[yocto] [PATCH][meta-selinux] policycoreutils: enable mcstransd
wenzong fan
wenzong.fan at windriver.com
Tue Jul 7 20:31:23 PDT 2015
Ping ...
On 01/26/2015 03:38 PM, rongqing.li at windriver.com wrote:
> From: Roy Li <rongqing.li at windriver.com>
>
> mcstransd is a daemon that translates SELinux MCS/MLS sensitivity labels.
> policycoreutils ships its own copy of mcstransd, which is newer than the
> one from http://mcstrans.sourcearchive.com/
>
> Signed-off-by: Roy Li <rongqing.li at windriver.com>
> ---
> recipes-security/selinux/policycoreutils.inc | 82 ++++++++++++++++++++--
> .../0001-mcstrans-fix-the-init-script.patch | 27 +++++++
> .../selinux/policycoreutils/enable-mcstrans.patch | 17 +++++
> recipes-security/selinux/policycoreutils_2.3.bb | 2 +
> recipes-security/selinux/policycoreutils_git.bb | 2 +
> 5 files changed, 126 insertions(+), 4 deletions(-)
> create mode 100644 recipes-security/selinux/policycoreutils/0001-mcstrans-fix-the-init-script.patch
> create mode 100644 recipes-security/selinux/policycoreutils/enable-mcstrans.patch
>
> diff --git a/recipes-security/selinux/policycoreutils.inc b/recipes-security/selinux/policycoreutils.inc
> index 44a5861..fa0b601 100644
> --- a/recipes-security/selinux/policycoreutils.inc
> +++ b/recipes-security/selinux/policycoreutils.inc
> @@ -13,11 +13,14 @@ PAM_SRC_URI = "file://pam.d/newrole \
> file://pam.d/run_init \
> "
>
> -DEPENDS += "libsepol libselinux libsemanage"
> +DEPENDS += "libsepol libselinux libsemanage libcap"
> EXTRA_DEPENDS = "libcap-ng libcgroup setools"
> DEPENDS += "${@['', '${EXTRA_DEPENDS}']['${PN}' != '${BPN}-native']}"
>
> -inherit selinux
> +inherit selinux systemd pythonnative update-rc.d
> +
> +PROVIDES += "mcstrans"
> +
> DEPENDS += "${@target_selinux(d, 'libpam audit')}"
>
> RDEPENDS_${BPN}-audit2allow = "\
> @@ -113,7 +116,6 @@ RDEPENDS_${BPN} += "setools setools-libs ${BPN}-python"
> WARN_QA := "${@oe_filter_out('unsafe-references-in-scripts', '${WARN_QA}', d)}"
> ERROR_QA := "${@oe_filter_out('unsafe-references-in-scripts', '${ERROR_QA}', d)}"
>
> -inherit pythonnative
>
> PACKAGES =+ "\
> ${PN}-audit2allow \
> @@ -137,8 +139,31 @@ PACKAGES =+ "\
> ${PN}-sestatus \
> ${PN}-setfiles \
> ${PN}-setsebool \
> + mcstrans \
> + mcstrans-doc \
> system-config-selinux \
> "
> +PKGV_mcstrans = "0.3.2"
> +PKGV_mcstrans-doc = "0.3.2"
> +SUMMARY_mcstrans = "Daemon to translate SELinux MCS/MLS sensitivity labels"
> +DESCRIPTION_mcstrans = "\
> + Security-enhanced Linux is a feature of the Linux kernel and a number \
> + of utilities with enhanced security functionality designed to add \
> + mandatory access controls to Linux. The Security-enhanced Linux \
> + kernel contains new architectural components originally developed to \
> + improve the security of the Flask operating system. These \
> + architectural components provide general support for the enforcement \
> + of many kinds of mandatory access control policies, including those \
> + based on the concepts of Type Enforcement®, Role-based Access \
> + Control, and Multi-level Security. \
> + \
> + mcstrans provides an translation daemon to translate SELinux categories \
> + from internal representations to user defined representation. \
> + "
> +SUMMARY_mcstrans-doc = "${SUMMARY_mcstrans} man pages and examples"
> +DESCRIPTION_mcstrans-doc = "${DESCRIPTION_mcstrans} \
> + This package contains man pages and examples. \
> + "
> FILES_${PN}-audit2allow = "\
> ${bindir}/audit2allow \
> ${bindir}/audit2why \
> @@ -208,6 +233,23 @@ FILES_${PN}-setsebool += "\
> ${sbindir}/setsebool \
> ${datadir}/bash-completion/completions/setsebool \
> "
> +FILES_mcstrans = "\
> + ${base_sbindir}/mcstransd \
> + ${sbindir}/untranscon \
> + ${sbindir}/transcon \
> + ${sysconfdir}/init.d/mcstrans \
> + ${systemd_unitdir}/system/mcstrans.service \
> + ${sysconfdir}/default/volatiles/volatiles.80_mcstrans \
> + ${sysconfdir}/tmpfiles.d/setrans.conf \
> +"
> +
> +FILES_mcstrans-doc = "\
> + /usr/share/man/man8/mcstransd.8 \
> + /usr/share/man/man8/mcs.8 \
> + /usr/share/man/man8/setrans.conf.8 \
> + ${datadir}/mcstrans \
> +"
> +
> FILES_system-config-selinux = " \
> ${bindir}/sepolgen \
> ${datadir}/system-config-selinux/* \
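Review bot: The three man-page entries in `FILES_mcstrans-doc` hard-code `/usr/share/man/man8/` while every other path in this hunk goes through a BitBake path variable. If a distro overrides `mandir` or `prefix`, the pages would no longer match here and would fall through to another package. I would write them as `${mandir}/man8/mcstransd.8`, `${mandir}/man8/mcs.8` and `${mandir}/man8/setrans.conf.8`.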
> @@ -248,7 +290,24 @@ do_compile_prepend() {
>
> do_install_prepend() {
> export PYTHON=python
> - export SEMODULE_PATH=${sbindir}
> + export SEMODULE_PATH=${sbindir} SYSTEMDDIR=${D}/${systemd_unitdir}
> +}
> +
> +do_install_append_class-target() {
> + install -m 755 mcstrans/utils/untranscon ${D}${sbindir}/
> + install -m 755 mcstrans/utils/transcon ${D}${sbindir}/
> +
> + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
> + install -d ${D}${sysconfdir}/tmpfiles.d
> + echo "d ${localstatedir}/run/setrans - - - -" \
> + > ${D}${sysconfdir}/tmpfiles.d/setrans.conf
> + else
> + install -d ${D}${sysconfdir}/default/volatiles
> + echo "d root root 0755 /var/run/setrans none" \
> + >${D}${sysconfdir}/default/volatiles/volatiles.80_mcstrans
> + fi
> + install -d ${D}${datadir}/mcstrans
> + cp -r mcstrans/share/* ${D}${datadir}/mcstrans/.
> }
>
> do_install_virtclass-native() {
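Review bot: The two branches of `do_install_append_class-target` describe the runtime directory for the mcstransd socket differently. The volatiles line pins `root root 0755` on a literal `/var/run/setrans`, while the tmpfiles.d line uses `${localstatedir}/run/setrans` and leaves mode and ownership to the `-` defaults. Since clients reach the daemon through this directory, its permissions are part of the access path and should be stated the same way in both branches, for example `echo "d ${localstatedir}/run/setrans 0755 root root -"` for tmpfiles.d and `${localstatedir}/run/setrans` in the volatiles entry. A short comment above the `if` saying that the directory holds the translation socket would help the next reader. The `do_install_virtclass-native` function that follows starts at the edge of the hunk and is not reviewed here.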
> @@ -266,3 +325,18 @@ do_install_append_class-target() {
> install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/
> fi
> }
> +
> +SYSTEMD_SERVICE_mcstrans = "mcstrans.service"
> +INITSCRIPT_PACKAGES = "mcstrans"
> +INITSCRIPT_NAME_mcstrans = "mcstrans"
> +INITSCRIPT_PARAMS_mcstrans = "defaults"
> +
> +pkg_postinst_mcstrans () {
> + if [ -z "$D" ]; then
> + if command -v systemd-tmpfiles >/dev/null; then
> + systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/setrans.conf
> + elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
> + ${sysconfdir}/init.d/populate-volatile.sh update
> + fi
> + fi
> +}
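Review bot: `SYSTEMD_SERVICE_mcstrans` is set but nothing visible in this patch sets `SYSTEMD_PACKAGES`, whereas the sysvinit side does name its package with `INITSCRIPT_PACKAGES = "mcstrans"`. As far as I know systemd.bbclass defaults `SYSTEMD_PACKAGES` to `${PN}`, so the class would look for a unit belonging to policycoreutils and not register `mcstrans.service` for the mcstrans package; please confirm on a systemd-enabled build. Adding `SYSTEMD_PACKAGES = "mcstrans"` next to the `INITSCRIPT_*` lines would keep the two init systems symmetric. In `pkg_postinst_mcstrans` the systemd branch is chosen by whether `systemd-tmpfiles` exists on the target, while the file it reads is only installed when `systemd` is in `DISTRO_FEATURES`, so a guard such as `[ -e ${sysconfdir}/tmpfiles.d/setrans.conf ]` would make that branch safe.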
> diff --git a/recipes-security/selinux/policycoreutils/0001-mcstrans-fix-the-init-script.patch b/recipes-security/selinux/policycoreutils/0001-mcstrans-fix-the-init-script.patch
> new file mode 100644
> index 0000000..39be80a
> --- /dev/null
> +++ b/recipes-security/selinux/policycoreutils/0001-mcstrans-fix-the-init-script.patch
> @@ -0,0 +1,27 @@
> +[PATCH] mcstrans: fix the init script
> +
> +Upstream-Status: Inappropriate [embedded specific]
> +
> +replace daemon with start-stop-daemon, due to not daemon functions
> +
> +Signed-off-by: Roy Li <rongqing.li at windriver.com>
> +---
> + mcstrans/src/mcstrans.init | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/mcstrans/src/mcstrans.init b/mcstrans/src/mcstrans.init
> +index 2804ec0..c660290 100644
> +--- a/mcstrans/src/mcstrans.init
> ++++ b/mcstrans/src/mcstrans.init
> +@@ -51,7 +51,7 @@ start(){
> + fi
> +
> + unset HOME MAIL USER USERNAME
> +- daemon $prog "$EXTRAOPTIONS"
> ++ start-stop-daemon --start --quiet --exec $prog -- "$EXTRAOPTIONS"
> + RETVAL=$?
> + echo
> + if test $RETVAL = 0 ; then
> +--
> +1.9.1
> +
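Review bot: In the replaced line, `"$EXTRAOPTIONS"` is quoted, so `start-stop-daemon` hands mcstransd exactly one argument: an empty string when the variable is unset, or all options glued into one word when several are configured. An init-script `daemon` helper typically re-splits its arguments, which would have hidden this; here the daemon's own option parsing sees the value verbatim. I would pass it unquoted and deliberately, `start-stop-daemon --start --quiet --exec $prog -- $EXTRAOPTIONS`, with a comment that word splitting is intended. The definition of `$prog` and the rest of `start()` lie outside the hunk, so it is worth checking that `$prog` is an absolute path, since `--exec` matches on the executable path.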
> diff --git a/recipes-security/selinux/policycoreutils/enable-mcstrans.patch b/recipes-security/selinux/policycoreutils/enable-mcstrans.patch
> new file mode 100644
> index 0000000..e923903
> --- /dev/null
> +++ b/recipes-security/selinux/policycoreutils/enable-mcstrans.patch
> @@ -0,0 +1,17 @@
> +Add the "mcstrans" subdir so it gets built too.
> +
> +Upstream-Status: Inappropriate [embedded specific]
> +
> +Signed-off-by: Roy Li <rongqing.li at windriver.com>
> +diff --git a/Makefile b/Makefile
> +index 83ebd45..3ae784f 100644
> +--- a/Makefile
> ++++ b/Makefile
> +@@ -1,5 +1,7 @@
> + SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui
> +
> ++SUBDIRS += mcstrans
> ++
> + INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
> +
> + ifeq (${INOTIFYH}, /usr/include/sys/inotify.h)
> diff --git a/recipes-security/selinux/policycoreutils_2.3.bb b/recipes-security/selinux/policycoreutils_2.3.bb
> index 447e6c9..c837266 100644
> --- a/recipes-security/selinux/policycoreutils_2.3.bb
> +++ b/recipes-security/selinux/policycoreutils_2.3.bb
> @@ -13,4 +13,6 @@ SRC_URI += "\
> file://policycoreutils-semanage-edit-user.patch \
> file://policycoreutils-process-ValueError-for-sepolicy-seobject.patch \
> file://policycoreutils-fix-TypeError-for-seobject.py.patch \
> + file://0001-mcstrans-fix-the-init-script.patch \
> + file://enable-mcstrans.patch \
> "
> diff --git a/recipes-security/selinux/policycoreutils_git.bb b/recipes-security/selinux/policycoreutils_git.bb
> index 823edb2..b630797 100644
> --- a/recipes-security/selinux/policycoreutils_git.bb
> +++ b/recipes-security/selinux/policycoreutils_git.bb
> @@ -9,4 +9,6 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
> SRC_URI += "\
> file://policycoreutils-fix-sepolicy-install-path.patch \
> file://policycoreutils-make-O_CLOEXEC-optional.patch \
> + file://0001-mcstrans-fix-the-init-script.patch \
> + file://enable-mcstrans.patch \
> "
>