[yocto] [PATCH][meta-selinux] policycoreutils: enable mcstransd

wenzong fan wenzong.fan at windriver.com
Tue Jul 7 20:31:23 PDT 2015


Ping ...

On 01/26/2015 03:38 PM, rongqing.li at windriver.com wrote:
> From: Roy Li <rongqing.li at windriver.com>
>
> mcstransd is a daemon that translates SELinux MCS/MLS sensitivity labels.
> policycoreutils includes a version of mcstransd that is newer than the one
> from http://mcstrans.sourcearchive.com/
>
> Signed-off-by: Roy Li <rongqing.li at windriver.com>
> ---
>   recipes-security/selinux/policycoreutils.inc       | 82 ++++++++++++++++++++--
>   .../0001-mcstrans-fix-the-init-script.patch        | 27 +++++++
>   .../selinux/policycoreutils/enable-mcstrans.patch  | 17 +++++
>   recipes-security/selinux/policycoreutils_2.3.bb    |  2 +
>   recipes-security/selinux/policycoreutils_git.bb    |  2 +
>   5 files changed, 126 insertions(+), 4 deletions(-)
>   create mode 100644 recipes-security/selinux/policycoreutils/0001-mcstrans-fix-the-init-script.patch
>   create mode 100644 recipes-security/selinux/policycoreutils/enable-mcstrans.patch
>
> diff --git a/recipes-security/selinux/policycoreutils.inc b/recipes-security/selinux/policycoreutils.inc
> index 44a5861..fa0b601 100644
> --- a/recipes-security/selinux/policycoreutils.inc
> +++ b/recipes-security/selinux/policycoreutils.inc
> @@ -13,11 +13,14 @@ PAM_SRC_URI = "file://pam.d/newrole \
>                  file://pam.d/run_init \
>   "
>
> -DEPENDS += "libsepol libselinux libsemanage"
> +DEPENDS += "libsepol libselinux libsemanage libcap"
>   EXTRA_DEPENDS = "libcap-ng libcgroup setools"
>   DEPENDS += "${@['', '${EXTRA_DEPENDS}']['${PN}' != '${BPN}-native']}"
>
> -inherit selinux
> +inherit selinux systemd pythonnative update-rc.d
> +
> +PROVIDES += "mcstrans"
> +
>   DEPENDS += "${@target_selinux(d, 'libpam audit')}"
>
>   RDEPENDS_${BPN}-audit2allow = "\
> @@ -113,7 +116,6 @@ RDEPENDS_${BPN} += "setools setools-libs ${BPN}-python"
>   WARN_QA := "${@oe_filter_out('unsafe-references-in-scripts', '${WARN_QA}', d)}"
>   ERROR_QA := "${@oe_filter_out('unsafe-references-in-scripts', '${ERROR_QA}', d)}"
>
> -inherit pythonnative
>
>   PACKAGES =+ "\
>   	${PN}-audit2allow \
> @@ -137,8 +139,31 @@ PACKAGES =+ "\
>   	${PN}-sestatus \
>   	${PN}-setfiles \
>   	${PN}-setsebool \
> +	mcstrans \
> +	mcstrans-doc \
>   	system-config-selinux \
>   "
> +PKGV_mcstrans = "0.3.2"
> +PKGV_mcstrans-doc = "0.3.2"
> +SUMMARY_mcstrans = "Daemon to translate SELinux MCS/MLS sensitivity labels"
> +DESCRIPTION_mcstrans = "\
> +        Security-enhanced Linux is a feature of the Linux kernel and a number \
> +        of utilities with enhanced security functionality designed to add \
> +        mandatory access controls to Linux.  The Security-enhanced Linux \
> +        kernel contains new architectural components originally developed to \
> +        improve the security of the Flask operating system. These \
> +        architectural components provide general support for the enforcement \
> +        of many kinds of mandatory access control policies, including those \
> +        based on the concepts of Type Enforcement®, Role-based Access \
> +        Control, and Multi-level Security. \
> +         \
> +        mcstrans provides an translation daemon to translate SELinux categories \
> +        from internal representations to user defined representation. \
> +        "
> +SUMMARY_mcstrans-doc = "${SUMMARY_mcstrans} man pages and examples"
> +DESCRIPTION_mcstrans-doc = "${DESCRIPTION_mcstrans} \
> +        This package contains man pages and examples. \
> +        "
>   FILES_${PN}-audit2allow = "\
>   	${bindir}/audit2allow \
>   	${bindir}/audit2why \
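Review bot: `PKGV_mcstrans = "0.3.2"` and `PKGV_mcstrans-doc = "0.3.2"` sit in the shared .inc, so policycoreutils_2.3.bb and policycoreutils_git.bb will both label the package 0.3.2 whatever mcstrans sources each one builds. Consider setting PKGV in the versioned recipes, or add a comment such as `# mcstrans version as shipped in policycoreutils <release>` so the value can be audited when the recipe is bumped. In DESCRIPTION_mcstrans, "provides an translation daemon" should read "provides a translation daemon".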
> @@ -208,6 +233,23 @@ FILES_${PN}-setsebool += "\
>   	${sbindir}/setsebool \
>   	${datadir}/bash-completion/completions/setsebool \
>   "
> +FILES_mcstrans = "\
> +	${base_sbindir}/mcstransd \
> +	${sbindir}/untranscon \
> +	${sbindir}/transcon \
> +	${sysconfdir}/init.d/mcstrans \
> +	${systemd_unitdir}/system/mcstrans.service \
> +	${sysconfdir}/default/volatiles/volatiles.80_mcstrans \
> +	${sysconfdir}/tmpfiles.d/setrans.conf \
> +"
> +
> +FILES_mcstrans-doc = "\
> +    /usr/share/man/man8/mcstransd.8 \
> +    /usr/share/man/man8/mcs.8 \
> +    /usr/share/man/man8/setrans.conf.8 \
> +    ${datadir}/mcstrans \
> +"
> +
>   FILES_system-config-selinux = " \
>       ${bindir}/sepolgen \
>       ${datadir}/system-config-selinux/* \
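Review bot: FILES_mcstrans-doc hard-codes `/usr/share/man/man8/...` for the three man pages, while every other entry added in this hunk goes through a path variable. If a distro overrides `mandir`, these pages will not be matched by mcstrans-doc and will be picked up by whichever later package matches them. Use `${mandir}/man8/mcstransd.8`, `${mandir}/man8/mcs.8` and `${mandir}/man8/setrans.conf.8` instead.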
> @@ -248,7 +290,24 @@ do_compile_prepend() {
>
>   do_install_prepend() {
>   	export PYTHON=python
> -	export SEMODULE_PATH=${sbindir}
> +	export SEMODULE_PATH=${sbindir} SYSTEMDDIR=${D}/${systemd_unitdir}
> +}
> +
> +do_install_append_class-target() {
> +	install -m 755 mcstrans/utils/untranscon ${D}${sbindir}/
> +	install -m 755 mcstrans/utils/transcon ${D}${sbindir}/
> +
> +	if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
> +		install -d ${D}${sysconfdir}/tmpfiles.d
> +		echo "d ${localstatedir}/run/setrans - - - -" \
> +		    > ${D}${sysconfdir}/tmpfiles.d/setrans.conf
> +	else
> +		install -d ${D}${sysconfdir}/default/volatiles
> +		echo "d root root 0755 /var/run/setrans none" \
> +			>${D}${sysconfdir}/default/volatiles/volatiles.80_mcstrans
> +	fi
> +	install -d ${D}${datadir}/mcstrans
> +	cp -r mcstrans/share/* ${D}${datadir}/mcstrans/.
>   }
>
>   do_install_virtclass-native() {
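Review bot: The tmpfiles.d entry written in the systemd branch, `d ${localstatedir}/run/setrans - - - -`, leaves mode and ownership to systemd-tmpfiles defaults, while the sysvinit branch spells out `root root 0755` and uses a literal `/var/run/setrans`. This looks like the runtime directory for the translation daemon (an assumption from the name, confirm against mcstransd), so I would pin the permissions so both init systems provably create the same thing: `echo "d ${localstatedir}/run/setrans 0755 root root -"`. Using `${localstatedir}` in the volatiles line as well would keep the two paths from drifting apart. In do_install_prepend, `SYSTEMDDIR=${D}/${systemd_unitdir}` produces a doubled slash; `${D}${systemd_unitdir}` matches the rest of the recipe.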
> @@ -266,3 +325,18 @@ do_install_append_class-target() {
>   		install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/
>   	fi
>   }
> +
> +SYSTEMD_SERVICE_mcstrans = "mcstrans.service"
> +INITSCRIPT_PACKAGES = "mcstrans"
> +INITSCRIPT_NAME_mcstrans = "mcstrans"
> +INITSCRIPT_PARAMS_mcstrans = "defaults"
> +
> +pkg_postinst_mcstrans () {
> +    if [ -z "$D" ]; then
> +        if command -v systemd-tmpfiles >/dev/null; then
> +            systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/setrans.conf
> +        elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
> +            ${sysconfdir}/init.d/populate-volatile.sh update
> +        fi
> +    fi
> +}
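Review bot: `SYSTEMD_SERVICE_mcstrans` is set but `SYSTEMD_PACKAGES` is not. As far as I know, systemd.bbclass only processes packages listed in SYSTEMD_PACKAGES, which defaults to `${PN}`, so mcstrans.service would be shipped but the class would not generate the enable/start postinst for it; add `SYSTEMD_PACKAGES = "mcstrans"` next to `INITSCRIPT_PACKAGES`. Separately, pkg_postinst_mcstrans picks its branch with `command -v systemd-tmpfiles`, whereas do_install decides which of setrans.conf or volatiles.80_mcstrans to ship from DISTRO_FEATURES. On an image that has the systemd-tmpfiles binary but was built without the systemd feature, the postinst would point at a setrans.conf that was never installed, and the directory would not be created. Selecting the branch with the same `${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}` test keeps install and postinst in step.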
> diff --git a/recipes-security/selinux/policycoreutils/0001-mcstrans-fix-the-init-script.patch b/recipes-security/selinux/policycoreutils/0001-mcstrans-fix-the-init-script.patch
> new file mode 100644
> index 0000000..39be80a
> --- /dev/null
> +++ b/recipes-security/selinux/policycoreutils/0001-mcstrans-fix-the-init-script.patch
> @@ -0,0 +1,27 @@
> +[PATCH] mcstrans: fix the init script
> +
> +Upstream-Status: Inappropriate [embedded specific]
> +
> +replace daemon with start-stop-daemon, due to not daemon functions
> +
> +Signed-off-by: Roy Li <rongqing.li at windriver.com>
> +---
> + mcstrans/src/mcstrans.init | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/mcstrans/src/mcstrans.init b/mcstrans/src/mcstrans.init
> +index 2804ec0..c660290 100644
> +--- a/mcstrans/src/mcstrans.init
> ++++ b/mcstrans/src/mcstrans.init
> +@@ -51,7 +51,7 @@ start(){
> + 	fi
> +
> + 	unset HOME MAIL USER USERNAME
> +-	daemon $prog "$EXTRAOPTIONS"
> ++	start-stop-daemon --start --quiet --exec $prog -- "$EXTRAOPTIONS"
> + 	RETVAL=$?
> + 	echo
> + 	if test $RETVAL = 0 ; then
> +--
> +1.9.1
> +
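Review bot: `"$EXTRAOPTIONS"` is now handed to start-stop-daemon as exactly one argument after `--`, so an empty value gives mcstransd an empty-string argument and a value holding two options arrives as a single word. Whether the old `daemon` helper re-split that string is not visible in this hunk. If EXTRAOPTIONS is meant to be an option list, leave it unquoted after `--` with a comment that the word-splitting is intentional, or at least drop the empty case with `${EXTRAOPTIONS:+"$EXTRAOPTIONS"}`. `--exec $prog` also depends on how `prog` is defined above the hunk, since some start-stop-daemon implementations require a full path there; confirm it is absolute. start() begins and ends outside the hunk, so the stop path is worth checking for a matching change.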
> diff --git a/recipes-security/selinux/policycoreutils/enable-mcstrans.patch b/recipes-security/selinux/policycoreutils/enable-mcstrans.patch
> new file mode 100644
> index 0000000..e923903
> --- /dev/null
> +++ b/recipes-security/selinux/policycoreutils/enable-mcstrans.patch
> @@ -0,0 +1,17 @@
> +Add the "mcstrans" subdir so it gets built too.
> +
> +Upstream-Status: Inappropriate [embedded specific]
> +
> +Signed-off-by: Roy Li <rongqing.li at windriver.com>
> +diff --git a/Makefile b/Makefile
> +index 83ebd45..3ae784f 100644
> +--- a/Makefile
> ++++ b/Makefile
> +@@ -1,5 +1,7 @@
> + SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui
> +
> ++SUBDIRS += mcstrans
> ++
> + INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
> +
> + ifeq (${INOTIFYH}, /usr/include/sys/inotify.h)
> diff --git a/recipes-security/selinux/policycoreutils_2.3.bb b/recipes-security/selinux/policycoreutils_2.3.bb
> index 447e6c9..c837266 100644
> --- a/recipes-security/selinux/policycoreutils_2.3.bb
> +++ b/recipes-security/selinux/policycoreutils_2.3.bb
> @@ -13,4 +13,6 @@ SRC_URI += "\
>   	file://policycoreutils-semanage-edit-user.patch \
>   	file://policycoreutils-process-ValueError-for-sepolicy-seobject.patch \
>   	file://policycoreutils-fix-TypeError-for-seobject.py.patch \
> +	file://0001-mcstrans-fix-the-init-script.patch \
> +	file://enable-mcstrans.patch \
>   	"
> diff --git a/recipes-security/selinux/policycoreutils_git.bb b/recipes-security/selinux/policycoreutils_git.bb
> index 823edb2..b630797 100644
> --- a/recipes-security/selinux/policycoreutils_git.bb
> +++ b/recipes-security/selinux/policycoreutils_git.bb
> @@ -9,4 +9,6 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
>   SRC_URI += "\
>   	file://policycoreutils-fix-sepolicy-install-path.patch \
>   	file://policycoreutils-make-O_CLOEXEC-optional.patch \
> +	file://0001-mcstrans-fix-the-init-script.patch \
> +	file://enable-mcstrans.patch \
>   	"
>


