[yocto] [PATCH 11/20] selinux-sandbox: add package 2.7 (20170804)
wenzong.fan at windriver.com
wenzong.fan at windriver.com
Tue Sep 12 19:42:53 PDT 2017
From: Wenzong Fan <wenzong.fan at windriver.com>
Move policycoreutils/sandbox to sandbox:
* Move and rebase patch:
- policycoreutils-sandbox-de-bashify.patch
* Cleanup policycoreutils.inc
Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
---
recipes-security/selinux/policycoreutils.inc | 17 -------------
recipes-security/selinux/selinux-sandbox.inc | 28 ++++++++++++++++++++++
.../sandbox-de-bashify.patch} | 13 +++++-----
recipes-security/selinux/selinux-sandbox_2.7.bb | 7 ++++++
4 files changed, 42 insertions(+), 23 deletions(-)
create mode 100644 recipes-security/selinux/selinux-sandbox.inc
rename recipes-security/selinux/{policycoreutils/policycoreutils-sandbox-de-bashify.patch => selinux-sandbox/sandbox-de-bashify.patch} (79%)
create mode 100644 recipes-security/selinux/selinux-sandbox_2.7.bb
diff --git a/recipes-security/selinux/policycoreutils.inc b/recipes-security/selinux/policycoreutils.inc
index e8f6e5f..9e45e0c 100644
--- a/recipes-security/selinux/policycoreutils.inc
+++ b/recipes-security/selinux/policycoreutils.inc
@@ -9,7 +9,6 @@ LICENSE = "GPLv2+"
SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
file://policycoreutils-fixfiles-de-bashify.patch \
- file://policycoreutils-sandbox-de-bashify.patch \
"
PAM_SRC_URI = "file://pam.d/newrole \
@@ -64,15 +63,6 @@ RDEPENDS_${BPN}-python += "\
libsemanage-python \
"
RDEPENDS_${BPN}-runinit += "libselinux"
-RDEPENDS_${BPN}-sandbox += "\
- python-math \
- python-shell \
- python-subprocess \
- python-textutils \
- python-unixadmin \
- libselinux-python \
- ${BPN}-python \
-"
RDEPENDS_${BPN}-secon += "libselinux"
RDEPENDS_${BPN}-semanage = "\
python-core \
@@ -128,7 +118,6 @@ PACKAGES =+ "\
${PN}-newrole \
${PN}-python \
${PN}-runinit \
- ${PN}-sandbox \
${PN}-secon \
${PN}-semanage \
${PN}-semodule \
@@ -171,12 +160,6 @@ FILES_${PN}-runinit += "\
${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/run_init', '', d)} \
"
FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy/.debug/* ${prefix}/libexec/selinux/hll/.debug"
-FILES_${PN}-sandbox += "\
- ${datadir}/sandbox/* \
- ${bindir}/sandbox \
- ${sbindir}/seunshare \
- ${sysconfdir}/sysconfig/sandbox \
-"
FILES_${PN}-secon += "${bindir}/secon"
FILES_${PN}-semanage = "\
${sbindir}/semanage \
diff --git a/recipes-security/selinux/selinux-sandbox.inc b/recipes-security/selinux/selinux-sandbox.inc
new file mode 100644
index 0000000..8616dd7
--- /dev/null
+++ b/recipes-security/selinux/selinux-sandbox.inc
@@ -0,0 +1,28 @@
+SUMMARY = "Run cmd under an SELinux sandbox"
+DESCRIPTION = "\
+Run application within a tightly confined SELinux domain. The default \
+sandbox domain only allows applications the ability to read and write \
+stdin, stdout and any other file descriptors handed to it."
+
+SECTION = "base"
+LICENSE = "GPLv2+"
+
+SRC_URI += "file://sandbox-de-bashify.patch \
+"
+
+DEPENDS += "libcap-ng libselinux"
+
+RDEPENDS_${PN} += "\
+ python-math \
+ python-shell \
+ python-subprocess \
+ python-textutils \
+ python-unixadmin \
+ libselinux-python \
+ selinux-python \
+"
+
+FILES_${PN} += "\
+ ${datadir}/sandbox/sandboxX.sh \
+ ${datadir}/sandbox/start \
+"
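Review bot: The runtime dependency list in this hunk replaces the old `${BPN}-python` (i.e. policycoreutils-python) with `selinux-python`, and the commit message does not mention that rename; if `selinux-python` is not provided by an earlier patch in this series the package will fail to resolve at rootfs time, so the message should state where that package comes from. FILES_${PN} also narrows from the previous `${datadir}/sandbox/*` to exactly `${datadir}/sandbox/sandboxX.sh` and `${datadir}/sandbox/start`, so any other file upstream installs there would trip the installed-vs-shipped QA check; keeping `${datadir}/sandbox/*` would be safer unless the narrower list is deliberate. The binaries that left policycoreutils (`${bindir}/sandbox`, `${sbindir}/seunshare`, `${sysconfdir}/sysconfig/sandbox`) are presumably now covered by the default FILES_${PN}; since seunshare is, as far as I recall, installed setuid root by upstream, a short comment such as `# seunshare (setuid helper) and sandbox are packaged via the default FILES_${PN}` would make the privileged content of this package explicit to reviewers.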
diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-sandbox-de-bashify.patch b/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch
similarity index 79%
rename from recipes-security/selinux/policycoreutils/policycoreutils-sandbox-de-bashify.patch
rename to recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch
index c078ef6..18cef4b 100644
--- a/recipes-security/selinux/policycoreutils/policycoreutils-sandbox-de-bashify.patch
+++ b/recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch
@@ -9,25 +9,26 @@ sandboxX script, so point them at /bin/sh instead.
Upstream-Status: Pending
Signed-off-by: Joe MacDonald <joe_macdonald at mentor.com>
+Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
---
sandbox/sandbox.init | 2 +-
sandbox/sandboxX.sh | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
-diff --git a/sandbox/sandbox.init b/sandbox/sandbox.init
+diff --git a/sandbox.init b/sandbox.init
index b3979bf..1893dc8 100644
---- a/sandbox/sandbox.init
-+++ b/sandbox/sandbox.init
+--- a/sandbox.init
++++ b/sandbox.init
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
## BEGIN INIT INFO
# Provides: sandbox
# Default-Start: 3 4 5
-diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
+diff --git a/sandboxX.sh b/sandboxX.sh
index eaa500d..8755d75 100644
---- a/sandbox/sandboxX.sh
-+++ b/sandbox/sandboxX.sh
+--- a/sandboxX.sh
++++ b/sandboxX.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
diff --git a/recipes-security/selinux/selinux-sandbox_2.7.bb b/recipes-security/selinux/selinux-sandbox_2.7.bb
new file mode 100644
index 0000000..1307ce7
--- /dev/null
+++ b/recipes-security/selinux/selinux-sandbox_2.7.bb
@@ -0,0 +1,7 @@
+include selinux_20170804.inc
+include ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "7360e9dc7b1757b7f82face655982bfa"
+SRC_URI[sha256sum] = "9490620380ab6d428a92869002a51ada0343ca35fa2a6905595745902a64c541"
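Review bot: Both `include selinux_20170804.inc` and `include ${BPN}.inc` silently do nothing if the named file is missing, so a typo or a missing selinux-sandbox.inc would yield a recipe with no SRC_URI, no DEPENDS and no patches rather than a parse error; unless the layer deliberately uses `include` everywhere, `require selinux_20170804.inc` and `require ${BPN}.inc` would fail loudly instead. The checksums and LIC_FILES_CHKSUM look consistent with the rest of the series, assuming the shared .inc supplies SRC_URI for the 20170804 release tarballs.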
--
2.13.0