From: wenzong fan <wenzong.fan@windriver.com>
To: <yocto@yoctoproject.org>
Subject: Re: [PATCH][meta-selinux] policycoreutils: enable mcstransd
Date: Wed, 8 Jul 2015 11:31:23 +0800	[thread overview]
Message-ID: <559C998B.4070902@windriver.com> (raw)
In-Reply-To: <1422257919-5468-1-git-send-email-rongqing.li@windriver.com>

Ping ...

On 01/26/2015 03:38 PM, rongqing.li@windriver.com wrote:
> From: Roy Li <rongqing.li@windriver.com>
>
> mcstransd is a daemon to translate SELinux MCS/MLS sensitivity labels,
> policycoreutils includes mcstransd whose version is newer than that
> from http://mcstrans.sourcearchive.com/
>
> Signed-off-by: Roy Li <rongqing.li@windriver.com>
> ---
>   recipes-security/selinux/policycoreutils.inc       | 82 ++++++++++++++++++++--
>   .../0001-mcstrans-fix-the-init-script.patch        | 27 +++++++
>   .../selinux/policycoreutils/enable-mcstrans.patch  | 17 +++++
>   recipes-security/selinux/policycoreutils_2.3.bb    |  2 +
>   recipes-security/selinux/policycoreutils_git.bb    |  2 +
>   5 files changed, 126 insertions(+), 4 deletions(-)
>   create mode 100644 recipes-security/selinux/policycoreutils/0001-mcstrans-fix-the-init-script.patch
>   create mode 100644 recipes-security/selinux/policycoreutils/enable-mcstrans.patch
>
> diff --git a/recipes-security/selinux/policycoreutils.inc b/recipes-security/selinux/policycoreutils.inc
> index 44a5861..fa0b601 100644
> --- a/recipes-security/selinux/policycoreutils.inc
> +++ b/recipes-security/selinux/policycoreutils.inc
> @@ -13,11 +13,14 @@ PAM_SRC_URI = "file://pam.d/newrole \
>                  file://pam.d/run_init \
>   "
>
> -DEPENDS += "libsepol libselinux libsemanage"
> +DEPENDS += "libsepol libselinux libsemanage libcap"
>   EXTRA_DEPENDS = "libcap-ng libcgroup setools"
>   DEPENDS += "${@['', '${EXTRA_DEPENDS}']['${PN}' != '${BPN}-native']}"
>
> -inherit selinux
> +inherit selinux systemd pythonnative update-rc.d
> +
> +PROVIDES += "mcstrans"
> +
>   DEPENDS += "${@target_selinux(d, 'libpam audit')}"
>
>   RDEPENDS_${BPN}-audit2allow = "\
> @@ -113,7 +116,6 @@ RDEPENDS_${BPN} += "setools setools-libs ${BPN}-python"
>   WARN_QA := "${@oe_filter_out('unsafe-references-in-scripts', '${WARN_QA}', d)}"
>   ERROR_QA := "${@oe_filter_out('unsafe-references-in-scripts', '${ERROR_QA}', d)}"
>
> -inherit pythonnative
>
>   PACKAGES =+ "\
>   	${PN}-audit2allow \
> @@ -137,8 +139,31 @@ PACKAGES =+ "\
>   	${PN}-sestatus \
>   	${PN}-setfiles \
>   	${PN}-setsebool \
> +	mcstrans \
> +	mcstrans-doc \
>   	system-config-selinux \
>   "
> +PKGV_mcstrans = "0.3.2"
> +PKGV_mcstrans-doc = "0.3.2"
> +SUMMARY_mcstrans = "Daemon to translate SELinux MCS/MLS sensitivity labels"
> +DESCRIPTION_mcstrans = "\
> +        Security-enhanced Linux is a feature of the Linux kernel and a number \
> +        of utilities with enhanced security functionality designed to add \
> +        mandatory access controls to Linux.  The Security-enhanced Linux \
> +        kernel contains new architectural components originally developed to \
> +        improve the security of the Flask operating system. These \
> +        architectural components provide general support for the enforcement \
> +        of many kinds of mandatory access control policies, including those \
> +        based on the concepts of Type Enforcement®, Role-based Access \
> +        Control, and Multi-level Security. \
> +         \
> +        mcstrans provides an translation daemon to translate SELinux categories \
> +        from internal representations to user defined representation. \
> +        "
> +SUMMARY_mcstrans-doc = "${SUMMARY_mcstrans} man pages and examples"
> +DESCRIPTION_mcstrans-doc = "${DESCRIPTION_mcstrans} \
> +        This package contains man pages and examples. \
> +        "
>   FILES_${PN}-audit2allow = "\
>   	${bindir}/audit2allow \
>   	${bindir}/audit2why \
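Review bot: `PKGV_mcstrans = "0.3.2"` and `PKGV_mcstrans-doc = "0.3.2"` hard-code a version that has to be kept in step by hand with the mcstrans sources bundled in policycoreutils. Because they live in the shared .inc, the same value is applied to both the 2.3 and the git recipe, whose mcstrans copies may not be the same version. A one-line comment above them saying where the number comes from would help the next upgrade, e.g. `# mcstrans version as shipped in the policycoreutils source tree; re-check on upgrade`. In DESCRIPTION_mcstrans, "an translation daemon" should read "a translation daemon".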
> @@ -208,6 +233,23 @@ FILES_${PN}-setsebool += "\
>   	${sbindir}/setsebool \
>   	${datadir}/bash-completion/completions/setsebool \
>   "
> +FILES_mcstrans = "\
> +	${base_sbindir}/mcstransd \
> +	${sbindir}/untranscon \
> +	${sbindir}/transcon \
> +	${sysconfdir}/init.d/mcstrans \
> +	${systemd_unitdir}/system/mcstrans.service \
> +	${sysconfdir}/default/volatiles/volatiles.80_mcstrans \
> +	${sysconfdir}/tmpfiles.d/setrans.conf \
> +"
> +
> +FILES_mcstrans-doc = "\
> +    /usr/share/man/man8/mcstransd.8 \
> +    /usr/share/man/man8/mcs.8 \
> +    /usr/share/man/man8/setrans.conf.8 \
> +    ${datadir}/mcstrans \
> +"
> +
>   FILES_system-config-selinux = " \
>       ${bindir}/sepolgen \
>       ${datadir}/system-config-selinux/* \
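Review bot: FILES_mcstrans-doc spells the man page locations as literal `/usr/share/man/man8/...` while every other entry in this hunk uses path variables. With a non-default prefix or mandir the pages would not match and would fall through to another package. Use `${mandir}/man8/mcstransd.8`, `${mandir}/man8/mcs.8` and `${mandir}/man8/setrans.conf.8`. The block is also indented with four spaces where FILES_mcstrans directly above it uses a tab.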
> @@ -248,7 +290,24 @@ do_compile_prepend() {
>
>   do_install_prepend() {
>   	export PYTHON=python
> -	export SEMODULE_PATH=${sbindir}
> +	export SEMODULE_PATH=${sbindir} SYSTEMDDIR=${D}/${systemd_unitdir}
> +}
> +
> +do_install_append_class-target() {
> +	install -m 755 mcstrans/utils/untranscon ${D}${sbindir}/
> +	install -m 755 mcstrans/utils/transcon ${D}${sbindir}/
> +
> +	if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
> +		install -d ${D}${sysconfdir}/tmpfiles.d
> +		echo "d ${localstatedir}/run/setrans - - - -" \
> +		    > ${D}${sysconfdir}/tmpfiles.d/setrans.conf
> +	else
> +		install -d ${D}${sysconfdir}/default/volatiles
> +		echo "d root root 0755 /var/run/setrans none" \
> +			>${D}${sysconfdir}/default/volatiles/volatiles.80_mcstrans
> +	fi
> +	install -d ${D}${datadir}/mcstrans
> +	cp -r mcstrans/share/* ${D}${datadir}/mcstrans/.
>   }
>
>   do_install_virtclass-native() {
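Review bot: The tmpfiles.d entry written in the systemd branch, `d ${localstatedir}/run/setrans - - - -`, leaves mode and ownership to the systemd-tmpfiles defaults, while the sysvinit branch states them explicitly as root:root 0755. This directory is presumably where mcstransd creates its socket, so the permissions are worth pinning identically in both branches: `echo "d ${localstatedir}/run/setrans 0755 root root -"`. The two branches also spell the path differently (`${localstatedir}/run` against a literal `/var/run`), and the `${D}...` arguments to install and cp are unquoted. do_install_virtclass-native() at the end of the hunk continues outside it.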
> @@ -266,3 +325,18 @@ do_install_append_class-target() {
>   		install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/
>   	fi
>   }
> +
> +SYSTEMD_SERVICE_mcstrans = "mcstrans.service"
> +INITSCRIPT_PACKAGES = "mcstrans"
> +INITSCRIPT_NAME_mcstrans = "mcstrans"
> +INITSCRIPT_PARAMS_mcstrans = "defaults"
> +
> +pkg_postinst_mcstrans () {
> +    if [ -z "$D" ]; then
> +        if command -v systemd-tmpfiles >/dev/null; then
> +            systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/setrans.conf
> +        elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
> +            ${sysconfdir}/init.d/populate-volatile.sh update
> +        fi
> +    fi
> +}
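Review bot: `SYSTEMD_SERVICE_mcstrans` is set here, but no hunk in this patch sets `SYSTEMD_PACKAGES`, which systemd.bbclass defaults to `${PN}`. Unless it is assigned in a part of the file not shown, the class will look for a unit belonging to the main policycoreutils package instead of wiring up mcstrans.service in the mcstrans package; add `SYSTEMD_PACKAGES = "mcstrans"` next to the INITSCRIPT_PACKAGES line. In pkg_postinst_mcstrans, the runtime test for systemd-tmpfiles is independent of the build-time DISTRO_FEATURES test that decides whether setrans.conf is installed, so the first branch can run against a file that was never packaged. Guarding it with `[ -e ${sysconfdir}/tmpfiles.d/setrans.conf ]` would cover that case and fall through to populate-volatile.sh otherwise.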
> diff --git a/recipes-security/selinux/policycoreutils/0001-mcstrans-fix-the-init-script.patch b/recipes-security/selinux/policycoreutils/0001-mcstrans-fix-the-init-script.patch
> new file mode 100644
> index 0000000..39be80a
> --- /dev/null
> +++ b/recipes-security/selinux/policycoreutils/0001-mcstrans-fix-the-init-script.patch
> @@ -0,0 +1,27 @@
> +[PATCH] mcstrans: fix the init script
> +
> +Upstream-Status: Inappropriate [embedded specific]
> +
> +replace daemon with start-stop-daemon, due to not daemon functions
> +
> +Signed-off-by: Roy Li <rongqing.li@windriver.com>
> +---
> + mcstrans/src/mcstrans.init | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/mcstrans/src/mcstrans.init b/mcstrans/src/mcstrans.init
> +index 2804ec0..c660290 100644
> +--- a/mcstrans/src/mcstrans.init
> ++++ b/mcstrans/src/mcstrans.init
> +@@ -51,7 +51,7 @@ start(){
> + 	fi
> +
> + 	unset HOME MAIL USER USERNAME
> +-	daemon $prog "$EXTRAOPTIONS"
> ++	start-stop-daemon --start --quiet --exec $prog -- "$EXTRAOPTIONS"
> + 	RETVAL=$?
> + 	echo
> + 	if test $RETVAL = 0 ; then
> +--
> +1.9.1
> +
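Review bot: In the replacement line `"$EXTRAOPTIONS"` stays quoted, so mcstransd receives exactly one argument: an empty string when the variable is unset, or all options fused into one word when it holds several. The Red Hat-style `daemon` helper re-parses its arguments through a shell, which hid this; start-stop-daemon passes them through unchanged. Something like `start-stop-daemon --start --quiet --exec "$prog" -- $EXTRAOPTIONS` (deliberately unquoted, with a comment saying so) keeps the old behaviour. The hunk changes only start(); whether stop() and status still call helpers from the same missing functions library cannot be seen from here and should be checked.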
> diff --git a/recipes-security/selinux/policycoreutils/enable-mcstrans.patch b/recipes-security/selinux/policycoreutils/enable-mcstrans.patch
> new file mode 100644
> index 0000000..e923903
> --- /dev/null
> +++ b/recipes-security/selinux/policycoreutils/enable-mcstrans.patch
> @@ -0,0 +1,17 @@
> +Add the "mcstrans" subdir so it gets built too.
> +
> +Upstream-Status: Inappropriate [embedded specific]
> +
> +Signed-off-by: Roy Li <rongqing.li@windriver.com>
> +diff --git a/Makefile b/Makefile
> +index 83ebd45..3ae784f 100644
> +--- a/Makefile
> ++++ b/Makefile
> +@@ -1,5 +1,7 @@
> + SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui
> +
> ++SUBDIRS += mcstrans
> ++
> + INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
> +
> + ifeq (${INOTIFYH}, /usr/include/sys/inotify.h)
> diff --git a/recipes-security/selinux/policycoreutils_2.3.bb b/recipes-security/selinux/policycoreutils_2.3.bb
> index 447e6c9..c837266 100644
> --- a/recipes-security/selinux/policycoreutils_2.3.bb
> +++ b/recipes-security/selinux/policycoreutils_2.3.bb
> @@ -13,4 +13,6 @@ SRC_URI += "\
>   	file://policycoreutils-semanage-edit-user.patch \
>   	file://policycoreutils-process-ValueError-for-sepolicy-seobject.patch \
>   	file://policycoreutils-fix-TypeError-for-seobject.py.patch \
> +	file://0001-mcstrans-fix-the-init-script.patch \
> +	file://enable-mcstrans.patch \
>   	"
> diff --git a/recipes-security/selinux/policycoreutils_git.bb b/recipes-security/selinux/policycoreutils_git.bb
> index 823edb2..b630797 100644
> --- a/recipes-security/selinux/policycoreutils_git.bb
> +++ b/recipes-security/selinux/policycoreutils_git.bb
> @@ -9,4 +9,6 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
>   SRC_URI += "\
>   	file://policycoreutils-fix-sepolicy-install-path.patch \
>   	file://policycoreutils-make-O_CLOEXEC-optional.patch \
> +	file://0001-mcstrans-fix-the-init-script.patch \
> +	file://enable-mcstrans.patch \
>   	"
>

