Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH v3 00/16] SELinux Buildroot Additions
@ 2013-09-25 19:32 Clayton Shotwell
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 01/16] pcre: Add host build support Clayton Shotwell
                   ` (16 more replies)
  0 siblings, 17 replies; 22+ messages in thread
From: Clayton Shotwell @ 2013-09-25 19:32 UTC (permalink / raw)
  To: buildroot

This is Round 3 for the SELinux package additions.
General changes in this version:
  - Reordered patches to ensure dependencies come before the packages.
  - Removed the libsepol package since it has already been applied.
  - Incorporated changes from Thomas and Arnout on many of the packages.

Per Thomas Petazzoni's <thomas.petazzoni@free-electrons.com> email, here is
a brief overview of SELinux and how I have implemented it in buildroot.

SELinux is made up of several packages and Linux kernel configurations.
The best reference, at least the most complete, is probably the SELinux
Notebook at the link below.  The notebook details how SELinux works and
gives very good examples on how to implement SELinux policies.

http://www.freetechbooks.com/the-selinux-notebook-the-foundations-t785.html

Packages:
   libsepol
   libselinux
   libsemanage
   checkpolicy
   sepolgen
   setools
   policycoreutils
   refpolicy

For this implementation, I have added a package hierarchy that will allow
for both a debugging and a pared down release version.  The debugging
version requires Python support, and is therefore much larger while the
release version does not.  To enable the release version, simply select
the refpolicy package (BR2_PACKAGE_REFPOLICY) and it selects all of the 
necessary packages to enable SELinux. For the debugging version, select
the policycoreutils debugging configure option
(BR2_PACKAGE_POLICYCOREUTILS_POLICY_DEBUGGING).  This will pull in Python
and a bunch of other packages into the build to debug the SELinux policy 
on target.  

Caveats:
   1. The Linux kernel config will need to be changed to enable SELinux
      support and extended attribute support on the file systems
   2. The busybox config will need to be changed to remove some packages
      or to build each executable as a stand-alone package. The busybox
      symlinks don't work well with the default refpolicy.
   3. The audit package will need to be enabled to log issues with the
      SELinux policy, especially if it is in enforcing mode.
   4. If a modular SELinux policy is selected, 
      BR2_PACKAGE_REFPOLICY_MONOLITHIC = n, then the policy will be compiled
      on target during the first boot which will take a long time (about
      a half hour on a pandaboard).

Clayton Shotwell (16):
  pcre: Add host build support
  libselinux: new package
  ustr: new package
  bzip2: Add host build shared library installation
  libsemanage: new package
  checkpolicy: new package
  sepolgen: new package
  sqlite: Add host build support
  setools: new package
  libcgroup: new package
  python-pyparsing: Add host build option
  audit: new package
  policycoreutils: new package
  python-pyxml: new package
  refpolicy: new package
  shadow: new package

 package/Config.in                                  |   16 +
 package/Config.in.host                             |    1 +
 package/audit/Config.in                            |   10 +
 package/audit/S14auditd                            |  172 +++
 ...it-0001-cross-compile-header-creation-fix.patch | 1424 ++++++++++++++++++++
 package/audit/audit-0002-remove-zos-plugin.patch   |   35 +
 package/audit/audit.mk                             |   58 +
 package/bzip2/bzip2.mk                             |    2 +
 package/checkpolicy/Config.in.host                 |   10 +
 package/checkpolicy/checkpolicy.mk                 |   30 +
 package/libcgroup/Config.in                        |    4 +
 package/libcgroup/libcgroup.mk                     |   38 +
 package/libselinux/Config.in                       |   19 +
 package/libselinux/libselinux.mk                   |   94 ++
 package/libsemanage/Config.in                      |   20 +
 .../libsemanage-0001-execption-lib-path-fix.patch  |   14 +
 package/libsemanage/libsemanage.mk                 |   80 ++
 package/pcre/pcre.mk                               |    1 +
 package/policycoreutils/Config.in                  |   76 ++
 package/policycoreutils/S15restorecond             |   85 ++
 .../policycoreutils-0001-cross-compile-fixes.patch |  332 +++++
 package/policycoreutils/policycoreutils.mk         |  230 ++++
 package/python-pyparsing/python-pyparsing.mk       |   47 +-
 package/python-pyxml/Config.in                     |   11 +
 package/python-pyxml/python-xml.mk                 |   58 +
 package/refpolicy/Config.in                        |   58 +
 package/refpolicy/S12selinux                       |  134 ++
 package/refpolicy/config                           |    8 +
 .../refpolicy-0001-gentoo-hardened-fixes.patch     | 1250 +++++++++++++++++
 package/refpolicy/refpolicy.mk                     |   80 ++
 package/sepolgen/Config.in                         |    8 +
 package/sepolgen/sepolgen.mk                       |   35 +
 package/setools/Config.in                          |   21 +
 .../setools/setools-0001-cross-compile-fixes.patch |  121 ++
 .../setools-0002-swig-typedef-python-fixes.patch   | 1014 ++++++++++++++
 package/setools/setools.mk                         |   85 ++
 package/shadow/Config.in                           |   13 +
 package/shadow/shadow.mk                           |   49 +
 package/sqlite/sqlite.mk                           |    1 +
 package/ustr/Config.in                             |   11 +
 .../ustr-0001-cross-compile-modifications.patch    |  144 ++
 package/ustr/ustr.mk                               |   55 +
 42 files changed, 5941 insertions(+), 13 deletions(-)
 create mode 100644 package/audit/Config.in
 create mode 100755 package/audit/S14auditd
 create mode 100644 package/audit/audit-0001-cross-compile-header-creation-fix.patch
 create mode 100644 package/audit/audit-0002-remove-zos-plugin.patch
 create mode 100644 package/audit/audit.mk
 create mode 100644 package/checkpolicy/Config.in.host
 create mode 100644 package/checkpolicy/checkpolicy.mk
 create mode 100644 package/libcgroup/Config.in
 create mode 100644 package/libcgroup/libcgroup.mk
 create mode 100644 package/libselinux/Config.in
 create mode 100644 package/libselinux/libselinux.mk
 create mode 100644 package/libsemanage/Config.in
 create mode 100644 package/libsemanage/libsemanage-0001-execption-lib-path-fix.patch
 create mode 100644 package/libsemanage/libsemanage.mk
 create mode 100644 package/policycoreutils/Config.in
 create mode 100755 package/policycoreutils/S15restorecond
 create mode 100644 package/policycoreutils/policycoreutils-0001-cross-compile-fixes.patch
 create mode 100644 package/policycoreutils/policycoreutils.mk
 create mode 100644 package/python-pyxml/Config.in
 create mode 100644 package/python-pyxml/python-xml.mk
 create mode 100644 package/refpolicy/Config.in
 create mode 100644 package/refpolicy/S12selinux
 create mode 100755 package/refpolicy/config
 create mode 100644 package/refpolicy/refpolicy-0001-gentoo-hardened-fixes.patch
 create mode 100644 package/refpolicy/refpolicy.mk
 create mode 100644 package/sepolgen/Config.in
 create mode 100644 package/sepolgen/sepolgen.mk
 create mode 100644 package/setools/Config.in
 create mode 100644 package/setools/setools-0001-cross-compile-fixes.patch
 create mode 100644 package/setools/setools-0002-swig-typedef-python-fixes.patch
 create mode 100644 package/setools/setools.mk
 create mode 100644 package/shadow/Config.in
 create mode 100644 package/shadow/shadow.mk
 create mode 100644 package/ustr/Config.in
 create mode 100644 package/ustr/ustr-0001-cross-compile-modifications.patch
 create mode 100644 package/ustr/ustr.mk
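
Caveat 1 of the cover letter above can be checked against a kernel configuration before the image is built. The following is an added example, not part of the patch series or of Buildroot: the option list (mainline Kconfig symbols, with ext4 assumed as the root file system) and the sample configuration are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report kernel options that SELinux needs but that are not
# built in. The symbol list is an assumption (mainline Kconfig names; ext4 is
# assumed as the root file system, so its security-label xattr option is used).
REQUIRED_OPTS="CONFIG_SECURITY CONFIG_SECURITY_NETWORK CONFIG_AUDIT \
CONFIG_SECURITY_SELINUX CONFIG_EXT4_FS_SECURITY"

# Print the state of one option in a kernel .config:
#   y = built in, m = module, n = explicitly "is not set", absent = no line
opt_state() {
    _cfg=$1
    _opt=$2
    if grep -q "^${_opt}=y\$" "$_cfg"; then
        echo y
    elif grep -q "^${_opt}=m\$" "$_cfg"; then
        echo m
    elif grep -q "^# ${_opt} is not set\$" "$_cfg"; then
        echo n
    else
        echo absent
    fi
}

# Print "<option> <state>" for every required option that is not built in.
# Returns 0 if all are =y, 1 if any is missing, 2 if the file is unreadable.
missing_selinux_opts() {
    cfg=$1
    if [ ! -r "$cfg" ]; then
        echo "cannot read $cfg" >&2
        return 2
    fi
    rc=0
    for opt in $REQUIRED_OPTS; do
        state=$(opt_state "$cfg" "$opt")
        if [ "$state" != "y" ]; then
            echo "$opt $state"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample .config fragment: SELinux left disabled and the ext4
# security-label option never offered (line absent).
sample_config() {
    cat <<'EOF'
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_AUDIT=y
# CONFIG_SECURITY_SELINUX is not set
CONFIG_EXT4_FS=y
CONFIG_EXT4_FS_XATTR=y
EOF
}

# Demonstration run on the constructed sample.
demo_cfg=$(mktemp)
sample_config > "$demo_cfg"
echo "Options still to enable:"
missing_selinux_opts "$demo_cfg" || true
rm -f "$demo_cfg"
```

A state of `absent` usually means a parent option is off, so the symbol was never offered by Kconfig.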


* [Buildroot] [PATCH v3 01/16] pcre: Add host build support
  2013-09-25 19:32 [Buildroot] [PATCH v3 00/16] SELinux Buildroot Additions Clayton Shotwell
@ 2013-09-25 19:32 ` Clayton Shotwell
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 02/16] libselinux: new package Clayton Shotwell
                   ` (15 subsequent siblings)
  16 siblings, 0 replies; 22+ messages in thread
From: Clayton Shotwell @ 2013-09-25 19:32 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v2 -> v3:
  - Changed order of patch to correct dependency issue (suggested by Thomas).
Changes v1 -> v2:
  - No changes

 package/pcre/pcre.mk |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/package/pcre/pcre.mk b/package/pcre/pcre.mk
index bf86a3d..1b59dbc 100644
--- a/package/pcre/pcre.mk
+++ b/package/pcre/pcre.mk
@@ -21,3 +21,4 @@ PCRE_CONF_OPT += $(if $(BR2_PACKAGE_PCRE_16),--enable-pcre16,--disable-pcre16)
 PCRE_CONF_OPT += $(if $(BR2_PACKAGE_PCRE_32),--enable-pcre32,--disable-pcre32)
 
 $(eval $(autotools-package))
+$(eval $(host-autotools-package))
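Review bot: the commit message has no body, so nothing records why pcre gains a host variant; say in the log that it is needed by host-libselinux (patch 02 lists host-pcre in HOST_LIBSELINUX_DEPENDENCIES). The PCRE_CONF_OPT lines visible above the added `$(eval $(host-autotools-package))` apply to the target build only, so the host library is configured with defaults; state whether that is intended.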
-- 
1.7.1


* [Buildroot] [PATCH v3 02/16] libselinux: new package
  2013-09-25 19:32 [Buildroot] [PATCH v3 00/16] SELinux Buildroot Additions Clayton Shotwell
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 01/16] pcre: Add host build support Clayton Shotwell
@ 2013-09-25 19:32 ` Clayton Shotwell
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 03/16] ustr: " Clayton Shotwell
                   ` (14 subsequent siblings)
  16 siblings, 0 replies; 22+ messages in thread
From: Clayton Shotwell @ 2013-09-25 19:32 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v2 -> v3:
  - Added dependencies on BR2_TOOLCHAIN_HAS_THREADS and BR2_LARGEFILE (suggested by Thomas).
  - Corrected a minor issue in the mk file found during testing.
Changes v1 -> v2:
  - Move Config.in entry into the libraries section since this is a
    library.
  - General cleanup to the mk file to conform to the standard format.
  - Removed a dependency on the Linux kernel.
  - Changed the original Python select in the Config.in to be a check 
    in the libselinux.mk file.
  - Added a select for libsepol and pcre in the menuconfig instead of
    just having package dependencies.
  - Removed building the python bindings in the host configuration.

 package/Config.in                |    1 +
 package/libselinux/Config.in     |   19 ++++++++
 package/libselinux/libselinux.mk |   94 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 114 insertions(+), 0 deletions(-)
 create mode 100644 package/libselinux/Config.in
 create mode 100644 package/libselinux/libselinux.mk

diff --git a/package/Config.in b/package/Config.in
index 1dd60d1..d2f651e 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -695,6 +695,7 @@ source "package/tzdata/Config.in"
 endmenu
 
 menu "Security"
+source "package/libselinux/Config.in"
 source "package/libsepol/Config.in"
 endmenu
 
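Review bot: the v1 -> v2 changelog says the Config.in entry was moved into the libraries section, but this hunk sources package/libselinux/Config.in from the "Security" menu next to libsepol. Update the changelog or move the entry so the two agree.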
diff --git a/package/libselinux/Config.in b/package/libselinux/Config.in
new file mode 100644
index 0000000..503805f
--- /dev/null
+++ b/package/libselinux/Config.in
@@ -0,0 +1,19 @@
+config BR2_PACKAGE_LIBSELINUX
+	bool "libselinux"
+	select BR2_PACKAGE_LIBSEPOL
+	select BR2_PACKAGE_PCRE
+	depends on BR2_TOOLCHAIN_HAS_THREADS
+	depends on BR2_LARGEFILE
+	help
+	  libselinux is the runtime SELinux library that provides interfaces 
+	  (e.g. library functions for the SELinux kernel APIs like getcon(), 
+	  other support functions like getseuserbyname()) to SELinux-aware 
+	  applications. libselinux may use the shared libsepol to manipulate 
+	  the binary policy if necessary (e.g. to downgrade the policy format 
+	  to an older version supported by the kernel) when loading policy.
+	  
+	  http://selinuxproject.org/page/Main_Page
+
+comment "libselinux support requires a toolchain with large file and threading support"
+        depends on !BR2_TOOLCHAIN_HAS_THREADS || !BR2_LARGEFILE
+
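Review bot: the `depends on` line under the comment entry is indented with spaces while the rest of the file uses a tab; use a tab there as well. The help text lines end in trailing whitespace and the file ends with an empty line, both of which should be dropped.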
diff --git a/package/libselinux/libselinux.mk b/package/libselinux/libselinux.mk
new file mode 100644
index 0000000..034d535
--- /dev/null
+++ b/package/libselinux/libselinux.mk
@@ -0,0 +1,94 @@
+################################################################################
+#
+# libselinux
+#
+################################################################################
+
+LIBSELINUX_VERSION = 2.1.13
+LIBSELINUX_SITE = http://userspace.selinuxproject.org/releases/20130423/
+LIBSELINUX_LICENSE = PublicDomain
+LIBSELINUX_LICENSE_FILES = LICENSE
+
+LIBSELINUX_DEPENDENCIES = libsepol pcre
+
+LIBSELINUX_INSTALL_STAGING = YES
+
+LIBSELINUX_MAKE_OPTS = \
+	$(TARGET_CONFIGURE_OPTS) \
+	LDFLAGS="$(TARGET_LDFLAGS) -lpcre -lpthread"
+
+ifeq ($(BR2_PACKAGE_PYTHON),y)
+
+LIBSELINUX_DEPENDENCIES += python host-swig host-python
+LIBSELINUX_MAKE_OPTS += \
+	PYINC="-I$(STAGING_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)/" \
+	PYTHONLIBDIR="-L$(STAGING_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/" \
+	PYLIBVER="python$(PYTHON_VERSION_MAJOR)" \
+	SWIG_LIB="$(HOST_DIR)/usr/share/swig/$(SWIG_VERSION)/"
+
+define LIBSELINUX_PYTHON_BUILD_CMDS
+	# DESTDIR is needed during the compile to compute library and 
+	# header paths.
+	$(MAKE) -C $(@D) $(LIBSELINUX_MAKE_OPTS) DESTDIR=$(STAGING_DIR) swigify pywrap
+endef
+
+define LIBSELINUX_PYTHON_INSTALL_STAGING_CMDS
+	$(MAKE) -C $(@D) install-pywrap $(LIBSELINUX_MAKE_OPTS) DESTDIR=$(STAGING_DIR)
+endef
+
+define LIBSELINUX_PYTHON_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D) install-pywrap $(LIBSELINUX_MAKE_OPTS) DESTDIR=$(TARGET_DIR)
+endef
+
+endif
+
+define LIBSELINUX_BUILD_CMDS
+	# DESTDIR is needed during the compile to compute library and 
+	# header paths.
+	$(MAKE) -C $(@D) $(LIBSELINUX_MAKE_OPTS) DESTDIR=$(STAGING_DIR) all
+	$(LIBSELINUX_PYTHON_BUILD_CMDS)
+endef
+
+define LIBSELINUX_INSTALL_STAGING_CMDS
+	$(MAKE) -C $(@D) install $(LIBSELINUX_MAKE_OPTS) DESTDIR=$(STAGING_DIR)
+	$(LIBSELINUX_PYTHON_INSTALL_STAGING_CMDS)
+endef
+
+define LIBSELINUX_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D) install $(LIBSELINUX_MAKE_OPTS) DESTDIR=$(TARGET_DIR)
+	$(LIBSELINUX_PYTHON_INSTALL_TARGET_CMDS)
+endef
+
+define LIBSELINUX_CLEAN_CMDS
+	$(MAKE) -C $(@D) clean
+endef
+
+HOST_LIBSELINUX_DEPENDENCIES = host-libsepol host-pcre
+
+HOST_LIBSELINUX_MAKE_OPTS = $(HOST_CONFIGURE_OPTS) \
+	LDFLAGS="$(HOST_LDFLAGS) -lpcre -lpthread"
+
+define HOST_LIBSELINUX_BUILD_CMDS
+	# DESTDIR is needed during the compile to compute library and 
+	# header paths.
+	$(MAKE) -C $(@D) $(HOST_LIBSELINUX_MAKE_OPTS) DESTDIR=$(HOST_DIR) all
+endef
+
+define HOST_LIBSELINUX_INSTALL_CMDS
+	$(MAKE) -C $(@D) install $(HOST_LIBSELINUX_MAKE_OPTS) DESTDIR=$(HOST_DIR)
+	mv $(HOST_DIR)/lib/libselinux.so.1 $(HOST_DIR)/usr/lib
+	(cd $(HOST_DIR)/usr/lib; rm -f libselinux.so; \
+		ln -s libselinux.so.1 libselinux.so)
+	-rmdir $(HOST_DIR)/lib
+	(if [ -f $(HOST_DIR)/sbin/matchpathcon ]; then \
+		mv $(HOST_DIR)/sbin/matchpathcon $(HOST_DIR)/usr/sbin/; \
+		-rmdir $(HOST_DIR)/sbin; \
+	fi)
+endef
+
+define HOST_LIBSELINUX_CLEAN_CMDS
+	$(MAKE) -C $(@D) clean
+endef
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
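Review bot: in HOST_LIBSELINUX_INSTALL_CMDS the `-rmdir $(HOST_DIR)/sbin;` sits inside the backslash-continued shell `if`, where the leading `-` is not make's ignore-errors prefix but part of the command name, so the shell looks for a program called `-rmdir` and the block fails whenever matchpathcon exists. Write it as `rmdir $(HOST_DIR)/sbin 2>/dev/null || true` inside the `if`. Moving libselinux.so.1 and matchpathcon by hand and then removing $(HOST_DIR)/lib and $(HOST_DIR)/sbin is also fragile once other host packages install into those directories; passing the wanted install directories to make would avoid the fix-up.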
-- 
1.7.1


* [Buildroot] [PATCH v3 03/16] ustr: new package
  2013-09-25 19:32 [Buildroot] [PATCH v3 00/16] SELinux Buildroot Additions Clayton Shotwell
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 01/16] pcre: Add host build support Clayton Shotwell
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 02/16] libselinux: new package Clayton Shotwell
@ 2013-09-25 19:32 ` Clayton Shotwell
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 04/16] bzip2: Add host build shared library installation Clayton Shotwell
                   ` (13 subsequent siblings)
  16 siblings, 0 replies; 22+ messages in thread
From: Clayton Shotwell @ 2013-09-25 19:32 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v2 -> v3:
  - Changes patch naming convention (suggested by Thomas).
  - Added a dependency on BR2_LARGEFILE (suggested by Thomas).
Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format.
  - Fixed the patch naming to avoid using the version number.
  - Cleaned up the patch to include a signed-off-by line.
  - Added a check to only build static libraries if selected.

 package/Config.in                                  |    1 +
 package/ustr/Config.in                             |   11 ++
 .../ustr-0001-cross-compile-modifications.patch    |  144 ++++++++++++++++++++
 package/ustr/ustr.mk                               |   55 ++++++++
 4 files changed, 211 insertions(+), 0 deletions(-)
 create mode 100644 package/ustr/Config.in
 create mode 100644 package/ustr/ustr-0001-cross-compile-modifications.patch
 create mode 100644 package/ustr/ustr.mk

diff --git a/package/Config.in b/package/Config.in
index d2f651e..a9fd388 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -712,6 +712,7 @@ source "package/pcre/Config.in"
 source "package/popt/Config.in"
 source "package/readline/Config.in"
 source "package/slang/Config.in"
+source "package/ustr/Config.in"
 endmenu
 
 menu "JSON/XML"
diff --git a/package/ustr/Config.in b/package/ustr/Config.in
new file mode 100644
index 0000000..0aa2251
--- /dev/null
+++ b/package/ustr/Config.in
@@ -0,0 +1,11 @@
+config BR2_PACKAGE_USTR
+	bool "ustr"
+	depends on BR2_LARGEFILE
+	help
+	  A small, safe string library.
+	  
+	  http://www.and.org/ustr/
+
+comment "ustr requires a toolchain with large file support"
+	depends on !BR2_LARGEFILE
+
diff --git a/package/ustr/ustr-0001-cross-compile-modifications.patch b/package/ustr/ustr-0001-cross-compile-modifications.patch
new file mode 100644
index 0000000..cdf17c5
--- /dev/null
+++ b/package/ustr/ustr-0001-cross-compile-modifications.patch
@@ -0,0 +1,144 @@
+Changes are to allow ustr verion 1.0.4 to cross compile in buildroot.
+
+Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
+
+diff -urN a/ustr-compiler.h b/ustr-compiler.h
+--- a/ustr-compiler.h	2008-02-15 14:12:28.000000000 -0600
++++ b/ustr-compiler.h	2012-06-15 11:04:55.000000000 -0500
+@@ -13,10 +13,10 @@
+ 
+ /* We assume this is enough,
+  * C99 specifies that va_copy() exists and is a macro */
+-#ifdef va_copy
++#if defined va_copy
+ # define USTR_CONF_HAVE_VA_COPY 1
+ # define USTR__VA_COPY(x, y)   va_copy(x, y)
+-#elif __va_copy
++#elif defined __va_copy
+ # define USTR_CONF_HAVE_VA_COPY 1
+ # define USTR__VA_COPY(x, y) __va_copy(x, y)
+ #else
+diff -urN a/Makefile b/Makefile
+--- a/Makefile	2008-03-05 21:38:00.000000000 -0600
++++ b/Makefile	2013-09-10 16:54:45.916874387 -0500
+@@ -8,8 +8,8 @@
+ VERS_ESONAME =1
+ VERS_ESO     =$(VERS_ESONAME).0.4
+ 
+-DESTDIR =
+-prefix=/usr
++DESTDIR ?= 
++prefix ?= /usr
+ datadir=$(prefix)/share
+ libdir=$(prefix)/lib
+ libexecdir=$(prefix)/libexec
+@@ -18,7 +18,7 @@
+ SHRDIR=$(datadir)/ustr-$(VERS_FULL)
+ DOCSHRDIR=$(datadir)/doc/ustr-devel-$(VERS_FULL)
+ EXAMDIR=$(SHRDIR)/examples
+-mandir=$(datadir)/doc/man
++mandir=$(datadir)/man
+ MBINDIR=$(libexecdir)/ustr-$(VERS_FULL)
+ 
+ ###############################################################################
+@@ -28,12 +28,12 @@
+ ###############################################################################
+ HIDE=@
+ 
+-CC = cc
+-AR = ar
+-RANLIB = ranlib
+-LDCONFIG = /sbin/ldconfig
++CC ?= cc
++AR ?= ar
++RANLIB ?= ranlib
+ 
+-CFLAGS  = -O2 -g
++CFLAGS ?= -O2 -g
++LDFLAGS ?= 
+ 
+ # Debug versions...
+ WARNS = -W -Wall -Wundef -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -Wno-format-zero-length -Wformat-nonliteral -Wformat-security # -Wfloat-equal -- no floats
+@@ -376,7 +376,7 @@
+ all-shared: all $(LIB_SHARED)
+ 		$(HIDE)echo Done shared
+ 
+-install: all-shared ustr.pc ustr-debug.pc
++install: all ustr.pc ustr-debug.pc
+ 		$(HIDE)echo Making directories
+ 		install -d $(DESTDIR)$(libdir)
+ 		install -d $(DESTDIR)$(includedir)
+@@ -389,16 +389,6 @@
+ 		install -d $(DESTDIR)$(libdir)/pkgconfig
+ 		$(HIDE)echo Installing files
+ 		install -m 644 -t $(DESTDIR)$(libdir) $(LIB_STATIC)
+-		install -m 755 -t $(DESTDIR)$(libdir) $(LIB_SHARED)
+-		-rm -f $(DESTDIR)$(libdir)/$(OPT_LIB_SHARED_NAME)
+-		ln -s $(OPT_LIB_SHARED) $(DESTDIR)$(libdir)/$(OPT_LIB_SHARED_NAME)
+-		-rm -f $(DESTDIR)$(libdir)/$(OPT_LIB_SHAREDEV)
+-		ln -s $(OPT_LIB_SHARED_NAME) $(DESTDIR)$(libdir)/$(OPT_LIB_SHAREDEV)
+-		-rm -f $(DESTDIR)$(libdir)/$(DBG_LIB_SHARED_NAME)
+-		ln -s $(DBG_LIB_SHARED) $(DESTDIR)$(libdir)/$(DBG_LIB_SHARED_NAME)
+-		-rm -f $(DESTDIR)$(libdir)/$(DBG_LIB_SHAREDEV)
+-		ln -s $(DBG_LIB_SHARED_NAME) $(DESTDIR)$(libdir)/$(DBG_LIB_SHAREDEV)
+-		$(LDCONFIG) -n $(DESTDIR)$(libdir)
+ 		install -pm 644 -t $(DESTDIR)$(includedir) $(SRC_HDRS)
+ 		install -pm 644 -t $(DESTDIR)$(SHRDIR) $(SRC_SRCS)
+ 		install -pm 644 -t $(DESTDIR)$(SHRDIR) $(XSRC_SRCS)
+@@ -409,13 +399,24 @@
+ 		install -m 755 -t $(DESTDIR)$(bindir) ustr-import
+ 		install -pm 644 -t $(DESTDIR)$(libdir)/pkgconfig ustr.pc ustr-debug.pc
+ 
++install-shared: all-shared install
++		$(HIDE)echo Installing files
++		install -m 755 -t $(DESTDIR)$(libdir) $(LIB_SHARED)
++		-rm -f $(DESTDIR)$(libdir)/$(OPT_LIB_SHARED_NAME)
++		ln -s $(OPT_LIB_SHARED) $(DESTDIR)$(libdir)/$(OPT_LIB_SHARED_NAME)
++		-rm -f $(DESTDIR)$(libdir)/$(OPT_LIB_SHAREDEV)
++		ln -s $(OPT_LIB_SHARED_NAME) $(DESTDIR)$(libdir)/$(OPT_LIB_SHAREDEV)
++		-rm -f $(DESTDIR)$(libdir)/$(DBG_LIB_SHARED_NAME)
++		ln -s $(DBG_LIB_SHARED) $(DESTDIR)$(libdir)/$(DBG_LIB_SHARED_NAME)
++		-rm -f $(DESTDIR)$(libdir)/$(DBG_LIB_SHAREDEV)
++		ln -s $(DBG_LIB_SHARED_NAME) $(DESTDIR)$(libdir)/$(DBG_LIB_SHAREDEV)
++
+ ustr-import-multilib: ustr-import-multilib.in
+ 		sed -e 's, at INCLUDEDIR@,$(includedir),g' -e 's, at MBINDIR@,$(MBINDIR),g' < $< > $@
+ 
+ install-multilib-linux: install autoconf_64b ustr-import-multilib
+ 		install -d $(DESTDIR)$(MBINDIR)
+-		$(HIDE)mlib=`./autoconf_64b`; \
+-                   if test "x$$mlib" = "x1"; then mlib=64; else mlib=32; fi; \
++		$(HIDE))if test "`echo "__SIZEOF_SIZE_T__" | $(CC) -E -x c - | tail -n 1`" = 8; then mlib=64; else mlib=32; fi; \
+                    mv -f $(DESTDIR)$(includedir)/ustr-conf-debug.h \
+                          $(DESTDIR)$(includedir)/ustr-conf-debug-$$mlib.h; \
+                    mv -f $(DESTDIR)$(includedir)/ustr-conf.h \
+@@ -451,7 +452,8 @@
+ 
+ ustr-import: ustr-import.in autoconf_64b autoconf_vsnprintf
+ 		$(HIDE)echo Creating $@
+-		$(HIDE)sz64=`./autoconf_64b`; vsnp=`./autoconf_vsnprintf`; \
++		$(HIDE)if test "`echo "__SIZEOF_SIZE_T__" | $(CC) -E -x c - | tail -n 1`" = 8; then sz64=1; else sz64=0; fi; \
++		if test "`./autoconf_vsnprintf`" = 0; then vsnp=0; else vsnp=1; fi; \
+ 		sed -e 's, at INCLUDEDIR@,$(includedir),g' -e 's, at SHRDIR@,$(SHRDIR),g' -e 's, at VERS@,$(VERS),g'  -e 's, at VERS_FULL@,$(VERS_FULL),g' -e "s, at HAVE_64bit_SIZE_MAX@,$$sz64,g" -e "s, at HAVE_RETARDED_VSNPRINTF@,$$vsnp,g" < $< > $@
+ 		$(HIDE)chmod 755 $@
+ 
+@@ -485,7 +487,8 @@
+ ustr-conf.h: ustr-conf.h.in autoconf_64b autoconf_vsnprintf
+ 		$(HIDE)echo Creating $@
+ 		$(HIDE)have_stdint_h=0; dbg1=0; dbg2=0; \
+-                sz64=`./autoconf_64b`; vsnp=`./autoconf_vsnprintf`; \
++                if test "`echo "__SIZEOF_SIZE_T__" | $(CC) -E -x c - | tail -n 1`" = 8; then sz64=1; else sz64=0; fi; \
++                if test "`./autoconf_vsnprintf`" = 0; then vsnp=0; else vsnp=1; fi; \
+                 if test -f "/usr/include/stdint.h"; then have_stdint_h=1; fi; \
+                 if test -f "$(prefix)/include/stdint.h"; then have_stdint_h=1; fi; \
+                 if test -f "$(includedir)/stdint.h"; then have_stdint_h=1; fi; \
+@@ -494,7 +497,8 @@
+ ustr-conf-debug.h: ustr-conf.h.in autoconf_64b autoconf_vsnprintf
+ 		$(HIDE)echo Creating $@
+ 		$(HIDE)have_stdint_h=0; dbg1=1; dbg2=1; \
+-                sz64=`./autoconf_64b`; vsnp=`./autoconf_vsnprintf`; \
++                if test "`echo "__SIZEOF_SIZE_T__" | $(CC) -E -x c - | tail -n 1`" = 8; then sz64=1; else sz64=0; fi; \
++                if test "`./autoconf_vsnprintf`" = 0; then vsnp=0; else vsnp=1; fi; \
+                 if test -f "/usr/include/stdint.h"; then have_stdint_h=1; fi; \
+                 if test -f "$(prefix)/include/stdint.h"; then have_stdint_h=1; fi; \
+                 if test -f "$(includedir)/stdint.h"; then have_stdint_h=1; fi; \
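Review bot: the replacement line in the install-multilib-linux rule reads `$(HIDE))if test ...`, with a stray `)` after `$(HIDE)`, which turns the recipe into a shell syntax error; drop the extra parenthesis. The patch replaces `./autoconf_64b` with a preprocessor probe but still executes `./autoconf_vsnprintf` in three rules, and the new `if test ... = 0; then vsnp=0; else vsnp=1` silently yields vsnp=1 when that binary produces no output because it cannot run on the build machine; those rules also still list autoconf_64b as a prerequisite although they no longer use its output. In the patch header, "verion" should be "version" and "Signed-off-by" needs a colon.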
diff --git a/package/ustr/ustr.mk b/package/ustr/ustr.mk
new file mode 100644
index 0000000..f4a3b71
--- /dev/null
+++ b/package/ustr/ustr.mk
@@ -0,0 +1,55 @@
+################################################################################
+#
+# ustr
+#
+################################################################################
+
+USTR_VERSION = 1.0.4
+USTR_SOURCE = ustr-$(USTR_VERSION).tar.bz2
+USTR_SITE = http://www.and.org/ustr/$(USTR_VERSION)/
+USTR_LICENSE = BSD-2c MIT LGPLv2+
+USTR_LICENSE_FILES = LICENCE LICENSE_BSD LICENSE_LGPL LICENSE_MIT
+
+USTR_INSTALL_STAGING = YES
+
+ifeq ($(BR2_PREFER_STATIC_LIB),y)
+	USTR_BUILD_CMD = all
+	USTR_INSTALL_CMD = install
+else
+	USTR_BUILD_CMD = all all-shared
+	USTR_INSTALL_CMD = install install-shared
+endif
+
+define USTR_BUILD_CMDS
+	$(MAKE) -C $(@D) $(USTR_BUILD_CMD) $(TARGET_CONFIGURE_OPTS)
+endef
+
+define USTR_INSTALL_STAGING_CMDS
+	$(MAKE) -C $(@D) $(USTR_INSTALL_CMD) $(TARGET_CONFIGURE_OPTS) \
+		DESTDIR=$(STAGING_DIR)
+endef
+
+define USTR_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D) $(USTR_INSTALL_CMD) $(TARGET_CONFIGURE_OPTS) \
+		DESTDIR=$(TARGET_DIR)
+endef
+
+define USTR_CLEAN_CMDS
+	$(MAKE) -C $(@D) clean
+endef
+
+define HOST_USTR_BUILD_CMDS
+	$(MAKE) -C $(@D) $(USTR_BUILD_CMD) $(HOST_CONFIGURE_OPTS)
+endef
+
+define HOST_USTR_INSTALL_CMDS
+	$(MAKE) -C $(@D) $(USTR_INSTALL_CMD) $(HOST_CONFIGURE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+endef
+
+define HOST_USTR_CLEAN_CMDS
+	$(MAKE) -C $(@D) clean
+endef
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
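Review bot: HOST_USTR_BUILD_CMDS and HOST_USTR_INSTALL_CMDS reuse USTR_BUILD_CMD and USTR_INSTALL_CMD, which are chosen from BR2_PREFER_STATIC_LIB, a target setting, so a static target configuration also removes the shared library from the host build. Give the host variant its own fixed targets, for example `all all-shared` and `install install-shared`. The assignments inside the ifeq block are indented with tabs; leave them unindented so they cannot be mistaken for recipe lines.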
-- 
1.7.1


* [Buildroot] [PATCH v3 04/16] bzip2: Add host build shared library installation
  2013-09-25 19:32 [Buildroot] [PATCH v3 00/16] SELinux Buildroot Additions Clayton Shotwell
                   ` (2 preceding siblings ...)
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 03/16] ustr: " Clayton Shotwell
@ 2013-09-25 19:32 ` Clayton Shotwell
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 05/16] libsemanage: new package Clayton Shotwell
                   ` (12 subsequent siblings)
  16 siblings, 0 replies; 22+ messages in thread
From: Clayton Shotwell @ 2013-09-25 19:32 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v2 -> v3:
  - Changed order of patch to correct dependency issue (suggested by Thomas).
Changes v1 -> v2:
  - No changes

 package/bzip2/bzip2.mk |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/package/bzip2/bzip2.mk b/package/bzip2/bzip2.mk
index 45d5108..5876837 100644
--- a/package/bzip2/bzip2.mk
+++ b/package/bzip2/bzip2.mk
@@ -71,6 +71,8 @@ endef
 define HOST_BZIP2_INSTALL_CMDS
 	$(HOST_MAKE_ENV) \
 		$(MAKE) PREFIX=$(HOST_DIR)/usr -C $(@D) install
+	$(HOST_MAKE_ENV) $(MAKE) \
+		-f Makefile-libbz2_so PREFIX=$(HOST_DIR)/usr -C $(@D) install
 endef
 
 $(eval $(generic-package))
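Review bot: the commit message has no body, and the hunk adds only an install step using `-f Makefile-libbz2_so`; confirm that HOST_BZIP2_BUILD_CMDS (outside this hunk) also builds with that makefile, so the shared library is not first compiled during the install step. State in the log which host package needs the shared libbz2.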
-- 
1.7.1


* [Buildroot] [PATCH v3 05/16] libsemanage: new package
  2013-09-25 19:32 [Buildroot] [PATCH v3 00/16] SELinux Buildroot Additions Clayton Shotwell
                   ` (3 preceding siblings ...)
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 04/16] bzip2: Add host build shared library installation Clayton Shotwell
@ 2013-09-25 19:32 ` Clayton Shotwell
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 06/16] checkpolicy: " Clayton Shotwell
                   ` (11 subsequent siblings)
  16 siblings, 0 replies; 22+ messages in thread
From: Clayton Shotwell @ 2013-09-25 19:32 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v2 -> v3:
  - Changes patch naming convention (suggested by Thomas).
  - Added dependencies on BR2_TOOLCHAIN_HAS_THREADS and BR2_LARGEFILE (suggested by Thomas).
Changes v1 -> v2:
  - Move Config.in entry into the libraries section since this is a
    library.
  - General cleanup to the mk file to conform to the standard format.
  - Fixed the patch naming to avoid using the version number.
  - Cleaned up the patch to include a signed-off-by line.
  - Changed package dependencies into selects in the config.
  - Changed the original Python select in the Config.in to be a check 
    in the mk file.
  - Removed building the python bindings in the host configuration.

 package/Config.in                                  |    1 +
 package/libsemanage/Config.in                      |   20 +++++
 .../libsemanage-0001-execption-lib-path-fix.patch  |   14 ++++
 package/libsemanage/libsemanage.mk                 |   80 ++++++++++++++++++++
 4 files changed, 115 insertions(+), 0 deletions(-)
 create mode 100644 package/libsemanage/Config.in
 create mode 100644 package/libsemanage/libsemanage-0001-execption-lib-path-fix.patch
 create mode 100644 package/libsemanage/libsemanage.mk

diff --git a/package/Config.in b/package/Config.in
index a9fd388..31eefed 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -696,6 +696,7 @@ endmenu
 
 menu "Security"
 source "package/libselinux/Config.in"
+source "package/libsemanage/Config.in"
 source "package/libsepol/Config.in"
 endmenu
 
diff --git a/package/libsemanage/Config.in b/package/libsemanage/Config.in
new file mode 100644
index 0000000..70a772d
--- /dev/null
+++ b/package/libsemanage/Config.in
@@ -0,0 +1,20 @@
+config BR2_PACKAGE_LIBSEMANAGE
+	bool "libsemanage"
+	select BR2_PACKAGE_LIBSELINUX
+	select BR2_PACKAGE_USTR
+	select BR2_PACKAGE_BZIP2
+	depends on BR2_TOOLCHAIN_HAS_THREADS
+	depends on BR2_LARGEFILE
+	help
+	  libsemanage is the policy management library. It uses libsepol for binary 
+	  policy manipulation and libselinux for interacting with the SELinux 
+	  system. It also exec's helper programs for loading policy and for checking
+	  whether the file_contexts configuration is valid (load_policy and 
+	  setfiles from policycoreutils) presently, although this may change at 
+	  least for the bootstrapping case (for rpm).
+	  
+	  http://selinuxproject.org/page/Main_Page
+
+comment "libsemanage support requires a toolchain with large file and threading support"
+	depends on !BR2_TOOLCHAIN_HAS_THREADS || !BR2_LARGEFILE
+
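Review bot: the help text says libsemanage execs load_policy and setfiles from policycoreutils, yet nothing in this entry tells the user that those helpers have to be present on the target; add a sentence to the help naming that runtime requirement. Several help lines run past 80 columns and end in trailing whitespace, and the file ends with an empty line; rewrap and trim them.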
diff --git a/package/libsemanage/libsemanage-0001-execption-lib-path-fix.patch b/package/libsemanage/libsemanage-0001-execption-lib-path-fix.patch
new file mode 100644
index 0000000..cbcbea5
--- /dev/null
+++ b/package/libsemanage/libsemanage-0001-execption-lib-path-fix.patch
@@ -0,0 +1,14 @@
+Patch to correct a missing header file issue.
+
+Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
+
+--- a/src/exception.sh	2011-12-21 11:46:04.000000000 -0600
++++ b/src/exception.sh	2012-08-27 11:29:58.000000000 -0500
+@@ -9,6 +9,6 @@
+ }
+ "
+ }
+-gcc -x c -c - -aux-info temp.aux < ../include/semanage/semanage.h
++gcc -x c -c - -aux-info temp.aux -I../include < ../include/semanage/semanage.h
+ for i in `awk '/extern int/ { print $6 }' temp.aux`; do except $i ; done
+ rm -f -- temp.aux -.o
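Review bot: the changed line in src/exception.sh still calls a hard-coded `gcc`, so in a cross build the header is parsed by whichever gcc comes first in PATH rather than by the compiler used for the package; take the compiler from the environment (for example `${CC:-gcc}`) in the same line that gains `-I../include`. The patch file name spells "exception" as "execption", the description does not say which header was missing, and "Signed-off-by" needs a colon.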
diff --git a/package/libsemanage/libsemanage.mk b/package/libsemanage/libsemanage.mk
new file mode 100644
index 0000000..b8de72e
--- /dev/null
+++ b/package/libsemanage/libsemanage.mk
@@ -0,0 +1,80 @@
+################################################################################
+#
+# libsemanage
+#
+################################################################################
+
+LIBSEMANAGE_VERSION = 2.1.10
+LIBSEMANAGE_SITE = http://userspace.selinuxproject.org/releases/20130423/
+LIBSEPOL_LICENSE = LGPLv2.1+
+LIBSEPOL_LICENSE_FILES = COPYING
+
+LIBSEMANAGE_DEPENDENCIES = host-bison libselinux ustr bzip2
+
+LIBSEMANAGE_INSTALL_STAGING = YES
+
+LIBSEMANAGE_MAKE_OPT = $(TARGET_CONFIGURE_OPTS)
+
+ifeq ($(BR2_PACKAGE_PYTHON),y)
+
+LIBSEMANAGE_DEPENDENCIES += python host-swig host-python
+LIBSEMANAGE_MAKE_OPT += \
+	PYINC="-I$(STAGING_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)/" \
+	PYTHONLIBDIR="-L$(STAGING_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/" \
+	PYLIBVER="python$(PYTHON_VERSION_MAJOR)" \
+	SWIG_LIB="$(HOST_DIR)/usr/share/swig/$(SWIG_VERSION)/"
+
+define LIBSEMANAGE_PYTHON_BUILD_CMDS
+	$(MAKE) -C $(@D) $(LIBSEMANAGE_MAKE_OPT) DESTDIR=$(STAGING_DIR) swigify pywrap
+endef
+
+define LIBSEMANAGE_PYTHON_INSTALL_STAGING_CMDS
+	$(MAKE) -C $(@D) install-pywrap $(LIBSEMANAGE_MAKE_OPT) DESTDIR=$(STAGING_DIR)
+endef
+
+define LIBSEMANAGE_PYTHON_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D) install-pywrap $(LIBSEMANAGE_MAKE_OPT) DESTDIR=$(TARGET_DIR)
+endef
+
+endif # End of BR2_PACKAGE_PYTHON
+
+define LIBSEMANAGE_BUILD_CMDS
+	# DESTDIR is needed during the compile to compute library and 
+	# header paths.
+	$(MAKE) -C $(@D) $(LIBSEMANAGE_MAKE_OPT) DESTDIR=$(STAGING_DIR) all
+	$(LIBSEMANAGE_PYTHON_BUILD_CMDS)
+endef
+
+define LIBSEMANAGE_INSTALL_STAGING_CMDS
+	$(MAKE) -C $(@D) install $(LIBSEMANAGE_MAKE_OPT) DESTDIR=$(STAGING_DIR)
+	$(LIBSEMANAGE_PYTHON_INSTALL_STAGING_CMDS)
+endef
+
+define LIBSEMANAGE_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D) install $(LIBSEMANAGE_MAKE_OPT) DESTDIR=$(TARGET_DIR)
+	$(LIBSEMANAGE_PYTHON_INSTALL_TARGET_CMDS)
+endef
+
+define LIBSEMANAGE_CLEAN_CMDS
+	$(MAKE) -C $(@D) clean
+endef
+
+HOST_LIBSEMANAGE_DEPENDENCIES = host-bison host-libsepol \
+	host-libselinux host-ustr host-bzip2
+
+define HOST_LIBSEMANAGE_BUILD_CMDS
+	# DESTDIR is needed during the compile to compute library and 
+	# header paths.
+	$(MAKE) -C $(@D) all $(HOST_CONFIGURE_OPTS) DESTDIR=$(HOST_DIR)
+endef
+
+define HOST_LIBSEMANAGE_INSTALL_CMDS
+	$(MAKE) -C $(@D) install $(HOST_CONFIGURE_OPTS) DESTDIR=$(HOST_DIR)
+endef
+
+define HOST_LIBSEMANAGE_CLEAN_CMDS
+	$(MAKE) -C $(@D) clean
+endef
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
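Review bot: The licence variables near the top of libsemanage.mk are named LIBSEPOL_LICENSE and LIBSEPOL_LICENSE_FILES, which looks like a copy-and-paste from the libsepol package: libsemanage ends up with no licence information and libsepol's variables get assigned from the wrong file. Rename them to LIBSEMANAGE_LICENSE and LIBSEMANAGE_LICENSE_FILES. Separately, HOST_LIBSEMANAGE_DEPENDENCIES lists host-libsepol while the target LIBSEMANAGE_DEPENDENCIES has no libsepol entry; if the target build relies on libselinux pulling it in, listing it explicitly would keep the two lists consistent.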
-- 
1.7.1


* [Buildroot] [PATCH v3 06/16] checkpolicy: new package
  2013-09-25 19:32 [Buildroot] [PATCH v3 00/16] SELinux Buildroot Additions Clayton Shotwell
                   ` (4 preceding siblings ...)
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 05/16] libsemanage: new package Clayton Shotwell
@ 2013-09-25 19:32 ` Clayton Shotwell
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 07/16] sepolgen: " Clayton Shotwell
                   ` (10 subsequent siblings)
  16 siblings, 0 replies; 22+ messages in thread
From: Clayton Shotwell @ 2013-09-25 19:32 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v2 -> v3:
  - Added checkpolicy as a host package (suggested by Arnout).
Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format.
  - Removed the option to do a target build because it should never 
    be needed during normal operation.
  - Added checkpolicy as a host package. (Suggested by Arnout)

 package/Config.in.host             |    1 +
 package/checkpolicy/Config.in.host |   10 ++++++++++
 package/checkpolicy/checkpolicy.mk |   30 ++++++++++++++++++++++++++++++
 3 files changed, 41 insertions(+), 0 deletions(-)
 create mode 100644 package/checkpolicy/Config.in.host
 create mode 100644 package/checkpolicy/checkpolicy.mk

diff --git a/package/Config.in.host b/package/Config.in.host
index 5fd2570..1b3e11b 100644
--- a/package/Config.in.host
+++ b/package/Config.in.host
@@ -1,5 +1,6 @@
 menu "Host utilities"
 
+source "package/checkpolicy/Config.in.host"
 source "package/dfu-util/Config.in.host"
 source "package/dosfstools/Config.in.host"
 source "package/e2fsprogs/Config.in.host"
diff --git a/package/checkpolicy/Config.in.host b/package/checkpolicy/Config.in.host
new file mode 100644
index 0000000..75794be
--- /dev/null
+++ b/package/checkpolicy/Config.in.host
@@ -0,0 +1,10 @@
+config BR2_PACKAGE_HOST_CHECKPOLICY
+	bool "host checkpolicy"
+	help
+	  checkpolicy is the policy compiler. It uses libsepol to 
+	  generate the binary policy. checkpolicy uses the static 
+	  libsepol since it deals with low level details of the policy 
+	  that have not been encapsulated/abstracted by a proper 
+	  shared library interface. 
+	  
+	  http://selinuxproject.org/page/Main_Page
diff --git a/package/checkpolicy/checkpolicy.mk b/package/checkpolicy/checkpolicy.mk
new file mode 100644
index 0000000..0c82d63
--- /dev/null
+++ b/package/checkpolicy/checkpolicy.mk
@@ -0,0 +1,30 @@
+################################################################################
+#
+# checkpolicy
+#
+################################################################################
+
+CHECKPOLICY_VERSION = 2.1.12
+CHECKPOLICY_SITE = http://userspace.selinuxproject.org/releases/20130423/
+CHECKPOLICY_LICENSE = GPLv2
+CHECKPOLICY_LICENSE_FILES = COPYING
+
+HOST_CHECKPOLICY_DEPENDENCIES = host-libselinux host-flex host-bison
+
+HOST_CHECKPOLICY_MAKE_OPTS = $(HOST_CONFIGURE_OPTS) \
+	LEX="$(HOST_DIR)/usr/bin/flex" \
+	YACC="$(HOST_DIR)/usr/bin/bison -y"
+
+define HOST_CHECKPOLICY_BUILD_CMDS
+	$(MAKE) -C $(@D) $(HOST_CHECKPOLICY_MAKE_OPTS) DESTDIR=$(HOST_DIR)
+endef
+
+define HOST_CHECKPOLICY_INSTALL_CMDS
+	$(MAKE) -C $(@D) install $(HOST_CHECKPOLICY_MAKE_OPTS) DESTDIR=$(HOST_DIR)
+endef
+
+define HOST_CHECKPOLICY_CLEAN_CMDS
+	$(MAKE) -C $(@D) clean
+endef
+
+$(eval $(host-generic-package))
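Review bot: HOST_CHECKPOLICY_DEPENDENCIES lists host-libselinux, host-flex and host-bison but not host-libsepol, even though the help text added in Config.in.host says checkpolicy uses the static libsepol directly. Add host-libsepol to the list so the build order does not depend on host-libselinux happening to pull it in.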
-- 
1.7.1


* [Buildroot] [PATCH v3 07/16] sepolgen: new package
  2013-09-25 19:32 [Buildroot] [PATCH v3 00/16] SELinux Buildroot Additions Clayton Shotwell
                   ` (5 preceding siblings ...)
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 06/16] checkpolicy: " Clayton Shotwell
@ 2013-09-25 19:32 ` Clayton Shotwell
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 08/16] sqlite: Add host build support Clayton Shotwell
                   ` (9 subsequent siblings)
  16 siblings, 0 replies; 22+ messages in thread
From: Clayton Shotwell @ 2013-09-25 19:32 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v2 -> v3:
  - No changes.
Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format.
  - Changed package dependencies into selects in the config.

 package/Config.in            |    4 ++++
 package/sepolgen/Config.in   |    8 ++++++++
 package/sepolgen/sepolgen.mk |   35 +++++++++++++++++++++++++++++++++++
 3 files changed, 47 insertions(+), 0 deletions(-)
 create mode 100644 package/sepolgen/Config.in
 create mode 100644 package/sepolgen/sepolgen.mk

diff --git a/package/Config.in b/package/Config.in
index 31eefed..056a6ef 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -917,6 +917,10 @@ source "package/rtai/Config.in"
 source "package/xenomai/Config.in"
 endmenu
 
+menu "Security"
+source "package/sepolgen/Config.in"
+endmenu
+
 menu "Shell and utilities"
 source "package/at/Config.in"
 if BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
diff --git a/package/sepolgen/Config.in b/package/sepolgen/Config.in
new file mode 100644
index 0000000..2a4b49c
--- /dev/null
+++ b/package/sepolgen/Config.in
@@ -0,0 +1,8 @@
+config BR2_PACKAGE_SEPOLGEN
+	bool "sepolgen"
+	select BR2_PACKAGE_PYTHON
+	help
+	  sepolgen is a python module/library that forms the core 
+	  of the modern audit2allow (a rewrite). 
+	  
+	  http://selinuxproject.org/page/Main_Page
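Review bot: The select BR2_PACKAGE_PYTHON line in BR2_PACKAGE_SEPOLGEN forces Python on regardless of any depends on conditions the Python option itself carries, because a Kconfig select does not propagate the selected symbol's dependencies. Either repeat Python's dependencies here with a matching comment entry, as the libsemanage and setools options in this series do for threads and large-file support, or turn this into depends on BR2_PACKAGE_PYTHON.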
diff --git a/package/sepolgen/sepolgen.mk b/package/sepolgen/sepolgen.mk
new file mode 100644
index 0000000..a8c4786
--- /dev/null
+++ b/package/sepolgen/sepolgen.mk
@@ -0,0 +1,35 @@
+################################################################################
+#
+# sepolgen
+#
+################################################################################
+
+SEPOLGEN_VERSION = 1.1.9
+SEPOLGEN_SITE = http://userspace.selinuxproject.org/releases/20130423/
+SEPOLGEN_LICENSE = GPLv2
+SEPOLGEN_LICENSE_FILES = COPYING
+
+SEPOLGEN_DEPENDENCIES = python
+
+SEPOLGEN_INSTALL_STAGING = YES
+
+SEPOLGEN_MAKE_CMDS = $(TARGET_CONFIGURE_OPTS) \
+	PYTHONLIBDIR=/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages
+
+define SEPOLGEN_BUILD_CMDS
+	$(MAKE) -C $(@D) $(SEPOLGEN_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
+endef
+
+define SEPOLGEN_INSTALL_STAGING_CMDS
+	$(MAKE) -C $(@D) install $(SEPOLGEN_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
+endef
+
+define SEPOLGEN_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D) install $(SEPOLGEN_MAKE_CMDS) DESTDIR=$(TARGET_DIR)
+endef
+
+define SEPOLGEN_CLEAN_CMDS
+	$(MAKE) -C $(@D) clean
+endef
+
+$(eval $(generic-package))
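Review bot: SEPOLGEN_MAKE_CMDS holds make variable assignments rather than commands, and the same series calls the equivalent variable LIBSEMANAGE_MAKE_OPT in libsemanage.mk and HOST_CHECKPOLICY_MAKE_OPTS in checkpolicy.mk. Pick one suffix and use it in all three files. SEPOLGEN_BUILD_CMDS also passes DESTDIR=$(STAGING_DIR) at build time without the explanatory comment that libsemanage.mk has for the same construct; add the comment here, or drop DESTDIR from the build step if sepolgen does not need it.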
-- 
1.7.1


* [Buildroot] [PATCH v3 08/16] sqlite: Add host build support
  2013-09-25 19:32 [Buildroot] [PATCH v3 00/16] SELinux Buildroot Additions Clayton Shotwell
                   ` (6 preceding siblings ...)
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 07/16] sepolgen: " Clayton Shotwell
@ 2013-09-25 19:32 ` Clayton Shotwell
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 09/16] setools: new package Clayton Shotwell
                   ` (8 subsequent siblings)
  16 siblings, 0 replies; 22+ messages in thread
From: Clayton Shotwell @ 2013-09-25 19:32 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v2 -> v3:
  - Changed order of patch to correct dependency issue (suggested by Thomas).
Changes v1 -> v2:
  - No changes

 package/sqlite/sqlite.mk |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/package/sqlite/sqlite.mk b/package/sqlite/sqlite.mk
index d474619..4d93172 100644
--- a/package/sqlite/sqlite.mk
+++ b/package/sqlite/sqlite.mk
@@ -68,3 +68,4 @@ define SQLITE_UNINSTALL_STAGING_CMDS
 endef
 
 $(eval $(autotools-package))
+$(eval $(host-autotools-package))
\ No newline at end of file
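Review bot: The added $(eval $(host-autotools-package)) line becomes the last line of sqlite.mk without a terminating newline, as the "\ No newline at end of file" marker shows. End the file with a newline so the next patch that appends to sqlite.mk does not also have to touch this line.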
-- 
1.7.1


* [Buildroot] [PATCH v3 09/16] setools: new package
  2013-09-25 19:32 [Buildroot] [PATCH v3 00/16] SELinux Buildroot Additions Clayton Shotwell
                   ` (7 preceding siblings ...)
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 08/16] sqlite: Add host build support Clayton Shotwell
@ 2013-09-25 19:32 ` Clayton Shotwell
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 10/16] libcgroup: " Clayton Shotwell
                   ` (7 subsequent siblings)
  16 siblings, 0 replies; 22+ messages in thread
From: Clayton Shotwell @ 2013-09-25 19:32 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v2 -> v3:
  - Changed patch naming convention (suggested by Thomas).
  - Added dependencies on BR2_TOOLCHAIN_HAS_THREADS and BR2_LARGEFILE (suggested by Thomas).
Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format.
  - Cleaned up the patch to include a signed-off-by line.
  - Changed package dependencies into selects in the config.
  - Changed the original Python select in the Config.in to be a check 
    in the mk file.

 package/Config.in                                  |    1 +
 package/setools/Config.in                          |   21 +
 .../setools/setools-0001-cross-compile-fixes.patch |  121 +++
 .../setools-0002-swig-typedef-python-fixes.patch   | 1014 ++++++++++++++++++++
 package/setools/setools.mk                         |   85 ++
 5 files changed, 1242 insertions(+), 0 deletions(-)
 create mode 100644 package/setools/Config.in
 create mode 100644 package/setools/setools-0001-cross-compile-fixes.patch
 create mode 100644 package/setools/setools-0002-swig-typedef-python-fixes.patch
 create mode 100644 package/setools/setools.mk

diff --git a/package/Config.in b/package/Config.in
index 056a6ef..a85cbdd 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -919,6 +919,7 @@ endmenu
 
 menu "Security"
 source "package/sepolgen/Config.in"
+source "package/setools/Config.in"
 endmenu
 
 menu "Shell and utilities"
diff --git a/package/setools/Config.in b/package/setools/Config.in
new file mode 100644
index 0000000..acc551f
--- /dev/null
+++ b/package/setools/Config.in
@@ -0,0 +1,21 @@
+config BR2_PACKAGE_SETOOLS
+	bool "setools"
+	select BR2_PACKAGE_LIBSELINUX
+	select BR2_PACKAGE_SQLITE
+	select BR2_PACKAGE_LIBXML2
+	select BR2_PACKAGE_BZIP2
+	depends on BR2_TOOLCHAIN_HAS_THREADS
+	depends on BR2_LARGEFILE
+	help
+	  SETools is an open source project designed to facilitate SELinux policy 
+	  analysis. The primary tools are:
+	      
+	      apol - analyze a SELinux policy.
+	      seaudit - analyze audit messages from SELinux.
+	      seaudit-report - generate highly-customized audit log reports.
+	      sechecker - command line tool for performing modular checks on an SELinux policy.
+	      sediff - semantic policy difference tool for SELinux.
+	      secmds - command-line tools to analyze and search SELinux policy. 
+
+comment "setools support requires a toolchain with large file and threading support"
+	depends on !BR2_TOOLCHAIN_HAS_THREADS || !BR2_LARGEFILE
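Review bot: The help text for BR2_PACKAGE_SETOOLS ends with the tool list and has no upstream URL, whereas the libsemanage, checkpolicy and sepolgen entries in this series each close their help with one. Add the project's home page as the last help line. The tool list is also indented with extra spaces, several lines carry trailing whitespace, and the sechecker line is far longer than the rest, so the block should be rewrapped to the usual help width.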
diff --git a/package/setools/setools-0001-cross-compile-fixes.patch b/package/setools/setools-0001-cross-compile-fixes.patch
new file mode 100644
index 0000000..c931039
--- /dev/null
+++ b/package/setools/setools-0001-cross-compile-fixes.patch
@@ -0,0 +1,121 @@
+Correct build issues to enable cross compiling.  These rechanges require the
+package to be auto reconfigured.  
+
+Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
+
+diff -urN a/configure.ac b/configure.ac
+--- a/configure.ac	2013-01-16 10:36:24.000000000 -0600
++++ b/configure.ac	2013-07-12 08:22:10.380255248 -0500
+@@ -448,8 +448,9 @@
+               sepol_srcdir="")
+ if test "x${sepol_srcdir}" = "x"; then
+    sepol_srcdir=${sepol_devel_libdir}
+-   AC_CHECK_FILE([${sepol_srcdir}/libsepol.a],,
+-      AC_MSG_ERROR([make sure libsepol-static is installed]))
++   if test ! -f ${sepol_srcdir}/libsepol.a; then
++      AC_MSG_ERROR([could not find precompiled libsepol.a])
++   fi
+ else
+    AC_MSG_CHECKING([for compatible sepol source tree])
+    sepol_version=${sepol_srcdir}/VERSION
+@@ -484,8 +485,9 @@
+    AC_CHECK_HEADER([sepol/policydb/policydb.h], , AC_MSG_ERROR([could not find sepol source tree]))
+    CFLAGS="${sepol_src_save_CFLAGS}"
+    CPPFLAGS="${sepol_src_save_CPPFLAGS}"
+-   AC_CHECK_FILE([${sepol_srcdir}/libsepol.a],,
+-      AC_MSG_ERROR([could not find precompiled libsepol.a]))
++   if test ! -f ${sepol_srcdir}/libsepol.a; then
++      AC_MSG_ERROR([could not find precompiled libsepol.a])
++   fi
+    sepol_devel_incdir="${sepol_srcdir}/../include"
+ fi
+ SELINUX_CFLAGS="-I${sepol_devel_incdir} -I${selinux_devel_incdir}"
+@@ -578,12 +580,13 @@
+                          [AC_LANG_SOURCE([
+ #include <sepol/policydb/expand.h>
+ int main () {
+-  return expand_module_avrules(NULL, NULL, NULL, NULL, NULL, 0, 0);
++  return expand_module_avrules(NULL, NULL, NULL, NULL, NULL, 0, 0, 0, 0);
+ }])],
+                          AC_MSG_RESULT([yes]),
+                          AC_MSG_ERROR([this version of libsepol is incompatible with SETools]))
+     fi
+     sepol_new_expand_boolmap="yes"
++    sepol_new_user_role_mapping="yes"
+ else
+     sepol_new_expand_boolmap="no"
+ fi
+@@ -607,7 +610,8 @@
+     exit(EXIT_FAILURE);
+ }])],
+     sepol_policy_version_max=`cat conftest.data`,
+-    AC_MSG_FAILURE([could not determine maximum libsepol policy version]))
++    AC_MSG_FAILURE([could not determine maximum libsepol policy version]),
++    sepol_policy_version_max="26")
+ AC_DEFINE_UNQUOTED(SEPOL_POLICY_VERSION_MAX, ${sepol_policy_version_max}, [maximum policy version supported by libsepol])
+ CFLAGS="${sepol_save_CFLAGS}"
+ CPPFLAGS="${sepol_save_CPPFLAGS}"
+@@ -631,7 +635,7 @@
+     changequote([,])dnl
+     selinux_save_CFLAGS="${CFLAGS}"
+     CFLAGS="${SELINUX_CFLAGS} ${SELINUX_LIB_FLAG} -lselinux -lsepol ${CFLAGS}"
+-    gcc ${CFLAGS} -o conftest conftest.c >&5
++    ${CC} ${CFLAGS} -o conftest conftest.c >&5
+     selinux_policy_dir=`./conftest`
+     AC_MSG_RESULT(${selinux_policy_dir})
+     CFLAGS="${selinux_save_CFLAGS}"
+diff -urN a/libqpol/src/policy_define.c b/libqpol/src/policy_define.c
+--- a/libqpol/src/policy_define.c	2013-01-16 10:36:24.000000000 -0600
++++ b/libqpol/src/policy_define.c	2013-07-12 08:22:10.380255248 -0500
+@@ -2135,7 +2135,7 @@
+ #ifdef HAVE_SEPOL_ROLE_ATTRS
+ 	if (role_set_expand(&roles, &e_roles, policydbp, NULL, NULL))
+ #elif HAVE_SEPOL_USER_ROLE_MAPPING
+-	if (role_set_expand(&roles, &e_roles, policydbp, NULL))
++	if (role_set_expand(&roles, &e_roles, policydbp, NULL, NULL))
+ #else
+ 	if (role_set_expand(&roles, &e_roles, policydbp))
+ #endif
+diff -urN a/m4/ac_python_devel.m4 b/m4/ac_python_devel.m4
+--- a/m4/ac_python_devel.m4	2013-01-16 10:36:22.000000000 -0600
++++ b/m4/ac_python_devel.m4	2013-07-12 08:22:10.380255248 -0500
+@@ -234,7 +234,7 @@
+ 	AC_MSG_CHECKING([consistency of all components of python development environment])
+ 	AC_LANG_PUSH([C])
+ 	# save current global flags
+-	LIBS="$ac_save_LIBS $PYTHON_LDFLAGS"
++	LIBS="$ac_save_LIBS $PYTHON_EXTRA_LIBS $PYTHON_LDFLAGS"
+ 	CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
+ 	AC_TRY_LINK([
+ 		#include <Python.h>
+diff -urN a/python/setools/Makefile.am b/python/setools/Makefile.am
+--- a/python/setools/Makefile.am	2013-01-16 10:36:22.000000000 -0600
++++ b/python/setools/Makefile.am	2013-07-12 08:22:19.200251011 -0500
+@@ -22,13 +22,13 @@
+ python-build: sesearch.c seinfo.c
+ 	@mkdir -p setools
+ 	@cp __init__.py setools
+-	LIBS="$(QPOL_LIB_FLAG) $(APOL_LIB_FLAG)" INCLUDES="$(QPOL_CFLAGS) $(APOL_CFLAGS)" $(PYTHON) setup.py build
++	LIBS="$(QPOL_LIB_FLAG) $(APOL_LIB_FLAG)" LIBDIRS="$(PYTHON_LDFLAGS)" INCLUDES="$(PYTHON_CPPFLAGS) $(QPOL_CFLAGS) $(APOL_CFLAGS)" CC="$(CC)" CFLAGS="$(CFLAGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(LDFLAGS)" $(PYTHON) setup.py build_ext
+ 
+ install-exec-hook:
+-	$(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
++	$(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --prefix=$(DESTDIR)/usr`
+ 
+ uninstall-hook: 
+-	$(PYTHON) setup.py uninstall `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
++	$(PYTHON) setup.py uninstall `test -n "$(DESTDIR)" && echo --prefix=$(DESTDIR)/usr`
+ 
+ clean-local:
+ 	$(PYTHON) setup.py clean -a 
+--- a/python/setools/setup.py	2013-01-16 10:36:22.000000000 -0600
++++ b/python/setools/setup.py	2013-09-04 09:17:48.452916991 -0500
+@@ -8,7 +8,7 @@
+ try:
+     inc=os.getenv("INCLUDES").split(" ")    
+     INCLUDES=map(lambda x: x[2:], inc)
+-    LIBDIRS=map(lambda x: "/".join(x.split("/")[:-1]), os.getenv("LIBS").split())
++    LIBDIRS=map(lambda x: "/".join(x.split("/")[:-1]), os.getenv("LIBS").split()) + map(lambda x: x[2:], os.getenv("LIBDIRS").split())
+ except:
+     INCLUDES=""
+     LIBDIRS=""
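Review bot: In the configure.ac hunk at line 631, replacing gcc with ${CC} makes conftest a target binary, but the following context line still executes it on the build machine (selinux_policy_dir=`./conftest`), which cannot work when the target architecture differs from the host. Let the policy directory be passed in from outside instead of being computed by running a test program, and state in the description where the hard-coded sepol_policy_version_max="26" comes from, since it has to match the libsepol version actually packaged. In the setup.py hunk, os.getenv("LIBDIRS").split() sits inside the existing try, so an unset LIBDIRS falls into the bare except and silently empties INCLUDES as well; read it with a default such as os.getenv("LIBDIRS", ""). The description also has "rechanges" for "changes" and a "Signed-off-by" tag without the colon.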
diff --git a/package/setools/setools-0002-swig-typedef-python-fixes.patch b/package/setools/setools-0002-swig-typedef-python-fixes.patch
new file mode 100644
index 0000000..999fed4
--- /dev/null
+++ b/package/setools/setools-0002-swig-typedef-python-fixes.patch
@@ -0,0 +1,1014 @@
+Correct swig typdef naming convention errors that cause the build to break. 
+
+Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
+
+--- a/libapol/swig/apol.i	2010-04-23 11:22:08.000000000 -0500
++++ b/libapol/swig/apol.i	2012-08-29 08:04:29.000000000 -0500
+@@ -232,7 +232,7 @@
+ %newobject wrap_apol_str_to_internal_ip(char*);
+ %rename(apol_str_to_internal_ip) wrap_apol_str_to_internal_ip;
+ %inline %{
+-	typedef struct apol_ip {
++	typedef struct {
+ 		uint32_t ip[4];
+ 		int proto;
+ 	} apol_ip_t;
+@@ -301,7 +301,7 @@
+ %inline %{
+ 	typedef struct apol_string_vector apol_string_vector_t;
+ %}
+-typedef struct apol_vector {} apol_vector_t;
++typedef struct {} apol_vector_t;
+ %extend apol_vector_t {
+ 	apol_vector_t() {
+ 		return apol_vector_create(NULL);
+@@ -377,7 +377,7 @@
+ 		return apol_vector_compare(a, b, NULL, NULL, &idx);
+ 	}
+ %}
+-typedef struct apol_string_vector {} apol_string_vector_t;
++typedef struct {} apol_string_vector_t;
+ %extend apol_string_vector_t {
+ 	apol_string_vector_t() {
+ 		return (apol_string_vector_t*)apol_vector_create(free);
+@@ -460,7 +460,7 @@
+ 	APOL_POLICY_PATH_TYPE_MONOLITHIC = 0,
+ 	APOL_POLICY_PATH_TYPE_MODULAR
+ } apol_policy_path_type_e;
+-typedef struct apol_policy_path {} apol_policy_path_t;
++typedef struct {} apol_policy_path_t;
+ %extend apol_policy_path_t {
+ 	apol_policy_path_t(apol_policy_path_type_e type, char * primary, apol_string_vector_t *modules = NULL) {
+ 		apol_policy_path_t *p;
+@@ -540,7 +540,7 @@
+ int apol_file_is_policy_path_list(const char *filename);
+ 
+ /* apol policy */
+-typedef struct apol_policy {} apol_policy_t;
++typedef struct {} apol_policy_t;
+ #define APOL_PERMMAP_MAX_WEIGHT 10
+ #define APOL_PERMMAP_MIN_WEIGHT 1
+ #define APOL_PERMMAP_UNMAPPED	0x00
+@@ -650,7 +650,7 @@
+ };
+ 
+ /* apol type query */
+-typedef struct apol_type_query {} apol_type_query_t;
++typedef struct {} apol_type_query_t;
+ %extend apol_type_query_t {
+ 	apol_type_query_t() {
+ 		apol_type_query_t *tq;
+@@ -692,7 +692,7 @@
+ };
+ 
+ /* apol attribute query */
+-typedef struct apol_attr_query {} apol_attr_query_t;
++typedef struct {} apol_attr_query_t;
+ %extend apol_attr_query_t {
+ 	apol_attr_query_t() {
+ 		apol_attr_query_t *aq;
+@@ -734,7 +734,7 @@
+ };
+ 
+ /* apol role query */
+-typedef struct apol_role_query {} apol_role_query_t;
++typedef struct {} apol_role_query_t;
+ %extend apol_role_query_t {
+ 	apol_role_query_t() {
+ 		apol_role_query_t *rq;
+@@ -786,7 +786,7 @@
+ int apol_role_has_type(apol_policy_t * p, qpol_role_t * r, qpol_type_t * t);
+ 
+ /* apol class query */
+-typedef struct apol_class_query {} apol_class_query_t;
++typedef struct {} apol_class_query_t;
+ %extend apol_class_query_t {
+ 	apol_class_query_t() {
+ 		apol_class_query_t *cq;
+@@ -837,7 +837,7 @@
+ };
+ 
+ /* apol common query */
+-typedef struct apol_common_query {} apol_common_query_t;
++typedef struct {} apol_common_query_t;
+ %extend apol_common_query_t {
+ 	apol_common_query_t() {
+ 		apol_common_query_t *cq;
+@@ -879,7 +879,7 @@
+ };
+ 
+ /* apol perm query */
+-typedef struct apol_perm_query {} apol_perm_query_t;
++typedef struct {} apol_perm_query_t;
+ %extend apol_perm_query_t {
+ 	apol_perm_query_t() {
+ 		apol_perm_query_t *pq;
+@@ -921,7 +921,7 @@
+ };
+ 
+ /* apol bool query */
+-typedef struct apol_bool_query {} apol_bool_query_t;
++typedef struct {} apol_bool_query_t;
+ %extend apol_bool_query_t {
+ 	apol_bool_query_t() {
+ 		apol_bool_query_t *bq;
+@@ -963,7 +963,7 @@
+ };
+ 
+ /* apol mls level */
+-typedef struct apol_mls_level {} apol_mls_level_t;
++typedef struct {} apol_mls_level_t;
+ %extend apol_mls_level_t {
+ 	apol_mls_level_t() {
+ 		apol_mls_level_t *aml;
+@@ -1122,11 +1122,11 @@
+ %typemap(in) apol_mls_level_t *lvl {
+ 	void *x = NULL;
+ 	Py_IncRef($input);
+-	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_mls_level, 0 |  0 );
++	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_mls_level_t, 0 |  0 );
+ 	$1 = (apol_mls_level_t*)x;
+ }
+ #endif
+-typedef struct apol_mls_range {} apol_mls_range_t;
++typedef struct {} apol_mls_range_t;
+ %extend apol_mls_range_t {
+ 	apol_mls_range_t() {
+ 		apol_mls_range_t *amr;
+@@ -1276,7 +1276,7 @@
+ %}
+ 
+ /* apol level query */
+-typedef struct apol_level_query {} apol_level_query_t;
++typedef struct {} apol_level_query_t;
+ %extend apol_level_query_t {
+ 	apol_level_query_t() {
+ 		apol_level_query_t * alq;
+@@ -1327,7 +1327,7 @@
+ };
+ 
+ /* apol cat query */
+-typedef struct apol_cat_query {} apol_cat_query_t;
++typedef struct {} apol_cat_query_t;
+ %extend apol_cat_query_t {
+ 	apol_cat_query_t() {
+ 		apol_cat_query_t * acq;
+@@ -1373,11 +1373,11 @@
+ %typemap(in) apol_mls_range_t *rng {
+ 	void *x = NULL;
+ 	Py_IncRef($input);
+-	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_mls_range, 0 |  0 );
++	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_mls_range_t, 0 |  0 );
+ 	$1 = (apol_mls_range_t*)x;
+ }
+ #endif
+-typedef struct apol_user_query {} apol_user_query_t;
++typedef struct {} apol_user_query_t;
+ %extend apol_user_query_t {
+ 	apol_user_query_t() {
+ 		apol_user_query_t *auq;
+@@ -1446,7 +1446,7 @@
+ };
+ 
+ /* apol context */
+-typedef struct apol_context {} apol_context_t;
++typedef struct {} apol_context_t;
+ %extend apol_context_t {
+ 	apol_context_t() {
+ 		apol_context_t *ctx;
+@@ -1581,7 +1581,7 @@
+ int apol_context_compare(apol_policy_t * p, apol_context_t * target, apol_context_t * search, unsigned int range_compare_type);
+ 
+ /* apol constraint query */
+-typedef struct apol_constraint_query {} apol_constraint_query_t;
++typedef struct {} apol_constraint_query_t;
+ %extend apol_constraint_query_t {
+ 	apol_constraint_query_t() {
+ 		apol_constraint_query_t *acq;
+@@ -1632,7 +1632,7 @@
+ };
+ 
+ /* apol validatetrans query */
+-typedef struct apol_validatetrans_query {} apol_validatetrans_query_t;
++typedef struct {} apol_validatetrans_query_t;
+ %extend apol_validatetrans_query_t {
+ 	apol_validatetrans_query_t() {
+ 		apol_validatetrans_query_t *avq;
+@@ -1678,11 +1678,11 @@
+ %typemap(in) apol_context_t *ctx {
+ 	void *x = NULL;
+ 	Py_IncRef($input);
+-	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_context, 0 |  0 );
++	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_context_t, 0 |  0 );
+ 	$1 = (apol_context_t*)x;
+ }
+ #endif
+-typedef struct apol_genfscon_query {} apol_genfscon_query_t;
++typedef struct {} apol_genfscon_query_t;
+ %extend apol_genfscon_query_t {
+ 	apol_genfscon_query_t() {
+ 		apol_genfscon_query_t *agq;
+@@ -1744,7 +1744,7 @@
+ char *apol_genfscon_render(apol_policy_t * p, qpol_genfscon_t * genfscon);
+ 
+ /* apol fs_use query */
+-typedef struct apol_fs_use_query {} apol_fs_use_query_t;
++typedef struct {} apol_fs_use_query_t;
+ %extend apol_fs_use_query_t {
+ 	apol_fs_use_query_t() {
+ 		apol_fs_use_query_t *afq;
+@@ -1797,7 +1797,7 @@
+ char *apol_fs_use_render(apol_policy_t * p, qpol_fs_use_t * fsuse);
+ 
+ /* apol initial sid query */
+-typedef struct apol_isid_query {} apol_isid_query_t;
++typedef struct {} apol_isid_query_t;
+ %extend apol_isid_query_t {
+ 	apol_isid_query_t() {
+ 		apol_isid_query_t *aiq;
+@@ -1839,7 +1839,7 @@
+ };
+ 
+ /* apol portcon query */
+-typedef struct apol_portcon_query {} apol_portcon_query_t;
++typedef struct {} apol_portcon_query_t;
+ %extend apol_portcon_query_t {
+ 	apol_portcon_query_t() {
+ 		apol_portcon_query_t *apq;
+@@ -1883,7 +1883,7 @@
+ char *apol_portcon_render(apol_policy_t * p, qpol_portcon_t * portcon);
+ 
+ /* apol netifcon query */
+-typedef struct apol_netifcon_query {} apol_netifcon_query_t;
++typedef struct {} apol_netifcon_query_t;
+ %extend apol_netifcon_query_t {
+ 	apol_netifcon_query_t() {
+ 		apol_netifcon_query_t *anq;
+@@ -1930,7 +1930,7 @@
+ char *apol_netifcon_render(apol_policy_t * p, qpol_netifcon_t * netifcon);
+ 
+ /* apol nodecon query */
+-typedef struct apol_nodecon_query {} apol_nodecon_query_t;
++typedef struct {} apol_nodecon_query_t;
+ %extend apol_nodecon_query_t {
+ 	apol_nodecon_query_t() {
+ 		apol_nodecon_query_t *anq;
+@@ -2010,7 +2010,7 @@
+ char *apol_nodecon_render(apol_policy_t * p, qpol_nodecon_t * nodecon);
+ 
+ /* apol avrule query */
+-typedef struct apol_avrule_query {} apol_avrule_query_t;
++typedef struct {} apol_avrule_query_t;
+ %extend apol_avrule_query_t {
+ 	apol_avrule_query_t() {
+ 		apol_avrule_query_t *avq;
+@@ -2161,7 +2161,7 @@
+ %}
+ 
+ /* apol terule query */
+-typedef struct apol_terule_query {} apol_terule_query_t;
++typedef struct {} apol_terule_query_t;
+ %extend apol_terule_query_t {
+ 	apol_terule_query_t() {
+ 		apol_terule_query_t *atq;
+@@ -2285,7 +2285,7 @@
+ apol_vector_t *apol_terule_list_to_syn_terules(apol_policy_t * p, apol_vector_t * rules);
+ 
+ /* apol cond rule query */
+-typedef struct apol_cond_query {} apol_cond_query_t;
++typedef struct {} apol_cond_query_t;
+ %extend apol_cond_query_t {
+ 	apol_cond_query_t() {
+ 		apol_cond_query_t *acq;
+@@ -2329,7 +2329,7 @@
+ char *apol_cond_expr_render(apol_policy_t * p, qpol_cond_t * cond);
+ 
+ /* apol role allow query */
+-typedef struct apol_role_allow_query {} apol_role_allow_query_t;
++typedef struct {} apol_role_allow_query_t;
+ %extend apol_role_allow_query_t {
+ 	apol_role_allow_query_t() {
+ 		apol_role_allow_query_t *arq;
+@@ -2385,7 +2385,7 @@
+ char *apol_role_allow_render(apol_policy_t * policy, qpol_role_allow_t * rule);
+ 
+ /* apol role transition rule query */
+-typedef struct apol_role_trans_query {} apol_role_trans_query_t;
++typedef struct {} apol_role_trans_query_t;
+ %extend apol_role_trans_query_t {
+ 	apol_role_trans_query_t() {
+ 		apol_role_trans_query_t *arq;
+@@ -2450,7 +2450,7 @@
+ char *apol_role_trans_render(apol_policy_t * policy, qpol_role_trans_t * rule);
+ 
+ /* apol range transition rule query */
+-typedef struct apol_range_trans_query {} apol_range_trans_query_t;
++typedef struct {} apol_range_trans_query_t;
+ %extend apol_range_trans_query_t {
+ 	apol_range_trans_query_t() {
+ 		apol_range_trans_query_t *arq;
+@@ -2529,7 +2529,7 @@
+ #define APOL_DOMAIN_TRANS_SEARCH_VALID		0x01
+ #define APOL_DOMAIN_TRANS_SEARCH_INVALID	0x02
+ #define APOL_DOMAIN_TRANS_SEARCH_BOTH		(APOL_DOMAIN_TRANS_SEARCH_VALID|APOL_DOMAIN_TRANS_SEARCH_INVALID)
+-typedef struct apol_domain_trans_analysis {} apol_domain_trans_analysis_t;
++typedef struct {} apol_domain_trans_analysis_t;
+ %extend apol_domain_trans_analysis_t {
+ 	apol_domain_trans_analysis_t() {
+ 		apol_domain_trans_analysis_t *dta;
+@@ -2620,7 +2620,7 @@
+ 		return v;
+ 	};
+ };
+-typedef struct apol_domain_trans_result {} apol_domain_trans_result_t;
++typedef struct {} apol_domain_trans_result_t;
+ %extend apol_domain_trans_result_t {
+ 	apol_domain_trans_result_t(apol_domain_trans_result_t *in) {
+ 		apol_domain_trans_result_t *dtr;
+@@ -2703,7 +2703,7 @@
+ 		*in = NULL;
+ 	}
+ %}
+-typedef struct apol_infoflow {} apol_infoflow_t;
++typedef struct {} apol_infoflow_t;
+ %extend apol_infoflow_t {
+ 	apol_infoflow_t() {
+ 		BEGIN_EXCEPTION
+@@ -2728,7 +2728,7 @@
+ 		return v;
+ 	};
+ };
+-typedef struct apol_infoflow_analysis {} apol_infoflow_analysis_t;
++typedef struct {} apol_infoflow_analysis_t;
+ %extend apol_infoflow_analysis_t {
+ 	apol_infoflow_analysis_t() {
+ 		apol_infoflow_analysis_t *aia;
+@@ -2821,7 +2821,7 @@
+ 		return;
+ 	};
+ };
+-typedef struct apol_infoflow_graph {} apol_infoflow_graph_t;
++typedef struct {} apol_infoflow_graph_t;
+ %extend apol_infoflow_graph_t {
+ 	apol_infoflow_graph_t() {
+ 		BEGIN_EXCEPTION
+@@ -2865,7 +2865,7 @@
+ 		return retval;
+ 	};
+ };
+-typedef struct apol_infoflow_result {} apol_infoflow_result_t;
++typedef struct {} apol_infoflow_result_t;
+ %extend apol_infoflow_result_t {
+ 	apol_infoflow_result_t() {
+ 		BEGIN_EXCEPTION
+@@ -2899,7 +2899,7 @@
+ 		return (apol_infoflow_result_t*)x;
+ 	};
+ %}
+-typedef struct apol_infoflow_step {} apol_infoflow_step_t;
++typedef struct {} apol_infoflow_step_t;
+ %extend apol_infoflow_step_t {
+ 	apol_infoflow_step_t() {
+ 		BEGIN_EXCEPTION
+@@ -2936,7 +2936,7 @@
+ #define APOL_RELABEL_DIR_FROM    0x02
+ #define APOL_RELABEL_DIR_BOTH    (APOL_RELABEL_DIR_TO|APOL_RELABEL_DIR_FROM)
+ #define APOL_RELABEL_DIR_SUBJECT 0x04
+-typedef struct apol_relabel_analysis {} apol_relabel_analysis_t;
++typedef struct {} apol_relabel_analysis_t;
+ %extend apol_relabel_analysis_t {
+ 	apol_relabel_analysis_t() {
+ 		apol_relabel_analysis_t *ara;
+@@ -3009,7 +3009,7 @@
+ 		return;
+ 	};
+ };
+-typedef struct apol_relabel_result {} apol_relabel_result_t;
++typedef struct {} apol_relabel_result_t;
+ %extend apol_relabel_result_t {
+ 	apol_relabel_result_t() {
+ 		BEGIN_EXCEPTION
+@@ -3040,7 +3040,7 @@
+ 		return (apol_relabel_result_t*)x;
+ 	};
+ %}
+-typedef struct apol_relabel_result_pair {} apol_relabel_result_pair_t;
++typedef struct {} apol_relabel_result_pair_t;
+ %extend apol_relabel_result_pair_t {
+ 	apol_relabel_result_pair_t() {
+ 		BEGIN_EXCEPTION
+@@ -3082,7 +3082,7 @@
+ #define APOL_TYPES_RELATION_DIRECT_FLOW 0x1000
+ #define APOL_TYPES_RELATION_TRANS_FLOW_AB 0x4000
+ #define APOL_TYPES_RELATION_TRANS_FLOW_BA 0x8000
+-typedef struct apol_types_relation_analysis {} apol_types_relation_analysis_t;
++typedef struct {} apol_types_relation_analysis_t;
+ %extend apol_types_relation_analysis_t {
+ 	apol_types_relation_analysis_t() {
+ 		apol_types_relation_analysis_t *atr;
+@@ -3137,7 +3137,7 @@
+ 		return;
+ 	};
+ };
+-typedef struct apol_types_relation_result {} apol_types_relation_result_t;
++typedef struct {} apol_types_relation_result_t;
+ %extend apol_types_relation_result_t {
+ 	apol_types_relation_result_t() {
+ 		BEGIN_EXCEPTION
+@@ -3192,7 +3192,7 @@
+ 		return apol_types_relation_result_get_domainsBA(self);
+ 	};
+ };
+-typedef struct apol_types_relation_access {} apol_types_relation_access_t;
++typedef struct {} apol_types_relation_access_t;
+ %extend apol_types_relation_access_t {
+ 	apol_types_relation_access_t() {
+ 		BEGIN_EXCEPTION
+--- a/libqpol/swig/qpol.i	2010-04-30 11:23:28.000000000 -0500
++++ b/libqpol/swig/qpol.i	2012-08-29 07:52:17.000000000 -0500
+@@ -226,7 +226,7 @@
+ #define QPOL_MODULE_UNKNOWN 0
+ #define QPOL_MODULE_BASE    1
+ #define QPOL_MODULE_OTHER   2
+-typedef struct qpol_module {} qpol_module_t;
++typedef struct {} qpol_module_t;
+ %extend qpol_module_t {
+ 	qpol_module_t(const char *path) {
+ 		qpol_module_t *m;
+@@ -310,7 +310,7 @@
+ #define QPOL_POLICY_OPTION_NO_NEVERALLOWS 0x00000001
+ #define QPOL_POLICY_OPTION_NO_RULES       0x00000002
+ #define QPOL_POLICY_OPTION_MATCH_SYSTEM   0x00000004
+-typedef struct qpol_policy {} qpol_policy_t;
++typedef struct {} qpol_policy_t;
+ typedef void (*qpol_callback_fn_t) (void *varg, struct qpol_policy * policy, int level, const char *fmt, va_list va_args);
+ #define QPOL_POLICY_UNKNOWN       -1
+ #define QPOL_POLICY_KERNEL_SOURCE  0
+@@ -684,7 +684,7 @@
+ };
+ 
+ /* qpol iterator */
+-typedef struct qpol_iterator {} qpol_iterator_t;
++typedef struct {} qpol_iterator_t;
+ %extend qpol_iterator_t {
+ 	/* user never directly creates, but SWIG expects a constructor */
+ 	qpol_iterator_t() {
+@@ -734,7 +734,7 @@
+ };
+ 
+ /* qpol type */
+-typedef struct qpol_type {} qpol_type_t;
++typedef struct {} qpol_type_t;
+ %extend qpol_type_t {
+ 	qpol_type_t(qpol_policy_t *p, const char *name) {
+ 		BEGIN_EXCEPTION
+@@ -849,7 +849,7 @@
+ %}
+ 
+ /* qpol role */
+-typedef struct qpol_role {} qpol_role_t;
++typedef struct {} qpol_role_t;
+ %extend qpol_role_t {
+ 	qpol_role_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_role_t *r;
+@@ -917,7 +917,7 @@
+ %}
+ 
+ /* qpol level */
+-typedef struct qpol_level {} qpol_level_t;
++typedef struct {} qpol_level_t;
+ %extend qpol_level_t {
+ 	qpol_level_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_level_t *l;
+@@ -995,7 +995,7 @@
+ %}
+ 
+ /* qpol cat */
+-typedef struct qpol_cat {} qpol_cat_t;
++typedef struct {} qpol_cat_t;
+ %extend qpol_cat_t {
+ 	qpol_cat_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_cat_t *c;
+@@ -1062,7 +1062,7 @@
+ %}
+ 
+ /* qpol mls range */
+-typedef struct qpol_mls_range {} qpol_mls_range_t;
++typedef struct {} qpol_mls_range_t;
+ %extend qpol_mls_range_t {
+ 	qpol_mls_range_t() {
+ 		BEGIN_EXCEPTION
+@@ -1103,7 +1103,7 @@
+ %}
+ 
+ /* qpol mls level */
+-typedef struct qpol_mls_level {} qpol_mls_level_t;
++typedef struct {} qpol_mls_level_t;
+ %extend qpol_mls_level_t {
+ 	qpol_mls_level_t() {
+ 		BEGIN_EXCEPTION
+@@ -1145,7 +1145,7 @@
+ %}
+ 
+ /* qpol user */
+-typedef struct qpol_user {} qpol_user_t;
++typedef struct {} qpol_user_t;
+ %extend qpol_user_t {
+ 	qpol_user_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_user_t *u;
+@@ -1221,7 +1221,7 @@
+ %}
+ 
+ /* qpol bool */
+-typedef struct qpol_bool {} qpol_bool_t;
++typedef struct {} qpol_bool_t;
+ %extend qpol_bool_t {
+ 	qpol_bool_t(qpol_policy_t *p, const char *name) {
+ 		qpol_bool_t *b;
+@@ -1293,7 +1293,7 @@
+ %}
+ 
+ /* qpol context */
+-typedef struct qpol_context {} qpol_context_t;
++typedef struct {} qpol_context_t;
+ %extend qpol_context_t {
+ 	qpol_context_t() {
+ 		BEGIN_EXCEPTION
+@@ -1354,7 +1354,7 @@
+ %}
+ 
+ /* qpol class */
+-typedef struct qpol_class {} qpol_class_t;
++typedef struct {} qpol_class_t;
+ %extend qpol_class_t {
+ 	qpol_class_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_class_t *c;
+@@ -1441,7 +1441,7 @@
+ %}
+ 
+ /* qpol common */
+-typedef struct qpol_common {} qpol_common_t;
++typedef struct {} qpol_common_t;
+ %extend qpol_common_t {
+ 	qpol_common_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_common_t *c;
+@@ -1514,7 +1514,7 @@
+ #define QPOL_FS_USE_NONE  5U
+ #define QPOL_FS_USE_PSID  6U
+ #endif
+-typedef struct qpol_fs_use {} qpol_fs_use_t;
++typedef struct {} qpol_fs_use_t;
+ %extend qpol_fs_use_t {
+ 	qpol_fs_use_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_fs_use_t *f;
+@@ -1592,7 +1592,7 @@
+ #define QPOL_CLASS_LNK_FILE   9U
+ #define QPOL_CLASS_SOCK_FILE 12U
+ #endif
+-typedef struct qpol_genfscon {} qpol_genfscon_t;
++typedef struct {} qpol_genfscon_t;
+ %extend qpol_genfscon_t {
+ 	qpol_genfscon_t(qpol_policy_t *p, const char *name, const char *path) {
+ 		qpol_genfscon_t *g;
+@@ -1655,7 +1655,7 @@
+ %}
+ 
+ /* qpol isid */
+-typedef struct qpol_isid {} qpol_isid_t;
++typedef struct {} qpol_isid_t;
+ %extend qpol_isid_t {
+ 	qpol_isid_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_isid_t *i;
+@@ -1699,7 +1699,7 @@
+ %}
+ 
+ /* qpol netifcon */
+-typedef struct qpol_netifcon {} qpol_netifcon_t;
++typedef struct {} qpol_netifcon_t;
+ %extend qpol_netifcon_t {
+ 	qpol_netifcon_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_netifcon_t *n;
+@@ -1755,7 +1755,7 @@
+ /* qpol nodecon */
+ #define QPOL_IPV4 0
+ #define QPOL_IPV6 1
+-typedef struct qpol_nodecon {} qpol_nodecon_t;
++typedef struct {} qpol_nodecon_t;
+ %extend qpol_nodecon_t {
+ 	qpol_nodecon_t(qpol_policy_t *p, int addr[4], int mask[4], int protocol) {
+ 		uint32_t a[4], m[4];
+@@ -1828,7 +1828,7 @@
+ /* from netinet/in.h */
+ #define IPPROTO_TCP 6
+ #define IPPROTO_UDP 17
+-typedef struct qpol_portcon {} qpol_portcon_t;
++typedef struct {} qpol_portcon_t;
+ %extend qpol_portcon_t {
+ 	qpol_portcon_t(qpol_policy_t *p, uint16_t low, uint16_t high, uint8_t protocol) {
+ 		const qpol_portcon_t *qp;
+@@ -1892,7 +1892,7 @@
+ %}
+ 
+ /* qpol constraint */
+-typedef struct qpol_constraint {} qpol_constraint_t;
++typedef struct {} qpol_constraint_t;
+ %extend qpol_constraint_t {
+ 	qpol_constraint_t() {
+ 		BEGIN_EXCEPTION
+@@ -1944,7 +1944,7 @@
+ %}
+ 
+ /* qpol validatetrans */
+-typedef struct qpol_validatetrans {} qpol_validatetrans_t;
++typedef struct {} qpol_validatetrans_t;
+ %extend qpol_validatetrans_t {
+ 	qpol_validatetrans_t() {
+ 		BEGIN_EXCEPTION
+@@ -2009,7 +2009,7 @@
+ #define QPOL_CEXPR_OP_DOM    3
+ #define QPOL_CEXPR_OP_DOMBY  4
+ #define QPOL_CEXPR_OP_INCOMP 5
+-typedef struct qpol_constraint_expr_node {} qpol_constraint_expr_node_t;
++typedef struct {} qpol_constraint_expr_node_t;
+ %extend qpol_constraint_expr_node_t {
+ 	qpol_constraint_expr_node_t() {
+ 		BEGIN_EXCEPTION
+@@ -2071,7 +2071,7 @@
+ %}
+ 
+ /* qpol role allow */
+-typedef struct qpol_role_allow {} qpol_role_allow_t;
++typedef struct {} qpol_role_allow_t;
+ %extend qpol_role_allow_t {
+ 	qpol_role_allow_t() {
+ 		BEGIN_EXCEPTION
+@@ -2112,7 +2112,7 @@
+ %}
+ 
+ /* qpol role trans */
+-typedef struct qpol_role_trans {} qpol_role_trans_t;
++typedef struct {} qpol_role_trans_t;
+ %extend qpol_role_trans_t {
+ 	qpol_role_trans_t() {
+ 		BEGIN_EXCEPTION
+@@ -2163,7 +2163,7 @@
+ %}
+ 
+ /* qpol range trans */
+-typedef struct qpol_range_trans {} qpol_range_trans_t;
++typedef struct {} qpol_range_trans_t;
+ %extend qpol_range_trans_t {
+ 	qpol_range_trans_t() {
+ 		BEGIN_EXCEPTION
+@@ -2226,7 +2226,7 @@
+ #define QPOL_RULE_NEVERALLOW  128
+ #define QPOL_RULE_AUDITALLOW    2
+ #define QPOL_RULE_DONTAUDIT     4
+-typedef struct qpol_avrule {} qpol_avrule_t;
++typedef struct {} qpol_avrule_t;
+ %extend qpol_avrule_t {
+ 	qpol_avrule_t() {
+ 		BEGIN_EXCEPTION
+@@ -2346,7 +2346,7 @@
+ #define QPOL_RULE_TYPE_TRANS   16
+ #define QPOL_RULE_TYPE_CHANGE  64
+ #define QPOL_RULE_TYPE_MEMBER  32
+-typedef struct qpol_terule {} qpol_terule_t;
++typedef struct {} qpol_terule_t;
+ %extend qpol_terule_t {
+ 	qpol_terule_t() {
+ 		BEGIN_EXCEPTION
+@@ -2462,7 +2462,7 @@
+ %}
+ 
+ /* qpol conditional */
+-typedef struct qpol_cond {} qpol_cond_t;
++typedef struct {} qpol_cond_t;
+ %extend qpol_cond_t {
+ 	qpol_cond_t() {
+ 		BEGIN_EXCEPTION
+@@ -2555,7 +2555,7 @@
+ #define QPOL_COND_EXPR_XOR  5      /* bool ^ bool */
+ #define QPOL_COND_EXPR_EQ   6      /* bool == bool */
+ #define QPOL_COND_EXPR_NEQ  7      /* bool != bool */
+-typedef struct qpol_cond_expr_node {} qpol_cond_expr_node_t;
++typedef struct {} qpol_cond_expr_node_t;
+ %extend qpol_cond_expr_node_t {
+ 	qpol_cond_expr_node_t() {
+ 		BEGIN_EXCEPTION
+@@ -2600,7 +2600,7 @@
+ %}
+ 
+ /* qpol type set */
+-typedef struct qpol_type_set {} qpol_type_set_t;
++typedef struct {} qpol_type_set_t;
+ %extend qpol_type_set_t {
+ 	qpol_type_set_t() {
+ 		BEGIN_EXCEPTION
+@@ -2663,7 +2663,7 @@
+ %}
+ 
+ /* qpol syn av rule */
+-typedef struct qpol_syn_avrule {} qpol_syn_avrule_t;
++typedef struct {} qpol_syn_avrule_t;
+ %extend qpol_syn_avrule_t {
+ 	qpol_syn_avrule_t() {
+ 		BEGIN_EXCEPTION
+@@ -2776,7 +2776,7 @@
+ %}
+ 
+ /* qpol syn te rule */
+-typedef struct qpol_syn_terule {} qpol_syn_terule_t;
++typedef struct {} qpol_syn_terule_t;
+ %extend qpol_syn_terule_t {
+ 	qpol_syn_terule_t() {
+ 		BEGIN_EXCEPTION
+--- a/libpoldiff/swig/poldiff.i	2007-10-31 16:03:33.000000000 -0500
++++ b/libpoldiff/swig/poldiff.i	2012-08-29 08:08:02.000000000 -0500
+@@ -258,7 +258,7 @@
+ 
+ /* for handling the get_stats function */
+ %{
+-	typedef struct poldiff_stats {
++	typedef struct {
+ 		size_t stats[5];
+ 	} poldiff_stats_t;
+ 	poldiff_stats_t *poldiff_stats_create() {
+@@ -271,7 +271,7 @@
+ 		*x = NULL;
+ 	}
+ %}
+-typedef struct poldiff_stats {} poldiff_stats_t;
++typedef struct {} poldiff_stats_t;
+ %extend poldiff_stats_t {
+ 	poldiff_stats_t() {
+ 		poldiff_stats_t *s;
+@@ -336,17 +336,17 @@
+ %typemap(in) apol_policy_t *op {
+ 	void *x = NULL;
+ 	Py_IncRef($input);
+-	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_policy, 0 |  0 );
++	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_policy_t, 0 |  0 );
+ 	$1 = (apol_policy_t*)x;
+ }
+ %typemap(in) apol_policy_t *mp {
+ 	void *x = NULL;
+ 	Py_IncRef($input);
+-	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_policy, 0 |  0 );
++	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_policy_t, 0 |  0 );
+ 	$1 = (apol_policy_t*)x;
+ }
+ #endif
+-typedef struct poldiff {} poldiff_t;
++typedef struct {} poldiff_t;
+ %extend poldiff_t {
+ 	poldiff_t(apol_policy_t *op, apol_policy_t *mp) {
+ 		poldiff_t *p;
+@@ -476,7 +476,7 @@
+ };
+ 
+ /* attribute diff */
+-typedef struct poldiff_attrib {} poldiff_attrib_t;
++typedef struct {} poldiff_attrib_t;
+ %extend poldiff_attrib_t {
+    poldiff_attrib_t () {
+       BEGIN_EXCEPTION
+@@ -521,7 +521,7 @@
+ %}
+ 
+ /* av rule diff */
+-typedef struct poldiff_avrule {} poldiff_avrule_t;
++typedef struct {} poldiff_avrule_t;
+ %extend poldiff_avrule_t {
+    poldiff_avrule_t() {
+       BEGIN_EXCEPTION
+@@ -629,7 +629,7 @@
+ %}
+ 
+ /* boolean diff */
+-typedef struct poldiff_bool {} poldiff_bool_t;
++typedef struct {} poldiff_bool_t;
+ %extend poldiff_bool_t {
+ 	poldiff_bool_t() {
+       BEGIN_EXCEPTION
+@@ -668,7 +668,7 @@
+ %}
+ 
+ /* category diff */
+-typedef struct poldiff_cat {} poldiff_cat_t;
++typedef struct {} poldiff_cat_t;
+ %extend poldiff_cat_t {
+ 	poldiff_cat_t() {
+       BEGIN_EXCEPTION
+@@ -707,7 +707,7 @@
+ %}
+ 
+ /* class diff */
+-typedef struct poldiff_class {} poldiff_class_t;
++typedef struct {} poldiff_class_t;
+ %extend poldiff_class_t {
+ 	poldiff_class_t() {
+       BEGIN_EXCEPTION
+@@ -752,7 +752,7 @@
+ %}
+ 
+ /* common diff */
+-typedef struct poldiff_common {} poldiff_common_t;
++typedef struct {} poldiff_common_t;
+ %extend poldiff_common_t {
+ 	poldiff_common_t() {
+       BEGIN_EXCEPTION
+@@ -797,7 +797,7 @@
+ %}
+ 
+ /* level diff */
+-typedef struct poldiff_level {} poldiff_level_t;
++typedef struct {} poldiff_level_t;
+ %extend poldiff_level_t {
+ 	poldiff_level_t() {
+       BEGIN_EXCEPTION
+@@ -857,7 +857,7 @@
+ %}
+ 
+ /* range diff */
+-typedef struct poldiff_range {} poldiff_range_t;
++typedef struct {} poldiff_range_t;
+ %extend poldiff_range_t {
+ 	poldiff_range_t() {
+       BEGIN_EXCEPTION
+@@ -908,7 +908,7 @@
+ %}
+ 
+ /* range_transition rule diff */
+-typedef struct poldiff_range_trans {} poldiff_range_trans_t;
++typedef struct {} poldiff_range_trans_t;
+ %extend poldiff_range_trans_t {
+ 	poldiff_range_trans_t() {
+       BEGIN_EXCEPTION
+@@ -956,7 +956,7 @@
+ %}
+ 
+ /* role allow rule diff */
+-typedef struct poldiff_role_allow {} poldiff_role_allow_t;
++typedef struct {} poldiff_role_allow_t;
+ %extend poldiff_role_allow_t {
+ 	poldiff_role_allow_t() {
+       BEGIN_EXCEPTION
+@@ -1004,7 +1004,7 @@
+ %}
+ 
+ /* role_transition rule diff */
+-typedef struct poldiff_role_trans {} poldiff_role_trans_t;
++typedef struct {} poldiff_role_trans_t;
+ %extend poldiff_role_trans_t {
+ 	poldiff_role_trans_t() {
+       BEGIN_EXCEPTION
+@@ -1052,7 +1052,7 @@
+ %}
+ 
+ /* role diff */
+-typedef struct poldiff_role {} poldiff_role_t;
++typedef struct {} poldiff_role_t;
+ %extend poldiff_role_t {
+ 	poldiff_role_t() {
+       BEGIN_EXCEPTION
+@@ -1097,7 +1097,7 @@
+ %}
+ 
+ /* te rule diff */
+-typedef struct poldiff_terule {} poldiff_terule_t;
++typedef struct {} poldiff_terule_t;
+ %extend poldiff_terule_t {
+ 	poldiff_terule_t() {
+       BEGIN_EXCEPTION
+@@ -1178,7 +1178,7 @@
+ %}
+ 
+ /* type diff */
+-typedef struct poldiff_type {} poldiff_type_t;
++typedef struct {} poldiff_type_t;
+ %extend poldiff_type_t {
+ 	poldiff_type_t() {
+       BEGIN_EXCEPTION
+@@ -1223,7 +1223,7 @@
+ %}
+ 
+ /* user diff */
+-typedef struct poldiff_user {} poldiff_user_t;
++typedef struct {} poldiff_user_t;
+ %extend poldiff_user_t {
+ 	poldiff_user_t() {
+       BEGIN_EXCEPTION
+@@ -1280,7 +1280,7 @@
+ %}
+ 
+ /* type remap */
+-typedef struct poldiff_type_remap_entry {} poldiff_type_remap_entry_t;
++typedef struct {} poldiff_type_remap_entry_t;
+ %extend poldiff_type_remap_entry_t {
+ 	poldiff_type_remap_entry_t() {
+       BEGIN_EXCEPTION
+--- a/libseaudit/swig/seaudit.i	2007-10-31 16:03:33.000000000 -0500
++++ b/libseaudit/swig/seaudit.i	2012-08-29 08:11:39.000000000 -0500
+@@ -240,7 +240,7 @@
+ %{
+ 	typedef struct tm tm_t;
+ %}
+-typedef struct tm {
++typedef struct {
+ 	int tm_sec;   /* seconds */
+ 	int tm_min;   /* minutes */
+ 	int tm_hour;  /* hours */
+@@ -278,7 +278,7 @@
+ 	SEAUDIT_LOG_TYPE_SYSLOG,
+ 	SEAUDIT_LOG_TYPE_AUDITD
+ } seaudit_log_type_e;
+-typedef struct seaudit_log {} seaudit_log_t;
++typedef struct {} seaudit_log_t;
+ %extend seaudit_log_t {
+ 	seaudit_log_t() {
+ 		seaudit_log_t *slog;
+@@ -355,7 +355,7 @@
+ 	SEAUDIT_MESSAGE_TYPE_AVC,
+ 	SEAUDIT_MESSAGE_TYPE_LOAD
+ } seaudit_message_type_e;
+-typedef struct seaudit_message {} seaudit_message_t;
++typedef struct {} seaudit_message_t;
+ %extend seaudit_message_t {
+ 	seaudit_message_t() {
+ 		BEGIN_EXCEPTION
+@@ -427,7 +427,7 @@
+ %}
+ 
+ /* seaudit load message */
+-typedef struct seaudit_load_message {} seaudit_load_message_t;
++typedef struct {} seaudit_load_message_t;
+ %extend seaudit_load_message_t {
+ 	seaudit_load_message_t() {
+ 		BEGIN_EXCEPTION
+@@ -448,7 +448,7 @@
+ %}
+ 
+ /* seaudit bool message */
+-typedef struct seaudit_bool_message {} seaudit_bool_message_t;
++typedef struct {} seaudit_bool_message_t;
+ %extend seaudit_bool_message_t {
+ 	seaudit_bool_message_t(void *msg) {
+ 		BEGIN_EXCEPTION
+@@ -475,7 +475,7 @@
+ 	SEAUDIT_AVC_DENIED,
+ 	SEAUDIT_AVC_GRANTED
+ } seaudit_avc_message_type_e;
+-typedef struct seaudit_avc_message {} seaudit_avc_message_t;
++typedef struct {} seaudit_avc_message_t;
+ %extend seaudit_avc_message_t {
+ 	seaudit_avc_message_t() {
+ 		BEGIN_EXCEPTION
+@@ -606,7 +606,7 @@
+ 	SEAUDIT_FILTER_DATE_MATCH_AFTER,
+ 	SEAUDIT_FILTER_DATE_MATCH_BETWEEN
+ } seaudit_filter_date_match_e;
+-typedef struct seaudit_filter {} seaudit_filter_t;
++typedef struct {} seaudit_filter_t;
+ %extend seaudit_filter_t {
+ 	seaudit_filter_t(char *name = NULL) {
+ 		seaudit_filter_t *sf = NULL;
+@@ -1012,7 +1012,7 @@
+ %}
+ 
+ /* seaudit sort */
+-typedef struct seaudit_sort {} seaudit_sort_t;
++typedef struct {} seaudit_sort_t;
+ %extend seaudit_sort_t {
+ 	seaudit_sort_t() {
+ 		BEGIN_EXCEPTION
+@@ -1101,17 +1101,17 @@
+ %typemap(in) seaudit_filter_t *filter {
+ 	void *x = NULL;
+ 	Py_IncRef($input);
+-	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_seaudit_filter, 0 |  0 );
++	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_seaudit_filter_t, 0 |  0 );
+ 	$1 = (seaudit_filter_t*)x;
+ }
+ %typemap(in) seaudit_sort_t *ssort {
+ 	void *x = NULL;
+ 	Py_IncRef($input);
+-	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_seaudit_sort, 0 |  0 );
++	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_seaudit_sort_t, 0 |  0 );
+ 	$1 = (seaudit_sort_t*)x;
+ }
+ #endif
+-typedef struct seaudit_model {} seaudit_model_t;
++typedef struct {} seaudit_model_t;
+ %extend seaudit_model_t {
+ 	seaudit_model_t(char *name = NULL, seaudit_log_t *slog = NULL) {
+ 		seaudit_model_t *smod;
+@@ -1309,7 +1309,7 @@
+ 	SEAUDIT_REPORT_FORMAT_TEXT,
+ 	SEAUDIT_REPORT_FORMAT_HTML
+ } seaudit_report_format_e;
+-typedef struct seaudit_report {} seaudit_report_t;
++typedef struct {} seaudit_report_t;
+ %extend seaudit_report_t {
+ 	seaudit_report_t(seaudit_model_t *m) {
+ 		seaudit_report_t *sr;
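Review bot: In the libqpol/swig/qpol.i hunk at line 310, qpol_policy_t becomes an anonymous struct, but the unchanged context line right after it still declares the callback parameter as `struct qpol_policy * policy`, so the SWIG declaration above it no longer carries the tag that line names. Either spell the parameter `qpol_policy_t *` or explain why the tag is still valid there. The same question applies in libseaudit/swig/seaudit.i, where `typedef struct tm {` loses its tag while the `%{ ... %}` block just above keeps `typedef struct tm tm_t;`, and in libpoldiff/swig/poldiff.i, where the change also reaches into the `%{ ... %}` C block (`typedef struct poldiff_stats {`) rather than only the SWIG-facing declaration. The typemaps renamed to `SWIGTYPE_p_apol_policy_t`, `SWIGTYPE_p_seaudit_filter_t` and `SWIGTYPE_p_seaudit_sort_t` still ignore the return value of SWIG_ConvertPtr, so a failed conversion leaves x at its initial NULL and the cast proceeds silently; a check would be worth adding while these lines are being touched.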
diff --git a/package/setools/setools.mk b/package/setools/setools.mk
new file mode 100644
index 0000000..ee3d73b
--- /dev/null
+++ b/package/setools/setools.mk
@@ -0,0 +1,85 @@
+################################################################################
+#
+# setools
+#
+################################################################################
+
+SETOOLS_VERSION = 3.3.8
+SETOOLS_SOURCE = setools-$(SETOOLS_VERSION).tar.bz2
+SETOOLS_SITE = http://oss.tresys.com/projects/setools/chrome/site/dists/setools-$(SETOOLS_VERSION)/
+SETOOLS_DEPENDENCIES = libselinux sqlite libxml2 bzip2
+
+SETOOLS_INSTALL_STAGING = YES
+
+SETOOLS_AUTORECONF = YES
+SETOOLS_AUTORECONF_OPT = -i -s
+
+# Notes: Need "disable-selinux-check" so the configure does not check to see if host has
+#        selinux enabled.
+SETOOLS_CONF_OPT = \
+	--disable-debug \
+	--disable-gui \
+	--disable-bwidget-check \
+	--disable-selinux-check \
+	--disable-swig-java \
+	--disable-swig-python \
+	--disable-swig-tcl \
+	--with-sepol-devel="$(STAGING_DIR)/usr" \
+	--with-selinux-devel="$(STAGING_DIR)/usr" \
+
+ifeq ($(BR2_PACKAGE_PYTHON),y)
+	SETOOLS_DEPENDENCIES += python host-python host-swig 
+	SETOOLS_CONF_ENV += am_cv_pathless_PYTHON=python \
+		ac_cv_path_PYTHON=$(HOST_DIR)/usr/bin/python \
+		am_cv_python_version=$(PYTHON_VERSION) \
+		am_cv_python_platform=linux2 \
+		am_cv_python_pythondir=$(STAGING_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages \
+		am_cv_python_pyexecdir=$(STAGING_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages \
+		am_cv_python_includes=-I$(STAGING_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)
+	SETOOLS_CONF_OPT += \
+		--enable-swig-python \
+		PYTHON_CPPFLAGS="-I$(STAGING_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)" \
+		PYTHON_LDFLAGS="-L$(STAGING_DIR)/usr/lib/" \
+		PYTHON_SITE_PKG="$(STAGING_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages" \
+		PYTHON_EXTRA_LIBS="-lpthread -ldl -lutil -lpython$(PYTHON_VERSION_MAJOR)"
+endif
+
+HOST_SETOOLS_DEPENDENCIES = host-libselinux host-libsepol host-sqlite \
+	host-libxml2 host-bzip2
+
+HOST_SETOOLS_AUTORECONF = YES
+HOST_SETOOLS_AUTORECONF_OPT = -i -s
+
+# Notes: Need "disable-selinux-check" so the configure does not check to see if host has
+#        selinux enabled.
+HOST_SETOOLS_CONF_OPT = \
+	--disable-debug \
+	--disable-gui \
+	--disable-bwidget-check \
+	--disable-selinux-check \
+	--disable-swig-java \
+	--disable-swig-python \
+	--disable-swig-tcl \
+	--with-sepol-devel="$(HOST_DIR)/usr" \
+	--with-selinux-devel="$(HOST_DIR)/usr" \
+
+ifeq ($(BR2_PACKAGE_PYTHON),y)
+	HOST_SETOOLS_DEPENDENCIES += host-python host-swig 
+	HOST_SETOOLS_CONF_ENV += \
+		am_cv_pathless_PYTHON=python \
+		ac_cv_path_PYTHON=$(HOST_DIR)/usr/bin/python \
+		am_cv_python_version=$(PYTHON_VERSION) \
+		am_cv_python_platform=linux2 \
+		am_cv_python_pythondir=$(HOST_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages \
+		am_cv_python_pyexecdir=$(HOST_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages \
+		am_cv_python_includes=-I$(HOST_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)
+	HOST_SETOOLS_CONF_OPT += \
+		--enable-swig-python \
+		PYTHON_CPPFLAGS="-I$(HOST_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)" \
+		PYTHON_LDFLAGS="-L$(HOST_DIR)/usr/lib/" \
+		PYTHON_SITE_PKG="$(HOST_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages" \
+		PYTHON_EXTRA_LIBS="-lpthread -ldl -lutil -lpython$(PYTHON_VERSION_MAJOR)"
+endif
+
+$(eval $(autotools-package))
+$(eval $(host-autotools-package))
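Review bot: The host block near the end is guarded by `ifeq ($(BR2_PACKAGE_PYTHON),y)`, which is the target Python option, so whether host-setools gets `--enable-swig-python` and the host-python/host-swig dependencies is decided by a target package selection. If that is intended, a comment should say so; otherwise the host variant needs its own condition. In both the target and host cases the Python branch appends `--enable-swig-python` after the `--disable-swig-python` already in the base option list, so configure receives both; moving the disable into an else branch would be clearer. Smaller points: `SETOOLS_CONF_OPT` and `HOST_SETOOLS_CONF_OPT` each end with a trailing backslash before a blank line, there is trailing whitespace after `host-swig` in both dependency lines, the file sets no `SETOOLS_LICENSE` or `SETOOLS_LICENSE_FILES` (libcgroup.mk in this series does), and `SETOOLS_SITE` fetches the tarball over plain http.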
-- 
1.7.1


* [Buildroot] [PATCH v3 10/16] libcgroup: new package
  2013-09-25 19:32 [Buildroot] [PATCH v3 00/16] SELinux Buildroot Additions Clayton Shotwell
                   ` (8 preceding siblings ...)
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 09/16] setools: new package Clayton Shotwell
@ 2013-09-25 19:32 ` Clayton Shotwell
  2013-10-01 19:48   ` Thomas Petazzoni
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 11/16] python-pyparsing: Add host build option Clayton Shotwell
                   ` (6 subsequent siblings)
  16 siblings, 1 reply; 22+ messages in thread
From: Clayton Shotwell @ 2013-09-25 19:32 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v2 -> v3:
  - No changes.
Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format.
  - Corrected the license version and license file to be correct.
  - Cleaned up the configure options to enable options for static
    libraries and linux-pam if they are selected in the configuration.

 package/Config.in              |    1 +
 package/libcgroup/Config.in    |    4 ++++
 package/libcgroup/libcgroup.mk |   38 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 43 insertions(+), 0 deletions(-)
 create mode 100644 package/libcgroup/Config.in
 create mode 100644 package/libcgroup/libcgroup.mk

diff --git a/package/Config.in b/package/Config.in
index a85cbdd..0a18d8d 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -659,6 +659,7 @@ source "package/libatomic_ops/Config.in"
 source "package/libbsd/Config.in"
 source "package/libcap/Config.in"
 source "package/libcap-ng/Config.in"
+source "package/libcgroup/Config.in"
 source "package/libdaemon/Config.in"
 source "package/libelf/Config.in"
 source "package/libevent/Config.in"
diff --git a/package/libcgroup/Config.in b/package/libcgroup/Config.in
new file mode 100644
index 0000000..17d2db2
--- /dev/null
+++ b/package/libcgroup/Config.in
@@ -0,0 +1,4 @@
+config BR2_PACKAGE_LIBCGROUP
+	bool "libcgroup"
+	help
+	  libcgroup is a library that abstracts the control group file system in Linux. 
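Review bot: The single help line is longer than the usual Config.in wrap width, ends in trailing whitespace, and gives no upstream URL. Wrap it, strip the trailing space, and add an empty line followed by the project URL, as the audit Config.in in this series does.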
diff --git a/package/libcgroup/libcgroup.mk b/package/libcgroup/libcgroup.mk
new file mode 100644
index 0000000..06f1e60
--- /dev/null
+++ b/package/libcgroup/libcgroup.mk
@@ -0,0 +1,38 @@
+################################################################################
+#
+# libcgroup
+#
+################################################################################
+
+LIBCGROUP_VERSION = 0.38
+LIBCGROUP_SOURCE = libcgroup-$(LIBCGROUP_VERSION).tar.bz2
+LIBCGROUP_SITE = http://sourceforge.net/projects/libcg/files/latest/download
+LIBCGROUP_LICENSE = LGPLv2.1
+LIBCGROUP_LICENSE_FILES = COPYING
+
+LIBCGROUP_INSTALL_STAGING = YES
+
+# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h 
+# large file support. See https://bugzilla.redhat.com/show_bug.cgi?id=574992 
+# for more information.
+LIBCGROUP_CONF_ENV = \
+	CXXFLAGS+="-U_FILE_OFFSET_BITS" \
+	CFLAGS+="-U_FILE_OFFSET_BITS"
+
+LIBCGROUP_CONF_OPT = \
+	--disable-tools \
+	--disable-daemon \
+	--disable-initscript-install
+
+ifeq ($(BR2_PREFER_STATIC_LIB),y)
+	LIBCGROUP_CONF_OPT += --enable-static --disable-shared
+endif
+
+ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
+	LIBCGROUP_DEPENDENCIES += linux-pam
+	LIBCGROUP_CONF_OPT += --enable-pam
+else
+	LIBCGROUP_CONF_OPT += --disable-pam
+endif
+
+$(eval $(autotools-package))
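Review bot: `LIBCGROUP_SITE` points at `http://sourceforge.net/projects/libcg/files/latest/download`, a "latest" redirect that is not tied to `LIBCGROUP_VERSION = 0.38`, so the download location is not pinned to the version this file declares and can stop matching once upstream releases again; use the versioned release directory for 0.38 instead. In `LIBCGROUP_CONF_ENV`, `CFLAGS+="-U_FILE_OFFSET_BITS"` relies on `+=` being accepted as an environment assignment in front of configure and does not show that the target flags are preserved; writing `CFLAGS="$(TARGET_CFLAGS) -U_FILE_OFFSET_BITS"` (and the same for CXXFLAGS) makes that explicit. There is also trailing whitespace on two lines of the comment above it.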
-- 
1.7.1


* [Buildroot] [PATCH v3 11/16] python-pyparsing: Add host build option
  2013-09-25 19:32 [Buildroot] [PATCH v3 00/16] SELinux Buildroot Additions Clayton Shotwell
                   ` (9 preceding siblings ...)
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 10/16] libcgroup: " Clayton Shotwell
@ 2013-09-25 19:32 ` Clayton Shotwell
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 12/16] audit: new package Clayton Shotwell
                   ` (5 subsequent siblings)
  16 siblings, 0 replies; 22+ messages in thread
From: Clayton Shotwell @ 2013-09-25 19:32 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v2 -> v3:
  - Changed order of patch to correct dependency issue (suggested by Thomas).
Changes v1 -> v2:
  - No changes.

 package/python-pyparsing/python-pyparsing.mk |   47 ++++++++++++++++++-------
 1 files changed, 34 insertions(+), 13 deletions(-)

diff --git a/package/python-pyparsing/python-pyparsing.mk b/package/python-pyparsing/python-pyparsing.mk
index 7814ce3..b6ba40d 100644
--- a/package/python-pyparsing/python-pyparsing.mk
+++ b/package/python-pyparsing/python-pyparsing.mk
@@ -14,25 +14,46 @@ PYTHON_PYPARSING_DEPENDENCIES    = python
 
 # Shamelessly vampirised from python-pygame ;-)
 define PYTHON_PYPARSING_BUILD_CMDS
-	(cd $(@D);                                              \
-	 CC="$(TARGET_CC)"                                      \
-	 CFLAGS="$(TARGET_CFLAGS)"                              \
-	 LDSHARED="$(TARGET_CROSS)gcc -shared"                  \
-	 CROSS_COMPILING=yes                                    \
-	 _python_sysroot=$(STAGING_DIR)                         \
-	 _python_srcdir=$(BUILD_DIR)/python$(PYTHON_VERSION)    \
-	 _python_prefix=/usr                                    \
-	 _python_exec_prefix=/usr                               \
-	 $(HOST_DIR)/usr/bin/python setup.py build              \
+	(cd $(@D); \
+		CC="$(TARGET_CC)" \
+		CFLAGS="$(TARGET_CFLAGS)" \
+		LDSHARED="$(TARGET_CROSS)gcc -shared" \
+		CROSS_COMPILING=yes \
+		_python_sysroot=$(STAGING_DIR) \
+		_python_srcdir=$(BUILD_DIR)/python$(PYTHON_VERSION) \
+		_python_prefix=/usr \
+		_python_exec_prefix=/usr \
+		$(HOST_DIR)/usr/bin/python setup.py build \
 	)
 endef
 
 # Shamelessly vampirised from python-pygame ;-)
 define PYTHON_PYPARSING_INSTALL_TARGET_CMDS
-	(cd $(@D);                                              \
-	 $(HOST_DIR)/usr/bin/python setup.py install            \
-	                            --prefix=$(TARGET_DIR)/usr  \
+	(cd $(@D); \
+		$(HOST_DIR)/usr/bin/python setup.py install \
+		--prefix=$(TARGET_DIR)/usr \
+	)
+endef
+
+HOST_PYTHON_PYPARSING_DEPENDENCIES = host-python
+
+define HOST_PYTHON_PYPARSING_BUILD_CMDS
+	(cd $(@D); \
+		_python_sysroot=$(HOST_DIR) \
+		_python_srcdir=$(BUILD_DIR)/host-python$(PYTHON_VERSION) \
+		_python_prefix=/usr \
+		_python_exec_prefix=/usr \
+		$(HOST_DIR)/usr/bin/python setup.py build \
+	)
+endef
+
+define HOST_PYTHON_PYPARSING_INSTALL_CMDS
+	(cd $(@D); \
+		$(HOST_DIR)/usr/bin/python setup.py install \
+		--prefix=$(HOST_DIR)/usr \
 	)
 endef
 
 $(eval $(generic-package))
+$(eval $(host-generic-package))
+
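Review bot: The first half of this hunk only re-indents the existing target build and install commands, which buries the functional change (the new HOST_ variables and `$(eval $(host-generic-package))`); split the whitespace cleanup into its own patch or drop it. `HOST_PYTHON_PYPARSING_BUILD_CMDS` carries over `_python_sysroot`, `_python_srcdir`, `_python_prefix` and `_python_exec_prefix` from the cross-compile recipe; if the host build needs them, a comment should say why, otherwise they can go. The hunk also adds a blank line at the end of the file after the last eval.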
-- 
1.7.1


* [Buildroot] [PATCH v3 12/16] audit: new package
  2013-09-25 19:32 [Buildroot] [PATCH v3 00/16] SELinux Buildroot Additions Clayton Shotwell
                   ` (10 preceding siblings ...)
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 11/16] python-pyparsing: Add host build option Clayton Shotwell
@ 2013-09-25 19:32 ` Clayton Shotwell
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 13/16] policycoreutils: " Clayton Shotwell
                   ` (4 subsequent siblings)
  16 siblings, 0 replies; 22+ messages in thread
From: Clayton Shotwell @ 2013-09-25 19:32 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v2 -> v3:
  - Changed order of patch to correct dependency issue (suggested by Thomas).
  - Changed patch naming convention (suggested by Thomas).
  - Added upstream submission link for patch (suggested by Thomas).
Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format.
  - Fixed the patch naming to avoid using the version number.
  - Cleaned up the patch to include a signed-off-by line.
  - Changed the original Python select in the Config.in to be a check 
    in the mk file.

 package/Config.in                                  |    1 +
 package/audit/Config.in                            |   10 +
 package/audit/S14auditd                            |  172 +++
 ...it-0001-cross-compile-header-creation-fix.patch | 1424 ++++++++++++++++++++
 package/audit/audit-0002-remove-zos-plugin.patch   |   35 +
 package/audit/audit.mk                             |   58 +
 6 files changed, 1700 insertions(+), 0 deletions(-)
 create mode 100644 package/audit/Config.in
 create mode 100755 package/audit/S14auditd
 create mode 100644 package/audit/audit-0001-cross-compile-header-creation-fix.patch
 create mode 100644 package/audit/audit-0002-remove-zos-plugin.patch
 create mode 100644 package/audit/audit.mk

diff --git a/package/Config.in b/package/Config.in
index 0a18d8d..e551c42 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -949,6 +949,7 @@ endmenu
 menu "System tools"
 source "package/acl/Config.in"
 source "package/attr/Config.in"
+source "package/audit/Config.in"
 if BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
 source "package/bootutils/Config.in"
 endif
diff --git a/package/audit/Config.in b/package/audit/Config.in
new file mode 100644
index 0000000..4766c10
--- /dev/null
+++ b/package/audit/Config.in
@@ -0,0 +1,10 @@
+config BR2_PACKAGE_AUDIT
+	bool "audit"
+	help
+	  The audit package contains the user space utilities for
+	  storing and searching the audit records generate by
+	  the audit subsystem in the Linux 2.6 kernel
+	  
+	  Note: The z/OS remote plugin is disabled in this package
+	  
+	  http://people.redhat.com/sgrubb/audit/
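Review bot: The help text reads "audit records generate by the audit subsystem", which should be "generated by", and the sentence and the z/OS note both lack a final period. The two separator lines inside the help block contain a tab and two spaces rather than being empty, so they add trailing whitespace.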
diff --git a/package/audit/S14auditd b/package/audit/S14auditd
new file mode 100755
index 0000000..74a6249
--- /dev/null
+++ b/package/audit/S14auditd
@@ -0,0 +1,172 @@
+#!/bin/bash
+#
+# auditd        This starts and stops auditd
+#
+# description: This starts the Linux Auditing System Daemon, \
+#              which collects security related events in a dedicated \
+#              audit log. If this daemon is turned off, audit events \
+#              will be sent to syslog.
+#
+# processname: /sbin/auditd
+# config: /etc/sysconfig/auditd
+# config: /etc/audit/auditd.conf
+# pidfile: /var/run/auditd.pid
+#
+# Return values according to LSB for all commands but status:
+# 0 - success
+# 1 - generic or unspecified error
+# 3 - unimplemented feature (e.g. "reload")
+# 4 - insufficient privilege
+# 5 - program is not installed
+# 6 - program is not configured
+# 7 - program is not running
+#
+prog="auditd"
+
+# Check that we are root ... so non-root users stop here
+test $EUID=0  ||  exit 4
+
+# Check config
+test -f /etc/sysconfig/auditd && . /etc/sysconfig/auditd
+
+RETVAL=0
+LOCK=/var/lock/subsys/auditd
+
+start(){
+   echo -n "Initializing $prog: "
+
+   if [ ! -e $LOCK ]; then
+      test -x /sbin/auditd  || exit 5
+      test -f /etc/audit/auditd.conf  || exit 6
+   
+      # Create dir to store log files in if one doesn't exist
+      test -d /var/log/audit || mkdir -p /var/log/audit && /sbin/restorecon /var/log/audit
+   
+      # Run audit daemon executable
+      $prog
+      RETVAL=$?
+      if test $RETVAL = 0 ; then
+         test -d /var/lock/subsys || mkdir -p /var/lock/subsys
+         touch $LOCK
+         # Load the default rules
+         test -f /etc/audit/audit.rules && /sbin/auditctl -R /etc/audit/audit.rules >/dev/null
+         echo "OK"
+      else
+         echo "FAILED: auditd failed to start"
+      fi
+   else
+      echo "FAILED: auditd already started, stop first"
+      RETVAL=1
+   fi
+   return $RETVAL
+}
+
+stop(){
+   echo -n "Uninitializing $prog: "
+   if [ -e $LOCK ]; then
+      killall -TERM $prog
+      RETVAL=$?
+      if [ $RETVAL ]; then
+         rm -f $LOCK
+         # Remove watches so shutdown works cleanly
+         if test x"$AUDITD_CLEAN_STOP" != "x" ; then
+            if test "`echo $AUDITD_CLEAN_STOP | tr 'NO' 'no'`" != "no"
+            then
+               /sbin/auditctl -D >/dev/null
+            fi
+         fi
+         if test x"$AUDITD_STOP_DISABLE" != "x" ; then
+            if test "`echo $AUDITD_STOP_DISABLE | tr 'NO' 'no'`" != "no"
+            then
+               /sbin/auditctl -e 0 >/dev/null
+            fi
+         fi
+         echo "OK"
+      else
+         echo "FAILED: auditd not stopped"
+      fi
+   else
+      echo "FAILED: auditd not started"
+      RETVAL=1
+   fi
+   return $RETVAL
+}
+
+reload(){
+   echo -n "Reloading auditd configuration: "
+   if [ -e $LOCK ]; then
+      test -f /etc/audit/auditd.conf  || exit 6
+      echo -n "Reloading configuration: " 
+      killall -HUP $prog
+      RETVAL=$?
+      if [ $RETVAL ]; then
+         echo "OK"
+      else
+         echo "FAILED"
+      fi
+   else
+      echo "FAILED: auditd not started"
+      RETVAL=1
+   fi
+   return $RETVAL
+}
+
+rotate(){
+   echo -n "Rotating auditd logs: "  
+   if [ -e $LOCK ]; then
+      killall -USR1 $prog
+      RETVAL=$?
+      if [ $RETVAL ]; then
+         echo "OK"
+      else
+         echo "FAILED"
+      fi
+   else
+      echo "FAILED: auditd not started"
+      RETVAL=1
+   fi
+   return $RETVAL
+}
+
+restart(){
+   test -f /etc/audit/auditd.conf  || exit 6
+   stop
+   start
+   return $RETVAL
+}
+
+condrestart(){
+   [ -e $LOCK ] && restart
+   return 0
+}
+
+# See how we were called.
+case "$1" in
+   start)
+      start
+      ;;
+   stop)
+      stop
+      ;;
+   restart)
+      restart
+      ;;
+   reload)
+      reload
+      ;;
+   rotate)
+      rotate
+      ;;
+   resume)
+      resume
+      ;;
+   condrestart)
+      condrestart
+      ;;
+   *)
+      echo "Usage: $0 {start|stop|restart|condrestart|reload|rotate}"
+      RETVAL=3
+      ;;
+esac
+
+exit $RETVAL
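Review bot: The root check near the top, test $EUID=0 || exit 4, never fails: without spaces around the "=" the shell passes test a single non-empty word, which is always true, so non-root callers are not stopped with exit 4. Something like [ "$(id -u)" -eq 0 ] || exit 4 does what the comment says and also removes the dependency on the bash-only EUID variable, which matters because the script is declared #!/bin/bash and bash may not be on the target. The same kind of always-true test appears as if [ $RETVAL ]; then in stop(), reload() and rotate(): RETVAL is never empty, so the FAILED branches are unreachable, and stop() removes the lock file and may run auditctl -D and auditctl -e 0 even when killall reported an error. Use [ $RETVAL -eq 0 ] there. Finally, the case statement has a resume) entry that calls a resume function the script never defines, and the usage line does not list it; either add the function or drop the entry.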
diff --git a/package/audit/audit-0001-cross-compile-header-creation-fix.patch b/package/audit/audit-0001-cross-compile-header-creation-fix.patch
new file mode 100644
index 0000000..78df6ee
--- /dev/null
+++ b/package/audit/audit-0001-cross-compile-header-creation-fix.patch
@@ -0,0 +1,1424 @@
+Rework the build system to generate the required header files using a 
+Python script rather than compiling executables.  This change has
+to be made because the executables that are generated are built for
+the target architecture and are generally not compilable on the host
+build machine.  
+
+The code has been submitted to the audit maintainers for review.
+The first of three patches can be seen at the following link.
+https://www.redhat.com/archives/linux-audit/2013-August/msg00043.html
+
+Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
+
+diff -urN a/configure.ac b/configure.ac
+--- a/configure.ac	2013-07-29 16:37:01.000000000 -0500
++++ b/configure.ac	2013-08-21 13:29:55.760585744 -0500
+@@ -51,11 +51,14 @@
+ AC_PROG_CC
+ AC_PROG_INSTALL
+ AC_PROG_AWK
++AM_PATH_PYTHON
++AC_PYTHON_MODULE(pyparsing, 1)
+ 
+ echo .
+ echo Checking for header files
+ AC_HEADER_STDC
+ AC_HEADER_TIME
++AC_CHECK_HEADER([Python.h])
+ 
+ AC_C_CONST
+ AC_C_INLINE
+@@ -89,14 +92,13 @@
+ 	AC_MSG_RESULT(no)
+ else
+ AC_MSG_RESULT(testing)
+-AM_PATH_PYTHON
+-if test -f /usr/include/python${am_cv_python_version}/Python.h ; then
++if test x$ac_cv_header_Python_h != x ; then
+ 	python_found="yes"
+ 	AC_MSG_NOTICE(Python bindings will be built)
+ else
+ 	python_found="no"
+ 	if test x$use_python = xyes ; then
+-		AC_MSG_ERROR([Python explicitly required and python headers found])
++		AC_MSG_ERROR([Python explicitly required and python headers not found])
+ 	else
+ 		AC_MSG_WARN("Python headers not found - python bindings will not be made")
+ 	fi
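Review bot: The new condition test x$ac_cv_header_Python_h != x is true whether or not the header exists, because AC_CHECK_HEADER([Python.h]) always sets that cache variable to either "yes" or "no", so it is never empty. As written, python_found is always "yes", the bindings are configured even when Python.h is missing, and the corrected "headers not found" error message can never be reached. Compare against the positive result instead: test x$ac_cv_header_Python_h = xyes.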
+diff -urN a/bindings/python/Makefile.am b/bindings/python/Makefile.am
+--- a/bindings/python/Makefile.am	2013-07-29 16:37:00.000000000 -0500
++++ b/bindings/python/Makefile.am	2013-09-11 08:18:41.437704969 -0500
+@@ -26,6 +26,6 @@
+ pyexec_LTLIBRARIES = auparse.la
+ 
+ auparse_la_SOURCES = auparse_python.c
+-auparse_la_CPPFLAGS = -I$(top_srcdir)/auparse $(AM_CPPFLAGS) -I/usr/include/python$(PYTHON_VERSION) -fno-strict-aliasing
++auparse_la_CPPFLAGS = -I$(top_srcdir)/auparse $(AM_CPPFLAGS) -fno-strict-aliasing
+ auparse_la_LDFLAGS = -module -avoid-version -Wl,-z,relro
+ auparse_la_LIBADD = ../../auparse/libauparse.la ../../lib/libaudit.la
+diff -urN /dev/null b/m4/ax_python_module.m4
+--- /dev/null	2013-06-19 11:25:31.230442052 -0500
++++ b/m4/ax_python_module.m4	2013-08-21 12:43:56.829882655 -0500
+@@ -0,0 +1,49 @@
++# ===========================================================================
++#     http://www.gnu.org/software/autoconf-archive/ax_python_module.html
++# ===========================================================================
++#
++# SYNOPSIS
++#
++#   AX_PYTHON_MODULE(modname[, fatal])
++#
++# DESCRIPTION
++#
++#   Checks for Python module.
++#
++#   If fatal is non-empty then absence of a module will trigger an error.
++#
++# LICENSE
++#
++#   Copyright (c) 2008 Andrew Collier
++#
++#   Copying and distribution of this file, with or without modification, are
++#   permitted in any medium without royalty provided the copyright notice
++#   and this notice are preserved. This file is offered as-is, without any
++#   warranty.
++
++#serial 6
++
++AU_ALIAS([AC_PYTHON_MODULE], [AX_PYTHON_MODULE])
++AC_DEFUN([AX_PYTHON_MODULE],[
++    if test -z $PYTHON;
++    then
++        PYTHON="python"
++    fi
++    PYTHON_NAME=`basename $PYTHON`
++    AC_MSG_CHECKING($PYTHON_NAME module: $1)
++	$PYTHON -c "import $1" 2>/dev/null
++	if test $? -eq 0;
++	then
++		AC_MSG_RESULT(yes)
++		eval AS_TR_CPP(HAVE_PYMOD_$1)=yes
++	else
++		AC_MSG_RESULT(no)
++		eval AS_TR_CPP(HAVE_PYMOD_$1)=no
++		#
++		if test -n "$2"
++		then
++			AC_MSG_ERROR(failed to find required module $1)
++			exit 1
++		fi
++	fi
++])
+diff -urN a/auparse/Makefile.am b/auparse/Makefile.am
+--- a/auparse/Makefile.am	2013-07-29 16:37:01.000000000 -0500
++++ b/auparse/Makefile.am	2013-08-19 14:37:31.230510790 -0500
+@@ -52,8 +52,8 @@
+ 	rlimittabs.h recvtabs.h schedtabs.h seccomptabs.h \
+ 	seektabs.h shm_modetabs.h signaltabs.h sockoptnametabs.h \
+ 	socktabs.h sockleveltabs.h socktypetabs.h \
+-	tcpoptnametabs.h typetabs.h umounttabs.h
+-noinst_PROGRAMS = gen_accesstabs_h gen_captabs_h gen_clock_h \
++	tcpoptnametabs.h typetabs.h umounttabs.h \
++	gen_accesstabs_h gen_captabs_h gen_clock_h \
+ 	gen_clone-flagtabs_h \
+ 	gen_epoll_ctls_h gen_famtabs_h \
+ 	gen_fcntl-cmdtabs_h gen_flagtabs_h \
+@@ -69,187 +69,184 @@
+ 	gen_socktypetabs_h gen_tcpoptnametabs_h gen_typetabs_h \
+ 	gen_umounttabs_h
+ 
+-gen_accesstabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h accesstab.h
+-gen_accesstabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="accesstab.h"'
++gen_accesstabs_h: ../lib/gen_tables.c ../lib/gen_tables.h accesstab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"accesstab.h\" -E -o $@ ../lib/gen_tables.c
+ accesstabs.h: gen_accesstabs_h Makefile
+-	./gen_accesstabs_h --i2s-transtab access > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab access gen_accesstabs_h $@
+ 
+-gen_captabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h captab.h
+-gen_captabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="captab.h"'
++gen_captabs_h: ../lib/gen_tables.c ../lib/gen_tables.h captab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"captab.h\" -E -o $@ ../lib/gen_tables.c
+ captabs.h: gen_captabs_h Makefile
+-	./gen_captabs_h --i2s cap > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s cap gen_captabs_h $@
+ 
+-gen_clock_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h clocktab.h
+-gen_clock_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="clocktab.h"'
++gen_clock_h: ../lib/gen_tables.c ../lib/gen_tables.h clocktab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"clocktab.h\" -E -o $@ ../lib/gen_tables.c
+ clocktabs.h: gen_clock_h Makefile
+-	./gen_clock_h --i2s clock > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s clock gen_clock_h $@
+ 
+-gen_clone_flagtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \
+-	clone-flagtab.h
+-gen_clone_flagtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="clone-flagtab.h"'
++gen_clone-flagtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h clone-flagtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"clone-flagtab.h\" -E -o $@ ../lib/gen_tables.c
+ clone-flagtabs.h: gen_clone-flagtabs_h Makefile
+-	./gen_clone-flagtabs_h --i2s-transtab clone_flag > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab clone_flag gen_clone-flagtabs_h $@
+ 
+-gen_epoll_ctls_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h epoll_ctl.h
+-gen_epoll_ctls_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="epoll_ctl.h"'
++gen_epoll_ctls_h: ../lib/gen_tables.c ../lib/gen_tables.h epoll_ctl.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"epoll_ctl.h\" -E -o $@ ../lib/gen_tables.c
+ epoll_ctls.h: gen_epoll_ctls_h Makefile
+-	./gen_epoll_ctls_h --i2s epoll_ctl > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s epoll_ctl gen_epoll_ctls_h $@
+ 
+-gen_famtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h famtab.h
+-gen_famtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="famtab.h"'
++gen_famtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h famtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"famtab.h\" -E -o $@ ../lib/gen_tables.c
+ famtabs.h: gen_famtabs_h Makefile
+-	./gen_famtabs_h --i2s fam > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s fam gen_famtabs_h $@
+ 
+-gen_flagtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h flagtab.h
+ # ../auparse/ is used to avoid using ../lib/flagtab.h
+-gen_flagtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="../auparse/flagtab.h"'
++gen_flagtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h ../auparse/flagtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"../auparse/flagtab.h\" -E -o $@ ../lib/gen_tables.c
+ flagtabs.h: gen_flagtabs_h Makefile
+-	./gen_flagtabs_h --i2s-transtab flag > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab flag gen_flagtabs_h $@
+ 
+-gen_fcntl_cmdtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \
+-	fcntl-cmdtab.h
+-gen_fcntl_cmdtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="fcntl-cmdtab.h"'
++gen_fcntl-cmdtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h fcntl-cmdtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"fcntl-cmdtab.h\" -E -o $@ ../lib/gen_tables.c
+ fcntl-cmdtabs.h: gen_fcntl-cmdtabs_h Makefile
+-	./gen_fcntl-cmdtabs_h --i2s fcntl > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s fcntl gen_fcntl-cmdtabs_h $@
+ 
+-gen_icmptypetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h icmptypetab.h
+-gen_icmptypetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="icmptypetab.h"'
++gen_icmptypetabs_h: ../lib/gen_tables.c ../lib/gen_tables.h icmptypetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"icmptypetab.h\" -E -o $@ ../lib/gen_tables.c
+ icmptypetabs.h: gen_icmptypetabs_h Makefile
+-	./gen_icmptypetabs_h --i2s icmptype > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s icmptype gen_icmptypetabs_h $@
+ 
+-gen_ipctabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipctab.h
+-gen_ipctabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ipctab.h"'
++gen_ipctabs_h: ../lib/gen_tables.c ../lib/gen_tables.h ipctab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ipctab.h\" -E -o $@ ../lib/gen_tables.c
+ ipctabs.h: gen_ipctabs_h Makefile
+-	./gen_ipctabs_h --i2s ipc > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s ipc gen_ipctabs_h $@
+ 
+-gen_ipccmdtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipccmdtab.h
+-gen_ipccmdtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ipccmdtab.h"'
++gen_ipccmdtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h ipccmdtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ipccmdtab.h\" -E -o $@ ../lib/gen_tables.c
+ ipccmdtabs.h: gen_ipccmdtabs_h Makefile
+-	./gen_ipccmdtabs_h --i2s-transtab ipccmd > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab ipccmd gen_ipccmdtabs_h $@
+ 
+-gen_ipoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipoptnametab.h
+-gen_ipoptnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ipoptnametab.h"'
++gen_ipoptnametabs_h: ../lib/gen_tables.c ../lib/gen_tables.h ipoptnametab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ipoptnametab.h\" -E -o $@ ../lib/gen_tables.c
+ ipoptnametabs.h: gen_ipoptnametabs_h Makefile
+-	./gen_ipoptnametabs_h --i2s ipoptname > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s ipoptname gen_ipoptnametabs_h $@
+ 
+-gen_ip6optnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ip6optnametab.h
+-gen_ip6optnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ip6optnametab.h"'
++gen_ip6optnametabs_h: ../lib/gen_tables.c ../lib/gen_tables.h ip6optnametab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ip6optnametab.h\" -E -o $@ ../lib/gen_tables.c
+ ip6optnametabs.h: gen_ip6optnametabs_h Makefile
+-	./gen_ip6optnametabs_h --i2s ip6optname > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s ip6optname gen_ip6optnametabs_h $@
+ 
+-gen_mmaptabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h mmaptab.h
+-gen_mmaptabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="mmaptab.h"'
++gen_mmaptabs_h: ../lib/gen_tables.c ../lib/gen_tables.h mmaptab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"mmaptab.h\" -E -o $@ ../lib/gen_tables.c
+ mmaptabs.h: gen_mmaptabs_h Makefile
+-	./gen_mmaptabs_h --i2s-transtab mmap > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab mmap gen_mmaptabs_h $@
+ 
+-gen_mounttabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h mounttab.h
+-gen_mounttabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="mounttab.h"'
++gen_mounttabs_h: ../lib/gen_tables.c ../lib/gen_tables.h mounttab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"mounttab.h\" -E -o $@ ../lib/gen_tables.c
+ mounttabs.h: gen_mounttabs_h Makefile
+-	./gen_mounttabs_h --i2s-transtab mount > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab mount gen_mounttabs_h $@
+ 
+-gen_nfprototabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h nfprototab.h
+-gen_nfprototabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="nfprototab.h"'
++gen_nfprototabs_h: ../lib/gen_tables.c ../lib/gen_tables.h nfprototab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"nfprototab.h\" -E -o $@ ../lib/gen_tables.c
+ nfprototabs.h: gen_nfprototabs_h Makefile
+-	./gen_nfprototabs_h --i2s nfproto > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s nfproto gen_nfprototabs_h $@
+ 
+-gen_open_flagtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \
+-	open-flagtab.h
+-gen_open_flagtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="open-flagtab.h"'
++gen_open-flagtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h open-flagtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"open-flagtab.h\" -E -o $@ ../lib/gen_tables.c
+ open-flagtabs.h: gen_open-flagtabs_h Makefile
+-	./gen_open-flagtabs_h --i2s-transtab open_flag > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab open_flag gen_open-flagtabs_h $@
+ 
+-gen_persontabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h persontab.h
+-gen_persontabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="persontab.h"'
++gen_persontabs_h: ../lib/gen_tables.c ../lib/gen_tables.h persontab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"persontab.h\" -E -o $@ ../lib/gen_tables.c
+ persontabs.h: gen_persontabs_h Makefile
+-	./gen_persontabs_h --i2s person > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s person gen_persontabs_h $@
+ 
+-gen_ptracetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ptracetab.h
+-gen_ptracetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ptracetab.h"'
++gen_ptracetabs_h: ../lib/gen_tables.c ../lib/gen_tables.h ptracetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ptracetab.h\" -E -o $@ ../lib/gen_tables.c
+ ptracetabs.h: gen_ptracetabs_h Makefile
+-	./gen_ptracetabs_h --i2s ptrace > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s ptrace gen_ptracetabs_h $@
+ 
+-gen_prctl_opttabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h prctl-opt-tab.h
+-gen_prctl_opttabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="prctl-opt-tab.h"'
++gen_prctl_opttabs_h: ../lib/gen_tables.c ../lib/gen_tables.h prctl-opt-tab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"prctl-opt-tab.h\" -E -o $@ ../lib/gen_tables.c
+ prctl_opttabs.h: gen_prctl_opttabs_h Makefile
+-	./gen_prctl_opttabs_h --i2s prctl_opt > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s prctl_opt gen_prctl_opttabs_h $@
+ 
+-gen_pktoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h pktoptnametab.h
+-gen_pktoptnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="pktoptnametab.h"'
++gen_pktoptnametabs_h: ../lib/gen_tables.c ../lib/gen_tables.h pktoptnametab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"pktoptnametab.h\" -E -o $@ ../lib/gen_tables.c
+ pktoptnametabs.h: gen_pktoptnametabs_h Makefile
+-	./gen_pktoptnametabs_h --i2s pktoptname > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s pktoptname gen_pktoptnametabs_h $@
+ 
+-gen_prottabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h prottab.h
+-gen_prottabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="prottab.h"'
++gen_prottabs_h: ../lib/gen_tables.c ../lib/gen_tables.h prottab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"prottab.h\" -E -o $@ ../lib/gen_tables.c
+ prottabs.h: gen_prottabs_h Makefile
+-	./gen_prottabs_h --i2s-transtab prot > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab prot gen_prottabs_h $@
+ 
+-gen_recvtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h recvtab.h
+-gen_recvtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="recvtab.h"'
++gen_recvtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h recvtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"recvtab.h\" -E -o $@ ../lib/gen_tables.c
+ recvtabs.h: gen_recvtabs_h Makefile
+-	./gen_recvtabs_h --i2s-transtab recv > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab recv gen_recvtabs_h $@
+ 
+-gen_rlimit_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h rlimittab.h
+-gen_rlimit_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="rlimittab.h"'
++gen_rlimit_h: ../lib/gen_tables.c ../lib/gen_tables.h rlimittab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"rlimittab.h\" -E -o $@ ../lib/gen_tables.c
+ rlimittabs.h: gen_rlimit_h Makefile
+-	./gen_rlimit_h --i2s rlimit > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s rlimit gen_rlimit_h $@
+ 
+-gen_schedtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h schedtab.h
+-gen_schedtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="schedtab.h"'
++gen_schedtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h schedtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"schedtab.h\" -E -o $@ ../lib/gen_tables.c
+ schedtabs.h: gen_schedtabs_h Makefile
+-	./gen_schedtabs_h --i2s sched > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s sched gen_schedtabs_h $@
+ 
+-gen_seccomptabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h seccomptab.h
+-gen_seccomptabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="seccomptab.h"'
++gen_seccomptabs_h: ../lib/gen_tables.c ../lib/gen_tables.h seccomptab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"seccomptab.h\" -E -o $@ ../lib/gen_tables.c
+ seccomptabs.h: gen_seccomptabs_h Makefile
+-	./gen_seccomptabs_h --i2s seccomp > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s seccomp gen_seccomptabs_h $@
+ 
+-gen_seektabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h seektab.h
+-gen_seektabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="seektab.h"'
++gen_seektabs_h: ../lib/gen_tables.c ../lib/gen_tables.h seektab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"seektab.h\" -E -o $@ ../lib/gen_tables.c
+ seektabs.h: gen_seektabs_h Makefile
+-	./gen_seektabs_h --i2s seek > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s seek gen_seektabs_h $@
+ 
+-gen_shm_modetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h shm_modetab.h
+-gen_shm_modetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="shm_modetab.h"'
++gen_shm_modetabs_h: ../lib/gen_tables.c ../lib/gen_tables.h shm_modetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"shm_modetab.h\" -E -o $@ ../lib/gen_tables.c
+ shm_modetabs.h: gen_shm_modetabs_h Makefile
+-	./gen_shm_modetabs_h --i2s-transtab shm_mode > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab shm_mode gen_shm_modetabs_h $@
+ 
+-gen_signals_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h signaltab.h
+-gen_signals_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="signaltab.h"'
++gen_signals_h: ../lib/gen_tables.c ../lib/gen_tables.h signaltab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"signaltab.h\" -E -o $@ ../lib/gen_tables.c
+ signaltabs.h: gen_signals_h Makefile
+-	./gen_signals_h --i2s signal > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s signal gen_signals_h $@
+ 
+-gen_sockleveltabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h sockleveltab.h
+-gen_sockleveltabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="sockleveltab.h"'
++gen_sockleveltabs_h: ../lib/gen_tables.c ../lib/gen_tables.h sockleveltab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"sockleveltab.h\" -E -o $@ ../lib/gen_tables.c
+ sockleveltabs.h: gen_sockleveltabs_h Makefile
+-	./gen_sockleveltabs_h --i2s socklevel > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s socklevel gen_sockleveltabs_h $@
+ 
+-gen_sockoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h sockoptnametab.h
+-gen_sockoptnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="sockoptnametab.h"'
++gen_sockoptnametabs_h: ../lib/gen_tables.c ../lib/gen_tables.h sockoptnametab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"sockoptnametab.h\" -E -o $@ ../lib/gen_tables.c
+ sockoptnametabs.h: gen_sockoptnametabs_h Makefile
+-	./gen_sockoptnametabs_h --i2s sockoptname > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s sockoptname gen_sockoptnametabs_h $@
+ 
+-gen_socktabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h socktab.h
+-gen_socktabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="socktab.h"'
++gen_socktabs_h: ../lib/gen_tables.c ../lib/gen_tables.h socktab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"socktab.h\" -E -o $@ ../lib/gen_tables.c
+ socktabs.h: gen_socktabs_h Makefile
+-	./gen_socktabs_h --i2s sock > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s sock gen_socktabs_h $@
+ 
+-gen_socktypetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h socktypetab.h
+-gen_socktypetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="socktypetab.h"'
++gen_socktypetabs_h: ../lib/gen_tables.c ../lib/gen_tables.h socktypetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"socktypetab.h\" -E -o $@ ../lib/gen_tables.c
+ socktypetabs.h: gen_socktypetabs_h Makefile
+-	./gen_socktypetabs_h --i2s sock_type > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s sock_type gen_socktypetabs_h $@
+ 
+-gen_tcpoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h tcpoptnametab.h
+-gen_tcpoptnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="tcpoptnametab.h"'
++gen_tcpoptnametabs_h: ../lib/gen_tables.c ../lib/gen_tables.h tcpoptnametab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"tcpoptnametab.h\" -E -o $@ ../lib/gen_tables.c
+ tcpoptnametabs.h: gen_tcpoptnametabs_h Makefile
+-	./gen_tcpoptnametabs_h --i2s tcpoptname > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s tcpoptname gen_tcpoptnametabs_h $@
+ 
+-gen_typetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h typetab.h
+-gen_typetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="typetab.h"'
++gen_typetabs_h: ../lib/gen_tables.c ../lib/gen_tables.h typetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"typetab.h\" -E -o $@ ../lib/gen_tables.c
+ typetabs.h: gen_typetabs_h Makefile
+-	./gen_typetabs_h --s2i type > $@
++	$(PYTHON) ../lib/gen_tables.py --s2i type gen_typetabs_h $@
+ 
+-gen_umounttabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h umounttab.h
+-gen_umounttabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="umounttab.h"'
++gen_umounttabs_h: ../lib/gen_tables.c ../lib/gen_tables.h umounttab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"umounttab.h\" -E -o $@ ../lib/gen_tables.c
+ umounttabs.h: gen_umounttabs_h Makefile
+-	./gen_umounttabs_h --i2s-transtab umount > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab umount gen_umounttabs_h $@
+ 
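Review bot: Every replacement rule in this hunk reaches the generator sources through a path relative to the build directory (../lib/gen_tables.c on the $(CC) -E lines and ../lib/gen_tables.py on the $(PYTHON) lines), so the rules only resolve when the package is built inside its source tree. Please use $(top_srcdir)/lib/gen_tables.c and $(top_srcdir)/lib/gen_tables.py so out-of-tree builds keep working. Two smaller points: the gen_*_h targets now hold preprocessor output rather than executables, so a name or suffix that says so would avoid confusion with the old noinst_PROGRAMS, and the rule pairs differ only in the table header and the --i2s/--i2s-transtab/--s2i arguments, so a pattern rule or a short macro would make this hunk far easier to review and to keep in sync with upstream.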
+diff -urN a/lib/gen_tables.c b/lib/gen_tables.c
+--- a/lib/gen_tables.c	2013-07-29 16:37:01.000000000 -0500
++++ b/lib/gen_tables.c	2013-08-19 10:09:03.060041420 -0500
+@@ -54,19 +54,6 @@
+ #define SHMGET          23
+ #define SHMCTL          24
+ 
+-
+-/* The ratio of table size to number of non-empty elements allowed for a
+-   "direct" s2i table; if the ratio would be bigger, bsearch tables are used
+-   instead.
+-
+-   2 looks like a lot at a first glance, but the bsearch tables need twice as
+-   much space per element, so with the ratio equal to 2 the direct table uses
+-   no more memory and is faster. */
+-#define DIRECT_THRESHOLD 2
+-
+-/* Allow more than one string defined for a single integer value */
+-static bool allow_duplicate_ints; /* = false; */
+-
+ struct value {
+ 	int val;
+ 	const char *s;
+@@ -83,335 +70,11 @@
+ 
+ #define NUM_VALUES (sizeof(values) / sizeof(*values))
+ 
+-/* Compare two "struct value" members by name. */
+-static int
+-cmp_value_strings(const void *xa, const void *xb)
+-{
+-	const struct value *a, *b;
+-
+-	a = xa;
+-	b = xb;
+-	return strcmp(a->s, b->s);
+-}
+-
+-/* Compare two "struct value" members by value. */
+-static int
+-cmp_value_vals(const void *xa, const void *xb)
+-{
+-	const struct value *a, *b;
+-
+-	a = xa;
+-	b = xb;
+-	if (a->val > b->val)
+-		return 1;
+-	if (a->val < b->val)
+-		return -1;
+-	/* Preserve the original order if there is an ambiguity, to always use
+-	   the first specified value. */
+-	if (a->orig_index > b->orig_index)
+-		return 1;
+-	if (a->orig_index < b->orig_index)
+-		return -1;
+-	return 0;
+-}
+-
+-/* Compare two "struct value" members by orig_index. */
+-static int
+-cmp_value_orig_index(const void *xa, const void *xb)
+-{
+-	const struct value *a, *b;
+-
+-	a = xa;
+-	b = xb;
+-	if (a->orig_index > b->orig_index)
+-		return 1;
+-	if (a->orig_index < b->orig_index)
+-		return -1;
+-	return 0;
+-}
+-
+-/* Output the string table, initialize values[*]->s_offset. */
+-static void
+-output_strings(const char *prefix)
+-{
+-	size_t i, offset;
+-
+-	offset = 0;
+-	for (i = 0; i < NUM_VALUES; i++) {
+-		values[i].s_offset = offset;
+-		offset += strlen(values[i].s) + 1;
+-	}
+-	printf("static const char %s_strings[] = \"", prefix);
+-	assert(NUM_VALUES > 0);
+-	for (i = 0; i < NUM_VALUES; i++) {
+-		const char *c;
+-
+-		if (i != 0 && i % 10 == 0)
+-			fputs("\"\n"
+-			      "\t\"", stdout);
+-		for (c = values[i].s; *c != '\0'; c++) {
+-			assert(*c != '"' && *c != '\\'
+-			       && isprint((unsigned char)*c));
+-			putc(*c, stdout);
+-		}
+-		if (i != NUM_VALUES - 1)
+-			fputs("\\0", stdout);
+-	}
+-	fputs("\";\n", stdout);
+-}
+-
+-/* Output the string to integer mapping code.
+-   Assume strings are all uppsercase or all lowercase if specified by
+-   parameters; in that case, make the search case-insensitive.
+-   values must be sorted by strings. */
+-static void
+-output_s2i(const char *prefix, bool uppercase, bool lowercase)
+-{
+-	size_t i;
+-
+-	for (i = 0; i < NUM_VALUES - 1; i++) {
+-		assert(strcmp(values[i].s, values[i + 1].s) <= 0);
+-		if (strcmp(values[i].s, values[i + 1].s) == 0) {
+-			fprintf(stderr, "Duplicate value `%s': %d, %d\n",
+-				values[i].s, values[i].val, values[i + 1].val);
+-			abort();
+-		}
+-	}
+-	printf("static const unsigned %s_s2i_s[] = {", prefix);
+-	for (i = 0; i < NUM_VALUES; i++) {
+-		if (i % 10 == 0)
+-			fputs("\n\t", stdout);
+-		assert(values[i].s_offset <= UINT_MAX);
+-		printf("%zu,", values[i].s_offset);
+-	}
+-	printf("\n"
+-	       "};\n"
+-	       "static const int %s_s2i_i[] = {", prefix);
+-	for (i = 0; i < NUM_VALUES; i++) {
+-		if (i % 10 == 0)
+-			fputs("\n\t", stdout);
+-		printf("%d,", values[i].val);
+-	}
+-	fputs("\n"
+-	      "};\n", stdout);
+-	assert(!(uppercase && lowercase));
+-	if (uppercase) {
+-		for (i = 0; i < NUM_VALUES; i++) {
+-			const char *c;
+-
+-			for (c = values[i].s; *c != '\0'; c++)
+-				assert(isascii((unsigned char)*c)
+-				       && !GT_ISLOWER(*c));
+-		}
+-	} else if (lowercase) {
+-		for (i = 0; i < NUM_VALUES; i++) {
+-			const char *c;
+-
+-			for (c = values[i].s; *c != '\0'; c++)
+-				assert(isascii((unsigned char)*c)
+-				       && !GT_ISUPPER(*c));
+-		}
+-	}
+-	if (uppercase || lowercase) {
+-		printf("static int %s_s2i(const char *s, int *value) {\n"
+-		       "\tsize_t len, i;\n"
+-		       "\tlen = strlen(s);\n"
+-		       "\t{ char copy[len + 1];\n"
+-		       "\tfor (i = 0; i < len; i++) {\n"
+-		       "\t\tchar c = s[i];\n", prefix);
+-		if (uppercase)
+-			fputs("\t\tcopy[i] = GT_ISLOWER(c) ? c - 'a' + 'A' "
+-							  ": c;\n", stdout);
+-		else
+-			fputs("\t\tcopy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' "
+-							  ": c;\n", stdout);
+-		printf("\t}\n"
+-		       "\tcopy[i] = 0;\n"
+-		       "\treturn s2i__(%s_strings, %s_s2i_s, %s_s2i_i, %zu, "
+-				      "copy, value);\n"
+-		       "\t}\n"
+-		       "}\n", prefix, prefix, prefix, NUM_VALUES);
+-	} else
+-		printf("static int %s_s2i(const char *s, int *value) {\n"
+-		       "\treturn s2i__(%s_strings, %s_s2i_s, %s_s2i_i, %zu, s, "
+-				      "value);\n"
+-		       "}\n", prefix, prefix, prefix, prefix, NUM_VALUES);
+-}
+-
+-/* Output the string to integer mapping table.
+-   values must be sorted by strings. */
+-static void
+-output_i2s(const char *prefix)
+-{
+-	struct value *unique_values;
+-	int min_val, max_val;
+-	size_t i, n;
+-
+-	assert(NUM_VALUES > 0);
+-	for (i = 0; i < NUM_VALUES - 1; i++) {
+-		assert(values[i].val <= values[i + 1].val);
+-		if (!allow_duplicate_ints
+-		    && values[i].val == values[i + 1].val) {
+-			fprintf(stderr, "Duplicate value %d: `%s', `%s'\n",
+-				values[i].val, values[i].s, values[i + 1].s);
+-			abort();
+-		}
+-	}
+-
+-	unique_values = malloc(NUM_VALUES * sizeof(*unique_values));
+-	assert(unique_values != NULL);
+-	n = 0;
+-	for (i = 0; i < NUM_VALUES; i++) {
+-		if (n == 0 || unique_values[n - 1].val != values[i].val) {
+-			unique_values[n] = values[i];
+-			n++;
+-		}
+-	}
+-
+-	min_val = unique_values[0].val;
+-	max_val = unique_values[n - 1].val;
+-	if (((double)max_val - (double)min_val) / n <= DIRECT_THRESHOLD) {
+-		int next_index;
+-
+-		printf("static const unsigned %s_i2s_direct[] = {", prefix);
+-		next_index = min_val;
+-		i = 0;
+-		for (;;) {
+-			if ((next_index - min_val) % 10 == 0)
+-				fputs("\n\t", stdout);
+-			while (unique_values[i].val < next_index)
+-				/* This can happen if (allow_duplicate_ints) */
+-				i++;
+-			if (unique_values[i].val == next_index) {
+-				assert(unique_values[i].s_offset <= UINT_MAX);
+-				printf("%zu,", unique_values[i].s_offset);
+-			} else
+-				fputs("-1u,", stdout);
+-			if (next_index == max_val)
+-				/* Done like this to avoid integer overflow */
+-				break;
+-			next_index++;
+-		}
+-		printf("\n"
+-		       "};\n"
+-		       "static const char *%s_i2s(int v) {\n"
+-		       "\treturn i2s_direct__(%s_strings, %s_i2s_direct, %d, "
+-					     "%d, v);\n"
+-		       "}\n", prefix, prefix, prefix, min_val, max_val);
+-	} else {
+-		printf("static const int %s_i2s_i[] = {", prefix);
+-		for (i = 0; i < n; i++) {
+-			if (i % 10 == 0)
+-				fputs("\n\t", stdout);
+-			printf("%d,", unique_values[i].val);
+-		}
+-		printf("\n"
+-		       "};\n"
+-		       "static const unsigned %s_i2s_s[] = {", prefix);
+-		for (i = 0; i < n; i++) {
+-			if (i % 10 == 0)
+-				fputs("\n\t", stdout);
+-			assert(unique_values[i].s_offset <= UINT_MAX);
+-			printf("%zu,", unique_values[i].s_offset);
+-		}
+-		printf("\n"
+-		       "};\n"
+-		       "static const char *%s_i2s(int v) {\n"
+-		       "\treturn i2s_bsearch__(%s_strings, %s_i2s_i, %s_i2s_s, "
+-			      "%zu, v);\n"
+-		       "}\n", prefix, prefix, prefix, prefix, n);
+-	}
+-	free(unique_values);
+-}
+-
+-/* Output the string to integer mapping table as a transtab[].
+-   values must be sorted in the desired order. */
+-static void
+-output_i2s_transtab(const char *prefix)
+-{
+-	size_t i;
+-	char *uc_prefix;
+-
+-	printf("static const struct transtab %s_table[] = {", prefix);
+-	for (i = 0; i < NUM_VALUES; i++) {
+-		if (i % 10 == 0)
+-			fputs("\n\t", stdout);
+-		printf("{%d,%zu},", values[i].val, values[i].s_offset);
+-	}
+-	uc_prefix = strdup(prefix);
+-	assert(uc_prefix != NULL);
+-	for (i = 0; uc_prefix[i] != '\0'; i++)
+-		uc_prefix[i] = toupper((unsigned char)uc_prefix[i]);
+-	printf("\n"
+-	       "};\n"
+-	       "#define %s_NUM_ENTRIES "
+-	       "(sizeof(%s_table) / sizeof(*%s_table))\n", uc_prefix, prefix,
+-	       prefix);
+-	free(uc_prefix);
+-}
+-
+ int
+ main(int argc, char **argv)
+ {
+-	bool gen_i2s, gen_i2s_transtab, gen_s2i, uppercase, lowercase;
+-	char *prefix;
+-	size_t i;
+-
+ 	/* This is required by gen_tables.h */
+ 	assert(NUM_VALUES <= (SSIZE_MAX / 2 + 1));
+ 
+-	/* To make sure GT_ISUPPER and GT_ISLOWER work. */
+-	assert('Z' == 'A' + 25 && 'z' == 'a' + 25);
+-	gen_i2s = false;
+-	gen_i2s_transtab = false;
+-	gen_s2i = false;
+-	uppercase = false;
+-	lowercase = false;
+-	prefix = NULL;
+-	assert (argc > 1);
+-	for (i = 1; i < (size_t)argc; i++) {
+-		if (strcmp(argv[i], "--i2s") == 0)
+-			gen_i2s = true;
+-		else if (strcmp(argv[i], "--i2s-transtab") == 0)
+-			gen_i2s_transtab = true;
+-		else if (strcmp(argv[i], "--s2i") == 0)
+-			gen_s2i = true;
+-		else if (strcmp(argv[i], "--uppercase") == 0)
+-			uppercase = true;
+-		else if (strcmp(argv[i], "--lowercase") == 0)
+-			lowercase = true;
+-		else if (strcmp(argv[i], "--duplicate-ints") == 0)
+-			allow_duplicate_ints = true;
+-		else {
+-			assert(*argv[i] != '-');
+-			assert(prefix == NULL);
+-			prefix = argv[i];
+-		}
+-	}
+-	assert(prefix != NULL);
+-	assert(!(uppercase && lowercase));
+-
+-	printf("/* This is a generated file, see Makefile.am for its "
+-	       "inputs. */\n");
+-	for (i = 0; i < NUM_VALUES; i++)
+-		values[i].orig_index = i;
+-	qsort(values, NUM_VALUES, sizeof(*values), cmp_value_strings);
+-	/* FIXME? if (gen_s2i), sort the strings in some other order
+-	   (e.g. "first 4 nodes in BFS of the bsearch tree first") to use the
+-	   cache better. */
+-	/* FIXME? If the only thing generated is a transtab, keep the strings
+-	   in the original order to use the cache better. */
+-	output_strings(prefix);
+-	if (gen_s2i)
+-		output_s2i(prefix, uppercase, lowercase);
+-	if (gen_i2s) {
+-		qsort(values, NUM_VALUES, sizeof(*values), cmp_value_vals);
+-		output_i2s(prefix);
+-	}
+-	if (gen_i2s_transtab) {
+-		qsort(values, NUM_VALUES, sizeof(*values),
+-		      cmp_value_orig_index);
+-		output_i2s_transtab(prefix);
+-	}
+ 	return EXIT_SUCCESS;
+ }
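Review bot: After this change main() keeps only `assert(NUM_VALUES <= (SSIZE_MAX / 2 + 1))`, but the Makefile.am rules in the same patch run gen_tables.c through `$(CC) ... -E` only, so main() is never compiled or executed and the limit that the comment says gen_tables.h requires is no longer enforced anywhere. The removed `'Z' == 'A' + 25` assertion guarded GT_ISUPPER and GT_ISLOWER, which the s2i code emitted by gen_tables.py still calls. Either port both checks into gen_tables.py or drop the leftover main() and state in a comment that gen_tables.c is now preprocessor input only.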
+diff -urN /dev/null b/lib/gen_tables.py
+--- /dev/null	2013-06-19 11:25:31.230442052 -0500
++++ b/lib/gen_tables.py	2013-08-19 14:27:55.639872141 -0500
+@@ -0,0 +1,458 @@
++#!/usr/bin/python
++################################################################################
++# Copyright 2013, Rockwell Collins.  All rights reserved.
++# 
++# This library is free software; you can redistribute it and/or
++# modify it under the terms of the GNU Lesser General Public
++# License as published by the Free Software Foundation; either
++# version 2.1 of the License, or (at your option) any later version.
++# 
++# This library is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++# Lesser General Public License for more details.
++# 
++# You should have received a copy of the GNU Lesser General Public
++# License along with this library; if not, write to the Free Software
++# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
++# 
++# Authors:
++#      Clayton Shotwell <clshotwe@rockwellcollins.com>
++#
++# Description:
++#      Generator of lookup tables to replace the gen_tables.c method developed
++#      Miloslav Trmac <mitr@redhat.com> to make audit package cross compilable.
++#      The logic in this script mimics the logic in gen_tables.c before the last
++#      modification.
++#
++# Usage: gen_tables.py [-h] [--i2s] [--i2s-transtab] [--s2i]
++#                             [--uppercase | --lowercase] [--duplicate-ints]
++#                             prefix header source output
++#
++#        Generate tables header files.
++#
++#        positional arguments:
++#          prefix            The prefix of the output file to use
++#          header            The header file to parse table values from
++#          source            The source of the preprocessor from the compiler
++#          output            The output header file
++#
++#        optional arguments:
++#          -h, --help        show this help message and exit
++#          --i2s             Generate i2s tables
++#          --i2s-transtab    Generate transtab tables
++#          --s2i             Generate s2i tables
++#          --uppercase       All characters are uppercase
++#          --lowercase       All characters are lowercase
++#          --duplicate-ints  Allow duplicate integers
++
++import argparse
++import ctypes
++import os
++import re
++import sys
++from operator import attrgetter
++from pyparsing import Group, Word, Suppress, alphas, alphanums, nums, cppStyleComment, \
++		Optional, ZeroOrMore
++
++# Number of entries to print per line
++NUM_ENTIRES_IN_LINE = 10
++
++# Global table entries variable that is used everywhere
++ENTRIES = []
++
++# The ratio of table size to number of non-empty elements allowed for a
++# "direct" s2i table; if the ratio would be bigger, bsearch tables are used
++# instead.
++# 
++# 2 looks like a lot at a first glance, but the bsearch tables need twice as
++# much space per element, so with the ratio equal to 2 the direct table uses
++# no more memory and is faster.
++DIRECT_THRESHOLD = 2
++
++# Set to True to enable some debug output
++DEBUG = False
++
++class Entry:
++	def __init__(self, new_s, val):
++		self.st = new_s
++		self.val = val
++		self.offset = 0
++		self.orig_index = 0
++	
++	def set_position(self, offset):
++		self.offset = offset
++	
++	def set_orig_index(self, orig_index):
++		self.orig_index = orig_index
++	
++	def get_str(self):
++		return self.st
++	
++	def __repr__(self):
++		return "<Entry st=%s val=%s>" % (self.st, self.val)
++	
++	def __str__(self):
++		return "Entry of st=%s, val=%s, offset=%d, orig_index=%d" % \
++				(self.st, self.val, self.offset, self.orig_index)
++
++def output_strings(prefix, outfile):
++	try:
++		# Calculate the position each entry will be in the string
++		index = 0
++		for i in range(len(ENTRIES)):
++			ENTRIES[i].set_position(index)
++			# Increment the index by the length of the name plus 1 for the null
++			# character at the end.
++			index += len(ENTRIES[i].get_str()) + 1
++		# Write out the strings
++		outfile.write("static const char %s_strings[] = \"" % prefix)
++		for i in range(len(ENTRIES)):
++			if (i != 0) and (i % NUM_ENTIRES_IN_LINE == 0):
++				outfile.write('"\n\t"')
++			outfile.write(ENTRIES[i].get_str())
++			if (i != (len(ENTRIES) - 1)):
++				outfile.write('\\0')
++		outfile.write('";\n')
++	except:
++		# If an error is found, raise the exception so the main function can close
++		# and delete the outfile
++		exc_type, exc_obj, exc_tb = sys.exc_info()
++		fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
++		print("Unexpected error in output_strings:", exc_type, fname, exc_tb.tb_lineno)
++		raise
++
++def output_s2i(prefix, outfile, uppercase, lowercase):
++	try:
++		# Check for duplicate values
++		for i in range(len(ENTRIES) - 1):
++			assert (ENTRIES[i].get_str() <= ENTRIES[i + 1].get_str()), "Entries not in the correct order"
++			if (ENTRIES[i].get_str() == ENTRIES[i + 1].get_str()):
++				print("Duplicate value %s: %d, %d" % \
++						(ENTRIES[i].get_str(), ENTRIES[i].val, ENTRIES[i + 1].val))
++				raise
++		
++		# Write out the index to value index values
++		outfile.write("static const unsigned %s_s2i_s[] = {" % prefix)
++		for i in range(len(ENTRIES)):
++			if (i % NUM_ENTIRES_IN_LINE == 0):
++				outfile.write('\n\t')
++			outfile.write("%i," % ENTRIES[i].offset)
++		outfile.write('\n};\n')
++		
++		# Write out the string to value actual values
++		outfile.write("static const int %s_s2i_i[] = {" % prefix)
++		for i in range(len(ENTRIES)):
++			if (i % NUM_ENTIRES_IN_LINE == 0):
++				outfile.write('\n\t')
++			outfile.write("%i," % ENTRIES[i].val)
++		outfile.write('\n};\n')
++		
++		# Verify the strings are all uppercase or lowercase depending on the arguments
++		# passed in
++		if uppercase:
++			for i in range(len(ENTRIES)):
++				assert (all(ord(c) < 128 for c in ENTRIES[i].get_str()) and \
++						ENTRIES[i].get_str().isupper()), "String %s is not uppercase" % ENTRIES[i].get_str()
++		if lowercase:
++			for i in range(len(ENTRIES)):
++				assert (all(ord(c) < 128 for c in ENTRIES[i].get_str()) and \
++						ENTRIES[i].get_str().islower()), "String %s is not lowercase" % ENTRIES[i].get_str()
++		if uppercase or lowercase:
++			outfile.write("static int %s_s2i(const char *s, int *value) {\n" \
++					"\tsize_t len, i;\n" \
++					"\tlen = strlen(s);\n" \
++					"\t{ char copy[len + 1];\n" \
++					"\tfor (i = 0; i < len; i++) {\n" \
++					"\t\tchar c = s[i];\n" % prefix)
++			if uppercase:
++				outfile.write("\t\tcopy[i] = GT_ISLOWER(c) ? c - 'a' + 'A' : c;\n")
++			else:
++				outfile.write("\t\tcopy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c;\n")
++			outfile.write("\t}\n" \
++					"\tcopy[i] = 0;\n" \
++					"\treturn s2i__(%s_strings, %s_s2i_s, %s_s2i_i, %d, copy, value);\n" \
++					"\t}\n" \
++					"}\n" % (prefix, prefix, prefix, len(ENTRIES)))
++		else:
++			outfile.write("static int %s_s2i(const char *s, int *value) {\n" \
++					"\treturn s2i__(%s_strings, %s_s2i_s, %s_s2i_i, %d, s, value);\n" \
++					"}\n" % (prefix, prefix, prefix, prefix, len(ENTRIES)))
++	except:
++		# If an error is found, raise the exception so the main function can close
++		# and delete the outfile
++		exc_type, exc_obj, exc_tb = sys.exc_info()
++		fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
++		print("Unexpected error in output_s2i:", exc_type, fname, exc_tb.tb_lineno)
++		raise
++
++def output_i2s(prefix, outfile, allow_duplicate_ints):
++	try:
++		# Check for duplicate values
++		for i in range(len(ENTRIES) - 1):
++			assert (ENTRIES[i].val <= ENTRIES[i + 1].val), "Entries not in the correct order"
++			if (not allow_duplicate_ints) and (ENTRIES[i].val == ENTRIES[i + 1].val):
++				print("Duplicate value %d: %s, %s" % (ENTRIES[i].val, ENTRIES[i].get_str(), \
++						ENTRIES[i + 1].get_str()))
++				raise
++		
++		# Find all of the unique values
++		unique_entries = []
++		for i in range(len(ENTRIES)):
++			# If the unique_entries is empty or the last unique_entries entry is different from the 
++			# entry being compared, append the entry
++			if (len(unique_entries) == 0) or (unique_entries[-1].val != ENTRIES[i].val):
++				unique_entries.append(ENTRIES[i])
++		
++		# Determine which mapping to use based on the treshold
++		max_val = unique_entries[-1].val
++		min_val = unique_entries[0].val
++		if ((float(max_val - min_val)/len(unique_entries)) <= DIRECT_THRESHOLD):
++			outfile.write("static const unsigned %s_i2s_direct[] = {" % prefix)
++			next_index = min_val
++			i = 0
++			while True:
++				if (((next_index - min_val) % 10) == 0):
++					outfile.write("\n\t")
++				while (unique_entries[i].val < next_index):
++					# This can happen if (allow_duplicate_ints)
++					i += 1
++				if (unique_entries[i].val == next_index):
++					assert(unique_entries[i].offset <= sys.maxint)
++					outfile.write("%i," % unique_entries[i].offset)
++				else:
++					outfile.write("-1u,")
++				if (next_index == max_val):
++					break
++				next_index += 1
++			outfile.write("\n};\nstatic const char *%s_i2s(int v) {\n" \
++					"\treturn i2s_direct__(%s_strings, %s_i2s_direct, %d, %d, v);\n" \
++					"}\n" % (prefix, prefix, prefix, min_val, max_val))
++		else:
++			outfile.write("static const int %s_i2s_i[] = {" % prefix)
++			for i in range(len(unique_entries)):
++				if (i % 10 == 0):
++					outfile.write("\n\t")
++				outfile.write("%i," % unique_entries[i].val)
++			outfile.write("\n};\nstatic const unsigned %s_i2s_s[] = {" % prefix)
++			for i in range(len(unique_entries)):
++				if (i % 10 == 0):
++					outfile.write("\n\t")
++				assert(unique_entries[i].offset <= sys.maxint)
++				outfile.write("%i," % unique_entries[i].offset)
++			outfile.write("\n };\n static const char *%s_i2s(int v) {\n" \
++					"\treturn i2s_bsearch__(%s_strings, %s_i2s_i, %s_i2s_s, %u, v);\n" \
++					"}\n" % (prefix, prefix, prefix, prefix, len(unique_entries)))
++	except:
++		# If an error is found, raise the exception so the main function can close
++		# and delete the outfile
++		exc_type, exc_obj, exc_tb = sys.exc_info()
++		fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
++		print("Unexpected error in output_i2s:", exc_type, fname, exc_tb.tb_lineno)
++		raise
++
++def output_i2s_transtab(prefix, outfile):
++	"""
++		Output the string to integer mapping table as a transtab[].
++		values must be sorted in the desired order. 
++	"""
++	try:
++		outfile.write("static const struct transtab %s_table[] = {" % prefix)
++		for i in range(len(ENTRIES)):
++			if (i % NUM_ENTIRES_IN_LINE == 0):
++				outfile.write('\n\t')
++			outfile.write("{%i,%u}," % (ENTRIES[i].val, ENTRIES[i].offset))
++		outfile.write("\n};\n#define %s_NUM_ENTRIES (sizeof(%s_table) / sizeof(*%s_table))\n" % \
++				(prefix.upper(), prefix, prefix))
++	except:
++		# If an error is found, raise the exception so the main function can close
++		# and delete the outfile
++		exc_type, exc_obj, exc_tb = sys.exc_info()
++		fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
++		print("Unexpected error in output_i2s_transtab:", exc_type, fname, exc_tb.tb_lineno)
++		raise
++
++def lookup_enum(look_str, buf):
++	try:
++		# Pull all of the enums out of the preprocessor output out only once
++		# to help speed up all of the lookups
++		if not hasattr(lookup_enum, "enums"):
++			if DEBUG:
++				print("Pulling out the enums from the preprocessor output")
++			# Regex pattern to parse out the enums from the preprocessor output
++			enum_regex = "enum.*?{(?P<s>.*?)}"
++			lookup_enum.enums = re.findall(enum_regex, buf, flags=(re.M | re.S))
++		
++		# find which enum contains the string we are looking for
++		for i in range(len(lookup_enum.enums)):
++			if look_str in lookup_enum.enums[i]:
++				# Determine the value of the variable in the enum
++				enum_string = "enum preproc { " + lookup_enum.enums[i] + " }"
++				enum_string = "".join([line.strip() for line in enum_string])
++				if DEBUG:
++					print("Found %s in %s" % (look_str, enum_string))
++				
++				identifier = Word(alphas, alphanums+'_')
++				opt_value = Word(nums, nums+'x+<>/*')
++				
++				enum_value = Group(identifier('name') + Optional(Suppress('=') + opt_value('value')))
++				enum_list = Group(enum_value + ZeroOrMore(Suppress(',') + enum_value))
++				enum = Suppress('enum') + identifier('enum') + Suppress('{') + enum_list('list') + \
++						Suppress('}')
++				enum.ignore(cppStyleComment)
++				
++				for item, start, stop in enum.scanString(enum_string):
++					temp = 0
++					for entry in item.list:
++						if DEBUG:
++							print("Checking %s against %s" % (look_str, entry.name))
++						if entry.name == look_str:
++							if entry.value != '':
++								# Need to call eval becuase some enums have math in them
++								try:
++									value = eval(entry.value)
++								except:
++									print("Found invalid value %s" % entry.value)
++							else:
++								value = temp
++							if DEBUG:
++								print("Matched the enum name to value %d" % value)
++							return value
++						temp += 1
++	except:
++		exc_type, exc_obj, exc_tb = sys.exc_info()
++		fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
++		print("Unexpected error in output_i2s_transtab:", exc_type, fname, exc_tb.tb_lineno)
++	print("Unable to find enum value")
++	return None
++
++def evaluate_string(eval_str, buf):
++	if DEBUG:
++		print("Evaluating string %s" % eval_str)
++	
++	# Regex expression for pulling apart the values in the preprocessor output
++	eval_regex = "(?P<val>\w+)"
++	# Since the string can be anything, it must be parsed into individual parts
++	# and evaluated separately to find any enum values
++	matches = re.findall(eval_regex, eval_str)
++	if len(matches) <= 0:
++		print("Could not find any matches")
++	
++	local_s = eval_str
++	value = None
++	i = 0
++	for i in range(len(matches)):
++		try:
++			# If the current item is abled to evaled, there is nothing to do
++			val = eval(matches[i])
++		except:
++			try:
++				# Need to check to see if the last character is a "U" and remove it
++				# if this does not except, a valid number was found
++				if matches[i][-1] == 'U':
++					val = eval(matches[i][:-1])
++					local_s = local_s.replace(matches[i], "%d" % val)
++				else:
++					# Need to do a enum look up for anything that doesnt translate into a number
++					val = lookup_enum(matches[i], buf)
++					if val is not None:
++						local_s = local_s.replace(matches[i], "%d" % val)
++			except:
++				# This case will be hit if the "U" removal fails
++				val = lookup_enum(matches[i], buf)
++				if val is not None:
++					local_s = local_s.replace(matches[i], "%d" % val)
++	try:
++		# This will fail if all of the enums were not found rather
++		# than handling the failues in the above steps
++		# Also, need to convert to a signed 32 bit int for the output value
++		value = ctypes.c_int32(eval(local_s)).value
++		if DEBUG:
++			print("Found value %d for %s" % (value, matches[i]))
++	except:
++		print("Could not parse string %s" % local_s)
++	
++	# Verify the mess above resulted in a number being found
++	if value is None:
++		print("Failed to find value for %s" % eval_str)
++		raise
++	return value
++	
++def remove_output(outfile):
++	path = outfile.name
++	outfile.close()
++	os.remove(path)
++	sys.exit(1)
++
++def main():
++	
++	# Setup the argument parser and parse the arguments given
++	parser = argparse.ArgumentParser(description='Generate tables header files.')
++	parser.add_argument('--i2s', dest='gen_i2s', action='store_true', 
++			help='Generate i2s tables')
++	parser.add_argument('--i2s-transtab', dest='gen_i2s_transtab', action='store_true', 
++			help='Generate transtab tables')
++	parser.add_argument('--s2i', dest='gen_s2i', action='store_true', 
++			help='Generate s2i tables')
++	# Make sure uppercase and lowercase are mutually exclusive
++	group = parser.add_mutually_exclusive_group()
++	group.add_argument('--uppercase', dest='uppercase', action='store_true', 
++			help='All characters are uppercase')
++	group.add_argument('--lowercase', dest='lowercase', action='store_true', 
++			help='All characters are lowercase')
++	parser.add_argument('--duplicate-ints', dest='allow_duplicate_ints', action='store_true', 
++			help='Allow duplicate integers')
++	parser.add_argument('prefix', help='The prefix of the output file to use')
++	parser.add_argument('source', type=argparse.FileType('r'), 
++			help='The source of the preprocessor from the compiler')
++	parser.add_argument('output', type=argparse.FileType('w'), 
++			help='The output header file')
++	args = parser.parse_args()
++	
++	# Regex pattern to parse out the macro and string from the _S calls
++	source_regex = "{ \((?P<val>.*?)\), \(\"(?P<s>\S+)\"\), 0, 0 }"
++	
++	# First parse the header file for all of the preprocessor source that need to
++	# be looked up
++	buf = args.source.read()
++	matches = re.findall(source_regex, buf, flags=re.MULTILINE)
++	
++	# Check to make sure we have matches
++	if (len(matches) <= 0):
++		print("Failed to find valid source")
++		remove_output(args.output)
++		sys.exit(1)
++	
++	try:
++		# Create all of the entry structures
++		global ENTRIES
++		for i in range(len(matches)):
++			ENTRIES.append(Entry(matches[i][1], evaluate_string(matches[i][0], buf)))
++			ENTRIES[i].set_orig_index(i)
++			if DEBUG:
++				print(ENTRIES[i])
++		
++		# Sort the entries alphabetically
++		ENTRIES = sorted(ENTRIES, key=attrgetter('st'))
++		# Print out the output header
++		args.output.write("/* This is a generated file, see Makefile.am for its inputs. */\n")
++		output_strings(args.prefix, args.output)
++		if args.gen_s2i:
++			output_s2i(args.prefix, args.output, args.uppercase, args.lowercase)
++		if args.gen_i2s:
++			ENTRIES = sorted(ENTRIES, key=attrgetter('val'))
++			output_i2s(args.prefix, args.output, args.allow_duplicate_ints)
++		if args.gen_i2s_transtab:
++			ENTRIES = sorted(ENTRIES, key=attrgetter('orig_index'))
++			output_i2s_transtab(args.prefix, args.output)
++	except:
++		# On an error, close and remove the file before returning an error
++		print("Failed to write the output file correctly")
++		exc_type, exc_obj, exc_tb = sys.exc_info()
++		fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
++		print("Unexpected error:", exc_type, fname, exc_tb.tb_lineno)
++		remove_output(args.output)
++		sys.exit(1)
++
++if __name__ == '__main__':
++	main()
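Review bot: evaluate_string() and lookup_enum() hand text taken from the preprocessor output straight to `eval()` (`eval(matches[i])`, `eval(local_s)`, `eval(entry.value)`), so the build runs whatever Python expression a header happens to contain. Any `\w+` token that matches a name visible to eval (a module-level name such as `os`, `re` or `DEBUG`, or a local such as `buf` or `i`) also evaluates successfully and is left unresolved in `local_s` instead of going to lookup_enum(). Parse numeric tokens explicitly, with the `U` suffix stripped, and evaluate the remaining arithmetic with a small evaluator that accepts only integer literals and the operators the tables use. Separately, the bare `raise` statements in output_s2i(), output_i2s() and at the end of evaluate_string() have no active exception to re-raise; raise a named exception such as `ValueError` carrying the message that is currently printed. The usage comment also lists a `header` positional that the argparse setup does not define.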
+diff -urN a/lib/Makefile.am b/lib/Makefile.am
+--- a/lib/Makefile.am	2013-07-29 16:37:01.000000000 -0500
++++ b/lib/Makefile.am	2013-08-19 14:39:58.280509378 -0500
+@@ -40,119 +40,109 @@
+ BUILT_SOURCES = actiontabs.h errtabs.h fieldtabs.h flagtabs.h \
+ 	ftypetabs.h i386_tables.h ia64_tables.h machinetabs.h \
+ 	msg_typetabs.h optabs.h ppc_tables.h s390_tables.h \
+-	s390x_tables.h x86_64_tables.h
+-if USE_ALPHA
+-BUILT_SOURCES += alpha_tables.h
+-endif
+-if USE_ARMEB
+-BUILT_SOURCES += armeb_tables.h
+-endif
+-if USE_AARCH64
+-BUILT_SOURCES += aarch64_tables.h
+-endif
+-noinst_PROGRAMS = gen_actiontabs_h gen_errtabs_h gen_fieldtabs_h \
++	s390x_tables.h x86_64_tables.h \
++	gen_actiontabs_h gen_errtabs_h gen_fieldtabs_h \
+ 	gen_flagtabs_h gen_ftypetabs_h gen_i386_tables_h \
+ 	gen_ia64_tables_h gen_machinetabs_h gen_msg_typetabs_h \
+ 	gen_optabs_h gen_ppc_tables_h gen_s390_tables_h \
+-	gen_s390x_tables_h gen_x86_64_tables_h
++	gen_s390x_tables_h gen_x86_64_tables_h 
+ if USE_ALPHA
+-noinst_PROGRAMS += gen_alpha_tables_h
++BUILT_SOURCES += alpha_tables.h gen_alpha_tables_h
+ endif
+ if USE_ARMEB
+-noinst_PROGRAMS += gen_armeb_tables_h
++BUILT_SOURCES += armeb_tables.h gen_armeb_tables_h
+ endif
+ if USE_AARCH64
+-noinst_PROGRAMS += gen_aarch64_tables_h
++BUILT_SOURCES += aarch64_tables.h gen_aarch64_tables_h
+ endif
+-gen_actiontabs_h_SOURCES = gen_tables.c gen_tables.h actiontab.h
+-gen_actiontabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="actiontab.h"'
++
++gen_actiontabs_h: gen_tables.c gen_tables.h actiontab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"actiontab.h\" -E -o $@ gen_tables.c
+ actiontabs.h: gen_actiontabs_h Makefile
+-	./gen_actiontabs_h --lowercase --i2s --s2i action > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i action gen_actiontabs_h $@
+ 
+ if USE_ALPHA
+-gen_alpha_tables_h_SOURCES = gen_tables.c gen_tables.h alpha_table.h
+-gen_alpha_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="alpha_table.h"'
++gen_alpha_tables_h: gen_tables.c gen_tables.h alpha_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"alpha_table.h\" -E -o $@ gen_tables.c
+ alpha_tables.h: gen_alpha_tables_h Makefile
+-	./gen_alpha_tables_h --lowercase --i2s --s2i alpha_syscall > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i alpha_syscall gen_alpha_tables_h $@
+ endif
+ 
+ if USE_ARMEB
+-gen_armeb_tables_h_SOURCES = gen_tables.c gen_tables.h armeb_table.h
+-gen_armeb_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="armeb_table.h"'
+-armeb_tables.h: gen_armeb_tables_h Makefile
+-	./gen_armeb_tables_h --lowercase --i2s --s2i armeb_syscall > $@
++gen_armeb_tables_h: gen_tables.c gen_tables.h armeb_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"armeb_table.h\" -E -o $@ gen_tables.c
++armeb_tables.h: gen_armeb_tables_h Makefile
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i armeb_syscall gen_armeb_tables_h $@
+ endif
+ 
+ if USE_AARCH64
+-gen_aarch64_tables_h_SOURCES = gen_tables.c gen_tables.h aarch64_table.h
+-gen_aarch64_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="aarch64_table.h"'
++gen_aarch64_tables_h: gen_tables.c gen_tables.h aarch64_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"aarch64_table.h\" -E -o $@ gen_tables.c
+ aarch64_tables.h: gen_aarch64_tables_h Makefile
+-	./gen_aarch64_tables_h --lowercase --i2s --s2i aarch64_syscall > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i aarch64_syscall gen_aarch64_tables_h $@
+ endif
+ 
+-gen_errtabs_h_SOURCES = gen_tables.c gen_tables.h errtab.h
+-gen_errtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="errtab.h"'
++gen_errtabs_h: gen_tables.c gen_tables.h errtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"errtab.h\" -E -o $@ gen_tables.c
+ errtabs.h: gen_errtabs_h Makefile
+-	./gen_errtabs_h --duplicate-ints --uppercase --i2s --s2i err > $@
++	$(PYTHON) gen_tables.py --duplicate-ints --uppercase --i2s --s2i err gen_errtabs_h $@
+ 
+-gen_fieldtabs_h_SOURCES = gen_tables.c gen_tables.h fieldtab.h
+-gen_fieldtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="fieldtab.h"'
++gen_fieldtabs_h: gen_tables.c gen_tables.h fieldtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"fieldtab.h\" -E -o $@ gen_tables.c
+ fieldtabs.h: gen_fieldtabs_h Makefile
+-	./gen_fieldtabs_h --duplicate-ints --lowercase --i2s --s2i field > $@
++	$(PYTHON) gen_tables.py --duplicate-ints --lowercase --i2s --s2i field gen_fieldtabs_h $@
+ 
+-gen_flagtabs_h_SOURCES = gen_tables.c gen_tables.h flagtab.h
+-gen_flagtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="flagtab.h"'
++gen_flagtabs_h: gen_tables.c gen_tables.h flagtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"flagtab.h\" -E -o $@ gen_tables.c
+ flagtabs.h: gen_flagtabs_h Makefile
+-	./gen_flagtabs_h --lowercase --i2s --s2i flag > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i flag gen_flagtabs_h $@
+ 
+-gen_ftypetabs_h_SOURCES = gen_tables.c gen_tables.h ftypetab.h
+-gen_ftypetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ftypetab.h"'
++gen_ftypetabs_h: gen_tables.c gen_tables.h ftypetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ftypetab.h\" -E -o $@ gen_tables.c
+ ftypetabs.h: gen_ftypetabs_h Makefile
+-	./gen_ftypetabs_h --lowercase --i2s --s2i ftype > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i ftype gen_ftypetabs_h $@
+ 
+-gen_i386_tables_h_SOURCES = gen_tables.c gen_tables.h i386_table.h
+-gen_i386_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="i386_table.h"'
++gen_i386_tables_h: gen_tables.c gen_tables.h i386_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"i386_table.h\" -E -o $@ gen_tables.c
+ i386_tables.h: gen_i386_tables_h Makefile
+-	./gen_i386_tables_h --duplicate-ints --lowercase --i2s --s2i \
+-		i386_syscall > $@
++	$(PYTHON) gen_tables.py --duplicate-ints --lowercase --i2s --s2i i386_syscall gen_i386_tables_h $@
+ 
+-gen_ia64_tables_h_SOURCES = gen_tables.c gen_tables.h ia64_table.h
+-gen_ia64_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ia64_table.h"'
++gen_ia64_tables_h: gen_tables.c gen_tables.h ia64_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ia64_table.h\" -E -o $@ gen_tables.c
+ ia64_tables.h: gen_ia64_tables_h Makefile
+-	./gen_ia64_tables_h --lowercase --i2s --s2i ia64_syscall > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i ia64_syscall gen_ia64_tables_h $@
+ 
+-gen_machinetabs_h_SOURCES = gen_tables.c gen_tables.h machinetab.h
+-gen_machinetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="machinetab.h"'
++gen_machinetabs_h: gen_tables.c gen_tables.h machinetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"machinetab.h\" -E -o $@ gen_tables.c
+ machinetabs.h: gen_machinetabs_h Makefile
+-	./gen_machinetabs_h --duplicate-ints --lowercase --i2s --s2i machine \
+-		> $@
++	$(PYTHON) gen_tables.py --duplicate-ints --lowercase --i2s --s2i machine gen_machinetabs_h $@
+ 
+-gen_msg_typetabs_h_SOURCES = gen_tables.c gen_tables.h msg_typetab.h
+-gen_msg_typetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="msg_typetab.h"'
++gen_msg_typetabs_h: gen_tables.c gen_tables.h msg_typetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"msg_typetab.h\" -E -o $@ gen_tables.c
+ msg_typetabs.h: gen_msg_typetabs_h Makefile
+-	./gen_msg_typetabs_h --uppercase --i2s --s2i msg_type > $@
++	$(PYTHON) gen_tables.py --uppercase --i2s --s2i msg_type gen_msg_typetabs_h $@
+ 
+-gen_optabs_h_SOURCES = gen_tables.c gen_tables.h optab.h
+-gen_optabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="optab.h"'
++gen_optabs_h: gen_tables.c gen_tables.h optab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"optab.h\" -E -o $@ gen_tables.c
+ optabs.h: gen_optabs_h Makefile
+-	./gen_optabs_h --i2s op > $@
++	$(PYTHON) gen_tables.py --i2s op gen_optabs_h $@
+ 
+-gen_ppc_tables_h_SOURCES = gen_tables.c gen_tables.h ppc_table.h
+-gen_ppc_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ppc_table.h"'
++gen_ppc_tables_h: gen_tables.c gen_tables.h ppc_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ppc_table.h\" -E -o $@ gen_tables.c
+ ppc_tables.h: gen_ppc_tables_h Makefile
+-	./gen_ppc_tables_h --lowercase --i2s --s2i ppc_syscall > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i ppc_syscall gen_ppc_tables_h $@
+ 
+-gen_s390_tables_h_SOURCES = gen_tables.c gen_tables.h s390_table.h
+-gen_s390_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="s390_table.h"'
++gen_s390_tables_h: gen_tables.c gen_tables.h s390_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"s390_table.h\" -E -o $@ gen_tables.c
+ s390_tables.h: gen_s390_tables_h Makefile
+-	./gen_s390_tables_h --lowercase --i2s --s2i s390_syscall > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i s390_syscall gen_s390_tables_h $@
+ 
+-gen_s390x_tables_h_SOURCES = gen_tables.c gen_tables.h s390x_table.h
+-gen_s390x_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="s390x_table.h"'
++gen_s390x_tables_h: gen_tables.c gen_tables.h s390x_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"s390x_table.h\" -E -o $@ gen_tables.c
+ s390x_tables.h: gen_s390x_tables_h Makefile
+-	./gen_s390x_tables_h --lowercase --i2s --s2i s390x_syscall > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i s390x_syscall gen_s390x_tables_h $@
+ 
+-gen_x86_64_tables_h_SOURCES = gen_tables.c gen_tables.h x86_64_table.h
+-gen_x86_64_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="x86_64_table.h"'
++gen_x86_64_tables_h: gen_tables.c gen_tables.h x86_64_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"x86_64_table.h\" -E -o $@ gen_tables.c
+ x86_64_tables.h: gen_x86_64_tables_h Makefile
+-	./gen_x86_64_tables_h --lowercase --i2s --s2i x86_64_syscall > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i x86_64_syscall gen_x86_64_tables_h $@
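Review bot: The new recipes name `gen_tables.py` and `gen_tables.c` without `$(srcdir)`, so a build directory separate from the source tree will not find them, and `gen_tables.py` is not a prerequisite of any `*tabs.h` or `*_tables.h` target, so editing the script does not regenerate the tables. Use `$(srcdir)/gen_tables.py` in the recipes and add it to each target's prerequisites. The `gen_*_h` preprocessor dumps move into BUILT_SOURCES now that noinst_PROGRAMS is gone, yet nothing in this hunk adds them to CLEANFILES, and nothing here shows where `$(PYTHON)` is defined; the patch should name the configure check that provides it, since for a cross build it has to be the host interpreter with pyparsing available.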
diff --git a/package/audit/audit-0002-remove-zos-plugin.patch b/package/audit/audit-0002-remove-zos-plugin.patch
new file mode 100644
index 0000000..576d8fa
--- /dev/null
+++ b/package/audit/audit-0002-remove-zos-plugin.patch
@@ -0,0 +1,35 @@
+Removed the step to build the zos-remote.
+
+Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
+---
+--- a/audisp/plugins/Makefile.am	2012-08-28 10:33:03.582396601 -0500
++++ b/audisp/plugins/Makefile.am	2012-08-28 10:33:14.162399662 -0500
+@@ -22,7 +22,7 @@
+ 
+ CONFIG_CLEAN_FILES = *.loT *.rej *.orig
+ 
+-SUBDIRS = builtins zos-remote remote
++SUBDIRS = builtins remote
+ #SUBDIRS = builtins zos-remote
+ if HAVE_PRELUDE
+ SUBDIRS += prelude
+--- a/audisp/plugins/Makefile.in	2012-08-28 10:33:03.592380390 -0500
++++ b/audisp/plugins/Makefile.in	2012-08-28 10:35:38.482397668 -0500
+@@ -84,7 +84,7 @@
+ 	distdir
+ ETAGS = etags
+ CTAGS = ctags
+-DIST_SUBDIRS = builtins zos-remote remote prelude
++DIST_SUBDIRS = builtins remote prelude
+ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ am__relativize = \
+   dir0=`pwd`; \
+@@ -242,7 +242,7 @@
+ top_builddir = @top_builddir@
+ top_srcdir = @top_srcdir@
+ CONFIG_CLEAN_FILES = *.loT *.rej *.orig
+-SUBDIRS = builtins zos-remote remote $(am__append_1)
++SUBDIRS = builtins remote $(am__append_1)
+ all: all-recursive
+ 
+ .SUFFIXES:
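
Review bot: the two Makefile.in hunks are redundant, because audit.mk in this same patch sets AUDIT_AUTORECONF = YES and Makefile.in is regenerated from Makefile.am; keep only the Makefile.am change. The description should also say why zos-remote is dropped (which dependency or build failure it avoids), and the tag needs its colon: "Signed-off-by:".
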
diff --git a/package/audit/audit.mk b/package/audit/audit.mk
new file mode 100644
index 0000000..e32b55f
--- /dev/null
+++ b/package/audit/audit.mk
@@ -0,0 +1,58 @@
+################################################################################
+#
+# audit
+#
+################################################################################
+
+AUDIT_VERSION:=2.3.2
+AUDIT_SITE:=http://people.redhat.com/sgrubb/audit/
+AUDIT_DEPENDENCIES = host-python-pyparsing
+AUDIT_LICENSE = GPLv2
+AUDIT_LICENSE_FILES = COPYING
+
+AUDIT_INSTALL_STAGING = YES
+
+AUDIT_AUTORECONF = YES
+AUDIT_AUTORECONF_OPT = -i -s -I m4
+
+# Audit will be looking for applications to be in the root
+# /sbin folder rather than in /usr/sbin folder
+AUDIT_CONF_OPT = --sbindir=/sbin
+
+ifeq ($(BR2_PACKAGE_PYTHON),y)
+	AUDIT_DEPENDENCIES += python host-python host-swig
+	AUDIT_CONF_OPT += --with-python=yes
+	AUDIT_CONF_ENV += CFLAGS="$(TARGET_CFLAGS) -I$(STAGING_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)"
+else
+	AUDIT_CONF_OPT += --with-python=no
+endif
+
+ifeq ($(BR2_PACKAGE_LIBCAP_NG),y)
+	AUDIT_DEPENDENCIES += libcap-ng
+	AUDIT_CONF_OPT += --with-libcap-ng=yes
+else
+	AUDIT_CONF_OPT += --with-libcap-ng=no
+endif
+
+ifeq ($(BR2_armeb),y)
+	AUDIT_CONF_OPT += --with-armeb
+endif
+ifeq ($(BR2_arm),y)
+	AUDIT_CONF_OPT += --with-armeb
+endif
+ifeq ($(BR2_aarch64),y)
+	AUDIT_CONF_OPT += --with-aarch64
+endif
+
+ifeq ($(BR2_PREFER_STATIC_LIB),y)
+	AUDIT_CONF_OPT += --enable-shared=no
+endif
+
+define AUDIT_REPLACE_STARTUP_SCRIPT
+	$(INSTALL) -m 755 package/audit/S14auditd $(TARGET_DIR)/etc/init.d/
+	rm -rf $(TARGET_DIR)/etc/rc.d/
+endef
+
+AUDIT_POST_INSTALL_TARGET_HOOKS += AUDIT_REPLACE_STARTUP_SCRIPT
+
+$(eval $(autotools-package))
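
Review bot: the BR2_arm block passes --with-armeb, the same option as the BR2_armeb block directly above it. If little-endian ARM really needs that switch, merge the two conditions and add a comment saying so; if not, this is a copy-paste slip. AUDIT_REPLACE_STARTUP_SCRIPT also runs rm -rf on $(TARGET_DIR)/etc/rc.d/, which deletes anything another package installed there, so remove only the files audit itself installs. Minor: AUDIT_VERSION and AUDIT_SITE use := while every other assignment uses =.
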
-- 
1.7.1


* [Buildroot] [PATCH v3 13/16] policycoreutils: new package
  2013-09-25 19:32 [Buildroot] [PATCH v3 00/16] SELinux Buildroot Additions Clayton Shotwell
                   ` (11 preceding siblings ...)
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 12/16] audit: new package Clayton Shotwell
@ 2013-09-25 19:32 ` Clayton Shotwell
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 14/16] python-pyxml: " Clayton Shotwell
                   ` (3 subsequent siblings)
  16 siblings, 0 replies; 22+ messages in thread
From: Clayton Shotwell @ 2013-09-25 19:32 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v2 -> v3:
  - Added dependencies on BR2_TOOLCHAIN_HAS_THREADS and BR2_LARGEFILE (suggested by Thomas).
  - Changed patch naming convention (suggested by Thomas).
  - Added selects for linux-pam and audit.
Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format.
  - Fixed the patch naming to avoid using the version number.
  - Cleaned up the patch to include a signed-off-by line.
  - Changed package dependencies into selects in the config.

 package/Config.in                                  |    1 +
 package/policycoreutils/Config.in                  |   76 +++++
 package/policycoreutils/S15restorecond             |   85 +++++
 .../policycoreutils-0001-cross-compile-fixes.patch |  332 ++++++++++++++++++++
 package/policycoreutils/policycoreutils.mk         |  230 ++++++++++++++
 5 files changed, 724 insertions(+), 0 deletions(-)
 create mode 100644 package/policycoreutils/Config.in
 create mode 100755 package/policycoreutils/S15restorecond
 create mode 100644 package/policycoreutils/policycoreutils-0001-cross-compile-fixes.patch
 create mode 100644 package/policycoreutils/policycoreutils.mk

diff --git a/package/Config.in b/package/Config.in
index e551c42..2c45e2f 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -919,6 +919,7 @@ source "package/xenomai/Config.in"
 endmenu
 
 menu "Security"
+source "package/policycoreutils/Config.in"
 source "package/sepolgen/Config.in"
 source "package/setools/Config.in"
 endmenu
diff --git a/package/policycoreutils/Config.in b/package/policycoreutils/Config.in
new file mode 100644
index 0000000..6551da8
--- /dev/null
+++ b/package/policycoreutils/Config.in
@@ -0,0 +1,76 @@
+config BR2_PACKAGE_POLICYCOREUTILS
+	bool "policycoreutils"
+	select BR2_PACKAGE_LIBSEMANAGE
+	select BR2_PACKAGE_LINUX_PAM
+	select BR2_PACKAGE_AUDIT
+	depends on BR2_TOOLCHAIN_HAS_THREADS
+	depends on BR2_LARGEFILE
+	help
+	  Policycoreutils is a collection of policy utilities (originally 
+	  the "core" set of utilities needed to use SELinux, although it 
+	  has grown a bit over time), which have different dependencies. 
+	  sestatus, secon, run_init, and newrole only use libselinux. 
+	  load_policy and setfiles only use libselinux and libsepol. 
+	  semodule and semanage use libsemanage (and thus bring in 
+	  dependencies on libsepol and libselinux as well). setsebool 
+	  uses libselinux to make non-persistent boolean changes (via 
+	  the kernel interface) and uses libsemanage to make persistent 
+	  boolean changes. 
+	  
+	  The base package will install the following utilities:
+	      load_policy
+	      newrole
+	      restorecond
+	      run_init
+	      secon
+	      semodule
+	      semodule_deps
+	      semodule_expand
+	      semodule_link
+	      semodule_package
+	      sepolgen-ifgen
+	      sestatus
+	      setfiles
+	      setsebool
+	      
+	  http://selinuxproject.org/page/Main_Page
+
+comment "policycoreutils support requires a toolchain with large file and threading support"
+	depends on !BR2_TOOLCHAIN_HAS_THREADS || !BR2_LARGEFILE
+
+if BR2_PACKAGE_POLICYCOREUTILS
+
+config BR2_PACKAGE_POLICYCOREUTILS_POLICY_DEBUGGING
+	bool "Policy Debugging Utilities"
+	select BR2_PACKAGE_PYTHON
+	select BR2_PACKAGE_SEPOLGEN
+	select BR2_PACKAGE_SETOOLS
+	help
+	  Enable policy debugging packages to be built.  These are being included
+	  separately because of dependencies.
+	      audit2allow
+	      audit2why
+	      semanage
+	      sepolicy
+	      scripts
+
+config BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND
+	bool "restorecond Utility"
+	help
+	  Enable restorecond to be built
+
+config BR2_PACKAGE_POLICYCOREUTILS_MCSTRANS
+	bool "mcstrans Utility"
+	select BR2_PACKAGE_PCRE
+	select BR2_PACKAGE_LIBCAP
+	help
+	  Enable mcstrans to be built
+
+config BR2_PACKAGE_POLICYCOREUTILS_SANDBOX
+	bool "sandbox Utility"
+	select BR2_PACKAGE_POLICYCOREUTILS_POLICY_DEBUGGING
+	select BR2_PACKAGE_LIBCGROUP
+	help
+	  Enable sandbox to be built
+
+endif
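
Review bot: BR2_PACKAGE_POLICYCOREUTILS selects only libsemanage, linux-pam and audit, but policycoreutils.mk in this patch lists libcap-ng, dbus-glib and libglib2 in POLICYCOREUTILS_DEPENDENCIES unconditionally; a dependency that is not selected here gets built without being enabled in the configuration, so add the matching selects (and carry over whatever those packages depend on). The help text also lists restorecond among the utilities the base package installs, while BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND says it enables restorecond to be built; make clear which of the two is true.
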
diff --git a/package/policycoreutils/S15restorecond b/package/policycoreutils/S15restorecond
new file mode 100755
index 0000000..e408281
--- /dev/null
+++ b/package/policycoreutils/S15restorecond
@@ -0,0 +1,85 @@
+#!/bin/sh
+#
+# restorecond:		Daemon used to maintain path file context
+#
+# description:	restorecond uses inotify to look for creation of new files \
+# listed in the /etc/selinux/restorecond.conf file, and restores the \
+# correct security context.
+#
+# processname: /usr/sbin/restorecond
+# config: /etc/selinux/restorecond.conf 
+# pidfile: /var/run/restorecond.pid
+#
+# Return values according to LSB for all commands but status:
+# 0 - success
+# 1 - generic or unspecified error
+# 2 - invalid or excess argument(s)
+# 3 - unimplemented feature (e.g. "reload")
+# 4 - insufficient privilege
+# 5 - program is not installed
+# 6 - program is not configured
+# 7 - program is not running
+
+PATH=/sbin:/bin:/usr/bin:/usr/sbin
+
+[ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled || exit 7
+
+# Check that we are root ... so non-root users stop here
+test $EUID = 0  || exit 4
+
+test -x /usr/sbin/restorecond  || exit 5
+test -f /etc/selinux/restorecond.conf  || exit 6
+
+RETVAL=0
+
+start() 
+{
+	echo -n $"Starting restorecond: "
+	unset HOME MAIL USER USERNAME
+	/usr/sbin/restorecond 
+	RETVAL=$?
+	touch /var/lock/subsys/restorecond
+	echo
+	return $RETVAL
+}
+
+stop() 
+{
+	echo -n $"Shutting down restorecond: "
+	killproc restorecond
+	RETVAL=$?
+	rm -f  /var/lock/subsys/restorecond
+	echo
+	return $RETVAL
+}
+
+restart() 
+{
+	stop
+	start
+}
+
+# See how we were called.
+case "$1" in
+  start)
+	start
+	;;
+  stop)
+	stop
+	;;
+  status)
+	status restorecond
+	RETVAL=$?
+	;;
+  force-reload|restart|reload)
+	restart
+	;;
+  condrestart)
+	[ -e /var/lock/subsys/restorecond ] && restart || :
+	;;
+  *)
+	echo $"Usage: $0 {start|stop|restart|force-reload|status|condrestart}"
+	RETVAL=3
+esac
+
+exit $RETVAL
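
Review bot: the script declares #!/bin/sh but depends on bash and on Red Hat init helpers. test $EUID = 0 uses a bash-only variable, so under a POSIX sh it expands to nothing and the script exits 4 even for root; echo -n $"..." is bash locale quoting; killproc and status are never defined or sourced; and /var/lock/subsys is assumed to exist. On a target where any of this fails, restorecond silently never starts and file contexts are not restored. Use id -u for the root check, plain strings, a stop path based on the pidfile named in the header (/var/run/restorecond.pid), and either drop the lock file or create its directory.
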
diff --git a/package/policycoreutils/policycoreutils-0001-cross-compile-fixes.patch b/package/policycoreutils/policycoreutils-0001-cross-compile-fixes.patch
new file mode 100644
index 0000000..8f47907
--- /dev/null
+++ b/package/policycoreutils/policycoreutils-0001-cross-compile-fixes.patch
@@ -0,0 +1,332 @@
+Patch to enable cross compile build and install.
+
+Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
+
+diff -urN a/audit2allow/Makefile b/audit2allow/Makefile
+--- a/audit2allow/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/audit2allow/Makefile	2013-08-23 09:16:21.282917254 -0500
+@@ -3,7 +3,7 @@
+ BINDIR ?= $(PREFIX)/bin
+ LIBDIR ?= $(PREFIX)/lib
+ MANDIR ?= $(PREFIX)/share/man
+-LOCALEDIR ?= /usr/share/locale
++LOCALEDIR ?= $(DESTDIR)/usr/share/locale
+ 
+ all: ;
+ 
+diff -urN a/load_policy/Makefile b/load_policy/Makefile
+--- a/load_policy/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/load_policy/Makefile	2013-08-23 09:16:21.282917254 -0500
+@@ -3,7 +3,7 @@
+ SBINDIR ?= $(DESTDIR)/sbin
+ USRSBINDIR ?= $(PREFIX)/sbin
+ MANDIR ?= $(PREFIX)/share/man
+-LOCALEDIR ?= /usr/share/locale
++LOCALEDIR ?= $(DESTDIR)/usr/share/locale
+ 
+ CFLAGS ?= -Werror -Wall -W
+ override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+diff -urN a/Makefile b/Makefile
+--- a/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/Makefile	2013-08-23 09:16:21.292985286 -0500
+@@ -1,8 +1,8 @@
+ SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui
+ 
+-INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
++INOTIFYH = $(shell ls $(DESTDIR)/usr/include/sys/inotify.h 2>/dev/null)
+ 
+-ifeq (${INOTIFYH}, /usr/include/sys/inotify.h)
++ifeq (${INOTIFYH}, $(DESTDIR)/usr/include/sys/inotify.h)
+ 	SUBDIRS += restorecond
+ endif
+ 
+diff -urN a/mcstrans/src/Makefile b/mcstrans/src/Makefile
+--- a/mcstrans/src/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/mcstrans/src/Makefile	2013-08-23 09:41:18.782916946 -0500
+@@ -1,22 +1,8 @@
+-ARCH = $(shell uname -i)
+-ifeq "$(ARCH)" "x86_64"
+-	# In case of 64 bit system, use these lines
+-	LIBDIR=/usr/lib64
+-else 
+-ifeq "$(ARCH)" "i686"
+-	# In case of 32 bit system, use these lines
+-	LIBDIR=/usr/lib
+-else
+-ifeq "$(ARCH)" "i386"
+-	# In case of 32 bit system, use these lines
+-	LIBDIR=/usr/lib
+-endif
+-endif
+-endif
+ # Installation directories.
+ PREFIX  ?= $(DESTDIR)/usr
+-SBINDIR ?= $(DESTDIR)/sbin
+-INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
++LIBDIR  ?= $(PREFIX)/lib
++SBINDIR ?= $(PREFIX)/sbin
++INITDIR ?= $(DESTDIR)/etc/init.d
+ 
+ PROG_SRC=mcstrans.c  mcscolor.c  mcstransd.c  mls_level.c
+ PROG_OBJS= $(patsubst %.c,%.o,$(PROG_SRC))
+@@ -40,5 +26,5 @@
+ 	install -m 755 $(INITSCRIPT).init $(INITDIR)/$(INITSCRIPT)
+ 
+ clean: 
+-	-rm -f $(OBJS) $(LOBJS) $(TARGET) $(PROG) $(PROG_OBJS) *~ \#*
++	-rm -f $(PROG) $(PROG_OBJS) *.o *~ \#*
+ 
+diff -urN a/mcstrans/utils/Makefile b/mcstrans/utils/Makefile
+--- a/mcstrans/utils/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/mcstrans/utils/Makefile	2013-08-23 09:16:21.292985286 -0500
+@@ -1,24 +1,8 @@
+ # Installation directories.
+ PREFIX ?= $(DESTDIR)/usr
++LIBDIR  ?= $(PREFIX)/lib
+ BINDIR ?= $(PREFIX)/sbin
+ 
+-ARCH = $(shell uname -i)
+-ifeq "$(ARCH)" "x86_64"
+-        # In case of 64 bit system, use these lines
+-        LIBDIR=/usr/lib64
+-else
+-ifeq "$(ARCH)" "i686"
+-        # In case of 32 bit system, use these lines
+-        LIBDIR=/usr/lib
+-else
+-ifeq "$(ARCH)" "i386"
+-        # In case of 32 bit system, use these lines
+-        LIBDIR=/usr/lib
+-endif
+-endif
+-endif
+-
+-
+ CFLAGS ?= -Wall
+ override CFLAGS += -I../src -D_GNU_SOURCE
+ LDLIBS += -L../src ../src/mcstrans.o ../src/mls_level.o -lselinux -lpcre $(LIBDIR)/libsepol.a
+diff -urN a/newrole/Makefile b/newrole/Makefile
+--- a/newrole/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/newrole/Makefile	2013-08-23 09:16:21.292985286 -0500
+@@ -3,9 +3,9 @@
+ BINDIR ?= $(PREFIX)/bin
+ MANDIR ?= $(PREFIX)/share/man
+ ETCDIR ?= $(DESTDIR)/etc
+-LOCALEDIR = /usr/share/locale
+-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
+-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
++LOCALEDIR = $(DESTDIR)/usr/share/locale
++PAMH = $(shell ls $(DESTDIR)/usr/include/security/pam_appl.h 2>/dev/null)
++AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
+ # Enable capabilities to permit newrole to generate audit records.
+ # This will make newrole a setuid root program.
+ # The capabilities used are: CAP_AUDIT_WRITE.
+@@ -24,7 +24,7 @@
+ EXTRA_OBJS =
+ override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+ LDLIBS += -lselinux -L$(PREFIX)/lib
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
+ 	override CFLAGS += -DUSE_PAM
+ 	EXTRA_OBJS += hashtab.o
+ 	LDLIBS += -lpam -lpam_misc
+@@ -32,7 +32,7 @@
+ 	override CFLAGS += -D_XOPEN_SOURCE=500
+ 	LDLIBS += -lcrypt
+ endif
+-ifeq ($(AUDITH), /usr/include/libaudit.h)
++ifeq ($(AUDITH), $(DESTDIR)/usr/include/libaudit.h)
+ 	override CFLAGS += -DUSE_AUDIT
+ 	LDLIBS += -laudit
+ endif
+@@ -66,7 +66,7 @@
+ 	test -d $(MANDIR)/man1 || install -m 755 -d $(MANDIR)/man1
+ 	install -m $(MODE) newrole $(BINDIR)
+ 	install -m 644 newrole.1 $(MANDIR)/man1/
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
+ 	test -d $(ETCDIR)/pam.d || install -m 755 -d $(ETCDIR)/pam.d
+ ifeq ($(LSPP_PRIV),y)
+ 	install -m 644 newrole-lspp.pamd $(ETCDIR)/pam.d/newrole
+diff -urN a/restorecond/Makefile b/restorecond/Makefile
+--- a/restorecond/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/restorecond/Makefile	2013-08-23 09:16:21.292985286 -0500
+@@ -2,24 +2,29 @@
+ PREFIX ?= $(DESTDIR)/usr
+ SBINDIR ?= $(PREFIX)/sbin
+ LIBDIR ?= $(PREFIX)/lib
+-MANDIR = $(PREFIX)/share/man
++MANDIR ?= $(PREFIX)/share/man
+ AUTOSTARTDIR = $(DESTDIR)/etc/xdg/autostart
+ DBUSSERVICEDIR = $(DESTDIR)/usr/share/dbus-1/services
+ 
+ autostart_DATA = sealertauto.desktop
+-INITDIR = $(DESTDIR)/etc/rc.d/init.d
++INITDIR = $(DESTDIR)/etc/init.d
+ SELINUXDIR = $(DESTDIR)/etc/selinux
+ 
+-DBUSFLAGS = -DHAVE_DBUS -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/lib/dbus-1.0/include
++DBUSFLAGS = -DHAVE_DBUS -I$(PREFIX)/include/dbus-1.0 -I$(PREFIX)/lib64/dbus-1.0/include \
++		-I$(PREFIX)/lib/dbus-1.0/include
+ DBUSLIB = -ldbus-glib-1 -ldbus-1
+ 
+ CFLAGS ?= -g -Werror -Wall -W
+-override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/lib/glib-2.0/include
++override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I$(PREFIX)/include/glib-2.0 \
++		-I$(PREFIX)/lib64/glib-2.0/include -I$(PREFIX)/lib/glib-2.0/include
+ 
+ LDLIBS += -lselinux $(DBUSLIB) -lglib-2.0 -L$(LIBDIR)
+ 
+ all: restorecond
+ 
++%.o: %.c
++	$(CC) $(CFLAGS) -c -o $@ $<
++
+ restorecond.o utmpwatcher.o stringslist.o user.o watch.o: restorecond.h
+ 
+ restorecond:  ../setfiles/restore.o restorecond.o utmpwatcher.o stringslist.o user.o watch.o
+diff -urN a/run_init/Makefile b/run_init/Makefile
+--- a/run_init/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/run_init/Makefile	2013-08-23 09:16:21.292985286 -0500
+@@ -4,21 +4,21 @@
+ SBINDIR ?= $(PREFIX)/sbin
+ MANDIR ?= $(PREFIX)/share/man
+ ETCDIR ?= $(DESTDIR)/etc
+-LOCALEDIR ?= /usr/share/locale
+-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
+-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
++LOCALEDIR ?= $(DESTDIR)/usr/share/locale
++PAMH = $(shell ls $(DESTDIR)/usr/include/security/pam_appl.h 2>/dev/null)
++AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
+ 
+ CFLAGS ?= -Werror -Wall -W
+ override CFLAGS += -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+ LDLIBS += -lselinux -L$(PREFIX)/lib
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
+ 	override CFLAGS += -DUSE_PAM
+ 	LDLIBS += -lpam -lpam_misc
+ else
+ 	override CFLAGS += -D_XOPEN_SOURCE=500
+ 	LDLIBS += -lcrypt
+ endif
+-ifeq ($(AUDITH), /usr/include/libaudit.h)
++ifeq ($(AUDITH), $(DESTDIR)/usr/include/libaudit.h)
+ 	override CFLAGS += -DUSE_AUDIT
+ 	LDLIBS += -laudit
+ endif
+@@ -38,7 +38,7 @@
+ 	install -m 755 open_init_pty $(SBINDIR)
+ 	install -m 644 run_init.8 $(MANDIR)/man8/
+ 	install -m 644 open_init_pty.8 $(MANDIR)/man8/
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
+ 	install -m 644 run_init.pamd $(ETCDIR)/pam.d/run_init
+ endif
+ 
+diff -urN a/semodule/Makefile b/semodule/Makefile
+--- a/semodule/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/semodule/Makefile	2013-08-23 09:16:21.302924109 -0500
+@@ -2,7 +2,7 @@
+ PREFIX ?= $(DESTDIR)/usr
+ INCLUDEDIR ?= $(PREFIX)/include
+ SBINDIR ?= $(PREFIX)/sbin
+-MANDIR = $(PREFIX)/share/man
++MANDIR ?= $(PREFIX)/share/man
+ LIBDIR ?= $(PREFIX)/lib
+ 
+ CFLAGS ?= -Werror -Wall -W
+diff -urN a/sepolicy/Makefile b/sepolicy/Makefile
+--- a/sepolicy/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/sepolicy/Makefile	2013-08-23 09:16:21.302924109 -0500
+@@ -5,25 +5,32 @@
+ BINDIR ?= $(PREFIX)/bin
+ SBINDIR ?= $(PREFIX)/sbin
+ MANDIR ?= $(PREFIX)/share/man
+-LOCALEDIR ?= /usr/share/locale
++LOCALEDIR ?= $(DESTDIR)/usr/share/locale
+ PYTHON ?= /usr/bin/python
+ BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
+ SHAREDIR ?= $(PREFIX)/share/sandbox
+-override CFLAGS = $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
++override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
+ 
+ BASHCOMPLETIONS=sepolicy-bash-completion.sh 
+ 
++PYTHON_ARGS = LDSHARED="$(CC) -shared" \
++		CROSS_COMPILING=yes              \
++		_python_sysroot=$(DESTDIR)       \
++		_python_srcdir=$(PYTHON_SRC)     \
++		_python_prefix=/usr              \
++		_python_exec_prefix=/usr
++
+ all: python-build
+ 
+ python-build: info.c search.c common.h policy.h policy.c
+-	$(PYTHON) setup.py build
++	$(PYTHON_ARGS) $(PYTHON) setup.py build
+ 
+ clean:
+ 	$(PYTHON) setup.py clean
+ 	-rm -rf build *~ \#* *pyc .#*
+ 
+ install:
+-	$(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
++	$(PYTHON_ARGS) $(PYTHON) setup.py install --prefix=$(PREFIX)
+ 	[ -d $(BINDIR) ] || mkdir -p $(BINDIR)
+ 	install -m 755 sepolicy.py $(BINDIR)/sepolicy
+ 	-mkdir -p $(MANDIR)/man8
+diff -urN a/sestatus/Makefile b/sestatus/Makefile
+--- a/sestatus/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/sestatus/Makefile	2013-08-23 09:16:21.302924109 -0500
+@@ -1,11 +1,11 @@
+ # Installation directories.
+ PREFIX ?= $(DESTDIR)/usr
+ SBINDIR ?= $(PREFIX)/sbin
+-MANDIR = $(PREFIX)/share/man
++MANDIR ?= $(PREFIX)/share/man
+ ETCDIR ?= $(DESTDIR)/etc
+ LIBDIR ?= $(PREFIX)/lib
+ 
+-CFLAGS = -Werror -Wall -W
++CFLAGS ?= -Werror -Wall -W
+ override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
+ LDLIBS = -lselinux -L$(LIBDIR)
+ 
+diff -urN a/setfiles/Makefile b/setfiles/Makefile
+--- a/setfiles/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/setfiles/Makefile	2013-08-23 09:16:21.302924109 -0500
+@@ -1,24 +1,27 @@
+ # Installation directories.
+ PREFIX ?= $(DESTDIR)/usr
+ SBINDIR ?= $(DESTDIR)/sbin
+-MANDIR = $(PREFIX)/share/man
++MANDIR ?= $(PREFIX)/share/man
+ LIBDIR ?= $(PREFIX)/lib
+-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
++AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
+ 
+-PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S '{ print $$3 }')
+-ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
++PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk '{ print $$3 }')
++ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk '{ print $$3 }')
+ 
+-CFLAGS = -g -Werror -Wall -W
++CFLAGS ?= -g -Werror -Wall -W
+ override CFLAGS += -I$(PREFIX)/include
+ LDLIBS = -lselinux -lsepol -L$(LIBDIR)
+ 
+-ifeq ($(AUDITH), /usr/include/libaudit.h)
++ifeq ($(AUDITH), $(DESTDIR)/usr/include/libaudit.h)
+ 	override CFLAGS += -DUSE_AUDIT
+ 	LDLIBS += -laudit
+ endif
+ 
+ all: setfiles restorecon man
+ 
++%.o: %.c
++	$(CC) $(CFLAGS) -c -o $@ $<
++
+ setfiles:  setfiles.o restore.o
+ 
+ restorecon: setfiles
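
Review bot: LOCALEDIR now defaults to $(DESTDIR)/usr/share/locale, but in load_policy, newrole and run_init the same variable is compiled in through -DLOCALEDIR="\"$(LOCALEDIR)\"", and policycoreutils.mk builds with DESTDIR="$(STAGING_DIR)", so the build host's staging path ends up inside the target binaries. Keep LOCALEDIR as the runtime path /usr/share/locale and prefix $(DESTDIR) only where files are installed. Separately, the sepolicy install rule replaces --root $(DESTDIR) with --prefix=$(PREFIX) without explanation; please say why that is needed. The tag should read "Signed-off-by:" with a colon.
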
diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
new file mode 100644
index 0000000..d4926f3
--- /dev/null
+++ b/package/policycoreutils/policycoreutils.mk
@@ -0,0 +1,230 @@
+################################################################################
+#
+# policycoreutils
+#
+################################################################################
+
+POLICYCOREUTILS_VERSION = 2.1.14
+POLICYCOREUTILS_SITE = http://userspace.selinuxproject.org/releases/20130423/
+POLICYCOREUTILS_LICENSE = GPLv2
+POLICYCOREUTILS_LICENSE_FILES = COPYING
+
+# Both audit and linux-pam are required by the LSPP_PRIV=y option below
+POLICYCOREUTILS_DEPENDENCIES = libsemanage libcap-ng dbus-glib \
+	libglib2 linux-pam audit
+
+ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_POLICY_DEBUGGING),y)
+
+POLICYCOREUTILS_DEPENDENCIES += python host-python sepolgen setools
+
+POLICYCOREUTILS_DEBUGGING_MAKE_OPTS = $(TARGET_CONFIGURE_OPTS) \
+	PYTHON="$(HOST_DIR)/usr/bin/python" \
+	PYLIBVER="python$(PYTHON_VERSION_MAJOR)" \
+	PYTHON_SRC="$(BUILD_DIR)/python$(PYTHON_VERSION)"
+
+define POLICYCOREUTILS_DEBUGGING_BUILD_CMDS
+	$(MAKE) -C $(@D)/audit2allow $(POLICYCOREUTILS_DEBUGGING_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/audit2why $(POLICYCOREUTILS_DEBUGGING_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/scripts $(POLICYCOREUTILS_DEBUGGING_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/semanage $(POLICYCOREUTILS_DEBUGGING_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/sepolicy $(POLICYCOREUTILS_DEBUGGING_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+endef
+
+define POLICYCOREUTILS_DEBUGGING_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D)/audit2allow $(POLICYCOREUTILS_DEBUGGING_MAKE_OPTS) \
+		DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/audit2why $(POLICYCOREUTILS_DEBUGGING_MAKE_OPTS) \
+		DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/scripts $(POLICYCOREUTILS_DEBUGGING_MAKE_OPTS) \
+		DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/semanage $(POLICYCOREUTILS_DEBUGGING_MAKE_OPTS) \
+		DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/sepolicy $(POLICYCOREUTILS_DEBUGGING_MAKE_OPTS) \
+		DESTDIR="$(TARGET_DIR)" install
+endef
+
+endif # End of BR2_PACKAGE_POLICYCOREUTILS_POLICY_DEBUGGING
+
+ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND),y)
+
+define POLICYCOREUTILS_RESTORECOND_BUILD_CMDS
+	$(MAKE) -C $(@D)/restorecond $(TARGET_CONFIGURE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+endef
+
+define POLICYCOREUTILS_RESTORECOND_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D)/restorecond $(TARGET_CONFIGURE_OPTS) \
+		DESTDIR="$(TARGET_DIR)" install
+	rm $(TARGET_DIR)/etc/init.d/restorecond
+	$(INSTALL) -m 0755 package/policycoreutils/S15restorecond \
+		$(TARGET_DIR)/etc/init.d/
+endef
+
+endif # End of BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND
+
+ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_MCSTRANS),y)
+
+POLICYCOREUTILS_DEPENDENCIES += pcre libcap
+
+define POLICYCOREUTILS_MCSTRANS_BUILD_CMDS
+	$(MAKE) -C $(@D)/mcstrans $(TARGET_CONFIGURE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+endef
+
+define POLICYCOREUTILS_MCSTRANS_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D)/mcstrans $(TARGET_CONFIGURE_OPTS) \
+		DESTDIR="$(TARGET_DIR)" install
+endef
+
+endif # End of BR2_PACKAGE_POLICYCOREUTILS_MCSTRANS
+
+ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_SANDBOX),y)
+
+POLICYCOREUTILS_DEPENDENCIES += libcgroup
+
+define POLICYCOREUTILS_SANDBOX_BUILD_CMDS
+	$(MAKE) -C $(@D)/sandbox $(TARGET_CONFIGURE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+endef
+
+define POLICYCOREUTILS_SANDBOX_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D)/sandbox $(TARGET_CONFIGURE_OPTS) \
+		DESTDIR="$(TARGET_DIR)" install
+endef
+
+endif # End of BR2_PACKAGE_POLICYCOREUTILS_SANDBOX
+
+define POLICYCOREUTILS_INSTALL_TARGET_PAM_CONFS
+	$(INSTALL) -D -m 0644 $(@D)/newrole/newrole-lspp.pamd \
+		$(TARGET_DIR)/etc/pam.d/newrole
+	$(INSTALL) -D -m 0644 $(@D)/run_init/run_init.pamd \
+		$(TARGET_DIR)/etc/pam.d/run_init
+endef
+
+# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h 
+# large file support.
+# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more information
+POLICYCOREUTILS_MAKE_OPTS = \
+	$(TARGET_CONFIGURE_OPTS) \
+	CFLAGS+="-U_FILE_OFFSET_BITS" \
+	LSPP_PRIV=y
+
+define POLICYCOREUTILS_BUILD_CMDS
+	$(MAKE) -C $(@D)/load_policy $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/newrole $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/restorecond $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/run_init $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/secon $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/semodule $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/semodule_deps $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/semodule_expand $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/semodule_link $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/semodule_package $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/sepolgen-ifgen $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/sestatus $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/setfiles $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/setsebool $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(POLICYCOREUTILS_DEBUGGING_BUILD_CMDS)
+	$(POLICYCOREUTILS_RESTORECOND_BUILD_CMDS)
+	$(POLICYCOREUTILS_MCSTRANS_BUILD_CMDS)
+	$(POLICYCOREUTILS_SANDBOX_BUILD_CMDS)
+endef
+
+define POLICYCOREUTILS_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D)/load_policy      DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/newrole          DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/restorecond      DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/run_init         DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/secon            DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/semodule         DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/semodule_deps    DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/semodule_expand  DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/semodule_link    DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/semodule_package DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/sepolgen-ifgen   DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/sestatus         DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/setfiles         DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/setsebool        DESTDIR="$(TARGET_DIR)" install
+	$(POLICYCOREUTILS_INSTALL_TARGET_PAM_CONFS)
+	$(POLICYCOREUTILS_DEBUGGING_INSTALL_TARGET_CMDS)
+	$(POLICYCOREUTILS_RESTORECOND_INSTALL_TARGET_CMDS)
+	$(POLICYCOREUTILS_MCSTRANS_INSTALL_TARGET_CMDS)
+	$(POLICYCOREUTILS_SANDBOX_INSTALL_TARGET_CMDS)
+endef
+
+define POLICYCOREUTILS_CLEAN_CMDS
+	$(MAKE) -C $(@D) clean DESTDIR=$(STAGING_DIR)
+	$(MAKE) -C $(@D)/mcstrans clean DESTDIR=$(STAGING_DIR)
+	$(MAKE) -C $(@D)/restorecond clean DESTDIR=$(STAGING_DIR)
+endef
+
+HOST_POLICYCOREUTILS_DEPENDENCIES = host-libsemanage
+
+# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h 
+# large file support.
+# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more information
+HOST_POLICYCOREUTILS_MAKE_OPTS = \
+	$(HOST_CONFIGURE_OPTS) \
+	CFLAGS+="-U_FILE_OFFSET_BITS" \
+	LSPP_PRIV=y
+
+# Note: We are only building the programs required by the refpolicy build
+define HOST_POLICYCOREUTILS_BUILD_CMDS
+	$(MAKE) -C $(@D)/semodule $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_package $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_link $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_expand $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_deps $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/load_policy $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/setfiles $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+endef
+
+define HOST_POLICYCOREUTILS_INSTALL_CMDS
+	$(MAKE) -C $(@D)/semodule install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_package install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_link install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_expand install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_deps install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/load_policy install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/setfiles install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+endef
+
+define HOST_POLICYCOREUTILS_CLEAN_CMDS
+	$(MAKE) -C $(@D) clean DESTDIR=$(HOST_DIR)
+endef
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
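
Review bot: POLICYCOREUTILS_INSTALL_TARGET_CMDS runs every install without $(POLICYCOREUTILS_MAKE_OPTS), so LSPP_PRIV=y and the cross-compiler settings used at build time are missing at install time. The newrole Makefile shown in the cross-compile patch installs with install -m $(MODE) and chooses its PAM file on LSPP_PRIV, so the installed PAM configuration, and possibly the file mode, can differ from what was built; pass the same options to both steps, which should also make POLICYCOREUTILS_INSTALL_TARGET_PAM_CONFS unnecessary. In addition, restorecond is built and installed unconditionally here, so BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND only repeats the build and swaps the init script, and with the option off the upstream init script stays in /etc/init.d.
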
-- 
1.7.1


* [Buildroot] [PATCH v3 14/16] python-pyxml: new package
  2013-09-25 19:32 [Buildroot] [PATCH v3 00/16] SELinux Buildroot Additions Clayton Shotwell
                   ` (12 preceding siblings ...)
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 13/16] policycoreutils: " Clayton Shotwell
@ 2013-09-25 19:32 ` Clayton Shotwell
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 15/16] refpolicy: " Clayton Shotwell
                   ` (2 subsequent siblings)
  16 siblings, 0 replies; 22+ messages in thread
From: Clayton Shotwell @ 2013-09-25 19:32 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v2 -> v3:
  - No changes.
Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format.

 package/Config.in                  |    1 +
 package/python-pyxml/Config.in     |   11 +++++++
 package/python-pyxml/python-xml.mk |   58 ++++++++++++++++++++++++++++++++++++
 3 files changed, 70 insertions(+), 0 deletions(-)
 create mode 100644 package/python-pyxml/Config.in
 create mode 100644 package/python-pyxml/python-xml.mk

diff --git a/package/Config.in b/package/Config.in
index 2c45e2f..538a791 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -396,6 +396,7 @@ source "package/python-protobuf/Config.in"
 source "package/python-pygame/Config.in"
 source "package/python-pyparsing/Config.in"
 source "package/python-pyro/Config.in"
+source "package/python-pyxml/Config.in"
 source "package/python-pyzmq/Config.in"
 source "package/python-serial/Config.in"
 source "package/python-setuptools/Config.in"
diff --git a/package/python-pyxml/Config.in b/package/python-pyxml/Config.in
new file mode 100644
index 0000000..420f3ad
--- /dev/null
+++ b/package/python-pyxml/Config.in
@@ -0,0 +1,11 @@
+config BR2_PACKAGE_PYTHON_PYXML
+	bool "python-pyxml"
+	depends on BR2_PACKAGE_PYTHON
+	help
+	  This is the Python XML package.  The distribution contains a
+	  validating XML parser, an implementation of the SAX and DOM
+	  programming interfaces, an interface to the Expat parser (and the
+	  Expat parser itself), and a C helper module that can speed up
+	  xmllib.py by a factor of 5.  There's even documentation!
+
+	  http://pyxml.sourceforge.net/topics/index.html
diff --git a/package/python-pyxml/python-xml.mk b/package/python-pyxml/python-xml.mk
new file mode 100644
index 0000000..0723e42
--- /dev/null
+++ b/package/python-pyxml/python-xml.mk
@@ -0,0 +1,58 @@
+################################################################################
+#
+# python-pyxml
+#
+################################################################################
+
+PYTHON_PYXML_VERSION = 0.8.4
+PYTHON_PYXML_SOURCE  = PyXML-$(PYTHON_PYXML_VERSION).tar.gz
+PYTHON_PYXML_SITE    = http://sourceforge.net/projects/pyxml/files/pyxml/0.8.4/PyXML-0.8.4.tar.gz/download
+PYTHON_PYXML_LICENSE = BSD-3c
+PYTHON_PYXML_LICENSE_FILES = LICENSE
+
+PYTHON_PYXML_DEPENDENCIES = host-python python expat
+
+PYTHON_PYXML_INSTALL_STAGING = NO
+
+define PYTHON_PYXML_BUILD_CMDS
+	(cd $(@D); \
+		CC="$(TARGET_CC)" \
+		CFLAGS="$(TARGET_CFLAGS) -I$(STAGING_DIR)/usr/include" \
+		LDSHARED="$(TARGET_CC) -shared" \
+		LDFLAGS="$(TARGET_LDFLAGS) -L$(STAGING_DIR)/lib -L$(STAGING_DIR)/usr/lib" \
+		$(HOST_DIR)/usr/bin/python setup.py build_ext \
+		--include-dirs=$(STAGING_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR) \
+		--with-libexpat=$(STAGING_DIR)/usr \
+	)
+	(cd $(@D); $(HOST_DIR)/usr/bin/python setup.py build)
+endef
+
+define PYTHON_PYXML_CLEAN_CMDS
+	(cd $(@D); $(HOST_DIR)/usr/bin/python setup.py clean -a)
+endef
+
+define PYTHON_PYXML_INSTALL_STAGING_CMDS
+	(cd $(@D); $(HOST_DIR)/usr/bin/python setup.py install --prefix=$(STAGING_DIR)/usr)
+endef
+
+define PYTHON_PYXML_INSTALL_TARGET_CMDS
+	(cd $(@D); $(HOST_DIR)/usr/bin/python setup.py install --prefix=$(TARGET_DIR)/usr)
+endef
+
+HOST_PYTHON_PYXML_DEPENDENCIES = host-python
+
+define HOST_PYTHON_PYXML_BUILD_CMDS
+	(cd $(@D); $(HOST_DIR)/usr/bin/python setup.py build_ext --with-libexpat=$(HOST_DIR)/usr)
+	(cd $(@D); $(HOST_DIR)/usr/bin/python setup.py build)
+endef
+
+define HOST_PYTHON_PYXML_CLEAN_CMDS
+	(cd $(@D); $(HOST_DIR)/usr/bin/python setup.py clean)
+endef
+
+define HOST_PYTHON_PYXML_INSTALL_CMDS
+	(cd $(@D); $(HOST_DIR)/usr/bin/python setup.py install --prefix=$(HOST_DIR)/usr)
+endef
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
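
Review bot: PYTHON_PYXML_SITE holds the complete download URL, including the tarball name and a hard-coded 0.8.4, so it duplicates PYTHON_PYXML_SOURCE and will not follow PYTHON_PYXML_VERSION on a bump; it should name only the directory that contains the tarball. Further points in this file: PYTHON_PYXML_INSTALL_STAGING = NO leaves PYTHON_PYXML_INSTALL_STAGING_CMDS as dead code; the second "setup.py build" in PYTHON_PYXML_BUILD_CMDS runs without the CC/CFLAGS/LDSHARED/LDFLAGS environment given to build_ext, so anything it compiles would use the host defaults; HOST_PYTHON_PYXML_CLEAN_CMDS uses "clean" where the target variant uses "clean -a"; and the file is named python-xml.mk inside package/python-pyxml/, which does not match the package name.
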
-- 
1.7.1


* [Buildroot] [PATCH v3 15/16] refpolicy: new package
  2013-09-25 19:32 [Buildroot] [PATCH v3 00/16] SELinux Buildroot Additions Clayton Shotwell
                   ` (13 preceding siblings ...)
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 14/16] python-pyxml: " Clayton Shotwell
@ 2013-09-25 19:32 ` Clayton Shotwell
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 16/16] shadow: " Clayton Shotwell
  2013-10-01 19:51 ` [Buildroot] [PATCH v3 00/16] SELinux Buildroot Additions Thomas Petazzoni
  16 siblings, 0 replies; 22+ messages in thread
From: Clayton Shotwell @ 2013-09-25 19:32 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v2 -> v3:
  - Changes patch naming convention (suggested by Thomas).
  - Added dependencies on BR2_TOOLCHAIN_HAS_THREADS and BR2_LARGEFILE (suggested by Thomas).
  - Removed configure option for a specific patch folder (suggested by Thomas).
  - Removed distribution configuration option (suggested by Thomas).
  - Changed the monolithic configuration option to a modular configuration option (suggested by Thomas).
  - Removed the refpolicy name option (suggested by Thomas).
  - Corrected grammatical and comment errors (suggested by Thomas).
  - Multiple style corrections to the mk file (suggested by Thomas).
  - Added a comment to clarify the usage of the host build options for a target build.
Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format.
  - Fixed the patch naming to match the standard 4 digit numbering.
  - Changed package dependencies into selects in the config.

 package/Config.in                                  |    1 +
 package/refpolicy/Config.in                        |   58 +
 package/refpolicy/S12selinux                       |  134 +++
 package/refpolicy/config                           |    8 +
 .../refpolicy-0001-gentoo-hardened-fixes.patch     | 1250 ++++++++++++++++++++
 package/refpolicy/refpolicy.mk                     |   80 ++
 6 files changed, 1531 insertions(+), 0 deletions(-)
 create mode 100644 package/refpolicy/Config.in
 create mode 100644 package/refpolicy/S12selinux
 create mode 100755 package/refpolicy/config
 create mode 100644 package/refpolicy/refpolicy-0001-gentoo-hardened-fixes.patch
 create mode 100644 package/refpolicy/refpolicy.mk

diff --git a/package/Config.in b/package/Config.in
index 538a791..dfe6dc1 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -921,6 +921,7 @@ endmenu
 
 menu "Security"
 source "package/policycoreutils/Config.in"
+source "package/refpolicy/Config.in"
 source "package/sepolgen/Config.in"
 source "package/setools/Config.in"
 endmenu
diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
new file mode 100644
index 0000000..ee54889
--- /dev/null
+++ b/package/refpolicy/Config.in
@@ -0,0 +1,58 @@
+config BR2_PACKAGE_REFPOLICY
+	bool "refpolicy"
+	select BR2_PACKAGE_POLICYCOREUTILS
+	depends on BR2_TOOLCHAIN_HAS_THREADS
+	depends on BR2_LARGEFILE
+	help
+	  The SELinux Reference Policy project (refpolicy) is a 
+	  complete SELinux policy that can be used as the system 
+	  policy for a variety of systems and used as the basis 
+	  for creating other policies. Reference Policy was originally 
+	  based on the NSA example policy, but aims to accomplish 
+	  many additional goals. 
+	  
+	  The current refpolicy does not fully support Buildroot
+	  and needs modifications to work with the default system
+	  file layout.  These changes should be added as patches to
+	  the refpolicy that modify a single SELinux policy.
+
+comment "refpolicy support requires a toolchain with large file and threading support"
+	depends on !BR2_TOOLCHAIN_HAS_THREADS || !BR2_LARGEFILE
+
+if BR2_PACKAGE_REFPOLICY
+
+choice
+	prompt "SELinux policy type"
+	default BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
+
+	config BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
+		bool "Standard"
+		help
+		  Standard SELinux policy
+	
+	config BR2_PACKAGE_REFPOLICY_TYPE_MCS
+		bool "MCS"
+		help
+		  SELinux policy with multi-catagory support
+	
+	config BR2_PACKAGE_REFPOLICY_TYPE_MLS
+		bool "MLS"
+		help
+		  SELinux policy with multi-catagory and multi-level support
+endchoice
+
+config BR2_PACKAGE_REFPOLICY_TYPE
+	string
+	default "standard" if BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
+	default "mcs" if BR2_PACKAGE_REFPOLICY_TYPE_MCS
+	default "mls" if BR2_PACKAGE_REFPOLICY_TYPE_MLS
+
+config BR2_PACKAGE_REFPOLICY_MODULAR
+	bool "Build a modular SELinux policy"
+	help
+	  Select Y to build a modular SELinux policy. By default,
+	  a monolithing policy will be built to save space on the
+	  target. A modular policy can also be built if policies
+	  need to be modified without reloading the target.
+
+endif
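
Review bot: the BR2_PACKAGE_REFPOLICY_MODULAR help is hard to follow: it describes the monolithic default and then says a modular policy "can also be built if policies need to be modified without reloading the target". State plainly that N builds a monolithic policy, Y builds a modular one, and what "without reloading" refers to. Typos to fix while there: "monolithing", and "multi-catagory" in both the MCS and MLS help. Several help lines in BR2_PACKAGE_REFPOLICY carry trailing whitespace. The same help asks for patches that each modify a single SELinux policy, which the 1250-line refpolicy-0001-gentoo-hardened-fixes.patch added by this commit does not follow; either reword the guidance or explain the exception.
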
diff --git a/package/refpolicy/S12selinux b/package/refpolicy/S12selinux
new file mode 100644
index 0000000..0ceea97
--- /dev/null
+++ b/package/refpolicy/S12selinux
@@ -0,0 +1,134 @@
+#!/bin/sh
+################################################################################
+#
+# This file labels the security contexts of memory based filesystems such as
+# /dev/ and checks for auto relabel request if '/.autorelabel' file exists.
+# The 'stop' argument drops the security mode to 'permissive'.
+#
+# This script is a heavily stripped down and modified version of the one used
+# in CentOS 6.2
+#
+################################################################################
+
+failed()
+{
+   echo $1
+   exit 1
+}
+
+setup_selinux() {
+   # Get SELinux config env vars
+   . /etc/selinux/config || failed "Failed to source the SELinux config"
+
+   # Create required directories
+   mkdir -p /etc/selinux/${SELINUXTYPE}/policy/ || 
+         failed "Failed to create the policy folder"
+   mkdir -p /etc/selinux/${SELINUXTYPE}/modules/active/modules || \
+         failed "Failed to create the modules folder"
+   if [ ! -f /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local ]
+   then
+      touch /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local || \
+            failed "Failed to create the file_contexts.local file"
+   fi
+   
+   # Install modules
+   semodule -v -s ${SELINUXTYPE} -b /usr/share/selinux/${SELINUXTYPE}/base.pp \
+         -i $(ls /usr/share/selinux/${SELINUXTYPE}/*.pp | grep -v base) || \
+         failed "Failed to install the base policy"
+   
+   # Load the policy to activate it
+   load_policy -i || failed "Failed to load the SELinux policy"
+}
+
+relabel_selinux() {
+   # if /sbin/init is not labeled correctly this process is running in the
+   # wrong context, so a reboot will be required after relabel
+   AUTORELABEL=
+
+   # Get SELinux config env vars
+   . /etc/selinux/config || failed "Failed to source the SELinux config"
+
+   # Switch to Permissive mode
+   echo "0" > /selinux/enforce || failed "Failed to disable enforcing mode"
+
+   echo
+   echo "*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
+   echo "*** Relabeling could take a very long time, depending on file"
+   echo "*** system size and speed of hard drives."
+
+   # Relabel mount points
+   restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) \
+         >/dev/null 2>&1 || failed "Failed to relabel the mount points"
+   
+   # Relabel file system
+   echo "Relabeling file systems"
+   restorecon -R -F / || failed "Failed to relabel the file system"
+
+   # Remove label
+   rm -f  /.autorelabel || failed "Failed to remove the autorelabel flag"
+   
+   # Reboot to activate relabeled file system
+   echo "Automatic reboot in progress."
+   reboot -f
+}
+
+start() {
+   echo -n "Initializing SELinux: "
+
+   # Check to see if the default policy has been installed
+   if [ "`sestatus | grep "SELinux status" | grep enabled`" == "" ]; then
+      setup_selinux
+   fi
+
+   # Check SELinux status
+   SELINUX_STATE=
+   if [ -e "/selinux/enforce" ] && [ "$(cat /proc/self/attr/current)" != "kernel" ]; then
+      if [ -r "/selinux/enforce" ] ; then
+         SELINUX_STATE=$(cat "/selinux/enforce")
+      else
+         # assume enforcing if you can't read it
+         SELINUX_STATE=1
+      fi
+   fi
+
+   # Context Label /dev/
+   if [ -n "$SELINUX_STATE" -a -x /sbin/restorecon ] && fgrep " /dev " /proc/mounts >/dev/null 2>&1 ; then
+      /sbin/restorecon -R -F /dev 2>/dev/null
+   fi
+
+   # Context Label tmpfs mounts
+   if [ -n "$SELINUX_STATE" -a -x /sbin/restorecon ]; then
+      /sbin/restorecon -R -F $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// && $3 =="tmpfs" { print $2 }' /etc/fstab) >/dev/null 2>&1
+   fi
+
+   # Clean up SELinux labels
+   if [ -n "$SELINUX_STATE" -a -x /sbin/restorecon ]; then
+      restorecon -F /etc/mtab /etc/ld.so.cache /etc/resolv.conf >/dev/null 2>&1
+   fi
+
+   # Check for filesystem relabel request
+   if [ -f /.autorelabel ] ; then
+      relabel_selinux
+   fi
+
+   echo "OK"
+}  
+stop() {
+   # There is nothing to do
+   echo "OK" 
+}
+
+case "$1" in
+   start)
+      start
+      ;;
+   stop)
+      stop
+      ;;
+   *)
+      echo "Usage: $0 {start|stop}"
+      exit 1
+      ;;
+esac
+
+exit $?
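
Review bot: relabel_selinux() writes 0 to /selinux/enforce and every later error path goes through failed(), which exits 1 without restoring the previous mode, so a failed restorecon or rm leaves the boot running permissive on a system configured as enforcing. Save the old value and write it back before exiting, or reboot on failure as well. The header comment says the 'stop' argument drops the mode to permissive, but stop() only prints OK; one of the two should change. Smaller points: the sestatus test in start() uses == inside [ ], which is not POSIX under #!/bin/sh; AUTORELABEL is assigned and never read; failed() echoes $1 unquoted; and the first mkdir line ends in "||" with trailing whitespace where the others use "|| \".
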
diff --git a/package/refpolicy/config b/package/refpolicy/config
new file mode 100755
index 0000000..5eee807
--- /dev/null
+++ b/package/refpolicy/config
@@ -0,0 +1,8 @@
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+#     enforcing - SELinux security policy is enforced.
+#     permissive - SELinux prints warnings instead of enforcing.
+#     disabled - No SELinux policy is loaded.
+SELINUX=permissive
+# SELINUXTYPE= name of the selinux policy to use
+SELINUXTYPE=refpolicy
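
Review bot: SELINUX=permissive as the installed default means the policy is loaded and denials are logged but nothing is enforced until someone edits this file on the target, and nothing in the refpolicy help text says so. Consider exposing the initial mode as a Config.in choice, or at least document that the image ships permissive and how to switch it. The file is also created with mode 100755, which a sourced configuration file does not need.
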
diff --git a/package/refpolicy/refpolicy-0001-gentoo-hardened-fixes.patch b/package/refpolicy/refpolicy-0001-gentoo-hardened-fixes.patch
new file mode 100644
index 0000000..c1c398f
--- /dev/null
+++ b/package/refpolicy/refpolicy-0001-gentoo-hardened-fixes.patch
@@ -0,0 +1,1250 @@
+From: Dominick Grift <dominick.grift@gmail.com>
+Date: Fri, 16 Aug 2013 07:07:37 +0000 (+0200)
+Subject: Fix monolithic built
+X-Git-Url: http://git.overlays.gentoo.org/gitweb/?p=proj%2Fhardened-refpolicy.git;a=commitdiff_plain;h=86500de7
+
+Fix monolithic built
+
+Make unconfined_cronjob_t declaration mandatory, because else monolithic
+built fails due to duplicate declaration
+
+Deprecate kerberos_keytab_template:
+
+Keytab type declarations have to be mandatory, because else monolithic
+built fails due to out-of-scope
+
+This keytab solution does not make sense in its current implementation,
+as many corresponding file context specs are missing, and there are no
+type transtion rules
+
+Replaced two deprecated interface calls
+
+Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
+---
+
+diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
+index a1d1131..655cbe1 100644
+--- a/policy/modules/contrib/apache.if
++++ b/policy/modules/contrib/apache.if
+@@ -1203,9 +1203,9 @@ interface(`apache_admin',`
+ 		attribute httpd_script_domains, httpd_htaccess_type;
+ 		type httpd_t, httpd_config_t, httpd_log_t;
+ 		type httpd_modules_t, httpd_lock_t, httpd_helper_t;
+-		type httpd_var_run_t, httpd_keytab_t, httpd_passwd_t;
++		type httpd_var_run_t, httpd_passwd_t, httpd_suexec_t;
+ 		type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t;
+-		type httpd_initrc_exec_t, httpd_suexec_t;
++		type httpd_initrc_exec_t, httpd_keytab_t;
+ 	')
+ 
+ 	allow $1 { httpd_script_domains httpd_t httpd_helper_t }:process { ptrace signal_perms };
+@@ -1222,7 +1222,7 @@ interface(`apache_admin',`
+ 	miscfiles_manage_public_files($1)
+ 
+ 	files_search_etc($1)
+-	admin_pattern($1, { httpd_config_t httpd_keytab_t })
++	admin_pattern($1, { httpd_keytab_t httpd_config_t })
+ 
+ 	logging_search_logs($1)
+ 	admin_pattern($1, httpd_log_t)
+diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
+index 0da7cc3..99bb9b5 100644
+--- a/policy/modules/contrib/apache.te
++++ b/policy/modules/contrib/apache.te
+@@ -1,4 +1,4 @@
+-policy_module(apache, 2.7.0)
++policy_module(apache, 2.7.1)
+ 
+ ########################################
+ #
+@@ -283,6 +283,9 @@ role httpd_helper_roles types httpd_helper_t;
+ type httpd_initrc_exec_t;
+ init_script_file(httpd_initrc_exec_t)
+ 
++type httpd_keytab_t;
++files_type(httpd_keytab_t)
++
+ type httpd_lock_t;
+ files_lock_file(httpd_lock_t)
+ 
+@@ -391,6 +394,8 @@ allow httpd_t httpd_config_t:dir list_dir_perms;
+ read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
+ read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
+ 
++allow httpd_t httpd_keytab_t:file read_file_perms;
++
+ allow httpd_t httpd_lock_t:file manage_file_perms;
+ files_lock_filetrans(httpd_t, httpd_lock_t, file)
+ 
+@@ -781,10 +786,11 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(httpd, httpd_t)
+ 	kerberos_manage_host_rcache(httpd_t)
++	kerberos_read_keytab(httpd_t)
+ 	kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_23")
+ 	kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_48")
++	kerberos_use(httpd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/automount.if b/policy/modules/contrib/automount.if
+index 089430a..f24e369 100644
+--- a/policy/modules/contrib/automount.if
++++ b/policy/modules/contrib/automount.if
+@@ -153,6 +153,7 @@ interface(`automount_admin',`
+ 	gen_require(`
+ 		type automount_t, automount_lock_t, automount_tmp_t;
+ 		type automount_var_run_t, automount_initrc_exec_t;
++		type automount_keytab_t;
+ 	')
+ 
+ 	allow $1 automount_t:process { ptrace signal_perms };
+@@ -163,6 +164,9 @@ interface(`automount_admin',`
+ 	role_transition $2 automount_initrc_exec_t system_r;
+ 	allow $2 system_r;
+ 
++	files_list_etc($1)
++	admin_pattern($1, automount_keytab_t)
++
+ 	files_list_var($1)
+ 	admin_pattern($1, automount_lock_t)
+ 
+diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te
+index d4e58ea..27d2f40 100644
+--- a/policy/modules/contrib/automount.te
++++ b/policy/modules/contrib/automount.te
+@@ -1,4 +1,4 @@
+-policy_module(automount, 1.14.0)
++policy_module(automount, 1.14.1)
+ 
+ ########################################
+ #
+@@ -12,8 +12,8 @@ init_daemon_domain(automount_t, automount_exec_t)
+ type automount_initrc_exec_t;
+ init_script_file(automount_initrc_exec_t)
+ 
+-type automount_var_run_t;
+-files_pid_file(automount_var_run_t)
++type automount_keytab_t;
++files_type(automount_keytab_t)
+ 
+ type automount_lock_t;
+ files_lock_file(automount_lock_t)
+@@ -22,6 +22,9 @@ type automount_tmp_t;
+ files_tmp_file(automount_tmp_t)
+ files_mountpoint(automount_tmp_t)
+ 
++type automount_var_run_t;
++files_pid_file(automount_var_run_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -36,6 +39,8 @@ allow automount_t self:rawip_socket create_socket_perms;
+ 
+ can_exec(automount_t, automount_exec_t)
+ 
++allow automount_t automount_keytab_t:file read_file_perms;
++
+ allow automount_t automount_lock_t:file manage_file_perms;
+ files_lock_filetrans(automount_t, automount_lock_t, file)
+ 
+@@ -143,8 +148,9 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(automount, automount_t)
+ 	kerberos_read_config(automount_t)
++	kerberos_read_keytab(automount_t)
++	kerberos_use(automount_t)
+ 	kerberos_dontaudit_write_config(automount_t)
+ ')
+ 
+diff --git a/policy/modules/contrib/bind.if b/policy/modules/contrib/bind.if
+index 866a1e2..531a8f2 100644
+--- a/policy/modules/contrib/bind.if
++++ b/policy/modules/contrib/bind.if
+@@ -364,6 +364,7 @@ interface(`bind_admin',`
+ 		type named_t, named_tmp_t, named_log_t;
+ 		type named_cache_t, named_zone_t, named_initrc_exec_t;
+ 		type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
++		type named_keytab_t;
+ 	')
+ 
+ 	allow $1 { named_t ndc_t }:process { ptrace signal_perms };
+@@ -381,7 +382,7 @@ interface(`bind_admin',`
+ 	admin_pattern($1, named_log_t)
+ 
+ 	files_list_etc($1)
+-	admin_pattern($1, named_conf_t)
++	admin_pattern($1, { named_keytab_t named_conf_t })
+ 
+ 	files_list_var($1)
+ 	admin_pattern($1, { dnssec_t named_cache_t named_zone_t })
+diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
+index b01e493..1241123 100644
+--- a/policy/modules/contrib/bind.te
++++ b/policy/modules/contrib/bind.te
+@@ -1,4 +1,4 @@
+-policy_module(bind, 1.13.0)
++policy_module(bind, 1.13.1)
+ 
+ ########################################
+ #
+@@ -44,6 +44,9 @@ files_type(named_cache_t)
+ type named_initrc_exec_t;
+ init_script_file(named_initrc_exec_t)
+ 
++type named_keytab_t;
++files_type(named_keytab_t)
++
+ type named_log_t;
+ logging_log_file(named_log_t)
+ 
+@@ -84,7 +87,7 @@ read_lnk_files_pattern(named_t, named_conf_t, named_conf_t)
+ manage_files_pattern(named_t, named_cache_t, named_cache_t)
+ manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
+ 
+-can_exec(named_t, named_exec_t)
++allow named_t named_keytab_t:file read_file_perms;
+ 
+ append_files_pattern(named_t, named_log_t, named_log_t)
+ create_files_pattern(named_t, named_log_t, named_log_t)
+@@ -100,6 +103,8 @@ manage_files_pattern(named_t, named_var_run_t, named_var_run_t)
+ manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t)
+ files_pid_filetrans(named_t, named_var_run_t, { dir file sock_file })
+ 
++can_exec(named_t, named_exec_t)
++
+ allow named_t named_zone_t:dir list_dir_perms;
+ read_files_pattern(named_t, named_zone_t, named_zone_t)
+ read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
+@@ -182,7 +187,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(named, named_t)
++	kerberos_read_keytab(named_t)
++	kerberos_use(named_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
+index d865049..41bb279 100644
+--- a/policy/modules/contrib/cron.te
++++ b/policy/modules/contrib/cron.te
+@@ -1,4 +1,4 @@
+-policy_module(cron, 2.6.0)
++policy_module(cron, 2.6.1)
+ 
+ gen_require(`
+ 	class passwd rootok;
+@@ -701,22 +701,22 @@ optional_policy(`
+ # Unconfined local policy
+ #
+ 
+-optional_policy(`
+-	type unconfined_cronjob_t;
+-	domain_type(unconfined_cronjob_t)
+-	domain_cron_exemption_target(unconfined_cronjob_t)
++type unconfined_cronjob_t;
++domain_type(unconfined_cronjob_t)
++domain_cron_exemption_target(unconfined_cronjob_t)
+ 
+-	dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
++dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
+ 
+-	unconfined_domain(unconfined_cronjob_t)
++tunable_policy(`cron_userdomain_transition',`
++	dontaudit crond_t unconfined_cronjob_t:process transition;
++	dontaudit crond_t unconfined_cronjob_t:fd use;
++	dontaudit crond_t unconfined_cronjob_t:key manage_key_perms;
++',`
++	allow crond_t unconfined_cronjob_t:process transition;
++	allow crond_t unconfined_cronjob_t:fd use;
++	allow crond_t unconfined_cronjob_t:key manage_key_perms;
++')
+ 
+-	tunable_policy(`cron_userdomain_transition',`
+-		dontaudit crond_t unconfined_cronjob_t:process transition;
+-		dontaudit crond_t unconfined_cronjob_t:fd use;
+-		dontaudit crond_t unconfined_cronjob_t:key manage_key_perms;
+-	',`
+-		allow crond_t unconfined_cronjob_t:process transition;
+-		allow crond_t unconfined_cronjob_t:fd use;
+-		allow crond_t unconfined_cronjob_t:key manage_key_perms;
+-	')
++optional_policy(`
++	unconfined_domain(unconfined_cronjob_t)
+ ')
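
Review bot: with the type declaration and the tunable_policy block hoisted out of optional_policy, the else branch now always grants crond_t "process transition", "fd use" and "key manage_key_perms" on unconfined_cronjob_t, including in builds where the unconfined module is absent and only unconfined_domain(unconfined_cronjob_t) is skipped. Please confirm this is the intended result for a Buildroot target built without the unconfined module, and note in the Buildroot patch header that this is carried for the monolithic build so it can be dropped on the next refpolicy bump.
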
+diff --git a/policy/modules/contrib/cvs.if b/policy/modules/contrib/cvs.if
+index 9fa7ffb..64775fd 100644
+--- a/policy/modules/contrib/cvs.if
++++ b/policy/modules/contrib/cvs.if
+@@ -59,7 +59,7 @@ interface(`cvs_exec',`
+ interface(`cvs_admin',`
+ 	gen_require(`
+ 		type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
+-		type cvs_data_t, cvs_var_run_t;
++		type cvs_data_t, cvs_var_run_t, cvs_keytab_t;
+ 	')
+ 
+ 	allow $1 cvs_t:process { ptrace signal_perms };
+@@ -70,6 +70,9 @@ interface(`cvs_admin',`
+ 	role_transition $2 cvs_initrc_exec_t system_r;
+ 	allow $2 system_r;
+ 
++	files_search_etc($1)
++	admin_pattern($1, cvs_keytab_t)
++
+ 	files_list_tmp($1)
+ 	admin_pattern($1, cvs_tmp_t)
+ 
+diff --git a/policy/modules/contrib/cvs.te b/policy/modules/contrib/cvs.te
+index 6c544e5..17df324 100644
+--- a/policy/modules/contrib/cvs.te
++++ b/policy/modules/contrib/cvs.te
+@@ -1,4 +1,4 @@
+-policy_module(cvs, 1.10.0)
++policy_module(cvs, 1.10.1)
+ 
+ ########################################
+ #
+@@ -24,6 +24,9 @@ files_type(cvs_data_t)
+ type cvs_initrc_exec_t;
+ init_script_file(cvs_initrc_exec_t)
+ 
++type cvs_keytab_t;
++files_type(cvs_keytab_t)
++
+ type cvs_tmp_t;
+ files_tmp_file(cvs_tmp_t)
+ 
+@@ -44,6 +47,8 @@ manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
+ manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
+ manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
+ 
++allow cvs_t cvs_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t)
+ manage_files_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(cvs_t, cvs_tmp_t, { dir file })
+@@ -87,8 +92,9 @@ tunable_policy(`allow_cvs_read_shadow',`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(cvs, cvs_t)
+ 	kerberos_read_config(cvs_t)
++	kerberos_read_keytab(cvs_t)
++	kerberos_use(cvs_t)
+ 	kerberos_dontaudit_write_config(cvs_t)
+ ')
+ 
+diff --git a/policy/modules/contrib/cyrus.if b/policy/modules/contrib/cyrus.if
+index 6508280..83bfda6 100644
+--- a/policy/modules/contrib/cyrus.if
++++ b/policy/modules/contrib/cyrus.if
+@@ -61,6 +61,7 @@ interface(`cyrus_admin',`
+ 	gen_require(`
+ 		type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t;
+ 		type cyrus_var_run_t, cyrus_initrc_exec_t;
++		type cyrus_keytab_t;
+ 	')
+ 
+ 	allow $1 cyrus_t:process { ptrace signal_perms };
+@@ -71,6 +72,9 @@ interface(`cyrus_admin',`
+ 	role_transition $2 cyrus_initrc_exec_t system_r;
+ 	allow $2 system_r;
+ 
++	files_list_etc($1)
++	admin_pattern($1, cyrus_keytab_t)
++
+ 	files_list_tmp($1)
+ 	admin_pattern($1, cyrus_tmp_t)
+ 
+diff --git a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te
+index 0cef3ef..4283f2d 100644
+--- a/policy/modules/contrib/cyrus.te
++++ b/policy/modules/contrib/cyrus.te
+@@ -1,4 +1,4 @@
+-policy_module(cyrus, 1.13.0)
++policy_module(cyrus, 1.13.1)
+ 
+ ########################################
+ #
+@@ -12,6 +12,9 @@ init_daemon_domain(cyrus_t, cyrus_exec_t)
+ type cyrus_initrc_exec_t;
+ init_script_file(cyrus_initrc_exec_t)
+ 
++type cyrus_keytab_t;
++files_type(cyrus_keytab_t)
++
+ type cyrus_tmp_t;
+ files_tmp_file(cyrus_tmp_t)
+ 
+@@ -41,6 +44,8 @@ allow cyrus_t self:unix_dgram_socket sendto;
+ allow cyrus_t self:unix_stream_socket { accept connectto listen };
+ allow cyrus_t self:tcp_socket { accept listen };
+ 
++allow cyrus_t cyrus_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t)
+ manage_files_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t)
+ files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { dir file })
+@@ -116,7 +121,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(cyrus, cyrus_t)
++	kerberos_read_keytab(cyrus_t)
++	kerberos_use(cyrus_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/dovecot.if b/policy/modules/contrib/dovecot.if
+index dbcac59..d5badb7 100644
+--- a/policy/modules/contrib/dovecot.if
++++ b/policy/modules/contrib/dovecot.if
+@@ -143,6 +143,7 @@ interface(`dovecot_admin',`
+ 		type dovecot_spool_t, dovecot_var_lib_t, dovecot_initrc_exec_t;
+ 		type dovecot_var_run_t, dovecot_cert_t, dovecot_passwd_t;
+ 		type dovecot_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t;
++		type dovecot_keytab_t;
+ 	')
+ 
+ 	allow $1 dovecot_t:process { ptrace signal_perms };
+@@ -154,7 +155,7 @@ interface(`dovecot_admin',`
+ 	allow $2 system_r;
+ 
+ 	files_list_etc($1)
+-	admin_pattern($1, dovecot_etc_t)
++	admin_pattern($1, { dovecot_keytab_t dovecot_etc_t })
+ 
+ 	logging_list_logs($1)
+ 	admin_pattern($1, dovecot_var_log_t)
+diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
+index 3a6e733..0aabc7e 100644
+--- a/policy/modules/contrib/dovecot.te
++++ b/policy/modules/contrib/dovecot.te
+@@ -1,4 +1,4 @@
+-policy_module(dovecot, 1.16.0)
++policy_module(dovecot, 1.16.1)
+ 
+ ########################################
+ #
+@@ -38,6 +38,9 @@ files_config_file(dovecot_etc_t)
+ type dovecot_initrc_exec_t;
+ init_script_file(dovecot_initrc_exec_t)
+ 
++type dovecot_keytab_t;
++files_type(dovecot_keytab_t)
++
+ type dovecot_passwd_t;
+ files_type(dovecot_passwd_t)
+ 
+@@ -99,6 +102,8 @@ allow dovecot_t dovecot_cert_t:dir list_dir_perms;
+ allow dovecot_t dovecot_cert_t:file read_file_perms;
+ allow dovecot_t dovecot_cert_t:lnk_file read_lnk_file_perms;
+ 
++allow dovecot_t dovecot_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
+ manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
+ files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
+@@ -182,9 +187,10 @@ tunable_policy(`use_samba_home_dirs',`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(dovecot, dovecot_t)
+ 	kerberos_manage_host_rcache(dovecot_t)
++	kerberos_read_keytab(dovecot_t)
+ 	kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0")
++	kerberos_use(dovecot_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/exim.if b/policy/modules/contrib/exim.if
+index 6041113..94a8269 100644
+--- a/policy/modules/contrib/exim.if
++++ b/policy/modules/contrib/exim.if
+@@ -244,6 +244,7 @@ interface(`exim_admin',`
+ 	gen_require(`
+ 		type exim_t, exim_spool_t, exim_log_t;
+ 		type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t;
++		type exim_keytab_t;
+ 	')
+ 
+ 	allow $1 exim_t:process { ptrace signal_perms };
+@@ -254,6 +255,9 @@ interface(`exim_admin',`
+ 	role_transition $2 exim_initrc_exec_t system_r;
+ 	allow $2 system_r;
+ 
++	files_search_etc($1)
++	admin_pattern($1, exim_keytab_t)
++
+ 	files_search_spool($1)
+ 	admin_pattern($1, exim_spool_t)
+ 
+diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
+index c9c04ee..7e8cf42 100644
+--- a/policy/modules/contrib/exim.te
++++ b/policy/modules/contrib/exim.te
+@@ -1,4 +1,4 @@
+-policy_module(exim, 1.6.0)
++policy_module(exim, 1.6.1)
+ 
+ ########################################
+ #
+@@ -45,6 +45,9 @@ mta_agent_executable(exim_exec_t)
+ type exim_initrc_exec_t;
+ init_script_file(exim_initrc_exec_t)
+ 
++type exim_keytab_t;
++files_type(exim_keytab_t)
++
+ type exim_log_t;
+ logging_log_file(exim_log_t)
+ 
+@@ -68,6 +71,8 @@ allow exim_t self:fifo_file rw_fifo_file_perms;
+ allow exim_t self:unix_stream_socket { accept listen };
+ allow exim_t self:tcp_socket { accept listen };
+ 
++allow exim_t exim_keytab_t:file read_file_perms;
++
+ append_files_pattern(exim_t, exim_log_t, exim_log_t)
+ create_files_pattern(exim_t, exim_log_t, exim_log_t)
+ setattr_files_pattern(exim_t, exim_log_t, exim_log_t)
+@@ -188,7 +193,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(exim, exim_t)
++	kerberos_read_keytab(exim_t)
++	kerberos_use(exim_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/ftp.if b/policy/modules/contrib/ftp.if
+index d062080..4498143 100644
+--- a/policy/modules/contrib/ftp.if
++++ b/policy/modules/contrib/ftp.if
+@@ -176,6 +176,7 @@ interface(`ftp_admin',`
+ 		type ftpd_etc_t, ftpd_lock_t, sftpd_t;
+ 		type ftpd_var_run_t, xferlog_t, anon_sftpd_t;
+ 		type ftpd_initrc_exec_t, ftpdctl_tmp_t;
++		type ftpd_keytab_t;
+ 	')
+ 
+ 	allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms };
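
Review bot: the unchanged context line after this hunk lists "anon_sftpd" in the allow rule, while the gen_require block just above declares "anon_sftpd_t". The patch does not touch that line, but since Buildroot is now carrying this file in a local patch it is worth checking whether ftp_admin() still references an undeclared type and reporting it upstream if so.
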
+@@ -192,7 +193,7 @@ interface(`ftp_admin',`
+ 	admin_pattern($1, { ftpd_tmp_t ftpdctl_tmp_t })
+ 
+ 	files_list_etc($1)
+-	admin_pattern($1, ftpd_etc_t)
++	admin_pattern($1, { ftpd_etc_t ftpd_keytab_t })
+ 
+ 	files_list_var($1)
+ 	admin_pattern($1, ftpd_lock_t)
+diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
+index 544c512..36838c2 100644
+--- a/policy/modules/contrib/ftp.te
++++ b/policy/modules/contrib/ftp.te
+@@ -1,4 +1,4 @@
+-policy_module(ftp, 1.15.0)
++policy_module(ftp, 1.15.1)
+ 
+ ########################################
+ #
+@@ -124,6 +124,9 @@ files_config_file(ftpd_etc_t)
+ type ftpd_initrc_exec_t;
+ init_script_file(ftpd_initrc_exec_t)
+ 
++type ftpd_keytab_t;
++files_type(ftpd_keytab_t)
++
+ type ftpd_lock_t;
+ files_lock_file(ftpd_lock_t)
+ 
+@@ -176,6 +179,8 @@ allow ftpd_t self:key manage_key_perms;
+ 
+ allow ftpd_t ftpd_etc_t:file read_file_perms;
+ 
++allow ftpd_t ftpd_keytab_t:file read_file_perms;
++
+ allow ftpd_t ftpd_lock_t:file manage_file_perms;
+ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
+ 
+@@ -359,8 +364,9 @@ optional_policy(`
+ optional_policy(`
+ 	selinux_validate_context(ftpd_t)
+ 
+-	kerberos_keytab_template(ftpd, ftpd_t)
++	kerberos_read_keytab(ftpd_t)
+ 	kerberos_tmp_filetrans_host_rcache(ftpd_t, file, "host_0")
++	kerberos_use(ftpd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if
+index f9de9fc..f6c00d8 100644
+--- a/policy/modules/contrib/kerberos.if
++++ b/policy/modules/contrib/kerberos.if
+@@ -354,22 +354,7 @@ interface(`kerberos_etc_filetrans_keytab',`
+ ## </param>
+ #
+ template(`kerberos_keytab_template',`
+-
+-	########################################
+-	#
+-	# Declarations
+-	#
+-
+-	type $1_keytab_t;
+-	files_type($1_keytab_t)
+-
+-	########################################
+-	#
+-	# Policy
+-	#
+-
+-	allow $2 $1_keytab_t:file read_file_perms;
+-
++	refpolicywarn(`$0($*) has been deprecated.')
+ 	kerberos_read_keytab($2)
+ 	kerberos_use($2)
+ ')
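Review bot: After this change `kerberos_keytab_template` no longer declares `$1_keytab_t` or the `allow $2 $1_keytab_t:file read_file_perms;` rule, so a caller not converted in this patch gets only a warning and loses its private keytab type. The `refpolicywarn` text should name the replacement (declare the type in the calling module, then call `kerberos_read_keytab` and `kerberos_use`), and the interface's `##` documentation block above should be marked deprecated too.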
+diff --git a/policy/modules/contrib/ldap.if b/policy/modules/contrib/ldap.if
+index de2508e..7f09b4a 100644
+--- a/policy/modules/contrib/ldap.if
++++ b/policy/modules/contrib/ldap.if
+@@ -116,7 +116,7 @@ interface(`ldap_admin',`
+ 		type slapd_t, slapd_tmp_t, slapd_replog_t;
+ 		type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
+ 		type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t;
+-		type slapd_db_t;
++		type slapd_db_t, slapd_keytab_t;
+ 	')
+ 
+ 	allow $1 slapd_t:process { ptrace signal_perms };
+@@ -128,7 +128,7 @@ interface(`ldap_admin',`
+ 	allow $2 system_r;
+ 
+ 	files_list_etc($1)
+-	admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t })
++	admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t })
+ 
+ 	files_list_locks($1)
+ 	admin_pattern($1, slapd_lock_t)
+diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
+index 71b00f8..131dc88 100644
+--- a/policy/modules/contrib/ldap.te
++++ b/policy/modules/contrib/ldap.te
+@@ -1,4 +1,4 @@
+-policy_module(ldap, 1.11.0)
++policy_module(ldap, 1.11.1)
+ 
+ ########################################
+ #
+@@ -21,6 +21,9 @@ files_config_file(slapd_etc_t)
+ type slapd_initrc_exec_t;
+ init_script_file(slapd_initrc_exec_t)
+ 
++type slapd_keytab_t;
++files_type(slapd_keytab_t)
++
+ type slapd_lock_t;
+ files_lock_file(slapd_lock_t)
+ 
+@@ -60,6 +63,8 @@ manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
+ 
+ allow slapd_t slapd_etc_t:file read_file_perms;
+ 
++allow slapd_t slapd_keytab_t:file read_file_perms;
++
+ allow slapd_t slapd_lock_t:file manage_file_perms;
+ files_lock_filetrans(slapd_t, slapd_lock_t, file)
+ 
+@@ -131,11 +136,12 @@ ifdef(`distro_gentoo',`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(slapd, slapd_t)
+ 	kerberos_manage_host_rcache(slapd_t)
++	kerberos_read_keytab(slapd_t)
+ 	kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldapmap1_0")
+ 	kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_487")
+ 	kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_55")
++	kerberos_use(slapd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if
+index 6e26d71..8e7d1e7 100644
+--- a/policy/modules/contrib/postfix.if
++++ b/policy/modules/contrib/postfix.if
+@@ -714,6 +714,7 @@ interface(`postfix_admin',`
+ 		type postfix_initrc_exec_t, postfix_prng_t, postfix_etc_t;
+ 		type postfix_data_t, postfix_var_run_t, postfix_public_t;
+ 		type postfix_private_t, postfix_map_tmp_t, postfix_exec_t;
++		type postfix_keytab_t;
+ 	')
+ 
+ 	allow $1 postfix_domain:process { ptrace signal_perms };
+@@ -725,7 +726,7 @@ interface(`postfix_admin',`
+ 	allow $2 system_r;
+ 
+ 	files_search_etc($1)
+-	admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t })
++	admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t postfix_keytab_t })
+ 
+ 	files_search_spool($1)
+ 	admin_pattern($1, { postfix_public_t postfix_private_t postfix_spool_type })
+diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
+index 0cb7938..dd7259f 100644
+--- a/policy/modules/contrib/postfix.te
++++ b/policy/modules/contrib/postfix.te
+@@ -1,4 +1,4 @@
+-policy_module(postfix, 1.15.0)
++policy_module(postfix, 1.15.1)
+ 
+ ########################################
+ #
+@@ -36,6 +36,9 @@ files_config_file(postfix_etc_t)
+ type postfix_exec_t;
+ application_executable_file(postfix_exec_t)
+ 
++type postfix_keytab_t;
++files_type(postfix_keytab_t)
++
+ postfix_server_domain_template(local)
+ mta_mailserver_delivery(postfix_local_t)
+ 
+@@ -209,6 +212,8 @@ allow postfix_master_t postfix_etc_t:file rw_file_perms;
+ allow postfix_master_t postfix_data_t:dir manage_dir_perms;
+ allow postfix_master_t postfix_data_t:file manage_file_perms;
+ 
++allow postfix_master_t postfix_keytab_t:file read_file_perms;
++
+ allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
+ 
+ allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms;
+@@ -314,7 +319,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(postfix, postfix_t)
++	kerberos_read_keytab(postfix_master_t)
++	kerberos_use(postfix_master_t)
+ ')
+ 
+ optional_policy(`
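Review bot: The replacement calls are made for `postfix_master_t`, but the removed line was `kerberos_keytab_template(postfix, postfix_t)`, so the domain that receives keytab access changes along with the refactor. The other modules visible in this patch keep the domain they had before; if the switch to `postfix_master_t` is intentional, state it in the commit message, since it changes which process may read `postfix_keytab_t`.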
+diff --git a/policy/modules/contrib/procmail.te b/policy/modules/contrib/procmail.te
+index fbbc398..cc426e6 100644
+--- a/policy/modules/contrib/procmail.te
++++ b/policy/modules/contrib/procmail.te
+@@ -1,4 +1,4 @@
+-policy_module(procmail, 1.13.0)
++policy_module(procmail, 1.13.1)
+ 
+ ########################################
+ #
+@@ -122,7 +122,7 @@ optional_policy(`
+ 	postfix_read_spool_files(procmail_t)
+ 	postfix_read_local_state(procmail_t)
+ 	postfix_read_master_state(procmail_t)
+-	postfix_rw_master_pipes(procmail_t)
++	postfix_rw_inherited_master_pipes(procmail_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/qmail.te b/policy/modules/contrib/qmail.te
+index 83cccf9..8742944 100644
+--- a/policy/modules/contrib/qmail.te
++++ b/policy/modules/contrib/qmail.te
+@@ -1,4 +1,4 @@
+-policy_module(qmail, 1.6.0)
++policy_module(qmail, 1.6.1)
+ 
+ ########################################
+ #
+@@ -42,6 +42,9 @@ qmail_child_domain_template(qmail_send, qmail_start_t)
+ qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)
+ qmail_child_domain_template(qmail_splogger, qmail_start_t)
+ 
++type qmail_keytab_t;
++files_type(qmail_keytab_t)
++
+ type qmail_spool_t;
+ files_type(qmail_spool_t)
+ 
+@@ -241,6 +244,8 @@ allow qmail_smtpd_t self:process signal_perms;
+ allow qmail_smtpd_t self:fifo_file write_fifo_file_perms;
+ allow qmail_smtpd_t self:tcp_socket create_socket_perms;
+ 
++allow qmail_smtpd_t qmail_keytab_t:file read_file_perms;
++
+ allow qmail_smtpd_t qmail_queue_exec_t:file read_file_perms;
+ 
+ dev_read_rand(qmail_smtpd_t)
+@@ -253,7 +258,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(qmail, qmail_smtpd_t)
++	kerberos_read_keytab(qmail_smtpd_t)
++	kerberos_use(qmail_smtpd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/rlogin.te b/policy/modules/contrib/rlogin.te
+index 20696cc..5916f81 100644
+--- a/policy/modules/contrib/rlogin.te
++++ b/policy/modules/contrib/rlogin.te
+@@ -1,4 +1,4 @@
+-policy_module(rlogin, 1.11.0)
++policy_module(rlogin, 1.11.1)
+ 
+ ########################################
+ #
+@@ -16,6 +16,9 @@ term_login_pty(rlogind_devpts_t)
+ type rlogind_home_t;
+ userdom_user_home_content(rlogind_home_t)
+ 
++type rlogind_keytab_t;
++files_type(rlogind_keytab_t)
++
+ type rlogind_tmp_t;
+ files_tmp_file(rlogind_tmp_t)
+ 
+@@ -37,6 +40,8 @@ term_create_pty(rlogind_t, rlogind_devpts_t)
+ 
+ allow rlogind_t rlogind_home_t:file read_file_perms;
+ 
++allow rlogind_t rlogind_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
+ manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
+ files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { dir file })
+@@ -98,9 +103,10 @@ tunable_policy(`use_samba_home_dirs',`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(rlogind, rlogind_t)
++	kerberos_read_keytab(rlogind_t)
+ 	kerberos_tmp_filetrans_host_rcache(rlogind_t, file, "host_0")
+ 	kerberos_manage_host_rcache(rlogind_t)
++	kerberos_use(rlogind_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/rpc.if b/policy/modules/contrib/rpc.if
+index 07f5eb0..157afd9 100644
+--- a/policy/modules/contrib/rpc.if
++++ b/policy/modules/contrib/rpc.if
+@@ -394,7 +394,7 @@ interface(`rpc_admin',`
+ 		attribute rpc_domain;
+ 		type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
+ 		type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
+-		type nfsd_ro_t, nfsd_rw_t;
++		type nfsd_ro_t, nfsd_rw_t, gssd_keytab_t;
+ 	')
+ 
+ 	allow $1 rpc_domain:process { ptrace signal_perms };
+@@ -406,7 +406,7 @@ interface(`rpc_admin',`
+  	allow $2 system_r;
+ 
+ 	files_list_etc($1)
+-	admin_pattern($1, exports_t)
++	admin_pattern($1, { gssd_keytab_t exports_t })
+ 
+ 	files_list_var_lib($1)
+ 	admin_pattern($1, var_lib_nfs_t)
+diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
+index 1e6b44d..a8de8bd 100644
+--- a/policy/modules/contrib/rpc.te
++++ b/policy/modules/contrib/rpc.te
+@@ -1,4 +1,4 @@
+-policy_module(rpc, 1.15.0)
++policy_module(rpc, 1.15.1)
+ 
+ ########################################
+ #
+@@ -30,6 +30,9 @@ files_config_file(exports_t)
+ 
+ rpc_domain_template(gssd)
+ 
++type gssd_keytab_t;
++files_type(gssd_keytab_t)
++
+ type gssd_tmp_t;
+ files_tmp_file(gssd_tmp_t)
+ 
+@@ -271,6 +274,8 @@ allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
+ allow gssd_t self:process { getsched setsched };
+ allow gssd_t self:fifo_file rw_fifo_file_perms;
+ 
++allow gssd_t gssd_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+ manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+ files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
+@@ -309,9 +314,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(gssd, gssd_t)
+ 	kerberos_manage_host_rcache(gssd_t)
++	kerberos_read_keytab(gssd_t)
+ 	kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
++	kerberos_use(gssd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/rshd.te b/policy/modules/contrib/rshd.te
+index 575e3e3..864e089 100644
+--- a/policy/modules/contrib/rshd.te
++++ b/policy/modules/contrib/rshd.te
+@@ -1,4 +1,4 @@
+-policy_module(rshd, 1.8.0)
++policy_module(rshd, 1.8.1)
+ 
+ ########################################
+ #
+@@ -10,6 +10,9 @@ type rshd_exec_t;
+ auth_login_pgm_domain(rshd_t)
+ inetd_tcp_service_domain(rshd_t, rshd_exec_t)
+ 
++type rshd_keytab_t;
++files_type(rshd_keytab_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -20,6 +23,8 @@ allow rshd_t self:process { signal_perms setsched setpgid setexec };
+ allow rshd_t self:fifo_file rw_fifo_file_perms;
+ allow rshd_t self:tcp_socket create_stream_socket_perms;
+ 
++allow rshd_t rshd_keytab_t:file read_file_perms;
++
+ kernel_read_kernel_sysctls(rshd_t)
+ 
+ corenet_all_recvfrom_unlabeled(rshd_t)
+@@ -54,9 +59,10 @@ tunable_policy(`use_samba_home_dirs',`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(rshd, rshd_t)
+ 	kerberos_manage_host_rcache(rshd_t)
++	kerberos_read_keytab(rshd_t)
+ 	kerberos_tmp_filetrans_host_rcache(rshd_t, file, "host_0")
++	kerberos_use(rshd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/samba.if b/policy/modules/contrib/samba.if
+index aee75af..50d07fb 100644
+--- a/policy/modules/contrib/samba.if
++++ b/policy/modules/contrib/samba.if
+@@ -689,6 +689,7 @@ interface(`samba_admin',`
+ 		type samba_etc_t, samba_share_t, samba_initrc_exec_t;
+ 		type swat_var_run_t, swat_tmp_t, winbind_log_t;
+ 		type winbind_var_run_t, winbind_tmp_t;
++		type smbd_keytab_t;
+ 	')
+ 
+ 	allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms };
+@@ -700,7 +701,7 @@ interface(`samba_admin',`
+ 	allow $2 system_r;
+ 
+ 	files_list_etc($1)
+-	admin_pattern($1, samba_etc_t)
++	admin_pattern($1, { samba_etc_t smbd_keytab_t })
+ 
+ 	logging_list_logs($1)
+ 	admin_pattern($1, { samba_log_t winbind_log_t })
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 54b89a6..98daaef 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -1,4 +1,4 @@
+-policy_module(samba, 1.16.0)
++policy_module(samba, 1.16.1)
+ 
+ #################################
+ #
+@@ -142,6 +142,9 @@ type smbd_t;
+ type smbd_exec_t;
+ init_daemon_domain(smbd_t, smbd_exec_t)
+ 
++type smbd_keytab_t;
++files_type(smbd_keytab_t)
++
+ type smbd_tmp_t;
+ files_tmp_file(smbd_tmp_t)
+ 
+@@ -271,6 +274,8 @@ allow smbd_t { swat_t winbind_t smbcontrol_t nmbd_t }:process { signal signull }
+ 
+ allow smbd_t samba_etc_t:file { rw_file_perms setattr_file_perms };
+ 
++allow smbd_t smbd_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t)
+ append_files_pattern(smbd_t, samba_log_t, samba_log_t)
+ create_files_pattern(smbd_t, samba_log_t, samba_log_t)
+@@ -468,8 +473,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	kerberos_read_keytab(smbd_t)
+ 	kerberos_use(smbd_t)
+-	kerberos_keytab_template(smbd, smbd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/sasl.if b/policy/modules/contrib/sasl.if
+index b2f388a..8c3c151 100644
+--- a/policy/modules/contrib/sasl.if
++++ b/policy/modules/contrib/sasl.if
+@@ -39,6 +39,7 @@ interface(`sasl_connect',`
+ interface(`sasl_admin',`
+ 	gen_require(`
+ 		type saslauthd_t, saslauthd_var_run_t, saslauthd_initrc_exec_t;
++		type saslauthd_keytab_t;
+ 	')
+ 
+ 	allow $1 saslauthd_t:process { ptrace signal_perms };
+@@ -49,6 +50,9 @@ interface(`sasl_admin',`
+ 	role_transition $2 saslauthd_initrc_exec_t system_r;
+ 	allow $2 system_r;
+ 
++	files_list_etc($1)
++	admin_pattern($1, saslauthd_keytab_t)
++
+ 	files_list_pids($1)
+ 	admin_pattern($1, saslauthd_var_run_t)
+ ')
+diff --git a/policy/modules/contrib/sasl.te b/policy/modules/contrib/sasl.te
+index 20ebffb..6c3bc20 100644
+--- a/policy/modules/contrib/sasl.te
++++ b/policy/modules/contrib/sasl.te
+@@ -1,4 +1,4 @@
+-policy_module(sasl, 1.15.0)
++policy_module(sasl, 1.15.1)
+ 
+ ########################################
+ #
+@@ -20,6 +20,9 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t)
+ type saslauthd_initrc_exec_t;
+ init_script_file(saslauthd_initrc_exec_t)
+ 
++type saslauthd_keytab_t;
++files_type(saslauthd_keytab_t)
++
+ type saslauthd_var_run_t;
+ files_pid_file(saslauthd_var_run_t)
+ 
+@@ -34,6 +37,8 @@ allow saslauthd_t self:process { setsched signal_perms };
+ allow saslauthd_t self:fifo_file rw_fifo_file_perms;
+ allow saslauthd_t self:unix_stream_socket { accept listen };
+ 
++allow saslauthd_t saslauthd_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
+ manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
+ manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
+@@ -92,9 +97,10 @@ tunable_policy(`allow_saslauthd_read_shadow',`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(saslauthd, saslauthd_t)
++	kerberos_read_keytab(saslauthd_t)
+ 	kerberos_manage_host_rcache(saslauthd_t)
+ 	kerberos_tmp_filetrans_host_rcache(saslauthd_t, file, "host_0")
++	kerberos_use(saslauthd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/sendmail.if b/policy/modules/contrib/sendmail.if
+index 88e753f..35ad2a7 100644
+--- a/policy/modules/contrib/sendmail.if
++++ b/policy/modules/contrib/sendmail.if
+@@ -354,6 +354,7 @@ interface(`sendmail_admin',`
+ 	gen_require(`
+ 		type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t;
+ 		type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
++		type sendmail_keytab_t;
+ 	')
+ 
+ 	allow $1 { unconfined_sendmail_t sendmail_t }:process { ptrace signal_perms };
+@@ -363,6 +364,9 @@ interface(`sendmail_admin',`
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 sendmail_initrc_exec_t system_r;
+ 
++	files_list_etc($1)
++	admin_pattern($1, sendmail_keytab_t)
++
+ 	logging_list_logs($1)
+ 	admin_pattern($1, sendmail_log_t)
+ 
+diff --git a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te
+index 320db21..12700b4 100644
+--- a/policy/modules/contrib/sendmail.te
++++ b/policy/modules/contrib/sendmail.te
+@@ -1,4 +1,4 @@
+-policy_module(sendmail, 1.12.0)
++policy_module(sendmail, 1.12.1)
+ 
+ ########################################
+ #
+@@ -13,6 +13,9 @@ roleattribute system_r sendmail_unconfined_roles;
+ type sendmail_initrc_exec_t;
+ init_script_file(sendmail_initrc_exec_t)
+ 
++type sendmail_keytab_t;
++files_type(sendmail_keytab_t)
++
+ type sendmail_log_t;
+ logging_log_file(sendmail_log_t)
+ 
+@@ -43,6 +46,8 @@ allow sendmail_t self:fifo_file rw_fifo_file_perms;
+ allow sendmail_t self:unix_stream_socket { accept listen };
+ allow sendmail_t self:tcp_socket { accept listen };
+ 
++allow sendmail_t sendmail_keytab_t:file read_file_perms;
++
+ allow sendmail_t sendmail_log_t:dir setattr_dir_perms;
+ append_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
+ create_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
+@@ -154,7 +159,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(sendmail, sendmail_t)
++	kerberos_read_keytab(sendmail_t)
++	kerberos_use(sendmail_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
+index 02fba54..cc58e35 100644
+--- a/policy/modules/contrib/spamassassin.te
++++ b/policy/modules/contrib/spamassassin.te
+@@ -1,4 +1,4 @@
+-policy_module(spamassassin, 2.6.0)
++policy_module(spamassassin, 2.6.1)
+ 
+ ########################################
+ #
+@@ -262,7 +262,7 @@ optional_policy(`
+ 	postfix_domtrans_postdrop(spamc_t)
+ 	postfix_search_spool(spamc_t)
+ 	postfix_rw_local_pipes(spamc_t)
+-	postfix_rw_master_pipes(spamc_t)
++	postfix_rw_inherited_master_pipes(spamc_t)
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/contrib/telnet.te b/policy/modules/contrib/telnet.te
+index b9e2061..bcef8b5 100644
+--- a/policy/modules/contrib/telnet.te
++++ b/policy/modules/contrib/telnet.te
+@@ -1,4 +1,4 @@
+-policy_module(telnet, 1.11.0)
++policy_module(telnet, 1.11.1)
+ 
+ ########################################
+ #
+@@ -12,6 +12,9 @@ inetd_service_domain(telnetd_t, telnetd_exec_t)
+ type telnetd_devpts_t;
+ term_login_pty(telnetd_devpts_t)
+ 
++type telnetd_keytab_t;
++files_type(telnetd_keytab_t)
++
+ type telnetd_tmp_t;
+ files_tmp_file(telnetd_tmp_t)
+ 
+@@ -30,6 +33,8 @@ allow telnetd_t self:fifo_file rw_fifo_file_perms;
+ allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+ term_create_pty(telnetd_t, telnetd_devpts_t)
+ 
++allow telnetd_t telnetd_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
+ manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
+ files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
+@@ -85,9 +90,10 @@ tunable_policy(`use_samba_home_dirs',`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(telnetd, telnetd_t)
++	kerberos_read_keytab(telnetd_t)
+ 	kerberos_tmp_filetrans_host_rcache(telnetd_t, file, "host_0")
+ 	kerberos_manage_host_rcache(telnetd_t)
++	kerberos_use(telnetd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if
+index e30a42e..c8bc302 100644
+--- a/policy/modules/contrib/virt.if
++++ b/policy/modules/contrib/virt.if
+@@ -1148,7 +1148,7 @@ interface(`virt_admin',`
+ 		type virt_bridgehelper_t, virt_qmf_t, virt_var_lib_t;
+ 		type virt_var_run_t, virt_tmp_t, virt_log_t;
+ 		type virt_lock_t, svirt_var_run_t, virt_etc_rw_t;
+-		type virt_etc_t, svirt_cache_t;
++		type virt_etc_t, svirt_cache_t, virtd_keytab_t;
+ 	')
+ 
+ 	allow $1 { virt_domain svirt_lxc_domain virtd_t }:process { ptrace signal_perms };
+@@ -1168,7 +1168,7 @@ interface(`virt_admin',`
+ 	admin_pattern($1, { virt_tmp_type virt_tmp_t })
+ 
+ 	files_search_etc($1)
+-	admin_pattern($1, { virt_etc_t virt_etc_rw_t })
++	admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t })
+ 
+ 	logging_search_logs($1)
+ 	admin_pattern($1, virt_log_t)
+diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
+index 9230f0d..f2916f7 100644
+--- a/policy/modules/contrib/virt.te
++++ b/policy/modules/contrib/virt.te
+@@ -1,4 +1,4 @@
+-policy_module(virt, 1.7.0)
++policy_module(virt, 1.7.1)
+ 
+ ########################################
+ #
+@@ -142,6 +142,9 @@ domain_subj_id_change_exemption(virtd_t)
+ type virtd_initrc_exec_t;
+ init_script_file(virtd_initrc_exec_t)
+ 
++type virtd_keytab_t;
++files_type(virtd_keytab_t)
++
+ ifdef(`enable_mcs',`
+ 	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
+ ')
+@@ -438,6 +441,8 @@ manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
+ manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
+ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
+ 
++allow virtd_t virtd_keytab_t:file read_file_perms;
++
+ allow virtd_t svirt_var_run_t:file relabel_file_perms;
+ manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
+ manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
+@@ -700,7 +705,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(virtd, virtd_t)
++	kerberos_read_keytab(virtd_t)
++	kerberos_use(virtd_t)
+ ')
+ 
+ optional_policy(`
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
new file mode 100644
index 0000000..2b7b2b0
--- /dev/null
+++ b/package/refpolicy/refpolicy.mk
@@ -0,0 +1,80 @@
+################################################################################
+#
+# refpolicy
+#
+################################################################################
+
+REFPOLICY_VERSION = 2.20130424
+REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2
+REFPOLICY_SITE = http://oss.tresys.com/files/refpolicy/
+REFPOLICY_LICENSE = GPLv2
+REFPOLICY_LICENSE_FILES = COPYING
+
+# Cannot use multiple threads to build the reference policy
+REFPOLICY_MAKE = $(TARGET_MAKE_ENV) $(MAKE1)
+
+REFPOLICY_DEPENDENCIES = host-m4 host-checkpolicy host-policycoreutils \
+	host-setools host-python-pyxml policycoreutils
+
+REFPOLICY_INSTALL_STAGING = YES
+
+# To apply board specific customizations, create a refpolicy folder in
+# BR2_GLOBAL_PATCH_DIR.  These patches will be applied after the patches
+# in package/refpolicy
+
+# Pointing to the host compiler to build a sort application during the build.
+# The host compiler tools are not used for any part of the refpolicy build.
+# Note, the TEST_TOOLCHAIN option will also set the
+# LD_LIBRARY_PATH at run time.
+REFPOLICY_MAKE_CMDS = $(HOST_CONFIGURE_OPTS) \
+	TEST_TOOLCHAIN="$(HOST_DIR)"
+
+ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)
+	BR2_PACKAGE_REFPOLICY_MONOLITHIC = n
+else
+	BR2_PACKAGE_REFPOLICY_MONOLITHIC = y
+endif
+
+define REFPOLICY_CONFIGURE_CMDS
+	$(REFPOLICY_MAKE) -C $(@D) bare $(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
+	$(SED) "/TYPE/c\TYPE = $(BR2_PACKAGE_REFPOLICY_TYPE)" $(@D)/build.conf
+	$(SED) "/MONOLITHIC/c\MONOLITHIC = $(BR2_PACKAGE_REFPOLICY_MONOLITHIC)" $(@D)/build.conf
+	$(REFPOLICY_MAKE) -C $(@D) conf $(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
+endef
+
+define REFPOLICY_BUILD_CMDS
+	$(REFPOLICY_MAKE) -C $(@D) $(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
+endef
+
+define REFPOLICY_CLEAN_CMDS
+	$(REFPOLICY_MAKE) -C $(@D) clean $(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
+endef
+
+define REFPOLICY_INSTALL_STAGING_CMDS
+	$(REFPOLICY_MAKE) -C $(@D) install-src install-headers install-docs \
+		$(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
+endef
+
+define REFPOLICY_INSTALL_TARGET_CMDS
+	$(REFPOLICY_MAKE) -C $(@D) install $(REFPOLICY_MAKE_CMDS) DESTDIR=$(TARGET_DIR)
+	$(INSTALL) -m 0755 -D package/refpolicy/config $(TARGET_DIR)/etc/selinux/config
+	$(SED) "/^SELINUXTYPE/c\SELINUXTYPE=$(BR2_PACKAGE_REFPOLICY_NAME)" \
+		$(TARGET_DIR)/etc/selinux/config
+endef
+
+define REFPOLICY_INSTALL_INIT_SYSV
+	$(INSTALL) -m 0755 -D package/refpolicy/S12selinux \
+		$(TARGET_DIR)/etc/init.d/S12selinux
+endef
+
+define REFPOLICY_POLICY_COMPILE
+	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/policy
+	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/modules/active/modules
+	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/contexts/files
+	touch $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/contexts/files/file_contexts.local
+endef
+ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)
+	REFPOLICY_POST_INSTALL_TARGET_HOOKS += REFPOLICY_POLICY_COMPILE
+endif
+
+$(eval $(generic-package))
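Review bot: In REFPOLICY_INSTALL_TARGET_CMDS, `/etc/selinux/config` is installed with `-m 0755`; it is a plain configuration file and should be installed `0644`. Separately, the `ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)` block assigns `BR2_PACKAGE_REFPOLICY_MONOLITHIC` from inside the .mk file; the `BR2_` prefix belongs to Kconfig symbols, so a package-local variable name would avoid confusion, and the tab-indented assignments inside the conditional should be unindented.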
-- 
1.7.1

* [Buildroot] [PATCH v3 16/16] shadow: new package
  2013-09-25 19:32 [Buildroot] [PATCH v3 00/16] SELinux Buildroot Additions Clayton Shotwell
                   ` (14 preceding siblings ...)
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 15/16] refpolicy: " Clayton Shotwell
@ 2013-09-25 19:32 ` Clayton Shotwell
  2013-10-01 19:51 ` [Buildroot] [PATCH v3 00/16] SELinux Buildroot Additions Thomas Petazzoni
  16 siblings, 0 replies; 22+ messages in thread
From: Clayton Shotwell @ 2013-09-25 19:32 UTC (permalink / raw)
  To: buildroot


Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v2 -> v3:
  - Corrected spelling error.
Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format.

 package/Config.in        |    3 ++
 package/shadow/Config.in |   13 ++++++++++++
 package/shadow/shadow.mk |   49 ++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 65 insertions(+), 0 deletions(-)
 create mode 100644 package/shadow/Config.in
 create mode 100644 package/shadow/shadow.mk

diff --git a/package/Config.in b/package/Config.in
index dfe6dc1..e302759 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -941,6 +941,9 @@ source "package/lockfile-progs/Config.in"
 source "package/logrotate/Config.in"
 source "package/logsurfer/Config.in"
 source "package/screen/Config.in"
+if BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
+source "package/shadow/Config.in"
+endif
 source "package/sudo/Config.in"
 if BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
 source "package/time/Config.in"
diff --git a/package/shadow/Config.in b/package/shadow/Config.in
new file mode 100644
index 0000000..5692ac6
--- /dev/null
+++ b/package/shadow/Config.in
@@ -0,0 +1,13 @@
+config BR2_PACKAGE_SHADOW
+	bool "shadow"
+	help
+	  The shadow-utils package includes the necessary programs for
+	  converting UNIX password files to the shadow password format, plus
+	  programs for managing user and group accounts. The pwconv command
+	  converts passwords to the shadow password format. The pwunconv command
+	  unconverts shadow passwords and generates an npasswd file (a standard
+	  UNIX password file). The pwck command checks the integrity of password
+	  and shadow files. The lastlog command prints out the last login times
+	  for all users. The useradd, userdel, and usermod commands are used for
+	  managing user accounts. The groupadd, groupdel, and groupmod commands
+	  are used for managing group accounts.
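Review bot: This entry has no `select` or `depends on` lines, yet shadow.mk sets `SHADOW_DEPENDENCIES = acl attr busybox`; the Kconfig side should select (or depend on) the acl and attr packages so the option cannot be enabled without them. The help text is also missing the upstream URL as its last line, and several help lines run past the usual width.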
diff --git a/package/shadow/shadow.mk b/package/shadow/shadow.mk
new file mode 100644
index 0000000..32d3875
--- /dev/null
+++ b/package/shadow/shadow.mk
@@ -0,0 +1,49 @@
+################################################################################
+#
+# shadow
+#
+################################################################################
+
+SHADOW_VERSION = 4.1.5.1
+SHADOW_SOURCE = shadow-$(SHADOW_VERSION).tar.bz2
+SHADOW_SITE = http://pkg-shadow.alioth.debian.org/releases/
+SHADOW_LICENSE = BSD
+SHADOW_LICENSE_FILES = COPYING
+SHADOW_DEPENDENCIES = acl attr busybox
+
+SHADOW_INSTALL_STAGING = NO
+
+SHADOW_CONF_OPT = --disable-nls
+
+# Shadow configuration to support audit
+ifeq ($(BR2_PACKAGE_AUDIT),y)
+SHADOW_DEPENDENCIES += audit
+SHADOW_CONF_OPT += --with-audit=yes
+endif
+
+# Shadow with linux-pam support
+ifeq ($(BR2_PACKAGE_LINUX_PAM),y) 
+SHADOW_DEPENDENCIES += linux-pam
+SHADOW_CONF_OPT += --with-libpam=yes
+endif
+
+# Shadow with selinux support
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+SHADOW_DEPENDENCIES += libselinux libsemanage
+SHADOW_CONF_OPT += --with-selinux=yes
+endif
+
+# Comment out all config entries that conflict with using PAM
+define SHADOW_LOGIN_CONFIGURATION
+	for FUNCTION in FAIL_DELAY FAILLOG_ENAB LASTLOG_ENAB MAIL_CHECK_ENAB \
+		OBSCURE_CHECKS_ENAB PORTTIME_CHECKS_ENAB QUOTAS_ENAB CONSOLE MOTD_FILE \
+		FTMP_FILE NOLOGINS_FILE ENV_HZ PASS_MIN_LEN SU_WHEEL_ONLY CRACKLIB_DICTPATH \
+		PASS_CHANGE_TRIES PASS_ALWAYS_WARN CHFN_AUTH ENCRYPT_METHOD ENVIRON_FILE ; \
+	do \
+		sed -i "s/^$${FUNCTION}/# &/" $(TARGET_DIR)/etc/login.defs ; \
+	done
+endef
+
+SHADOW_POST_INSTALL_TARGET_HOOKS += SHADOW_LOGIN_CONFIGURATION
+
+$(eval $(autotools-package))
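Review bot: SHADOW_LOGIN_CONFIGURATION is registered as a post-install hook unconditionally, although its comment says it comments out entries that conflict with PAM. In a build without BR2_PACKAGE_LINUX_PAM it still disables `ENCRYPT_METHOD`, `PASS_MIN_LEN`, `OBSCURE_CHECKS_ENAB` and the rest in /etc/login.defs with nothing taking their place; move the `SHADOW_POST_INSTALL_TARGET_HOOKS +=` line inside the `ifeq ($(BR2_PACKAGE_LINUX_PAM),y)` block. The loop could also use `$(SED)` rather than a bare `sed -i`, as refpolicy.mk in this series does, and the `ifeq` line for linux-pam has trailing whitespace.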
-- 
1.7.1

* [Buildroot] [PATCH v3 10/16] libcgroup: new package
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 10/16] libcgroup: " Clayton Shotwell
@ 2013-10-01 19:48   ` Thomas Petazzoni
  2013-10-01 20:04     ` clshotwe at rockwellcollins.com
  0 siblings, 1 reply; 22+ messages in thread
From: Thomas Petazzoni @ 2013-10-01 19:48 UTC (permalink / raw)
  To: buildroot

Dear Clayton Shotwell,

On this one, we're almost ready to go. A few comments below.

On Wed, 25 Sep 2013 14:32:45 -0500, Clayton Shotwell wrote:

> diff --git a/package/libcgroup/Config.in b/package/libcgroup/Config.in
> new file mode 100644
> index 0000000..17d2db2
> --- /dev/null
> +++ b/package/libcgroup/Config.in
> @@ -0,0 +1,4 @@
> +config BR2_PACKAGE_LIBCGROUP
> +	bool "libcgroup"
> +	help
> +	  libcgroup is a library that abstracts the control group file system in Linux. 

I believe this line is slightly too long. Also, the upstream URL is
missing. It should probably be:

	  http://libcg.sourceforge.net/

> diff --git a/package/libcgroup/libcgroup.mk b/package/libcgroup/libcgroup.mk
> new file mode 100644
> index 0000000..06f1e60
> --- /dev/null
> +++ b/package/libcgroup/libcgroup.mk
> @@ -0,0 +1,38 @@
> +################################################################################
> +#
> +# libcgroup
> +#
> +################################################################################
> +
> +LIBCGROUP_VERSION = 0.38
> +LIBCGROUP_SOURCE = libcgroup-$(LIBCGROUP_VERSION).tar.bz2
> +LIBCGROUP_SITE = http://sourceforge.net/projects/libcg/files/latest/download
> +LIBCGROUP_LICENSE = LGPLv2.1
> +LIBCGROUP_LICENSE_FILES = COPYING
> +
> +LIBCGROUP_INSTALL_STAGING = YES
> +
> +# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h 
> +# large file support. See https://bugzilla.redhat.com/show_bug.cgi?id=574992 
> +# for more information.
> +LIBCGROUP_CONF_ENV = \
> +	CXXFLAGS+="-U_FILE_OFFSET_BITS" \
> +	CFLAGS+="-U_FILE_OFFSET_BITS"
> +
> +LIBCGROUP_CONF_OPT = \
> +	--disable-tools \
> +	--disable-daemon \
> +	--disable-initscript-install
> +
> +ifeq ($(BR2_PREFER_STATIC_LIB),y)
> +	LIBCGROUP_CONF_OPT += --enable-static --disable-shared
> +endif
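
Review bot: LIBCGROUP_SITE is set to the `files/latest/download` URL, which by its name follows whatever release is newest rather than LIBCGROUP_VERSION = 0.38, so the version is pinned but the download location is not. Since the archive is fetched as $(LIBCGROUP_SITE)/$(LIBCGROUP_SOURCE), the site should be the directory that actually holds libcgroup-0.38.tar.bz2, so that every build retrieves the same archive that the license information above was checked against. The two comment lines above LIBCGROUP_CONF_ENV also end in trailing whitespace.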

This part is not needed, as it is passed by the autotools
infrastructure already.

Maybe you want to resend just this patch with those fixes, so we can
get it merged quickly, independently of the other SELinux changes.

Thanks!

Thomas
-- 
Thomas Petazzoni, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com


* [Buildroot] [PATCH v3 00/16] SELinux Buildroot Additions
  2013-09-25 19:32 [Buildroot] [PATCH v3 00/16] SELinux Buildroot Additions Clayton Shotwell
                   ` (15 preceding siblings ...)
  2013-09-25 19:32 ` [Buildroot] [PATCH v3 16/16] shadow: " Clayton Shotwell
@ 2013-10-01 19:51 ` Thomas Petazzoni
  2013-10-01 20:32   ` clshotwe at rockwellcollins.com
  16 siblings, 1 reply; 22+ messages in thread
From: Thomas Petazzoni @ 2013-10-01 19:51 UTC (permalink / raw)
  To: buildroot

Dear Clayton Shotwell,

On Wed, 25 Sep 2013 14:32:35 -0500, Clayton Shotwell wrote:

> For this implementation, I have added a package hierarchy that will allow
> for both a debugging and a pared down release version.  The debugging
> version required Python support, and is therefore much larger while the
> release version does not.  To enable the release version, simply select
> the refpolicy package (BR2_PACKAGE_REFPOLICY) and it selects all of the 
> necessary packages to enable SELinux. For the debugging version, select
> the policycoreutils debugging configure option
> (BR2_PACKAGE_POLICYCOREUTILS_POLICY_DEBUGGING).  This will pull in Python
> and a bunch of other packages into the build to debug the SELinux policy 
> on target.  

I still don't quite understand when Python is needed exactly. For
example, in your PATCH 02/16 that adds the libselinux package, the
Python support is enabled as soon as the Python interpreter is enabled.

Is this libselinux Python stuff only needed to *debug* SELinux on the
target?

If so, then we clearly don't want to enable it as soon as Python is
enabled in the Buildroot configuration: a user can perfectly want a
Python interpreter to be installed on the target and to use SELinux,
but not to have the SELinux debugging stuff.

I'd really like to understand this point before moving on with those
packages.

Best regards,

Thomas
-- 
Thomas Petazzoni, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com


* [Buildroot] [PATCH v3 10/16] libcgroup: new package
  2013-10-01 19:48   ` Thomas Petazzoni
@ 2013-10-01 20:04     ` clshotwe at rockwellcollins.com
  2013-10-01 21:14       ` Thomas Petazzoni
  0 siblings, 1 reply; 22+ messages in thread
From: clshotwe at rockwellcollins.com @ 2013-10-01 20:04 UTC (permalink / raw)
  To: buildroot

Thomas,

Thomas Petazzoni <thomas.petazzoni@free-electrons.com> wrote on 10/01/2013 
02:48:53 PM:

> I believe this line is slightly too long. Also, the upstream URL is
> missing. It should probably be:
> 
>      http://libcg.sourceforge.net/

I can fix both of those.

> > diff --git a/package/libcgroup/libcgroup.mk 
b/package/libcgroup/libcgroup.mk
> > new file mode 100644
> > index 0000000..06f1e60
> > --- /dev/null
> > +++ b/package/libcgroup/libcgroup.mk
> > @@ -0,0 +1,38 @@
> > 
> 
+################################################################################
> > +#
> > +# libcgroup
> > +#
> > 
> 
+################################################################################
> > +
> > +LIBCGROUP_VERSION = 0.38
> > +LIBCGROUP_SOURCE = libcgroup-$(LIBCGROUP_VERSION).tar.bz2
> > +LIBCGROUP_SITE = http://sourceforge.net/projects/libcg/files/
> latest/download
> > +LIBCGROUP_LICENSE = LGPLv2.1
> > +LIBCGROUP_LICENSE_FILES = COPYING
> > +
> > +LIBCGROUP_INSTALL_STAGING = YES
> > +
> > +# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc 
fts.h 
> > +# large file support. See https://bugzilla.redhat.com/
> show_bug.cgi?id=574992 
> > +# for more information.
> > +LIBCGROUP_CONF_ENV = \
> > +   CXXFLAGS+="-U_FILE_OFFSET_BITS" \
> > +   CFLAGS+="-U_FILE_OFFSET_BITS"
> > +
> > +LIBCGROUP_CONF_OPT = \
> > +   --disable-tools \
> > +   --disable-daemon \
> > +   --disable-initscript-install
> > +
> > +ifeq ($(BR2_PREFER_STATIC_LIB),y)
> > +   LIBCGROUP_CONF_OPT += --enable-static --disable-shared
> > +endif
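
Review bot: in LIBCGROUP_CONF_ENV, `CFLAGS+="-U_FILE_OFFSET_BITS"` and the matching CXXFLAGS line rely on the shell's `+=` assignment, which is not POSIX and concatenates with no separating space, so the flag can end up glued to the last existing option. Spelling the full value out, for example `CFLAGS="$(TARGET_CFLAGS) -U_FILE_OFFSET_BITS"`, makes the result independent of the shell. The comment above it should also state which libcgroup source file pulls in fts.h, so the workaround can be dropped once the glibc issue it cites no longer applies.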
> 
> This part is not needed, as it is passed by the autotools
> infrastructure already.

I'll remove it.

> Maybe you want to resend just this patch with those fixes, so we can
> get it merged quickly, independently of the other SELinux changes.

Should I do that with all of the simple patches?

Thanks,
Clayton

Clayton Shotwell
Software Engineer
clshotwe at rockwellcollins.com
www.rockwellcollins.com 


* [Buildroot] [PATCH v3 00/16] SELinux Buildroot Additions
  2013-10-01 19:51 ` [Buildroot] [PATCH v3 00/16] SELinux Buildroot Additions Thomas Petazzoni
@ 2013-10-01 20:32   ` clshotwe at rockwellcollins.com
  0 siblings, 0 replies; 22+ messages in thread
From: clshotwe at rockwellcollins.com @ 2013-10-01 20:32 UTC (permalink / raw)
  To: buildroot

Thomas,

Thomas Petazzoni <thomas.petazzoni@free-electrons.com> wrote on 10/01/2013 
02:51:20 PM:

> > For this implementation, I have added a package hierarchy that will allow
> > for both a debugging and a pared down release version.  The debugging
> > version required Python support, and is therefore much larger while the
> > release version does not.  To enable the release version, simply select
> > the refpolicy package (BR2_PACKAGE_REFPOLICY) and it selects all of the
> > necessary packages to enable SELinux. For the debugging version, select
> > the policycoreutils debugging configure option
> > (BR2_PACKAGE_POLICYCOREUTILS_POLICY_DEBUGGING).  This will pull in Python
> > and a bunch of other packages into the build to debug the SELinux policy
> > on target.
> 
> I still don't quite understand when Python is needed exactly. For
> example, in your PATCH 02/16 that adds the libselinux package, the
> Python support is enabled as soon as the Python interpreter is enabled.
> 
> Is this libselinux Python stuff only needed to *debug* SELinux on the
> target?

That is correct.  The Python bindings are not used for standard system 
operation. The libselinux build creates the bindings that allow the 
audit2allow (part of the policycoreutils package) to analyze the SELinux 
audit logs and generate policy fixes. This is a very handy tool for 
creating fixes to the SELinux policy. 

> If so, then we clearly don't want to enable it as soon as Python is
> enabled in the Buildroot configuration: a user can perfectly want a
> Python interpreter to be installed on the target and to use SELinux,
> but not to have the SELinux debugging stuff.

There will not be many files added when Python is enabled.  I could also 
see somebody wanting to build a Python application that leverages the 
libselinux bindings (less likely). I can add back in the SELinux debugging 
handles to each of the packages to make it a configuration option. I 
removed that feature after the first revision. 

> I'd really like to understand this point before moving on with those
> packages.

Sounds like I really need to get that documentation completed.

Thanks,
Clayton

Clayton Shotwell
Software Engineer
clshotwe at rockwellcollins.com
www.rockwellcollins.com 
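
The log-to-policy step described in the message above, as an added example that is not part of this thread and is not audit2allow's own code: it parses AVC denial records and merges them into candidate allow rules. It uses only the Python standard library rather than the libselinux bindings; the sample records and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1380657600.101:41): avc:  denied  { read open } for  pid=312 comm="httpd" name="index.html" dev="mmcblk0p2" ino=1201 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1380657601.220:42): avc:  denied  { getattr } for  pid=312 comm="httpd" path="/var/www/index.html" dev="mmcblk0p2" ino=1201 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1380657602.330:43): avc:  granted  { search } for  pid=312 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1380657602.330:43): arch=40000028 syscall=5 success=no exit=-13
type=AVC msg=audit(1380657603.440:44): avc:  denied  { name_bind } for  pid=401 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: %r" % context)
    return parts[2]

def denials_to_rules(log_text):
    """Merge AVC denials into sorted 'allow' rules, one per (source, target, class)."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue  # skips granted AVCs and non-AVC records
        key = (context_type(match["scon"]), context_type(match["tcon"]), match["tclass"])
        merged[key].update(match["perms"].split())
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        perm_list = sorted(perms)
        body = perm_list[0] if len(perm_list) == 1 else "{ %s }" % " ".join(perm_list)
        rules.append("allow %s %s:%s %s;" % (src, tgt, tclass, body))
    return rules

if __name__ == "__main__":
    print("\n".join(denials_to_rules(SAMPLE_LOG)))
```

Rules produced this way are candidates to review, not fixes to load as-is: a denial such as httpd_t reading a var_t file often points to a mislabeled file, where relabeling is the narrower change than granting the access.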


* [Buildroot] [PATCH v3 10/16] libcgroup: new package
  2013-10-01 20:04     ` clshotwe at rockwellcollins.com
@ 2013-10-01 21:14       ` Thomas Petazzoni
  0 siblings, 0 replies; 22+ messages in thread
From: Thomas Petazzoni @ 2013-10-01 21:14 UTC (permalink / raw)
  To: buildroot

Clayton,

On Tue, 1 Oct 2013 15:04:47 -0500, clshotwe at rockwellcollins.com wrote:

> > Maybe you want to resend just this patch with those fixes, so we can
> > get it merged quickly, independently of the other SELinux changes.
> 
> Should I do that with all of the simple patches?

It's a matter of strategy. When a relatively simple patch is part of a
larger, more complicated patch series, then it is unlikely to get
committed until the entire patch series gets committed. So,
strategically speaking, you might want to progressively reduce the size
of your patch series by merging parts of it that are independent of the
rest of the series, but are needed for it. Your libcgroup package is a
good candidate :)

Best regards,

Thomas
-- 
Thomas Petazzoni, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com
