770d320c707ab2ec345486958b2e8a21f cpio-2.11-stdio.in.patch
+sha256 6b6505a97dda75d24627d9ba461b45ab9ea4764e1a2788d6986eb2978434f25d cpio-2.11-CVE-2014-9112.patch
+sha256 0cf7c9749f1c1610aaf46e17eacd6614c5ef8c2114236bcdd08d53e929020ae5 cpio-2.11-testsuite-CVE-2014-9112.patch
+sha256 f1f587f70a38363691cbd4dfe89f962c8c57266277f0fbc781910c6a7065be7e cpio-2.11-check_for_symlinks-CVE-2015-1197.patch
+sha256 b3d317e3c5705d7f9e503f56540baf3cb6dd1d0e9be0261151a5b08378c2d98c cpio-2.11-stat.patch
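Review bot: the first entry separates its fields with tabs while the five patch entries use single spaces; both parse, since the hash checker splits on whitespace, but one form per file is the convention, so use spaces throughout. The comment "Locally calculated after checking pgp signature" is exactly what a reader wants to see; naming the key id that signed cpio-2.11 would let them repeat the check.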
diff --git a/package/cpio/cpio.mk b/package/cpio/cpio.mk
new file mode 100644
index 0000000..67871e2
--- /dev/null
+++ b/package/cpio/cpio.mk
@@ -0,0 +1,27 @@
+################################################################################
+#
+# cpio
+#
+################################################################################
+
+CPIO_VERSION = 2.11
+CPIO_SITE = http://ftp.gnu.org/gnu/cpio
+CPIO_LICENSE = GPLv3+
+CPIO_LICENSE_FILES = COPYING
+CPIO_PATCH = \
+	https://projects.archlinux.org/svntogit/packages.git/plain/cpio/trunk/cpio-2.11-stdio.in.patch \
+	https://projects.archlinux.org/svntogit/packages.git/plain/cpio/trunk/cpio-2.11-CVE-2014-9112.patch \
+	https://projects.archlinux.org/svntogit/packages.git/plain/cpio/trunk/cpio-2.11-testsuite-CVE-2014-9112.patch \
+	https://projects.archlinux.org/svntogit/packages.git/plain/cpio/trunk/cpio-2.11-check_for_symlinks-CVE-2015-1197.patch \
+	https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-arch/cpio/files/cpio-2.11-stat.patch
+
+# cpio uses argp.h which is not provided by uclibc by default.
+# Use the argp-standalone package to provide this but make sure
+# the host package does not try to use the host version.
+ifeq ($(BR2_TOOLCHAIN_USES_UCLIBC),y)
+CPIO_DEPENDENCIES += argp-standalone
+HOST_CPIO_DEPENDENCIES =
+endif
+
+$(eval $(autotools-package))
+$(eval $(host-autotools-package))
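Review bot: the five `CPIO_PATCH` URLs point at moving targets (`.../plain/cpio/trunk/...` and a viewvc path with no revision), so the download breaks, or quietly changes content, the moment the distro updates its patch; the hash file catches the second case, but pinning each URL to a specific commit or revision makes the build reproducible and the CVE-2014-9112 / CVE-2015-1197 fixes auditable. `CPIO_SITE = http://ftp.gnu.org/gnu/cpio` is also served over https, which together with the hash makes the tarball fetch tamper-evident end to end. The `HOST_CPIO_DEPENDENCIES =` line is correct (it stops the host package inheriting host-argp-standalone from the target dependency list), but the comment above it, "make sure the host package does not try to use the host version", says the opposite of what it means.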
-- 
1.9.1

* [Buildroot] [PATCH v8 16/16] audit: Add startup script
  2015-07-10 23:27 [Buildroot] [PATCH v8 00/16] SELinux Buildroot Additions Clayton Shotwell
                   ` (14 preceding siblings ...)
  2015-07-10 23:28 ` [Buildroot] [PATCH v8 15/16] cpio: new package Clayton Shotwell
@ 2015-07-10 23:28 ` Clayton Shotwell
  15 siblings, 0 replies; 36+ messages in thread
From: Clayton Shotwell @ 2015-07-10 23:28 UTC (permalink / raw)
  To: buildroot

The startup script for the audit package did not meet the buildroot
standards when the package was initially merged. Adding a compliant
startup script for starting the audit daemon along with rotating the
logs and other features.

Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>

---
Changes v7 -> v8:
  - New patch
---
 package/audit/S01auditd | 80 +++++++++++++++++++++++++++++++++++++++++++++++++
 package/audit/audit.mk  |  4 +++
 2 files changed, 84 insertions(+)
 create mode 100644 package/audit/S01auditd

diff --git a/package/audit/S01auditd b/package/audit/S01auditd
new file mode 100644
index 0000000..1cbfc20
--- /dev/null
+++ b/package/audit/S01auditd
@@ -0,0 +1,80 @@
+#!/bin/sh
+#
+# auditd       This starts and stops auditd
+#
+# description: This starts the Linux Auditing System Daemon,
+#              which collects security related events in a dedicated
+#              audit log. If this daemon is turned off, audit events
+#              will be sent to syslog.
+#
+
+NAME=auditd
+DAEMON=/usr/sbin/${NAME}
+CONFIG=/etc/audit/auditd.conf
+PIDFILE=/var/run/${NAME}.pid
+
+start(){
+	echo -n "Starting ${NAME}: "
+
+	# Create dir to store log files in if one doesn't exist. Create
+	# the directory with SELinux permissions if possible
+	command -v matchpathcon >/dev/null 2>&1
+	if [ $? = 0 ]; then
+		mkdir -p /var/log/audit -Z `matchpathcon -n /var/log/audit`
+	else
+		mkdir -p /var/log/audit
+	fi
+
+	# Run audit daemon executable
+	start-stop-daemon -S -q -p ${PIDFILE} --exec ${DAEMON}
+
+	if [ $? = 0 ]; then
+		# Load the default rules
+		test -f /etc/audit/rules.d/audit.rules && /usr/sbin/auditctl -R /etc/audit/rules.d/audit.rules >/dev/null
+		echo "OK"
+	else
+		echo "Failed"
+	fi
+}
+
+stop(){
+	echo -n "Stopping ${NAME}: "
+
+	start-stop-daemon -K -q -p ${PIDFILE}
+	[ $? = 0 ] && echo "OK" || echo "FAIL"
+}
+
+reload(){
+	echo -n "Reloading ${NAME} configuration: "
+	start-stop-daemon --stop -s 1 -p ${PIDFILE} 1>/dev/null
+	[ $? = 0 ] && echo "OK" || echo "FAIL"
+}
+
+rotate(){
+	echo -n "Rotating ${NAME} logs: "
+	start-stop-daemon --stop -s 10 -p ${PIDFILE} 1>/dev/null
+	[ $? = 0 ] && echo "OK" || echo "FAIL"
+}
+
+case "$1" in
+	start)
+		start
+		;;
+	stop)
+		stop
+		;;
+	restart)
+		stop
+		start
+		;;
+	reload)
+		reload
+		;;
+	rotate)
+		rotate
+		;;
+	*)
+		echo "Usage: $0 {start|stop|restart|reload|rotate}"
+		exit 1
+		;;
+esac
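Review bot: the `start` path prints OK regardless of whether the rules loaded: the exit status of `/usr/sbin/auditctl -R ...` is discarded, and with the `-e 2` shipped in this series' audit.rules that call fails on every `restart` after first boot because the kernel audit configuration is immutable; test its result and print a warning, and document that with `-e 2` a rule reload needs a reboot. Second, `reload` and `rotate` send signals by number (`-s 1`, `-s 10`); SIGHUP is 1 everywhere but SIGUSR1 is 10 only on x86 and ARM (16 on MIPS), so use `-s HUP` and `-s USR1`, which start-stop-daemon accepts by name.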
diff --git a/package/audit/audit.mk b/package/audit/audit.mk
index ab3e087..cf8cca6 100644
--- a/package/audit/audit.mk
+++ b/package/audit/audit.mk
@@ -34,6 +34,10 @@ ifeq ($(BR2_aarch64),y)
 AUDIT_CONF_OPTS += --with-aarch64
 endif
 
+define AUDIT_INSTALL_INIT_SYSV
+	$(INSTALL) -m 755 package/audit/S01auditd $(TARGET_DIR)/etc/init.d/
+endef
+
 define AUDIT_INSTALL_CLEANUP
 	$(RM) -rf $(TARGET_DIR)/etc/rc.d
 	$(RM) -rf $(TARGET_DIR)/etc/sysconfig
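Review bot: AUDIT_INSTALL_INIT_SYSV copies the script with `$(INSTALL) -m 755 ... $(TARGET_DIR)/etc/init.d/`, without `-D` and without the destination file name; the usual Buildroot form `$(INSTALL) -D -m 0755 package/audit/S01auditd $(TARGET_DIR)/etc/init.d/S01auditd` creates the directory when it is missing and makes the installed name explicit.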
-- 
1.9.1


* [Buildroot] [PATCH v8 11/16] rsyslog: fix config file comment style
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 11/16] rsyslog: fix config file comment style Clayton Shotwell
@ 2015-07-11  7:28   ` Thomas Petazzoni
  2015-07-12 22:51   ` Thomas Petazzoni
  1 sibling, 0 replies; 36+ messages in thread
From: Thomas Petazzoni @ 2015-07-11  7:28 UTC (permalink / raw)
  To: buildroot

Dear Clayton Shotwell,

On Fri, 10 Jul 2015 18:27:57 -0500, Clayton Shotwell wrote:
> From: Matt Weber <matthew.weber@rockwellcollins.com>
> 
> The upstream versions of rsyslog (v8 and higher) have this commit to fix
> the config file comment issue. Carry this patch here until the version
> is bumped.
> 
> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
> Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> 
> ---
> Changes v7 -> v8:
>   - Reverted change to make file in favor of using upstream patch
>     (Suggested by Samuel)

Applied, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com


* [Buildroot] [PATCH v8 14/16] squashfs: Add xattr support
  2015-07-10 23:28 ` [Buildroot] [PATCH v8 14/16] squashfs: Add xattr support Clayton Shotwell
@ 2015-07-11  7:31   ` Thomas Petazzoni
  0 siblings, 0 replies; 36+ messages in thread
From: Thomas Petazzoni @ 2015-07-11  7:31 UTC (permalink / raw)
  To: buildroot

Dear Clayton Shotwell,

On Fri, 10 Jul 2015 18:28:00 -0500, Clayton Shotwell wrote:
> Adding extended attribute support for the squashfs tools when the attr
> package is selected. This is needed for SELinux support.
> 
> Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> 
> ---
> Changes v7 -> v8:
>   - Reverted changes to the host build options to leave xattr support
>     disabled due to too many host system dependency issues.
>   - Cleaned up the target xattr options and added a dependency on attr
>     to ensure it is built before squashfs (Suggested by Thomas P.)

Applied, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com


* [Buildroot] [PATCH v8 11/16] rsyslog: fix config file comment style
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 11/16] rsyslog: fix config file comment style Clayton Shotwell
  2015-07-11  7:28   ` Thomas Petazzoni
@ 2015-07-12 22:51   ` Thomas Petazzoni
  2015-07-13 12:25     ` Clayton Shotwell
  1 sibling, 1 reply; 36+ messages in thread
From: Thomas Petazzoni @ 2015-07-12 22:51 UTC (permalink / raw)
  To: buildroot

Dear Clayton Shotwell,

On Fri, 10 Jul 2015 18:27:57 -0500, Clayton Shotwell wrote:
> From: Matt Weber <matthew.weber@rockwellcollins.com>
> 
> The upstream versions of rsyslog (v8 and higher) have this commit to fix
> the config file comment issue. Carry this patch here until the version
> is bumped.
> 
> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
> Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>

I had to revert this patch, because it was breaking the build:

   http://autobuild.buildroot.org/results/208/2082f4e8dc5768b03c951f571b9aca976703f952/build-end.log

Indeed the patch you proposed to add to rsyslog is already part of
rsyslog 8.9.0 which we use in Buildroot.

Which means you sent this patch without even trying to apply it on
rsyslog. Bad! :-)

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com


* [Buildroot] [PATCH v8 11/16] rsyslog: fix config file comment style
  2015-07-12 22:51   ` Thomas Petazzoni
@ 2015-07-13 12:25     ` Clayton Shotwell
  0 siblings, 0 replies; 36+ messages in thread
From: Clayton Shotwell @ 2015-07-13 12:25 UTC (permalink / raw)
  To: buildroot

Thomas,

On Sun, Jul 12, 2015 at 5:51 PM, Thomas Petazzoni
<thomas.petazzoni@free-electrons.com> wrote:
> Dear Clayton Shotwell,
>
> On Fri, 10 Jul 2015 18:27:57 -0500, Clayton Shotwell wrote:
>> From: Matt Weber <matthew.weber@rockwellcollins.com>
>>
>> The upstream versions of rsyslog (v8 and higher) have this commit to fix
>> the config file comment issue. Carry this patch here until the version
>> is bumped.
>>
>> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
>> Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>
> I had to revert this patch, because it was breaking the build:
>
>    http://autobuild.buildroot.org/results/208/2082f4e8dc5768b03c951f571b9aca976703f952/build-end.log
>
> Indeed the patch you proposed to add to rsyslog is already part of
> rsyslog 8.9.0 which we use in Buildroot.
>
> Which means you sent this patch without even trying to apply it on
> rsyslog. Bad! :-)

You are correct. My bad. That is what I get for trying to rush things
before heading out on a Friday.

Thanks,
Clayton

Clayton Shotwell
Senior Software Engineer, Rockwell Collins
clayton.shotwell at rockwellcollins.com


* [Buildroot] [PATCH v8 01/16] policycoreutils: new package
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 01/16] policycoreutils: new package Clayton Shotwell
@ 2015-07-14 12:26   ` Samuel Martin
  2015-07-14 14:28     ` Clayton Shotwell
  0 siblings, 1 reply; 36+ messages in thread
From: Samuel Martin @ 2015-07-14 12:26 UTC (permalink / raw)
  To: buildroot

Clayton, all,

On Sat, Jul 11, 2015 at 1:27 AM, Clayton Shotwell
<clayton.shotwell@rockwellcollins.com> wrote:
[...]
> diff --git a/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
> new file mode 100644
> index 0000000..016980f
> --- /dev/null
> +++ b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
> @@ -0,0 +1,258 @@
> +From a8eea90050551e42d4dc81867853f351282f9f90 Mon Sep 17 00:00:00 2001
> +From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> +Date: Fri, 10 Jul 2015 11:44:08 -0500
> +Subject: [PATCH 1/3] Add DESTDIR to all paths that use an absolute path
> +
> +To aid in cross compiling, add the DESTDIR variable to the start of all
> +of the paths used during compilation. Most paths already used DESTDIR.
> +
> +Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> +---
> + Makefile                |  4 ++--
> + audit2allow/Makefile    |  2 +-
> + load_policy/Makefile    |  2 +-
> + mcstrans/src/Makefile   | 11 +++++++----
> + mcstrans/utils/Makefile |  9 ++++++---
> + newrole/Makefile        | 12 ++++++------
> + restorecond/Makefile    |  6 ++++--
> + run_init/Makefile       | 12 ++++++------
> + sepolicy/Makefile       |  2 +-
> + setfiles/Makefile       |  4 ++--
> + 10 files changed, 36 insertions(+), 28 deletions(-)
> +
> +diff --git a/Makefile b/Makefile
> +index 3980799..0fca022 100644
> +--- a/Makefile
> ++++ b/Makefile
> +@@ -1,8 +1,8 @@
> + SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui
> +
> +-INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
> ++INOTIFYH = $(shell ls $(DESTDIR)/usr/include/sys/inotify.h 2>/dev/null)
> +
> +-ifeq (${INOTIFYH}, /usr/include/sys/inotify.h)
> ++ifeq (${INOTIFYH}, $(DESTDIR)/usr/include/sys/inotify.h)
> +       SUBDIRS += restorecond
> + endif
> +
> +diff --git a/audit2allow/Makefile b/audit2allow/Makefile
> +index 88635d4..933e520 100644
> +--- a/audit2allow/Makefile
> ++++ b/audit2allow/Makefile
> +@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
> + BINDIR ?= $(PREFIX)/bin
> + LIBDIR ?= $(PREFIX)/lib
> + MANDIR ?= $(PREFIX)/share/man
> +-LOCALEDIR ?= /usr/share/locale
> ++LOCALEDIR ?= $(DESTDIR)/usr/share/locale
nit: could be set to: $(PREFIX)/share/locale

> +
> + all: ;
> +
> +diff --git a/load_policy/Makefile b/load_policy/Makefile
> +index 7c5bab0..4129d8f 100644
> +--- a/load_policy/Makefile
> ++++ b/load_policy/Makefile
> +@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
> + SBINDIR ?= $(DESTDIR)/sbin
> + USRSBINDIR ?= $(PREFIX)/sbin
> + MANDIR ?= $(PREFIX)/share/man
> +-LOCALEDIR ?= /usr/share/locale
> ++LOCALEDIR ?= $(DESTDIR)/usr/share/locale
ditto

> +
> + CFLAGS ?= -Werror -Wall -W
> + override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
> +diff --git a/mcstrans/src/Makefile b/mcstrans/src/Makefile
> +index fb44490..1982b43 100644
> +--- a/mcstrans/src/Makefile
> ++++ b/mcstrans/src/Makefile
> +@@ -1,15 +1,18 @@
> + ARCH = $(shell uname -i)
This can break target build, no? Unless you set ARCH=... on the right
of make. (I don't see something like that in the *.mk.)
Note that for the host, BR2_HOSTARCH is also defined.

> + ifeq "$(ARCH)" "x86_64"
> +       # In case of 64 bit system, use these lines
> +-      LIBDIR=/usr/lib64
> +-else
> ++      LIBDIR=$(DESTDIR)/usr/lib64
> ++else
> + ifeq "$(ARCH)" "i686"
> +       # In case of 32 bit system, use these lines
> +-      LIBDIR=/usr/lib
> ++      LIBDIR=$(DESTDIR)/usr/lib
> + else
> + ifeq "$(ARCH)" "i386"
> +       # In case of 32 bit system, use these lines
> +-      LIBDIR=/usr/lib
> ++      LIBDIR=$(DESTDIR)/usr/lib
> ++else
> ++      # Default to these lines if arch is unknown
> ++      LIBDIR=$(DESTDIR)/usr/lib
> + endif
> + endif
Note that a couple of targets set BR2_ARCH to i486 or i586, see [1].

> + endif
> +diff --git a/mcstrans/utils/Makefile b/mcstrans/utils/Makefile
> +index 1ffb027..dcdc68b 100644
> +--- a/mcstrans/utils/Makefile
> ++++ b/mcstrans/utils/Makefile
> +@@ -5,15 +5,18 @@ BINDIR ?= $(PREFIX)/sbin
> + ARCH = $(shell uname -i)
ditto here and below.

> + ifeq "$(ARCH)" "x86_64"
> +         # In case of 64 bit system, use these lines
> +-        LIBDIR=/usr/lib64
> ++        LIBDIR=$(DESTDIR)/usr/lib64
> + else
> + ifeq "$(ARCH)" "i686"
> +         # In case of 32 bit system, use these lines
> +-        LIBDIR=/usr/lib
> ++        LIBDIR=$(DESTDIR)/usr/lib
> + else
> + ifeq "$(ARCH)" "i386"
> +         # In case of 32 bit system, use these lines
> +-        LIBDIR=/usr/lib
> ++        LIBDIR=$(DESTDIR)/usr/lib
> ++else
> ++        # Default to these lines if arch is unknown
> ++        LIBDIR=$(DESTDIR)/usr/lib
> + endif
> + endif
> + endif
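Review bot: neither POLICYCOREUTILS_MAKE_DIRS nor HOST_POLICYCOREUTILS_MAKE_DIRS in the .mk later in this patch includes mcstrans, so the two mcstrans Makefile edits above are never exercised by the Buildroot build; either drop them to keep the patch minimal, or, if mcstrans is expected to be enabled later, replace the `uname -i` detection with an ARCH value passed in from the .mk, since the build machine's architecture is the wrong input for a cross build.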
> +diff --git a/newrole/Makefile b/newrole/Makefile
> +index 646cd4d..a876ff3 100644
> +--- a/newrole/Makefile
> ++++ b/newrole/Makefile
> +@@ -3,9 +3,9 @@ PREFIX ?= $(DESTDIR)/usr
> + BINDIR ?= $(PREFIX)/bin
> + MANDIR ?= $(PREFIX)/share/man
> + ETCDIR ?= $(DESTDIR)/etc
> +-LOCALEDIR = /usr/share/locale
> +-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
> +-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
> ++LOCALEDIR = $(DESTDIR)/usr/share/locale
or s@/usr@$(PREFIX)@

> ++PAMH = $(shell ls $(DESTDIR)/usr/include/security/pam_appl.h 2>/dev/null)
ditto

> ++AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
ditto

> + # Enable capabilities to permit newrole to generate audit records.
> + # This will make newrole a setuid root program.
> + # The capabilities used are: CAP_AUDIT_WRITE.
> +@@ -24,7 +24,7 @@ CFLAGS ?= -Werror -Wall -W
> + EXTRA_OBJS =
> + override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
> + LDLIBS += -lselinux -L$(PREFIX)/lib
> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
> ++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
ditto

> +       override CFLAGS += -DUSE_PAM
> +       EXTRA_OBJS += hashtab.o
> +       LDLIBS += -lpam -lpam_misc
> +@@ -32,7 +32,7 @@ else
> +       override CFLAGS += -D_XOPEN_SOURCE=500
> +       LDLIBS += -lcrypt
> + endif
> +-ifeq ($(AUDITH), /usr/include/libaudit.h)
> ++ifeq ($(AUDITH), $(DESTDIR)/usr/include/libaudit.h)
ditto

> +       override CFLAGS += -DUSE_AUDIT
> +       LDLIBS += -laudit
> + endif
> +@@ -66,7 +66,7 @@ install: all
> +       test -d $(MANDIR)/man1 || install -m 755 -d $(MANDIR)/man1
> +       install -m $(MODE) newrole $(BINDIR)
> +       install -m 644 newrole.1 $(MANDIR)/man1/
> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
> ++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
ditto

> +       test -d $(ETCDIR)/pam.d || install -m 755 -d $(ETCDIR)/pam.d
> + ifeq ($(LSPP_PRIV),y)
> +       install -m 644 newrole-lspp.pamd $(ETCDIR)/pam.d/newrole
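Review bot: the `ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)` guard in the install target is evaluated with whatever DESTDIR the install is invoked with; the .mk in this series builds with DESTDIR=$(STAGING_DIR) but installs with DESTDIR=$(TARGET_DIR), where no headers exist, so the pam.d files are not installed from here even when PAM was detected at build time. Using DESTDIR both as the sysroot for header detection and as the install root conflates two different paths; a separate sysroot variable, or passing USE_PAM/USE_AUDIT explicitly from the .mk, would keep the build-time and install-time decisions consistent.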
> +diff --git a/restorecond/Makefile b/restorecond/Makefile
> +index 3074542..7c40f95 100644
> +--- a/restorecond/Makefile
> ++++ b/restorecond/Makefile
> +@@ -10,11 +10,13 @@ autostart_DATA = sealertauto.desktop
> + INITDIR = $(DESTDIR)/etc/rc.d/init.d
> + SELINUXDIR = $(DESTDIR)/etc/selinux
> +
> +-DBUSFLAGS = -DHAVE_DBUS -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/lib/dbus-1.0/include
> ++DBUSFLAGS = -DHAVE_DBUS -I$(PREFIX)/include/dbus-1.0 -I$(PREFIX)/lib64/dbus-1.0/include \
> ++              -I$(PREFIX)/lib/dbus-1.0/include
> + DBUSLIB = -ldbus-glib-1 -ldbus-1
> +
> + CFLAGS ?= -g -Werror -Wall -W
> +-override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/lib/glib-2.0/include
> ++override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I$(PREFIX)/include/glib-2.0 \
> ++              -I$(PREFIX)/lib64/glib-2.0/include -I$(PREFIX)/lib/glib-2.0/include
> +
> + LDLIBS += -lselinux $(DBUSLIB) -lglib-2.0 -L$(LIBDIR)
> +
> +diff --git a/run_init/Makefile b/run_init/Makefile
> +index 12b39b4..3c6f58a 100644
> +--- a/run_init/Makefile
> ++++ b/run_init/Makefile
> +@@ -4,21 +4,21 @@ PREFIX ?= $(DESTDIR)/usr
> + SBINDIR ?= $(PREFIX)/sbin
> + MANDIR ?= $(PREFIX)/share/man
> + ETCDIR ?= $(DESTDIR)/etc
> +-LOCALEDIR ?= /usr/share/locale
> +-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
> +-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
> ++LOCALEDIR ?= $(DESTDIR)/usr/share/locale
> ++PAMH = $(shell ls $(DESTDIR)/usr/include/security/pam_appl.h 2>/dev/null)
> ++AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
ditto

> +
> + CFLAGS ?= -Werror -Wall -W
> + override CFLAGS += -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
> + LDLIBS += -lselinux -L$(PREFIX)/lib
> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
> ++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
ditto

> +       override CFLAGS += -DUSE_PAM
> +       LDLIBS += -lpam -lpam_misc
> + else
> +       override CFLAGS += -D_XOPEN_SOURCE=500
> +       LDLIBS += -lcrypt
> + endif
> +-ifeq ($(AUDITH), /usr/include/libaudit.h)
> ++ifeq ($(AUDITH), $(DESTDIR)/usr/include/libaudit.h)
ditto

> +       override CFLAGS += -DUSE_AUDIT
> +       LDLIBS += -laudit
> + endif
> +@@ -38,7 +38,7 @@ install: all
> +       install -m 755 open_init_pty $(SBINDIR)
> +       install -m 644 run_init.8 $(MANDIR)/man8/
> +       install -m 644 open_init_pty.8 $(MANDIR)/man8/
> +-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
> ++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
ditto

> +       install -m 644 run_init.pamd $(ETCDIR)/pam.d/run_init
> + endif
> +
> +diff --git a/sepolicy/Makefile b/sepolicy/Makefile
> +index 11b534f..1074d26 100644
> +--- a/sepolicy/Makefile
> ++++ b/sepolicy/Makefile
> +@@ -5,7 +5,7 @@ LIBDIR ?= $(PREFIX)/lib
> + BINDIR ?= $(PREFIX)/bin
> + SBINDIR ?= $(PREFIX)/sbin
> + MANDIR ?= $(PREFIX)/share/man
> +-LOCALEDIR ?= /usr/share/locale
> ++LOCALEDIR ?= $(DESTDIR)/usr/share/locale
ditto

> + PYTHON ?= /usr/bin/python
> + BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
> + SHAREDIR ?= $(PREFIX)/share/sandbox
> +diff --git a/setfiles/Makefile b/setfiles/Makefile
> +index 4b44b3c..dc04d9a 100644
> +--- a/setfiles/Makefile
> ++++ b/setfiles/Makefile
> +@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
> + SBINDIR ?= $(DESTDIR)/sbin
> + MANDIR = $(PREFIX)/share/man
> + LIBDIR ?= $(PREFIX)/lib
> +-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
> ++AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
ditto

> +
> + PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S '{ print $$3 }')
> + ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
> +@@ -12,7 +12,7 @@ CFLAGS = -g -Werror -Wall -W
> + override CFLAGS += -I$(PREFIX)/include
> + LDLIBS = -lselinux -lsepol -L$(LIBDIR)
> +
> +-ifeq ($(AUDITH), /usr/include/libaudit.h)
> ++ifeq ($(AUDITH), $(DESTDIR)/usr/include/libaudit.h)
ditto

> +       override CFLAGS += -DUSE_AUDIT
> +       LDLIBS += -laudit
> + endif
> +--
> +1.9.1
> +
> diff --git a/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch b/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch
> new file mode 100644
> index 0000000..54aecae
> --- /dev/null
> +++ b/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch
> @@ -0,0 +1,57 @@
> +From 656740d38ad34cbd5a89e900dab82ec521d0a522 Mon Sep 17 00:00:00 2001
> +From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> +Date: Fri, 10 Jul 2015 11:47:09 -0500
> +Subject: [PATCH 2/3] Allow CFLAGS to be overwritten
> +
> +Allow all CFLAGS declarations to be overwritten to aid in cross
> +compiling.
> +
> +Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> +---
> + sepolicy/Makefile | 2 +-
> + sestatus/Makefile | 2 +-
> + setfiles/Makefile | 2 +-
> + 3 files changed, 3 insertions(+), 3 deletions(-)
> +
> +diff --git a/sepolicy/Makefile b/sepolicy/Makefile
> +index 1074d26..9d44ac2 100644
> +--- a/sepolicy/Makefile
> ++++ b/sepolicy/Makefile
> +@@ -9,7 +9,7 @@ LOCALEDIR ?= $(DESTDIR)/usr/share/locale
> + PYTHON ?= /usr/bin/python
> + BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
> + SHAREDIR ?= $(PREFIX)/share/sandbox
> +-override CFLAGS = $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
> ++override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
Ditch -Werror here please, otherwise it will always be in the CFLAGS :-/

> +
> + BASHCOMPLETIONS=sepolicy-bash-completion.sh
> +
> +diff --git a/sestatus/Makefile b/sestatus/Makefile
> +index c5db7a3..c04ff00 100644
> +--- a/sestatus/Makefile
> ++++ b/sestatus/Makefile
> +@@ -5,7 +5,7 @@ MANDIR = $(PREFIX)/share/man
> + ETCDIR ?= $(DESTDIR)/etc
> + LIBDIR ?= $(PREFIX)/lib
> +
> +-CFLAGS = -Werror -Wall -W
> ++CFLAGS ?= -Werror -Wall -W
> + override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
> + LDLIBS = -lselinux -L$(LIBDIR)
> +
> +diff --git a/setfiles/Makefile b/setfiles/Makefile
> +index dc04d9a..67d9ef0 100644
> +--- a/setfiles/Makefile
> ++++ b/setfiles/Makefile
> +@@ -8,7 +8,7 @@ AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
> + PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S '{ print $$3 }')
> + ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
> +
> +-CFLAGS = -g -Werror -Wall -W
> ++CFLAGS ?= -g -Werror -Wall -W
> + override CFLAGS += -I$(PREFIX)/include
> + LDLIBS = -lselinux -lsepol -L$(LIBDIR)
> +
> +--
> +1.9.1
> +
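Review bot: changing `CFLAGS = -Werror -Wall -W` to `CFLAGS ?= ...` in sestatus and setfiles has no effect for the way the .mk invokes make, because CFLAGS is passed on the make command line there and a command-line value overrides both `=` and `?=` assignments in the Makefile; only the `override CFLAGS +=` lines survive. The change does matter when CFLAGS comes from the environment, so the commit message should say that is the case being supported.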
> diff --git a/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch b/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch
> new file mode 100644
> index 0000000..4e35d92
> --- /dev/null
> +++ b/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch
> @@ -0,0 +1,42 @@
> +From c8f1022be057cfe28101fbd0d6dedf6f42477ffc Mon Sep 17 00:00:00 2001
> +From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> +Date: Fri, 10 Jul 2015 11:56:49 -0500
> +Subject: [PATCH 3/3] Change sepolicy python install arguments to be a variable
> +
> +To allow the python install arguments to be overwritten, change the
> +arguments to be a variable. This also cleans up the DESTDIR detection a
> +little bit.
> +
> +Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> +---
> + sepolicy/Makefile | 7 ++++++-
> + 1 file changed, 6 insertions(+), 1 deletion(-)
> +
> +diff --git a/sepolicy/Makefile b/sepolicy/Makefile
> +index 9d44ac2..bd8a383 100644
> +--- a/sepolicy/Makefile
> ++++ b/sepolicy/Makefile
> +@@ -7,6 +7,11 @@ SBINDIR ?= $(PREFIX)/sbin
> + MANDIR ?= $(PREFIX)/share/man
> + LOCALEDIR ?= $(DESTDIR)/usr/share/locale
> + PYTHON ?= /usr/bin/python
> ++ifneq (,$(DESTDIR))
> ++PYTHON_INSTALL_ARGS ?= --root $(DESTDIR)
Why not a += ?
Can it be preset through the env. or command line?

> ++else
> ++PYTHON_INSTALL_ARGS ?=
> ++endif
> + BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
> + SHAREDIR ?= $(PREFIX)/share/sandbox
> + override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
> +@@ -23,7 +28,7 @@ clean:
> +       -rm -rf build *~ \#* *pyc .#*
> +
> + install:
> +-      $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
> ++      $(PYTHON) setup.py install $(PYTHON_INSTALL_ARGS)
> +       [ -d $(BINDIR) ] || mkdir -p $(BINDIR)
> +       install -m 755 sepolicy.py $(BINDIR)/sepolicy
> +       -mkdir -p $(MANDIR)/man8
> +--
> +1.9.1
> +
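Review bot: the `ifneq (,$(DESTDIR))` default for PYTHON_INSTALL_ARGS is moot for the host build in this series, because HOST_POLICYCOREUTILS_MAKE_OPTS passes PYTHON_INSTALL_ARGS on the make command line, which overrides any `?=` or `+=` in the Makefile; sepolicy is not in POLICYCOREUTILS_MAKE_DIRS, so the target build never reaches this install rule either. The change is still a reasonable upstream cleanup, but the commit message should state that the variable is meant to be set from the command line.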
> diff --git a/package/policycoreutils/Config.in b/package/policycoreutils/Config.in
> new file mode 100644
> index 0000000..1dc01c4
> --- /dev/null
> +++ b/package/policycoreutils/Config.in
> @@ -0,0 +1,59 @@
> +config BR2_PACKAGE_POLICYCOREUTILS
> +       bool "policycoreutils"
> +       select BR2_PACKAGE_LIBSEMANAGE
> +       select BR2_PACKAGE_LIBCAP_NG
> +       select BR2_PACKAGE_GETTEXT if BR2_NEEDS_GETTEXT
> +       depends on BR2_TOOLCHAIN_HAS_THREADS # libsemanage
> +       depends on BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL # uses fts.h
> +       help
> +         Policycoreutils is a collection of policy utilities (originally
> +         the "core" set of utilities needed to use SELinux, although it
> +         has grown a bit over time), which have different dependencies.
> +         sestatus, secon, run_init, and newrole only use libselinux.
> +         load_policy and setfiles only use libselinux and libsepol.
> +         semodule and semanage use libsemanage (and thus bring in
> +         dependencies on libsepol and libselinux as well). setsebool
> +         uses libselinux to make non-persistent boolean changes (via
> +         the kernel interface) and uses libsemanage to make persistent
> +         boolean changes.
> +
> +         The base package will install the following utilities:
> +             load_policy
> +             newrole
> +             restorecond
> +             run_init
> +             secon
> +             semodule
> +             semodule_deps
> +             semodule_expand
> +             semodule_link
> +             semodule_package
> +             sepolgen-ifgen
> +             sestatus
> +             setfiles
> +             setsebool
> +
> +         http://selinuxproject.org/page/Main_Page
> +
> +comment "policycoreutils needs a glibc or musl toolchain w/ threads"
> +       depends on !BR2_TOOLCHAIN_HAS_THREADS  \
> +               || !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL)
> +
> +if BR2_PACKAGE_POLICYCOREUTILS
> +
> +config BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND
> +       bool "restorecond Utility"
> +       select BR2_PACKAGE_DBUS_GLIB
> +       depends on BR2_PACKAGE_DBUS
Why a "depends on" instead of a select?

> +       depends on BR2_USE_WCHAR # glib2
> +       depends on BR2_TOOLCHAIN_HAS_THREADS # glib2
> +       depends on BR2_USE_MMU # glib2
> +       help
> +         Enable restorecond to be built
> +
> +comment "restorecond needs a toolchain w/ wchar, threads, dbus"
> +       depends on BR2_USE_MMU
> +       depends on BR2_PACKAGE_DBUS
> +       depends on !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS
> +
> +endif
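Review bot: the help text lists restorecond among the utilities the base package installs, but restorecond is only built when BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND is set (POLICYCOREUTILS_MAKE_DIRS adds it only under that option), so it should be removed from that list or marked optional. Also, the "restorecond needs a toolchain w/ wchar, threads, dbus" comment itself depends on BR2_PACKAGE_DBUS, so it never shows when dbus is the missing piece; either drop "dbus" from the text or select BR2_PACKAGE_DBUS as is done for BR2_PACKAGE_DBUS_GLIB.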
> diff --git a/package/policycoreutils/policycoreutils.hash b/package/policycoreutils/policycoreutils.hash
> new file mode 100644
> index 0000000..575dd25
> --- /dev/null
> +++ b/package/policycoreutils/policycoreutils.hash
> @@ -0,0 +1,2 @@
> +# https://github.com/SELinuxProject/selinux/wiki/Releases
> +sha256 b6881741f9f9988346a73bfeccb0299941dc117349753f0ef3f23ee86f06c1b5  policycoreutils-2.1.14.tar.gz
> diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
> new file mode 100644
> index 0000000..2b954b9
> --- /dev/null
> +++ b/package/policycoreutils/policycoreutils.mk
> @@ -0,0 +1,107 @@
> +################################################################################
> +#
> +# policycoreutils
> +#
> +################################################################################
> +
> +POLICYCOREUTILS_VERSION = 2.1.14
> +POLICYCOREUTILS_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20130423
> +POLICYCOREUTILS_LICENSE = GPLv2
> +POLICYCOREUTILS_LICENSE_FILES = COPYING
> +
> +# gettext for load_policy.c use of libintl_* functions
> +POLICYCOREUTILS_DEPENDENCIES = libsemanage libcap-ng $(if $(BR2_NEEDS_GETTEXT),gettext)
> +
> +ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
> +POLICYCOREUTILS_DEPENDENCIES += linux-pam
> +POLICYCOREUTILS_MAKE_OPTS += NAMESPACE_PRIV=y
> +define POLICYCOREUTILS_INSTALL_TARGET_LINUX_PAM_CONFS
> +       $(INSTALL) -D -m 0644 $(@D)/newrole/newrole-lspp.pamd $(TARGET_DIR)/etc/pam.d/newrole
> +       $(INSTALL) -D -m 0644 $(@D)/run_init/run_init.pamd $(TARGET_DIR)/etc/pam.d/run_init
> +endef
> +endif
> +
> +ifeq ($(BR2_PACKAGE_AUDIT),y)
> +POLICYCOREUTILS_DEPENDENCIES += audit
> +POLICYCOREUTILS_MAKE_OPTS += AUDIT_LOG_PRIV=y
> +endif
> +
> +# Enable LSPP_PRIV if both audit and linux pam are enabled
> +ifeq ($(BR2_PACKAGE_LINUX_PAM)$(BR2_PACKAGE_AUDIT),yy)
> +POLICYCOREUTILS_MAKE_OPTS += LSPP_PRIV=y
> +endif
> +
> +# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h
> +# large file support.
> +# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more information
> +POLICYCOREUTILS_MAKE_OPTS = \
s/=/+=/
Otherwise, options set for linux-pam and audit are lost.

Also, no ARCH=$(BR2_ARCH) in the *_MAKE_OPTS (see my comment above)?

> +       CC="$(TARGET_CC)" \
> +       CFLAGS="$(TARGET_CFLAGS) -U_FILE_OFFSET_BITS" \
> +       LDFLAGS="$(TARGET_LDFLAGS) $(if $(BR2_NEEDS_GETTEXT),-lintl)"
> +
> +POLICYCOREUTILS_MAKE_DIRS = load_policy newrole run_init \
> +       secon semodule semodule_deps semodule_expand semodule_link \
> +       semodule_package sepolgen-ifgen sestatus setfiles setsebool
> +
> +ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND),y)
> +POLICYCOREUTILS_DEPENDENCIES += dbus-glib
> +POLICYCOREUTILS_MAKE_DIRS += restorecond
> +endif
> +
> +define POLICYCOREUTILS_BUILD_CMDS
> +       for dir in $(POLICYCOREUTILS_MAKE_DIRS) ; do \
> +               $(MAKE) -C $(@D)/$${dir} $(POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(STAGING_DIR) all || exit 1 ; \
> +       done
> +endef
> +
> +define POLICYCOREUTILS_INSTALL_TARGET_CMDS
> +       for dir in $(POLICYCOREUTILS_MAKE_DIRS) ; do \
> +               $(MAKE) -C $(@D)/$${dir} $(POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(TARGET_DIR) install || exit 1 ; \
> +       done
> +endef
> +
> +HOST_POLICYCOREUTILS_DEPENDENCIES = host-libsemanage host-dbus-glib host-sepolgen host-setools
> +
> +# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h
> +# large file support.
> +# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more information
> +HOST_POLICYCOREUTILS_MAKE_OPTS = \
> +       CC="$(HOSTCC)" \
> +       CFLAGS="$(HOST_CFLAGS) -U_FILE_OFFSET_BITS" \
> +       PYTHON="$(HOST_DIR)/usr/bin/python" \
> +       PYTHON_INSTALL_ARGS="$(HOST_PKG_PYTHON_DISTUTILS_INSTALL_OPTS)"
> +
> +
> +ifeq ($(BR2_PACKAGE_PYTHON3),y)
> +HOST_POLICYCOREUTILS_DEPENDENCIES += host-python3
> +HOST_POLICYCOREUTILS_MAKE_OPTS += \
> +       PYLIBVER="python$(PYTHON3_VERSION_MAJOR)"
> +else
> +HOST_POLICYCOREUTILS_DEPENDENCIES += host-python
> +HOST_POLICYCOREUTILS_MAKE_OPTS += \
> +       PYLIBVER="python$(PYTHON_VERSION_MAJOR)"
> +endif
> +
> +# Note: We are only building the programs required by the refpolicy build
> +HOST_POLICYCOREUTILS_MAKE_DIRS = load_policy semodule semodule_deps semodule_expand semodule_link \
> +       semodule_package setfiles restorecond audit2allow audit2why scripts semanage sepolicy
> +
> +define HOST_POLICYCOREUTILS_BUILD_CMDS
> +       for dir in $(HOST_POLICYCOREUTILS_MAKE_DIRS) ; do \
> +               $(MAKE) -C $(@D)/$${dir} $(HOST_POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(HOST_DIR) all || exit 1 ; \
> +       done
> +endef
> +
> +define HOST_POLICYCOREUTILS_INSTALL_CMDS
> +       for dir in $(HOST_POLICYCOREUTILS_MAKE_DIRS) ; do \
> +               $(MAKE) -C $(@D)/$${dir} $(HOST_POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(HOST_DIR) install || exit 1 ; \
> +       done
> +       # Fix python paths
> +       $(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g' $(HOST_DIR)/usr/bin/audit2allow
> +       $(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g' $(HOST_DIR)/usr/bin/audit2why
> +       $(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g' $(HOST_DIR)/usr/bin/sepolgen-ifgen
> +       $(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g' $(HOST_DIR)/usr/bin/sepolicy
> +endef
> +
> +$(eval $(generic-package))
> +$(eval $(host-generic-package))
> --
> 1.9.1
>
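Review bot: POLICYCOREUTILS_INSTALL_TARGET_LINUX_PAM_CONFS is defined but never added to POLICYCOREUTILS_POST_INSTALL_TARGET_HOOKS, so the newrole and run_init pam.d files are not installed when linux-pam is enabled; add `POLICYCOREUTILS_POST_INSTALL_TARGET_HOOKS += POLICYCOREUTILS_INSTALL_TARGET_LINUX_PAM_CONFS` inside that ifeq. Two further points: the NAMESPACE_PRIV/AUDIT_LOG_PRIV/LSPP_PRIV options passed here build newrole as a setuid-root program on the target (the newrole/Makefile comment quoted in 0001 says so for the audit case), which is worth stating in the Config.in help since it adds a privileged binary to the image; and HOST_POLICYCOREUTILS_MAKE_DIRS includes restorecond, which pulls in host-dbus-glib, although the comment above it says only the programs required by the refpolicy build are built, so restorecond can probably be dropped from the host list.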
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

[1] http://git.buildroot.net/buildroot/tree/arch/Config.in.x86#n201

Regards,

-- 
Samuel


* [Buildroot] [PATCH v8 06/16] busybox: added linux-pam support
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 06/16] busybox: added linux-pam support Clayton Shotwell
@ 2015-07-14 12:29   ` Samuel Martin
  0 siblings, 0 replies; 36+ messages in thread
From: Samuel Martin @ 2015-07-14 12:29 UTC (permalink / raw)
  To: buildroot

On Sat, Jul 11, 2015 at 1:27 AM, Clayton Shotwell
<clayton.shotwell@rockwellcollins.com> wrote:
> From: Matt Weber <Matthew.Weber@rockwellcollins.com>
>
> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
Reviewed-by: Samuel Martin <s.martin49@gmail.com>

Regards,

-- 
Samuel


* [Buildroot] [PATCH v8 07/16] sysvinit: added libselinux dependency
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 07/16] sysvinit: added libselinux dependency Clayton Shotwell
@ 2015-07-14 12:40   ` Samuel Martin
  0 siblings, 0 replies; 36+ messages in thread
From: Samuel Martin @ 2015-07-14 12:40 UTC (permalink / raw)
  To: buildroot

On Sat, Jul 11, 2015 at 1:27 AM, Clayton Shotwell
<clayton.shotwell@rockwellcollins.com> wrote:
> From: Matt Weber <matthew.weber@rockwellcollins.com>
>
> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Reviewed-by: Samuel Martin <s.martin49@gmail.com>

Regards,

-- 
Samuel


* [Buildroot] [PATCH v8 08/16] dbus: selinux file context support
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 08/16] dbus: selinux file context support Clayton Shotwell
@ 2015-07-14 12:44   ` Samuel Martin
  0 siblings, 0 replies; 36+ messages in thread
From: Samuel Martin @ 2015-07-14 12:44 UTC (permalink / raw)
  To: buildroot

On Sat, Jul 11, 2015 at 1:27 AM, Clayton Shotwell
<clayton.shotwell@rockwellcollins.com> wrote:
> From: Matt Weber <matthew.weber@rockwellcollins.com>
>
> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>

Reviewed-by: Samuel Martin <s.martin49@gmail.com>

Regards,

-- 
Samuel


* [Buildroot] [PATCH v8 10/16] util-linux: selinux, audit, and pam support
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 10/16] util-linux: selinux, audit, " Clayton Shotwell
@ 2015-07-14 12:55   ` Samuel Martin
  0 siblings, 0 replies; 36+ messages in thread
From: Samuel Martin @ 2015-07-14 12:55 UTC (permalink / raw)
  To: buildroot

On Sat, Jul 11, 2015 at 1:27 AM, Clayton Shotwell
<clayton.shotwell@rockwellcollins.com> wrote:
> From: Matt Weber <matthew.weber@rockwellcollins.com>
>
> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
> Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Reviewed-by: Samuel Martin <s.martin49@gmail.com>

Regards,

-- 
Samuel


* [Buildroot] [PATCH v8 01/16] policycoreutils: new package
  2015-07-14 12:26   ` Samuel Martin
@ 2015-07-14 14:28     ` Clayton Shotwell
  2015-07-14 20:49       ` Arnout Vandecappelle
  0 siblings, 1 reply; 36+ messages in thread
From: Clayton Shotwell @ 2015-07-14 14:28 UTC (permalink / raw)
  To: buildroot

Samuel,

On Tue, Jul 14, 2015 at 7:26 AM, Samuel Martin <s.martin49@gmail.com> wrote:
> Clayton, all,
>
> On Sat, Jul 11, 2015 at 1:27 AM, Clayton Shotwell
> <clayton.shotwell@rockwellcollins.com> wrote:
> [...]
>> diff --git a/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
>> new file mode 100644
>> index 0000000..016980f
>> --- /dev/null
>> +++ b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
>> @@ -0,0 +1,258 @@
>> +From a8eea90050551e42d4dc81867853f351282f9f90 Mon Sep 17 00:00:00 2001
>> +From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>> +Date: Fri, 10 Jul 2015 11:44:08 -0500
>> +Subject: [PATCH 1/3] Add DESTDIR to all paths that use an absolute path
>> +
>> +To aid in cross compiling, add the DESTDIR variable to the start of all
>> +of the paths used during compilation. Most paths already used DESTDIR.
>> +
>> +Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>> +---
>> + Makefile                |  4 ++--
>> + audit2allow/Makefile    |  2 +-
>> + load_policy/Makefile    |  2 +-
>> + mcstrans/src/Makefile   | 11 +++++++----
>> + mcstrans/utils/Makefile |  9 ++++++---
>> + newrole/Makefile        | 12 ++++++------
>> + restorecond/Makefile    |  6 ++++--
>> + run_init/Makefile       | 12 ++++++------
>> + sepolicy/Makefile       |  2 +-
>> + setfiles/Makefile       |  4 ++--
>> + 10 files changed, 36 insertions(+), 28 deletions(-)
>> +
>> +diff --git a/Makefile b/Makefile
>> +index 3980799..0fca022 100644
>> +--- a/Makefile
>> ++++ b/Makefile
>> +@@ -1,8 +1,8 @@
>> + SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui
>> +
>> +-INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
>> ++INOTIFYH = $(shell ls $(DESTDIR)/usr/include/sys/inotify.h 2>/dev/null)
>> +
>> +-ifeq (${INOTIFYH}, /usr/include/sys/inotify.h)
>> ++ifeq (${INOTIFYH}, $(DESTDIR)/usr/include/sys/inotify.h)
>> +       SUBDIRS += restorecond
>> + endif
>> +
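Review bot: the `INOTIFYH` probe at the top of this hunk now tests for `$(DESTDIR)/usr/include/sys/inotify.h`, so whether the `restorecond` subdirectory is built is decided by what happens to be in the staging tree, and when DESTDIR is empty the check falls back to the build host's `/usr/include`. Since the Buildroot side of this series adds an explicit `BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND` option, it would be more robust to drive the `SUBDIRS += restorecond` addition from a make variable set by the .mk file rather than from header sniffing, so that the menu option and the build always agree.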
>> +diff --git a/audit2allow/Makefile b/audit2allow/Makefile
>> +index 88635d4..933e520 100644
>> +--- a/audit2allow/Makefile
>> ++++ b/audit2allow/Makefile
>> +@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
>> + BINDIR ?= $(PREFIX)/bin
>> + LIBDIR ?= $(PREFIX)/lib
>> + MANDIR ?= $(PREFIX)/share/man
>> +-LOCALEDIR ?= /usr/share/locale
>> ++LOCALEDIR ?= $(DESTDIR)/usr/share/locale
> nit: could be set to: $(PREFIX)/share/locale

That does make it a little cleaner. I'll change all of the DESTDIR to
PREFIX for this change.

>> +
>> + CFLAGS ?= -Werror -Wall -W
>> + override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
>> +diff --git a/mcstrans/src/Makefile b/mcstrans/src/Makefile
>> +index fb44490..1982b43 100644
>> +--- a/mcstrans/src/Makefile
>> ++++ b/mcstrans/src/Makefile
>> +@@ -1,15 +1,18 @@
>> + ARCH = $(shell uname -i)
> This can break the target build, no? Unless you set ARCH=... on the right
> of make. (I don't see something like that in the *.mk.)
> Note that for the host, BR2_HOSTARCH is also defined.

Good point. Seems like a lot of trouble to determine which lib
directory to use. I'll look at making the ARCH variable a ?= and see
about defining the ARCH in policycoreutils.mk.

>> + ifeq "$(ARCH)" "x86_64"
>> +       # In case of 64 bit system, use these lines
>> +-      LIBDIR=/usr/lib64
>> +-else
>> ++      LIBDIR=$(DESTDIR)/usr/lib64
>> ++else
>> + ifeq "$(ARCH)" "i686"
>> +       # In case of 32 bit system, use these lines
>> +-      LIBDIR=/usr/lib
>> ++      LIBDIR=$(DESTDIR)/usr/lib
>> + else
>> + ifeq "$(ARCH)" "i386"
>> +       # In case of 32 bit system, use these lines
>> +-      LIBDIR=/usr/lib
>> ++      LIBDIR=$(DESTDIR)/usr/lib
>> ++else
>> ++      # Default to these lines if arch is unknown
>> ++      LIBDIR=$(DESTDIR)/usr/lib
>> + endif
>> + endif
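Review bot: the `-else` / `+else` pair right after the lib64 assignment changes nothing visible and looks like a whitespace-only edit; drop it so the hunk carries only the DESTDIR changes. Also, once the new fallback `else` branch assigns `LIBDIR=$(DESTDIR)/usr/lib`, the `i686` and `i386` branches become redundant because they assign exactly the same value; only the `x86_64` branch still needs to exist, which also shrinks the list of architectures that has to be kept in sync.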
> Note that a couple of targets set BR2_ARCH to i486 or i586, see [1].

I'll have to look through some different architectures to see which
ones use lib and which use lib64.

[...]

>> diff --git a/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch b/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch
>> new file mode 100644
>> index 0000000..54aecae
>> --- /dev/null
>> +++ b/package/policycoreutils/0002-Allow-CFLAGS-to-be-overwritten.patch
>> @@ -0,0 +1,57 @@
>> +From 656740d38ad34cbd5a89e900dab82ec521d0a522 Mon Sep 17 00:00:00 2001
>> +From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>> +Date: Fri, 10 Jul 2015 11:47:09 -0500
>> +Subject: [PATCH 2/3] Allow CFLAGS to be overwritten
>> +
>> +Allow all CFLAGS declarations to be overwritten to aid in cross
>> +compiling.
>> +
>> +Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>> +---
>> + sepolicy/Makefile | 2 +-
>> + sestatus/Makefile | 2 +-
>> + setfiles/Makefile | 2 +-
>> + 3 files changed, 3 insertions(+), 3 deletions(-)
>> +
>> +diff --git a/sepolicy/Makefile b/sepolicy/Makefile
>> +index 1074d26..9d44ac2 100644
>> +--- a/sepolicy/Makefile
>> ++++ b/sepolicy/Makefile
>> +@@ -9,7 +9,7 @@ LOCALEDIR ?= $(DESTDIR)/usr/share/locale
>> + PYTHON ?= /usr/bin/python
>> + BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
>> + SHAREDIR ?= $(PREFIX)/share/sandbox
>> +-override CFLAGS = $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
>> ++override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
> Ditch -Werror here please, otherwise it will always be in the CFLAGS :-/

Will it? I would assume it would only apply for the calls in this
Makefile. I checked the make output and could not find a reference to
any of the flags being used. I'm going to leave it as is for now.

>> +
>> + BASHCOMPLETIONS=sepolicy-bash-completion.sh
>> +
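Review bot: `override CFLAGS +=` in this hunk keeps `-Werror` (and the rest of the hard-coded flag list) in the final CFLAGS whatever the caller passes, because `override` appends to a command-line value instead of being replaced by it. The sestatus and setfiles hunks further down split this into `CFLAGS ?= ...` for the warning flags and `override CFLAGS +=` for the include path only; applying the same split here would let the Buildroot build drop `-Werror` when a newer toolchain starts emitting a warning. Putting `$(LDFLAGS)` into CFLAGS is also unusual and deserves a comment explaining why it is needed.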
>> +diff --git a/sestatus/Makefile b/sestatus/Makefile
>> +index c5db7a3..c04ff00 100644
>> +--- a/sestatus/Makefile
>> ++++ b/sestatus/Makefile
>> +@@ -5,7 +5,7 @@ MANDIR = $(PREFIX)/share/man
>> + ETCDIR ?= $(DESTDIR)/etc
>> + LIBDIR ?= $(PREFIX)/lib
>> +
>> +-CFLAGS = -Werror -Wall -W
>> ++CFLAGS ?= -Werror -Wall -W
>> + override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
>> + LDLIBS = -lselinux -L$(LIBDIR)
>> +
>> +diff --git a/setfiles/Makefile b/setfiles/Makefile
>> +index dc04d9a..67d9ef0 100644
>> +--- a/setfiles/Makefile
>> ++++ b/setfiles/Makefile
>> +@@ -8,7 +8,7 @@ AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
>> + PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S '{ print $$3 }')
>> + ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
>> +
>> +-CFLAGS = -g -Werror -Wall -W
>> ++CFLAGS ?= -g -Werror -Wall -W
>> + override CFLAGS += -I$(PREFIX)/include
>> + LDLIBS = -lselinux -lsepol -L$(LIBDIR)
>> +
>> +--
>> +1.9.1
>> +
>> diff --git a/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch b/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch
>> new file mode 100644
>> index 0000000..4e35d92
>> --- /dev/null
>> +++ b/package/policycoreutils/0003-Change-sepolicy-python-install-arguments-to-be-a-var.patch
>> @@ -0,0 +1,42 @@
>> +From c8f1022be057cfe28101fbd0d6dedf6f42477ffc Mon Sep 17 00:00:00 2001
>> +From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>> +Date: Fri, 10 Jul 2015 11:56:49 -0500
>> +Subject: [PATCH 3/3] Change sepolicy python install arguments to be a variable
>> +
>> +To allow the python install arguments to be overwritten, change the
>> +arguments to be a variable. This also cleans up the DESTDIR detection a
>> +little bit.
>> +
>> +Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>> +---
>> + sepolicy/Makefile | 7 ++++++-
>> + 1 file changed, 6 insertions(+), 1 deletion(-)
>> +
>> +diff --git a/sepolicy/Makefile b/sepolicy/Makefile
>> +index 9d44ac2..bd8a383 100644
>> +--- a/sepolicy/Makefile
>> ++++ b/sepolicy/Makefile
>> +@@ -7,6 +7,11 @@ SBINDIR ?= $(PREFIX)/sbin
>> + MANDIR ?= $(PREFIX)/share/man
>> + LOCALEDIR ?= $(DESTDIR)/usr/share/locale
>> + PYTHON ?= /usr/bin/python
>> ++ifneq (,$(DESTDIR))
>> ++PYTHON_INSTALL_ARGS ?= --root $(DESTDIR)
> Why not a += ?
> Can it be preset through the env. or command line?

I was looking at the python package framework and it handles the host
vs target builds quite differently. The --root needs to be set to / in
the target builds and not set at all for the host builds. By doing it
this way, I can keep the original file almost the same but still
provide the hooks Buildroot needs to install it in the correct place.

>> ++else
>> ++PYTHON_INSTALL_ARGS ?=
>> ++endif
>> + BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
>> + SHAREDIR ?= $(PREFIX)/share/sandbox
>> + override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
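Review bot: the `ifneq (,$(DESTDIR))` block reduces to one assignment: an unset `PYTHON_INSTALL_ARGS` already expands to the empty string, so the `else` branch with `PYTHON_INSTALL_ARGS ?=` is redundant, and `PYTHON_INSTALL_ARGS ?= $(if $(DESTDIR),--root $(DESTDIR))` gives the same default in a single line. `?=` rather than `+=` is the right operator for the stated goal: a value passed on the make command line or in the environment is left untouched, which is exactly the hook the .mk file needs to pass `--root /` for the target build and nothing for the host build.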
>> +@@ -23,7 +28,7 @@ clean:
>> +       -rm -rf build *~ \#* *pyc .#*
>> +
>> + install:
>> +-      $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
>> ++      $(PYTHON) setup.py install $(PYTHON_INSTALL_ARGS)
>> +       [ -d $(BINDIR) ] || mkdir -p $(BINDIR)
>> +       install -m 755 sepolicy.py $(BINDIR)/sepolicy
>> +       -mkdir -p $(MANDIR)/man8
>> +--
>> +1.9.1
>> +
>> diff --git a/package/policycoreutils/Config.in b/package/policycoreutils/Config.in
>> new file mode 100644
>> index 0000000..1dc01c4
>> --- /dev/null
>> +++ b/package/policycoreutils/Config.in
>> @@ -0,0 +1,59 @@
>> +config BR2_PACKAGE_POLICYCOREUTILS
>> +       bool "policycoreutils"
>> +       select BR2_PACKAGE_LIBSEMANAGE
>> +       select BR2_PACKAGE_LIBCAP_NG
>> +       select BR2_PACKAGE_GETTEXT if BR2_NEEDS_GETTEXT
>> +       depends on BR2_TOOLCHAIN_HAS_THREADS # libsemanage
>> +       depends on BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL # uses fts.h
>> +       help
>> +         Policycoreutils is a collection of policy utilities (originally
>> +         the "core" set of utilities needed to use SELinux, although it
>> +         has grown a bit over time), which have different dependencies.
>> +         sestatus, secon, run_init, and newrole only use libselinux.
>> +         load_policy and setfiles only use libselinux and libsepol.
>> +         semodule and semanage use libsemanage (and thus bring in
>> +         dependencies on libsepol and libselinux as well). setsebool
>> +         uses libselinux to make non-persistent boolean changes (via
>> +         the kernel interface) and uses libsemanage to make persistent
>> +         boolean changes.
>> +
>> +         The base package will install the following utilities:
>> +             load_policy
>> +             newrole
>> +             restorecond
>> +             run_init
>> +             secon
>> +             semodule
>> +             semodule_deps
>> +             semodule_expand
>> +             semodule_link
>> +             semodule_package
>> +             sepolgen-ifgen
>> +             sestatus
>> +             setfiles
>> +             setsebool
>> +
>> +         http://selinuxproject.org/page/Main_Page
>> +
>> +comment "policycoreutils needs a glibc or musl toolchain w/ threads"
>> +       depends on !BR2_TOOLCHAIN_HAS_THREADS  \
>> +               || !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL)
>> +
>> +if BR2_PACKAGE_POLICYCOREUTILS
>> +
>> +config BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND
>> +       bool "restorecond Utility"
>> +       select BR2_PACKAGE_DBUS_GLIB
>> +       depends on BR2_PACKAGE_DBUS
> Why a "depends on" instead of a select?

This was a suggestion from Thomas P. Since DBUS is a large package
with a lot of infrastructure, depend on it (it is also a dependency of
DBUS_GLIB) and select dbus-glib.

>> +       depends on BR2_USE_WCHAR # glib2
>> +       depends on BR2_TOOLCHAIN_HAS_THREADS # glib2
>> +       depends on BR2_USE_MMU # glib2
>> +       help
>> +         Enable restorecond to be built
>> +
>> +comment "restorecond needs a toolchain w/ wchar, threads, dbus"
>> +       depends on BR2_USE_MMU
>> +       depends on BR2_PACKAGE_DBUS
>> +       depends on !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS
>> +
>> +endif
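Review bot: the help text lists `restorecond` among the utilities the base package installs, but this same hunk makes restorecond optional through `BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND`; drop it from the base list or mark it as optional there. The `comment "restorecond needs a toolchain w/ wchar, threads, dbus"` is guarded by `depends on BR2_PACKAGE_DBUS`, so it is never displayed in the one case where dbus is the missing piece; follow the pattern of the first comment and express every unmet dependency in one negated expression, e.g. `depends on !BR2_PACKAGE_DBUS || !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS`, keeping only `depends on BR2_USE_MMU` as a positive guard.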
>> diff --git a/package/policycoreutils/policycoreutils.hash b/package/policycoreutils/policycoreutils.hash
>> new file mode 100644
>> index 0000000..575dd25
>> --- /dev/null
>> +++ b/package/policycoreutils/policycoreutils.hash
>> @@ -0,0 +1,2 @@
>> +# https://github.com/SELinuxProject/selinux/wiki/Releases
>> +sha256 b6881741f9f9988346a73bfeccb0299941dc117349753f0ef3f23ee86f06c1b5  policycoreutils-2.1.14.tar.gz
>> diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
>> new file mode 100644
>> index 0000000..2b954b9
>> --- /dev/null
>> +++ b/package/policycoreutils/policycoreutils.mk
>> @@ -0,0 +1,107 @@
>> +################################################################################
>> +#
>> +# policycoreutils
>> +#
>> +################################################################################
>> +
>> +POLICYCOREUTILS_VERSION = 2.1.14
>> +POLICYCOREUTILS_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20130423
>> +POLICYCOREUTILS_LICENSE = GPLv2
>> +POLICYCOREUTILS_LICENSE_FILES = COPYING
>> +
>> +# gettext for load_policy.c use of libintl_* functions
>> +POLICYCOREUTILS_DEPENDENCIES = libsemanage libcap-ng $(if $(BR2_NEEDS_GETTEXT),gettext)
>> +
>> +ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
>> +POLICYCOREUTILS_DEPENDENCIES += linux-pam
>> +POLICYCOREUTILS_MAKE_OPTS += NAMESPACE_PRIV=y
>> +define POLICYCOREUTILS_INSTALL_TARGET_LINUX_PAM_CONFS
>> +       $(INSTALL) -D -m 0644 $(@D)/newrole/newrole-lspp.pamd $(TARGET_DIR)/etc/pam.d/newrole
>> +       $(INSTALL) -D -m 0644 $(@D)/run_init/run_init.pamd $(TARGET_DIR)/etc/pam.d/run_init
>> +endef
>> +endif
>> +
>> +ifeq ($(BR2_PACKAGE_AUDIT),y)
>> +POLICYCOREUTILS_DEPENDENCIES += audit
>> +POLICYCOREUTILS_MAKE_OPTS += AUDIT_LOG_PRIV=y
>> +endif
>> +
>> +# Enable LSPP_PRIV if both audit and linux pam are enabled
>> +ifeq ($(BR2_PACKAGE_LINUX_PAM)$(BR2_PACKAGE_AUDIT),yy)
>> +POLICYCOREUTILS_MAKE_OPTS += LSPP_PRIV=y
>> +endif
>> +
>> +# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h
>> +# large file support.
>> +# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more information
>> +POLICYCOREUTILS_MAKE_OPTS = \
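Review bot: `POLICYCOREUTILS_INSTALL_TARGET_LINUX_PAM_CONFS` is defined inside the linux-pam block, but nothing in the quoted part of this hunk registers it, for instance as a `POLICYCOREUTILS_POST_INSTALL_TARGET_HOOKS` entry, so please double-check that the two pam.d files really end up in `$(TARGET_DIR)/etc/pam.d/`. If the hook is added later in the file, a short comment next to the define pointing at it would help the next reader.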
> s/=/+=/
> Otherwise, options set for linux-pam and audit are lost.
>
> Also, no ARCH=$(BR2_ARCH) in the *_MAKE_OPTS (see my comment above)?

Will add per comment above.

Thanks,
Clayton

Clayton Shotwell
Senior Software Engineer, Rockwell Collins
clayton.shotwell at rockwellcollins.com

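The "depends on" versus "select" discussion above comes down to one Kconfig rule: when symbol A does `select B`, B is forced on without B's own `depends on` lines being evaluated, so A has to repeat them (this is why refpolicy repeats the policycoreutils toolchain dependencies in its own Config.in). The following checker is an added example, not part of this series or of Buildroot's own tooling. It parses Config.in text and reports every `depends on` of a selected symbol that the selecting symbol does not carry. The sample input is constructed from the policycoreutils and refpolicy blocks in this series plus an invented `BR2_PACKAGE_EXAMPLE_BAD_SELECTOR` that omits one dependency; conditional selects (`select X if Y`) and enclosing `if ... endif` wrappers are deliberately left out of the check.

```python
"""Kconfig dependency-propagation check (added example, not Buildroot code).

Rule being checked: when symbol A does `select B`, Kconfig forces B on without
evaluating B's `depends on` lines, so A must repeat them itself.
"""
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample: the first two blocks follow the Config.in lines from this
# patch series, the third symbol is invented and forgets one dependency.
SAMPLE_CONFIG_IN = """\
config BR2_PACKAGE_POLICYCOREUTILS
\tbool "policycoreutils"
\tselect BR2_PACKAGE_LIBSEMANAGE
\tselect BR2_PACKAGE_GETTEXT if BR2_NEEDS_GETTEXT
\tdepends on BR2_TOOLCHAIN_HAS_THREADS # libsemanage
\tdepends on BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL # uses fts.h

comment "policycoreutils needs a glibc or musl toolchain w/ threads"
\tdepends on !BR2_TOOLCHAIN_HAS_THREADS \\
\t\t|| !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL)

config BR2_PACKAGE_REFPOLICY
\tbool "refpolicy"
\tselect BR2_PACKAGE_POLICYCOREUTILS
\tselect BR2_PACKAGE_BUSYBOX_SELINUX if BR2_PACKAGE_BUSYBOX
\tdepends on BR2_TOOLCHAIN_HAS_THREADS # policycoreutils
\tdepends on BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL # policycoreutils

config BR2_PACKAGE_EXAMPLE_BAD_SELECTOR
\tbool "example bad selector (constructed)"
\tselect BR2_PACKAGE_POLICYCOREUTILS
\tdepends on BR2_TOOLCHAIN_HAS_THREADS
"""

Symbol = Dict[str, List[str]]  # keys: "selects", "cond_selects", "depends"

_CONFIG_RE = re.compile(r"^(?:config|menuconfig)\s+(\w+)$")
_SELECT_RE = re.compile(r"^select\s+(\w+)(?:\s+if\s+(.+))?$")
_DEPENDS_RE = re.compile(r"^depends\s+on\s+(.+)$")
# Keywords that end the current config block; their own 'depends on' lines
# (e.g. under a 'comment') must not be attributed to the preceding symbol.
_BLOCK_END_RE = re.compile(
    r"^(comment|menu|choice|source|if|endif|endmenu|endchoice|help)\b")


def _logical_lines(text: str) -> Iterator[str]:
    """Join backslash-continued lines, as Kconfig does."""
    pending = ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            pending += stripped[:-1] + " "
            continue
        yield pending + raw
        pending = ""
    if pending:
        yield pending


def _code_part(line: str) -> str:
    """Drop a trailing '# comment' and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def _normalize(expr: str) -> str:
    """Collapse whitespace so equivalent expressions compare equal."""
    return " ".join(expr.split())


def parse_config_in(text: str) -> Dict[str, Symbol]:
    """Collect selects and depends-on expressions per config symbol."""
    symbols: Dict[str, Symbol] = {}
    current = None
    for line in map(_code_part, _logical_lines(text)):
        if not line:
            continue
        m = _CONFIG_RE.match(line)
        if m:
            current = {"selects": [], "cond_selects": [], "depends": []}
            symbols[m.group(1)] = current
            continue
        if _BLOCK_END_RE.match(line):
            current = None
            continue
        if current is None:
            continue
        m = _SELECT_RE.match(line)
        if m:
            key = "cond_selects" if m.group(2) else "selects"
            current[key].append(m.group(1))
            continue
        m = _DEPENDS_RE.match(line)
        if m:
            current["depends"].append(_normalize(m.group(1)))
    return symbols


def missing_propagated_depends(symbols: Dict[str, Symbol]) -> List[Tuple[str, str, str]]:
    """Return (selector, selected, expr) for every 'depends on' of a selected
    symbol that the selecting symbol does not repeat verbatim."""
    problems = []
    for name, sym in symbols.items():
        for target in sym["selects"]:
            target_sym = symbols.get(target)
            if target_sym is None:
                continue  # selected symbol lives in another file: out of scope
            for expr in target_sym["depends"]:
                if expr not in sym["depends"]:
                    problems.append((name, target, expr))
    return problems


def report(text: str) -> List[str]:
    """Human-readable findings for one Config.in text."""
    return [f"{sel} selects {tgt} but lacks: depends on {expr}"
            for sel, tgt, expr in missing_propagated_depends(parse_config_in(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG_IN) or ["OK: every select repeats its target's depends"]:
        print(line)
```

Run stand-alone it flags only the constructed symbol; refpolicy passes because it repeats both policycoreutils dependencies. The comparison is textual on purpose (after whitespace normalization), which is how a reviewer reads these files as well: a dependency written differently from the selected symbol's line is worth a second look even when it is logically equivalent.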

* [Buildroot] [PATCH v8 02/16] refpolicy: new package
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 02/16] refpolicy: " Clayton Shotwell
@ 2015-07-14 14:50   ` Samuel Martin
  2015-07-14 14:59     ` Clayton Shotwell
  0 siblings, 1 reply; 36+ messages in thread
From: Samuel Martin @ 2015-07-14 14:50 UTC (permalink / raw)
  To: buildroot

Clayton, all,

On Sat, Jul 11, 2015 at 1:27 AM, Clayton Shotwell
<clayton.shotwell@rockwellcollins.com> wrote:
> From: Clayton Shotwell <clshotwe@rockwellcollins.com>
>
> Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>

Reviewed-by: Samuel Martin <s.martin49@gmail.com>
But still some nits ;-)

[...]
> diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
> new file mode 100644
> index 0000000..b6af100
> --- /dev/null
> +++ b/package/refpolicy/Config.in
> @@ -0,0 +1,99 @@
> +config BR2_PACKAGE_REFPOLICY
> +       bool "refpolicy"
> +       select BR2_PACKAGE_POLICYCOREUTILS
> +       select BR2_PACKAGE_BUSYBOX_SELINUX if BR2_PACKAGE_BUSYBOX
> +       depends on BR2_TOOLCHAIN_HAS_THREADS # policycoreutils
> +       depends on BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL # policycoreutils
> +       help
> +         The SELinux Reference Policy project (refpolicy) is a
> +         complete SELinux policy that can be used as the system
> +         policy for a variety of systems and used as the basis
> +         for creating other policies. Reference Policy was originally
> +         based on the NSA example policy, but aims to accomplish
> +         many additional goals.
> +
> +         The current refpolicy does not fully support Buildroot
> +         and needs modifications to work with the default system
> +         file layout.  These changes should be added as patches to
nit: s/layout.  These/layout. These/

> +         the refpolicy that modify a single SELinux policy.
> +
> +comment "refpolicy needs a toolchain w/ threads, glibc or musl"
> +       depends on !BR2_TOOLCHAIN_HAS_THREADS \
> +               || !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL)
> +

[...]

> diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
> new file mode 100644
> index 0000000..dbc662d
> --- /dev/null
> +++ b/package/refpolicy/refpolicy.mk
> @@ -0,0 +1,120 @@
> +################################################################################
> +#
> +# refpolicy
> +#
> +################################################################################
> +
> +ifeq ($(BR2_PACKAGE_REFPOLICY_CUSTOM_GIT),y)
> +REFPOLICY_SITE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL))
> +REFPOLICY_VERSION = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION))
> +REFPOLICY_SITE_METHOD = git
> +REFPOLICY_DEPENDENCIES += refpolicy-contrib
> +else
> +REFPOLICY_VERSION = 2.20130424
> +REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2
> +REFPOLICY_SITE = http://oss.tresys.com/files/refpolicy/
> +endif
> +REFPOLICY_LICENSE = GPLv2
> +REFPOLICY_LICENSE_FILES = COPYING
> +
> +# Cannot use multiple threads to build the reference policy
> +REFPOLICY_MAKE = $(TARGET_MAKE_ENV) $(MAKE1)
> +
> +REFPOLICY_DEPENDENCIES += host-m4 host-checkpolicy host-policycoreutils \
> +       host-setools host-gawk host-python policycoreutils
> +
> +REFPOLICY_INSTALL_STAGING = YES
> +
> +REFPOLICY_POLICY_NAME = br_policy
> +
> +# To apply board specific customizations, create a refpolicy folder in
> +# BR2_GLOBAL_PATCH_DIR.  These patches will be applied after the patches
> +# in package/refpolicy
> +
> +# Passing the HOST_CONFIGURE_OPTS to the target build because all of the
> +# build utilities are expected to be on system. This fools the make files
> +# into using the host built utilities to compile the SELinux policy for
> +# the target.
> +#
> +# Note, the TEST_TOOLCHAIN option will also set the
> +# LD_LIBRARY_PATH at run time.
> +REFPOLICY_MAKE_OPTS = $(HOST_CONFIGURE_OPTS) \
> +       TEST_TOOLCHAIN="$(HOST_DIR)"
> +
> +# Build requires python2 to run
> +REFPOLICY_MAKE_ENV = \
> +       PYTHON="$(HOST_DIR)/usr/bin/python2" \
> +       AWK="$(HOST_DIR)/usr/bin/gawk" \
> +       M4="$(HOST_DIR)/usr/bin/m4"
> +
> +
> +ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)
> +       REFPOLICY_MONOLITHIC = n
> +else
> +       REFPOLICY_MONOLITHIC = y
> +endif
> +
> +ifeq ($(BR2_PACKAGE_REFPOLICY_CUSTOM_GIT),y)
> +define REFPOLICY_GIT_SUBMODULE_SETUP
> +       rsync -ar $(RSYNC_VCS_EXCLUSIONS) $(REFPOLICY_CONTRIB_DIR)/* $(@D)/policy/modules/contrib/
nit: wrap at ~70-80 characters

> +endef
> +else
> +REFPOLICY_MODULES_FILE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_MODULES_FILE))
> +define REFPOLICY_CUSTOM_MODULES_CONF
> +       cp $(REFPOLICY_MODULES_FILE) $(@D)/policy/modules.conf
> +endef
> +endif
> +
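Review bot: `REFPOLICY_CONTRIB_DIR`, used by the rsync in `REFPOLICY_GIT_SUBMODULE_SETUP`, is not defined anywhere in the quoted lines; if it is exported by the refpolicy-contrib package, say so in a comment next to the `REFPOLICY_DEPENDENCIES += refpolicy-contrib` line so the coupling is visible. Two style points: the two `REFPOLICY_MONOLITHIC` assignments inside the `BR2_PACKAGE_REFPOLICY_MODULAR` conditional are indented while the `BR2_PACKAGE_REFPOLICY_CUSTOM_GIT` block at the top of the file is not, and there is a double blank line after `REFPOLICY_MAKE_ENV`.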
[...]

Regards,

-- 
Samuel


* [Buildroot] [PATCH v8 02/16] refpolicy: new package
  2015-07-14 14:50   ` Samuel Martin
@ 2015-07-14 14:59     ` Clayton Shotwell
  0 siblings, 0 replies; 36+ messages in thread
From: Clayton Shotwell @ 2015-07-14 14:59 UTC (permalink / raw)
  To: buildroot

Samuel,

On Tue, Jul 14, 2015 at 9:50 AM, Samuel Martin <s.martin49@gmail.com> wrote:
> Clayton, all,
>
> On Sat, Jul 11, 2015 at 1:27 AM, Clayton Shotwell
> <clayton.shotwell@rockwellcollins.com> wrote:
>> From: Clayton Shotwell <clshotwe@rockwellcollins.com>
>>
>> Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
>
> Reviewed-by: Samuel Martin <s.martin49@gmail.com>
> But still some nits ;-)
>
> [...]
>> diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
>> new file mode 100644
>> index 0000000..b6af100
>> --- /dev/null
>> +++ b/package/refpolicy/Config.in
>> @@ -0,0 +1,99 @@
>> +config BR2_PACKAGE_REFPOLICY
>> +       bool "refpolicy"
>> +       select BR2_PACKAGE_POLICYCOREUTILS
>> +       select BR2_PACKAGE_BUSYBOX_SELINUX if BR2_PACKAGE_BUSYBOX
>> +       depends on BR2_TOOLCHAIN_HAS_THREADS # policycoreutils
>> +       depends on BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL # policycoreutils
>> +       help
>> +         The SELinux Reference Policy project (refpolicy) is a
>> +         complete SELinux policy that can be used as the system
>> +         policy for a variety of systems and used as the basis
>> +         for creating other policies. Reference Policy was originally
>> +         based on the NSA example policy, but aims to accomplish
>> +         many additional goals.
>> +
>> +         The current refpolicy does not fully support Buildroot
>> +         and needs modifications to work with the default system
>> +         file layout.  These changes should be added as patches to
> nit: s/layout.  These/layout. These/

Fixed.

>> +         the refpolicy that modify a single SELinux policy.
>> +
>> +comment "refpolicy needs a toolchain w/ threads, glibc or musl"
>> +       depends on !BR2_TOOLCHAIN_HAS_THREADS \
>> +               || !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL)
>> +
>
> [...]
>
>> diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
>> new file mode 100644
>> index 0000000..dbc662d
>> --- /dev/null
>> +++ b/package/refpolicy/refpolicy.mk
>> @@ -0,0 +1,120 @@
>> +################################################################################
>> +#
>> +# refpolicy
>> +#
>> +################################################################################
>> +
>> +ifeq ($(BR2_PACKAGE_REFPOLICY_CUSTOM_GIT),y)
>> +REFPOLICY_SITE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL))
>> +REFPOLICY_VERSION = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION))
>> +REFPOLICY_SITE_METHOD = git
>> +REFPOLICY_DEPENDENCIES += refpolicy-contrib
>> +else
>> +REFPOLICY_VERSION = 2.20130424
>> +REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2
>> +REFPOLICY_SITE = http://oss.tresys.com/files/refpolicy/
>> +endif
>> +REFPOLICY_LICENSE = GPLv2
>> +REFPOLICY_LICENSE_FILES = COPYING
>> +
>> +# Cannot use multiple threads to build the reference policy
>> +REFPOLICY_MAKE = $(TARGET_MAKE_ENV) $(MAKE1)
>> +
>> +REFPOLICY_DEPENDENCIES += host-m4 host-checkpolicy host-policycoreutils \
>> +       host-setools host-gawk host-python policycoreutils
>> +
>> +REFPOLICY_INSTALL_STAGING = YES
>> +
>> +REFPOLICY_POLICY_NAME = br_policy
>> +
>> +# To apply board specific customizations, create a refpolicy folder in
>> +# BR2_GLOBAL_PATCH_DIR.  These patches will be applied after the patches
>> +# in package/refpolicy
>> +
>> +# Passing the HOST_CONFIGURE_OPTS to the target build because all of the
>> +# build utilities are expected to be on system. This fools the make files
>> +# into using the host built utilities to compile the SELinux policy for
>> +# the target.
>> +#
>> +# Note, the TEST_TOOLCHAIN option will also set the
>> +# LD_LIBRARY_PATH at run time.
>> +REFPOLICY_MAKE_OPTS = $(HOST_CONFIGURE_OPTS) \
>> +       TEST_TOOLCHAIN="$(HOST_DIR)"
>> +
>> +# Build requires python2 to run
>> +REFPOLICY_MAKE_ENV = \
>> +       PYTHON="$(HOST_DIR)/usr/bin/python2" \
>> +       AWK="$(HOST_DIR)/usr/bin/gawk" \
>> +       M4="$(HOST_DIR)/usr/bin/m4"
>> +
>> +
>> +ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)
>> +       REFPOLICY_MONOLITHIC = n
>> +else
>> +       REFPOLICY_MONOLITHIC = y
>> +endif
>> +
>> +ifeq ($(BR2_PACKAGE_REFPOLICY_CUSTOM_GIT),y)
>> +define REFPOLICY_GIT_SUBMODULE_SETUP
>> +       rsync -ar $(RSYNC_VCS_EXCLUSIONS) $(REFPOLICY_CONTRIB_DIR)/* $(@D)/policy/modules/contrib/
> nit: wrap at ~70-80 characters

Fixed.

Thanks,
Clayton

Clayton Shotwell
Senior Software Engineer, Rockwell Collins
clayton.shotwell at rockwellcollins.com


* [Buildroot] [PATCH v8 04/16] busybox: selinux support
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 04/16] busybox: selinux support Clayton Shotwell
@ 2015-07-14 14:59   ` Samuel Martin
  0 siblings, 0 replies; 36+ messages in thread
From: Samuel Martin @ 2015-07-14 14:59 UTC (permalink / raw)
  To: buildroot

On Sat, Jul 11, 2015 at 1:27 AM, Clayton Shotwell
<clayton.shotwell@rockwellcollins.com> wrote:
> Add a configure option to enable the SELinux support in the
> busybox configuration from the Buildroot menuconfig.
>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
> Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
Reviewed-by: Samuel Martin <s.martin49@gmail.com>

Regards,

-- 
Samuel


* [Buildroot] [PATCH v8 05/16] linux-pam: selinux support
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 05/16] linux-pam: " Clayton Shotwell
@ 2015-07-14 15:12   ` Samuel Martin
  0 siblings, 0 replies; 36+ messages in thread
From: Samuel Martin @ 2015-07-14 15:12 UTC (permalink / raw)
  To: buildroot

On Sat, Jul 11, 2015 at 1:27 AM, Clayton Shotwell
<clayton.shotwell@rockwellcollins.com> wrote:
> From: Matt Weber <matthew.weber@rockwellcollins.com>
>
> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Reviewed-by: Samuel Martin <s.martin49@gmail.com>

Regards,


-- 
Samuel


* [Buildroot] [PATCH v8 03/16] busybox: applets as individual binaries
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 03/16] busybox: applets as individual binaries Clayton Shotwell
@ 2015-07-14 15:19   ` Samuel Martin
  0 siblings, 0 replies; 36+ messages in thread
From: Samuel Martin @ 2015-07-14 15:19 UTC (permalink / raw)
  To: buildroot

On Sat, Jul 11, 2015 at 1:27 AM, Clayton Shotwell
<clayton.shotwell@rockwellcollins.com> wrote:
> The individual binaries option of busybox allows for the applets
> that would usually be symlinks to be built as individual applications
> that link against a shared library.
>
> This feature is needed for SELinux to allow the applications to run
> under the correct SELinux context.
>
> The patch being added allows the individual applications to be
> installed and will be upstreamed to the busybox developers.
>
> The initial work for this change was done by Thomas Petazzoni
> <thomas.petazzoni@free-electrons.com>.
>
> Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Reviewed-by: Samuel Martin <s.martin49@gmail.com>

Regards,


-- 
Samuel


* [Buildroot] [PATCH v8 09/16] openssh: selinux and pam support
  2015-07-10 23:27 ` [Buildroot] [PATCH v8 09/16] openssh: selinux and pam support Clayton Shotwell
@ 2015-07-14 15:24   ` Samuel Martin
  0 siblings, 0 replies; 36+ messages in thread
From: Samuel Martin @ 2015-07-14 15:24 UTC (permalink / raw)
  To: buildroot

On Sat, Jul 11, 2015 at 1:27 AM, Clayton Shotwell
<clayton.shotwell@rockwellcollins.com> wrote:
> From: Matt Weber <matthew.weber@rockwellcollins.com>
>
> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Reviewed-by: Samuel Martin <s.martin49@gmail.com>

Regards,

-- 
Samuel


* [Buildroot] [PATCH v8 15/16] cpio: new package
  2015-07-10 23:28 ` [Buildroot] [PATCH v8 15/16] cpio: new package Clayton Shotwell
@ 2015-07-14 15:38   ` Samuel Martin
  2015-07-14 16:08     ` Clayton Shotwell
  0 siblings, 1 reply; 36+ messages in thread
From: Samuel Martin @ 2015-07-14 15:38 UTC (permalink / raw)
  To: buildroot

Clayton, all,

On Sat, Jul 11, 2015 at 1:28 AM, Clayton Shotwell
<clayton.shotwell@rockwellcollins.com> wrote:
> Adding the cpio archive utility for the target and host. Patches have
> been pulled from ArchLinux and Debian to fix CVE issues and compile
> issues.
According to the URL, patches are pulled from ArchLinux and Gentoo.

>
> Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>
> ---
> Changes v7 -> v8:
>   - Corrected the license to be GPLv3+ (Suggested by Thomas P.)
>   - Changed all of the patches to pull from the various source locations
>     since they were not being modified at all (Suggested by Thomas P.)
>
> Changes v6 -> v7:
>   - Added dependency on argp-standalone package for uclibc toolchains
>     to fix build error (Clayton S.)
>   - Added hash file (Clayton S.)
>
> Changes v5 -> v6:
>   - No changes
> ---
>  package/Config.in           |  1 +
>  package/Config.in.host      |  1 +
>  package/cpio/Config.in      |  8 ++++++++
>  package/cpio/Config.in.host |  6 ++++++
>  package/cpio/cpio.hash      |  9 +++++++++
>  package/cpio/cpio.mk        | 27 +++++++++++++++++++++++++++
>  6 files changed, 52 insertions(+)
>  create mode 100644 package/cpio/Config.in
>  create mode 100644 package/cpio/Config.in.host
>  create mode 100644 package/cpio/cpio.hash
>  create mode 100644 package/cpio/cpio.mk
>
> diff --git a/package/Config.in b/package/Config.in
> index 2cc81fa..c6e5efe 100644
> --- a/package/Config.in
> +++ b/package/Config.in
> @@ -149,6 +149,7 @@ endmenu
>  menu "Filesystem and flash utilities"
>         source "package/btrfs-progs/Config.in"
>         source "package/cifs-utils/Config.in"
> +       source "package/cpio/Config.in"
>         source "package/cramfs/Config.in"
>         source "package/curlftpfs/Config.in"
>         source "package/dosfstools/Config.in"
> diff --git a/package/Config.in.host b/package/Config.in.host
> index 1e047aa..9a4f176 100644
> --- a/package/Config.in.host
> +++ b/package/Config.in.host
> @@ -1,6 +1,7 @@
>  menu "Host utilities"
>
>         source "package/checkpolicy/Config.in.host"
> +       source "package/cpio/Config.in.host"
>         source "package/cramfs/Config.in.host"
>         source "package/dfu-util/Config.in.host"
>         source "package/dos2unix/Config.in.host"
> diff --git a/package/cpio/Config.in b/package/cpio/Config.in
> new file mode 100644
> index 0000000..1787f39
> --- /dev/null
> +++ b/package/cpio/Config.in
> @@ -0,0 +1,8 @@
> +config BR2_PACKAGE_CPIO
> +       bool "cpio"
> +       # Need argp.h support
> +       select BR2_PACKAGE_ARGP_STANDALONE if BR2_TOOLCHAIN_USES_UCLIBC
> +       help
> +         cpio archive utility for creation and extraction.
> +
> +         https://www.gnu.org/software/cpio/
> diff --git a/package/cpio/Config.in.host b/package/cpio/Config.in.host
> new file mode 100644
> index 0000000..e927952
> --- /dev/null
> +++ b/package/cpio/Config.in.host
> @@ -0,0 +1,6 @@
> +config BR2_PACKAGE_HOST_CPIO
> +       bool "host cpio"
> +       help
> +         cpio archive utility for creation and extraction.
> +
> +         https://www.gnu.org/software/cpio/
> diff --git a/package/cpio/cpio.hash b/package/cpio/cpio.hash
> new file mode 100644
> index 0000000..c52e86a
> --- /dev/null
> +++ b/package/cpio/cpio.hash
> @@ -0,0 +1,9 @@
> +# Locally calculated after checking pgp signature
> +sha256 601b1d774cd6e4cd39416203c91ec59dbd65dd27d79d75e1a9b89497ea643978        cpio-2.11.tar.gz
> +
> +# Locally calculated
> +sha256 903fb87e00813daf257be5d1680ad93770d320c707ab2ec345486958b2e8a21f cpio-2.11-stdio.in.patch
> +sha256 6b6505a97dda75d24627d9ba461b45ab9ea4764e1a2788d6986eb2978434f25d cpio-2.11-CVE-2014-9112.patch
> +sha256 0cf7c9749f1c1610aaf46e17eacd6614c5ef8c2114236bcdd08d53e929020ae5 cpio-2.11-testsuite-CVE-2014-9112.patch
> +sha256 f1f587f70a38363691cbd4dfe89f962c8c57266277f0fbc781910c6a7065be7e cpio-2.11-check_for_symlinks-CVE-2015-1197.patch
> +sha256 b3d317e3c5705d7f9e503f56540baf3cb6dd1d0e9be0261151a5b08378c2d98c cpio-2.11-stat.patch
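Review bot: The whitespace between the digest and the filename is inconsistent within this file (a long run of spaces on the cpio-2.11.tar.gz line, a single space on the patch lines); align them. Otherwise it is good that every patch fetched through CPIO_PATCH gets its own sha256 next to the tarball, because the patch URLs in cpio.mk are not pinned to a revision, so these digests are what turn an upstream change into a hash failure rather than a silently different patch being applied.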
> diff --git a/package/cpio/cpio.mk b/package/cpio/cpio.mk
> new file mode 100644
> index 0000000..67871e2
> --- /dev/null
> +++ b/package/cpio/cpio.mk
> @@ -0,0 +1,27 @@
> +################################################################################
> +#
> +# cpio
> +#
> +################################################################################
> +
> +CPIO_VERSION = 2.11
> +CPIO_SITE = http://ftp.gnu.org/gnu/cpio
> +CPIO_LICENSE = GPLv3+
> +CPIO_LICENSE_FILES = COPYING
> +CPIO_PATCH = \
> +       https://projects.archlinux.org/svntogit/packages.git/plain/cpio/trunk/cpio-2.11-stdio.in.patch \
> +       https://projects.archlinux.org/svntogit/packages.git/plain/cpio/trunk/cpio-2.11-CVE-2014-9112.patch \
> +       https://projects.archlinux.org/svntogit/packages.git/plain/cpio/trunk/cpio-2.11-testsuite-CVE-2014-9112.patch \
> +       https://projects.archlinux.org/svntogit/packages.git/plain/cpio/trunk/cpio-2.11-check_for_symlinks-CVE-2015-1197.patch \
> +       https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-arch/cpio/files/cpio-2.11-stat.patch
> +
> +# cpio uses argp.h which is not provided by uclibc by default.
> +# Use the argp-standalone package to provide this but make sure
> +# the host package does not try to use the host version.
> +ifeq ($(BR2_TOOLCHAIN_USES_UCLIBC),y)
> +CPIO_DEPENDENCIES += argp-standalone
> +HOST_CPIO_DEPENDENCIES =
> +endif
> +
> +$(eval $(autotools-package))
> +$(eval $(host-autotools-package))
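Review bot: The CPIO_PATCH URLs point at moving locations (the ArchLinux `trunk` path and the Gentoo viewvc path carry no revision), so the content they serve can change under this package; cpio.hash will catch that as a hash mismatch, but pinning each URL to a specific revision would avoid the resulting build breakage. The commit message should also name the CVEs the patches address, since only the patch filenames (CVE-2014-9112, CVE-2015-1197) carry that information today. The `HOST_CPIO_DEPENDENCIES =` inside the uclibc block is the right way to keep host-argp-standalone out of the host build, and the comment above it explains why.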
> --
> 1.9.1
>
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

Regards,

-- 
Samuel

* [Buildroot] [PATCH v8 15/16] cpio: new package
  2015-07-14 15:38   ` Samuel Martin
@ 2015-07-14 16:08     ` Clayton Shotwell
  0 siblings, 0 replies; 36+ messages in thread
From: Clayton Shotwell @ 2015-07-14 16:08 UTC (permalink / raw)
  To: buildroot

Samuel,

On Tue, Jul 14, 2015 at 10:38 AM, Samuel Martin <s.martin49@gmail.com> wrote:
> Clayton, all,
>
> On Sat, Jul 11, 2015 at 1:28 AM, Clayton Shotwell
> <clayton.shotwell@rockwellcollins.com> wrote:
>> Adding the cpio archive utility for the target and host. Patches have
>> been pulled from ArchLinux and Debian to fix CVE issues and compile
>> issues.
> According to the URL, patches are pulled from ArchLinux and Gentoo.

That is in fact correct. I'll update the comment so it is correct.

Thanks,
Clayton

Clayton Shotwell
Senior Software Engineer, Rockwell Collins
clayton.shotwell at rockwellcollins.com

* [Buildroot] [PATCH v8 01/16] policycoreutils: new package
  2015-07-14 14:28     ` Clayton Shotwell
@ 2015-07-14 20:49       ` Arnout Vandecappelle
  0 siblings, 0 replies; 36+ messages in thread
From: Arnout Vandecappelle @ 2015-07-14 20:49 UTC (permalink / raw)
  To: buildroot

On 07/14/15 16:28, Clayton Shotwell wrote:
> I'll have to look through some different architecture to see which
> ones use lib and which use lib64.

 That shouldn't matter for us, since we symlink lib64 -> lib (or lib32 -> lib).

 Regards,
 Arnout

-- 
Arnout Vandecappelle                          arnout at mind be
Senior Embedded Software Architect            +32-16-286500
Essensium/Mind                                http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium           BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint:  7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF

Thread overview: 36+ messages
2015-07-10 23:27 [Buildroot] [PATCH v8 00/16] SELinux Buildroot Additions Clayton Shotwell
2015-07-10 23:27 ` [Buildroot] [PATCH v8 01/16] policycoreutils: new package Clayton Shotwell
2015-07-14 12:26   ` Samuel Martin
2015-07-14 14:28     ` Clayton Shotwell
2015-07-14 20:49       ` Arnout Vandecappelle
2015-07-10 23:27 ` [Buildroot] [PATCH v8 02/16] refpolicy: " Clayton Shotwell
2015-07-14 14:50   ` Samuel Martin
2015-07-14 14:59     ` Clayton Shotwell
2015-07-10 23:27 ` [Buildroot] [PATCH v8 03/16] busybox: applets as individual binaries Clayton Shotwell
2015-07-14 15:19   ` Samuel Martin
2015-07-10 23:27 ` [Buildroot] [PATCH v8 04/16] busybox: selinux support Clayton Shotwell
2015-07-14 14:59   ` Samuel Martin
2015-07-10 23:27 ` [Buildroot] [PATCH v8 05/16] linux-pam: " Clayton Shotwell
2015-07-14 15:12   ` Samuel Martin
2015-07-10 23:27 ` [Buildroot] [PATCH v8 06/16] busybox: added linux-pam support Clayton Shotwell
2015-07-14 12:29   ` Samuel Martin
2015-07-10 23:27 ` [Buildroot] [PATCH v8 07/16] sysvinit: added libselinux dependency Clayton Shotwell
2015-07-14 12:40   ` Samuel Martin
2015-07-10 23:27 ` [Buildroot] [PATCH v8 08/16] dbus: selinux file context support Clayton Shotwell
2015-07-14 12:44   ` Samuel Martin
2015-07-10 23:27 ` [Buildroot] [PATCH v8 09/16] openssh: selinux and pam support Clayton Shotwell
2015-07-14 15:24   ` Samuel Martin
2015-07-10 23:27 ` [Buildroot] [PATCH v8 10/16] util-linux: selinux, audit, " Clayton Shotwell
2015-07-14 12:55   ` Samuel Martin
2015-07-10 23:27 ` [Buildroot] [PATCH v8 11/16] rsyslog: fix config file comment style Clayton Shotwell
2015-07-11  7:28   ` Thomas Petazzoni
2015-07-12 22:51   ` Thomas Petazzoni
2015-07-13 12:25     ` Clayton Shotwell
2015-07-10 23:27 ` [Buildroot] [PATCH v8 12/16] qemu x86 selinux: added common selinux support files Clayton Shotwell
2015-07-10 23:27 ` [Buildroot] [PATCH v8 13/16] qemu x86 selinux: base br defconfig Clayton Shotwell
2015-07-10 23:28 ` [Buildroot] [PATCH v8 14/16] squashfs: Add xattr support Clayton Shotwell
2015-07-11  7:31   ` Thomas Petazzoni
2015-07-10 23:28 ` [Buildroot] [PATCH v8 15/16] cpio: new package Clayton Shotwell
2015-07-14 15:38   ` Samuel Martin
2015-07-14 16:08     ` Clayton Shotwell
2015-07-10 23:28 ` [Buildroot] [PATCH v8 16/16] audit: Add startup script Clayton Shotwell
