[yocto] [meta-selinux][PATCH] policycoreutils: address QA issues

Joe MacDonald joe_macdonald at mentor.com
Fri Feb 20 18:33:44 PST 2015


Both the fixfiles and sandbox utilities had dependencies on bash when they
didn't really need them.  Update sandbox and patch fixfiles.  ifgen is a
python script, so ensure that python is listed as a runtime dependency.

Signed-off-by: Joe MacDonald <joe_macdonald at mentor.com>
---
 recipes-security/selinux/policycoreutils.inc       |  7 +-
 .../policycoreutils-fixfiles-de-bashify.patch      | 92 ++++++++++++++++++++++
 .../policycoreutils-sandbox-de-bashify.patch       | 39 +++++++++
 3 files changed, 136 insertions(+), 2 deletions(-)
 create mode 100644 recipes-security/selinux/policycoreutils/policycoreutils-fixfiles-de-bashify.patch
 create mode 100644 recipes-security/selinux/policycoreutils/policycoreutils-sandbox-de-bashify.patch

diff --git a/recipes-security/selinux/policycoreutils.inc b/recipes-security/selinux/policycoreutils.inc
index 44a5861..4846683 100644
--- a/recipes-security/selinux/policycoreutils.inc
+++ b/recipes-security/selinux/policycoreutils.inc
@@ -7,7 +7,10 @@ context."
 SECTION = "base"
 LICENSE = "GPLv2+"
 
-SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)}"
+SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
+            file://policycoreutils-fixfiles-de-bashify.patch \
+            file://policycoreutils-sandbox-de-bashify.patch \
+           "
 
 PAM_SRC_URI = "file://pam.d/newrole \
                file://pam.d/run_init \
@@ -97,7 +100,7 @@ RDEPENDS_${BPN}-sepolicy += "\
 "
 # static link to libsepol
 DEPENDS_${BPN}-sepolgen-ifgen += "libsepol"
-RDEPENDS_${BPN}-sepolgen-ifgen += "libselinux-python"
+RDEPENDS_${BPN}-sepolgen-ifgen += "python libselinux-python"
 RDEPENDS_${BPN}-sestatus += "libselinux"
 RDEPENDS_${BPN}-setfiles += "\
 	libselinux \
diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-fixfiles-de-bashify.patch b/recipes-security/selinux/policycoreutils/policycoreutils-fixfiles-de-bashify.patch
new file mode 100644
index 0000000..44d7525
--- /dev/null
+++ b/recipes-security/selinux/policycoreutils/policycoreutils-fixfiles-de-bashify.patch
@@ -0,0 +1,92 @@
+From 25ca94680f2fe20f49b80e8b5b180a0dbb903f17 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald at mentor.com>
+Date: Fri, 20 Feb 2015 17:00:19 -0500
+Subject: [PATCH] fixfiles: de-bashify
+
+Most of the bashisms in fixfiles are pretty easy to work around, the only
+complex one is the use of PIPESTATUS.  The common solution to this is to
+use fifos but considering the action this script is performing, that's not
+necessarily the best option here.  Introducing a second invocation of rpm
+is minimal overhead on an operation that should happen very infrequently,
+so we'll try that instead.
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald at mentor.com>
+---
+ scripts/fixfiles | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+diff --git a/scripts/fixfiles b/scripts/fixfiles
+index 5c29eb9..10a5078 100755
+--- a/scripts/fixfiles
++++ b/scripts/fixfiles
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/bin/sh
+ # fixfiles
+ #
+ # Script to restore labels on a SELinux box
+@@ -25,7 +25,7 @@
+ # number if the current kernel version is greater than 2.6.30, a negative
+ # number if the current is less than 2.6.30 and 0 if they are the same.
+ #
+-function useseclabel {
++useseclabel() {
+ 	VER=`uname -r`
+ 	SUP=2.6.30
+ 	expr '(' "$VER" : '\([^.]*\)' ')' '-' '(' "$SUP" : '\([^.]*\)' ')' '|' \
+@@ -91,9 +91,9 @@ exclude_dirs_from_relabelling() {
+ 	  # skip not absolute path
+ 	  # skip not directory
+ 	  [ -z "${i}" ] && continue
+-	  [[ "${i}" =~ "^[[:blank:]]*#" ]] && continue
+-	  [[ ! "${i}" =~ ^/.* ]] && continue
+-	  [[ ! -d "${i}" ]] && continue
++	  echo "${i}" | egrep -q '^[[:space:]]*#' && continue
++	  echo "${i}" | egrep -v '^/.*' && continue
++	  [ ! -d "${i}" ] && continue
+ 	  exclude_from_relabelling="$exclude_from_relabelling -e $i"
+ 	  logit "skipping the directory $i"
+ 	done < /etc/selinux/fixfiles_exclude_dirs
+@@ -205,8 +205,12 @@ fi
+ }
+ 
+ rpmlist() {
+-rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' '
+-[ ${PIPESTATUS[0]} != 0 ] && echo "$1 not found" >/dev/stderr
++    if rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" >/dev/null
++    then
++        rpm -q --qf '[%{FILESTATES} %{FILENAMES}\n]' "$1" | grep '^0 ' | cut -f2- -d ' '
++    else
++        echo "$1 not found" >/dev/stderr
++    fi
+ }
+ 
+ #
+@@ -233,10 +237,10 @@ if [ -n "${exclude_dirs}" ]
+ then
+ 	TEMPFCFILE=`mktemp ${FC}.XXXXXXXXXX`
+ 	test -z "$TEMPFCFILE" && exit
+-	/bin/cp -p ${FC} ${TEMPFCFILE} &>/dev/null || exit
+-	tmpdirs=${tempdirs//-e/}
+-	for p in ${tmpdirs}
++	/bin/cp -p ${FC} ${TEMPFCFILE} >/dev/null 2>&1 || exit
++	for p in ${tempdirs}
+ 	do
++		[ ${p} = "-e" ] && continue
+ 		p="${p%/}"
+ 		p1="${p}(/.*)? -- <<none>>"
+ 		echo "${p1}" >> $TEMPFCFILE
+@@ -288,7 +292,7 @@ relabel() {
+ 	restore Relabel
+     fi
+ 
+-    if [ $fullFlag == 1  ]; then
++    if [ $fullFlag = 1 ]; then
+ 	fullrelabel
+     fi
+ 
+-- 
+1.9.1
+
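Review bot: The non-absolute-path filter `echo "${i}" | egrep -v '^/.*' && continue` in exclude_dirs_from_relabelling drops the `-q` that the `#`-comment check directly above it has, so every entry of /etc/selinux/fixfiles_exclude_dirs that does not begin with `/` is printed to fixfiles' stdout before being skipped; write it as `echo "${i}" | egrep -qv '^/.*' && continue`, or avoid the fork with `case "${i}" in /*) ;; *) continue ;; esac`. Two smaller points in the same patch: `[ ${p} = "-e" ] && continue` should quote the expansion, `[ "${p}" = "-e" ]`, and `echo "$1 not found" >/dev/stderr` in rpmlist is better written `>&2`, since `/dev/stderr` is not POSIX and reopening it can truncate a regular file that stderr was redirected to. The rpmlist rewrite also runs the rpm query twice; capturing the first query's output in a variable and piping it through `grep | cut` only when rpm succeeded would keep a single invocation while still preserving the exit-status check that PIPESTATUS provided. The loop header of exclude_dirs_from_relabelling and the block containing the `for p in ${tempdirs}` loop both begin outside the visible hunks.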
diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-sandbox-de-bashify.patch b/recipes-security/selinux/policycoreutils/policycoreutils-sandbox-de-bashify.patch
new file mode 100644
index 0000000..c078ef6
--- /dev/null
+++ b/recipes-security/selinux/policycoreutils/policycoreutils-sandbox-de-bashify.patch
@@ -0,0 +1,39 @@
+From d3e778e0062ca441c80e2a3ef2b508f5566e1f70 Mon Sep 17 00:00:00 2001
+From: Joe MacDonald <joe_macdonald at mentor.com>
+Date: Fri, 20 Feb 2015 21:07:47 -0500
+Subject: [PATCH] sandbox: de-bashify
+
+There's no bashisms apparent in either the sandbox initscript nor the
+sandboxX script, so point them at /bin/sh instead.
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe MacDonald <joe_macdonald at mentor.com>
+---
+ sandbox/sandbox.init | 2 +-
+ sandbox/sandboxX.sh  | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sandbox/sandbox.init b/sandbox/sandbox.init
+index b3979bf..1893dc8 100644
+--- a/sandbox/sandbox.init
++++ b/sandbox/sandbox.init
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/bin/sh
+ ## BEGIN INIT INFO
+ # Provides: sandbox
+ # Default-Start: 3 4 5
+diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
+index eaa500d..8755d75 100644
+--- a/sandbox/sandboxX.sh
++++ b/sandbox/sandboxX.sh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/bin/sh
+ trap "" TERM
+ context=`id -Z | secon -t -l -P`
+ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80`"
+-- 
+1.9.1
+
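Review bot: The patch description justifies switching both interpreters with "no bashisms apparent", but the hunks show only the first four lines of sandbox.init and sandboxX.sh, so the claim cannot be verified from what is visible; the rest of both scripts lies outside the hunks. An undetected bashism under `#!/bin/sh` surfaces only at runtime, and for an init script running as root that means a silent labelling or setup failure rather than a QA warning. Recording how the check was done in the patch header, for example `Verified with: checkbashisms sandbox/sandbox.init sandbox/sandboxX.sh` (or `shellcheck -s sh`), would let a reviewer confirm the interpreter change is safe.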
-- 
1.9.1



