Buildroot Archive on lore.kernel.org
* [Buildroot] [ PATCH v4 00/20] SELinux Buildroot Additions
@ 2013-12-12 18:27 Clayton Shotwell
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 01/20] pcre: Add host build support Clayton Shotwell
                   ` (19 more replies)
  0 siblings, 20 replies; 27+ messages in thread
From: Clayton Shotwell @ 2013-12-12 18:27 UTC (permalink / raw)
  To: buildroot

This is round 4 for the SELinux package additions.
General changes for this round include:
  - Incorporating many changes from Thomas Petazzoni (Thanks again!).
  - Removal of clean make options.
  - Cleanup of the refpolicy build to rename the generated policy
    and limit the number of package policies that get built. More
    can be added in later.
  - Changed the audit startup script to launch before the logging
    script.
  - Cleaned up the dependencies on several packages.
  - Added busybox SELinux configuration options to enable SELinux
    support and also make all of the busybox applications stand-
    alone binaries rather than symlinks (work done by Thomas).
  - Added a basic x86 configuration that has SELinux enabled.

This round of changes enables SELinux to be built by enabling
BR2_PACKAGE_REFPOLICY and enabling the following kernel config
options:
	CONFIG_AUDIT
	CONFIG_SECURITY
	CONFIG_SECURITY_NETWORK
	CONFIG_SECURITY_SELINUX
	CONFIG_SECURITY_SELINUX_BOOTPARAM
	CONFIG_EXT2_FS_XATTR
	CONFIG_EXT2_FS_SECURITY

I have tested this version of the patches using a buildroot glibc
toolchain. The SELinux policy does not currently support most of
the Buildroot system but it is definitely a start. There will need to
be more customization work done in the future to get packages fully
supported.

Clayton Shotwell (17):
  pcre: Add host build support
  libselinux: new package
  ustr: new package
  bzip2: Add host build shared library installation
  libsemanage: new package
  checkpolicy: new package
  sepolgen: new package
  sqlite: Add host build support
  setools: new package
  python-pyparsing: Add host build option
  audit: new package
  policycoreutils: new package
  python-pyxml: new package
  refpolicy: new package
  shadow: new package
  refpolicy: Add busybox selections
  configs: Add SELinux x86 qemu config

Thomas Petazzoni (3):
  busybox: add option to install individual binaries
  busybox: add option to enable SELinux support
  busybox: ensure it finds pkg-config by setting PATH

 board/qemu/x86/linux-3.12-selinux.config           |   72 +
 configs/qemu_x86_selinux_defconfig                 |   27 +
 package/Config.in                                  |   15 +
 package/Config.in.host                             |    1 +
 package/audit/Config.in                            |   24 +
 package/audit/S01auditd                            |  172 +++
 ...it-0001-cross-compile-header-creation-fix.patch | 1424 ++++++++++++++++++++
 package/audit/audit-0002-remove-zos-plugin.patch   |   35 +
 package/audit/audit.mk                             |   61 +
 ...ags-strip-non-l-arguments-returned-by-pkg.patch |   28 +
 package/busybox/Config.in                          |    6 +
 package/busybox/busybox.mk                         |   33 +
 package/bzip2/bzip2.mk                             |    2 +
 package/checkpolicy/Config.in.host                 |   10 +
 package/checkpolicy/checkpolicy.mk                 |   26 +
 package/libselinux/Config.in                       |   29 +
 package/libselinux/libselinux.mk                   |   88 ++
 package/libsemanage/Config.in                      |   30 +
 .../libsemanage-0001-execption-lib-path-fix.patch  |   14 +
 package/libsemanage/libsemanage.mk                 |   72 +
 package/pcre/pcre.mk                               |    1 +
 package/policycoreutils/Config.in                  |   88 ++
 package/policycoreutils/S15restorecond             |   85 ++
 .../policycoreutils-0001-cross-compile-fixes.patch |  332 +++++
 package/policycoreutils/policycoreutils.mk         |  231 ++++
 package/python-pyparsing/python-pyparsing.mk       |   47 +-
 package/python-pyxml/Config.in                     |   11 +
 package/python-pyxml/python-xml.mk                 |   50 +
 package/refpolicy/Config.in                        |   74 +
 package/refpolicy/S12selinux                       |  137 ++
 package/refpolicy/config                           |    8 +
 package/refpolicy/modules.conf                     |  406 ++++++
 .../refpolicy-0001-gentoo-hardened-fixes.patch     | 1250 +++++++++++++++++
 package/refpolicy/refpolicy-0002-awk-fix.patch     |   37 +
 package/refpolicy/refpolicy.mk                     |   82 ++
 package/sepolgen/Config.in                         |   14 +
 package/sepolgen/sepolgen.mk                       |   31 +
 package/setools/Config.in                          |   33 +
 .../setools/setools-0001-cross-compile-fixes.patch |  121 ++
 .../setools-0002-swig-typedef-python-fixes.patch   | 1014 ++++++++++++++
 package/setools/setools.mk                         |   85 ++
 package/shadow/Config.in                           |   13 +
 package/shadow/shadow.mk                           |   50 +
 package/sqlite/sqlite.mk                           |    1 +
 package/ustr/Config.in                             |   11 +
 .../ustr-0001-cross-compile-modifications.patch    |  144 ++
 package/ustr/ustr.mk                               |   47 +
 47 files changed, 6559 insertions(+), 13 deletions(-)
 create mode 100644 board/qemu/x86/linux-3.12-selinux.config
 create mode 100644 configs/qemu_x86_selinux_defconfig
 create mode 100644 package/audit/Config.in
 create mode 100755 package/audit/S01auditd
 create mode 100644 package/audit/audit-0001-cross-compile-header-creation-fix.patch
 create mode 100644 package/audit/audit-0002-remove-zos-plugin.patch
 create mode 100644 package/audit/audit.mk
 create mode 100644 package/busybox/1.21.1/0004-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch
 create mode 100644 package/checkpolicy/Config.in.host
 create mode 100644 package/checkpolicy/checkpolicy.mk
 create mode 100644 package/libselinux/Config.in
 create mode 100644 package/libselinux/libselinux.mk
 create mode 100644 package/libsemanage/Config.in
 create mode 100644 package/libsemanage/libsemanage-0001-execption-lib-path-fix.patch
 create mode 100644 package/libsemanage/libsemanage.mk
 create mode 100644 package/policycoreutils/Config.in
 create mode 100755 package/policycoreutils/S15restorecond
 create mode 100644 package/policycoreutils/policycoreutils-0001-cross-compile-fixes.patch
 create mode 100644 package/policycoreutils/policycoreutils.mk
 create mode 100644 package/python-pyxml/Config.in
 create mode 100644 package/python-pyxml/python-xml.mk
 create mode 100644 package/refpolicy/Config.in
 create mode 100644 package/refpolicy/S12selinux
 create mode 100755 package/refpolicy/config
 create mode 100644 package/refpolicy/modules.conf
 create mode 100644 package/refpolicy/refpolicy-0001-gentoo-hardened-fixes.patch
 create mode 100644 package/refpolicy/refpolicy-0002-awk-fix.patch
 create mode 100644 package/refpolicy/refpolicy.mk
 create mode 100644 package/sepolgen/Config.in
 create mode 100644 package/sepolgen/sepolgen.mk
 create mode 100644 package/setools/Config.in
 create mode 100644 package/setools/setools-0001-cross-compile-fixes.patch
 create mode 100644 package/setools/setools-0002-swig-typedef-python-fixes.patch
 create mode 100644 package/setools/setools.mk
 create mode 100644 package/shadow/Config.in
 create mode 100644 package/shadow/shadow.mk
 create mode 100644 package/ustr/Config.in
 create mode 100644 package/ustr/ustr-0001-cross-compile-modifications.patch
 create mode 100644 package/ustr/ustr.mk
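
The kernel options listed in the cover letter can be checked against a kernel .config before the image is booted. The shell functions below are an added example, not part of the patch series; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the patch series): check a kernel .config for the
# options the cover letter says must be enabled for SELinux.

# Option names copied from the cover letter.
SELINUX_KCONFIG_REQUIRED="CONFIG_AUDIT
CONFIG_SECURITY
CONFIG_SECURITY_NETWORK
CONFIG_SECURITY_SELINUX
CONFIG_SECURITY_SELINUX_BOOTPARAM
CONFIG_EXT2_FS_XATTR
CONFIG_EXT2_FS_SECURITY"

# kconfig_state FILE OPTION
# Prints "y" (built in), "unset" ("# OPTION is not set") or "absent".
# The patterns are anchored on both sides so that CONFIG_SECURITY is not
# satisfied by CONFIG_SECURITYFS=y or CONFIG_SECURITY_NETWORK=y.
kconfig_state() {
    _file=$1
    _opt=$2
    if grep -q "^${_opt}=y\$" "$_file"; then
        echo y
    elif grep -q "^# ${_opt} is not set\$" "$_file"; then
        echo unset
    else
        echo absent
    fi
}

# missing_selinux_options FILE
# Prints one "OPTION state" line for every required option that is not =y.
# Returns 0 when all options are enabled, 1 otherwise.
missing_selinux_options() {
    _cfg=$1
    _rc=0
    for _o in $SELINUX_KCONFIG_REQUIRED; do
        _s=$(kconfig_state "$_cfg" "$_o")
        if [ "$_s" != y ]; then
            echo "$_o $_s"
            _rc=1
        fi
    done
    return $_rc
}

# Constructed sample .config fragment with look-alike option names.
sample_config() {
    cat <<'EOF'
# CONFIG_AUDIT is not set
CONFIG_AUDIT_ARCH=y
CONFIG_SECURITYFS=y
CONFIG_EXT2_FS=y
CONFIG_EXT2_FS_XATTR=y
# CONFIG_EXT2_FS_SECURITY is not set
EOF
}

# Stand-alone use: pass the path of a kernel .config as the first argument.
if [ "$#" -gt 0 ]; then
    missing_selinux_options "$1"
fi
```

For the constructed sample, only CONFIG_EXT2_FS_XATTR counts as enabled; the other six options are reported as unset or absent.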

* [Buildroot] [ PATCH v4 01/20] pcre: Add host build support
  2013-12-12 18:27 [Buildroot] [ PATCH v4 00/20] SELinux Buildroot Additions Clayton Shotwell
@ 2013-12-12 18:27 ` Clayton Shotwell
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 02/20] libselinux: new package Clayton Shotwell
                   ` (18 subsequent siblings)
  19 siblings, 0 replies; 27+ messages in thread
From: Clayton Shotwell @ 2013-12-12 18:27 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v3 -> v4:
  - No changes.
Changes v2 -> v3:
  - Changed order of patch to correct dependency issue (suggested by Thomas).
Changes v1 -> v2:
  - No changes
---
 package/pcre/pcre.mk |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/package/pcre/pcre.mk b/package/pcre/pcre.mk
index 2637354..000ce54 100644
--- a/package/pcre/pcre.mk
+++ b/package/pcre/pcre.mk
@@ -23,3 +23,4 @@ PCRE_CONF_OPT += $(if $(BR2_PACKAGE_PCRE_UTF),--enable-utf,--disable-utf)
 PCRE_CONF_OPT += $(if $(BR2_PACKAGE_PCRE_UCP),--enable-unicode-properties,--disable-unicode-properties)
 
 $(eval $(autotools-package))
+$(eval $(host-autotools-package))
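Review bot: The commit message has no body, and the single added line `$(eval $(host-autotools-package))` at the end of pcre.mk gives no hint of why a host build is needed. Say that host-pcre is required by host-libselinux (patch 02 sets HOST_LIBSELINUX_DEPENDENCIES = host-libsepol host-pcre). The PCRE_CONF_OPT lines in the context apply to the target build only, so also state whether the host build is meant to use pcre's configure defaults or set HOST_PCRE_CONF_OPT explicitly.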
-- 
1.7.1

* [Buildroot] [ PATCH v4 02/20] libselinux: new package
  2013-12-12 18:27 [Buildroot] [ PATCH v4 00/20] SELinux Buildroot Additions Clayton Shotwell
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 01/20] pcre: Add host build support Clayton Shotwell
@ 2013-12-12 18:27 ` Clayton Shotwell
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 03/20] ustr: " Clayton Shotwell
                   ` (17 subsequent siblings)
  19 siblings, 0 replies; 27+ messages in thread
From: Clayton Shotwell @ 2013-12-12 18:27 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v3 -> v4:
  - Re-added the Python bindings configure option (suggested
    by Thomas).
  - Added the creation of the selinux mount point to the
    install step (suggested by Thomas).
  - Cleaned up configure comments (suggested by Thomas).
  - Removed the package clean command.
Changes v2 -> v3:
  - Added dependencies on BR2_TOOLCHAIN_HAS_THREADS and
    BR2_LARGEFILE (suggested by Thomas).
  - Corrected a minor issue in the mk file found during testing.
Changes v1 -> v2:
  - Move Config.in entry into the libraries section since this is a
    library.
  - General cleanup to the mk file to conform to the standard format.
  - Removed a dependency on the Linux kernel.
  - Changed the original Python select in the Config.in to be a check
    in the libselinux.mk file.
  - Added a select for libsepol and pcre in the menuconfig instead of
    just having package dependencies.
  - Removed building the python bindings in the host configuration.
---
 package/Config.in                |    1 +
 package/libselinux/Config.in     |   29 ++++++++++++
 package/libselinux/libselinux.mk |   88 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 118 insertions(+), 0 deletions(-)
 create mode 100644 package/libselinux/Config.in
 create mode 100644 package/libselinux/libselinux.mk

diff --git a/package/Config.in b/package/Config.in
index eb96aeb..bc4a0d4 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -725,6 +725,7 @@ source "package/tzdata/Config.in"
 endmenu
 
 menu "Security"
+source "package/libselinux/Config.in"
 source "package/libsepol/Config.in"
 endmenu
 
diff --git a/package/libselinux/Config.in b/package/libselinux/Config.in
new file mode 100644
index 0000000..14182c3
--- /dev/null
+++ b/package/libselinux/Config.in
@@ -0,0 +1,29 @@
+config BR2_PACKAGE_LIBSELINUX
+	bool "libselinux"
+	select BR2_PACKAGE_LIBSEPOL
+	select BR2_PACKAGE_PCRE
+	depends on BR2_TOOLCHAIN_HAS_THREADS
+	depends on BR2_LARGEFILE
+	help
+	  libselinux is the runtime SELinux library that provides
+	  interfaces (e.g. library functions for the SELinux kernel
+	  APIs like getcon(), other support functions like
+	  getseuserbyname()) to SELinux-aware applications. libselinux
+	  may use the shared libsepol to manipulate the binary policy
+	  if necessary (e.g. to downgrade the policy format to an
+	  older version supported by the kernel) when loading policy.
+
+	  http://selinuxproject.org/page/Main_Page
+
+comment "libselinux needs a toolchain w/ largefile, threads"
+        depends on !BR2_TOOLCHAIN_HAS_THREADS || !BR2_LARGEFILE
+
+if BR2_PACKAGE_LIBSELINUX
+
+config BR2_PACKAGE_LIBSELINUX_PYTHON_BINDINGS
+	select BR2_PACKAGE_PYTHON
+	bool "python bindings"
+	help
+	  enable building python bindings
+
+endif
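Review bot: In BR2_PACKAGE_LIBSELINUX_PYTHON_BINDINGS the `select BR2_PACKAGE_PYTHON` line comes before `bool "python bindings"`, and a select does not enforce the selected symbol's own `depends on` lines, so any dependency BR2_PACKAGE_PYTHON has must be repeated on this option. Put `bool` first, and indent the `depends on` under the toolchain comment with a tab like the rest of the file rather than eight spaces.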
diff --git a/package/libselinux/libselinux.mk b/package/libselinux/libselinux.mk
new file mode 100644
index 0000000..035d721
--- /dev/null
+++ b/package/libselinux/libselinux.mk
@@ -0,0 +1,88 @@
+################################################################################
+#
+# libselinux
+#
+################################################################################
+
+LIBSELINUX_VERSION = 2.1.13
+LIBSELINUX_SITE = http://userspace.selinuxproject.org/releases/20130423/
+LIBSELINUX_LICENSE = PublicDomain
+LIBSELINUX_LICENSE_FILES = LICENSE
+
+LIBSELINUX_DEPENDENCIES = libsepol pcre
+
+LIBSELINUX_INSTALL_STAGING = YES
+
+LIBSELINUX_MAKE_OPTS = \
+	$(TARGET_CONFIGURE_OPTS) \
+	LDFLAGS="$(TARGET_LDFLAGS) -lpcre -lpthread"
+
+ifeq ($(BR2_PACKAGE_LIBSELINUX_PYTHON_BINDINGS),y)
+
+LIBSELINUX_DEPENDENCIES += python host-swig host-python
+LIBSELINUX_MAKE_OPTS += \
+	PYINC="-I$(STAGING_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)/" \
+	PYTHONLIBDIR="-L$(STAGING_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/" \
+	PYLIBVER="python$(PYTHON_VERSION_MAJOR)" \
+	SWIG_LIB="$(HOST_DIR)/usr/share/swig/$(SWIG_VERSION)/"
+
+define LIBSELINUX_PYTHON_BUILD_CMDS
+	# DESTDIR is needed during the compile to compute library and 
+	# header paths.
+	$(MAKE) -C $(@D) $(LIBSELINUX_MAKE_OPTS) DESTDIR=$(STAGING_DIR) swigify pywrap
+endef
+
+define LIBSELINUX_PYTHON_INSTALL_STAGING_CMDS
+	$(MAKE) -C $(@D) install-pywrap $(LIBSELINUX_MAKE_OPTS) DESTDIR=$(STAGING_DIR)
+endef
+
+define LIBSELINUX_PYTHON_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D) install-pywrap $(LIBSELINUX_MAKE_OPTS) DESTDIR=$(TARGET_DIR)
+endef
+
+endif
+
+define LIBSELINUX_BUILD_CMDS
+	# DESTDIR is needed during the compile to compute library and 
+	# header paths.
+	$(MAKE) -C $(@D) $(LIBSELINUX_MAKE_OPTS) DESTDIR=$(STAGING_DIR) all
+	$(LIBSELINUX_PYTHON_BUILD_CMDS)
+endef
+
+define LIBSELINUX_INSTALL_STAGING_CMDS
+	$(MAKE) -C $(@D) install $(LIBSELINUX_MAKE_OPTS) DESTDIR=$(STAGING_DIR)
+	$(LIBSELINUX_PYTHON_INSTALL_STAGING_CMDS)
+endef
+
+define LIBSELINUX_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D) install $(LIBSELINUX_MAKE_OPTS) DESTDIR=$(TARGET_DIR)
+	$(LIBSELINUX_PYTHON_INSTALL_TARGET_CMDS)
+	# Create the selinuxfs mount point
+	mkdir $(TARGET_DIR)/selinux
+endef
+
+HOST_LIBSELINUX_DEPENDENCIES = host-libsepol host-pcre
+
+HOST_LIBSELINUX_MAKE_OPTS = $(HOST_CONFIGURE_OPTS) \
+	LDFLAGS="$(HOST_LDFLAGS) -lpcre -lpthread"
+
+define HOST_LIBSELINUX_BUILD_CMDS
+	# DESTDIR is needed during the compile to compute library and 
+	# header paths.
+	$(MAKE) -C $(@D) $(HOST_LIBSELINUX_MAKE_OPTS) DESTDIR=$(HOST_DIR) all
+endef
+
+define HOST_LIBSELINUX_INSTALL_CMDS
+	$(MAKE) -C $(@D) install $(HOST_LIBSELINUX_MAKE_OPTS) DESTDIR=$(HOST_DIR)
+	mv $(HOST_DIR)/lib/libselinux.so.1 $(HOST_DIR)/usr/lib
+	(cd $(HOST_DIR)/usr/lib; rm -f libselinux.so; \
+		ln -s libselinux.so.1 libselinux.so)
+	-rmdir $(HOST_DIR)/lib
+	(if [ -f $(HOST_DIR)/sbin/matchpathcon ]; then \
+		mv $(HOST_DIR)/sbin/matchpathcon $(HOST_DIR)/usr/sbin/; \
+		-rmdir $(HOST_DIR)/sbin; \
+	fi)
+endef
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
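Review bot: In HOST_LIBSELINUX_INSTALL_CMDS the `-rmdir $(HOST_DIR)/sbin;` sits inside the `(if ... fi)` shell block, where the leading `-` is no longer make's ignore-errors prefix but part of the command name, so the shell tries to run `-rmdir` and the recipe fails whenever matchpathcon was installed to $(HOST_DIR)/sbin. Use `rmdir $(HOST_DIR)/sbin || true` there or move it to its own recipe line. In LIBSELINUX_INSTALL_TARGET_CMDS, `mkdir $(TARGET_DIR)/selinux` fails on a reinstall once the directory exists; `mkdir -p` avoids that. The three "DESTDIR is needed during the compile" comment lines also carry trailing whitespace.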
-- 
1.7.1

* [Buildroot] [ PATCH v4 03/20] ustr: new package
  2013-12-12 18:27 [Buildroot] [ PATCH v4 00/20] SELinux Buildroot Additions Clayton Shotwell
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 01/20] pcre: Add host build support Clayton Shotwell
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 02/20] libselinux: new package Clayton Shotwell
@ 2013-12-12 18:27 ` Clayton Shotwell
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 04/20] bzip2: Add host build shared library installation Clayton Shotwell
                   ` (16 subsequent siblings)
  19 siblings, 0 replies; 27+ messages in thread
From: Clayton Shotwell @ 2013-12-12 18:27 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v3 -> v4:
  - Removed the clean command.
Changes v2 -> v3:
  - Changes patch naming convention (suggested by Thomas).
  - Added a dependency on BR2_LARGEFILE (suggested by Thomas).
Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format.
  - Fixed the patch naming to avoid using the version number.
  - Cleaned up the patch to include a signed-off-by line.
  - Added a check to only build static libraries if selected.
---
 package/Config.in                                  |    1 +
 package/ustr/Config.in                             |   11 ++
 .../ustr-0001-cross-compile-modifications.patch    |  144 ++++++++++++++++++++
 package/ustr/ustr.mk                               |   47 +++++++
 4 files changed, 203 insertions(+), 0 deletions(-)
 create mode 100644 package/ustr/Config.in
 create mode 100644 package/ustr/ustr-0001-cross-compile-modifications.patch
 create mode 100644 package/ustr/ustr.mk

diff --git a/package/Config.in b/package/Config.in
index bc4a0d4..11cfcab 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -742,6 +742,7 @@ source "package/pcre/Config.in"
 source "package/popt/Config.in"
 source "package/readline/Config.in"
 source "package/slang/Config.in"
+source "package/ustr/Config.in"
 endmenu
 
 endmenu
diff --git a/package/ustr/Config.in b/package/ustr/Config.in
new file mode 100644
index 0000000..0aa2251
--- /dev/null
+++ b/package/ustr/Config.in
@@ -0,0 +1,11 @@
+config BR2_PACKAGE_USTR
+	bool "ustr"
+	depends on BR2_LARGEFILE
+	help
+	  A small, safe string library.
+	  
+	  http://www.and.org/ustr/
+
+comment "ustr requires a toolchain with large file support"
+	depends on !BR2_LARGEFILE
+
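Review bot: The help text has a whitespace-only line after "A small, safe string library." and the file ends with an empty line; both should be cleaned up. The comment wording ("requires a toolchain with large file support") also differs from the "needs a toolchain w/ largefile" form used for libselinux in this series, so pick one form.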
diff --git a/package/ustr/ustr-0001-cross-compile-modifications.patch b/package/ustr/ustr-0001-cross-compile-modifications.patch
new file mode 100644
index 0000000..cdf17c5
--- /dev/null
+++ b/package/ustr/ustr-0001-cross-compile-modifications.patch
@@ -0,0 +1,144 @@
+Changes are to allow ustr verion 1.0.4 to cross compile in buildroot.
+
+Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
+
+diff -urN a/ustr-compiler.h b/ustr-compiler.h
+--- a/ustr-compiler.h	2008-02-15 14:12:28.000000000 -0600
++++ b/ustr-compiler.h	2012-06-15 11:04:55.000000000 -0500
+@@ -13,10 +13,10 @@
+ 
+ /* We assume this is enough,
+  * C99 specifies that va_copy() exists and is a macro */
+-#ifdef va_copy
++#if defined va_copy
+ # define USTR_CONF_HAVE_VA_COPY 1
+ # define USTR__VA_COPY(x, y)   va_copy(x, y)
+-#elif __va_copy
++#elif defined __va_copy
+ # define USTR_CONF_HAVE_VA_COPY 1
+ # define USTR__VA_COPY(x, y) __va_copy(x, y)
+ #else
+diff -urN a/Makefile b/Makefile
+--- a/Makefile	2008-03-05 21:38:00.000000000 -0600
++++ b/Makefile	2013-09-10 16:54:45.916874387 -0500
+@@ -8,8 +8,8 @@
+ VERS_ESONAME =1
+ VERS_ESO     =$(VERS_ESONAME).0.4
+ 
+-DESTDIR =
+-prefix=/usr
++DESTDIR ?= 
++prefix ?= /usr
+ datadir=$(prefix)/share
+ libdir=$(prefix)/lib
+ libexecdir=$(prefix)/libexec
+@@ -18,7 +18,7 @@
+ SHRDIR=$(datadir)/ustr-$(VERS_FULL)
+ DOCSHRDIR=$(datadir)/doc/ustr-devel-$(VERS_FULL)
+ EXAMDIR=$(SHRDIR)/examples
+-mandir=$(datadir)/doc/man
++mandir=$(datadir)/man
+ MBINDIR=$(libexecdir)/ustr-$(VERS_FULL)
+ 
+ ###############################################################################
+@@ -28,12 +28,12 @@
+ ###############################################################################
+ HIDE=@
+ 
+-CC = cc
+-AR = ar
+-RANLIB = ranlib
+-LDCONFIG = /sbin/ldconfig
++CC ?= cc
++AR ?= ar
++RANLIB ?= ranlib
+ 
+-CFLAGS  = -O2 -g
++CFLAGS ?= -O2 -g
++LDFLAGS ?= 
+ 
+ # Debug versions...
+ WARNS = -W -Wall -Wundef -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wwrite-strings -Waggregate-return -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -Wno-format-zero-length -Wformat-nonliteral -Wformat-security # -Wfloat-equal -- no floats
+@@ -376,7 +376,7 @@
+ all-shared: all $(LIB_SHARED)
+ 		$(HIDE)echo Done shared
+ 
+-install: all-shared ustr.pc ustr-debug.pc
++install: all ustr.pc ustr-debug.pc
+ 		$(HIDE)echo Making directories
+ 		install -d $(DESTDIR)$(libdir)
+ 		install -d $(DESTDIR)$(includedir)
+@@ -389,16 +389,6 @@
+ 		install -d $(DESTDIR)$(libdir)/pkgconfig
+ 		$(HIDE)echo Installing files
+ 		install -m 644 -t $(DESTDIR)$(libdir) $(LIB_STATIC)
+-		install -m 755 -t $(DESTDIR)$(libdir) $(LIB_SHARED)
+-		-rm -f $(DESTDIR)$(libdir)/$(OPT_LIB_SHARED_NAME)
+-		ln -s $(OPT_LIB_SHARED) $(DESTDIR)$(libdir)/$(OPT_LIB_SHARED_NAME)
+-		-rm -f $(DESTDIR)$(libdir)/$(OPT_LIB_SHAREDEV)
+-		ln -s $(OPT_LIB_SHARED_NAME) $(DESTDIR)$(libdir)/$(OPT_LIB_SHAREDEV)
+-		-rm -f $(DESTDIR)$(libdir)/$(DBG_LIB_SHARED_NAME)
+-		ln -s $(DBG_LIB_SHARED) $(DESTDIR)$(libdir)/$(DBG_LIB_SHARED_NAME)
+-		-rm -f $(DESTDIR)$(libdir)/$(DBG_LIB_SHAREDEV)
+-		ln -s $(DBG_LIB_SHARED_NAME) $(DESTDIR)$(libdir)/$(DBG_LIB_SHAREDEV)
+-		$(LDCONFIG) -n $(DESTDIR)$(libdir)
+ 		install -pm 644 -t $(DESTDIR)$(includedir) $(SRC_HDRS)
+ 		install -pm 644 -t $(DESTDIR)$(SHRDIR) $(SRC_SRCS)
+ 		install -pm 644 -t $(DESTDIR)$(SHRDIR) $(XSRC_SRCS)
+@@ -409,13 +399,24 @@
+ 		install -m 755 -t $(DESTDIR)$(bindir) ustr-import
+ 		install -pm 644 -t $(DESTDIR)$(libdir)/pkgconfig ustr.pc ustr-debug.pc
+ 
++install-shared: all-shared install
++		$(HIDE)echo Installing files
++		install -m 755 -t $(DESTDIR)$(libdir) $(LIB_SHARED)
++		-rm -f $(DESTDIR)$(libdir)/$(OPT_LIB_SHARED_NAME)
++		ln -s $(OPT_LIB_SHARED) $(DESTDIR)$(libdir)/$(OPT_LIB_SHARED_NAME)
++		-rm -f $(DESTDIR)$(libdir)/$(OPT_LIB_SHAREDEV)
++		ln -s $(OPT_LIB_SHARED_NAME) $(DESTDIR)$(libdir)/$(OPT_LIB_SHAREDEV)
++		-rm -f $(DESTDIR)$(libdir)/$(DBG_LIB_SHARED_NAME)
++		ln -s $(DBG_LIB_SHARED) $(DESTDIR)$(libdir)/$(DBG_LIB_SHARED_NAME)
++		-rm -f $(DESTDIR)$(libdir)/$(DBG_LIB_SHAREDEV)
++		ln -s $(DBG_LIB_SHARED_NAME) $(DESTDIR)$(libdir)/$(DBG_LIB_SHAREDEV)
++
+ ustr-import-multilib: ustr-import-multilib.in
+ 		sed -e 's, at INCLUDEDIR@,$(includedir),g' -e 's, at MBINDIR@,$(MBINDIR),g' < $< > $@
+ 
+ install-multilib-linux: install autoconf_64b ustr-import-multilib
+ 		install -d $(DESTDIR)$(MBINDIR)
+-		$(HIDE)mlib=`./autoconf_64b`; \
+-                   if test "x$$mlib" = "x1"; then mlib=64; else mlib=32; fi; \
++		$(HIDE))if test "`echo "__SIZEOF_SIZE_T__" | $(CC) -E -x c - | tail -n 1`" = 8; then mlib=64; else mlib=32; fi; \
+                    mv -f $(DESTDIR)$(includedir)/ustr-conf-debug.h \
+                          $(DESTDIR)$(includedir)/ustr-conf-debug-$$mlib.h; \
+                    mv -f $(DESTDIR)$(includedir)/ustr-conf.h \
+@@ -451,7 +452,8 @@
+ 
+ ustr-import: ustr-import.in autoconf_64b autoconf_vsnprintf
+ 		$(HIDE)echo Creating $@
+-		$(HIDE)sz64=`./autoconf_64b`; vsnp=`./autoconf_vsnprintf`; \
++		$(HIDE)if test "`echo "__SIZEOF_SIZE_T__" | $(CC) -E -x c - | tail -n 1`" = 8; then sz64=1; else sz64=0; fi; \
++		if test "`./autoconf_vsnprintf`" = 0; then vsnp=0; else vsnp=1; fi; \
+ 		sed -e 's, at INCLUDEDIR@,$(includedir),g' -e 's, at SHRDIR@,$(SHRDIR),g' -e 's, at VERS@,$(VERS),g'  -e 's, at VERS_FULL@,$(VERS_FULL),g' -e "s, at HAVE_64bit_SIZE_MAX@,$$sz64,g" -e "s, at HAVE_RETARDED_VSNPRINTF@,$$vsnp,g" < $< > $@
+ 		$(HIDE)chmod 755 $@
+ 
+@@ -485,7 +487,8 @@
+ ustr-conf.h: ustr-conf.h.in autoconf_64b autoconf_vsnprintf
+ 		$(HIDE)echo Creating $@
+ 		$(HIDE)have_stdint_h=0; dbg1=0; dbg2=0; \
+-                sz64=`./autoconf_64b`; vsnp=`./autoconf_vsnprintf`; \
++                if test "`echo "__SIZEOF_SIZE_T__" | $(CC) -E -x c - | tail -n 1`" = 8; then sz64=1; else sz64=0; fi; \
++                if test "`./autoconf_vsnprintf`" = 0; then vsnp=0; else vsnp=1; fi; \
+                 if test -f "/usr/include/stdint.h"; then have_stdint_h=1; fi; \
+                 if test -f "$(prefix)/include/stdint.h"; then have_stdint_h=1; fi; \
+                 if test -f "$(includedir)/stdint.h"; then have_stdint_h=1; fi; \
+@@ -494,7 +497,8 @@
+ ustr-conf-debug.h: ustr-conf.h.in autoconf_64b autoconf_vsnprintf
+ 		$(HIDE)echo Creating $@
+ 		$(HIDE)have_stdint_h=0; dbg1=1; dbg2=1; \
+-                sz64=`./autoconf_64b`; vsnp=`./autoconf_vsnprintf`; \
++                if test "`echo "__SIZEOF_SIZE_T__" | $(CC) -E -x c - | tail -n 1`" = 8; then sz64=1; else sz64=0; fi; \
++                if test "`./autoconf_vsnprintf`" = 0; then vsnp=0; else vsnp=1; fi; \
+                 if test -f "/usr/include/stdint.h"; then have_stdint_h=1; fi; \
+                 if test -f "$(prefix)/include/stdint.h"; then have_stdint_h=1; fi; \
+                 if test -f "$(includedir)/stdint.h"; then have_stdint_h=1; fi; \
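Review bot: In the install-multilib-linux rule the new line starts with `$(HIDE))if test`, and the extra `)` makes the shell command a syntax error, so that target cannot run. The ustr-import, ustr-conf.h and ustr-conf-debug.h rules replace `./autoconf_64b` with a preprocessor probe but still execute `./autoconf_vsnprintf` and still list autoconf_64b as a prerequisite; if those helpers are compiled with the cross $(CC) they cannot run on the build machine, so the vsnprintf result needs a probe that does not execute target code, or a preset value. The patch header also needs a colon after Signed-off-by and has "verion" for "version".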
diff --git a/package/ustr/ustr.mk b/package/ustr/ustr.mk
new file mode 100644
index 0000000..91d3e59
--- /dev/null
+++ b/package/ustr/ustr.mk
@@ -0,0 +1,47 @@
+################################################################################
+#
+# ustr
+#
+################################################################################
+
+USTR_VERSION = 1.0.4
+USTR_SOURCE = ustr-$(USTR_VERSION).tar.bz2
+USTR_SITE = http://www.and.org/ustr/$(USTR_VERSION)/
+USTR_LICENSE = BSD-2c MIT LGPLv2+
+USTR_LICENSE_FILES = LICENCE LICENSE_BSD LICENSE_LGPL LICENSE_MIT
+
+USTR_INSTALL_STAGING = YES
+
+ifeq ($(BR2_PREFER_STATIC_LIB),y)
+	USTR_BUILD_CMD = all
+	USTR_INSTALL_CMD = install
+else
+	USTR_BUILD_CMD = all all-shared
+	USTR_INSTALL_CMD = install install-shared
+endif
+
+define USTR_BUILD_CMDS
+	$(MAKE) -C $(@D) $(USTR_BUILD_CMD) $(TARGET_CONFIGURE_OPTS)
+endef
+
+define USTR_INSTALL_STAGING_CMDS
+	$(MAKE) -C $(@D) $(USTR_INSTALL_CMD) $(TARGET_CONFIGURE_OPTS) \
+		DESTDIR=$(STAGING_DIR)
+endef
+
+define USTR_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D) $(USTR_INSTALL_CMD) $(TARGET_CONFIGURE_OPTS) \
+		DESTDIR=$(TARGET_DIR)
+endef
+
+define HOST_USTR_BUILD_CMDS
+	$(MAKE) -C $(@D) $(USTR_BUILD_CMD) $(HOST_CONFIGURE_OPTS)
+endef
+
+define HOST_USTR_INSTALL_CMDS
+	$(MAKE) -C $(@D) $(USTR_INSTALL_CMD) $(HOST_CONFIGURE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+endef
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
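Review bot: HOST_USTR_BUILD_CMDS and HOST_USTR_INSTALL_CMDS reuse USTR_BUILD_CMD and USTR_INSTALL_CMD, which are chosen by BR2_PREFER_STATIC_LIB, so a static preference for the target also drops the shared library from the host build. Give the host variant its own make targets if host tools are expected to link against a shared libustr. The assignments inside the ifeq/else block are indented with a tab, which make can take for recipe lines; leave them unindented.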
-- 
1.7.1

* [Buildroot] [ PATCH v4 04/20] bzip2: Add host build shared library installation
  2013-12-12 18:27 [Buildroot] [ PATCH v4 00/20] SELinux Buildroot Additions Clayton Shotwell
                   ` (2 preceding siblings ...)
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 03/20] ustr: " Clayton Shotwell
@ 2013-12-12 18:27 ` Clayton Shotwell
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 05/20] libsemanage: new package Clayton Shotwell
                   ` (15 subsequent siblings)
  19 siblings, 0 replies; 27+ messages in thread
From: Clayton Shotwell @ 2013-12-12 18:27 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v3 -> v4:
  - No changes.
Changes v2 -> v3:
  - Changed order of patch to correct dependency issue (suggested by Thomas).
Changes v1 -> v2:
  - No changes
---
 package/bzip2/bzip2.mk |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/package/bzip2/bzip2.mk b/package/bzip2/bzip2.mk
index fcddb55..a06e980 100644
--- a/package/bzip2/bzip2.mk
+++ b/package/bzip2/bzip2.mk
@@ -61,6 +61,8 @@ endef
 define HOST_BZIP2_INSTALL_CMDS
 	$(HOST_MAKE_ENV) \
 		$(MAKE) PREFIX=$(HOST_DIR)/usr -C $(@D) install
+	$(HOST_MAKE_ENV) $(MAKE) \
+		-f Makefile-libbz2_so PREFIX=$(HOST_DIR)/usr -C $(@D) install
 endef
 
 $(eval $(generic-package))
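Review bot: The commit message is empty, so nothing records which host package needs the shared libbz2 that the added `$(MAKE) -f Makefile-libbz2_so ... install` line in HOST_BZIP2_INSTALL_CMDS puts under $(HOST_DIR)/usr. Name the consumer in the commit message, and confirm that the shared library is built by the host build step before this install runs, since the hunk only touches the install commands.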
-- 
1.7.1

* [Buildroot] [ PATCH v4 05/20] libsemanage: new package
  2013-12-12 18:27 [Buildroot] [ PATCH v4 00/20] SELinux Buildroot Additions Clayton Shotwell
                   ` (3 preceding siblings ...)
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 04/20] bzip2: Add host build shared library installation Clayton Shotwell
@ 2013-12-12 18:27 ` Clayton Shotwell
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 06/20] checkpolicy: " Clayton Shotwell
                   ` (14 subsequent siblings)
  19 siblings, 0 replies; 27+ messages in thread
From: Clayton Shotwell @ 2013-12-12 18:27 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v3 -> v4:
  - Added back in the Python bindings creation configure option
    (suggested by Thomas).
  - Added a dependency on host-flex (suggested by Thomas).
  - Cleaned up configure comments (suggested by Thomas).
  - Removed the clean command.
Changes v2 -> v3:
  - Changes patch naming convention (suggested by Thomas).
  - Added dependencies on BR2_TOOLCHAIN_HAS_THREADS and BR2_LARGEFILE
    (suggested by Thomas).
Changes v1 -> v2:
  - Move Config.in entry into the libraries section since this is a
    library.
  - General cleanup to the mk file to conform to the standard format.
  - Fixed the patch naming to avoid using the version number.
  - Cleaned up the patch to include a signed-off-by line.
  - Changed package dependencies into selects in the config.
  - Changed the original Python select in the Config.in to be a check
    in the mk file.
  - Removed building the python bindings in the host configuration.
---
 package/Config.in                                  |    1 +
 package/libsemanage/Config.in                      |   30 ++++++++
 .../libsemanage-0001-execption-lib-path-fix.patch  |   14 ++++
 package/libsemanage/libsemanage.mk                 |   72 ++++++++++++++++++++
 4 files changed, 117 insertions(+), 0 deletions(-)
 create mode 100644 package/libsemanage/Config.in
 create mode 100644 package/libsemanage/libsemanage-0001-execption-lib-path-fix.patch
 create mode 100644 package/libsemanage/libsemanage.mk

diff --git a/package/Config.in b/package/Config.in
index 11cfcab..8f2d3c1 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -726,6 +726,7 @@ endmenu
 
 menu "Security"
 source "package/libselinux/Config.in"
+source "package/libsemanage/Config.in"
 source "package/libsepol/Config.in"
 endmenu
 
diff --git a/package/libsemanage/Config.in b/package/libsemanage/Config.in
new file mode 100644
index 0000000..e4013cd
--- /dev/null
+++ b/package/libsemanage/Config.in
@@ -0,0 +1,30 @@
+config BR2_PACKAGE_LIBSEMANAGE
+	bool "libsemanage"
+	select BR2_PACKAGE_LIBSELINUX
+	select BR2_PACKAGE_USTR
+	select BR2_PACKAGE_BZIP2
+	depends on BR2_TOOLCHAIN_HAS_THREADS
+	depends on BR2_LARGEFILE
+	help
+	  libsemanage is the policy management library. It uses
+	  libsepol for binary policy manipulation and libselinux for
+	  interacting with the SELinux system. It also exec's helper
+	  programs for loading policy and for checking whether the
+	  file_contexts configuration is valid (load_policy and
+	  setfiles from policycoreutils) presently, although this may
+	  change at least for the bootstrapping case (for rpm).
+
+	  http://selinuxproject.org/page/Main_Page
+
+comment "libsemanage needs a toolchain w/ largefile, threads"
+	depends on !BR2_TOOLCHAIN_HAS_THREADS || !BR2_LARGEFILE
+
+if BR2_PACKAGE_LIBSEMANAGE
+
+config BR2_PACKAGE_LIBSEMANAGE_PYTHON_BINDINGS
+	select BR2_PACKAGE_PYTHON
+	bool "python bindings"
+	help
+	  enable building python bindings
+
+endif
diff --git a/package/libsemanage/libsemanage-0001-execption-lib-path-fix.patch b/package/libsemanage/libsemanage-0001-execption-lib-path-fix.patch
new file mode 100644
index 0000000..cbcbea5
--- /dev/null
+++ b/package/libsemanage/libsemanage-0001-execption-lib-path-fix.patch
@@ -0,0 +1,14 @@
+Patch to correct a missing header file issue.
+
+Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
+
+--- a/src/exception.sh	2011-12-21 11:46:04.000000000 -0600
++++ b/src/exception.sh	2012-08-27 11:29:58.000000000 -0500
+@@ -9,6 +9,6 @@
+ }
+ "
+ }
+-gcc -x c -c - -aux-info temp.aux < ../include/semanage/semanage.h
++gcc -x c -c - -aux-info temp.aux -I../include < ../include/semanage/semanage.h
+ for i in `awk '/extern int/ { print $6 }' temp.aux`; do except $i ; done
+ rm -f -- temp.aux -.o
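Review bot: The tag in the patch header reads `Signed-off-by Clayton Shotwell` with no colon after `Signed-off-by`, so tools that parse tags will not recognise it; it should be `Signed-off-by: ...`. The file name also misspells "exception" as `execption`. The description ("missing header file issue") would be more useful if it said that `-I../include` is added so the headers pulled in by `semanage.h` are found. The script still invokes `gcc` directly; the setools patch in this series replaces a hard-coded `gcc` with `${CC}` for cross-compilation, so please state whether using the build machine's `gcc` here is intentional.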
diff --git a/package/libsemanage/libsemanage.mk b/package/libsemanage/libsemanage.mk
new file mode 100644
index 0000000..44d8324
--- /dev/null
+++ b/package/libsemanage/libsemanage.mk
@@ -0,0 +1,72 @@
+################################################################################
+#
+# libsemanage
+#
+################################################################################
+
+LIBSEMANAGE_VERSION = 2.1.10
+LIBSEMANAGE_SITE = http://userspace.selinuxproject.org/releases/20130423/
+LIBSEPOL_LICENSE = LGPLv2.1+
+LIBSEPOL_LICENSE_FILES = COPYING
+
+LIBSEMANAGE_DEPENDENCIES = host-bison host-flex libselinux ustr bzip2
+
+LIBSEMANAGE_INSTALL_STAGING = YES
+
+LIBSEMANAGE_MAKE_OPT = $(TARGET_CONFIGURE_OPTS)
+
+ifeq ($(BR2_PACKAGE_LIBSEMANAGE_PYTHON_BINDINGS),y)
+
+LIBSEMANAGE_DEPENDENCIES += python host-swig host-python
+LIBSEMANAGE_MAKE_OPT += \
+	PYINC="-I$(STAGING_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)/" \
+	PYTHONLIBDIR="-L$(STAGING_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/" \
+	PYLIBVER="python$(PYTHON_VERSION_MAJOR)" \
+	SWIG_LIB="$(HOST_DIR)/usr/share/swig/$(SWIG_VERSION)/"
+
+define LIBSEMANAGE_PYTHON_BUILD_CMDS
+	$(MAKE) -C $(@D) $(LIBSEMANAGE_MAKE_OPT) DESTDIR=$(STAGING_DIR) swigify pywrap
+endef
+
+define LIBSEMANAGE_PYTHON_INSTALL_STAGING_CMDS
+	$(MAKE) -C $(@D) install-pywrap $(LIBSEMANAGE_MAKE_OPT) DESTDIR=$(STAGING_DIR)
+endef
+
+define LIBSEMANAGE_PYTHON_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D) install-pywrap $(LIBSEMANAGE_MAKE_OPT) DESTDIR=$(TARGET_DIR)
+endef
+
+endif # End of BR2_PACKAGE_PYTHON
+
+define LIBSEMANAGE_BUILD_CMDS
+	# DESTDIR is needed during the compile to compute library and 
+	# header paths.
+	$(MAKE) -C $(@D) $(LIBSEMANAGE_MAKE_OPT) DESTDIR=$(STAGING_DIR) all
+	$(LIBSEMANAGE_PYTHON_BUILD_CMDS)
+endef
+
+define LIBSEMANAGE_INSTALL_STAGING_CMDS
+	$(MAKE) -C $(@D) install $(LIBSEMANAGE_MAKE_OPT) DESTDIR=$(STAGING_DIR)
+	$(LIBSEMANAGE_PYTHON_INSTALL_STAGING_CMDS)
+endef
+
+define LIBSEMANAGE_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D) install $(LIBSEMANAGE_MAKE_OPT) DESTDIR=$(TARGET_DIR)
+	$(LIBSEMANAGE_PYTHON_INSTALL_TARGET_CMDS)
+endef
+
+HOST_LIBSEMANAGE_DEPENDENCIES = host-bison host-libsepol \
+	host-libselinux host-ustr host-bzip2
+
+define HOST_LIBSEMANAGE_BUILD_CMDS
+	# DESTDIR is needed during the compile to compute library and 
+	# header paths.
+	$(MAKE) -C $(@D) all $(HOST_CONFIGURE_OPTS) DESTDIR=$(HOST_DIR)
+endef
+
+define HOST_LIBSEMANAGE_INSTALL_CMDS
+	$(MAKE) -C $(@D) install $(HOST_CONFIGURE_OPTS) DESTDIR=$(HOST_DIR)
+endef
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
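Review bot: The license variables near the top use the wrong package prefix: `LIBSEPOL_LICENSE = LGPLv2.1+` and `LIBSEPOL_LICENSE_FILES = COPYING` should be `LIBSEMANAGE_LICENSE` and `LIBSEMANAGE_LICENSE_FILES`. As written, libsemanage carries no license information of its own and this file assigns another package's variables. Smaller points: the comment on `endif # End of BR2_PACKAGE_PYTHON` does not match the `ifeq ($(BR2_PACKAGE_LIBSEMANAGE_PYTHON_BINDINGS),y)` it closes; both `# DESTDIR is needed during the compile to compute library and ` comment lines end in trailing whitespace; and the two dependency lists disagree, since `LIBSEMANAGE_DEPENDENCIES` has `host-flex` but no libsepol while `HOST_LIBSEMANAGE_DEPENDENCIES` has `host-libsepol` but no `host-flex`. Please make the lists consistent or explain the difference in a comment.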
-- 
1.7.1


* [Buildroot] [ PATCH v4 06/20] checkpolicy: new package
  2013-12-12 18:27 [Buildroot] [ PATCH v4 00/20] SELinux Buildroot Additions Clayton Shotwell
                   ` (4 preceding siblings ...)
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 05/20] libsemanage: new package Clayton Shotwell
@ 2013-12-12 18:27 ` Clayton Shotwell
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 07/20] sepolgen: " Clayton Shotwell
                   ` (13 subsequent siblings)
  19 siblings, 0 replies; 27+ messages in thread
From: Clayton Shotwell @ 2013-12-12 18:27 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v3 -> v4:
  - Removed the clean command.
Changes v2 -> v3:
  - Added checkpolicy as a host package (suggested by Arnout).
Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format.
  - Removed the option to do a target build because it should never
    be needed during normal operation.
  - Added checkpolicy as a host package (suggested by Arnout).
---
 package/Config.in.host             |    1 +
 package/checkpolicy/Config.in.host |   10 ++++++++++
 package/checkpolicy/checkpolicy.mk |   26 ++++++++++++++++++++++++++
 3 files changed, 37 insertions(+), 0 deletions(-)
 create mode 100644 package/checkpolicy/Config.in.host
 create mode 100644 package/checkpolicy/checkpolicy.mk

diff --git a/package/Config.in.host b/package/Config.in.host
index 5fd2570..1b3e11b 100644
--- a/package/Config.in.host
+++ b/package/Config.in.host
@@ -1,5 +1,6 @@
 menu "Host utilities"
 
+source "package/checkpolicy/Config.in.host"
 source "package/dfu-util/Config.in.host"
 source "package/dosfstools/Config.in.host"
 source "package/e2fsprogs/Config.in.host"
diff --git a/package/checkpolicy/Config.in.host b/package/checkpolicy/Config.in.host
new file mode 100644
index 0000000..75794be
--- /dev/null
+++ b/package/checkpolicy/Config.in.host
@@ -0,0 +1,10 @@
+config BR2_PACKAGE_HOST_CHECKPOLICY
+	bool "host checkpolicy"
+	help
+	  checkpolicy is the policy compiler. It uses libsepol to 
+	  generate the binary policy. checkpolicy uses the static 
+	  libsepol since it deals with low level details of the policy 
+	  that have not been encapsulated/abstracted by a proper 
+	  shared library interface. 
+	  
+	  http://selinuxproject.org/page/Main_Page
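Review bot: Several help lines end in trailing whitespace (for example `generate the binary policy. checkpolicy uses the static ` and `shared library interface. `), and the separator line before the URL contains a tab and spaces instead of being empty. Please strip these so the file passes whitespace checks.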
diff --git a/package/checkpolicy/checkpolicy.mk b/package/checkpolicy/checkpolicy.mk
new file mode 100644
index 0000000..0d91794
--- /dev/null
+++ b/package/checkpolicy/checkpolicy.mk
@@ -0,0 +1,26 @@
+################################################################################
+#
+# checkpolicy
+#
+################################################################################
+
+CHECKPOLICY_VERSION = 2.1.12
+CHECKPOLICY_SITE = http://userspace.selinuxproject.org/releases/20130423/
+CHECKPOLICY_LICENSE = GPLv2
+CHECKPOLICY_LICENSE_FILES = COPYING
+
+HOST_CHECKPOLICY_DEPENDENCIES = host-libselinux host-flex host-bison
+
+HOST_CHECKPOLICY_MAKE_OPTS = $(HOST_CONFIGURE_OPTS) \
+	LEX="$(HOST_DIR)/usr/bin/flex" \
+	YACC="$(HOST_DIR)/usr/bin/bison -y"
+
+define HOST_CHECKPOLICY_BUILD_CMDS
+	$(MAKE) -C $(@D) $(HOST_CHECKPOLICY_MAKE_OPTS) DESTDIR=$(HOST_DIR)
+endef
+
+define HOST_CHECKPOLICY_INSTALL_CMDS
+	$(MAKE) -C $(@D) install $(HOST_CHECKPOLICY_MAKE_OPTS) DESTDIR=$(HOST_DIR)
+endef
+
+$(eval $(host-generic-package))
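Review bot: `HOST_CHECKPOLICY_DEPENDENCIES` lists `host-libselinux host-flex host-bison` but not `host-libsepol`, even though the Config.in.host help in this same patch says checkpolicy uses the static libsepol directly. If the build only works because host-libselinux brings host-libsepol in first, list `host-libsepol` explicitly so the ordering does not depend on another package's dependencies. Naming also differs across the series: this file uses `HOST_CHECKPOLICY_MAKE_OPTS`, libsemanage.mk uses `LIBSEMANAGE_MAKE_OPT` and sepolgen.mk uses `SEPOLGEN_MAKE_CMDS`; one convention would be easier to follow.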
-- 
1.7.1


* [Buildroot] [ PATCH v4 07/20] sepolgen: new package
  2013-12-12 18:27 [Buildroot] [ PATCH v4 00/20] SELinux Buildroot Additions Clayton Shotwell
                   ` (5 preceding siblings ...)
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 06/20] checkpolicy: " Clayton Shotwell
@ 2013-12-12 18:27 ` Clayton Shotwell
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 08/20] sqlite: Add host build support Clayton Shotwell
                   ` (12 subsequent siblings)
  19 siblings, 0 replies; 27+ messages in thread
From: Clayton Shotwell @ 2013-12-12 18:27 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v3 -> v4:
  - Cleaned up configure comments (suggested by Thomas).
  - Removed the clean command.
Changes v2 -> v3:
  - No changes.
Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format.
  - Changed package dependencies into selects in the config.
---
 package/Config.in            |    4 ++++
 package/sepolgen/Config.in   |   14 ++++++++++++++
 package/sepolgen/sepolgen.mk |   31 +++++++++++++++++++++++++++++++
 3 files changed, 49 insertions(+), 0 deletions(-)
 create mode 100644 package/sepolgen/Config.in
 create mode 100644 package/sepolgen/sepolgen.mk

diff --git a/package/Config.in b/package/Config.in
index 8f2d3c1..fb336eb 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -937,6 +937,10 @@ source "package/rtai/Config.in"
 source "package/xenomai/Config.in"
 endmenu
 
+menu "Security"
+source "package/sepolgen/Config.in"
+endmenu
+
 menu "Shell and utilities"
 source "package/at/Config.in"
 if BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
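Review bot: This opens a new `menu "Security"` at line 937 of package/Config.in, but patch 05/20 of this series adds `source "package/libsemanage/Config.in"` to a `menu "Security"` that already exists at line 726 and holds libselinux and libsepol. Applying both would leave two menus with the same title. Unless there is a reason to separate them, add `source "package/sepolgen/Config.in"` to the existing menu in alphabetical order instead.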
diff --git a/package/sepolgen/Config.in b/package/sepolgen/Config.in
new file mode 100644
index 0000000..d7d0d37
--- /dev/null
+++ b/package/sepolgen/Config.in
@@ -0,0 +1,14 @@
+config BR2_PACKAGE_SEPOLGEN
+	bool "sepolgen"
+	select BR2_PACKAGE_PYTHON
+	depends on BR2_USE_WCHAR # python
+	depends on BR2_USE_MMU # python
+	help
+	  sepolgen is a python module/library that forms the core
+	  of the modern audit2allow (a rewrite).
+
+	  http://selinuxproject.org/page/Main_Page
+
+comment "sepolgen needs a toolchain w/ wchar"
+	depends on BR2_USE_MMU
+	depends on !BR2_USE_WCHAR
diff --git a/package/sepolgen/sepolgen.mk b/package/sepolgen/sepolgen.mk
new file mode 100644
index 0000000..099c9d0
--- /dev/null
+++ b/package/sepolgen/sepolgen.mk
@@ -0,0 +1,31 @@
+################################################################################
+#
+# sepolgen
+#
+################################################################################
+
+SEPOLGEN_VERSION = 1.1.9
+SEPOLGEN_SITE = http://userspace.selinuxproject.org/releases/20130423/
+SEPOLGEN_LICENSE = GPLv2
+SEPOLGEN_LICENSE_FILES = COPYING
+
+SEPOLGEN_DEPENDENCIES = python
+
+SEPOLGEN_INSTALL_STAGING = YES
+
+SEPOLGEN_MAKE_CMDS = $(TARGET_CONFIGURE_OPTS) \
+	PYTHONLIBDIR=/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages
+
+define SEPOLGEN_BUILD_CMDS
+	$(MAKE) -C $(@D) $(SEPOLGEN_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
+endef
+
+define SEPOLGEN_INSTALL_STAGING_CMDS
+	$(MAKE) -C $(@D) install $(SEPOLGEN_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
+endef
+
+define SEPOLGEN_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D) install $(SEPOLGEN_MAKE_CMDS) DESTDIR=$(TARGET_DIR)
+endef
+
+$(eval $(generic-package))
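Review bot: `SEPOLGEN_MAKE_CMDS` holds arguments passed to make (`$(TARGET_CONFIGURE_OPTS)` and `PYTHONLIBDIR=...`), not commands, so the name is misleading next to the `*_BUILD_CMDS` and `*_INSTALL_*_CMDS` defines; something like `SEPOLGEN_MAKE_OPT`, as libsemanage.mk uses, would read better. Config.in describes sepolgen as a python module/library, so please confirm that `SEPOLGEN_INSTALL_STAGING = YES` and the staging install are actually needed by another package; if nothing builds against it, the target install alone should do.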
-- 
1.7.1


* [Buildroot] [ PATCH v4 08/20] sqlite: Add host build support
  2013-12-12 18:27 [Buildroot] [ PATCH v4 00/20] SELinux Buildroot Additions Clayton Shotwell
                   ` (6 preceding siblings ...)
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 07/20] sepolgen: " Clayton Shotwell
@ 2013-12-12 18:27 ` Clayton Shotwell
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 09/20] setools: new package Clayton Shotwell
                   ` (11 subsequent siblings)
  19 siblings, 0 replies; 27+ messages in thread
From: Clayton Shotwell @ 2013-12-12 18:27 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v3 -> v4:
  - No changes.
Changes v2 -> v3:
  - Changed order of patch to correct dependency issue (suggested by Thomas).
Changes v1 -> v2:
  - No changes
---
 package/sqlite/sqlite.mk |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/package/sqlite/sqlite.mk b/package/sqlite/sqlite.mk
index b27eb58..f4905e5 100644
--- a/package/sqlite/sqlite.mk
+++ b/package/sqlite/sqlite.mk
@@ -60,3 +60,4 @@ SQLITE_CONF_OPT += --disable-readline
 endif
 
 $(eval $(autotools-package))
+$(eval $(host-autotools-package))
-- 
1.7.1


* [Buildroot] [ PATCH v4 09/20] setools: new package
  2013-12-12 18:27 [Buildroot] [ PATCH v4 00/20] SELinux Buildroot Additions Clayton Shotwell
                   ` (7 preceding siblings ...)
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 08/20] sqlite: Add host build support Clayton Shotwell
@ 2013-12-12 18:27 ` Clayton Shotwell
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 10/20] python-pyparsing: Add host build option Clayton Shotwell
                   ` (10 subsequent siblings)
  19 siblings, 0 replies; 27+ messages in thread
From: Clayton Shotwell @ 2013-12-12 18:27 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v3 -> v4:
  - Added back in the Python bindings configure option instead of
    relying on the Python package check (suggested by Thomas).
  - Revised the configure comments (suggested by Thomas).
Changes v2 -> v3:
  - Changes patch naming convention (suggested by Thomas).
  - Added dependencies on BR2_TOOLCHAIN_HAS_THREADS and BR2_LARGEFILE
    (suggested by Thomas).
Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format.
  - Cleaned up the patch to include a signed-off-by line.
  - Changed package dependencies into selects in the config.
  - Changed the original Python select in the Config.in to be a check
    in the mk file.
---
 package/Config.in                                  |    1 +
 package/setools/Config.in                          |   33 +
 .../setools/setools-0001-cross-compile-fixes.patch |  121 +++
 .../setools-0002-swig-typedef-python-fixes.patch   | 1014 ++++++++++++++++++++
 package/setools/setools.mk                         |   85 ++
 5 files changed, 1254 insertions(+), 0 deletions(-)
 create mode 100644 package/setools/Config.in
 create mode 100644 package/setools/setools-0001-cross-compile-fixes.patch
 create mode 100644 package/setools/setools-0002-swig-typedef-python-fixes.patch
 create mode 100644 package/setools/setools.mk

diff --git a/package/Config.in b/package/Config.in
index fb336eb..b62f123 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -939,6 +939,7 @@ endmenu
 
 menu "Security"
 source "package/sepolgen/Config.in"
+source "package/setools/Config.in"
 endmenu
 
 menu "Shell and utilities"
diff --git a/package/setools/Config.in b/package/setools/Config.in
new file mode 100644
index 0000000..3344ed3
--- /dev/null
+++ b/package/setools/Config.in
@@ -0,0 +1,33 @@
+config BR2_PACKAGE_SETOOLS
+	bool "setools"
+	select BR2_PACKAGE_LIBSELINUX
+	select BR2_PACKAGE_SQLITE
+	select BR2_PACKAGE_LIBXML2
+	select BR2_PACKAGE_BZIP2
+	depends on BR2_TOOLCHAIN_HAS_THREADS
+	depends on BR2_LARGEFILE
+	help
+	  SETools is an open source project designed to facilitate
+	  SELinux policy analysis. The primary tools are:
+	   * apol - analyze a SELinux policy.
+	   * seaudit - analyze audit messages from SELinux.
+	   * seaudit-report - generate highly-customized audit log
+	     reports.
+	   * sechecker - command line tool for performing modular
+	     checks on an SELinux policy.
+	   * sediff - semantic policy difference tool for SELinux.
+	   * secmds - command-line tools to analyze and search SELinux
+             policy.
+
+comment "setools needs a toolchain w/ largefile, threads"
+	depends on !BR2_TOOLCHAIN_HAS_THREADS || !BR2_LARGEFILE
+
+if BR2_PACKAGE_SETOOLS
+
+config BR2_PACKAGE_SETOOLS_PYTHON_BINDINGS
+	bool "python bindings"
+	select BR2_PACKAGE_PYTHON
+	help
+	  enable building python bindings
+
+endif
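Review bot: The help text is inconsistently indented and has no upstream URL: the continuation line `             policy.` uses spaces where every other help line uses a tab plus two spaces, and unlike the libsemanage, checkpolicy and sepolgen entries there is no project link at the end of the help. `BR2_PACKAGE_SETOOLS_PYTHON_BINDINGS` also selects `BR2_PACKAGE_PYTHON` without the `depends on BR2_USE_WCHAR # python` and `depends on BR2_USE_MMU # python` lines that the sepolgen Config.in carries for the same select; please add them together with a comment for the unmet case.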
diff --git a/package/setools/setools-0001-cross-compile-fixes.patch b/package/setools/setools-0001-cross-compile-fixes.patch
new file mode 100644
index 0000000..c931039
--- /dev/null
+++ b/package/setools/setools-0001-cross-compile-fixes.patch
@@ -0,0 +1,121 @@
+Correct build issues to enable cross compiling.  These rechanges require the
+package to be auto reconfigured.  
+
+Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
+
+diff -urN a/configure.ac b/configure.ac
+--- a/configure.ac	2013-01-16 10:36:24.000000000 -0600
++++ b/configure.ac	2013-07-12 08:22:10.380255248 -0500
+@@ -448,8 +448,9 @@
+               sepol_srcdir="")
+ if test "x${sepol_srcdir}" = "x"; then
+    sepol_srcdir=${sepol_devel_libdir}
+-   AC_CHECK_FILE([${sepol_srcdir}/libsepol.a],,
+-      AC_MSG_ERROR([make sure libsepol-static is installed]))
++   if test ! -f ${sepol_srcdir}/libsepol.a; then
++      AC_MSG_ERROR([could not find precompiled libsepol.a])
++   fi
+ else
+    AC_MSG_CHECKING([for compatible sepol source tree])
+    sepol_version=${sepol_srcdir}/VERSION
+@@ -484,8 +485,9 @@
+    AC_CHECK_HEADER([sepol/policydb/policydb.h], , AC_MSG_ERROR([could not find sepol source tree]))
+    CFLAGS="${sepol_src_save_CFLAGS}"
+    CPPFLAGS="${sepol_src_save_CPPFLAGS}"
+-   AC_CHECK_FILE([${sepol_srcdir}/libsepol.a],,
+-      AC_MSG_ERROR([could not find precompiled libsepol.a]))
++   if test ! -f ${sepol_srcdir}/libsepol.a; then
++      AC_MSG_ERROR([could not find precompiled libsepol.a])
++   fi
+    sepol_devel_incdir="${sepol_srcdir}/../include"
+ fi
+ SELINUX_CFLAGS="-I${sepol_devel_incdir} -I${selinux_devel_incdir}"
+@@ -578,12 +580,13 @@
+                          [AC_LANG_SOURCE([
+ #include <sepol/policydb/expand.h>
+ int main () {
+-  return expand_module_avrules(NULL, NULL, NULL, NULL, NULL, 0, 0);
++  return expand_module_avrules(NULL, NULL, NULL, NULL, NULL, 0, 0, 0, 0);
+ }])],
+                          AC_MSG_RESULT([yes]),
+                          AC_MSG_ERROR([this version of libsepol is incompatible with SETools]))
+     fi
+     sepol_new_expand_boolmap="yes"
++    sepol_new_user_role_mapping="yes"
+ else
+     sepol_new_expand_boolmap="no"
+ fi
+@@ -607,7 +610,8 @@
+     exit(EXIT_FAILURE);
+ }])],
+     sepol_policy_version_max=`cat conftest.data`,
+-    AC_MSG_FAILURE([could not determine maximum libsepol policy version]))
++    AC_MSG_FAILURE([could not determine maximum libsepol policy version]),
++    sepol_policy_version_max="26")
+ AC_DEFINE_UNQUOTED(SEPOL_POLICY_VERSION_MAX, ${sepol_policy_version_max}, [maximum policy version supported by libsepol])
+ CFLAGS="${sepol_save_CFLAGS}"
+ CPPFLAGS="${sepol_save_CPPFLAGS}"
+@@ -631,7 +635,7 @@
+     changequote([,])dnl
+     selinux_save_CFLAGS="${CFLAGS}"
+     CFLAGS="${SELINUX_CFLAGS} ${SELINUX_LIB_FLAG} -lselinux -lsepol ${CFLAGS}"
+-    gcc ${CFLAGS} -o conftest conftest.c >&5
++    ${CC} ${CFLAGS} -o conftest conftest.c >&5
+     selinux_policy_dir=`./conftest`
+     AC_MSG_RESULT(${selinux_policy_dir})
+     CFLAGS="${selinux_save_CFLAGS}"
+diff -urN a/libqpol/src/policy_define.c b/libqpol/src/policy_define.c
+--- a/libqpol/src/policy_define.c	2013-01-16 10:36:24.000000000 -0600
++++ b/libqpol/src/policy_define.c	2013-07-12 08:22:10.380255248 -0500
+@@ -2135,7 +2135,7 @@
+ #ifdef HAVE_SEPOL_ROLE_ATTRS
+ 	if (role_set_expand(&roles, &e_roles, policydbp, NULL, NULL))
+ #elif HAVE_SEPOL_USER_ROLE_MAPPING
+-	if (role_set_expand(&roles, &e_roles, policydbp, NULL))
++	if (role_set_expand(&roles, &e_roles, policydbp, NULL, NULL))
+ #else
+ 	if (role_set_expand(&roles, &e_roles, policydbp))
+ #endif
+diff -urN a/m4/ac_python_devel.m4 b/m4/ac_python_devel.m4
+--- a/m4/ac_python_devel.m4	2013-01-16 10:36:22.000000000 -0600
++++ b/m4/ac_python_devel.m4	2013-07-12 08:22:10.380255248 -0500
+@@ -234,7 +234,7 @@
+ 	AC_MSG_CHECKING([consistency of all components of python development environment])
+ 	AC_LANG_PUSH([C])
+ 	# save current global flags
+-	LIBS="$ac_save_LIBS $PYTHON_LDFLAGS"
++	LIBS="$ac_save_LIBS $PYTHON_EXTRA_LIBS $PYTHON_LDFLAGS"
+ 	CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
+ 	AC_TRY_LINK([
+ 		#include <Python.h>
+diff -urN a/python/setools/Makefile.am b/python/setools/Makefile.am
+--- a/python/setools/Makefile.am	2013-01-16 10:36:22.000000000 -0600
++++ b/python/setools/Makefile.am	2013-07-12 08:22:19.200251011 -0500
+@@ -22,13 +22,13 @@
+ python-build: sesearch.c seinfo.c
+ 	@mkdir -p setools
+ 	@cp __init__.py setools
+-	LIBS="$(QPOL_LIB_FLAG) $(APOL_LIB_FLAG)" INCLUDES="$(QPOL_CFLAGS) $(APOL_CFLAGS)" $(PYTHON) setup.py build
++	LIBS="$(QPOL_LIB_FLAG) $(APOL_LIB_FLAG)" LIBDIRS="$(PYTHON_LDFLAGS)" INCLUDES="$(PYTHON_CPPFLAGS) $(QPOL_CFLAGS) $(APOL_CFLAGS)" CC="$(CC)" CFLAGS="$(CFLAGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(LDFLAGS)" $(PYTHON) setup.py build_ext
+ 
+ install-exec-hook:
+-	$(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
++	$(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --prefix=$(DESTDIR)/usr`
+ 
+ uninstall-hook: 
+-	$(PYTHON) setup.py uninstall `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
++	$(PYTHON) setup.py uninstall `test -n "$(DESTDIR)" && echo --prefix=$(DESTDIR)/usr`
+ 
+ clean-local:
+ 	$(PYTHON) setup.py clean -a 
+--- a/python/setools/setup.py	2013-01-16 10:36:22.000000000 -0600
++++ b/python/setools/setup.py	2013-09-04 09:17:48.452916991 -0500
+@@ -8,7 +8,7 @@
+ try:
+     inc=os.getenv("INCLUDES").split(" ")    
+     INCLUDES=map(lambda x: x[2:], inc)
+-    LIBDIRS=map(lambda x: "/".join(x.split("/")[:-1]), os.getenv("LIBS").split())
++    LIBDIRS=map(lambda x: "/".join(x.split("/")[:-1]), os.getenv("LIBS").split()) + map(lambda x: x[2:], os.getenv("LIBDIRS").split())
+ except:
+     INCLUDES=""
+     LIBDIRS=""
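Review bot: In the configure.ac part, replacing `gcc` with `${CC}` is not enough for cross-compilation, because the next line still runs the result on the build machine with ``selinux_policy_dir=`./conftest` ``; a binary built by a cross compiler will not execute there, so the policy directory needs to come from a configure argument or cache variable instead. Related points in the same file: the cross-compile fallback hard-codes `sepol_policy_version_max="26"`, which will silently go stale when libsepol is updated and deserves at least a comment tying it to the packaged libsepol version; the first `AC_CHECK_FILE` replacement changes the error text from "make sure libsepol-static is installed" to "could not find precompiled libsepol.a", dropping the hint about what to install; and `test ! -f ${sepol_srcdir}/libsepol.a` should quote the path. In setup.py, `os.getenv("LIBDIRS").split()` raises when `LIBDIRS` is unset, and the surrounding bare `except:` then resets both `INCLUDES` and `LIBDIRS` to empty strings, discarding the values that were set; use a default such as `os.getenv("LIBDIRS", "")`. Concatenating two `map(...)` results with `+` also works only where `map` returns a list. Finally, the patch header says "These rechanges" and its `Signed-off-by` tag lacks the colon.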
diff --git a/package/setools/setools-0002-swig-typedef-python-fixes.patch b/package/setools/setools-0002-swig-typedef-python-fixes.patch
new file mode 100644
index 0000000..999fed4
--- /dev/null
+++ b/package/setools/setools-0002-swig-typedef-python-fixes.patch
@@ -0,0 +1,1014 @@
+Correct swig typdef naming convention errors that cause the build to break. 
+
+Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
+
+--- a/libapol/swig/apol.i	2010-04-23 11:22:08.000000000 -0500
++++ b/libapol/swig/apol.i	2012-08-29 08:04:29.000000000 -0500
+@@ -232,7 +232,7 @@
+ %newobject wrap_apol_str_to_internal_ip(char*);
+ %rename(apol_str_to_internal_ip) wrap_apol_str_to_internal_ip;
+ %inline %{
+-	typedef struct apol_ip {
++	typedef struct {
+ 		uint32_t ip[4];
+ 		int proto;
+ 	} apol_ip_t;
+@@ -301,7 +301,7 @@
+ %inline %{
+ 	typedef struct apol_string_vector apol_string_vector_t;
+ %}
+-typedef struct apol_vector {} apol_vector_t;
++typedef struct {} apol_vector_t;
+ %extend apol_vector_t {
+ 	apol_vector_t() {
+ 		return apol_vector_create(NULL);
+@@ -377,7 +377,7 @@
+ 		return apol_vector_compare(a, b, NULL, NULL, &idx);
+ 	}
+ %}
+-typedef struct apol_string_vector {} apol_string_vector_t;
++typedef struct {} apol_string_vector_t;
+ %extend apol_string_vector_t {
+ 	apol_string_vector_t() {
+ 		return (apol_string_vector_t*)apol_vector_create(free);
+@@ -460,7 +460,7 @@
+ 	APOL_POLICY_PATH_TYPE_MONOLITHIC = 0,
+ 	APOL_POLICY_PATH_TYPE_MODULAR
+ } apol_policy_path_type_e;
+-typedef struct apol_policy_path {} apol_policy_path_t;
++typedef struct {} apol_policy_path_t;
+ %extend apol_policy_path_t {
+ 	apol_policy_path_t(apol_policy_path_type_e type, char * primary, apol_string_vector_t *modules = NULL) {
+ 		apol_policy_path_t *p;
+@@ -540,7 +540,7 @@
+ int apol_file_is_policy_path_list(const char *filename);
+ 
+ /* apol policy */
+-typedef struct apol_policy {} apol_policy_t;
++typedef struct {} apol_policy_t;
+ #define APOL_PERMMAP_MAX_WEIGHT 10
+ #define APOL_PERMMAP_MIN_WEIGHT 1
+ #define APOL_PERMMAP_UNMAPPED	0x00
+@@ -650,7 +650,7 @@
+ };
+ 
+ /* apol type query */
+-typedef struct apol_type_query {} apol_type_query_t;
++typedef struct {} apol_type_query_t;
+ %extend apol_type_query_t {
+ 	apol_type_query_t() {
+ 		apol_type_query_t *tq;
+@@ -692,7 +692,7 @@
+ };
+ 
+ /* apol attribute query */
+-typedef struct apol_attr_query {} apol_attr_query_t;
++typedef struct {} apol_attr_query_t;
+ %extend apol_attr_query_t {
+ 	apol_attr_query_t() {
+ 		apol_attr_query_t *aq;
+@@ -734,7 +734,7 @@
+ };
+ 
+ /* apol role query */
+-typedef struct apol_role_query {} apol_role_query_t;
++typedef struct {} apol_role_query_t;
+ %extend apol_role_query_t {
+ 	apol_role_query_t() {
+ 		apol_role_query_t *rq;
+@@ -786,7 +786,7 @@
+ int apol_role_has_type(apol_policy_t * p, qpol_role_t * r, qpol_type_t * t);
+ 
+ /* apol class query */
+-typedef struct apol_class_query {} apol_class_query_t;
++typedef struct {} apol_class_query_t;
+ %extend apol_class_query_t {
+ 	apol_class_query_t() {
+ 		apol_class_query_t *cq;
+@@ -837,7 +837,7 @@
+ };
+ 
+ /* apol common query */
+-typedef struct apol_common_query {} apol_common_query_t;
++typedef struct {} apol_common_query_t;
+ %extend apol_common_query_t {
+ 	apol_common_query_t() {
+ 		apol_common_query_t *cq;
+@@ -879,7 +879,7 @@
+ };
+ 
+ /* apol perm query */
+-typedef struct apol_perm_query {} apol_perm_query_t;
++typedef struct {} apol_perm_query_t;
+ %extend apol_perm_query_t {
+ 	apol_perm_query_t() {
+ 		apol_perm_query_t *pq;
+@@ -921,7 +921,7 @@
+ };
+ 
+ /* apol bool query */
+-typedef struct apol_bool_query {} apol_bool_query_t;
++typedef struct {} apol_bool_query_t;
+ %extend apol_bool_query_t {
+ 	apol_bool_query_t() {
+ 		apol_bool_query_t *bq;
+@@ -963,7 +963,7 @@
+ };
+ 
+ /* apol mls level */
+-typedef struct apol_mls_level {} apol_mls_level_t;
++typedef struct {} apol_mls_level_t;
+ %extend apol_mls_level_t {
+ 	apol_mls_level_t() {
+ 		apol_mls_level_t *aml;
+@@ -1122,11 +1122,11 @@
+ %typemap(in) apol_mls_level_t *lvl {
+ 	void *x = NULL;
+ 	Py_IncRef($input);
+-	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_mls_level, 0 |  0 );
++	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_mls_level_t, 0 |  0 );
+ 	$1 = (apol_mls_level_t*)x;
+ }
+ #endif
+-typedef struct apol_mls_range {} apol_mls_range_t;
++typedef struct {} apol_mls_range_t;
+ %extend apol_mls_range_t {
+ 	apol_mls_range_t() {
+ 		apol_mls_range_t *amr;
+@@ -1276,7 +1276,7 @@
+ %}
+ 
+ /* apol level query */
+-typedef struct apol_level_query {} apol_level_query_t;
++typedef struct {} apol_level_query_t;
+ %extend apol_level_query_t {
+ 	apol_level_query_t() {
+ 		apol_level_query_t * alq;
+@@ -1327,7 +1327,7 @@
+ };
+ 
+ /* apol cat query */
+-typedef struct apol_cat_query {} apol_cat_query_t;
++typedef struct {} apol_cat_query_t;
+ %extend apol_cat_query_t {
+ 	apol_cat_query_t() {
+ 		apol_cat_query_t * acq;
+@@ -1373,11 +1373,11 @@
+ %typemap(in) apol_mls_range_t *rng {
+ 	void *x = NULL;
+ 	Py_IncRef($input);
+-	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_mls_range, 0 |  0 );
++	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_mls_range_t, 0 |  0 );
+ 	$1 = (apol_mls_range_t*)x;
+ }
+ #endif
+-typedef struct apol_user_query {} apol_user_query_t;
++typedef struct {} apol_user_query_t;
+ %extend apol_user_query_t {
+ 	apol_user_query_t() {
+ 		apol_user_query_t *auq;
+@@ -1446,7 +1446,7 @@
+ };
+ 
+ /* apol context */
+-typedef struct apol_context {} apol_context_t;
++typedef struct {} apol_context_t;
+ %extend apol_context_t {
+ 	apol_context_t() {
+ 		apol_context_t *ctx;
+@@ -1581,7 +1581,7 @@
+ int apol_context_compare(apol_policy_t * p, apol_context_t * target, apol_context_t * search, unsigned int range_compare_type);
+ 
+ /* apol constraint query */
+-typedef struct apol_constraint_query {} apol_constraint_query_t;
++typedef struct {} apol_constraint_query_t;
+ %extend apol_constraint_query_t {
+ 	apol_constraint_query_t() {
+ 		apol_constraint_query_t *acq;
+@@ -1632,7 +1632,7 @@
+ };
+ 
+ /* apol validatetrans query */
+-typedef struct apol_validatetrans_query {} apol_validatetrans_query_t;
++typedef struct {} apol_validatetrans_query_t;
+ %extend apol_validatetrans_query_t {
+ 	apol_validatetrans_query_t() {
+ 		apol_validatetrans_query_t *avq;
+@@ -1678,11 +1678,11 @@
+ %typemap(in) apol_context_t *ctx {
+ 	void *x = NULL;
+ 	Py_IncRef($input);
+-	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_context, 0 |  0 );
++	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_context_t, 0 |  0 );
+ 	$1 = (apol_context_t*)x;
+ }
+ #endif
+-typedef struct apol_genfscon_query {} apol_genfscon_query_t;
++typedef struct {} apol_genfscon_query_t;
+ %extend apol_genfscon_query_t {
+ 	apol_genfscon_query_t() {
+ 		apol_genfscon_query_t *agq;
+@@ -1744,7 +1744,7 @@
+ char *apol_genfscon_render(apol_policy_t * p, qpol_genfscon_t * genfscon);
+ 
+ /* apol fs_use query */
+-typedef struct apol_fs_use_query {} apol_fs_use_query_t;
++typedef struct {} apol_fs_use_query_t;
+ %extend apol_fs_use_query_t {
+ 	apol_fs_use_query_t() {
+ 		apol_fs_use_query_t *afq;
+@@ -1797,7 +1797,7 @@
+ char *apol_fs_use_render(apol_policy_t * p, qpol_fs_use_t * fsuse);
+ 
+ /* apol initial sid query */
+-typedef struct apol_isid_query {} apol_isid_query_t;
++typedef struct {} apol_isid_query_t;
+ %extend apol_isid_query_t {
+ 	apol_isid_query_t() {
+ 		apol_isid_query_t *aiq;
+@@ -1839,7 +1839,7 @@
+ };
+ 
+ /* apol portcon query */
+-typedef struct apol_portcon_query {} apol_portcon_query_t;
++typedef struct {} apol_portcon_query_t;
+ %extend apol_portcon_query_t {
+ 	apol_portcon_query_t() {
+ 		apol_portcon_query_t *apq;
+@@ -1883,7 +1883,7 @@
+ char *apol_portcon_render(apol_policy_t * p, qpol_portcon_t * portcon);
+ 
+ /* apol netifcon query */
+-typedef struct apol_netifcon_query {} apol_netifcon_query_t;
++typedef struct {} apol_netifcon_query_t;
+ %extend apol_netifcon_query_t {
+ 	apol_netifcon_query_t() {
+ 		apol_netifcon_query_t *anq;
+@@ -1930,7 +1930,7 @@
+ char *apol_netifcon_render(apol_policy_t * p, qpol_netifcon_t * netifcon);
+ 
+ /* apol nodecon query */
+-typedef struct apol_nodecon_query {} apol_nodecon_query_t;
++typedef struct {} apol_nodecon_query_t;
+ %extend apol_nodecon_query_t {
+ 	apol_nodecon_query_t() {
+ 		apol_nodecon_query_t *anq;
+@@ -2010,7 +2010,7 @@
+ char *apol_nodecon_render(apol_policy_t * p, qpol_nodecon_t * nodecon);
+ 
+ /* apol avrule query */
+-typedef struct apol_avrule_query {} apol_avrule_query_t;
++typedef struct {} apol_avrule_query_t;
+ %extend apol_avrule_query_t {
+ 	apol_avrule_query_t() {
+ 		apol_avrule_query_t *avq;
+@@ -2161,7 +2161,7 @@
+ %}
+ 
+ /* apol terule query */
+-typedef struct apol_terule_query {} apol_terule_query_t;
++typedef struct {} apol_terule_query_t;
+ %extend apol_terule_query_t {
+ 	apol_terule_query_t() {
+ 		apol_terule_query_t *atq;
+@@ -2285,7 +2285,7 @@
+ apol_vector_t *apol_terule_list_to_syn_terules(apol_policy_t * p, apol_vector_t * rules);
+ 
+ /* apol cond rule query */
+-typedef struct apol_cond_query {} apol_cond_query_t;
++typedef struct {} apol_cond_query_t;
+ %extend apol_cond_query_t {
+ 	apol_cond_query_t() {
+ 		apol_cond_query_t *acq;
+@@ -2329,7 +2329,7 @@
+ char *apol_cond_expr_render(apol_policy_t * p, qpol_cond_t * cond);
+ 
+ /* apol role allow query */
+-typedef struct apol_role_allow_query {} apol_role_allow_query_t;
++typedef struct {} apol_role_allow_query_t;
+ %extend apol_role_allow_query_t {
+ 	apol_role_allow_query_t() {
+ 		apol_role_allow_query_t *arq;
+@@ -2385,7 +2385,7 @@
+ char *apol_role_allow_render(apol_policy_t * policy, qpol_role_allow_t * rule);
+ 
+ /* apol role transition rule query */
+-typedef struct apol_role_trans_query {} apol_role_trans_query_t;
++typedef struct {} apol_role_trans_query_t;
+ %extend apol_role_trans_query_t {
+ 	apol_role_trans_query_t() {
+ 		apol_role_trans_query_t *arq;
+@@ -2450,7 +2450,7 @@
+ char *apol_role_trans_render(apol_policy_t * policy, qpol_role_trans_t * rule);
+ 
+ /* apol range transition rule query */
+-typedef struct apol_range_trans_query {} apol_range_trans_query_t;
++typedef struct {} apol_range_trans_query_t;
+ %extend apol_range_trans_query_t {
+ 	apol_range_trans_query_t() {
+ 		apol_range_trans_query_t *arq;
+@@ -2529,7 +2529,7 @@
+ #define APOL_DOMAIN_TRANS_SEARCH_VALID		0x01
+ #define APOL_DOMAIN_TRANS_SEARCH_INVALID	0x02
+ #define APOL_DOMAIN_TRANS_SEARCH_BOTH		(APOL_DOMAIN_TRANS_SEARCH_VALID|APOL_DOMAIN_TRANS_SEARCH_INVALID)
+-typedef struct apol_domain_trans_analysis {} apol_domain_trans_analysis_t;
++typedef struct {} apol_domain_trans_analysis_t;
+ %extend apol_domain_trans_analysis_t {
+ 	apol_domain_trans_analysis_t() {
+ 		apol_domain_trans_analysis_t *dta;
+@@ -2620,7 +2620,7 @@
+ 		return v;
+ 	};
+ };
+-typedef struct apol_domain_trans_result {} apol_domain_trans_result_t;
++typedef struct {} apol_domain_trans_result_t;
+ %extend apol_domain_trans_result_t {
+ 	apol_domain_trans_result_t(apol_domain_trans_result_t *in) {
+ 		apol_domain_trans_result_t *dtr;
+@@ -2703,7 +2703,7 @@
+ 		*in = NULL;
+ 	}
+ %}
+-typedef struct apol_infoflow {} apol_infoflow_t;
++typedef struct {} apol_infoflow_t;
+ %extend apol_infoflow_t {
+ 	apol_infoflow_t() {
+ 		BEGIN_EXCEPTION
+@@ -2728,7 +2728,7 @@
+ 		return v;
+ 	};
+ };
+-typedef struct apol_infoflow_analysis {} apol_infoflow_analysis_t;
++typedef struct {} apol_infoflow_analysis_t;
+ %extend apol_infoflow_analysis_t {
+ 	apol_infoflow_analysis_t() {
+ 		apol_infoflow_analysis_t *aia;
+@@ -2821,7 +2821,7 @@
+ 		return;
+ 	};
+ };
+-typedef struct apol_infoflow_graph {} apol_infoflow_graph_t;
++typedef struct {} apol_infoflow_graph_t;
+ %extend apol_infoflow_graph_t {
+ 	apol_infoflow_graph_t() {
+ 		BEGIN_EXCEPTION
+@@ -2865,7 +2865,7 @@
+ 		return retval;
+ 	};
+ };
+-typedef struct apol_infoflow_result {} apol_infoflow_result_t;
++typedef struct {} apol_infoflow_result_t;
+ %extend apol_infoflow_result_t {
+ 	apol_infoflow_result_t() {
+ 		BEGIN_EXCEPTION
+@@ -2899,7 +2899,7 @@
+ 		return (apol_infoflow_result_t*)x;
+ 	};
+ %}
+-typedef struct apol_infoflow_step {} apol_infoflow_step_t;
++typedef struct {} apol_infoflow_step_t;
+ %extend apol_infoflow_step_t {
+ 	apol_infoflow_step_t() {
+ 		BEGIN_EXCEPTION
+@@ -2936,7 +2936,7 @@
+ #define APOL_RELABEL_DIR_FROM    0x02
+ #define APOL_RELABEL_DIR_BOTH    (APOL_RELABEL_DIR_TO|APOL_RELABEL_DIR_FROM)
+ #define APOL_RELABEL_DIR_SUBJECT 0x04
+-typedef struct apol_relabel_analysis {} apol_relabel_analysis_t;
++typedef struct {} apol_relabel_analysis_t;
+ %extend apol_relabel_analysis_t {
+ 	apol_relabel_analysis_t() {
+ 		apol_relabel_analysis_t *ara;
+@@ -3009,7 +3009,7 @@
+ 		return;
+ 	};
+ };
+-typedef struct apol_relabel_result {} apol_relabel_result_t;
++typedef struct {} apol_relabel_result_t;
+ %extend apol_relabel_result_t {
+ 	apol_relabel_result_t() {
+ 		BEGIN_EXCEPTION
+@@ -3040,7 +3040,7 @@
+ 		return (apol_relabel_result_t*)x;
+ 	};
+ %}
+-typedef struct apol_relabel_result_pair {} apol_relabel_result_pair_t;
++typedef struct {} apol_relabel_result_pair_t;
+ %extend apol_relabel_result_pair_t {
+ 	apol_relabel_result_pair_t() {
+ 		BEGIN_EXCEPTION
+@@ -3082,7 +3082,7 @@
+ #define APOL_TYPES_RELATION_DIRECT_FLOW 0x1000
+ #define APOL_TYPES_RELATION_TRANS_FLOW_AB 0x4000
+ #define APOL_TYPES_RELATION_TRANS_FLOW_BA 0x8000
+-typedef struct apol_types_relation_analysis {} apol_types_relation_analysis_t;
++typedef struct {} apol_types_relation_analysis_t;
+ %extend apol_types_relation_analysis_t {
+ 	apol_types_relation_analysis_t() {
+ 		apol_types_relation_analysis_t *atr;
+@@ -3137,7 +3137,7 @@
+ 		return;
+ 	};
+ };
+-typedef struct apol_types_relation_result {} apol_types_relation_result_t;
++typedef struct {} apol_types_relation_result_t;
+ %extend apol_types_relation_result_t {
+ 	apol_types_relation_result_t() {
+ 		BEGIN_EXCEPTION
+@@ -3192,7 +3192,7 @@
+ 		return apol_types_relation_result_get_domainsBA(self);
+ 	};
+ };
+-typedef struct apol_types_relation_access {} apol_types_relation_access_t;
++typedef struct {} apol_types_relation_access_t;
+ %extend apol_types_relation_access_t {
+ 	apol_types_relation_access_t() {
+ 		BEGIN_EXCEPTION
+--- a/libqpol/swig/qpol.i	2010-04-30 11:23:28.000000000 -0500
++++ b/libqpol/swig/qpol.i	2012-08-29 07:52:17.000000000 -0500
+@@ -226,7 +226,7 @@
+ #define QPOL_MODULE_UNKNOWN 0
+ #define QPOL_MODULE_BASE    1
+ #define QPOL_MODULE_OTHER   2
+-typedef struct qpol_module {} qpol_module_t;
++typedef struct {} qpol_module_t;
+ %extend qpol_module_t {
+ 	qpol_module_t(const char *path) {
+ 		qpol_module_t *m;
+@@ -310,7 +310,7 @@
+ #define QPOL_POLICY_OPTION_NO_NEVERALLOWS 0x00000001
+ #define QPOL_POLICY_OPTION_NO_RULES       0x00000002
+ #define QPOL_POLICY_OPTION_MATCH_SYSTEM   0x00000004
+-typedef struct qpol_policy {} qpol_policy_t;
++typedef struct {} qpol_policy_t;
+ typedef void (*qpol_callback_fn_t) (void *varg, struct qpol_policy * policy, int level, const char *fmt, va_list va_args);
+ #define QPOL_POLICY_UNKNOWN       -1
+ #define QPOL_POLICY_KERNEL_SOURCE  0
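Review bot: The callback typedef on the context line right after the changed line still takes `struct qpol_policy * policy`, but this hunk removes the `qpol_policy` tag from the declaration SWIG sees, so the interface file now refers to a struct tag it no longer declares. Consider changing that parameter to `qpol_policy_t * policy` in the same patch so both lines name the same type, or say in the patch description why the tag can stay there.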
+@@ -684,7 +684,7 @@
+ };
+ 
+ /* qpol iterator */
+-typedef struct qpol_iterator {} qpol_iterator_t;
++typedef struct {} qpol_iterator_t;
+ %extend qpol_iterator_t {
+ 	/* user never directly creates, but SWIG expects a constructor */
+ 	qpol_iterator_t() {
+@@ -734,7 +734,7 @@
+ };
+ 
+ /* qpol type */
+-typedef struct qpol_type {} qpol_type_t;
++typedef struct {} qpol_type_t;
+ %extend qpol_type_t {
+ 	qpol_type_t(qpol_policy_t *p, const char *name) {
+ 		BEGIN_EXCEPTION
+@@ -849,7 +849,7 @@
+ %}
+ 
+ /* qpol role */
+-typedef struct qpol_role {} qpol_role_t;
++typedef struct {} qpol_role_t;
+ %extend qpol_role_t {
+ 	qpol_role_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_role_t *r;
+@@ -917,7 +917,7 @@
+ %}
+ 
+ /* qpol level */
+-typedef struct qpol_level {} qpol_level_t;
++typedef struct {} qpol_level_t;
+ %extend qpol_level_t {
+ 	qpol_level_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_level_t *l;
+@@ -995,7 +995,7 @@
+ %}
+ 
+ /* qpol cat */
+-typedef struct qpol_cat {} qpol_cat_t;
++typedef struct {} qpol_cat_t;
+ %extend qpol_cat_t {
+ 	qpol_cat_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_cat_t *c;
+@@ -1062,7 +1062,7 @@
+ %}
+ 
+ /* qpol mls range */
+-typedef struct qpol_mls_range {} qpol_mls_range_t;
++typedef struct {} qpol_mls_range_t;
+ %extend qpol_mls_range_t {
+ 	qpol_mls_range_t() {
+ 		BEGIN_EXCEPTION
+@@ -1103,7 +1103,7 @@
+ %}
+ 
+ /* qpol mls level */
+-typedef struct qpol_mls_level {} qpol_mls_level_t;
++typedef struct {} qpol_mls_level_t;
+ %extend qpol_mls_level_t {
+ 	qpol_mls_level_t() {
+ 		BEGIN_EXCEPTION
+@@ -1145,7 +1145,7 @@
+ %}
+ 
+ /* qpol user */
+-typedef struct qpol_user {} qpol_user_t;
++typedef struct {} qpol_user_t;
+ %extend qpol_user_t {
+ 	qpol_user_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_user_t *u;
+@@ -1221,7 +1221,7 @@
+ %}
+ 
+ /* qpol bool */
+-typedef struct qpol_bool {} qpol_bool_t;
++typedef struct {} qpol_bool_t;
+ %extend qpol_bool_t {
+ 	qpol_bool_t(qpol_policy_t *p, const char *name) {
+ 		qpol_bool_t *b;
+@@ -1293,7 +1293,7 @@
+ %}
+ 
+ /* qpol context */
+-typedef struct qpol_context {} qpol_context_t;
++typedef struct {} qpol_context_t;
+ %extend qpol_context_t {
+ 	qpol_context_t() {
+ 		BEGIN_EXCEPTION
+@@ -1354,7 +1354,7 @@
+ %}
+ 
+ /* qpol class */
+-typedef struct qpol_class {} qpol_class_t;
++typedef struct {} qpol_class_t;
+ %extend qpol_class_t {
+ 	qpol_class_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_class_t *c;
+@@ -1441,7 +1441,7 @@
+ %}
+ 
+ /* qpol common */
+-typedef struct qpol_common {} qpol_common_t;
++typedef struct {} qpol_common_t;
+ %extend qpol_common_t {
+ 	qpol_common_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_common_t *c;
+@@ -1514,7 +1514,7 @@
+ #define QPOL_FS_USE_NONE  5U
+ #define QPOL_FS_USE_PSID  6U
+ #endif
+-typedef struct qpol_fs_use {} qpol_fs_use_t;
++typedef struct {} qpol_fs_use_t;
+ %extend qpol_fs_use_t {
+ 	qpol_fs_use_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_fs_use_t *f;
+@@ -1592,7 +1592,7 @@
+ #define QPOL_CLASS_LNK_FILE   9U
+ #define QPOL_CLASS_SOCK_FILE 12U
+ #endif
+-typedef struct qpol_genfscon {} qpol_genfscon_t;
++typedef struct {} qpol_genfscon_t;
+ %extend qpol_genfscon_t {
+ 	qpol_genfscon_t(qpol_policy_t *p, const char *name, const char *path) {
+ 		qpol_genfscon_t *g;
+@@ -1655,7 +1655,7 @@
+ %}
+ 
+ /* qpol isid */
+-typedef struct qpol_isid {} qpol_isid_t;
++typedef struct {} qpol_isid_t;
+ %extend qpol_isid_t {
+ 	qpol_isid_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_isid_t *i;
+@@ -1699,7 +1699,7 @@
+ %}
+ 
+ /* qpol netifcon */
+-typedef struct qpol_netifcon {} qpol_netifcon_t;
++typedef struct {} qpol_netifcon_t;
+ %extend qpol_netifcon_t {
+ 	qpol_netifcon_t(qpol_policy_t *p, const char *name) {
+ 		const qpol_netifcon_t *n;
+@@ -1755,7 +1755,7 @@
+ /* qpol nodecon */
+ #define QPOL_IPV4 0
+ #define QPOL_IPV6 1
+-typedef struct qpol_nodecon {} qpol_nodecon_t;
++typedef struct {} qpol_nodecon_t;
+ %extend qpol_nodecon_t {
+ 	qpol_nodecon_t(qpol_policy_t *p, int addr[4], int mask[4], int protocol) {
+ 		uint32_t a[4], m[4];
+@@ -1828,7 +1828,7 @@
+ /* from netinet/in.h */
+ #define IPPROTO_TCP 6
+ #define IPPROTO_UDP 17
+-typedef struct qpol_portcon {} qpol_portcon_t;
++typedef struct {} qpol_portcon_t;
+ %extend qpol_portcon_t {
+ 	qpol_portcon_t(qpol_policy_t *p, uint16_t low, uint16_t high, uint8_t protocol) {
+ 		const qpol_portcon_t *qp;
+@@ -1892,7 +1892,7 @@
+ %}
+ 
+ /* qpol constraint */
+-typedef struct qpol_constraint {} qpol_constraint_t;
++typedef struct {} qpol_constraint_t;
+ %extend qpol_constraint_t {
+ 	qpol_constraint_t() {
+ 		BEGIN_EXCEPTION
+@@ -1944,7 +1944,7 @@
+ %}
+ 
+ /* qpol validatetrans */
+-typedef struct qpol_validatetrans {} qpol_validatetrans_t;
++typedef struct {} qpol_validatetrans_t;
+ %extend qpol_validatetrans_t {
+ 	qpol_validatetrans_t() {
+ 		BEGIN_EXCEPTION
+@@ -2009,7 +2009,7 @@
+ #define QPOL_CEXPR_OP_DOM    3
+ #define QPOL_CEXPR_OP_DOMBY  4
+ #define QPOL_CEXPR_OP_INCOMP 5
+-typedef struct qpol_constraint_expr_node {} qpol_constraint_expr_node_t;
++typedef struct {} qpol_constraint_expr_node_t;
+ %extend qpol_constraint_expr_node_t {
+ 	qpol_constraint_expr_node_t() {
+ 		BEGIN_EXCEPTION
+@@ -2071,7 +2071,7 @@
+ %}
+ 
+ /* qpol role allow */
+-typedef struct qpol_role_allow {} qpol_role_allow_t;
++typedef struct {} qpol_role_allow_t;
+ %extend qpol_role_allow_t {
+ 	qpol_role_allow_t() {
+ 		BEGIN_EXCEPTION
+@@ -2112,7 +2112,7 @@
+ %}
+ 
+ /* qpol role trans */
+-typedef struct qpol_role_trans {} qpol_role_trans_t;
++typedef struct {} qpol_role_trans_t;
+ %extend qpol_role_trans_t {
+ 	qpol_role_trans_t() {
+ 		BEGIN_EXCEPTION
+@@ -2163,7 +2163,7 @@
+ %}
+ 
+ /* qpol range trans */
+-typedef struct qpol_range_trans {} qpol_range_trans_t;
++typedef struct {} qpol_range_trans_t;
+ %extend qpol_range_trans_t {
+ 	qpol_range_trans_t() {
+ 		BEGIN_EXCEPTION
+@@ -2226,7 +2226,7 @@
+ #define QPOL_RULE_NEVERALLOW  128
+ #define QPOL_RULE_AUDITALLOW    2
+ #define QPOL_RULE_DONTAUDIT     4
+-typedef struct qpol_avrule {} qpol_avrule_t;
++typedef struct {} qpol_avrule_t;
+ %extend qpol_avrule_t {
+ 	qpol_avrule_t() {
+ 		BEGIN_EXCEPTION
+@@ -2346,7 +2346,7 @@
+ #define QPOL_RULE_TYPE_TRANS   16
+ #define QPOL_RULE_TYPE_CHANGE  64
+ #define QPOL_RULE_TYPE_MEMBER  32
+-typedef struct qpol_terule {} qpol_terule_t;
++typedef struct {} qpol_terule_t;
+ %extend qpol_terule_t {
+ 	qpol_terule_t() {
+ 		BEGIN_EXCEPTION
+@@ -2462,7 +2462,7 @@
+ %}
+ 
+ /* qpol conditional */
+-typedef struct qpol_cond {} qpol_cond_t;
++typedef struct {} qpol_cond_t;
+ %extend qpol_cond_t {
+ 	qpol_cond_t() {
+ 		BEGIN_EXCEPTION
+@@ -2555,7 +2555,7 @@
+ #define QPOL_COND_EXPR_XOR  5      /* bool ^ bool */
+ #define QPOL_COND_EXPR_EQ   6      /* bool == bool */
+ #define QPOL_COND_EXPR_NEQ  7      /* bool != bool */
+-typedef struct qpol_cond_expr_node {} qpol_cond_expr_node_t;
++typedef struct {} qpol_cond_expr_node_t;
+ %extend qpol_cond_expr_node_t {
+ 	qpol_cond_expr_node_t() {
+ 		BEGIN_EXCEPTION
+@@ -2600,7 +2600,7 @@
+ %}
+ 
+ /* qpol type set */
+-typedef struct qpol_type_set {} qpol_type_set_t;
++typedef struct {} qpol_type_set_t;
+ %extend qpol_type_set_t {
+ 	qpol_type_set_t() {
+ 		BEGIN_EXCEPTION
+@@ -2663,7 +2663,7 @@
+ %}
+ 
+ /* qpol syn av rule */
+-typedef struct qpol_syn_avrule {} qpol_syn_avrule_t;
++typedef struct {} qpol_syn_avrule_t;
+ %extend qpol_syn_avrule_t {
+ 	qpol_syn_avrule_t() {
+ 		BEGIN_EXCEPTION
+@@ -2776,7 +2776,7 @@
+ %}
+ 
+ /* qpol syn te rule */
+-typedef struct qpol_syn_terule {} qpol_syn_terule_t;
++typedef struct {} qpol_syn_terule_t;
+ %extend qpol_syn_terule_t {
+ 	qpol_syn_terule_t() {
+ 		BEGIN_EXCEPTION
+--- a/libpoldiff/swig/poldiff.i	2007-10-31 16:03:33.000000000 -0500
++++ b/libpoldiff/swig/poldiff.i	2012-08-29 08:08:02.000000000 -0500
+@@ -258,7 +258,7 @@
+ 
+ /* for handling the get_stats function */
+ %{
+-	typedef struct poldiff_stats {
++	typedef struct {
+ 		size_t stats[5];
+ 	} poldiff_stats_t;
+ 	poldiff_stats_t *poldiff_stats_create() {
+@@ -271,7 +271,7 @@
+ 		*x = NULL;
+ 	}
+ %}
+-typedef struct poldiff_stats {} poldiff_stats_t;
++typedef struct {} poldiff_stats_t;
+ %extend poldiff_stats_t {
+ 	poldiff_stats_t() {
+ 		poldiff_stats_t *s;
+@@ -336,17 +336,17 @@
+ %typemap(in) apol_policy_t *op {
+ 	void *x = NULL;
+ 	Py_IncRef($input);
+-	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_policy, 0 |  0 );
++	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_policy_t, 0 |  0 );
+ 	$1 = (apol_policy_t*)x;
+ }
+ %typemap(in) apol_policy_t *mp {
+ 	void *x = NULL;
+ 	Py_IncRef($input);
+-	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_policy, 0 |  0 );
++	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_apol_policy_t, 0 |  0 );
+ 	$1 = (apol_policy_t*)x;
+ }
+ #endif
+-typedef struct poldiff {} poldiff_t;
++typedef struct {} poldiff_t;
+ %extend poldiff_t {
+ 	poldiff_t(apol_policy_t *op, apol_policy_t *mp) {
+ 		poldiff_t *p;
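Review bot: Both typemaps in this hunk still ignore the return value of `SWIG_ConvertPtr`, so if `SWIGTYPE_p_apol_policy_t` does not match the descriptor the object was created with, `x` stays NULL and a NULL `apol_policy_t*` is handed to `poldiff_t()` with no Python-side error. Since these lines are being touched anyway, check the result and fail the conversion on error. `Py_IncRef($input)` also has no matching decrement visible in the hunk, so it is worth a comment on who owns that reference. The `seaudit_filter_t` and `seaudit_sort_t` typemaps changed further down in seaudit.i have the same shape.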
+@@ -476,7 +476,7 @@
+ };
+ 
+ /* attribute diff */
+-typedef struct poldiff_attrib {} poldiff_attrib_t;
++typedef struct {} poldiff_attrib_t;
+ %extend poldiff_attrib_t {
+    poldiff_attrib_t () {
+       BEGIN_EXCEPTION
+@@ -521,7 +521,7 @@
+ %}
+ 
+ /* av rule diff */
+-typedef struct poldiff_avrule {} poldiff_avrule_t;
++typedef struct {} poldiff_avrule_t;
+ %extend poldiff_avrule_t {
+    poldiff_avrule_t() {
+       BEGIN_EXCEPTION
+@@ -629,7 +629,7 @@
+ %}
+ 
+ /* boolean diff */
+-typedef struct poldiff_bool {} poldiff_bool_t;
++typedef struct {} poldiff_bool_t;
+ %extend poldiff_bool_t {
+ 	poldiff_bool_t() {
+       BEGIN_EXCEPTION
+@@ -668,7 +668,7 @@
+ %}
+ 
+ /* category diff */
+-typedef struct poldiff_cat {} poldiff_cat_t;
++typedef struct {} poldiff_cat_t;
+ %extend poldiff_cat_t {
+ 	poldiff_cat_t() {
+       BEGIN_EXCEPTION
+@@ -707,7 +707,7 @@
+ %}
+ 
+ /* class diff */
+-typedef struct poldiff_class {} poldiff_class_t;
++typedef struct {} poldiff_class_t;
+ %extend poldiff_class_t {
+ 	poldiff_class_t() {
+       BEGIN_EXCEPTION
+@@ -752,7 +752,7 @@
+ %}
+ 
+ /* common diff */
+-typedef struct poldiff_common {} poldiff_common_t;
++typedef struct {} poldiff_common_t;
+ %extend poldiff_common_t {
+ 	poldiff_common_t() {
+       BEGIN_EXCEPTION
+@@ -797,7 +797,7 @@
+ %}
+ 
+ /* level diff */
+-typedef struct poldiff_level {} poldiff_level_t;
++typedef struct {} poldiff_level_t;
+ %extend poldiff_level_t {
+ 	poldiff_level_t() {
+       BEGIN_EXCEPTION
+@@ -857,7 +857,7 @@
+ %}
+ 
+ /* range diff */
+-typedef struct poldiff_range {} poldiff_range_t;
++typedef struct {} poldiff_range_t;
+ %extend poldiff_range_t {
+ 	poldiff_range_t() {
+       BEGIN_EXCEPTION
+@@ -908,7 +908,7 @@
+ %}
+ 
+ /* range_transition rule diff */
+-typedef struct poldiff_range_trans {} poldiff_range_trans_t;
++typedef struct {} poldiff_range_trans_t;
+ %extend poldiff_range_trans_t {
+ 	poldiff_range_trans_t() {
+       BEGIN_EXCEPTION
+@@ -956,7 +956,7 @@
+ %}
+ 
+ /* role allow rule diff */
+-typedef struct poldiff_role_allow {} poldiff_role_allow_t;
++typedef struct {} poldiff_role_allow_t;
+ %extend poldiff_role_allow_t {
+ 	poldiff_role_allow_t() {
+       BEGIN_EXCEPTION
+@@ -1004,7 +1004,7 @@
+ %}
+ 
+ /* role_transition rule diff */
+-typedef struct poldiff_role_trans {} poldiff_role_trans_t;
++typedef struct {} poldiff_role_trans_t;
+ %extend poldiff_role_trans_t {
+ 	poldiff_role_trans_t() {
+       BEGIN_EXCEPTION
+@@ -1052,7 +1052,7 @@
+ %}
+ 
+ /* role diff */
+-typedef struct poldiff_role {} poldiff_role_t;
++typedef struct {} poldiff_role_t;
+ %extend poldiff_role_t {
+ 	poldiff_role_t() {
+       BEGIN_EXCEPTION
+@@ -1097,7 +1097,7 @@
+ %}
+ 
+ /* te rule diff */
+-typedef struct poldiff_terule {} poldiff_terule_t;
++typedef struct {} poldiff_terule_t;
+ %extend poldiff_terule_t {
+ 	poldiff_terule_t() {
+       BEGIN_EXCEPTION
+@@ -1178,7 +1178,7 @@
+ %}
+ 
+ /* type diff */
+-typedef struct poldiff_type {} poldiff_type_t;
++typedef struct {} poldiff_type_t;
+ %extend poldiff_type_t {
+ 	poldiff_type_t() {
+       BEGIN_EXCEPTION
+@@ -1223,7 +1223,7 @@
+ %}
+ 
+ /* user diff */
+-typedef struct poldiff_user {} poldiff_user_t;
++typedef struct {} poldiff_user_t;
+ %extend poldiff_user_t {
+ 	poldiff_user_t() {
+       BEGIN_EXCEPTION
+@@ -1280,7 +1280,7 @@
+ %}
+ 
+ /* type remap */
+-typedef struct poldiff_type_remap_entry {} poldiff_type_remap_entry_t;
++typedef struct {} poldiff_type_remap_entry_t;
+ %extend poldiff_type_remap_entry_t {
+ 	poldiff_type_remap_entry_t() {
+       BEGIN_EXCEPTION
+--- a/libseaudit/swig/seaudit.i	2007-10-31 16:03:33.000000000 -0500
++++ b/libseaudit/swig/seaudit.i	2012-08-29 08:11:39.000000000 -0500
+@@ -240,7 +240,7 @@
+ %{
+ 	typedef struct tm tm_t;
+ %}
+-typedef struct tm {
++typedef struct {
+ 	int tm_sec;   /* seconds */
+ 	int tm_min;   /* minutes */
+ 	int tm_hour;  /* hours */
+@@ -278,7 +278,7 @@
+ 	SEAUDIT_LOG_TYPE_SYSLOG,
+ 	SEAUDIT_LOG_TYPE_AUDITD
+ } seaudit_log_type_e;
+-typedef struct seaudit_log {} seaudit_log_t;
++typedef struct {} seaudit_log_t;
+ %extend seaudit_log_t {
+ 	seaudit_log_t() {
+ 		seaudit_log_t *slog;
+@@ -355,7 +355,7 @@
+ 	SEAUDIT_MESSAGE_TYPE_AVC,
+ 	SEAUDIT_MESSAGE_TYPE_LOAD
+ } seaudit_message_type_e;
+-typedef struct seaudit_message {} seaudit_message_t;
++typedef struct {} seaudit_message_t;
+ %extend seaudit_message_t {
+ 	seaudit_message_t() {
+ 		BEGIN_EXCEPTION
+@@ -427,7 +427,7 @@
+ %}
+ 
+ /* seaudit load message */
+-typedef struct seaudit_load_message {} seaudit_load_message_t;
++typedef struct {} seaudit_load_message_t;
+ %extend seaudit_load_message_t {
+ 	seaudit_load_message_t() {
+ 		BEGIN_EXCEPTION
+@@ -448,7 +448,7 @@
+ %}
+ 
+ /* seaudit bool message */
+-typedef struct seaudit_bool_message {} seaudit_bool_message_t;
++typedef struct {} seaudit_bool_message_t;
+ %extend seaudit_bool_message_t {
+ 	seaudit_bool_message_t(void *msg) {
+ 		BEGIN_EXCEPTION
+@@ -475,7 +475,7 @@
+ 	SEAUDIT_AVC_DENIED,
+ 	SEAUDIT_AVC_GRANTED
+ } seaudit_avc_message_type_e;
+-typedef struct seaudit_avc_message {} seaudit_avc_message_t;
++typedef struct {} seaudit_avc_message_t;
+ %extend seaudit_avc_message_t {
+ 	seaudit_avc_message_t() {
+ 		BEGIN_EXCEPTION
+@@ -606,7 +606,7 @@
+ 	SEAUDIT_FILTER_DATE_MATCH_AFTER,
+ 	SEAUDIT_FILTER_DATE_MATCH_BETWEEN
+ } seaudit_filter_date_match_e;
+-typedef struct seaudit_filter {} seaudit_filter_t;
++typedef struct {} seaudit_filter_t;
+ %extend seaudit_filter_t {
+ 	seaudit_filter_t(char *name = NULL) {
+ 		seaudit_filter_t *sf = NULL;
+@@ -1012,7 +1012,7 @@
+ %}
+ 
+ /* seaudit sort */
+-typedef struct seaudit_sort {} seaudit_sort_t;
++typedef struct {} seaudit_sort_t;
+ %extend seaudit_sort_t {
+ 	seaudit_sort_t() {
+ 		BEGIN_EXCEPTION
+@@ -1101,17 +1101,17 @@
+ %typemap(in) seaudit_filter_t *filter {
+ 	void *x = NULL;
+ 	Py_IncRef($input);
+-	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_seaudit_filter, 0 |  0 );
++	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_seaudit_filter_t, 0 |  0 );
+ 	$1 = (seaudit_filter_t*)x;
+ }
+ %typemap(in) seaudit_sort_t *ssort {
+ 	void *x = NULL;
+ 	Py_IncRef($input);
+-	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_seaudit_sort, 0 |  0 );
++	SWIG_ConvertPtr($input, &x,SWIGTYPE_p_seaudit_sort_t, 0 |  0 );
+ 	$1 = (seaudit_sort_t*)x;
+ }
+ #endif
+-typedef struct seaudit_model {} seaudit_model_t;
++typedef struct {} seaudit_model_t;
+ %extend seaudit_model_t {
+ 	seaudit_model_t(char *name = NULL, seaudit_log_t *slog = NULL) {
+ 		seaudit_model_t *smod;
+@@ -1309,7 +1309,7 @@
+ 	SEAUDIT_REPORT_FORMAT_TEXT,
+ 	SEAUDIT_REPORT_FORMAT_HTML
+ } seaudit_report_format_e;
+-typedef struct seaudit_report {} seaudit_report_t;
++typedef struct {} seaudit_report_t;
+ %extend seaudit_report_t {
+ 	seaudit_report_t(seaudit_model_t *m) {
+ 		seaudit_report_t *sr;
diff --git a/package/setools/setools.mk b/package/setools/setools.mk
new file mode 100644
index 0000000..eb3f4cc
--- /dev/null
+++ b/package/setools/setools.mk
@@ -0,0 +1,85 @@
+################################################################################
+#
+# setools
+#
+################################################################################
+
+SETOOLS_VERSION = 3.3.8
+SETOOLS_SOURCE = setools-$(SETOOLS_VERSION).tar.bz2
+SETOOLS_SITE = http://oss.tresys.com/projects/setools/chrome/site/dists/setools-$(SETOOLS_VERSION)/
+SETOOLS_DEPENDENCIES = libselinux sqlite libxml2 bzip2
+
+SETOOLS_INSTALL_STAGING = YES
+
+SETOOLS_AUTORECONF = YES
+SETOOLS_AUTORECONF_OPT = -i -s
+
+# Notes: Need "disable-selinux-check" so the configure does not check to see if host has
+#        selinux enabled.
+SETOOLS_CONF_OPT = \
+	--disable-debug \
+	--disable-gui \
+	--disable-bwidget-check \
+	--disable-selinux-check \
+	--disable-swig-java \
+	--disable-swig-python \
+	--disable-swig-tcl \
+	--with-sepol-devel="$(STAGING_DIR)/usr" \
+	--with-selinux-devel="$(STAGING_DIR)/usr" \
+
+ifeq ($(BR2_PACKAGE_SETOOLS_PYTHON_BINDINGS),y)
+	SETOOLS_DEPENDENCIES += python host-python host-swig 
+	SETOOLS_CONF_ENV += am_cv_pathless_PYTHON=python \
+		ac_cv_path_PYTHON=$(HOST_DIR)/usr/bin/python \
+		am_cv_python_version=$(PYTHON_VERSION) \
+		am_cv_python_platform=linux2 \
+		am_cv_python_pythondir=$(STAGING_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages \
+		am_cv_python_pyexecdir=$(STAGING_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages \
+		am_cv_python_includes=-I$(STAGING_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)
+	SETOOLS_CONF_OPT += \
+		--enable-swig-python \
+		PYTHON_CPPFLAGS="-I$(STAGING_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)" \
+		PYTHON_LDFLAGS="-L$(STAGING_DIR)/usr/lib/" \
+		PYTHON_SITE_PKG="$(STAGING_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages" \
+		PYTHON_EXTRA_LIBS="-lpthread -ldl -lutil -lpython$(PYTHON_VERSION_MAJOR)"
+endif
+
+HOST_SETOOLS_DEPENDENCIES = host-libselinux host-libsepol host-sqlite \
+	host-libxml2 host-bzip2
+
+HOST_SETOOLS_AUTORECONF = YES
+HOST_SETOOLS_AUTORECONF_OPT = -i -s
+
+# Notes: Need "disable-selinux-check" so the configure does not check to see if host has
+#        selinux enabled.
+HOST_SETOOLS_CONF_OPT = \
+	--disable-debug \
+	--disable-gui \
+	--disable-bwidget-check \
+	--disable-selinux-check \
+	--disable-swig-java \
+	--disable-swig-python \
+	--disable-swig-tcl \
+	--with-sepol-devel="$(HOST_DIR)/usr" \
+	--with-selinux-devel="$(HOST_DIR)/usr" \
+
+ifeq ($(BR2_PACKAGE_PYTHON),y)
+	HOST_SETOOLS_DEPENDENCIES += host-python host-swig 
+	HOST_SETOOLS_CONF_ENV += \
+		am_cv_pathless_PYTHON=python \
+		ac_cv_path_PYTHON=$(HOST_DIR)/usr/bin/python \
+		am_cv_python_version=$(PYTHON_VERSION) \
+		am_cv_python_platform=linux2 \
+		am_cv_python_pythondir=$(HOST_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages \
+		am_cv_python_pyexecdir=$(HOST_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages \
+		am_cv_python_includes=-I$(HOST_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)
+	HOST_SETOOLS_CONF_OPT += \
+		--enable-swig-python \
+		PYTHON_CPPFLAGS="-I$(HOST_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)" \
+		PYTHON_LDFLAGS="-L$(HOST_DIR)/usr/lib/" \
+		PYTHON_SITE_PKG="$(HOST_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages" \
+		PYTHON_EXTRA_LIBS="-lpthread -ldl -lutil -lpython$(PYTHON_VERSION_MAJOR)"
+endif
+
+$(eval $(autotools-package))
+$(eval $(host-autotools-package))
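Review bot: `SETOOLS_DEPENDENCIES` omits `libsepol` even though the configure options pass `--with-sepol-devel="$(STAGING_DIR)/usr"` and the host variant lists `host-libsepol`; add it explicitly rather than relying on it arriving indirectly. The host Python bindings are keyed on `BR2_PACKAGE_PYTHON`, which is the target package option, so the host build gains or loses bindings depending on a target-side choice, while the target side uses its own `BR2_PACKAGE_SETOOLS_PYTHON_BINDINGS`. Both `*_CONF_OPT` lists end with a trailing backslash before a blank line and pass `--disable-swig-python` followed later by `--enable-swig-python`; emitting only one of the two would be clearer. The file also sets no `SETOOLS_LICENSE` or `SETOOLS_LICENSE_FILES`, and the two `*_DEPENDENCIES +=` lines carry trailing whitespace.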
-- 
1.7.1


* [Buildroot] [ PATCH v4 10/20] python-pyparsing: Add host build option
  2013-12-12 18:27 [Buildroot] [ PATCH v4 00/20] SELinux Buildroot Additions Clayton Shotwell
                   ` (8 preceding siblings ...)
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 09/20] setools: new package Clayton Shotwell
@ 2013-12-12 18:27 ` Clayton Shotwell
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 11/20] audit: new package Clayton Shotwell
                   ` (9 subsequent siblings)
  19 siblings, 0 replies; 27+ messages in thread
From: Clayton Shotwell @ 2013-12-12 18:27 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
This package will most likely change based on Thomas P.'s proposed
python package infrastructure. It will become just:

$(eval $(host-python-package))

Changes v3 -> v4:
  - No changes.
Changes v2 -> v3:
  - Changed order of patch to correct dependency issue (suggested by Thomas).
Changes v1 -> v2:
  - No changes.
---
 package/python-pyparsing/python-pyparsing.mk |   47 ++++++++++++++++++-------
 1 files changed, 34 insertions(+), 13 deletions(-)

diff --git a/package/python-pyparsing/python-pyparsing.mk b/package/python-pyparsing/python-pyparsing.mk
index 7814ce3..b6ba40d 100644
--- a/package/python-pyparsing/python-pyparsing.mk
+++ b/package/python-pyparsing/python-pyparsing.mk
@@ -14,25 +14,46 @@ PYTHON_PYPARSING_DEPENDENCIES    = python
 
 # Shamelessly vampirised from python-pygame ;-)
 define PYTHON_PYPARSING_BUILD_CMDS
-	(cd $(@D);                                              \
-	 CC="$(TARGET_CC)"                                      \
-	 CFLAGS="$(TARGET_CFLAGS)"                              \
-	 LDSHARED="$(TARGET_CROSS)gcc -shared"                  \
-	 CROSS_COMPILING=yes                                    \
-	 _python_sysroot=$(STAGING_DIR)                         \
-	 _python_srcdir=$(BUILD_DIR)/python$(PYTHON_VERSION)    \
-	 _python_prefix=/usr                                    \
-	 _python_exec_prefix=/usr                               \
-	 $(HOST_DIR)/usr/bin/python setup.py build              \
+	(cd $(@D); \
+		CC="$(TARGET_CC)" \
+		CFLAGS="$(TARGET_CFLAGS)" \
+		LDSHARED="$(TARGET_CROSS)gcc -shared" \
+		CROSS_COMPILING=yes \
+		_python_sysroot=$(STAGING_DIR) \
+		_python_srcdir=$(BUILD_DIR)/python$(PYTHON_VERSION) \
+		_python_prefix=/usr \
+		_python_exec_prefix=/usr \
+		$(HOST_DIR)/usr/bin/python setup.py build \
 	)
 endef
 
 # Shamelessly vampirised from python-pygame ;-)
 define PYTHON_PYPARSING_INSTALL_TARGET_CMDS
-	(cd $(@D);                                              \
-	 $(HOST_DIR)/usr/bin/python setup.py install            \
-	                            --prefix=$(TARGET_DIR)/usr  \
+	(cd $(@D); \
+		$(HOST_DIR)/usr/bin/python setup.py install \
+		--prefix=$(TARGET_DIR)/usr \
+	)
+endef
+
+HOST_PYTHON_PYPARSING_DEPENDENCIES = host-python
+
+define HOST_PYTHON_PYPARSING_BUILD_CMDS
+	(cd $(@D); \
+		_python_sysroot=$(HOST_DIR) \
+		_python_srcdir=$(BUILD_DIR)/host-python$(PYTHON_VERSION) \
+		_python_prefix=/usr \
+		_python_exec_prefix=/usr \
+		$(HOST_DIR)/usr/bin/python setup.py build \
+	)
+endef
+
+define HOST_PYTHON_PYPARSING_INSTALL_CMDS
+	(cd $(@D); \
+		$(HOST_DIR)/usr/bin/python setup.py install \
+		--prefix=$(HOST_DIR)/usr \
 	)
 endef
 
 $(eval $(generic-package))
+$(eval $(host-generic-package))
+
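Review bot: `HOST_PYTHON_PYPARSING_BUILD_CMDS` carries over `_python_sysroot`, `_python_srcdir`, `_python_prefix` and `_python_exec_prefix` from the target commands, where they sit next to `CROSS_COMPILING=yes`; for a native build run with `$(HOST_DIR)/usr/bin/python` they should either be dropped or justified in the commit message, which currently has no description beyond the sign-off. The whitespace-only rewrite of the two target `define` blocks would be easier to review as a separate patch, and the hunk adds a blank line at end of file after `$(eval $(host-generic-package))`.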
-- 
1.7.1


* [Buildroot] [ PATCH v4 11/20] audit: new package
  2013-12-12 18:27 [Buildroot] [ PATCH v4 00/20] SELinux Buildroot Additions Clayton Shotwell
                   ` (9 preceding siblings ...)
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 10/20] python-pyparsing: Add host build option Clayton Shotwell
@ 2013-12-12 18:27 ` Clayton Shotwell
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 12/20] policycoreutils: " Clayton Shotwell
                   ` (8 subsequent siblings)
  19 siblings, 0 replies; 27+ messages in thread
From: Clayton Shotwell @ 2013-12-12 18:27 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v3 -> v4:
  - Added back in the Python bindings configure option instead of
    relying on a check to see if Python is enabled (suggested by
    Thomas).
  - Cleaned up the startup script installation step (suggested by
    Thomas).
  - Change the startup script order to launch the auditd first thing
    and also change the required shell to sh instead of bash.
  - Adding a dependency on comment BR2_TOOLCHAIN_USES_GLIBC
Changes v2 -> v3:
  - Changed order of patch to correct dependency issue (suggested by Thomas).
  - Changes patch naming convention (suggested by Thomas).
  - Added upstream submission link for patch (suggested by Thomas).
Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format.
  - Fixed the patch naming to avoid using the version number.
  - Cleaned up the patch to include a signed-off-by line.
  - Changed the original Python select in the Config.in to be a check
    in the mk file.
---
 package/Config.in                                  |    1 +
 package/audit/Config.in                            |   24 +
 package/audit/S01auditd                            |  172 +++
 ...it-0001-cross-compile-header-creation-fix.patch | 1424 ++++++++++++++++++++
 package/audit/audit-0002-remove-zos-plugin.patch   |   35 +
 package/audit/audit.mk                             |   61 +
 6 files changed, 1717 insertions(+), 0 deletions(-)
 create mode 100644 package/audit/Config.in
 create mode 100755 package/audit/S01auditd
 create mode 100644 package/audit/audit-0001-cross-compile-header-creation-fix.patch
 create mode 100644 package/audit/audit-0002-remove-zos-plugin.patch
 create mode 100644 package/audit/audit.mk

diff --git a/package/Config.in b/package/Config.in
index b62f123..48c66a6 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -969,6 +969,7 @@ endmenu
 menu "System tools"
 source "package/acl/Config.in"
 source "package/attr/Config.in"
+source "package/audit/Config.in"
 if BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
 source "package/bootutils/Config.in"
 source "package/coreutils/Config.in"
diff --git a/package/audit/Config.in b/package/audit/Config.in
new file mode 100644
index 0000000..91b985d
--- /dev/null
+++ b/package/audit/Config.in
@@ -0,0 +1,24 @@
+config BR2_PACKAGE_AUDIT
+	bool "audit"
+	depends on BR2_TOOLCHAIN_USES_GLIBC
+	help
+	  The audit package contains the user space utilities for
+	  storing and searching the audit records generate by
+	  the audit subsystem in the Linux 2.6 kernel
+	  
+	  Note: The z/OS remote plugin is disabled in this package
+	  
+	  http://people.redhat.com/sgrubb/audit/
+
+comment "audit needs an (e)glibc toolchain"
+        depends on !BR2_TOOLCHAIN_USES_GLIBC
+
+if BR2_PACKAGE_AUDIT
+
+config BR2_PACKAGE_AUDIT_PYTHON_BINDINGS
+	select BR2_PACKAGE_PYTHON
+	bool "python bindings"
+	help
+	  enable building python bindings
+
+endif
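Review bot: `BR2_PACKAGE_AUDIT_PYTHON_BINDINGS` does `select BR2_PACKAGE_PYTHON` without a matching `depends on` for whatever that option itself depends on, and the `select` is placed before the `bool` line; put `bool` first and propagate the dependencies so the select cannot force an unbuildable configuration. In the help text "records generate by" should read "generated by", two help lines contain only whitespace, and the `depends on` under the `comment` is indented with spaces where the rest of the file uses a tab.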
diff --git a/package/audit/S01auditd b/package/audit/S01auditd
new file mode 100755
index 0000000..23a7761
--- /dev/null
+++ b/package/audit/S01auditd
@@ -0,0 +1,172 @@
+#!/bin/sh
+#
+# auditd        This starts and stops auditd
+#
+# description: This starts the Linux Auditing System Daemon, \
+#              which collects security related events in a dedicated \
+#              audit log. If this daemon is turned off, audit events \
+#              will be sent to syslog.
+#
+# processname: /sbin/auditd
+# config: /etc/sysconfig/auditd
+# config: /etc/audit/auditd.conf
+# pidfile: /var/run/auditd.pid
+#
+# Return values according to LSB for all commands but status:
+# 0 - success
+# 1 - generic or unspecified error
+# 3 - unimplemented feature (e.g. "reload")
+# 4 - insufficient privilege
+# 5 - program is not installed
+# 6 - program is not configured
+# 7 - program is not running
+#
+prog="auditd"
+
+# Check that we are root ... so non-root users stop here
+test $EUID=0  ||  exit 4
+
+# Check config
+test -f /etc/sysconfig/auditd && . /etc/sysconfig/auditd
+
+RETVAL=0
+LOCK=/var/lock/subsys/auditd
+
+start(){
+   echo -n "Initializing $prog: "
+
+   if [ ! -e $LOCK ]; then
+      test -x /sbin/auditd  || exit 5
+      test -f /etc/audit/auditd.conf  || exit 6
+   
+      # Create dir to store log files in if one doesn't exist
+      test -d /var/log/audit || mkdir -p /var/log/audit && /sbin/restorecon /var/log/audit
+   
+      # Run audit daemon executable
+      $prog
+      RETVAL=$?
+      if test $RETVAL = 0 ; then
+         test -d /var/lock/subsys || mkdir -p /var/lock/subsys
+         touch $LOCK
+         # Load the default rules
+         test -f /etc/audit/audit.rules && /sbin/auditctl -R /etc/audit/audit.rules >/dev/null
+         echo "OK"
+      else
+         echo "FAILED: auditd failed to start"
+      fi
+   else
+      echo "FAILED: auditd already started, stop first"
+      RETVAL=1
+   fi
+   return $RETVAL
+}
+
+stop(){
+   echo -n "Uninitializing $prog: "
+   if [ -e $LOCK ]; then
+      killall -TERM $prog
+      RETVAL=$?
+      if [ $RETVAL ]; then
+         rm -f $LOCK
+         # Remove watches so shutdown works cleanly
+         if test x"$AUDITD_CLEAN_STOP" != "x" ; then
+            if test "`echo $AUDITD_CLEAN_STOP | tr 'NO' 'no'`" != "no"
+            then
+               /sbin/auditctl -D >/dev/null
+            fi
+         fi
+         if test x"$AUDITD_STOP_DISABLE" != "x" ; then
+            if test "`echo $AUDITD_STOP_DISABLE | tr 'NO' 'no'`" != "no"
+            then
+               /sbin/auditctl -e 0 >/dev/null
+            fi
+         fi
+         echo "OK"
+      else
+         echo "FAILED: auditd not stopped"
+      fi
+   else
+      echo "FAILED: auditd not started"
+      RETVAL=1
+   fi
+   return $RETVAL
+}
+
+reload(){
+   echo -n "Reloading auditd configuration: "
+   if [ -e $LOCK ]; then
+      test -f /etc/audit/auditd.conf  || exit 6
+      echo -n "Reloading configuration: " 
+      killall -HUP $prog
+      RETVAL=$?
+      if [ $RETVAL ]; then
+         echo "OK"
+      else
+         echo "FAILED"
+      fi
+   else
+      echo "FAILED: auditd not started"
+      RETVAL=1
+   fi
+   return $RETVAL
+}
+
+rotate(){
+   echo -n "Rotating auditd logs: "  
+   if [ -e $LOCK ]; then
+      killall -USR1 $prog
+      RETVAL=$?
+      if [ $RETVAL ]; then
+         echo "OK"
+      else
+         echo "FAILED"
+      fi
+   else
+      echo "FAILED: auditd not started"
+      RETVAL=1
+   fi
+   return $RETVAL
+}
+
+restart(){
+   test -f /etc/audit/auditd.conf  || exit 6
+   stop
+   start
+   return $RETVAL
+}
+
+condrestart(){
+   [ -e $LOCK ] && restart
+   return 0
+}
+
+# See how we were called.
+case "$1" in
+   start)
+      start
+      ;;
+   stop)
+      stop
+      ;;
+   restart)
+      restart
+      ;;
+   reload)
+      reload
+      ;;
+   rotate)
+      rotate
+      ;;
+   resume)
+      resume
+      ;;
+   condrestart)
+      condrestart
+      ;;
+   *)
+      echo "Usage: $0 {start|stop|restart|condrestart|reload|rotate}"
+      RETVAL=3
+      ;;
+esac
+
+exit $RETVAL
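Review bot: the root check near the top, `test $EUID=0  ||  exit 4`, never exits. Without spaces around `=`, test receives a single non-empty word and returns true for every user, and `$EUID` is a bash variable that a POSIX sh is not required to set. Something like `[ "$(id -u)" -eq 0 ] || exit 4` does what the comment says. The same always-true pattern appears as `if [ $RETVAL ]; then` in stop(), reload() and rotate(): the string "1" is non-empty, so the FAILED branches are unreachable and stop() removes the lock file even when killall failed; use `[ $RETVAL -eq 0 ]`. Finally, the `resume)` case calls a `resume` function that is not defined among the functions shown here and is not listed in the usage string, so either drop the case or add the function.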
diff --git a/package/audit/audit-0001-cross-compile-header-creation-fix.patch b/package/audit/audit-0001-cross-compile-header-creation-fix.patch
new file mode 100644
index 0000000..78df6ee
--- /dev/null
+++ b/package/audit/audit-0001-cross-compile-header-creation-fix.patch
@@ -0,0 +1,1424 @@
+Rework the build system to generate the required header files using a 
+Python script rather than compiling executables.  This change has
+to be made because the executables that are generated are built for
+the target architecture and are generally not compilable on the host
+build machine.  
+
+The code has been submitted to the audit maintainers for review.
+The first of three patches can be seen at the following link.
+https://www.redhat.com/archives/linux-audit/2013-August/msg00043.html
+
+Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
+
+diff -urN a/configure.ac b/configure.ac
+--- a/configure.ac	2013-07-29 16:37:01.000000000 -0500
++++ b/configure.ac	2013-08-21 13:29:55.760585744 -0500
+@@ -51,11 +51,14 @@
+ AC_PROG_CC
+ AC_PROG_INSTALL
+ AC_PROG_AWK
++AM_PATH_PYTHON
++AC_PYTHON_MODULE(pyparsing, 1)
+ 
+ echo .
+ echo Checking for header files
+ AC_HEADER_STDC
+ AC_HEADER_TIME
++AC_CHECK_HEADER([Python.h])
+ 
+ AC_C_CONST
+ AC_C_INLINE
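Review bot: `AC_PYTHON_MODULE(pyparsing, 1)` calls the macro by the name that the new m4/ax_python_module.m4 keeps only as an `AU_ALIAS`; call `AX_PYTHON_MODULE` directly so autoupdate does not flag it. Since the check is fatal and now applies to every build, not only builds with Python bindings, a short comment saying that pyparsing is needed on the build host by lib/gen_tables.py would make the resulting "failed to find required module" error easier to act on.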
+@@ -89,14 +92,13 @@
+ 	AC_MSG_RESULT(no)
+ else
+ AC_MSG_RESULT(testing)
+-AM_PATH_PYTHON
+-if test -f /usr/include/python${am_cv_python_version}/Python.h ; then
++if test x$ac_cv_header_Python_h != x ; then
+ 	python_found="yes"
+ 	AC_MSG_NOTICE(Python bindings will be built)
+ else
+ 	python_found="no"
+ 	if test x$use_python = xyes ; then
+-		AC_MSG_ERROR([Python explicitly required and python headers found])
++		AC_MSG_ERROR([Python explicitly required and python headers not found])
+ 	else
+ 		AC_MSG_WARN("Python headers not found - python bindings will not be made")
+ 	fi
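Review bot: the new condition `if test x$ac_cv_header_Python_h != x` is true whether or not the header was found. AC_CHECK_HEADER sets the cache variable to "yes" or "no", never to an empty string, so python_found is always "yes" and the corrected "headers not found" error below can no longer be reached. Compare against yes instead: `if test x$ac_cv_header_Python_h = xyes ; then`.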
+diff -urN a/bindings/python/Makefile.am b/bindings/python/Makefile.am
+--- a/bindings/python/Makefile.am	2013-07-29 16:37:00.000000000 -0500
++++ b/bindings/python/Makefile.am	2013-09-11 08:18:41.437704969 -0500
+@@ -26,6 +26,6 @@
+ pyexec_LTLIBRARIES = auparse.la
+ 
+ auparse_la_SOURCES = auparse_python.c
+-auparse_la_CPPFLAGS = -I$(top_srcdir)/auparse $(AM_CPPFLAGS) -I/usr/include/python$(PYTHON_VERSION) -fno-strict-aliasing
++auparse_la_CPPFLAGS = -I$(top_srcdir)/auparse $(AM_CPPFLAGS) -fno-strict-aliasing
+ auparse_la_LDFLAGS = -module -avoid-version -Wl,-z,relro
+ auparse_la_LIBADD = ../../auparse/libauparse.la ../../lib/libaudit.la
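Review bot: on the `auparse_la_CPPFLAGS` line, dropping `-I/usr/include/python$(PYTHON_VERSION)` is right for a cross build, but nothing replaces it, so auparse_python.c only compiles if the caller already has the Python include directory in CPPFLAGS. The unconditional `AC_CHECK_HEADER([Python.h])` added in configure.ac has the same dependency. Either document that requirement or have configure compute the include flag and substitute it here.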
+diff -urN /dev/null b/m4/ax_python_module.m4
+--- /dev/null	2013-06-19 11:25:31.230442052 -0500
++++ b/m4/ax_python_module.m4	2013-08-21 12:43:56.829882655 -0500
+@@ -0,0 +1,49 @@
++# ===========================================================================
++#     http://www.gnu.org/software/autoconf-archive/ax_python_module.html
++# ===========================================================================
++#
++# SYNOPSIS
++#
++#   AX_PYTHON_MODULE(modname[, fatal])
++#
++# DESCRIPTION
++#
++#   Checks for Python module.
++#
++#   If fatal is non-empty then absence of a module will trigger an error.
++#
++# LICENSE
++#
++#   Copyright (c) 2008 Andrew Collier
++#
++#   Copying and distribution of this file, with or without modification, are
++#   permitted in any medium without royalty provided the copyright notice
++#   and this notice are preserved. This file is offered as-is, without any
++#   warranty.
++
++#serial 6
++
++AU_ALIAS([AC_PYTHON_MODULE], [AX_PYTHON_MODULE])
++AC_DEFUN([AX_PYTHON_MODULE],[
++    if test -z $PYTHON;
++    then
++        PYTHON="python"
++    fi
++    PYTHON_NAME=`basename $PYTHON`
++    AC_MSG_CHECKING($PYTHON_NAME module: $1)
++	$PYTHON -c "import $1" 2>/dev/null
++	if test $? -eq 0;
++	then
++		AC_MSG_RESULT(yes)
++		eval AS_TR_CPP(HAVE_PYMOD_$1)=yes
++	else
++		AC_MSG_RESULT(no)
++		eval AS_TR_CPP(HAVE_PYMOD_$1)=no
++		#
++		if test -n "$2"
++		then
++			AC_MSG_ERROR(failed to find required module $1)
++			exit 1
++		fi
++	fi
++])
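Review bot: in AX_PYTHON_MODULE, `test -z $PYTHON` is unquoted, so a PYTHON value containing a space makes test fail with a syntax error instead of running the check; quote it as `test -z "$PYTHON"`. The `exit 1` after `AC_MSG_ERROR(...)` is unreachable because AC_MSG_ERROR already aborts configure. The body also mixes space and tab indentation. If the file is meant to stay a verbatim copy of the autoconf-archive macro, say so in the patch description so it is not edited locally later.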
+diff -urN a/auparse/Makefile.am b/auparse/Makefile.am
+--- a/auparse/Makefile.am	2013-07-29 16:37:01.000000000 -0500
++++ b/auparse/Makefile.am	2013-08-19 14:37:31.230510790 -0500
+@@ -52,8 +52,8 @@
+ 	rlimittabs.h recvtabs.h schedtabs.h seccomptabs.h \
+ 	seektabs.h shm_modetabs.h signaltabs.h sockoptnametabs.h \
+ 	socktabs.h sockleveltabs.h socktypetabs.h \
+-	tcpoptnametabs.h typetabs.h umounttabs.h
+-noinst_PROGRAMS = gen_accesstabs_h gen_captabs_h gen_clock_h \
++	tcpoptnametabs.h typetabs.h umounttabs.h \
++	gen_accesstabs_h gen_captabs_h gen_clock_h \
+ 	gen_clone-flagtabs_h \
+ 	gen_epoll_ctls_h gen_famtabs_h \
+ 	gen_fcntl-cmdtabs_h gen_flagtabs_h \
+@@ -69,187 +69,184 @@
+ 	gen_socktypetabs_h gen_tcpoptnametabs_h gen_typetabs_h \
+ 	gen_umounttabs_h
+ 
+-gen_accesstabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h accesstab.h
+-gen_accesstabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="accesstab.h"'
++gen_accesstabs_h: ../lib/gen_tables.c ../lib/gen_tables.h accesstab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"accesstab.h\" -E -o $@ ../lib/gen_tables.c
+ accesstabs.h: gen_accesstabs_h Makefile
+-	./gen_accesstabs_h --i2s-transtab access > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab access gen_accesstabs_h $@
+ 
+-gen_captabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h captab.h
+-gen_captabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="captab.h"'
++gen_captabs_h: ../lib/gen_tables.c ../lib/gen_tables.h captab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"captab.h\" -E -o $@ ../lib/gen_tables.c
+ captabs.h: gen_captabs_h Makefile
+-	./gen_captabs_h --i2s cap > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s cap gen_captabs_h $@
+ 
+-gen_clock_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h clocktab.h
+-gen_clock_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="clocktab.h"'
++gen_clock_h: ../lib/gen_tables.c ../lib/gen_tables.h clocktab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"clocktab.h\" -E -o $@ ../lib/gen_tables.c
+ clocktabs.h: gen_clock_h Makefile
+-	./gen_clock_h --i2s clock > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s clock gen_clock_h $@
+ 
+-gen_clone_flagtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \
+-	clone-flagtab.h
+-gen_clone_flagtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="clone-flagtab.h"'
++gen_clone-flagtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h clone-flagtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"clone-flagtab.h\" -E -o $@ ../lib/gen_tables.c
+ clone-flagtabs.h: gen_clone-flagtabs_h Makefile
+-	./gen_clone-flagtabs_h --i2s-transtab clone_flag > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab clone_flag gen_clone-flagtabs_h $@
+ 
+-gen_epoll_ctls_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h epoll_ctl.h
+-gen_epoll_ctls_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="epoll_ctl.h"'
++gen_epoll_ctls_h: ../lib/gen_tables.c ../lib/gen_tables.h epoll_ctl.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"epoll_ctl.h\" -E -o $@ ../lib/gen_tables.c
+ epoll_ctls.h: gen_epoll_ctls_h Makefile
+-	./gen_epoll_ctls_h --i2s epoll_ctl > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s epoll_ctl gen_epoll_ctls_h $@
+ 
+-gen_famtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h famtab.h
+-gen_famtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="famtab.h"'
++gen_famtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h famtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"famtab.h\" -E -o $@ ../lib/gen_tables.c
+ famtabs.h: gen_famtabs_h Makefile
+-	./gen_famtabs_h --i2s fam > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s fam gen_famtabs_h $@
+ 
+-gen_flagtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h flagtab.h
+ # ../auparse/ is used to avoid using ../lib/flagtab.h
+-gen_flagtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="../auparse/flagtab.h"'
++gen_flagtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h ../auparse/flagtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"../auparse/flagtab.h\" -E -o $@ ../lib/gen_tables.c
+ flagtabs.h: gen_flagtabs_h Makefile
+-	./gen_flagtabs_h --i2s-transtab flag > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab flag gen_flagtabs_h $@
+ 
+-gen_fcntl_cmdtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \
+-	fcntl-cmdtab.h
+-gen_fcntl_cmdtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="fcntl-cmdtab.h"'
++gen_fcntl-cmdtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h fcntl-cmdtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"fcntl-cmdtab.h\" -E -o $@ ../lib/gen_tables.c
+ fcntl-cmdtabs.h: gen_fcntl-cmdtabs_h Makefile
+-	./gen_fcntl-cmdtabs_h --i2s fcntl > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s fcntl gen_fcntl-cmdtabs_h $@
+ 
+-gen_icmptypetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h icmptypetab.h
+-gen_icmptypetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="icmptypetab.h"'
++gen_icmptypetabs_h: ../lib/gen_tables.c ../lib/gen_tables.h icmptypetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"icmptypetab.h\" -E -o $@ ../lib/gen_tables.c
+ icmptypetabs.h: gen_icmptypetabs_h Makefile
+-	./gen_icmptypetabs_h --i2s icmptype > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s icmptype gen_icmptypetabs_h $@
+ 
+-gen_ipctabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipctab.h
+-gen_ipctabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ipctab.h"'
++gen_ipctabs_h: ../lib/gen_tables.c ../lib/gen_tables.h ipctab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ipctab.h\" -E -o $@ ../lib/gen_tables.c
+ ipctabs.h: gen_ipctabs_h Makefile
+-	./gen_ipctabs_h --i2s ipc > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s ipc gen_ipctabs_h $@
+ 
+-gen_ipccmdtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipccmdtab.h
+-gen_ipccmdtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ipccmdtab.h"'
++gen_ipccmdtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h ipccmdtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ipccmdtab.h\" -E -o $@ ../lib/gen_tables.c
+ ipccmdtabs.h: gen_ipccmdtabs_h Makefile
+-	./gen_ipccmdtabs_h --i2s-transtab ipccmd > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab ipccmd gen_ipccmdtabs_h $@
+ 
+-gen_ipoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipoptnametab.h
+-gen_ipoptnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ipoptnametab.h"'
++gen_ipoptnametabs_h: ../lib/gen_tables.c ../lib/gen_tables.h ipoptnametab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ipoptnametab.h\" -E -o $@ ../lib/gen_tables.c
+ ipoptnametabs.h: gen_ipoptnametabs_h Makefile
+-	./gen_ipoptnametabs_h --i2s ipoptname > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s ipoptname gen_ipoptnametabs_h $@
+ 
+-gen_ip6optnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ip6optnametab.h
+-gen_ip6optnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ip6optnametab.h"'
++gen_ip6optnametabs_h: ../lib/gen_tables.c ../lib/gen_tables.h ip6optnametab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ip6optnametab.h\" -E -o $@ ../lib/gen_tables.c
+ ip6optnametabs.h: gen_ip6optnametabs_h Makefile
+-	./gen_ip6optnametabs_h --i2s ip6optname > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s ip6optname gen_ip6optnametabs_h $@
+ 
+-gen_mmaptabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h mmaptab.h
+-gen_mmaptabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="mmaptab.h"'
++gen_mmaptabs_h: ../lib/gen_tables.c ../lib/gen_tables.h mmaptab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"mmaptab.h\" -E -o $@ ../lib/gen_tables.c
+ mmaptabs.h: gen_mmaptabs_h Makefile
+-	./gen_mmaptabs_h --i2s-transtab mmap > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab mmap gen_mmaptabs_h $@
+ 
+-gen_mounttabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h mounttab.h
+-gen_mounttabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="mounttab.h"'
++gen_mounttabs_h: ../lib/gen_tables.c ../lib/gen_tables.h mounttab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"mounttab.h\" -E -o $@ ../lib/gen_tables.c
+ mounttabs.h: gen_mounttabs_h Makefile
+-	./gen_mounttabs_h --i2s-transtab mount > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab mount gen_mounttabs_h $@
+ 
+-gen_nfprototabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h nfprototab.h
+-gen_nfprototabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="nfprototab.h"'
++gen_nfprototabs_h: ../lib/gen_tables.c ../lib/gen_tables.h nfprototab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"nfprototab.h\" -E -o $@ ../lib/gen_tables.c
+ nfprototabs.h: gen_nfprototabs_h Makefile
+-	./gen_nfprototabs_h --i2s nfproto > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s nfproto gen_nfprototabs_h $@
+ 
+-gen_open_flagtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \
+-	open-flagtab.h
+-gen_open_flagtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="open-flagtab.h"'
++gen_open-flagtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h open-flagtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"open-flagtab.h\" -E -o $@ ../lib/gen_tables.c
+ open-flagtabs.h: gen_open-flagtabs_h Makefile
+-	./gen_open-flagtabs_h --i2s-transtab open_flag > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab open_flag gen_open-flagtabs_h $@
+ 
+-gen_persontabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h persontab.h
+-gen_persontabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="persontab.h"'
++gen_persontabs_h: ../lib/gen_tables.c ../lib/gen_tables.h persontab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"persontab.h\" -E -o $@ ../lib/gen_tables.c
+ persontabs.h: gen_persontabs_h Makefile
+-	./gen_persontabs_h --i2s person > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s person gen_persontabs_h $@
+ 
+-gen_ptracetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ptracetab.h
+-gen_ptracetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ptracetab.h"'
++gen_ptracetabs_h: ../lib/gen_tables.c ../lib/gen_tables.h ptracetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ptracetab.h\" -E -o $@ ../lib/gen_tables.c
+ ptracetabs.h: gen_ptracetabs_h Makefile
+-	./gen_ptracetabs_h --i2s ptrace > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s ptrace gen_ptracetabs_h $@
+ 
+-gen_prctl_opttabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h prctl-opt-tab.h
+-gen_prctl_opttabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="prctl-opt-tab.h"'
++gen_prctl_opttabs_h: ../lib/gen_tables.c ../lib/gen_tables.h prctl-opt-tab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"prctl-opt-tab.h\" -E -o $@ ../lib/gen_tables.c
+ prctl_opttabs.h: gen_prctl_opttabs_h Makefile
+-	./gen_prctl_opttabs_h --i2s prctl_opt > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s prctl_opt gen_prctl_opttabs_h $@
+ 
+-gen_pktoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h pktoptnametab.h
+-gen_pktoptnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="pktoptnametab.h"'
++gen_pktoptnametabs_h: ../lib/gen_tables.c ../lib/gen_tables.h pktoptnametab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"pktoptnametab.h\" -E -o $@ ../lib/gen_tables.c
+ pktoptnametabs.h: gen_pktoptnametabs_h Makefile
+-	./gen_pktoptnametabs_h --i2s pktoptname > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s pktoptname gen_pktoptnametabs_h $@
+ 
+-gen_prottabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h prottab.h
+-gen_prottabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="prottab.h"'
++gen_prottabs_h: ../lib/gen_tables.c ../lib/gen_tables.h prottab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"prottab.h\" -E -o $@ ../lib/gen_tables.c
+ prottabs.h: gen_prottabs_h Makefile
+-	./gen_prottabs_h --i2s-transtab prot > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab prot gen_prottabs_h $@
+ 
+-gen_recvtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h recvtab.h
+-gen_recvtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="recvtab.h"'
++gen_recvtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h recvtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"recvtab.h\" -E -o $@ ../lib/gen_tables.c
+ recvtabs.h: gen_recvtabs_h Makefile
+-	./gen_recvtabs_h --i2s-transtab recv > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab recv gen_recvtabs_h $@
+ 
+-gen_rlimit_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h rlimittab.h
+-gen_rlimit_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="rlimittab.h"'
++gen_rlimit_h: ../lib/gen_tables.c ../lib/gen_tables.h rlimittab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"rlimittab.h\" -E -o $@ ../lib/gen_tables.c
+ rlimittabs.h: gen_rlimit_h Makefile
+-	./gen_rlimit_h --i2s rlimit > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s rlimit gen_rlimit_h $@
+ 
+-gen_schedtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h schedtab.h
+-gen_schedtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="schedtab.h"'
++gen_schedtabs_h: ../lib/gen_tables.c ../lib/gen_tables.h schedtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"schedtab.h\" -E -o $@ ../lib/gen_tables.c
+ schedtabs.h: gen_schedtabs_h Makefile
+-	./gen_schedtabs_h --i2s sched > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s sched gen_schedtabs_h $@
+ 
+-gen_seccomptabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h seccomptab.h
+-gen_seccomptabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="seccomptab.h"'
++gen_seccomptabs_h: ../lib/gen_tables.c ../lib/gen_tables.h seccomptab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"seccomptab.h\" -E -o $@ ../lib/gen_tables.c
+ seccomptabs.h: gen_seccomptabs_h Makefile
+-	./gen_seccomptabs_h --i2s seccomp > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s seccomp gen_seccomptabs_h $@
+ 
+-gen_seektabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h seektab.h
+-gen_seektabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="seektab.h"'
++gen_seektabs_h: ../lib/gen_tables.c ../lib/gen_tables.h seektab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"seektab.h\" -E -o $@ ../lib/gen_tables.c
+ seektabs.h: gen_seektabs_h Makefile
+-	./gen_seektabs_h --i2s seek > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s seek gen_seektabs_h $@
+ 
+-gen_shm_modetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h shm_modetab.h
+-gen_shm_modetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="shm_modetab.h"'
++gen_shm_modetabs_h: ../lib/gen_tables.c ../lib/gen_tables.h shm_modetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"shm_modetab.h\" -E -o $@ ../lib/gen_tables.c
+ shm_modetabs.h: gen_shm_modetabs_h Makefile
+-	./gen_shm_modetabs_h --i2s-transtab shm_mode > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab shm_mode gen_shm_modetabs_h $@
+ 
+-gen_signals_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h signaltab.h
+-gen_signals_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="signaltab.h"'
++gen_signals_h: ../lib/gen_tables.c ../lib/gen_tables.h signaltab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"signaltab.h\" -E -o $@ ../lib/gen_tables.c
+ signaltabs.h: gen_signals_h Makefile
+-	./gen_signals_h --i2s signal > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s signal gen_signals_h $@
+ 
+-gen_sockleveltabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h sockleveltab.h
+-gen_sockleveltabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="sockleveltab.h"'
++gen_sockleveltabs_h: ../lib/gen_tables.c ../lib/gen_tables.h sockleveltab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"sockleveltab.h\" -E -o $@ ../lib/gen_tables.c
+ sockleveltabs.h: gen_sockleveltabs_h Makefile
+-	./gen_sockleveltabs_h --i2s socklevel > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s socklevel gen_sockleveltabs_h $@
+ 
+-gen_sockoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h sockoptnametab.h
+-gen_sockoptnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="sockoptnametab.h"'
++gen_sockoptnametabs_h: ../lib/gen_tables.c ../lib/gen_tables.h sockoptnametab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"sockoptnametab.h\" -E -o $@ ../lib/gen_tables.c
+ sockoptnametabs.h: gen_sockoptnametabs_h Makefile
+-	./gen_sockoptnametabs_h --i2s sockoptname > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s sockoptname gen_sockoptnametabs_h $@
+ 
+-gen_socktabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h socktab.h
+-gen_socktabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="socktab.h"'
++gen_socktabs_h: ../lib/gen_tables.c ../lib/gen_tables.h socktab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"socktab.h\" -E -o $@ ../lib/gen_tables.c
+ socktabs.h: gen_socktabs_h Makefile
+-	./gen_socktabs_h --i2s sock > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s sock gen_socktabs_h $@
+ 
+-gen_socktypetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h socktypetab.h
+-gen_socktypetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="socktypetab.h"'
++gen_socktypetabs_h: ../lib/gen_tables.c ../lib/gen_tables.h socktypetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"socktypetab.h\" -E -o $@ ../lib/gen_tables.c
+ socktypetabs.h: gen_socktypetabs_h Makefile
+-	./gen_socktypetabs_h --i2s sock_type > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s sock_type gen_socktypetabs_h $@
+ 
+-gen_tcpoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h tcpoptnametab.h
+-gen_tcpoptnametabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="tcpoptnametab.h"'
++gen_tcpoptnametabs_h: ../lib/gen_tables.c ../lib/gen_tables.h tcpoptnametab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"tcpoptnametab.h\" -E -o $@ ../lib/gen_tables.c
+ tcpoptnametabs.h: gen_tcpoptnametabs_h Makefile
+-	./gen_tcpoptnametabs_h --i2s tcpoptname > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s tcpoptname gen_tcpoptnametabs_h $@
+ 
+-gen_typetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h typetab.h
+-gen_typetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="typetab.h"'
++gen_typetabs_h: ../lib/gen_tables.c ../lib/gen_tables.h typetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"typetab.h\" -E -o $@ ../lib/gen_tables.c
+ typetabs.h: gen_typetabs_h Makefile
+-	./gen_typetabs_h --s2i type > $@
++	$(PYTHON) ../lib/gen_tables.py --s2i type gen_typetabs_h $@
+ 
+-gen_umounttabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h umounttab.h
+-gen_umounttabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="umounttab.h"'
++gen_umounttabs_h: ../lib/gen_tables.c ../lib/gen_tables.h umounttab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"umounttab.h\" -E -o $@ ../lib/gen_tables.c
+ umounttabs.h: gen_umounttabs_h Makefile
+-	./gen_umounttabs_h --i2s-transtab umount > $@
++	$(PYTHON) ../lib/gen_tables.py --i2s-transtab umount gen_umounttabs_h $@
+ 
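Review bot: none of the `*tabs.h: gen_*_h Makefile` rules lists `../lib/gen_tables.py` as a prerequisite, so editing the generator does not regenerate the headers; add it to each rule. The recipes also refer to `../lib/gen_tables.c` and `../lib/gen_tables.py` relative to the build directory, which breaks out-of-tree builds; use `$(top_srcdir)/lib/...`. The `$(CC) ... -E` lines pass `$(INCLUDES) $(AM_CFLAGS) $(CFLAGS)` but omit `$(DEFS)`, `$(AM_CPPFLAGS)` and `$(CPPFLAGS)`, which are exactly the flags a preprocessor-only run depends on. Since every pair of rules differs only in the table name and the `--i2s`/`--i2s-transtab`/`--s2i` mode, consider generating them from a single template or pattern rule to keep the 35 copies from drifting.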
+diff -urN a/lib/gen_tables.c b/lib/gen_tables.c
+--- a/lib/gen_tables.c	2013-07-29 16:37:01.000000000 -0500
++++ b/lib/gen_tables.c	2013-08-19 10:09:03.060041420 -0500
+@@ -54,19 +54,6 @@
+ #define SHMGET          23
+ #define SHMCTL          24
+ 
+-
+-/* The ratio of table size to number of non-empty elements allowed for a
+-   "direct" s2i table; if the ratio would be bigger, bsearch tables are used
+-   instead.
+-
+-   2 looks like a lot at a first glance, but the bsearch tables need twice as
+-   much space per element, so with the ratio equal to 2 the direct table uses
+-   no more memory and is faster. */
+-#define DIRECT_THRESHOLD 2
+-
+-/* Allow more than one string defined for a single integer value */
+-static bool allow_duplicate_ints; /* = false; */
+-
+ struct value {
+ 	int val;
+ 	const char *s;
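Review bot: this hunk deletes `DIRECT_THRESHOLD` together with the comment explaining why a ratio of 2 was chosen for switching between direct and bsearch tables. If lib/gen_tables.py is expected to produce the same headers as the C generator, that rationale and the `--duplicate-ints` behaviour behind `allow_duplicate_ints` should be carried over into the script rather than dropped, otherwise the choice of table layout becomes undocumented.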
+@@ -83,335 +70,11 @@
+ 
+ #define NUM_VALUES (sizeof(values) / sizeof(*values))
+ 
+-/* Compare two "struct value" members by name. */
+-static int
+-cmp_value_strings(const void *xa, const void *xb)
+-{
+-	const struct value *a, *b;
+-
+-	a = xa;
+-	b = xb;
+-	return strcmp(a->s, b->s);
+-}
+-
+-/* Compare two "struct value" members by value. */
+-static int
+-cmp_value_vals(const void *xa, const void *xb)
+-{
+-	const struct value *a, *b;
+-
+-	a = xa;
+-	b = xb;
+-	if (a->val > b->val)
+-		return 1;
+-	if (a->val < b->val)
+-		return -1;
+-	/* Preserve the original order if there is an ambiguity, to always use
+-	   the first specified value. */
+-	if (a->orig_index > b->orig_index)
+-		return 1;
+-	if (a->orig_index < b->orig_index)
+-		return -1;
+-	return 0;
+-}
+-
+-/* Compare two "struct value" members by orig_index. */
+-static int
+-cmp_value_orig_index(const void *xa, const void *xb)
+-{
+-	const struct value *a, *b;
+-
+-	a = xa;
+-	b = xb;
+-	if (a->orig_index > b->orig_index)
+-		return 1;
+-	if (a->orig_index < b->orig_index)
+-		return -1;
+-	return 0;
+-}
+-
+-/* Output the string table, initialize values[*]->s_offset. */
+-static void
+-output_strings(const char *prefix)
+-{
+-	size_t i, offset;
+-
+-	offset = 0;
+-	for (i = 0; i < NUM_VALUES; i++) {
+-		values[i].s_offset = offset;
+-		offset += strlen(values[i].s) + 1;
+-	}
+-	printf("static const char %s_strings[] = \"", prefix);
+-	assert(NUM_VALUES > 0);
+-	for (i = 0; i < NUM_VALUES; i++) {
+-		const char *c;
+-
+-		if (i != 0 && i % 10 == 0)
+-			fputs("\"\n"
+-			      "\t\"", stdout);
+-		for (c = values[i].s; *c != '\0'; c++) {
+-			assert(*c != '"' && *c != '\\'
+-			       && isprint((unsigned char)*c));
+-			putc(*c, stdout);
+-		}
+-		if (i != NUM_VALUES - 1)
+-			fputs("\\0", stdout);
+-	}
+-	fputs("\";\n", stdout);
+-}
+-
+-/* Output the string to integer mapping code.
+-   Assume strings are all uppsercase or all lowercase if specified by
+-   parameters; in that case, make the search case-insensitive.
+-   values must be sorted by strings. */
+-static void
+-output_s2i(const char *prefix, bool uppercase, bool lowercase)
+-{
+-	size_t i;
+-
+-	for (i = 0; i < NUM_VALUES - 1; i++) {
+-		assert(strcmp(values[i].s, values[i + 1].s) <= 0);
+-		if (strcmp(values[i].s, values[i + 1].s) == 0) {
+-			fprintf(stderr, "Duplicate value `%s': %d, %d\n",
+-				values[i].s, values[i].val, values[i + 1].val);
+-			abort();
+-		}
+-	}
+-	printf("static const unsigned %s_s2i_s[] = {", prefix);
+-	for (i = 0; i < NUM_VALUES; i++) {
+-		if (i % 10 == 0)
+-			fputs("\n\t", stdout);
+-		assert(values[i].s_offset <= UINT_MAX);
+-		printf("%zu,", values[i].s_offset);
+-	}
+-	printf("\n"
+-	       "};\n"
+-	       "static const int %s_s2i_i[] = {", prefix);
+-	for (i = 0; i < NUM_VALUES; i++) {
+-		if (i % 10 == 0)
+-			fputs("\n\t", stdout);
+-		printf("%d,", values[i].val);
+-	}
+-	fputs("\n"
+-	      "};\n", stdout);
+-	assert(!(uppercase && lowercase));
+-	if (uppercase) {
+-		for (i = 0; i < NUM_VALUES; i++) {
+-			const char *c;
+-
+-			for (c = values[i].s; *c != '\0'; c++)
+-				assert(isascii((unsigned char)*c)
+-				       && !GT_ISLOWER(*c));
+-		}
+-	} else if (lowercase) {
+-		for (i = 0; i < NUM_VALUES; i++) {
+-			const char *c;
+-
+-			for (c = values[i].s; *c != '\0'; c++)
+-				assert(isascii((unsigned char)*c)
+-				       && !GT_ISUPPER(*c));
+-		}
+-	}
+-	if (uppercase || lowercase) {
+-		printf("static int %s_s2i(const char *s, int *value) {\n"
+-		       "\tsize_t len, i;\n"
+-		       "\tlen = strlen(s);\n"
+-		       "\t{ char copy[len + 1];\n"
+-		       "\tfor (i = 0; i < len; i++) {\n"
+-		       "\t\tchar c = s[i];\n", prefix);
+-		if (uppercase)
+-			fputs("\t\tcopy[i] = GT_ISLOWER(c) ? c - 'a' + 'A' "
+-							  ": c;\n", stdout);
+-		else
+-			fputs("\t\tcopy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' "
+-							  ": c;\n", stdout);
+-		printf("\t}\n"
+-		       "\tcopy[i] = 0;\n"
+-		       "\treturn s2i__(%s_strings, %s_s2i_s, %s_s2i_i, %zu, "
+-				      "copy, value);\n"
+-		       "\t}\n"
+-		       "}\n", prefix, prefix, prefix, NUM_VALUES);
+-	} else
+-		printf("static int %s_s2i(const char *s, int *value) {\n"
+-		       "\treturn s2i__(%s_strings, %s_s2i_s, %s_s2i_i, %zu, s, "
+-				      "value);\n"
+-		       "}\n", prefix, prefix, prefix, prefix, NUM_VALUES);
+-}
+-
+-/* Output the string to integer mapping table.
+-   values must be sorted by strings. */
+-static void
+-output_i2s(const char *prefix)
+-{
+-	struct value *unique_values;
+-	int min_val, max_val;
+-	size_t i, n;
+-
+-	assert(NUM_VALUES > 0);
+-	for (i = 0; i < NUM_VALUES - 1; i++) {
+-		assert(values[i].val <= values[i + 1].val);
+-		if (!allow_duplicate_ints
+-		    && values[i].val == values[i + 1].val) {
+-			fprintf(stderr, "Duplicate value %d: `%s', `%s'\n",
+-				values[i].val, values[i].s, values[i + 1].s);
+-			abort();
+-		}
+-	}
+-
+-	unique_values = malloc(NUM_VALUES * sizeof(*unique_values));
+-	assert(unique_values != NULL);
+-	n = 0;
+-	for (i = 0; i < NUM_VALUES; i++) {
+-		if (n == 0 || unique_values[n - 1].val != values[i].val) {
+-			unique_values[n] = values[i];
+-			n++;
+-		}
+-	}
+-
+-	min_val = unique_values[0].val;
+-	max_val = unique_values[n - 1].val;
+-	if (((double)max_val - (double)min_val) / n <= DIRECT_THRESHOLD) {
+-		int next_index;
+-
+-		printf("static const unsigned %s_i2s_direct[] = {", prefix);
+-		next_index = min_val;
+-		i = 0;
+-		for (;;) {
+-			if ((next_index - min_val) % 10 == 0)
+-				fputs("\n\t", stdout);
+-			while (unique_values[i].val < next_index)
+-				/* This can happen if (allow_duplicate_ints) */
+-				i++;
+-			if (unique_values[i].val == next_index) {
+-				assert(unique_values[i].s_offset <= UINT_MAX);
+-				printf("%zu,", unique_values[i].s_offset);
+-			} else
+-				fputs("-1u,", stdout);
+-			if (next_index == max_val)
+-				/* Done like this to avoid integer overflow */
+-				break;
+-			next_index++;
+-		}
+-		printf("\n"
+-		       "};\n"
+-		       "static const char *%s_i2s(int v) {\n"
+-		       "\treturn i2s_direct__(%s_strings, %s_i2s_direct, %d, "
+-					     "%d, v);\n"
+-		       "}\n", prefix, prefix, prefix, min_val, max_val);
+-	} else {
+-		printf("static const int %s_i2s_i[] = {", prefix);
+-		for (i = 0; i < n; i++) {
+-			if (i % 10 == 0)
+-				fputs("\n\t", stdout);
+-			printf("%d,", unique_values[i].val);
+-		}
+-		printf("\n"
+-		       "};\n"
+-		       "static const unsigned %s_i2s_s[] = {", prefix);
+-		for (i = 0; i < n; i++) {
+-			if (i % 10 == 0)
+-				fputs("\n\t", stdout);
+-			assert(unique_values[i].s_offset <= UINT_MAX);
+-			printf("%zu,", unique_values[i].s_offset);
+-		}
+-		printf("\n"
+-		       "};\n"
+-		       "static const char *%s_i2s(int v) {\n"
+-		       "\treturn i2s_bsearch__(%s_strings, %s_i2s_i, %s_i2s_s, "
+-			      "%zu, v);\n"
+-		       "}\n", prefix, prefix, prefix, prefix, n);
+-	}
+-	free(unique_values);
+-}
+-
+-/* Output the string to integer mapping table as a transtab[].
+-   values must be sorted in the desired order. */
+-static void
+-output_i2s_transtab(const char *prefix)
+-{
+-	size_t i;
+-	char *uc_prefix;
+-
+-	printf("static const struct transtab %s_table[] = {", prefix);
+-	for (i = 0; i < NUM_VALUES; i++) {
+-		if (i % 10 == 0)
+-			fputs("\n\t", stdout);
+-		printf("{%d,%zu},", values[i].val, values[i].s_offset);
+-	}
+-	uc_prefix = strdup(prefix);
+-	assert(uc_prefix != NULL);
+-	for (i = 0; uc_prefix[i] != '\0'; i++)
+-		uc_prefix[i] = toupper((unsigned char)uc_prefix[i]);
+-	printf("\n"
+-	       "};\n"
+-	       "#define %s_NUM_ENTRIES "
+-	       "(sizeof(%s_table) / sizeof(*%s_table))\n", uc_prefix, prefix,
+-	       prefix);
+-	free(uc_prefix);
+-}
+-
+ int
+ main(int argc, char **argv)
+ {
+-	bool gen_i2s, gen_i2s_transtab, gen_s2i, uppercase, lowercase;
+-	char *prefix;
+-	size_t i;
+-
+ 	/* This is required by gen_tables.h */
+ 	assert(NUM_VALUES <= (SSIZE_MAX / 2 + 1));
+ 
+-	/* To make sure GT_ISUPPER and GT_ISLOWER work. */
+-	assert('Z' == 'A' + 25 && 'z' == 'a' + 25);
+-	gen_i2s = false;
+-	gen_i2s_transtab = false;
+-	gen_s2i = false;
+-	uppercase = false;
+-	lowercase = false;
+-	prefix = NULL;
+-	assert (argc > 1);
+-	for (i = 1; i < (size_t)argc; i++) {
+-		if (strcmp(argv[i], "--i2s") == 0)
+-			gen_i2s = true;
+-		else if (strcmp(argv[i], "--i2s-transtab") == 0)
+-			gen_i2s_transtab = true;
+-		else if (strcmp(argv[i], "--s2i") == 0)
+-			gen_s2i = true;
+-		else if (strcmp(argv[i], "--uppercase") == 0)
+-			uppercase = true;
+-		else if (strcmp(argv[i], "--lowercase") == 0)
+-			lowercase = true;
+-		else if (strcmp(argv[i], "--duplicate-ints") == 0)
+-			allow_duplicate_ints = true;
+-		else {
+-			assert(*argv[i] != '-');
+-			assert(prefix == NULL);
+-			prefix = argv[i];
+-		}
+-	}
+-	assert(prefix != NULL);
+-	assert(!(uppercase && lowercase));
+-
+-	printf("/* This is a generated file, see Makefile.am for its "
+-	       "inputs. */\n");
+-	for (i = 0; i < NUM_VALUES; i++)
+-		values[i].orig_index = i;
+-	qsort(values, NUM_VALUES, sizeof(*values), cmp_value_strings);
+-	/* FIXME? if (gen_s2i), sort the strings in some other order
+-	   (e.g. "first 4 nodes in BFS of the bsearch tree first") to use the
+-	   cache better. */
+-	/* FIXME? If the only thing generated is a transtab, keep the strings
+-	   in the original order to use the cache better. */
+-	output_strings(prefix);
+-	if (gen_s2i)
+-		output_s2i(prefix, uppercase, lowercase);
+-	if (gen_i2s) {
+-		qsort(values, NUM_VALUES, sizeof(*values), cmp_value_vals);
+-		output_i2s(prefix);
+-	}
+-	if (gen_i2s_transtab) {
+-		qsort(values, NUM_VALUES, sizeof(*values),
+-		      cmp_value_orig_index);
+-		output_i2s_transtab(prefix);
+-	}
+ 	return EXIT_SUCCESS;
+ }
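Review bot: The surviving `assert(NUM_VALUES <= (SSIZE_MAX / 2 + 1))` in `main()` can no longer fire, because the lib/Makefile.am change in this same patch only runs `$(CC) ... -E` on gen_tables.c, so `main()` is preprocessed but never compiled or executed. The removed `assert('Z' == 'A' + 25 && 'z' == 'a' + 25)` guard for GT_ISUPPER/GT_ISLOWER disappears the same way. If gen_tables.h still relies on these invariants, redo the checks in gen_tables.py (for example on `len(ENTRIES)`), or update the "This is required by gen_tables.h" comment to say why skipping them is now safe.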
+diff -urN /dev/null b/lib/gen_tables.py
+--- /dev/null	2013-06-19 11:25:31.230442052 -0500
++++ b/lib/gen_tables.py	2013-08-19 14:27:55.639872141 -0500
+@@ -0,0 +1,458 @@
++#!/usr/bin/python
++################################################################################
++# Copyright 2013, Rockwell Collins.  All rights reserved.
++# 
++# This library is free software; you can redistribute it and/or
++# modify it under the terms of the GNU Lesser General Public
++# License as published by the Free Software Foundation; either
++# version 2.1 of the License, or (at your option) any later version.
++# 
++# This library is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++# Lesser General Public License for more details.
++# 
++# You should have received a copy of the GNU Lesser General Public
++# License along with this library; if not, write to the Free Software
++# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
++# 
++# Authors:
++#      Clayton Shotwell <clshotwe@rockwellcollins.com>
++#
++# Description:
++#      Generator of lookup tables to replace the gen_tables.c method developed
++#      Miloslav Trmac <mitr@redhat.com> to make audit package cross compilable.
++#      The logic in this script mimics the logic in gen_tables.c before the last
++#      modification.
++#
++# Usage: gen_tables.py [-h] [--i2s] [--i2s-transtab] [--s2i]
++#                             [--uppercase | --lowercase] [--duplicate-ints]
++#                             prefix header source output
++#
++#        Generate tables header files.
++#
++#        positional arguments:
++#          prefix            The prefix of the output file to use
++#          header            The header file to parse table values from
++#          source            The source of the preprocessor from the compiler
++#          output            The output header file
++#
++#        optional arguments:
++#          -h, --help        show this help message and exit
++#          --i2s             Generate i2s tables
++#          --i2s-transtab    Generate transtab tables
++#          --s2i             Generate s2i tables
++#          --uppercase       All characters are uppercase
++#          --lowercase       All characters are lowercase
++#          --duplicate-ints  Allow duplicate integers
++
++import argparse
++import ctypes
++import os
++import re
++import sys
++from operator import attrgetter
++from pyparsing import Group, Word, Suppress, alphas, alphanums, nums, cppStyleComment, \
++		Optional, ZeroOrMore
++
++# Number of entries to print per line
++NUM_ENTIRES_IN_LINE = 10
++
++# Global table entries variable that is used everywhere
++ENTRIES = []
++
++# The ratio of table size to number of non-empty elements allowed for a
++# "direct" s2i table; if the ratio would be bigger, bsearch tables are used
++# instead.
++# 
++# 2 looks like a lot at a first glance, but the bsearch tables need twice as
++# much space per element, so with the ratio equal to 2 the direct table uses
++# no more memory and is faster.
++DIRECT_THRESHOLD = 2
++
++# Set to True to enable some debug output
++DEBUG = False
++
++class Entry:
++	def __init__(self, new_s, val):
++		self.st = new_s
++		self.val = val
++		self.offset = 0
++		self.orig_index = 0
++	
++	def set_position(self, offset):
++		self.offset = offset
++	
++	def set_orig_index(self, orig_index):
++		self.orig_index = orig_index
++	
++	def get_str(self):
++		return self.st
++	
++	def __repr__(self):
++		return "<Entry st=%s val=%s>" % (self.st, self.val)
++	
++	def __str__(self):
++		return "Entry of st=%s, val=%s, offset=%d, orig_index=%d" % \
++				(self.st, self.val, self.offset, self.orig_index)
++
++def output_strings(prefix, outfile):
++	try:
++		# Calculate the position each entry will be in the string
++		index = 0
++		for i in range(len(ENTRIES)):
++			ENTRIES[i].set_position(index)
++			# Increment the index by the length of the name plus 1 for the null
++			# character at the end.
++			index += len(ENTRIES[i].get_str()) + 1
++		# Write out the strings
++		outfile.write("static const char %s_strings[] = \"" % prefix)
++		for i in range(len(ENTRIES)):
++			if (i != 0) and (i % NUM_ENTIRES_IN_LINE == 0):
++				outfile.write('"\n\t"')
++			outfile.write(ENTRIES[i].get_str())
++			if (i != (len(ENTRIES) - 1)):
++				outfile.write('\\0')
++		outfile.write('";\n')
++	except:
++		# If an error is found, raise the exception so the main function can close
++		# and delete the outfile
++		exc_type, exc_obj, exc_tb = sys.exc_info()
++		fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
++		print("Unexpected error in output_strings:", exc_type, fname, exc_tb.tb_lineno)
++		raise
++
++def output_s2i(prefix, outfile, uppercase, lowercase):
++	try:
++		# Check for duplicate values
++		for i in range(len(ENTRIES) - 1):
++			assert (ENTRIES[i].get_str() <= ENTRIES[i + 1].get_str()), "Entries not in the correct order"
++			if (ENTRIES[i].get_str() == ENTRIES[i + 1].get_str()):
++				print("Duplicate value %s: %d, %d" % \
++						(ENTRIES[i].get_str(), ENTRIES[i].val, ENTRIES[i + 1].val))
++				raise
++		
++		# Write out the index to value index values
++		outfile.write("static const unsigned %s_s2i_s[] = {" % prefix)
++		for i in range(len(ENTRIES)):
++			if (i % NUM_ENTIRES_IN_LINE == 0):
++				outfile.write('\n\t')
++			outfile.write("%i," % ENTRIES[i].offset)
++		outfile.write('\n};\n')
++		
++		# Write out the string to value actual values
++		outfile.write("static const int %s_s2i_i[] = {" % prefix)
++		for i in range(len(ENTRIES)):
++			if (i % NUM_ENTIRES_IN_LINE == 0):
++				outfile.write('\n\t')
++			outfile.write("%i," % ENTRIES[i].val)
++		outfile.write('\n};\n')
++		
++		# Verify the strings are all uppercase or lowercase depending on the arguments
++		# passed in
++		if uppercase:
++			for i in range(len(ENTRIES)):
++				assert (all(ord(c) < 128 for c in ENTRIES[i].get_str()) and \
++						ENTRIES[i].get_str().isupper()), "String %s is not uppercase" % ENTRIES[i].get_str()
++		if lowercase:
++			for i in range(len(ENTRIES)):
++				assert (all(ord(c) < 128 for c in ENTRIES[i].get_str()) and \
++						ENTRIES[i].get_str().islower()), "String %s is not lowercase" % ENTRIES[i].get_str()
++		if uppercase or lowercase:
++			outfile.write("static int %s_s2i(const char *s, int *value) {\n" \
++					"\tsize_t len, i;\n" \
++					"\tlen = strlen(s);\n" \
++					"\t{ char copy[len + 1];\n" \
++					"\tfor (i = 0; i < len; i++) {\n" \
++					"\t\tchar c = s[i];\n" % prefix)
++			if uppercase:
++				outfile.write("\t\tcopy[i] = GT_ISLOWER(c) ? c - 'a' + 'A' : c;\n")
++			else:
++				outfile.write("\t\tcopy[i] = GT_ISUPPER(c) ? c - 'A' + 'a' : c;\n")
++			outfile.write("\t}\n" \
++					"\tcopy[i] = 0;\n" \
++					"\treturn s2i__(%s_strings, %s_s2i_s, %s_s2i_i, %d, copy, value);\n" \
++					"\t}\n" \
++					"}\n" % (prefix, prefix, prefix, len(ENTRIES)))
++		else:
++			outfile.write("static int %s_s2i(const char *s, int *value) {\n" \
++					"\treturn s2i__(%s_strings, %s_s2i_s, %s_s2i_i, %d, s, value);\n" \
++					"}\n" % (prefix, prefix, prefix, prefix, len(ENTRIES)))
++	except:
++		# If an error is found, raise the exception so the main function can close
++		# and delete the outfile
++		exc_type, exc_obj, exc_tb = sys.exc_info()
++		fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
++		print("Unexpected error in output_s2i:", exc_type, fname, exc_tb.tb_lineno)
++		raise
++
++def output_i2s(prefix, outfile, allow_duplicate_ints):
++	try:
++		# Check for duplicate values
++		for i in range(len(ENTRIES) - 1):
++			assert (ENTRIES[i].val <= ENTRIES[i + 1].val), "Entries not in the correct order"
++			if (not allow_duplicate_ints) and (ENTRIES[i].val == ENTRIES[i + 1].val):
++				print("Duplicate value %d: %s, %s" % (ENTRIES[i].val, ENTRIES[i].get_str(), \
++						ENTRIES[i + 1].get_str()))
++				raise
++		
++		# Find all of the unique values
++		unique_entries = []
++		for i in range(len(ENTRIES)):
++			# If the unique_entries is empty or the last unique_entries entry is different from the 
++			# entry being compared, append the entry
++			if (len(unique_entries) == 0) or (unique_entries[-1].val != ENTRIES[i].val):
++				unique_entries.append(ENTRIES[i])
++		
++		# Determine which mapping to use based on the treshold
++		max_val = unique_entries[-1].val
++		min_val = unique_entries[0].val
++		if ((float(max_val - min_val)/len(unique_entries)) <= DIRECT_THRESHOLD):
++			outfile.write("static const unsigned %s_i2s_direct[] = {" % prefix)
++			next_index = min_val
++			i = 0
++			while True:
++				if (((next_index - min_val) % 10) == 0):
++					outfile.write("\n\t")
++				while (unique_entries[i].val < next_index):
++					# This can happen if (allow_duplicate_ints)
++					i += 1
++				if (unique_entries[i].val == next_index):
++					assert(unique_entries[i].offset <= sys.maxint)
++					outfile.write("%i," % unique_entries[i].offset)
++				else:
++					outfile.write("-1u,")
++				if (next_index == max_val):
++					break
++				next_index += 1
++			outfile.write("\n};\nstatic const char *%s_i2s(int v) {\n" \
++					"\treturn i2s_direct__(%s_strings, %s_i2s_direct, %d, %d, v);\n" \
++					"}\n" % (prefix, prefix, prefix, min_val, max_val))
++		else:
++			outfile.write("static const int %s_i2s_i[] = {" % prefix)
++			for i in range(len(unique_entries)):
++				if (i % 10 == 0):
++					outfile.write("\n\t")
++				outfile.write("%i," % unique_entries[i].val)
++			outfile.write("\n};\nstatic const unsigned %s_i2s_s[] = {" % prefix)
++			for i in range(len(unique_entries)):
++				if (i % 10 == 0):
++					outfile.write("\n\t")
++				assert(unique_entries[i].offset <= sys.maxint)
++				outfile.write("%i," % unique_entries[i].offset)
++			outfile.write("\n };\n static const char *%s_i2s(int v) {\n" \
++					"\treturn i2s_bsearch__(%s_strings, %s_i2s_i, %s_i2s_s, %u, v);\n" \
++					"}\n" % (prefix, prefix, prefix, prefix, len(unique_entries)))
++	except:
++		# If an error is found, raise the exception so the main function can close
++		# and delete the outfile
++		exc_type, exc_obj, exc_tb = sys.exc_info()
++		fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
++		print("Unexpected error in output_i2s:", exc_type, fname, exc_tb.tb_lineno)
++		raise
++
++def output_i2s_transtab(prefix, outfile):
++	"""
++		Output the string to integer mapping table as a transtab[].
++		values must be sorted in the desired order. 
++	"""
++	try:
++		outfile.write("static const struct transtab %s_table[] = {" % prefix)
++		for i in range(len(ENTRIES)):
++			if (i % NUM_ENTIRES_IN_LINE == 0):
++				outfile.write('\n\t')
++			outfile.write("{%i,%u}," % (ENTRIES[i].val, ENTRIES[i].offset))
++		outfile.write("\n};\n#define %s_NUM_ENTRIES (sizeof(%s_table) / sizeof(*%s_table))\n" % \
++				(prefix.upper(), prefix, prefix))
++	except:
++		# If an error is found, raise the exception so the main function can close
++		# and delete the outfile
++		exc_type, exc_obj, exc_tb = sys.exc_info()
++		fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
++		print("Unexpected error in output_i2s_transtab:", exc_type, fname, exc_tb.tb_lineno)
++		raise
++
++def lookup_enum(look_str, buf):
++	try:
++		# Pull all of the enums out of the preprocessor output out only once
++		# to help speed up all of the lookups
++		if not hasattr(lookup_enum, "enums"):
++			if DEBUG:
++				print("Pulling out the enums from the preprocessor output")
++			# Regex pattern to parse out the enums from the preprocessor output
++			enum_regex = "enum.*?{(?P<s>.*?)}"
++			lookup_enum.enums = re.findall(enum_regex, buf, flags=(re.M | re.S))
++		
++		# find which enum contains the string we are looking for
++		for i in range(len(lookup_enum.enums)):
++			if look_str in lookup_enum.enums[i]:
++				# Determine the value of the variable in the enum
++				enum_string = "enum preproc { " + lookup_enum.enums[i] + " }"
++				enum_string = "".join([line.strip() for line in enum_string])
++				if DEBUG:
++					print("Found %s in %s" % (look_str, enum_string))
++				
++				identifier = Word(alphas, alphanums+'_')
++				opt_value = Word(nums, nums+'x+<>/*')
++				
++				enum_value = Group(identifier('name') + Optional(Suppress('=') + opt_value('value')))
++				enum_list = Group(enum_value + ZeroOrMore(Suppress(',') + enum_value))
++				enum = Suppress('enum') + identifier('enum') + Suppress('{') + enum_list('list') + \
++						Suppress('}')
++				enum.ignore(cppStyleComment)
++				
++				for item, start, stop in enum.scanString(enum_string):
++					temp = 0
++					for entry in item.list:
++						if DEBUG:
++							print("Checking %s against %s" % (look_str, entry.name))
++						if entry.name == look_str:
++							if entry.value != '':
++								# Need to call eval becuase some enums have math in them
++								try:
++									value = eval(entry.value)
++								except:
++									print("Found invalid value %s" % entry.value)
++							else:
++								value = temp
++							if DEBUG:
++								print("Matched the enum name to value %d" % value)
++							return value
++						temp += 1
++	except:
++		exc_type, exc_obj, exc_tb = sys.exc_info()
++		fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
++		print("Unexpected error in output_i2s_transtab:", exc_type, fname, exc_tb.tb_lineno)
++	print("Unable to find enum value")
++	return None
++
++def evaluate_string(eval_str, buf):
++	if DEBUG:
++		print("Evaluating string %s" % eval_str)
++	
++	# Regex expression for pulling apart the values in the preprocessor output
++	eval_regex = "(?P<val>\w+)"
++	# Since the string can be anything, it must be parsed into individual parts
++	# and evaluated separately to find any enum values
++	matches = re.findall(eval_regex, eval_str)
++	if len(matches) <= 0:
++		print("Could not find any matches")
++	
++	local_s = eval_str
++	value = None
++	i = 0
++	for i in range(len(matches)):
++		try:
++			# If the current item is abled to evaled, there is nothing to do
++			val = eval(matches[i])
++		except:
++			try:
++				# Need to check to see if the last character is a "U" and remove it
++				# if this does not except, a valid number was found
++				if matches[i][-1] == 'U':
++					val = eval(matches[i][:-1])
++					local_s = local_s.replace(matches[i], "%d" % val)
++				else:
++					# Need to do a enum look up for anything that doesnt translate into a number
++					val = lookup_enum(matches[i], buf)
++					if val is not None:
++						local_s = local_s.replace(matches[i], "%d" % val)
++			except:
++				# This case will be hit if the "U" removal fails
++				val = lookup_enum(matches[i], buf)
++				if val is not None:
++					local_s = local_s.replace(matches[i], "%d" % val)
++	try:
++		# This will fail if all of the enums were not found rather
++		# than handling the failues in the above steps
++		# Also, need to convert to a signed 32 bit int for the output value
++		value = ctypes.c_int32(eval(local_s)).value
++		if DEBUG:
++			print("Found value %d for %s" % (value, matches[i]))
++	except:
++		print("Could not parse string %s" % local_s)
++	
++	# Verify the mess above resulted in a number being found
++	if value is None:
++		print("Failed to find value for %s" % eval_str)
++		raise
++	return value
++	
++def remove_output(outfile):
++	path = outfile.name
++	outfile.close()
++	os.remove(path)
++	sys.exit(1)
++
++def main():
++	
++	# Setup the argument parser and parse the arguments given
++	parser = argparse.ArgumentParser(description='Generate tables header files.')
++	parser.add_argument('--i2s', dest='gen_i2s', action='store_true', 
++			help='Generate i2s tables')
++	parser.add_argument('--i2s-transtab', dest='gen_i2s_transtab', action='store_true', 
++			help='Generate transtab tables')
++	parser.add_argument('--s2i', dest='gen_s2i', action='store_true', 
++			help='Generate s2i tables')
++	# Make sure uppercase and lowercase are mutually exclusive
++	group = parser.add_mutually_exclusive_group()
++	group.add_argument('--uppercase', dest='uppercase', action='store_true', 
++			help='All characters are uppercase')
++	group.add_argument('--lowercase', dest='lowercase', action='store_true', 
++			help='All characters are lowercase')
++	parser.add_argument('--duplicate-ints', dest='allow_duplicate_ints', action='store_true', 
++			help='Allow duplicate integers')
++	parser.add_argument('prefix', help='The prefix of the output file to use')
++	parser.add_argument('source', type=argparse.FileType('r'), 
++			help='The source of the preprocessor from the compiler')
++	parser.add_argument('output', type=argparse.FileType('w'), 
++			help='The output header file')
++	args = parser.parse_args()
++	
++	# Regex pattern to parse out the macro and string from the _S calls
++	source_regex = "{ \((?P<val>.*?)\), \(\"(?P<s>\S+)\"\), 0, 0 }"
++	
++	# First parse the header file for all of the preprocessor source that need to
++	# be looked up
++	buf = args.source.read()
++	matches = re.findall(source_regex, buf, flags=re.MULTILINE)
++	
++	# Check to make sure we have matches
++	if (len(matches) <= 0):
++		print("Failed to find valid source")
++		remove_output(args.output)
++		sys.exit(1)
++	
++	try:
++		# Create all of the entry structures
++		global ENTRIES
++		for i in range(len(matches)):
++			ENTRIES.append(Entry(matches[i][1], evaluate_string(matches[i][0], buf)))
++			ENTRIES[i].set_orig_index(i)
++			if DEBUG:
++				print(ENTRIES[i])
++		
++		# Sort the entries alphabetically
++		ENTRIES = sorted(ENTRIES, key=attrgetter('st'))
++		# Print out the output header
++		args.output.write("/* This is a generated file, see Makefile.am for its inputs. */\n")
++		output_strings(args.prefix, args.output)
++		if args.gen_s2i:
++			output_s2i(args.prefix, args.output, args.uppercase, args.lowercase)
++		if args.gen_i2s:
++			ENTRIES = sorted(ENTRIES, key=attrgetter('val'))
++			output_i2s(args.prefix, args.output, args.allow_duplicate_ints)
++		if args.gen_i2s_transtab:
++			ENTRIES = sorted(ENTRIES, key=attrgetter('orig_index'))
++			output_i2s_transtab(args.prefix, args.output)
++	except:
++		# On an error, close and remove the file before returning an error
++		print("Failed to write the output file correctly")
++		exc_type, exc_obj, exc_tb = sys.exc_info()
++		fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
++		print("Unexpected error:", exc_type, fname, exc_tb.tb_lineno)
++		remove_output(args.output)
++		sys.exit(1)
++
++if __name__ == '__main__':
++	main()
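Review bot: `evaluate_string()` and `lookup_enum()` pass text lifted from the preprocessor output straight to `eval()` (`val = eval(matches[i])`, `eval(entry.value)`, `ctypes.c_int32(eval(local_s))`), and `local_s` comes from the `(?P<val>.*?)` group of `source_regex`, so any Python expression that ends up in a table header is executed at build time. The inputs are integer constants with C arithmetic, so parse them with a restricted evaluator (for example walk `ast.parse(..., mode='eval')` and accept only numbers and arithmetic or shift operators) instead of `eval`. Smaller points in the same file: the bare `raise` after the "Duplicate value" and "Failed to find value" prints has no active exception to re-raise, so raise a specific one such as `ValueError`; `lookup_enum()` labels its errors "output_i2s_transtab" and reaches `return value` with `value` unassigned when the inner `eval` fails; the usage header documents a `header` positional that the argparse setup does not define; and `sys.maxint` replaces the C code's `UINT_MAX` bound and exists only on Python 2.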
+diff -urN a/lib/Makefile.am b/lib/Makefile.am
+--- a/lib/Makefile.am	2013-07-29 16:37:01.000000000 -0500
++++ b/lib/Makefile.am	2013-08-19 14:39:58.280509378 -0500
+@@ -40,119 +40,109 @@
+ BUILT_SOURCES = actiontabs.h errtabs.h fieldtabs.h flagtabs.h \
+ 	ftypetabs.h i386_tables.h ia64_tables.h machinetabs.h \
+ 	msg_typetabs.h optabs.h ppc_tables.h s390_tables.h \
+-	s390x_tables.h x86_64_tables.h
+-if USE_ALPHA
+-BUILT_SOURCES += alpha_tables.h
+-endif
+-if USE_ARMEB
+-BUILT_SOURCES += armeb_tables.h
+-endif
+-if USE_AARCH64
+-BUILT_SOURCES += aarch64_tables.h
+-endif
+-noinst_PROGRAMS = gen_actiontabs_h gen_errtabs_h gen_fieldtabs_h \
++	s390x_tables.h x86_64_tables.h \
++	gen_actiontabs_h gen_errtabs_h gen_fieldtabs_h \
+ 	gen_flagtabs_h gen_ftypetabs_h gen_i386_tables_h \
+ 	gen_ia64_tables_h gen_machinetabs_h gen_msg_typetabs_h \
+ 	gen_optabs_h gen_ppc_tables_h gen_s390_tables_h \
+-	gen_s390x_tables_h gen_x86_64_tables_h
++	gen_s390x_tables_h gen_x86_64_tables_h 
+ if USE_ALPHA
+-noinst_PROGRAMS += gen_alpha_tables_h
++BUILT_SOURCES += alpha_tables.h gen_alpha_tables_h
+ endif
+ if USE_ARMEB
+-noinst_PROGRAMS += gen_armeb_tables_h
++BUILT_SOURCES += armeb_tables.h gen_armeb_tables_h
+ endif
+ if USE_AARCH64
+-noinst_PROGRAMS += gen_aarch64_tables_h
++BUILT_SOURCES += aarch64_tables.h gen_aarch64_tables_h
+ endif
+-gen_actiontabs_h_SOURCES = gen_tables.c gen_tables.h actiontab.h
+-gen_actiontabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="actiontab.h"'
++
++gen_actiontabs_h: gen_tables.c gen_tables.h actiontab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"actiontab.h\" -E -o $@ gen_tables.c
+ actiontabs.h: gen_actiontabs_h Makefile
+-	./gen_actiontabs_h --lowercase --i2s --s2i action > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i action gen_actiontabs_h $@
+ 
+ if USE_ALPHA
+-gen_alpha_tables_h_SOURCES = gen_tables.c gen_tables.h alpha_table.h
+-gen_alpha_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="alpha_table.h"'
++gen_alpha_tables_h: gen_tables.c gen_tables.h alpha_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"alpha_table.h\" -E -o $@ gen_tables.c
+ alpha_tables.h: gen_alpha_tables_h Makefile
+-	./gen_alpha_tables_h --lowercase --i2s --s2i alpha_syscall > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i alpha_syscall gen_alpha_tables_h $@
+ endif
+ 
+ if USE_ARMEB
+-gen_armeb_tables_h_SOURCES = gen_tables.c gen_tables.h armeb_table.h
+-gen_armeb_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="armeb_table.h"'
+-armeb_tables.h: gen_armeb_tables_h Makefile
+-	./gen_armeb_tables_h --lowercase --i2s --s2i armeb_syscall > $@
++gen_armeb_tables_h: gen_tables.c gen_tables.h armeb_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"armeb_table.h\" -E -o $@ gen_tables.c
++armeb_tables.h: gen_armeb_tables_h Makefile
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i armeb_syscall gen_armeb_tables_h $@
+ endif
+ 
+ if USE_AARCH64
+-gen_aarch64_tables_h_SOURCES = gen_tables.c gen_tables.h aarch64_table.h
+-gen_aarch64_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="aarch64_table.h"'
++gen_aarch64_tables_h: gen_tables.c gen_tables.h aarch64_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"aarch64_table.h\" -E -o $@ gen_tables.c
+ aarch64_tables.h: gen_aarch64_tables_h Makefile
+-	./gen_aarch64_tables_h --lowercase --i2s --s2i aarch64_syscall > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i aarch64_syscall gen_aarch64_tables_h $@
+ endif
+ 
+-gen_errtabs_h_SOURCES = gen_tables.c gen_tables.h errtab.h
+-gen_errtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="errtab.h"'
++gen_errtabs_h: gen_tables.c gen_tables.h errtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"errtab.h\" -E -o $@ gen_tables.c
+ errtabs.h: gen_errtabs_h Makefile
+-	./gen_errtabs_h --duplicate-ints --uppercase --i2s --s2i err > $@
++	$(PYTHON) gen_tables.py --duplicate-ints --uppercase --i2s --s2i err gen_errtabs_h $@
+ 
+-gen_fieldtabs_h_SOURCES = gen_tables.c gen_tables.h fieldtab.h
+-gen_fieldtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="fieldtab.h"'
++gen_fieldtabs_h: gen_tables.c gen_tables.h fieldtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"fieldtab.h\" -E -o $@ gen_tables.c
+ fieldtabs.h: gen_fieldtabs_h Makefile
+-	./gen_fieldtabs_h --duplicate-ints --lowercase --i2s --s2i field > $@
++	$(PYTHON) gen_tables.py --duplicate-ints --lowercase --i2s --s2i field gen_fieldtabs_h $@
+ 
+-gen_flagtabs_h_SOURCES = gen_tables.c gen_tables.h flagtab.h
+-gen_flagtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="flagtab.h"'
++gen_flagtabs_h: gen_tables.c gen_tables.h flagtab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"flagtab.h\" -E -o $@ gen_tables.c
+ flagtabs.h: gen_flagtabs_h Makefile
+-	./gen_flagtabs_h --lowercase --i2s --s2i flag > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i flag gen_flagtabs_h $@
+ 
+-gen_ftypetabs_h_SOURCES = gen_tables.c gen_tables.h ftypetab.h
+-gen_ftypetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ftypetab.h"'
++gen_ftypetabs_h: gen_tables.c gen_tables.h ftypetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ftypetab.h\" -E -o $@ gen_tables.c
+ ftypetabs.h: gen_ftypetabs_h Makefile
+-	./gen_ftypetabs_h --lowercase --i2s --s2i ftype > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i ftype gen_ftypetabs_h $@
+ 
+-gen_i386_tables_h_SOURCES = gen_tables.c gen_tables.h i386_table.h
+-gen_i386_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="i386_table.h"'
++gen_i386_tables_h: gen_tables.c gen_tables.h i386_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"i386_table.h\" -E -o $@ gen_tables.c
+ i386_tables.h: gen_i386_tables_h Makefile
+-	./gen_i386_tables_h --duplicate-ints --lowercase --i2s --s2i \
+-		i386_syscall > $@
++	$(PYTHON) gen_tables.py --duplicate-ints --lowercase --i2s --s2i i386_syscall gen_i386_tables_h $@
+ 
+-gen_ia64_tables_h_SOURCES = gen_tables.c gen_tables.h ia64_table.h
+-gen_ia64_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ia64_table.h"'
++gen_ia64_tables_h: gen_tables.c gen_tables.h ia64_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ia64_table.h\" -E -o $@ gen_tables.c
+ ia64_tables.h: gen_ia64_tables_h Makefile
+-	./gen_ia64_tables_h --lowercase --i2s --s2i ia64_syscall > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i ia64_syscall gen_ia64_tables_h $@
+ 
+-gen_machinetabs_h_SOURCES = gen_tables.c gen_tables.h machinetab.h
+-gen_machinetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="machinetab.h"'
++gen_machinetabs_h: gen_tables.c gen_tables.h machinetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"machinetab.h\" -E -o $@ gen_tables.c
+ machinetabs.h: gen_machinetabs_h Makefile
+-	./gen_machinetabs_h --duplicate-ints --lowercase --i2s --s2i machine \
+-		> $@
++	$(PYTHON) gen_tables.py --duplicate-ints --lowercase --i2s --s2i machine gen_machinetabs_h $@
+ 
+-gen_msg_typetabs_h_SOURCES = gen_tables.c gen_tables.h msg_typetab.h
+-gen_msg_typetabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="msg_typetab.h"'
++gen_msg_typetabs_h: gen_tables.c gen_tables.h msg_typetab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"msg_typetab.h\" -E -o $@ gen_tables.c
+ msg_typetabs.h: gen_msg_typetabs_h Makefile
+-	./gen_msg_typetabs_h --uppercase --i2s --s2i msg_type > $@
++	$(PYTHON) gen_tables.py --uppercase --i2s --s2i msg_type gen_msg_typetabs_h $@
+ 
+-gen_optabs_h_SOURCES = gen_tables.c gen_tables.h optab.h
+-gen_optabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="optab.h"'
++gen_optabs_h: gen_tables.c gen_tables.h optab.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"optab.h\" -E -o $@ gen_tables.c
+ optabs.h: gen_optabs_h Makefile
+-	./gen_optabs_h --i2s op > $@
++	$(PYTHON) gen_tables.py --i2s op gen_optabs_h $@
+ 
+-gen_ppc_tables_h_SOURCES = gen_tables.c gen_tables.h ppc_table.h
+-gen_ppc_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="ppc_table.h"'
++gen_ppc_tables_h: gen_tables.c gen_tables.h ppc_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"ppc_table.h\" -E -o $@ gen_tables.c
+ ppc_tables.h: gen_ppc_tables_h Makefile
+-	./gen_ppc_tables_h --lowercase --i2s --s2i ppc_syscall > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i ppc_syscall gen_ppc_tables_h $@
+ 
+-gen_s390_tables_h_SOURCES = gen_tables.c gen_tables.h s390_table.h
+-gen_s390_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="s390_table.h"'
++gen_s390_tables_h: gen_tables.c gen_tables.h s390_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"s390_table.h\" -E -o $@ gen_tables.c
+ s390_tables.h: gen_s390_tables_h Makefile
+-	./gen_s390_tables_h --lowercase --i2s --s2i s390_syscall > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i s390_syscall gen_s390_tables_h $@
+ 
+-gen_s390x_tables_h_SOURCES = gen_tables.c gen_tables.h s390x_table.h
+-gen_s390x_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="s390x_table.h"'
++gen_s390x_tables_h: gen_tables.c gen_tables.h s390x_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"s390x_table.h\" -E -o $@ gen_tables.c
+ s390x_tables.h: gen_s390x_tables_h Makefile
+-	./gen_s390x_tables_h --lowercase --i2s --s2i s390x_syscall > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i s390x_syscall gen_s390x_tables_h $@
+ 
+-gen_x86_64_tables_h_SOURCES = gen_tables.c gen_tables.h x86_64_table.h
+-gen_x86_64_tables_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="x86_64_table.h"'
++gen_x86_64_tables_h: gen_tables.c gen_tables.h x86_64_table.h
++	$(CC) $(INCLUDES) $(AM_CFLAGS) $(CFLAGS) -DTABLE_H=\"x86_64_table.h\" -E -o $@ gen_tables.c
+ x86_64_tables.h: gen_x86_64_tables_h Makefile
+-	./gen_x86_64_tables_h --lowercase --i2s --s2i x86_64_syscall > $@
++	$(PYTHON) gen_tables.py --lowercase --i2s --s2i x86_64_syscall gen_x86_64_tables_h $@
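Review bot: Every table rule invokes the generator as `$(PYTHON) gen_tables.py ...` and the preprocessor as `-E -o $@ gen_tables.c`, with no `$(srcdir)/` prefix and without gen_tables.py as a prerequisite, so a build outside the source directory will not find either file and edits to the script do not regenerate the tables. Suggest `actiontabs.h: gen_actiontabs_h gen_tables.py Makefile` with `$(PYTHON) $(srcdir)/gen_tables.py` in the recipe, and `$(srcdir)/gen_tables.c` in the `-E` rules. The `gen_*_h` targets are now preprocessor output rather than programs, yet they are appended to BUILT_SOURCES under their old names; a comment or a rename would make that clear. The new `gen_x86_64_tables_h ` line also carries trailing whitespace.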
diff --git a/package/audit/audit-0002-remove-zos-plugin.patch b/package/audit/audit-0002-remove-zos-plugin.patch
new file mode 100644
index 0000000..576d8fa
--- /dev/null
+++ b/package/audit/audit-0002-remove-zos-plugin.patch
@@ -0,0 +1,35 @@
+Removed the step to build the zos-remote.
+
+Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
+---
+--- a/audisp/plugins/Makefile.am	2012-08-28 10:33:03.582396601 -0500
++++ b/audisp/plugins/Makefile.am	2012-08-28 10:33:14.162399662 -0500
+@@ -22,7 +22,7 @@
+ 
+ CONFIG_CLEAN_FILES = *.loT *.rej *.orig
+ 
+-SUBDIRS = builtins zos-remote remote
++SUBDIRS = builtins remote
+ #SUBDIRS = builtins zos-remote
+ if HAVE_PRELUDE
+ SUBDIRS += prelude
+--- a/audisp/plugins/Makefile.in	2012-08-28 10:33:03.592380390 -0500
++++ b/audisp/plugins/Makefile.in	2012-08-28 10:35:38.482397668 -0500
+@@ -84,7 +84,7 @@
+ 	distdir
+ ETAGS = etags
+ CTAGS = ctags
+-DIST_SUBDIRS = builtins zos-remote remote prelude
++DIST_SUBDIRS = builtins remote prelude
+ DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ am__relativize = \
+   dir0=`pwd`; \
+@@ -242,7 +242,7 @@
+ top_builddir = @top_builddir@
+ top_srcdir = @top_srcdir@
+ CONFIG_CLEAN_FILES = *.loT *.rej *.orig
+-SUBDIRS = builtins zos-remote remote $(am__append_1)
++SUBDIRS = builtins remote $(am__append_1)
+ all: all-recursive
+ 
+ .SUFFIXES:
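Review bot: The two Makefile.in hunks look redundant, because audit.mk sets `AUDIT_AUTORECONF = YES` and Makefile.in is then regenerated from Makefile.am; keeping only the Makefile.am change makes the patch smaller and less likely to stop applying on a version bump. The description should also say why zos-remote is dropped (it only states that the step was removed), and the tag is missing its colon: `Signed-off-by:`.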
diff --git a/package/audit/audit.mk b/package/audit/audit.mk
new file mode 100644
index 0000000..4a87887
--- /dev/null
+++ b/package/audit/audit.mk
@@ -0,0 +1,61 @@
+################################################################################
+#
+# audit
+#
+################################################################################
+
+AUDIT_VERSION:=2.3.2
+AUDIT_SITE:=http://people.redhat.com/sgrubb/audit/
+AUDIT_DEPENDENCIES = host-python-pyparsing
+AUDIT_LICENSE = GPLv2
+AUDIT_LICENSE_FILES = COPYING
+
+AUDIT_INSTALL_STAGING = YES
+
+AUDIT_AUTORECONF = YES
+AUDIT_AUTORECONF_OPT = -i -s -I m4
+
+# Audit will be looking for applications to be in the root
+# /sbin folder rather than in /usr/sbin folder
+AUDIT_CONF_OPT = --sbindir=/sbin
+
+ifeq ($(BR2_PACKAGE_AUDIT_PYTHON_BINDINGS),y)
+	AUDIT_DEPENDENCIES += python host-python host-swig
+	AUDIT_CONF_OPT += --with-python=yes
+	AUDIT_CONF_ENV += CFLAGS="$(TARGET_CFLAGS) -I$(STAGING_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)"
+else
+	AUDIT_CONF_OPT += --with-python=no
+endif
+
+ifeq ($(BR2_PACKAGE_LIBCAP_NG),y)
+	AUDIT_DEPENDENCIES += libcap-ng
+	AUDIT_CONF_OPT += --with-libcap-ng=yes
+else
+	AUDIT_CONF_OPT += --with-libcap-ng=no
+endif
+
+ifeq ($(BR2_armeb),y)
+	AUDIT_CONF_OPT += --with-armeb
+endif
+ifeq ($(BR2_arm),y)
+	AUDIT_CONF_OPT += --with-armeb
+endif
+ifeq ($(BR2_aarch64),y)
+	AUDIT_CONF_OPT += --with-aarch64
+endif
+
+ifeq ($(BR2_PREFER_STATIC_LIB),y)
+	AUDIT_CONF_OPT += --enable-shared=no
+endif
+
+define AUDIT_INSTALL_INIT_SYSV
+	$(INSTALL) -m 755 package/audit/S01auditd $(TARGET_DIR)/etc/init.d/
+endef
+
+define AUDIT_REMOVE_STARTUP_SCRIPT_DIR
+	$(RM) -rf $(TARGET_DIR)/etc/rc.d
+endef
+
+AUDIT_POST_INSTALL_TARGET_HOOKS += AUDIT_REMOVE_STARTUP_SCRIPT_DIR
+
+$(eval $(autotools-package))
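Review bot: In the architecture block, `ifeq ($(BR2_arm),y)` adds `--with-armeb`, the same option as the BR2_armeb case directly above it. If that is intentional, fold the two conditions into one and add a comment explaining why little-endian ARM takes this option; if not, it reads as a copy-paste slip. A smaller style point: AUDIT_VERSION and AUDIT_SITE are assigned with `:=` while the rest of the file uses `=`.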
-- 
1.7.1


* [Buildroot] [ PATCH v4 12/20] policycoreutils: new package
  2013-12-12 18:27 [Buildroot] [ PATCH v4 00/20] SELinux Buildroot Additions Clayton Shotwell
                   ` (10 preceding siblings ...)
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 11/20] audit: new package Clayton Shotwell
@ 2013-12-12 18:27 ` Clayton Shotwell
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 13/20] python-pyxml: " Clayton Shotwell
                   ` (7 subsequent siblings)
  19 siblings, 0 replies; 27+ messages in thread
From: Clayton Shotwell @ 2013-12-12 18:27 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v3 -> v4:
  - Add a select for the libselinux Python bindings when debugging
    is enabled.  This will cause Python to be built for the target
    (suggested by Thomas).
  - Cleaned up the configure comments (suggested by Thomas).
  - Added a dependency on BR2_USE_MMU for the debugging option
    because python requires it (suggested by Thomas).
  - Removed the dependencies on audit and linux-pam. Both packages
    are now optional dependencies based on whether or not the package
    has been selected.
  - Moved the dependency on dbus-glib to only the restorecond option
    where it is used.
  - Added an INSTALL_INIT_SYSV for the restorecond daemon rather than
    just installing it directly
  - Adding a dependency on glibc
  - Removed the clean commands.
Changes v2 -> v3:
  - Added dependencies on BR2_TOOLCHAIN_HAS_THREADS and BR2_LARGEFILE
    (suggested by Thomas).
  - Changed patch naming convention (suggested by Thomas).
  - Added selects for linux-pam and audit.
Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format.
  - Fixed the patch naming to avoid using the version number.
  - Cleaned up the patch to include a signed-off-by line.
  - Changed package dependencies into selects in the config.
---
 package/Config.in                                  |    1 +
 package/policycoreutils/Config.in                  |   88 +++++
 package/policycoreutils/S15restorecond             |   85 +++++
 .../policycoreutils-0001-cross-compile-fixes.patch |  332 ++++++++++++++++++++
 package/policycoreutils/policycoreutils.mk         |  231 ++++++++++++++
 5 files changed, 737 insertions(+), 0 deletions(-)
 create mode 100644 package/policycoreutils/Config.in
 create mode 100755 package/policycoreutils/S15restorecond
 create mode 100644 package/policycoreutils/policycoreutils-0001-cross-compile-fixes.patch
 create mode 100644 package/policycoreutils/policycoreutils.mk

diff --git a/package/Config.in b/package/Config.in
index 48c66a6..d69d106 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -938,6 +938,7 @@ source "package/xenomai/Config.in"
 endmenu
 
 menu "Security"
+source "package/policycoreutils/Config.in"
 source "package/sepolgen/Config.in"
 source "package/setools/Config.in"
 endmenu
diff --git a/package/policycoreutils/Config.in b/package/policycoreutils/Config.in
new file mode 100644
index 0000000..ca9611b
--- /dev/null
+++ b/package/policycoreutils/Config.in
@@ -0,0 +1,88 @@
+config BR2_PACKAGE_POLICYCOREUTILS
+	bool "policycoreutils"
+	select BR2_PACKAGE_LIBSEMANAGE
+	depends on BR2_TOOLCHAIN_USES_GLIBC
+	depends on BR2_TOOLCHAIN_HAS_THREADS # libsemanage
+	depends on BR2_LARGEFILE # libsemanage
+	help
+	  Policycoreutils is a collection of policy utilities (originally
+	  the "core" set of utilities needed to use SELinux, although it
+	  has grown a bit over time), which have different dependencies.
+	  sestatus, secon, run_init, and newrole only use libselinux.
+	  load_policy and setfiles only use libselinux and libsepol.
+	  semodule and semanage use libsemanage (and thus bring in
+	  dependencies on libsepol and libselinux as well). setsebool
+	  uses libselinux to make non-persistent boolean changes (via
+	  the kernel interface) and uses libsemanage to make persistent
+	  boolean changes.
+
+	  The base package will install the following utilities:
+	      load_policy
+	      newrole
+	      restorecond
+	      run_init
+	      secon
+	      semodule
+	      semodule_deps
+	      semodule_expand
+	      semodule_link
+	      semodule_package
+	      sepolgen-ifgen
+	      sestatus
+	      setfiles
+	      setsebool
+
+	  http://selinuxproject.org/page/Main_Page
+
+comment "policycoreutils needs a toolchain w/ (e)glibc, wchar, largefile"
+	depends on !BR2_TOOLCHAIN_USES_GLIBC || !BR2_TOOLCHAIN_HAS_THREADS \
+		|| !BR2_LARGEFILE
+
+if BR2_PACKAGE_POLICYCOREUTILS
+
+config BR2_PACKAGE_POLICYCOREUTILS_POLICY_DEBUGGING
+	bool "Policy Debugging Utilities"
+	select BR2_PACKAGE_LIBSELINUX_PYTHON_BINDINGS
+	select BR2_PACKAGE_PYTHON
+	select BR2_PACKAGE_SEPOLGEN
+	select BR2_PACKAGE_SETOOLS
+	depends on BR2_USE_MMU # python
+	help
+	  Enable policy debugging packages to be built.  These are being included
+	  separately because of dependencies.
+	      audit2allow
+	      audit2why
+	      semanage
+	      sepolicy
+	      scripts
+
+config BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND
+	bool "restorecond Utility"
+	select BR2_PACKAGE_DBUS_GLIB
+	depends on BR2_USE_WCHAR # dbus-glib
+	depends on BR2_USE_MMU # dbus-glib
+	help
+	  Enable restorecond to be built
+
+comment "restorecond needs a toolchain w/ wchar, threads, mmu"
+	depends on !BR2_USE_WCHAR || !BR2_USE_MMU
+
+config BR2_PACKAGE_POLICYCOREUTILS_MCSTRANS
+	bool "mcstrans Utility"
+	select BR2_PACKAGE_PCRE
+	select BR2_PACKAGE_LIBCAP
+	help
+	  Enable mcstrans to be built
+
+config BR2_PACKAGE_POLICYCOREUTILS_SANDBOX
+	bool "sandbox Utility"
+	select BR2_PACKAGE_POLICYCOREUTILS_POLICY_DEBUGGING
+	select BR2_PACKAGE_LIBCGROUP
+	depends on BR2_INSTALL_LIBSTDCPP # libcgroup
+	help
+	  Enable sandbox to be built
+
+comment "policycoreutils sandbox needs an toolchain w/ C++"
+	depends on !BR2_INSTALL_LIBSTDCPP
+
+endif
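Review bot: The comment strings do not match the conditions that display them: the policycoreutils comment names "wchar" while its `depends on` tests BR2_TOOLCHAIN_HAS_THREADS, and the restorecond comment lists "threads" although only BR2_USE_WCHAR and BR2_USE_MMU are tested. Separately, BR2_PACKAGE_POLICYCOREUTILS_SANDBOX selects BR2_PACKAGE_POLICYCOREUTILS_POLICY_DEBUGGING without repeating its `depends on BR2_USE_MMU`, so the select can force that option on where its dependency is unmet. The sandbox comment also reads "needs an toolchain".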
diff --git a/package/policycoreutils/S15restorecond b/package/policycoreutils/S15restorecond
new file mode 100755
index 0000000..e408281
--- /dev/null
+++ b/package/policycoreutils/S15restorecond
@@ -0,0 +1,85 @@
+#!/bin/sh
+#
+# restorecond:		Daemon used to maintain path file context
+#
+# description:	restorecond uses inotify to look for creation of new files \
+# listed in the /etc/selinux/restorecond.conf file, and restores the \
+# correct security context.
+#
+# processname: /usr/sbin/restorecond
+# config: /etc/selinux/restorecond.conf 
+# pidfile: /var/run/restorecond.pid
+#
+# Return values according to LSB for all commands but status:
+# 0 - success
+# 1 - generic or unspecified error
+# 2 - invalid or excess argument(s)
+# 3 - unimplemented feature (e.g. "reload")
+# 4 - insufficient privilege
+# 5 - program is not installed
+# 6 - program is not configured
+# 7 - program is not running
+
+PATH=/sbin:/bin:/usr/bin:/usr/sbin
+
+[ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled || exit 7
+
+# Check that we are root ... so non-root users stop here
+test $EUID = 0  || exit 4
+
+test -x /usr/sbin/restorecond  || exit 5
+test -f /etc/selinux/restorecond.conf  || exit 6
+
+RETVAL=0
+
+start() 
+{
+	echo -n $"Starting restorecond: "
+	unset HOME MAIL USER USERNAME
+	/usr/sbin/restorecond 
+	RETVAL=$?
+	touch /var/lock/subsys/restorecond
+	echo
+	return $RETVAL
+}
+
+stop() 
+{
+	echo -n $"Shutting down restorecond: "
+	killproc restorecond
+	RETVAL=$?
+	rm -f  /var/lock/subsys/restorecond
+	echo
+	return $RETVAL
+}
+
+restart() 
+{
+	stop
+	start
+}
+
+# See how we were called.
+case "$1" in
+  start)
+	start
+	;;
+  stop)
+	stop
+	;;
+  status)
+	status restorecond
+	RETVAL=$?
+	;;
+  force-reload|restart|reload)
+	restart
+	;;
+  condrestart)
+	[ -e /var/lock/subsys/restorecond ] && restart || :
+	;;
+  *)
+	echo $"Usage: $0 {start|stop|restart|force-reload|status|condrestart}"
+	RETVAL=3
+esac
+
+exit $RETVAL
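Review bot: The script declares `#!/bin/sh` but relies on bash features and Red Hat init helpers that are never sourced: `test $EUID = 0` (EUID is set by bash; where it is unset the unquoted test becomes `test = 0`, fails, and the script exits 4 even for root), the `$"..."` strings, and the `killproc` and `status` functions. Suggest `[ "$(id -u)" = 0 ]` for the privilege check, plain quoted strings, and stop/status handling that does not need those helpers. In start(), the lock file is touched even when restorecond failed to start, so a later condrestart acts on a daemon that never ran; create it only when RETVAL is 0.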
diff --git a/package/policycoreutils/policycoreutils-0001-cross-compile-fixes.patch b/package/policycoreutils/policycoreutils-0001-cross-compile-fixes.patch
new file mode 100644
index 0000000..8f47907
--- /dev/null
+++ b/package/policycoreutils/policycoreutils-0001-cross-compile-fixes.patch
@@ -0,0 +1,332 @@
+Patch to enable cross compile build and install.
+
+Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
+
+diff -urN a/audit2allow/Makefile b/audit2allow/Makefile
+--- a/audit2allow/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/audit2allow/Makefile	2013-08-23 09:16:21.282917254 -0500
+@@ -3,7 +3,7 @@
+ BINDIR ?= $(PREFIX)/bin
+ LIBDIR ?= $(PREFIX)/lib
+ MANDIR ?= $(PREFIX)/share/man
+-LOCALEDIR ?= /usr/share/locale
++LOCALEDIR ?= $(DESTDIR)/usr/share/locale
+ 
+ all: ;
+ 
+diff -urN a/load_policy/Makefile b/load_policy/Makefile
+--- a/load_policy/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/load_policy/Makefile	2013-08-23 09:16:21.282917254 -0500
+@@ -3,7 +3,7 @@
+ SBINDIR ?= $(DESTDIR)/sbin
+ USRSBINDIR ?= $(PREFIX)/sbin
+ MANDIR ?= $(PREFIX)/share/man
+-LOCALEDIR ?= /usr/share/locale
++LOCALEDIR ?= $(DESTDIR)/usr/share/locale
+ 
+ CFLAGS ?= -Werror -Wall -W
+ override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+diff -urN a/Makefile b/Makefile
+--- a/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/Makefile	2013-08-23 09:16:21.292985286 -0500
+@@ -1,8 +1,8 @@
+ SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui
+ 
+-INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
++INOTIFYH = $(shell ls $(DESTDIR)/usr/include/sys/inotify.h 2>/dev/null)
+ 
+-ifeq (${INOTIFYH}, /usr/include/sys/inotify.h)
++ifeq (${INOTIFYH}, $(DESTDIR)/usr/include/sys/inotify.h)
+ 	SUBDIRS += restorecond
+ endif
+ 
+diff -urN a/mcstrans/src/Makefile b/mcstrans/src/Makefile
+--- a/mcstrans/src/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/mcstrans/src/Makefile	2013-08-23 09:41:18.782916946 -0500
+@@ -1,22 +1,8 @@
+-ARCH = $(shell uname -i)
+-ifeq "$(ARCH)" "x86_64"
+-	# In case of 64 bit system, use these lines
+-	LIBDIR=/usr/lib64
+-else 
+-ifeq "$(ARCH)" "i686"
+-	# In case of 32 bit system, use these lines
+-	LIBDIR=/usr/lib
+-else
+-ifeq "$(ARCH)" "i386"
+-	# In case of 32 bit system, use these lines
+-	LIBDIR=/usr/lib
+-endif
+-endif
+-endif
+ # Installation directories.
+ PREFIX  ?= $(DESTDIR)/usr
+-SBINDIR ?= $(DESTDIR)/sbin
+-INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
++LIBDIR  ?= $(PREFIX)/lib
++SBINDIR ?= $(PREFIX)/sbin
++INITDIR ?= $(DESTDIR)/etc/init.d
+ 
+ PROG_SRC=mcstrans.c  mcscolor.c  mcstransd.c  mls_level.c
+ PROG_OBJS= $(patsubst %.c,%.o,$(PROG_SRC))
+@@ -40,5 +26,5 @@
+ 	install -m 755 $(INITSCRIPT).init $(INITDIR)/$(INITSCRIPT)
+ 
+ clean: 
+-	-rm -f $(OBJS) $(LOBJS) $(TARGET) $(PROG) $(PROG_OBJS) *~ \#*
++	-rm -f $(PROG) $(PROG_OBJS) *.o *~ \#*
+ 
+diff -urN a/mcstrans/utils/Makefile b/mcstrans/utils/Makefile
+--- a/mcstrans/utils/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/mcstrans/utils/Makefile	2013-08-23 09:16:21.292985286 -0500
+@@ -1,24 +1,8 @@
+ # Installation directories.
+ PREFIX ?= $(DESTDIR)/usr
++LIBDIR  ?= $(PREFIX)/lib
+ BINDIR ?= $(PREFIX)/sbin
+ 
+-ARCH = $(shell uname -i)
+-ifeq "$(ARCH)" "x86_64"
+-        # In case of 64 bit system, use these lines
+-        LIBDIR=/usr/lib64
+-else
+-ifeq "$(ARCH)" "i686"
+-        # In case of 32 bit system, use these lines
+-        LIBDIR=/usr/lib
+-else
+-ifeq "$(ARCH)" "i386"
+-        # In case of 32 bit system, use these lines
+-        LIBDIR=/usr/lib
+-endif
+-endif
+-endif
+-
+-
+ CFLAGS ?= -Wall
+ override CFLAGS += -I../src -D_GNU_SOURCE
+ LDLIBS += -L../src ../src/mcstrans.o ../src/mls_level.o -lselinux -lpcre $(LIBDIR)/libsepol.a
+diff -urN a/newrole/Makefile b/newrole/Makefile
+--- a/newrole/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/newrole/Makefile	2013-08-23 09:16:21.292985286 -0500
+@@ -3,9 +3,9 @@
+ BINDIR ?= $(PREFIX)/bin
+ MANDIR ?= $(PREFIX)/share/man
+ ETCDIR ?= $(DESTDIR)/etc
+-LOCALEDIR = /usr/share/locale
+-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
+-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
++LOCALEDIR = $(DESTDIR)/usr/share/locale
++PAMH = $(shell ls $(DESTDIR)/usr/include/security/pam_appl.h 2>/dev/null)
++AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
+ # Enable capabilities to permit newrole to generate audit records.
+ # This will make newrole a setuid root program.
+ # The capabilities used are: CAP_AUDIT_WRITE.
+@@ -24,7 +24,7 @@
+ EXTRA_OBJS =
+ override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+ LDLIBS += -lselinux -L$(PREFIX)/lib
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
+ 	override CFLAGS += -DUSE_PAM
+ 	EXTRA_OBJS += hashtab.o
+ 	LDLIBS += -lpam -lpam_misc
+@@ -32,7 +32,7 @@
+ 	override CFLAGS += -D_XOPEN_SOURCE=500
+ 	LDLIBS += -lcrypt
+ endif
+-ifeq ($(AUDITH), /usr/include/libaudit.h)
++ifeq ($(AUDITH), $(DESTDIR)/usr/include/libaudit.h)
+ 	override CFLAGS += -DUSE_AUDIT
+ 	LDLIBS += -laudit
+ endif
+@@ -66,7 +66,7 @@
+ 	test -d $(MANDIR)/man1 || install -m 755 -d $(MANDIR)/man1
+ 	install -m $(MODE) newrole $(BINDIR)
+ 	install -m 644 newrole.1 $(MANDIR)/man1/
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
+ 	test -d $(ETCDIR)/pam.d || install -m 755 -d $(ETCDIR)/pam.d
+ ifeq ($(LSPP_PRIV),y)
+ 	install -m 644 newrole-lspp.pamd $(ETCDIR)/pam.d/newrole
+diff -urN a/restorecond/Makefile b/restorecond/Makefile
+--- a/restorecond/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/restorecond/Makefile	2013-08-23 09:16:21.292985286 -0500
+@@ -2,24 +2,29 @@
+ PREFIX ?= $(DESTDIR)/usr
+ SBINDIR ?= $(PREFIX)/sbin
+ LIBDIR ?= $(PREFIX)/lib
+-MANDIR = $(PREFIX)/share/man
++MANDIR ?= $(PREFIX)/share/man
+ AUTOSTARTDIR = $(DESTDIR)/etc/xdg/autostart
+ DBUSSERVICEDIR = $(DESTDIR)/usr/share/dbus-1/services
+ 
+ autostart_DATA = sealertauto.desktop
+-INITDIR = $(DESTDIR)/etc/rc.d/init.d
++INITDIR = $(DESTDIR)/etc/init.d
+ SELINUXDIR = $(DESTDIR)/etc/selinux
+ 
+-DBUSFLAGS = -DHAVE_DBUS -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/lib/dbus-1.0/include
++DBUSFLAGS = -DHAVE_DBUS -I$(PREFIX)/include/dbus-1.0 -I$(PREFIX)/lib64/dbus-1.0/include \
++		-I$(PREFIX)/lib/dbus-1.0/include
+ DBUSLIB = -ldbus-glib-1 -ldbus-1
+ 
+ CFLAGS ?= -g -Werror -Wall -W
+-override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/lib/glib-2.0/include
++override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I$(PREFIX)/include/glib-2.0 \
++		-I$(PREFIX)/lib64/glib-2.0/include -I$(PREFIX)/lib/glib-2.0/include
+ 
+ LDLIBS += -lselinux $(DBUSLIB) -lglib-2.0 -L$(LIBDIR)
+ 
+ all: restorecond
+ 
++%.o: %.c
++	$(CC) $(CFLAGS) -c -o $@ $<
++
+ restorecond.o utmpwatcher.o stringslist.o user.o watch.o: restorecond.h
+ 
+ restorecond:  ../setfiles/restore.o restorecond.o utmpwatcher.o stringslist.o user.o watch.o
+diff -urN a/run_init/Makefile b/run_init/Makefile
+--- a/run_init/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/run_init/Makefile	2013-08-23 09:16:21.292985286 -0500
+@@ -4,21 +4,21 @@
+ SBINDIR ?= $(PREFIX)/sbin
+ MANDIR ?= $(PREFIX)/share/man
+ ETCDIR ?= $(DESTDIR)/etc
+-LOCALEDIR ?= /usr/share/locale
+-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
+-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
++LOCALEDIR ?= $(DESTDIR)/usr/share/locale
++PAMH = $(shell ls $(DESTDIR)/usr/include/security/pam_appl.h 2>/dev/null)
++AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
+ 
+ CFLAGS ?= -Werror -Wall -W
+ override CFLAGS += -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+ LDLIBS += -lselinux -L$(PREFIX)/lib
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
+ 	override CFLAGS += -DUSE_PAM
+ 	LDLIBS += -lpam -lpam_misc
+ else
+ 	override CFLAGS += -D_XOPEN_SOURCE=500
+ 	LDLIBS += -lcrypt
+ endif
+-ifeq ($(AUDITH), /usr/include/libaudit.h)
++ifeq ($(AUDITH), $(DESTDIR)/usr/include/libaudit.h)
+ 	override CFLAGS += -DUSE_AUDIT
+ 	LDLIBS += -laudit
+ endif
+@@ -38,7 +38,7 @@
+ 	install -m 755 open_init_pty $(SBINDIR)
+ 	install -m 644 run_init.8 $(MANDIR)/man8/
+ 	install -m 644 open_init_pty.8 $(MANDIR)/man8/
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(DESTDIR)/usr/include/security/pam_appl.h)
+ 	install -m 644 run_init.pamd $(ETCDIR)/pam.d/run_init
+ endif
+ 
+diff -urN a/semodule/Makefile b/semodule/Makefile
+--- a/semodule/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/semodule/Makefile	2013-08-23 09:16:21.302924109 -0500
+@@ -2,7 +2,7 @@
+ PREFIX ?= $(DESTDIR)/usr
+ INCLUDEDIR ?= $(PREFIX)/include
+ SBINDIR ?= $(PREFIX)/sbin
+-MANDIR = $(PREFIX)/share/man
++MANDIR ?= $(PREFIX)/share/man
+ LIBDIR ?= $(PREFIX)/lib
+ 
+ CFLAGS ?= -Werror -Wall -W
+diff -urN a/sepolicy/Makefile b/sepolicy/Makefile
+--- a/sepolicy/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/sepolicy/Makefile	2013-08-23 09:16:21.302924109 -0500
+@@ -5,25 +5,32 @@
+ BINDIR ?= $(PREFIX)/bin
+ SBINDIR ?= $(PREFIX)/sbin
+ MANDIR ?= $(PREFIX)/share/man
+-LOCALEDIR ?= /usr/share/locale
++LOCALEDIR ?= $(DESTDIR)/usr/share/locale
+ PYTHON ?= /usr/bin/python
+ BASHCOMPLETIONDIR ?= $(DESTDIR)/etc/bash_completion.d/
+ SHAREDIR ?= $(PREFIX)/share/sandbox
+-override CFLAGS = $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
++override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
+ 
+ BASHCOMPLETIONS=sepolicy-bash-completion.sh 
+ 
++PYTHON_ARGS = LDSHARED="$(CC) -shared" \
++		CROSS_COMPILING=yes              \
++		_python_sysroot=$(DESTDIR)       \
++		_python_srcdir=$(PYTHON_SRC)     \
++		_python_prefix=/usr              \
++		_python_exec_prefix=/usr
++
+ all: python-build
+ 
+ python-build: info.c search.c common.h policy.h policy.c
+-	$(PYTHON) setup.py build
++	$(PYTHON_ARGS) $(PYTHON) setup.py build
+ 
+ clean:
+ 	$(PYTHON) setup.py clean
+ 	-rm -rf build *~ \#* *pyc .#*
+ 
+ install:
+-	$(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
++	$(PYTHON_ARGS) $(PYTHON) setup.py install --prefix=$(PREFIX)
+ 	[ -d $(BINDIR) ] || mkdir -p $(BINDIR)
+ 	install -m 755 sepolicy.py $(BINDIR)/sepolicy
+ 	-mkdir -p $(MANDIR)/man8
+diff -urN a/sestatus/Makefile b/sestatus/Makefile
+--- a/sestatus/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/sestatus/Makefile	2013-08-23 09:16:21.302924109 -0500
+@@ -1,11 +1,11 @@
+ # Installation directories.
+ PREFIX ?= $(DESTDIR)/usr
+ SBINDIR ?= $(PREFIX)/sbin
+-MANDIR = $(PREFIX)/share/man
++MANDIR ?= $(PREFIX)/share/man
+ ETCDIR ?= $(DESTDIR)/etc
+ LIBDIR ?= $(PREFIX)/lib
+ 
+-CFLAGS = -Werror -Wall -W
++CFLAGS ?= -Werror -Wall -W
+ override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
+ LDLIBS = -lselinux -L$(LIBDIR)
+ 
+diff -urN a/setfiles/Makefile b/setfiles/Makefile
+--- a/setfiles/Makefile	2013-02-05 19:43:22.000000000 -0600
++++ b/setfiles/Makefile	2013-08-23 09:16:21.302924109 -0500
+@@ -1,24 +1,27 @@
+ # Installation directories.
+ PREFIX ?= $(DESTDIR)/usr
+ SBINDIR ?= $(DESTDIR)/sbin
+-MANDIR = $(PREFIX)/share/man
++MANDIR ?= $(PREFIX)/share/man
+ LIBDIR ?= $(PREFIX)/lib
+-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
++AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
+ 
+-PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S '{ print $$3 }')
+-ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
++PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk '{ print $$3 }')
++ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk '{ print $$3 }')
+ 
+-CFLAGS = -g -Werror -Wall -W
++CFLAGS ?= -g -Werror -Wall -W
+ override CFLAGS += -I$(PREFIX)/include
+ LDLIBS = -lselinux -lsepol -L$(LIBDIR)
+ 
+-ifeq ($(AUDITH), /usr/include/libaudit.h)
++ifeq ($(AUDITH), $(DESTDIR)/usr/include/libaudit.h)
+ 	override CFLAGS += -DUSE_AUDIT
+ 	LDLIBS += -laudit
+ endif
+ 
+ all: setfiles restorecon man
+ 
++%.o: %.c
++	$(CC) $(CFLAGS) -c -o $@ $<
++
+ setfiles:  setfiles.o restore.o
+ 
+ restorecon: setfiles
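Review bot: Prefixing LOCALEDIR with $(DESTDIR) changes more than the install location: load_policy, newrole and run_init pass it as `-DLOCALEDIR="\"$(LOCALEDIR)\""`, and policycoreutils.mk builds with DESTDIR="$(STAGING_DIR)", so the build machine's staging path is compiled into the target binaries as the runtime message-catalogue directory. Keep `/usr/share/locale` for the define and apply $(DESTDIR) only in the install rules. The `ls $(DESTDIR)/usr/include/...` probes for PAM and audit are likewise evaluated against the staging directory at build time and the target directory at install time, so the PAMH-guarded pam.d install steps depend on headers being present in the target directory. The header tag is also missing its colon (`Signed-off-by:`).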
diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
new file mode 100644
index 0000000..67d1d25
--- /dev/null
+++ b/package/policycoreutils/policycoreutils.mk
@@ -0,0 +1,231 @@
+################################################################################
+#
+# policycoreutils
+#
+################################################################################
+
+POLICYCOREUTILS_VERSION = 2.1.14
+POLICYCOREUTILS_SITE = http://userspace.selinuxproject.org/releases/20130423/
+POLICYCOREUTILS_LICENSE = GPLv2
+POLICYCOREUTILS_LICENSE_FILES = COPYING
+
+POLICYCOREUTILS_DEPENDENCIES = libsemanage libcap-ng
+
+ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
+	POLICYCOREUTILS_DEPENDENCIES += linux-pam
+	POLICYCOREUTILS_DEBUGGING_MAKE_OPTS += NAMESPACE_PRIV=y
+endif
+
+ifeq ($(BR2_PACKAGE_AUDIT),y)
+	POLICYCOREUTILS_DEPENDENCIES += audit
+	POLICYCOREUTILS_DEBUGGING_MAKE_OPTS += AUDIT_LOG_PRIV=y
+endif
+
+# Enable LSPP_PRIV if both audit and linux pam are enabled
+ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
+ifeq ($(BR2_PACKAGE_AUDIT),y)
+	POLICYCOREUTILS_DEBUGGING_MAKE_OPTS += LSPP_PRIV=y
+endif
+endif
+
+# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h 
+# large file support.
+# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more information
+POLICYCOREUTILS_MAKE_OPTS = \
+	$(TARGET_CONFIGURE_OPTS) \
+	CFLAGS+="-U_FILE_OFFSET_BITS"
+
+ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_POLICY_DEBUGGING),y)
+
+POLICYCOREUTILS_DEPENDENCIES += python host-python sepolgen setools
+
+POLICYCOREUTILS_DEBUGGING_MAKE_OPTS = $(TARGET_CONFIGURE_OPTS) \
+	PYTHON="$(HOST_DIR)/usr/bin/python" \
+	PYLIBVER="python$(PYTHON_VERSION_MAJOR)" \
+	PYTHON_SRC="$(BUILD_DIR)/python$(PYTHON_VERSION)"
+
+define POLICYCOREUTILS_DEBUGGING_BUILD_CMDS
+	$(MAKE) -C $(@D)/audit2allow $(POLICYCOREUTILS_DEBUGGING_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/audit2why $(POLICYCOREUTILS_DEBUGGING_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/scripts $(POLICYCOREUTILS_DEBUGGING_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/semanage $(POLICYCOREUTILS_DEBUGGING_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/sepolicy $(POLICYCOREUTILS_DEBUGGING_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+endef
+
+define POLICYCOREUTILS_DEBUGGING_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D)/audit2allow $(POLICYCOREUTILS_DEBUGGING_MAKE_OPTS) \
+		DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/audit2why $(POLICYCOREUTILS_DEBUGGING_MAKE_OPTS) \
+		DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/scripts $(POLICYCOREUTILS_DEBUGGING_MAKE_OPTS) \
+		DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/semanage $(POLICYCOREUTILS_DEBUGGING_MAKE_OPTS) \
+		DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/sepolicy $(POLICYCOREUTILS_DEBUGGING_MAKE_OPTS) \
+		DESTDIR="$(TARGET_DIR)" install
+endef
+
+endif # End of BR2_PACKAGE_POLICYCOREUTILS_POLICY_DEBUGGING
+
+ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND),y)
+
+POLICYCOREUTILS_DEPENDENCIES += dbus-glib
+
+define POLICYCOREUTILS_RESTORECOND_BUILD_CMDS
+	$(MAKE) -C $(@D)/restorecond $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+endef
+
+define POLICYCOREUTILS_RESTORECOND_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D)/restorecond $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(TARGET_DIR)" install
+	rm $(TARGET_DIR)/etc/init.d/restorecond
+endef
+
+define POLICYCOREUTILS_RESTORECOND_INSTALL_INIT_SYSV
+	$(INSTALL) -m 0755 package/policycoreutils/S15restorecond \
+		$(TARGET_DIR)/etc/init.d/
+endef
+
+endif # End of BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND
+
+ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_MCSTRANS),y)
+
+POLICYCOREUTILS_DEPENDENCIES += pcre libcap
+
+define POLICYCOREUTILS_MCSTRANS_BUILD_CMDS
+	$(MAKE) -C $(@D)/mcstrans $(TARGET_CONFIGURE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+endef
+
+define POLICYCOREUTILS_MCSTRANS_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D)/mcstrans $(TARGET_CONFIGURE_OPTS) \
+		DESTDIR="$(TARGET_DIR)" install
+endef
+
+endif # End of BR2_PACKAGE_POLICYCOREUTILS_MCSTRANS
+
+ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_SANDBOX),y)
+
+POLICYCOREUTILS_DEPENDENCIES += libcgroup
+
+define POLICYCOREUTILS_SANDBOX_BUILD_CMDS
+	$(MAKE) -C $(@D)/sandbox $(TARGET_CONFIGURE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+endef
+
+define POLICYCOREUTILS_SANDBOX_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D)/sandbox $(TARGET_CONFIGURE_OPTS) \
+		DESTDIR="$(TARGET_DIR)" install
+endef
+
+endif # End of BR2_PACKAGE_POLICYCOREUTILS_SANDBOX
+
+define POLICYCOREUTILS_BUILD_CMDS
+	$(MAKE) -C $(@D)/load_policy $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/newrole $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/run_init $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/secon $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/semodule $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/semodule_deps $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/semodule_expand $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/semodule_link $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/semodule_package $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/sepolgen-ifgen $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/sestatus $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/setfiles $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(MAKE) -C $(@D)/setsebool $(POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR="$(STAGING_DIR)" all
+	$(POLICYCOREUTILS_DEBUGGING_BUILD_CMDS)
+	$(POLICYCOREUTILS_RESTORECOND_BUILD_CMDS)
+	$(POLICYCOREUTILS_MCSTRANS_BUILD_CMDS)
+	$(POLICYCOREUTILS_SANDBOX_BUILD_CMDS)
+endef
+
+define POLICYCOREUTILS_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D)/load_policy      DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/newrole          DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/run_init         DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/secon            DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/semodule         DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/semodule_deps    DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/semodule_expand  DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/semodule_link    DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/semodule_package DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/sepolgen-ifgen   DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/sestatus         DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/setfiles         DESTDIR="$(TARGET_DIR)" install
+	$(MAKE) -C $(@D)/setsebool        DESTDIR="$(TARGET_DIR)" install
+	$(POLICYCOREUTILS_DEBUGGING_INSTALL_TARGET_CMDS)
+	$(POLICYCOREUTILS_RESTORECOND_INSTALL_TARGET_CMDS)
+	$(POLICYCOREUTILS_MCSTRANS_INSTALL_TARGET_CMDS)
+	$(POLICYCOREUTILS_SANDBOX_INSTALL_TARGET_CMDS)
+endef
+
+define POLICYCOREUTILS_INSTALL_INIT_SYSV
+	$(POLICYCOREUTILS_RESTORECOND_INSTALL_INIT_SYSV)
+endef
+
+HOST_POLICYCOREUTILS_DEPENDENCIES = host-libsemanage
+
+# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h 
+# large file support.
+# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more information
+HOST_POLICYCOREUTILS_MAKE_OPTS = \
+	$(HOST_CONFIGURE_OPTS) \
+	CFLAGS+="-U_FILE_OFFSET_BITS"
+
+# Note: We are only building the programs required by the refpolicy build
+define HOST_POLICYCOREUTILS_BUILD_CMDS
+	$(MAKE) -C $(@D)/semodule $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_package $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_link $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_expand $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_deps $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/load_policy $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/setfiles $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+endef
+
+define HOST_POLICYCOREUTILS_INSTALL_CMDS
+	$(MAKE) -C $(@D)/semodule install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_package install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_link install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_expand install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/semodule_deps install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/load_policy install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+	$(MAKE) -C $(@D)/setfiles install $(HOST_POLICYCOREUTILS_MAKE_OPTS) \
+		DESTDIR=$(HOST_DIR)
+endef
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
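Review bot: The NAMESPACE_PRIV=y, AUDIT_LOG_PRIV=y and LSPP_PRIV=y settings appended to POLICYCOREUTILS_DEBUGGING_MAKE_OPTS near the top never take effect where they matter: the variable is reassigned with `=` inside the BR2_PACKAGE_POLICYCOREUTILS_POLICY_DEBUGGING block, which discards them, and it is only passed to audit2allow, audit2why, scripts, semanage and sepolicy, while newrole (whose Makefile tests LSPP_PRIV in the cross-compile patch) is built with POLICYCOREUTILS_MAKE_OPTS. Because the newrole Makefile comment quoted in that patch says enabling these capabilities makes newrole a setuid root program, the choice should be explicit: append the flags to POLICYCOREUTILS_MAKE_OPTS after its definition if they are wanted, or drop them. Also, POLICYCOREUTILS_INSTALL_TARGET_CMDS runs the install targets without POLICYCOREUTILS_MAKE_OPTS, and libcap-ng is an unconditional dependency here but is not selected in Config.in.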
-- 
1.7.1


* [Buildroot] [ PATCH v4 13/20] python-pyxml: new package
  2013-12-12 18:27 [Buildroot] [ PATCH v4 00/20] SELinux Buildroot Additions Clayton Shotwell
                   ` (11 preceding siblings ...)
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 12/20] policycoreutils: " Clayton Shotwell
@ 2013-12-12 18:27 ` Clayton Shotwell
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 14/20] refpolicy: " Clayton Shotwell
                   ` (6 subsequent siblings)
  19 siblings, 0 replies; 27+ messages in thread
From: Clayton Shotwell @ 2013-12-12 18:27 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---

This package will also have to change with the new Python
infrastructure proposed by Thomas P.

Changes v3 -> v4:
  - Correcting the download path (suggested by Thomas).
  - Removed the clean commands.
Changes v2 -> v3:
  - No changes.
Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format.
---
 package/Config.in                  |    1 +
 package/python-pyxml/Config.in     |   11 ++++++++
 package/python-pyxml/python-xml.mk |   50 ++++++++++++++++++++++++++++++++++++
 3 files changed, 62 insertions(+), 0 deletions(-)
 create mode 100644 package/python-pyxml/Config.in
 create mode 100644 package/python-pyxml/python-xml.mk

diff --git a/package/Config.in b/package/Config.in
index d69d106..8adf9ec 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -399,6 +399,7 @@ source "package/python-protobuf/Config.in"
 source "package/python-pygame/Config.in"
 source "package/python-pyparsing/Config.in"
 source "package/python-pyro/Config.in"
+source "package/python-pyxml/Config.in"
 source "package/python-pyzmq/Config.in"
 source "package/python-serial/Config.in"
 source "package/python-setuptools/Config.in"
diff --git a/package/python-pyxml/Config.in b/package/python-pyxml/Config.in
new file mode 100644
index 0000000..420f3ad
--- /dev/null
+++ b/package/python-pyxml/Config.in
@@ -0,0 +1,11 @@
+config BR2_PACKAGE_PYTHON_PYXML
+	bool "python-pyxml"
+	depends on BR2_PACKAGE_PYTHON
+	help
+	  This is the Python XML package.  The distribution contains a
+	  validating XML parser, an implementation of the SAX and DOM
+	  programming interfaces, an interface to the Expat parser (and the
+	  Expat parser itself), and a C helper module that can speed up
+	  xmllib.py by a factor of 5.  There's even documentation!
+
+	  http://pyxml.sourceforge.net/topics/index.html
diff --git a/package/python-pyxml/python-xml.mk b/package/python-pyxml/python-xml.mk
new file mode 100644
index 0000000..bdf6a71
--- /dev/null
+++ b/package/python-pyxml/python-xml.mk
@@ -0,0 +1,50 @@
+################################################################################
+#
+# python-pyxml
+#
+################################################################################
+
+PYTHON_PYXML_VERSION = 0.8.4
+PYTHON_PYXML_SOURCE  = PyXML-$(PYTHON_PYXML_VERSION).tar.gz
+PYTHON_PYXML_SITE    = http://downloads.sourceforge.net/project/pyxml/pyxml/0.8.4/
+PYTHON_PYXML_LICENSE = BSD-3c
+PYTHON_PYXML_LICENSE_FILES = LICENSE
+
+PYTHON_PYXML_DEPENDENCIES = host-python python expat
+
+PYTHON_PYXML_INSTALL_STAGING = NO
+
+define PYTHON_PYXML_BUILD_CMDS
+	(cd $(@D); \
+		CC="$(TARGET_CC)" \
+		CFLAGS="$(TARGET_CFLAGS) -I$(STAGING_DIR)/usr/include" \
+		LDSHARED="$(TARGET_CC) -shared" \
+		LDFLAGS="$(TARGET_LDFLAGS) -L$(STAGING_DIR)/lib -L$(STAGING_DIR)/usr/lib" \
+		$(HOST_DIR)/usr/bin/python setup.py build_ext \
+		--include-dirs=$(STAGING_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR) \
+		--with-libexpat=$(STAGING_DIR)/usr \
+	)
+	(cd $(@D); $(HOST_DIR)/usr/bin/python setup.py build)
+endef
+
+define PYTHON_PYXML_INSTALL_STAGING_CMDS
+	(cd $(@D); $(HOST_DIR)/usr/bin/python setup.py install --prefix=$(STAGING_DIR)/usr)
+endef
+
+define PYTHON_PYXML_INSTALL_TARGET_CMDS
+	(cd $(@D); $(HOST_DIR)/usr/bin/python setup.py install --prefix=$(TARGET_DIR)/usr)
+endef
+
+HOST_PYTHON_PYXML_DEPENDENCIES = host-python
+
+define HOST_PYTHON_PYXML_BUILD_CMDS
+	(cd $(@D); $(HOST_DIR)/usr/bin/python setup.py build_ext --with-libexpat=$(HOST_DIR)/usr)
+	(cd $(@D); $(HOST_DIR)/usr/bin/python setup.py build)
+endef
+
+define HOST_PYTHON_PYXML_INSTALL_CMDS
+	(cd $(@D); $(HOST_DIR)/usr/bin/python setup.py install --prefix=$(HOST_DIR)/usr)
+endef
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
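
Review bot: The new makefile is created as package/python-pyxml/python-xml.mk, which matches neither the package directory nor the PYTHON_PYXML_ variable prefix; rename it to python-pyxml.mk so the file name, directory and prefix agree. In the same file, PYTHON_PYXML_INSTALL_STAGING = NO means PYTHON_PYXML_INSTALL_STAGING_CMDS is never run, so either remove that block or set the variable to YES if something needs the module in staging. PYTHON_PYXML_SITE hard-codes 0.8.4 instead of using $(PYTHON_PYXML_VERSION), so a version bump would keep pointing at the old directory, and the tarball is fetched over plain http with no integrity check visible in this patch.
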
-- 
1.7.1

* [Buildroot] [ PATCH v4 14/20] refpolicy: new package
  2013-12-12 18:27 [Buildroot] [ PATCH v4 00/20] SELinux Buildroot Additions Clayton Shotwell
                   ` (12 preceding siblings ...)
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 13/20] python-pyxml: " Clayton Shotwell
@ 2013-12-12 18:27 ` Clayton Shotwell
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 15/20] shadow: " Clayton Shotwell
                   ` (5 subsequent siblings)
  19 siblings, 0 replies; 27+ messages in thread
From: Clayton Shotwell @ 2013-12-12 18:27 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v3 -> v4:
  - Added a dependency on host-gawk and corrected the awk calls
    in the makefile to use $(AWK)
  - Changed the default policy name to br_policy to differentiate
    the policy generated from refpolicy.
  - Added an install step to create a /.autorelabel file to cause
    the file system to be relabeled by the S12SELinux init script.
  - Adding a default modules.conf file with an option to specify
    a different one. This will decrease the build time for
    refpolicy by removing unused policies. (implemented by
    Thomas).
  - Cleaned up the configure comments (implemented by Thomas).
  - Added a check to only install the documentation if the
    Buildroot option is enabled.
  - Removed the build because the install step completes the
    same process. Also removed the clean step because it is
    being removed globally from buildroot (implemented by
    Thomas).
  - Added more error handling to the startup script to print
    a warning if SELinux fails to install the policy if it
    exists. This can be caused by the kernel not being configured
    with SELinux enabled.
Changes v2 -> v3:
  - Changed patch naming convention (suggested by Thomas).
  - Added dependencies on BR2_TOOLCHAIN_HAS_THREADS and
    BR2_LARGEFILE (suggested by Thomas).
  - Removed configure option for a specific patch folder
    (suggested by Thomas).
  - Removed distribution configuration option (suggested by Thomas).
  - Changed the monolithic configuration option to a modular
    configuration option (suggested by Thomas).
  - Removed the refpolicy name option (suggested by Thomas).
  - Corrected grammatical and comment errors (suggested by Thomas).
  - Multiple style corrections to the mk file (suggested by Thomas).
  - Added a comment to clarify the usage of the host build
    options for a target build.
Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format.
  - Fixed the patch naming to match the standard 4 digit numbering.
  - Changed package dependencies into selects in the config.
---
 package/Config.in                                  |    1 +
 package/refpolicy/Config.in                        |   72 ++
 package/refpolicy/S12selinux                       |  137 +++
 package/refpolicy/config                           |    8 +
 package/refpolicy/modules.conf                     |  406 +++++++
 .../refpolicy-0001-gentoo-hardened-fixes.patch     | 1250 ++++++++++++++++++++
 package/refpolicy/refpolicy-0002-awk-fix.patch     |   37 +
 package/refpolicy/refpolicy.mk                     |   82 ++
 8 files changed, 1993 insertions(+), 0 deletions(-)
 create mode 100644 package/refpolicy/Config.in
 create mode 100644 package/refpolicy/S12selinux
 create mode 100755 package/refpolicy/config
 create mode 100644 package/refpolicy/modules.conf
 create mode 100644 package/refpolicy/refpolicy-0001-gentoo-hardened-fixes.patch
 create mode 100644 package/refpolicy/refpolicy-0002-awk-fix.patch
 create mode 100644 package/refpolicy/refpolicy.mk

diff --git a/package/Config.in b/package/Config.in
index 8adf9ec..343927d 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -940,6 +940,7 @@ endmenu
 
 menu "Security"
 source "package/policycoreutils/Config.in"
+source "package/refpolicy/Config.in"
 source "package/sepolgen/Config.in"
 source "package/setools/Config.in"
 endmenu
diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
new file mode 100644
index 0000000..64e5831
--- /dev/null
+++ b/package/refpolicy/Config.in
@@ -0,0 +1,72 @@
+config BR2_PACKAGE_REFPOLICY
+	bool "refpolicy"
+	select BR2_PACKAGE_POLICYCOREUTILS
+	depends on BR2_TOOLCHAIN_HAS_THREADS # policycoreutils
+	depends on BR2_LARGEFILE # policycoreutils
+	depends on BR2_ENABLE_LOCALE # policycoreutils
+	depends on BR2_USE_WCHAR # policycoreutils
+	depends on BR2_TOOLCHAIN_USES_GLIBC # policycoreutils
+	help
+	  The SELinux Reference Policy project (refpolicy) is a
+	  complete SELinux policy that can be used as the system
+	  policy for a variety of systems and used as the basis
+	  for creating other policies. Reference Policy was originally
+	  based on the NSA example policy, but aims to accomplish
+	  many additional goals.
+
+	  The current refpolicy does not fully support Buildroot
+	  and needs modifications to work with the default system
+	  file layout.  These changes should be added as patches to
+	  the refpolicy that modify a single SELinux policy.
+
+comment "refpolicy needs a toolchain w/ wchar, locale, threads, largefile, glibc"
+	depends on !BR2_TOOLCHAIN_HAS_THREADS || !BR2_LARGEFILE \
+		|| !BR2_ENABLE_LOCALE || !BR2_USE_WCHAR \
+		|| !BR2_TOOLCHAIN_USES_GLIBC
+
+if BR2_PACKAGE_REFPOLICY
+
+choice
+	prompt "SELinux policy type"
+	default BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
+
+	config BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
+		bool "Standard"
+		help
+		  Standard SELinux policy
+
+	config BR2_PACKAGE_REFPOLICY_TYPE_MCS
+		bool "MCS"
+		help
+		  SELinux policy with multi-catagory support
+
+	config BR2_PACKAGE_REFPOLICY_TYPE_MLS
+		bool "MLS"
+		help
+		  SELinux policy with multi-catagory and multi-level support
+endchoice
+
+config BR2_PACKAGE_REFPOLICY_TYPE
+	string
+	default "standard" if BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
+	default "mcs" if BR2_PACKAGE_REFPOLICY_TYPE_MCS
+	default "mls" if BR2_PACKAGE_REFPOLICY_TYPE_MLS
+
+config BR2_PACKAGE_REFPOLICY_MODULES_FILE
+	string
+	default "package/refpolicy/modules.conf"
+	help
+	  Location of a custom modules.conf file that lists the
+	  SELinux policy modules to be included in the compiled
+	  policy. See policy/modules.conf in the refpolicy sources for
+	  the complete list of available modules.
+
+config BR2_PACKAGE_REFPOLICY_MODULAR
+	bool "Build a modular SELinux policy"
+	help
+	  Select Y to build a modular SELinux policy. By default,
+	  a monolithing policy will be built to save space on the
+	  target. A modular policy can also be built if policies
+	  need to be modified without reloading the target.
+
+endif
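
Review bot: BR2_PACKAGE_REFPOLICY_MODULES_FILE is declared as a bare "string" with no prompt text, so it never shows up in menuconfig and the custom modules.conf described in its help cannot actually be selected by a user; give the symbol a prompt. The help texts also need a spelling pass: "multi-catagory" appears in the MCS and MLS entries and "monolithing" in BR2_PACKAGE_REFPOLICY_MODULAR. The last sentence of the MODULAR help ("without reloading the target") does not say clearly what a modular policy buys the user and should be reworded.
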
diff --git a/package/refpolicy/S12selinux b/package/refpolicy/S12selinux
new file mode 100644
index 0000000..f570bd3
--- /dev/null
+++ b/package/refpolicy/S12selinux
@@ -0,0 +1,137 @@
+#!/bin/sh
+################################################################################
+#
+# This file labels the security contexts of memory based filesystems such as
+# /dev/ and checks for auto relabel request if '/.autorelabel' file exists.
+# The 'stop' argument drops the security mode to 'permissive'.
+#
+# This script is a heavily stripped down and modified version of the one used
+# in CentOS 6.2
+#
+################################################################################
+
+# Get SELinux config env vars
+. /etc/selinux/config || failed "Failed to source the SELinux config"
+
+failed()
+{
+   echo $1
+   exit 1
+}
+
+setup_selinux() {
+   # Create required directories
+   mkdir -p /etc/selinux/${SELINUXTYPE}/policy/ || 
+         failed "Failed to create the policy folder"
+   mkdir -p /etc/selinux/${SELINUXTYPE}/modules/active/modules || \
+         failed "Failed to create the modules folder"
+   if [ ! -f /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local ]
+   then
+      touch /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local || \
+            failed "Failed to create the file_contexts.local file"
+   fi
+   
+   # Install modules
+   semodule -v -s ${SELINUXTYPE} -b /usr/share/selinux/${SELINUXTYPE}/base.pp \
+         -i $(ls /usr/share/selinux/${SELINUXTYPE}/*.pp | grep -v base) || \
+         failed "Failed to install the base policy"
+   
+   # Load the policy to activate it
+   load_policy -i || failed "Failed to load the SELinux policy"
+}
+
+relabel_selinux() {
+   # if /sbin/init is not labeled correctly this process is running in the
+   # wrong context, so a reboot will be required after relabel
+   AUTORELABEL=
+
+   # Switch to Permissive mode
+   echo "0" > /selinux/enforce || failed "Failed to disable enforcing mode"
+
+   echo
+   echo "*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
+   echo "*** Relabeling could take a very long time, depending on file"
+   echo "*** system size and speed of hard drives."
+
+   # Relabel mount points
+   restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) \
+         >/dev/null 2>&1 || failed "Failed to relabel the mount points"
+   
+   # Relabel file system
+   echo "Relabeling file systems"
+   restorecon -R -F / || failed "Failed to relabel the file system"
+
+   # Remove label
+   rm -f  /.autorelabel || failed "Failed to remove the autorelabel flag"
+   
+   # Reboot to activate relabeled file system
+   echo "Automatic reboot in progress."
+   reboot -f
+}
+
+start() {
+   echo -n "Initializing SELinux: "
+
+   # Check to see if the default policy has been installed
+   if [ "`sestatus | grep "SELinux status" | grep enabled`" == "" ]; then
+      if [ ! -f /etc/selinux/${SELINUXTYPE}/policy/policy.* ]
+      then
+         setup_selinux
+      else
+         echo "SELinux policy install failed. Check kernel and init config"
+         exit 1
+      fi
+   fi
+
+   # Check SELinux status
+   SELINUX_STATE=
+   if [ -e "/selinux/enforce" ] && [ "$(cat /proc/self/attr/current)" != "kernel" ]; then
+      if [ -r "/selinux/enforce" ] ; then
+         SELINUX_STATE=$(cat "/selinux/enforce")
+      else
+         # assume enforcing if you can't read it
+         SELINUX_STATE=1
+      fi
+   fi
+
+   # Context Label /dev/
+   if [ -n "$SELINUX_STATE" -a -x /sbin/restorecon ] && fgrep " /dev " /proc/mounts >/dev/null 2>&1 ; then
+      /sbin/restorecon -R -F /dev 2>/dev/null
+   fi
+
+   # Context Label tmpfs mounts
+   if [ -n "$SELINUX_STATE" -a -x /sbin/restorecon ]; then
+      /sbin/restorecon -R -F $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// && $3 =="tmpfs" { print $2 }' /etc/fstab) >/dev/null 2>&1
+   fi
+
+   # Clean up SELinux labels
+   if [ -n "$SELINUX_STATE" -a -x /sbin/restorecon ]; then
+      restorecon -F /etc/mtab /etc/ld.so.cache /etc/resolv.conf >/dev/null 2>&1
+   fi
+
+   # Check for filesystem relabel request
+   if [ -f /.autorelabel ] ; then
+      relabel_selinux
+   fi
+
+   echo "OK"
+}  
+stop() {
+   # There is nothing to do
+   echo "OK" 
+}
+
+case "$1" in
+   start)
+      start
+      ;;
+   stop)
+      stop
+      ;;
+   *)
+      echo "Usage: $0 {start|stop}"
+      exit 1
+      ;;
+esac
+
+exit $?
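
Review bot: At the top of the script, the line that sources /etc/selinux/config falls back to failed "Failed to source the SELinux config", but failed() is only defined a few lines later, so the error handler cannot run as written; move the function definition above the source line. In start(), the test [ ! -f /etc/selinux/${SELINUXTYPE}/policy/policy.* ] errors out when the glob matches more than one file, and == inside [ ] is not POSIX sh, so use = and check the glob with a loop. The header comment says the 'stop' argument drops the mode to permissive, yet stop() only prints OK; fix one or the other. Every failure path here ends in exit 1 from an init script, which lets boot continue with no policy loaded, and relabel_selinux writes 0 to /selinux/enforce before relabeling; if failing open is intended, say so in the header comment.
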
diff --git a/package/refpolicy/config b/package/refpolicy/config
new file mode 100755
index 0000000..5eee807
--- /dev/null
+++ b/package/refpolicy/config
@@ -0,0 +1,8 @@
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+#     enforcing - SELinux security policy is enforced.
+#     permissive - SELinux prints warnings instead of enforcing.
+#     disabled - No SELinux policy is loaded.
+SELINUX=permissive
+# SELINUXTYPE= name of the selinux policy to use
+SELINUXTYPE=refpolicy
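
Review bot: The file header creates package/refpolicy/config with mode 100755 while the init script S12selinux in this same patch is created 100644, which looks swapped: the config file is only sourced and should not be executable, and the init script is the one that needs the execute bit. SELINUXTYPE=refpolicy also disagrees with the v4 changelog entry that renames the default policy to br_policy; if refpolicy.mk rewrites this value at install time, note that in a comment here, otherwise S12selinux will look under /etc/selinux/refpolicy. Shipping SELINUX=permissive as the default means the image logs denials without enforcing them, which deserves a sentence in the Config.in help.
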
diff --git a/package/refpolicy/modules.conf b/package/refpolicy/modules.conf
new file mode 100644
index 0000000..58282d8
--- /dev/null
+++ b/package/refpolicy/modules.conf
@@ -0,0 +1,406 @@
+#
+# This file contains a listing of available modules.
+# To prevent a module from  being used in policy
+# creation, set the module name to "off".
+#
+# For monolithic policies, modules set to "base" and "module"
+# will be built into the policy.
+#
+# For modular policies, modules set to "base" will be
+# included in the base module.  "module" will be compiled
+# as individual loadable modules.
+#
+
+# Layer: kernel
+# Module: corecommands
+# Required in base
+#
+# Core policy for shells, and generic programs
+# in /bin, /sbin, /usr/bin, and /usr/sbin.
+#
+corecommands = base
+
+# Layer: kernel
+# Module: corenetwork
+# Required in base
+#
+# Policy controlling access to network objects
+#
+corenetwork = base
+
+# Layer: kernel
+# Module: devices
+# Required in base
+#
+# Device nodes and interfaces for many basic system devices.
+#
+devices = base
+
+# Layer: kernel
+# Module: domain
+# Required in base
+#
+# Core policy for domains.
+#
+domain = base
+
+# Layer: kernel
+# Module: files
+# Required in base
+#
+# Basic filesystem types and interfaces.
+#
+files = base
+
+# Layer: kernel
+# Module: filesystem
+# Required in base
+#
+# Policy for filesystems.
+#
+filesystem = base
+
+# Layer: kernel
+# Module: kernel
+# Required in base
+#
+# Policy for kernel threads, proc filesystem,
+# and unlabeled processes and objects.
+#
+kernel = base
+
+# Layer: kernel
+# Module: mcs
+# Required in base
+#
+# Multicategory security policy
+#
+mcs = base
+
+# Layer: kernel
+# Module: mls
+# Required in base
+#
+# Multilevel security policy
+#
+mls = base
+
+# Layer: kernel
+# Module: selinux
+# Required in base
+#
+# Policy for kernel security interface, in particular, selinuxfs.
+#
+selinux = base
+
+# Layer: kernel
+# Module: terminal
+# Required in base
+#
+# Policy for terminals.
+#
+terminal = base
+
+# Layer: kernel
+# Module: ubac
+# Required in base
+#
+# User-based access control policy
+#
+ubac = base
+
+# Layer: admin
+# Module: bootloader
+#
+# Policy for the kernel modules, kernel image, and bootloader.
+#
+bootloader = module
+
+# Layer: admin
+# Module: consoletype
+#
+# Determine of the console connected to the controlling terminal.
+#
+consoletype = module
+
+# Layer: admin
+# Module: dmesg
+#
+# Policy for dmesg.
+#
+dmesg = module
+
+# Layer: admin
+# Module: netutils
+#
+# Network analysis utilities
+#
+netutils = module
+
+# Layer: admin
+# Module: su
+#
+# Run shells with substitute user and group
+#
+su = module
+
+# Layer: admin
+# Module: sudo
+#
+# Execute a command with a substitute user
+#
+sudo = module
+
+# Layer: admin
+# Module: usermanage
+#
+# Policy for managing user accounts.
+#
+usermanage = module
+
+# Layer: apps
+# Module: seunshare
+#
+# Filesystem namespacing/polyinstantiation application.
+#
+seunshare = module
+
+# Layer: kernel
+# Module: storage
+#
+# Policy controlling access to storage devices
+#
+storage = module
+
+# Layer: roles
+# Module: auditadm
+#
+# Audit administrator role
+#
+auditadm = module
+
+# Layer: roles
+# Module: logadm
+#
+# Log administrator role
+#
+logadm = module
+
+# Layer: roles
+# Module: secadm
+#
+# Security administrator role
+#
+secadm = module
+
+# Layer: roles
+# Module: staff
+#
+# Administrator's unprivileged user role
+#
+staff = module
+
+# Layer: roles
+# Module: sysadm
+#
+# General system administration role
+#
+sysadm = module
+
+# Layer: roles
+# Module: unprivuser
+#
+# Generic unprivileged user role
+#
+unprivuser = module
+
+# Layer: services
+# Module: postgresql
+#
+# PostgreSQL relational database
+#
+postgresql = module
+
+# Layer: services
+# Module: ssh
+#
+# Secure shell client and server policy.
+#
+ssh = module
+
+# Layer: services
+# Module: xserver
+#
+# X Windows Server
+#
+xserver = module
+
+# Layer: system
+# Module: application
+#
+# Policy for user executable applications.
+#
+application = module
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+#
+authlogin = module
+
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+#
+clock = module
+
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+#
+fstools = module
+
+# Layer: system
+# Module: getty
+#
+# Policy for getty.
+#
+getty = module
+
+# Layer: system
+# Module: hostname
+#
+# Policy for changing the system host name.
+#
+hostname = module
+
+# Layer: system
+# Module: hotplug
+#
+# Policy for hotplug system, for supporting the
+# connection and disconnection of devices at runtime.
+#
+hotplug = module
+
+# Layer: system
+# Module: init
+#
+# System initialization programs (init and init scripts).
+#
+init = module
+
+# Layer: system
+# Module: ipsec
+#
+# TCP/IP encryption
+#
+ipsec = module
+
+# Layer: system
+# Module: iptables
+#
+# Policy for iptables.
+#
+iptables = module
+
+# Layer: system
+# Module: libraries
+#
+# Policy for system libraries.
+#
+libraries = module
+
+# Layer: system
+# Module: locallogin
+#
+# Policy for local logins.
+#
+locallogin = module
+
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+#
+logging = module
+
+# Layer: system
+# Module: lvm
+#
+# Policy for logical volume management programs.
+#
+lvm = module
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+#
+miscfiles = module
+
+# Layer: system
+# Module: modutils
+#
+# Policy for kernel module utilities
+#
+modutils = module
+
+# Layer: system
+# Module: mount
+#
+# Policy for mount.
+#
+mount = module
+
+# Layer: system
+# Module: netlabel
+#
+# NetLabel/CIPSO labeled networking management
+#
+netlabel = module
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+#
+selinuxutil = module
+
+# Layer: system
+# Module: setrans
+#
+# SELinux MLS/MCS label translation service.
+#
+setrans = module
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+#
+sysnetwork = module
+
+# Layer: system
+# Module: udev
+#
+# Policy for udev.
+#
+udev = module
+
+# Layer: system
+# Module: unconfined
+#
+# The unconfined domain.
+#
+unconfined = module
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+#
+userdomain = module
+
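
Review bot: For a default list whose stated purpose in the changelog is to drop unused policies, the entries postgresql = module, xserver = module and unconfined = module near the end of the file stand out. The first two are unlikely to be needed on a minimal Buildroot target and cost build time, and enabling the unconfined domain by default weakens what the policy confines; set these to off in the default file, or add a comment explaining why each is required. Nothing in the file is set to off, so the comment block at the top describing that value is currently the only place a user learns it exists.
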
diff --git a/package/refpolicy/refpolicy-0001-gentoo-hardened-fixes.patch b/package/refpolicy/refpolicy-0001-gentoo-hardened-fixes.patch
new file mode 100644
index 0000000..c1c398f
--- /dev/null
+++ b/package/refpolicy/refpolicy-0001-gentoo-hardened-fixes.patch
@@ -0,0 +1,1250 @@
+From: Dominick Grift <dominick.grift@gmail.com>
+Date: Fri, 16 Aug 2013 07:07:37 +0000 (+0200)
+Subject: Fix monolithic built
+X-Git-Url: http://git.overlays.gentoo.org/gitweb/?p=proj%2Fhardened-refpolicy.git;a=commitdiff_plain;h=86500de7
+
+Fix monolithic built
+
+Make unconfined_cronjob_t declaration mandatory, because else monolithic
+built fails due to duplicate declaration
+
+Deprecate kerberos_keytab_template:
+
+Keytab type declarations have to be mandatory, because else monolithic
+built fails due to out-of-scope
+
+This keytab solution does not make sense in its current implementation,
+as many corresponding file context specs are missing, and there are no
+type transtion rules
+
+Replaced two deprecated interface calls
+
+Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
+---
+
+diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
+index a1d1131..655cbe1 100644
+--- a/policy/modules/contrib/apache.if
++++ b/policy/modules/contrib/apache.if
+@@ -1203,9 +1203,9 @@ interface(`apache_admin',`
+ 		attribute httpd_script_domains, httpd_htaccess_type;
+ 		type httpd_t, httpd_config_t, httpd_log_t;
+ 		type httpd_modules_t, httpd_lock_t, httpd_helper_t;
+-		type httpd_var_run_t, httpd_keytab_t, httpd_passwd_t;
++		type httpd_var_run_t, httpd_passwd_t, httpd_suexec_t;
+ 		type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t;
+-		type httpd_initrc_exec_t, httpd_suexec_t;
++		type httpd_initrc_exec_t, httpd_keytab_t;
+ 	')
+ 
+ 	allow $1 { httpd_script_domains httpd_t httpd_helper_t }:process { ptrace signal_perms };
+@@ -1222,7 +1222,7 @@ interface(`apache_admin',`
+ 	miscfiles_manage_public_files($1)
+ 
+ 	files_search_etc($1)
+-	admin_pattern($1, { httpd_config_t httpd_keytab_t })
++	admin_pattern($1, { httpd_keytab_t httpd_config_t })
+ 
+ 	logging_search_logs($1)
+ 	admin_pattern($1, httpd_log_t)
+diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
+index 0da7cc3..99bb9b5 100644
+--- a/policy/modules/contrib/apache.te
++++ b/policy/modules/contrib/apache.te
+@@ -1,4 +1,4 @@
+-policy_module(apache, 2.7.0)
++policy_module(apache, 2.7.1)
+ 
+ ########################################
+ #
+@@ -283,6 +283,9 @@ role httpd_helper_roles types httpd_helper_t;
+ type httpd_initrc_exec_t;
+ init_script_file(httpd_initrc_exec_t)
+ 
++type httpd_keytab_t;
++files_type(httpd_keytab_t)
++
+ type httpd_lock_t;
+ files_lock_file(httpd_lock_t)
+ 
+@@ -391,6 +394,8 @@ allow httpd_t httpd_config_t:dir list_dir_perms;
+ read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
+ read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
+ 
++allow httpd_t httpd_keytab_t:file read_file_perms;
++
+ allow httpd_t httpd_lock_t:file manage_file_perms;
+ files_lock_filetrans(httpd_t, httpd_lock_t, file)
+ 
+@@ -781,10 +786,11 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(httpd, httpd_t)
+ 	kerberos_manage_host_rcache(httpd_t)
++	kerberos_read_keytab(httpd_t)
+ 	kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_23")
+ 	kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_48")
++	kerberos_use(httpd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/automount.if b/policy/modules/contrib/automount.if
+index 089430a..f24e369 100644
+--- a/policy/modules/contrib/automount.if
++++ b/policy/modules/contrib/automount.if
+@@ -153,6 +153,7 @@ interface(`automount_admin',`
+ 	gen_require(`
+ 		type automount_t, automount_lock_t, automount_tmp_t;
+ 		type automount_var_run_t, automount_initrc_exec_t;
++		type automount_keytab_t;
+ 	')
+ 
+ 	allow $1 automount_t:process { ptrace signal_perms };
+@@ -163,6 +164,9 @@ interface(`automount_admin',`
+ 	role_transition $2 automount_initrc_exec_t system_r;
+ 	allow $2 system_r;
+ 
++	files_list_etc($1)
++	admin_pattern($1, automount_keytab_t)
++
+ 	files_list_var($1)
+ 	admin_pattern($1, automount_lock_t)
+ 
+diff --git a/policy/modules/contrib/automount.te b/policy/modules/contrib/automount.te
+index d4e58ea..27d2f40 100644
+--- a/policy/modules/contrib/automount.te
++++ b/policy/modules/contrib/automount.te
+@@ -1,4 +1,4 @@
+-policy_module(automount, 1.14.0)
++policy_module(automount, 1.14.1)
+ 
+ ########################################
+ #
+@@ -12,8 +12,8 @@ init_daemon_domain(automount_t, automount_exec_t)
+ type automount_initrc_exec_t;
+ init_script_file(automount_initrc_exec_t)
+ 
+-type automount_var_run_t;
+-files_pid_file(automount_var_run_t)
++type automount_keytab_t;
++files_type(automount_keytab_t)
+ 
+ type automount_lock_t;
+ files_lock_file(automount_lock_t)
+@@ -22,6 +22,9 @@ type automount_tmp_t;
+ files_tmp_file(automount_tmp_t)
+ files_mountpoint(automount_tmp_t)
+ 
++type automount_var_run_t;
++files_pid_file(automount_var_run_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -36,6 +39,8 @@ allow automount_t self:rawip_socket create_socket_perms;
+ 
+ can_exec(automount_t, automount_exec_t)
+ 
++allow automount_t automount_keytab_t:file read_file_perms;
++
+ allow automount_t automount_lock_t:file manage_file_perms;
+ files_lock_filetrans(automount_t, automount_lock_t, file)
+ 
+@@ -143,8 +148,9 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(automount, automount_t)
+ 	kerberos_read_config(automount_t)
++	kerberos_read_keytab(automount_t)
++	kerberos_use(automount_t)
+ 	kerberos_dontaudit_write_config(automount_t)
+ ')
+ 
+diff --git a/policy/modules/contrib/bind.if b/policy/modules/contrib/bind.if
+index 866a1e2..531a8f2 100644
+--- a/policy/modules/contrib/bind.if
++++ b/policy/modules/contrib/bind.if
+@@ -364,6 +364,7 @@ interface(`bind_admin',`
+ 		type named_t, named_tmp_t, named_log_t;
+ 		type named_cache_t, named_zone_t, named_initrc_exec_t;
+ 		type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
++		type named_keytab_t;
+ 	')
+ 
+ 	allow $1 { named_t ndc_t }:process { ptrace signal_perms };
+@@ -381,7 +382,7 @@ interface(`bind_admin',`
+ 	admin_pattern($1, named_log_t)
+ 
+ 	files_list_etc($1)
+-	admin_pattern($1, named_conf_t)
++	admin_pattern($1, { named_keytab_t named_conf_t })
+ 
+ 	files_list_var($1)
+ 	admin_pattern($1, { dnssec_t named_cache_t named_zone_t })
+diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
+index b01e493..1241123 100644
+--- a/policy/modules/contrib/bind.te
++++ b/policy/modules/contrib/bind.te
+@@ -1,4 +1,4 @@
+-policy_module(bind, 1.13.0)
++policy_module(bind, 1.13.1)
+ 
+ ########################################
+ #
+@@ -44,6 +44,9 @@ files_type(named_cache_t)
+ type named_initrc_exec_t;
+ init_script_file(named_initrc_exec_t)
+ 
++type named_keytab_t;
++files_type(named_keytab_t)
++
+ type named_log_t;
+ logging_log_file(named_log_t)
+ 
+@@ -84,7 +87,7 @@ read_lnk_files_pattern(named_t, named_conf_t, named_conf_t)
+ manage_files_pattern(named_t, named_cache_t, named_cache_t)
+ manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
+ 
+-can_exec(named_t, named_exec_t)
++allow named_t named_keytab_t:file read_file_perms;
+ 
+ append_files_pattern(named_t, named_log_t, named_log_t)
+ create_files_pattern(named_t, named_log_t, named_log_t)
+@@ -100,6 +103,8 @@ manage_files_pattern(named_t, named_var_run_t, named_var_run_t)
+ manage_sock_files_pattern(named_t, named_var_run_t, named_var_run_t)
+ files_pid_filetrans(named_t, named_var_run_t, { dir file sock_file })
+ 
++can_exec(named_t, named_exec_t)
++
+ allow named_t named_zone_t:dir list_dir_perms;
+ read_files_pattern(named_t, named_zone_t, named_zone_t)
+ read_lnk_files_pattern(named_t, named_zone_t, named_zone_t)
+@@ -182,7 +187,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(named, named_t)
++	kerberos_read_keytab(named_t)
++	kerberos_use(named_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
+index d865049..41bb279 100644
+--- a/policy/modules/contrib/cron.te
++++ b/policy/modules/contrib/cron.te
+@@ -1,4 +1,4 @@
+-policy_module(cron, 2.6.0)
++policy_module(cron, 2.6.1)
+ 
+ gen_require(`
+ 	class passwd rootok;
+@@ -701,22 +701,22 @@ optional_policy(`
+ # Unconfined local policy
+ #
+ 
+-optional_policy(`
+-	type unconfined_cronjob_t;
+-	domain_type(unconfined_cronjob_t)
+-	domain_cron_exemption_target(unconfined_cronjob_t)
++type unconfined_cronjob_t;
++domain_type(unconfined_cronjob_t)
++domain_cron_exemption_target(unconfined_cronjob_t)
+ 
+-	dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
++dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
+ 
+-	unconfined_domain(unconfined_cronjob_t)
++tunable_policy(`cron_userdomain_transition',`
++	dontaudit crond_t unconfined_cronjob_t:process transition;
++	dontaudit crond_t unconfined_cronjob_t:fd use;
++	dontaudit crond_t unconfined_cronjob_t:key manage_key_perms;
++',`
++	allow crond_t unconfined_cronjob_t:process transition;
++	allow crond_t unconfined_cronjob_t:fd use;
++	allow crond_t unconfined_cronjob_t:key manage_key_perms;
++')
+ 
+-	tunable_policy(`cron_userdomain_transition',`
+-		dontaudit crond_t unconfined_cronjob_t:process transition;
+-		dontaudit crond_t unconfined_cronjob_t:fd use;
+-		dontaudit crond_t unconfined_cronjob_t:key manage_key_perms;
+-	',`
+-		allow crond_t unconfined_cronjob_t:process transition;
+-		allow crond_t unconfined_cronjob_t:fd use;
+-		allow crond_t unconfined_cronjob_t:key manage_key_perms;
+-	')
++optional_policy(`
++	unconfined_domain(unconfined_cronjob_t)
+ ')
+diff --git a/policy/modules/contrib/cvs.if b/policy/modules/contrib/cvs.if
+index 9fa7ffb..64775fd 100644
+--- a/policy/modules/contrib/cvs.if
++++ b/policy/modules/contrib/cvs.if
+@@ -59,7 +59,7 @@ interface(`cvs_exec',`
+ interface(`cvs_admin',`
+ 	gen_require(`
+ 		type cvs_t, cvs_tmp_t, cvs_initrc_exec_t;
+-		type cvs_data_t, cvs_var_run_t;
++		type cvs_data_t, cvs_var_run_t, cvs_keytab_t;
+ 	')
+ 
+ 	allow $1 cvs_t:process { ptrace signal_perms };
+@@ -70,6 +70,9 @@ interface(`cvs_admin',`
+ 	role_transition $2 cvs_initrc_exec_t system_r;
+ 	allow $2 system_r;
+ 
++	files_search_etc($1)
++	admin_pattern($1, cvs_keytab_t)
++
+ 	files_list_tmp($1)
+ 	admin_pattern($1, cvs_tmp_t)
+ 
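Review bot: The keytab block added to `cvs_admin` uses `files_search_etc($1)` ahead of `admin_pattern($1, cvs_keytab_t)`, whereas the equivalent blocks added to cyrus.if, sasl.if and sendmail.if in this same patch use `files_list_etc($1)`. Use one form for all the `*_admin` keytab additions, or say why search is sufficient here (exim.if has the same difference).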
+diff --git a/policy/modules/contrib/cvs.te b/policy/modules/contrib/cvs.te
+index 6c544e5..17df324 100644
+--- a/policy/modules/contrib/cvs.te
++++ b/policy/modules/contrib/cvs.te
+@@ -1,4 +1,4 @@
+-policy_module(cvs, 1.10.0)
++policy_module(cvs, 1.10.1)
+ 
+ ########################################
+ #
+@@ -24,6 +24,9 @@ files_type(cvs_data_t)
+ type cvs_initrc_exec_t;
+ init_script_file(cvs_initrc_exec_t)
+ 
++type cvs_keytab_t;
++files_type(cvs_keytab_t)
++
+ type cvs_tmp_t;
+ files_tmp_file(cvs_tmp_t)
+ 
+@@ -44,6 +47,8 @@ manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
+ manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
+ manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
+ 
++allow cvs_t cvs_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t)
+ manage_files_pattern(cvs_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(cvs_t, cvs_tmp_t, { dir file })
+@@ -87,8 +92,9 @@ tunable_policy(`allow_cvs_read_shadow',`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(cvs, cvs_t)
+ 	kerberos_read_config(cvs_t)
++	kerberos_read_keytab(cvs_t)
++	kerberos_use(cvs_t)
+ 	kerberos_dontaudit_write_config(cvs_t)
+ ')
+ 
+diff --git a/policy/modules/contrib/cyrus.if b/policy/modules/contrib/cyrus.if
+index 6508280..83bfda6 100644
+--- a/policy/modules/contrib/cyrus.if
++++ b/policy/modules/contrib/cyrus.if
+@@ -61,6 +61,7 @@ interface(`cyrus_admin',`
+ 	gen_require(`
+ 		type cyrus_t, cyrus_tmp_t, cyrus_var_lib_t;
+ 		type cyrus_var_run_t, cyrus_initrc_exec_t;
++		type cyrus_keytab_t;
+ 	')
+ 
+ 	allow $1 cyrus_t:process { ptrace signal_perms };
+@@ -71,6 +72,9 @@ interface(`cyrus_admin',`
+ 	role_transition $2 cyrus_initrc_exec_t system_r;
+ 	allow $2 system_r;
+ 
++	files_list_etc($1)
++	admin_pattern($1, cyrus_keytab_t)
++
+ 	files_list_tmp($1)
+ 	admin_pattern($1, cyrus_tmp_t)
+ 
+diff --git a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te
+index 0cef3ef..4283f2d 100644
+--- a/policy/modules/contrib/cyrus.te
++++ b/policy/modules/contrib/cyrus.te
+@@ -1,4 +1,4 @@
+-policy_module(cyrus, 1.13.0)
++policy_module(cyrus, 1.13.1)
+ 
+ ########################################
+ #
+@@ -12,6 +12,9 @@ init_daemon_domain(cyrus_t, cyrus_exec_t)
+ type cyrus_initrc_exec_t;
+ init_script_file(cyrus_initrc_exec_t)
+ 
++type cyrus_keytab_t;
++files_type(cyrus_keytab_t)
++
+ type cyrus_tmp_t;
+ files_tmp_file(cyrus_tmp_t)
+ 
+@@ -41,6 +44,8 @@ allow cyrus_t self:unix_dgram_socket sendto;
+ allow cyrus_t self:unix_stream_socket { accept connectto listen };
+ allow cyrus_t self:tcp_socket { accept listen };
+ 
++allow cyrus_t cyrus_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t)
+ manage_files_pattern(cyrus_t, cyrus_tmp_t, cyrus_tmp_t)
+ files_tmp_filetrans(cyrus_t, cyrus_tmp_t, { dir file })
+@@ -116,7 +121,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(cyrus, cyrus_t)
++	kerberos_read_keytab(cyrus_t)
++	kerberos_use(cyrus_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/dovecot.if b/policy/modules/contrib/dovecot.if
+index dbcac59..d5badb7 100644
+--- a/policy/modules/contrib/dovecot.if
++++ b/policy/modules/contrib/dovecot.if
+@@ -143,6 +143,7 @@ interface(`dovecot_admin',`
+ 		type dovecot_spool_t, dovecot_var_lib_t, dovecot_initrc_exec_t;
+ 		type dovecot_var_run_t, dovecot_cert_t, dovecot_passwd_t;
+ 		type dovecot_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t;
++		type dovecot_keytab_t;
+ 	')
+ 
+ 	allow $1 dovecot_t:process { ptrace signal_perms };
+@@ -154,7 +155,7 @@ interface(`dovecot_admin',`
+ 	allow $2 system_r;
+ 
+ 	files_list_etc($1)
+-	admin_pattern($1, dovecot_etc_t)
++	admin_pattern($1, { dovecot_keytab_t dovecot_etc_t })
+ 
+ 	logging_list_logs($1)
+ 	admin_pattern($1, dovecot_var_log_t)
+diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
+index 3a6e733..0aabc7e 100644
+--- a/policy/modules/contrib/dovecot.te
++++ b/policy/modules/contrib/dovecot.te
+@@ -1,4 +1,4 @@
+-policy_module(dovecot, 1.16.0)
++policy_module(dovecot, 1.16.1)
+ 
+ ########################################
+ #
+@@ -38,6 +38,9 @@ files_config_file(dovecot_etc_t)
+ type dovecot_initrc_exec_t;
+ init_script_file(dovecot_initrc_exec_t)
+ 
++type dovecot_keytab_t;
++files_type(dovecot_keytab_t)
++
+ type dovecot_passwd_t;
+ files_type(dovecot_passwd_t)
+ 
+@@ -99,6 +102,8 @@ allow dovecot_t dovecot_cert_t:dir list_dir_perms;
+ allow dovecot_t dovecot_cert_t:file read_file_perms;
+ allow dovecot_t dovecot_cert_t:lnk_file read_lnk_file_perms;
+ 
++allow dovecot_t dovecot_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
+ manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
+ files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
+@@ -182,9 +187,10 @@ tunable_policy(`use_samba_home_dirs',`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(dovecot, dovecot_t)
+ 	kerberos_manage_host_rcache(dovecot_t)
++	kerberos_read_keytab(dovecot_t)
+ 	kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0")
++	kerberos_use(dovecot_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/exim.if b/policy/modules/contrib/exim.if
+index 6041113..94a8269 100644
+--- a/policy/modules/contrib/exim.if
++++ b/policy/modules/contrib/exim.if
+@@ -244,6 +244,7 @@ interface(`exim_admin',`
+ 	gen_require(`
+ 		type exim_t, exim_spool_t, exim_log_t;
+ 		type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t;
++		type exim_keytab_t;
+ 	')
+ 
+ 	allow $1 exim_t:process { ptrace signal_perms };
+@@ -254,6 +255,9 @@ interface(`exim_admin',`
+ 	role_transition $2 exim_initrc_exec_t system_r;
+ 	allow $2 system_r;
+ 
++	files_search_etc($1)
++	admin_pattern($1, exim_keytab_t)
++
+ 	files_search_spool($1)
+ 	admin_pattern($1, exim_spool_t)
+ 
+diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
+index c9c04ee..7e8cf42 100644
+--- a/policy/modules/contrib/exim.te
++++ b/policy/modules/contrib/exim.te
+@@ -1,4 +1,4 @@
+-policy_module(exim, 1.6.0)
++policy_module(exim, 1.6.1)
+ 
+ ########################################
+ #
+@@ -45,6 +45,9 @@ mta_agent_executable(exim_exec_t)
+ type exim_initrc_exec_t;
+ init_script_file(exim_initrc_exec_t)
+ 
++type exim_keytab_t;
++files_type(exim_keytab_t)
++
+ type exim_log_t;
+ logging_log_file(exim_log_t)
+ 
+@@ -68,6 +71,8 @@ allow exim_t self:fifo_file rw_fifo_file_perms;
+ allow exim_t self:unix_stream_socket { accept listen };
+ allow exim_t self:tcp_socket { accept listen };
+ 
++allow exim_t exim_keytab_t:file read_file_perms;
++
+ append_files_pattern(exim_t, exim_log_t, exim_log_t)
+ create_files_pattern(exim_t, exim_log_t, exim_log_t)
+ setattr_files_pattern(exim_t, exim_log_t, exim_log_t)
+@@ -188,7 +193,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(exim, exim_t)
++	kerberos_read_keytab(exim_t)
++	kerberos_use(exim_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/ftp.if b/policy/modules/contrib/ftp.if
+index d062080..4498143 100644
+--- a/policy/modules/contrib/ftp.if
++++ b/policy/modules/contrib/ftp.if
+@@ -176,6 +176,7 @@ interface(`ftp_admin',`
+ 		type ftpd_etc_t, ftpd_lock_t, sftpd_t;
+ 		type ftpd_var_run_t, xferlog_t, anon_sftpd_t;
+ 		type ftpd_initrc_exec_t, ftpdctl_tmp_t;
++		type ftpd_keytab_t;
+ 	')
+ 
+ 	allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms };
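Review bot: The context line `allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms };` closing this hunk names `anon_sftpd`, but the `gen_require` block that the hunk extends with `ftpd_keytab_t` declares `anon_sftpd_t`. The hunk does not introduce the mismatch, but since `ftp_admin` is being edited anyway the missing `_t` should be corrected in the same pass.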
+@@ -192,7 +193,7 @@ interface(`ftp_admin',`
+ 	admin_pattern($1, { ftpd_tmp_t ftpdctl_tmp_t })
+ 
+ 	files_list_etc($1)
+-	admin_pattern($1, ftpd_etc_t)
++	admin_pattern($1, { ftpd_etc_t ftpd_keytab_t })
+ 
+ 	files_list_var($1)
+ 	admin_pattern($1, ftpd_lock_t)
+diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
+index 544c512..36838c2 100644
+--- a/policy/modules/contrib/ftp.te
++++ b/policy/modules/contrib/ftp.te
+@@ -1,4 +1,4 @@
+-policy_module(ftp, 1.15.0)
++policy_module(ftp, 1.15.1)
+ 
+ ########################################
+ #
+@@ -124,6 +124,9 @@ files_config_file(ftpd_etc_t)
+ type ftpd_initrc_exec_t;
+ init_script_file(ftpd_initrc_exec_t)
+ 
++type ftpd_keytab_t;
++files_type(ftpd_keytab_t)
++
+ type ftpd_lock_t;
+ files_lock_file(ftpd_lock_t)
+ 
+@@ -176,6 +179,8 @@ allow ftpd_t self:key manage_key_perms;
+ 
+ allow ftpd_t ftpd_etc_t:file read_file_perms;
+ 
++allow ftpd_t ftpd_keytab_t:file read_file_perms;
++
+ allow ftpd_t ftpd_lock_t:file manage_file_perms;
+ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
+ 
+@@ -359,8 +364,9 @@ optional_policy(`
+ optional_policy(`
+ 	selinux_validate_context(ftpd_t)
+ 
+-	kerberos_keytab_template(ftpd, ftpd_t)
++	kerberos_read_keytab(ftpd_t)
+ 	kerberos_tmp_filetrans_host_rcache(ftpd_t, file, "host_0")
++	kerberos_use(ftpd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if
+index f9de9fc..f6c00d8 100644
+--- a/policy/modules/contrib/kerberos.if
++++ b/policy/modules/contrib/kerberos.if
+@@ -354,22 +354,7 @@ interface(`kerberos_etc_filetrans_keytab',`
+ ## </param>
+ #
+ template(`kerberos_keytab_template',`
+-
+-	########################################
+-	#
+-	# Declarations
+-	#
+-
+-	type $1_keytab_t;
+-	files_type($1_keytab_t)
+-
+-	########################################
+-	#
+-	# Policy
+-	#
+-
+-	allow $2 $1_keytab_t:file read_file_perms;
+-
++	refpolicywarn(`$0($*) has been deprecated.')
+ 	kerberos_read_keytab($2)
+ 	kerberos_use($2)
+ ')
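Review bot: After this hunk `kerberos_keytab_template` no longer declares `$1_keytab_t` or emits `allow $2 $1_keytab_t:file read_file_perms;`, yet the `refpolicywarn` text only says the template is deprecated. A caller not converted by this patch would get the warning and then be left without its keytab type, so the message should say to declare the type in the calling module and call `kerberos_read_keytab` and `kerberos_use` directly, and the parameter documentation above the template should be brought in line with the reduced body.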
+diff --git a/policy/modules/contrib/ldap.if b/policy/modules/contrib/ldap.if
+index de2508e..7f09b4a 100644
+--- a/policy/modules/contrib/ldap.if
++++ b/policy/modules/contrib/ldap.if
+@@ -116,7 +116,7 @@ interface(`ldap_admin',`
+ 		type slapd_t, slapd_tmp_t, slapd_replog_t;
+ 		type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
+ 		type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t;
+-		type slapd_db_t;
++		type slapd_db_t, slapd_keytab_t;
+ 	')
+ 
+ 	allow $1 slapd_t:process { ptrace signal_perms };
+@@ -128,7 +128,7 @@ interface(`ldap_admin',`
+ 	allow $2 system_r;
+ 
+ 	files_list_etc($1)
+-	admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t })
++	admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t })
+ 
+ 	files_list_locks($1)
+ 	admin_pattern($1, slapd_lock_t)
+diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
+index 71b00f8..131dc88 100644
+--- a/policy/modules/contrib/ldap.te
++++ b/policy/modules/contrib/ldap.te
+@@ -1,4 +1,4 @@
+-policy_module(ldap, 1.11.0)
++policy_module(ldap, 1.11.1)
+ 
+ ########################################
+ #
+@@ -21,6 +21,9 @@ files_config_file(slapd_etc_t)
+ type slapd_initrc_exec_t;
+ init_script_file(slapd_initrc_exec_t)
+ 
++type slapd_keytab_t;
++files_type(slapd_keytab_t)
++
+ type slapd_lock_t;
+ files_lock_file(slapd_lock_t)
+ 
+@@ -60,6 +63,8 @@ manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
+ 
+ allow slapd_t slapd_etc_t:file read_file_perms;
+ 
++allow slapd_t slapd_keytab_t:file read_file_perms;
++
+ allow slapd_t slapd_lock_t:file manage_file_perms;
+ files_lock_filetrans(slapd_t, slapd_lock_t, file)
+ 
+@@ -131,11 +136,12 @@ ifdef(`distro_gentoo',`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(slapd, slapd_t)
+ 	kerberos_manage_host_rcache(slapd_t)
++	kerberos_read_keytab(slapd_t)
+ 	kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldapmap1_0")
+ 	kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_487")
+ 	kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_55")
++	kerberos_use(slapd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/postfix.if b/policy/modules/contrib/postfix.if
+index 6e26d71..8e7d1e7 100644
+--- a/policy/modules/contrib/postfix.if
++++ b/policy/modules/contrib/postfix.if
+@@ -714,6 +714,7 @@ interface(`postfix_admin',`
+ 		type postfix_initrc_exec_t, postfix_prng_t, postfix_etc_t;
+ 		type postfix_data_t, postfix_var_run_t, postfix_public_t;
+ 		type postfix_private_t, postfix_map_tmp_t, postfix_exec_t;
++		type postfix_keytab_t;
+ 	')
+ 
+ 	allow $1 postfix_domain:process { ptrace signal_perms };
+@@ -725,7 +726,7 @@ interface(`postfix_admin',`
+ 	allow $2 system_r;
+ 
+ 	files_search_etc($1)
+-	admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t })
++	admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t postfix_keytab_t })
+ 
+ 	files_search_spool($1)
+ 	admin_pattern($1, { postfix_public_t postfix_private_t postfix_spool_type })
+diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
+index 0cb7938..dd7259f 100644
+--- a/policy/modules/contrib/postfix.te
++++ b/policy/modules/contrib/postfix.te
+@@ -1,4 +1,4 @@
+-policy_module(postfix, 1.15.0)
++policy_module(postfix, 1.15.1)
+ 
+ ########################################
+ #
+@@ -36,6 +36,9 @@ files_config_file(postfix_etc_t)
+ type postfix_exec_t;
+ application_executable_file(postfix_exec_t)
+ 
++type postfix_keytab_t;
++files_type(postfix_keytab_t)
++
+ postfix_server_domain_template(local)
+ mta_mailserver_delivery(postfix_local_t)
+ 
+@@ -209,6 +212,8 @@ allow postfix_master_t postfix_etc_t:file rw_file_perms;
+ allow postfix_master_t postfix_data_t:dir manage_dir_perms;
+ allow postfix_master_t postfix_data_t:file manage_file_perms;
+ 
++allow postfix_master_t postfix_keytab_t:file read_file_perms;
++
+ allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
+ 
+ allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms;
+@@ -314,7 +319,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(postfix, postfix_t)
++	kerberos_read_keytab(postfix_master_t)
++	kerberos_use(postfix_master_t)
+ ')
+ 
+ optional_policy(`
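Review bot: In the last postfix.te hunk the removed call is `kerberos_keytab_template(postfix, postfix_t)` but the replacements, like the new `allow postfix_master_t postfix_keytab_t:file read_file_perms;` rule earlier in the file, target `postfix_master_t`, so this is not the mechanical substitution made in the other modules. Confirm that `postfix_master_t` is the only postfix domain that needs to read the keytab, and record the domain change in the description.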
+diff --git a/policy/modules/contrib/procmail.te b/policy/modules/contrib/procmail.te
+index fbbc398..cc426e6 100644
+--- a/policy/modules/contrib/procmail.te
++++ b/policy/modules/contrib/procmail.te
+@@ -1,4 +1,4 @@
+-policy_module(procmail, 1.13.0)
++policy_module(procmail, 1.13.1)
+ 
+ ########################################
+ #
+@@ -122,7 +122,7 @@ optional_policy(`
+ 	postfix_read_spool_files(procmail_t)
+ 	postfix_read_local_state(procmail_t)
+ 	postfix_read_master_state(procmail_t)
+-	postfix_rw_master_pipes(procmail_t)
++	postfix_rw_inherited_master_pipes(procmail_t)
+ ')
+ 
+ optional_policy(`
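Review bot: `postfix_rw_inherited_master_pipes(procmail_t)` replaces `postfix_rw_master_pipes(procmail_t)` here (and the same swap is made for `spamc_t` in spamassassin.te), but the postfix.if diff in this patch only touches `postfix_admin` and adds no interface of that name. Check that the 2.20130424 base already defines it, because otherwise the call is left unexpanded when the policy is built.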
+diff --git a/policy/modules/contrib/qmail.te b/policy/modules/contrib/qmail.te
+index 83cccf9..8742944 100644
+--- a/policy/modules/contrib/qmail.te
++++ b/policy/modules/contrib/qmail.te
+@@ -1,4 +1,4 @@
+-policy_module(qmail, 1.6.0)
++policy_module(qmail, 1.6.1)
+ 
+ ########################################
+ #
+@@ -42,6 +42,9 @@ qmail_child_domain_template(qmail_send, qmail_start_t)
+ qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)
+ qmail_child_domain_template(qmail_splogger, qmail_start_t)
+ 
++type qmail_keytab_t;
++files_type(qmail_keytab_t)
++
+ type qmail_spool_t;
+ files_type(qmail_spool_t)
+ 
+@@ -241,6 +244,8 @@ allow qmail_smtpd_t self:process signal_perms;
+ allow qmail_smtpd_t self:fifo_file write_fifo_file_perms;
+ allow qmail_smtpd_t self:tcp_socket create_socket_perms;
+ 
++allow qmail_smtpd_t qmail_keytab_t:file read_file_perms;
++
+ allow qmail_smtpd_t qmail_queue_exec_t:file read_file_perms;
+ 
+ dev_read_rand(qmail_smtpd_t)
+@@ -253,7 +258,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(qmail, qmail_smtpd_t)
++	kerberos_read_keytab(qmail_smtpd_t)
++	kerberos_use(qmail_smtpd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/rlogin.te b/policy/modules/contrib/rlogin.te
+index 20696cc..5916f81 100644
+--- a/policy/modules/contrib/rlogin.te
++++ b/policy/modules/contrib/rlogin.te
+@@ -1,4 +1,4 @@
+-policy_module(rlogin, 1.11.0)
++policy_module(rlogin, 1.11.1)
+ 
+ ########################################
+ #
+@@ -16,6 +16,9 @@ term_login_pty(rlogind_devpts_t)
+ type rlogind_home_t;
+ userdom_user_home_content(rlogind_home_t)
+ 
++type rlogind_keytab_t;
++files_type(rlogind_keytab_t)
++
+ type rlogind_tmp_t;
+ files_tmp_file(rlogind_tmp_t)
+ 
+@@ -37,6 +40,8 @@ term_create_pty(rlogind_t, rlogind_devpts_t)
+ 
+ allow rlogind_t rlogind_home_t:file read_file_perms;
+ 
++allow rlogind_t rlogind_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
+ manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
+ files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { dir file })
+@@ -98,9 +103,10 @@ tunable_policy(`use_samba_home_dirs',`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(rlogind, rlogind_t)
++	kerberos_read_keytab(rlogind_t)
+ 	kerberos_tmp_filetrans_host_rcache(rlogind_t, file, "host_0")
+ 	kerberos_manage_host_rcache(rlogind_t)
++	kerberos_use(rlogind_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/rpc.if b/policy/modules/contrib/rpc.if
+index 07f5eb0..157afd9 100644
+--- a/policy/modules/contrib/rpc.if
++++ b/policy/modules/contrib/rpc.if
+@@ -394,7 +394,7 @@ interface(`rpc_admin',`
+ 		attribute rpc_domain;
+ 		type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
+ 		type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
+-		type nfsd_ro_t, nfsd_rw_t;
++		type nfsd_ro_t, nfsd_rw_t, gssd_keytab_t;
+ 	')
+ 
+ 	allow $1 rpc_domain:process { ptrace signal_perms };
+@@ -406,7 +406,7 @@ interface(`rpc_admin',`
+  	allow $2 system_r;
+ 
+ 	files_list_etc($1)
+-	admin_pattern($1, exports_t)
++	admin_pattern($1, { gssd_keytab_t exports_t })
+ 
+ 	files_list_var_lib($1)
+ 	admin_pattern($1, var_lib_nfs_t)
+diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
+index 1e6b44d..a8de8bd 100644
+--- a/policy/modules/contrib/rpc.te
++++ b/policy/modules/contrib/rpc.te
+@@ -1,4 +1,4 @@
+-policy_module(rpc, 1.15.0)
++policy_module(rpc, 1.15.1)
+ 
+ ########################################
+ #
+@@ -30,6 +30,9 @@ files_config_file(exports_t)
+ 
+ rpc_domain_template(gssd)
+ 
++type gssd_keytab_t;
++files_type(gssd_keytab_t)
++
+ type gssd_tmp_t;
+ files_tmp_file(gssd_tmp_t)
+ 
+@@ -271,6 +274,8 @@ allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
+ allow gssd_t self:process { getsched setsched };
+ allow gssd_t self:fifo_file rw_fifo_file_perms;
+ 
++allow gssd_t gssd_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+ manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+ files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
+@@ -309,9 +314,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(gssd, gssd_t)
+ 	kerberos_manage_host_rcache(gssd_t)
++	kerberos_read_keytab(gssd_t)
+ 	kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
++	kerberos_use(gssd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/rshd.te b/policy/modules/contrib/rshd.te
+index 575e3e3..864e089 100644
+--- a/policy/modules/contrib/rshd.te
++++ b/policy/modules/contrib/rshd.te
+@@ -1,4 +1,4 @@
+-policy_module(rshd, 1.8.0)
++policy_module(rshd, 1.8.1)
+ 
+ ########################################
+ #
+@@ -10,6 +10,9 @@ type rshd_exec_t;
+ auth_login_pgm_domain(rshd_t)
+ inetd_tcp_service_domain(rshd_t, rshd_exec_t)
+ 
++type rshd_keytab_t;
++files_type(rshd_keytab_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -20,6 +23,8 @@ allow rshd_t self:process { signal_perms setsched setpgid setexec };
+ allow rshd_t self:fifo_file rw_fifo_file_perms;
+ allow rshd_t self:tcp_socket create_stream_socket_perms;
+ 
++allow rshd_t rshd_keytab_t:file read_file_perms;
++
+ kernel_read_kernel_sysctls(rshd_t)
+ 
+ corenet_all_recvfrom_unlabeled(rshd_t)
+@@ -54,9 +59,10 @@ tunable_policy(`use_samba_home_dirs',`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(rshd, rshd_t)
+ 	kerberos_manage_host_rcache(rshd_t)
++	kerberos_read_keytab(rshd_t)
+ 	kerberos_tmp_filetrans_host_rcache(rshd_t, file, "host_0")
++	kerberos_use(rshd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/samba.if b/policy/modules/contrib/samba.if
+index aee75af..50d07fb 100644
+--- a/policy/modules/contrib/samba.if
++++ b/policy/modules/contrib/samba.if
+@@ -689,6 +689,7 @@ interface(`samba_admin',`
+ 		type samba_etc_t, samba_share_t, samba_initrc_exec_t;
+ 		type swat_var_run_t, swat_tmp_t, winbind_log_t;
+ 		type winbind_var_run_t, winbind_tmp_t;
++		type smbd_keytab_t;
+ 	')
+ 
+ 	allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms };
+@@ -700,7 +701,7 @@ interface(`samba_admin',`
+ 	allow $2 system_r;
+ 
+ 	files_list_etc($1)
+-	admin_pattern($1, samba_etc_t)
++	admin_pattern($1, { samba_etc_t smbd_keytab_t })
+ 
+ 	logging_list_logs($1)
+ 	admin_pattern($1, { samba_log_t winbind_log_t })
+diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
+index 54b89a6..98daaef 100644
+--- a/policy/modules/contrib/samba.te
++++ b/policy/modules/contrib/samba.te
+@@ -1,4 +1,4 @@
+-policy_module(samba, 1.16.0)
++policy_module(samba, 1.16.1)
+ 
+ #################################
+ #
+@@ -142,6 +142,9 @@ type smbd_t;
+ type smbd_exec_t;
+ init_daemon_domain(smbd_t, smbd_exec_t)
+ 
++type smbd_keytab_t;
++files_type(smbd_keytab_t)
++
+ type smbd_tmp_t;
+ files_tmp_file(smbd_tmp_t)
+ 
+@@ -271,6 +274,8 @@ allow smbd_t { swat_t winbind_t smbcontrol_t nmbd_t }:process { signal signull }
+ 
+ allow smbd_t samba_etc_t:file { rw_file_perms setattr_file_perms };
+ 
++allow smbd_t smbd_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t)
+ append_files_pattern(smbd_t, samba_log_t, samba_log_t)
+ create_files_pattern(smbd_t, samba_log_t, samba_log_t)
+@@ -468,8 +473,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	kerberos_read_keytab(smbd_t)
+ 	kerberos_use(smbd_t)
+-	kerberos_keytab_template(smbd, smbd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/sasl.if b/policy/modules/contrib/sasl.if
+index b2f388a..8c3c151 100644
+--- a/policy/modules/contrib/sasl.if
++++ b/policy/modules/contrib/sasl.if
+@@ -39,6 +39,7 @@ interface(`sasl_connect',`
+ interface(`sasl_admin',`
+ 	gen_require(`
+ 		type saslauthd_t, saslauthd_var_run_t, saslauthd_initrc_exec_t;
++		type saslauthd_keytab_t;
+ 	')
+ 
+ 	allow $1 saslauthd_t:process { ptrace signal_perms };
+@@ -49,6 +50,9 @@ interface(`sasl_admin',`
+ 	role_transition $2 saslauthd_initrc_exec_t system_r;
+ 	allow $2 system_r;
+ 
++	files_list_etc($1)
++	admin_pattern($1, saslauthd_keytab_t)
++
+ 	files_list_pids($1)
+ 	admin_pattern($1, saslauthd_var_run_t)
+ ')
+diff --git a/policy/modules/contrib/sasl.te b/policy/modules/contrib/sasl.te
+index 20ebffb..6c3bc20 100644
+--- a/policy/modules/contrib/sasl.te
++++ b/policy/modules/contrib/sasl.te
+@@ -1,4 +1,4 @@
+-policy_module(sasl, 1.15.0)
++policy_module(sasl, 1.15.1)
+ 
+ ########################################
+ #
+@@ -20,6 +20,9 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t)
+ type saslauthd_initrc_exec_t;
+ init_script_file(saslauthd_initrc_exec_t)
+ 
++type saslauthd_keytab_t;
++files_type(saslauthd_keytab_t)
++
+ type saslauthd_var_run_t;
+ files_pid_file(saslauthd_var_run_t)
+ 
+@@ -34,6 +37,8 @@ allow saslauthd_t self:process { setsched signal_perms };
+ allow saslauthd_t self:fifo_file rw_fifo_file_perms;
+ allow saslauthd_t self:unix_stream_socket { accept listen };
+ 
++allow saslauthd_t saslauthd_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
+ manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
+ manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
+@@ -92,9 +97,10 @@ tunable_policy(`allow_saslauthd_read_shadow',`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(saslauthd, saslauthd_t)
++	kerberos_read_keytab(saslauthd_t)
+ 	kerberos_manage_host_rcache(saslauthd_t)
+ 	kerberos_tmp_filetrans_host_rcache(saslauthd_t, file, "host_0")
++	kerberos_use(saslauthd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/sendmail.if b/policy/modules/contrib/sendmail.if
+index 88e753f..35ad2a7 100644
+--- a/policy/modules/contrib/sendmail.if
++++ b/policy/modules/contrib/sendmail.if
+@@ -354,6 +354,7 @@ interface(`sendmail_admin',`
+ 	gen_require(`
+ 		type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t;
+ 		type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
++		type sendmail_keytab_t;
+ 	')
+ 
+ 	allow $1 { unconfined_sendmail_t sendmail_t }:process { ptrace signal_perms };
+@@ -363,6 +364,9 @@ interface(`sendmail_admin',`
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 sendmail_initrc_exec_t system_r;
+ 
++	files_list_etc($1)
++	admin_pattern($1, sendmail_keytab_t)
++
+ 	logging_list_logs($1)
+ 	admin_pattern($1, sendmail_log_t)
+ 
+diff --git a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te
+index 320db21..12700b4 100644
+--- a/policy/modules/contrib/sendmail.te
++++ b/policy/modules/contrib/sendmail.te
+@@ -1,4 +1,4 @@
+-policy_module(sendmail, 1.12.0)
++policy_module(sendmail, 1.12.1)
+ 
+ ########################################
+ #
+@@ -13,6 +13,9 @@ roleattribute system_r sendmail_unconfined_roles;
+ type sendmail_initrc_exec_t;
+ init_script_file(sendmail_initrc_exec_t)
+ 
++type sendmail_keytab_t;
++files_type(sendmail_keytab_t)
++
+ type sendmail_log_t;
+ logging_log_file(sendmail_log_t)
+ 
+@@ -43,6 +46,8 @@ allow sendmail_t self:fifo_file rw_fifo_file_perms;
+ allow sendmail_t self:unix_stream_socket { accept listen };
+ allow sendmail_t self:tcp_socket { accept listen };
+ 
++allow sendmail_t sendmail_keytab_t:file read_file_perms;
++
+ allow sendmail_t sendmail_log_t:dir setattr_dir_perms;
+ append_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
+ create_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
+@@ -154,7 +159,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(sendmail, sendmail_t)
++	kerberos_read_keytab(sendmail_t)
++	kerberos_use(sendmail_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/spamassassin.te b/policy/modules/contrib/spamassassin.te
+index 02fba54..cc58e35 100644
+--- a/policy/modules/contrib/spamassassin.te
++++ b/policy/modules/contrib/spamassassin.te
+@@ -1,4 +1,4 @@
+-policy_module(spamassassin, 2.6.0)
++policy_module(spamassassin, 2.6.1)
+ 
+ ########################################
+ #
+@@ -262,7 +262,7 @@ optional_policy(`
+ 	postfix_domtrans_postdrop(spamc_t)
+ 	postfix_search_spool(spamc_t)
+ 	postfix_rw_local_pipes(spamc_t)
+-	postfix_rw_master_pipes(spamc_t)
++	postfix_rw_inherited_master_pipes(spamc_t)
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/contrib/telnet.te b/policy/modules/contrib/telnet.te
+index b9e2061..bcef8b5 100644
+--- a/policy/modules/contrib/telnet.te
++++ b/policy/modules/contrib/telnet.te
+@@ -1,4 +1,4 @@
+-policy_module(telnet, 1.11.0)
++policy_module(telnet, 1.11.1)
+ 
+ ########################################
+ #
+@@ -12,6 +12,9 @@ inetd_service_domain(telnetd_t, telnetd_exec_t)
+ type telnetd_devpts_t;
+ term_login_pty(telnetd_devpts_t)
+ 
++type telnetd_keytab_t;
++files_type(telnetd_keytab_t)
++
+ type telnetd_tmp_t;
+ files_tmp_file(telnetd_tmp_t)
+ 
+@@ -30,6 +33,8 @@ allow telnetd_t self:fifo_file rw_fifo_file_perms;
+ allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
+ term_create_pty(telnetd_t, telnetd_devpts_t)
+ 
++allow telnetd_t telnetd_keytab_t:file read_file_perms;
++
+ manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
+ manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
+ files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
+@@ -85,9 +90,10 @@ tunable_policy(`use_samba_home_dirs',`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(telnetd, telnetd_t)
++	kerberos_read_keytab(telnetd_t)
+ 	kerberos_tmp_filetrans_host_rcache(telnetd_t, file, "host_0")
+ 	kerberos_manage_host_rcache(telnetd_t)
++	kerberos_use(telnetd_t)
+ ')
+ 
+ optional_policy(`
+diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if
+index e30a42e..c8bc302 100644
+--- a/policy/modules/contrib/virt.if
++++ b/policy/modules/contrib/virt.if
+@@ -1148,7 +1148,7 @@ interface(`virt_admin',`
+ 		type virt_bridgehelper_t, virt_qmf_t, virt_var_lib_t;
+ 		type virt_var_run_t, virt_tmp_t, virt_log_t;
+ 		type virt_lock_t, svirt_var_run_t, virt_etc_rw_t;
+-		type virt_etc_t, svirt_cache_t;
++		type virt_etc_t, svirt_cache_t, virtd_keytab_t;
+ 	')
+ 
+ 	allow $1 { virt_domain svirt_lxc_domain virtd_t }:process { ptrace signal_perms };
+@@ -1168,7 +1168,7 @@ interface(`virt_admin',`
+ 	admin_pattern($1, { virt_tmp_type virt_tmp_t })
+ 
+ 	files_search_etc($1)
+-	admin_pattern($1, { virt_etc_t virt_etc_rw_t })
++	admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t })
+ 
+ 	logging_search_logs($1)
+ 	admin_pattern($1, virt_log_t)
+diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
+index 9230f0d..f2916f7 100644
+--- a/policy/modules/contrib/virt.te
++++ b/policy/modules/contrib/virt.te
+@@ -1,4 +1,4 @@
+-policy_module(virt, 1.7.0)
++policy_module(virt, 1.7.1)
+ 
+ ########################################
+ #
+@@ -142,6 +142,9 @@ domain_subj_id_change_exemption(virtd_t)
+ type virtd_initrc_exec_t;
+ init_script_file(virtd_initrc_exec_t)
+ 
++type virtd_keytab_t;
++files_type(virtd_keytab_t)
++
+ ifdef(`enable_mcs',`
+ 	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
+ ')
+@@ -438,6 +441,8 @@ manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
+ manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
+ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
+ 
++allow virtd_t virtd_keytab_t:file read_file_perms;
++
+ allow virtd_t svirt_var_run_t:file relabel_file_perms;
+ manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
+ manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
+@@ -700,7 +705,8 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	kerberos_keytab_template(virtd, virtd_t)
++	kerberos_read_keytab(virtd_t)
++	kerberos_use(virtd_t)
+ ')
+ 
+ optional_policy(`
diff --git a/package/refpolicy/refpolicy-0002-awk-fix.patch b/package/refpolicy/refpolicy-0002-awk-fix.patch
new file mode 100644
index 0000000..cc742a5
--- /dev/null
+++ b/package/refpolicy/refpolicy-0002-awk-fix.patch
@@ -0,0 +1,37 @@
+Use AWK variable instead of the hardcoded awk
+
+The refpolicy build system uses some awk expressions that need GNU
+awk, and not some other version of awk. Unfortunately, while the
+Makefile nicely defines a AWK variable pointing to gawk by default,
+there are several places where it hardcodes the usage of 'awk' without
+the variable. This patch fixes those instances by using the AWK
+vairable everywhere.
+
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+
+Index: refpolicy-2.20130424/Makefile
+===================================================================
+--- refpolicy-2.20130424.orig/Makefile	2013-02-25 16:29:33.000000000 +0100
++++ refpolicy-2.20130424/Makefile	2013-11-24 22:29:19.000000000 +0100
+@@ -292,9 +292,9 @@
+ cmdline_off := $(addsuffix .te,$(APPS_OFF))
+ 
+ # extract settings from modules.conf
+-mod_conf_base := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configbase)") print $$1 }' $(mod_conf) 2> /dev/null)))
+-mod_conf_mods := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configmod)") print $$1 }' $(mod_conf) 2> /dev/null)))
+-mod_conf_off := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configoff)") print $$1 }' $(mod_conf) 2> /dev/null)))
++mod_conf_base := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configbase)") print $$1 }' $(mod_conf) 2> /dev/null)))
++mod_conf_mods := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configmod)") print $$1 }' $(mod_conf) 2> /dev/null)))
++mod_conf_off := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configoff)") print $$1 }' $(mod_conf) 2> /dev/null)))
+ 
+ base_mods := $(cmdline_base)
+ mod_mods := $(cmdline_mods)
+@@ -308,7 +308,7 @@
+ off_mods += $(filter-out $(base_mods) $(mod_mods) $(off_mods),$(notdir $(detected_mods)))
+ 
+ # filesystems to be used in labeling targets
+-filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
++filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | $(AWK) '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
+ fs_names := "btrfs ext2 ext3 ext4 xfs jfs"
+ 
+ ########################################
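Review bot: the three mod_conf_* assignments at line 295 keep '2> /dev/null' after $(AWK), so if the gawk the variable points to is missing or fails, the module lists silently come out empty instead of stopping the build. Since this patch makes the build depend on that variable, either drop the redirection or have refpolicy.mk pass AWK explicitly. The description also misspells 'variable' as 'vairable' and does not say whether the fix was sent upstream.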
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
new file mode 100644
index 0000000..90be77a
--- /dev/null
+++ b/package/refpolicy/refpolicy.mk
@@ -0,0 +1,82 @@
+################################################################################
+#
+# refpolicy
+#
+################################################################################
+
+REFPOLICY_VERSION = 2.20130424
+REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2
+REFPOLICY_SITE = http://oss.tresys.com/files/refpolicy/
+REFPOLICY_LICENSE = GPLv2
+REFPOLICY_LICENSE_FILES = COPYING
+
+# Cannot use multiple threads to build the reference policy
+REFPOLICY_MAKE = $(TARGET_MAKE_ENV) $(MAKE1)
+
+REFPOLICY_DEPENDENCIES = host-m4 host-checkpolicy host-policycoreutils \
+	host-setools host-python-pyxml host-gawk policycoreutils
+
+REFPOLICY_INSTALL_STAGING = YES
+
+REFPOLICY_POLICY_NAME = br_policy
+
+# To apply board specific customizations, create a refpolicy folder in
+# BR2_GLOBAL_PATCH_DIR.  These patches will be applied after the patches
+# in package/refpolicy
+
+# Pointing to the host compiler to build a sort application during the build.
+# The host compiler tools are not used for any part of the refpolicy build.
+# Note, the TEST_TOOLCHAIN option will also set the
+# LD_LIBRARY_PATH at run time.
+REFPOLICY_MAKE_CMDS = $(HOST_CONFIGURE_OPTS) \
+	TEST_TOOLCHAIN="$(HOST_DIR)"
+
+ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)
+	REFPOLICY_MONOLITHIC = n
+else
+	REFPOLICY_MONOLITHIC = y
+endif
+
+define REFPOLICY_CONFIGURE_CMDS
+	$(REFPOLICY_MAKE) -C $(@D) bare $(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
+	$(SED) "/TYPE/c\TYPE = $(BR2_PACKAGE_REFPOLICY_TYPE)" $(@D)/build.conf
+	$(SED) "/MONOLITHIC/c\MONOLITHIC = $(REFPOLICY_MONOLITHIC)" $(@D)/build.conf
+	$(SED) "/NAME/c\NAME = $(REFPOLICY_POLICY_NAME)" $(@D)/build.conf
+	$(REFPOLICY_MAKE) -C $(@D) conf $(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
+	cp -f $(REFPOLICY_MODULES_FILE) $(@D)/policy/modules.conf
+endef
+
+define REFPOLICY_INSTALL_STAGING_CMDS
+	$(REFPOLICY_MAKE) -C $(@D) install-src install-headers \
+		$(if $(BR2_HAVE_DOCUMENTATION),install-docs) \
+		$(REFPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
+endef
+
+REFPOLICY_MODULES_FILE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_MODULES_FILE))
+
+define REFPOLICY_INSTALL_TARGET_CMDS
+	$(REFPOLICY_MAKE) -C $(@D) install $(REFPOLICY_MAKE_CMDS) DESTDIR=$(TARGET_DIR)
+	$(INSTALL) -m 0755 -D package/refpolicy/config $(TARGET_DIR)/etc/selinux/config
+	$(SED) "/^SELINUXTYPE/c\SELINUXTYPE=$(REFPOLICY_POLICY_NAME)" \
+		$(TARGET_DIR)/etc/selinux/config
+	touch $(TARGET_DIR)/.autorelabel
+	$(RM) $(TARGET_DIR)/etc/selinux/$(REFPOLICY_POLICY_NAME)/booleans
+endef
+
+define REFPOLICY_INSTALL_INIT_SYSV
+	$(INSTALL) -m 0755 -D package/refpolicy/S12selinux \
+		$(TARGET_DIR)/etc/init.d/S12selinux
+endef
+
+define REFPOLICY_POLICY_COMPILE
+	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(REFPOLICY_POLICY_NAME)/policy
+	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(REFPOLICY_POLICY_NAME)/modules/active/modules
+	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(REFPOLICY_POLICY_NAME)/contexts/files
+	touch $(TARGET_DIR)/etc/selinux/$(REFPOLICY_POLICY_NAME)/contexts/files/file_contexts.local
+endef
+
+ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)
+	REFPOLICY_POST_INSTALL_TARGET_HOOKS += REFPOLICY_POLICY_COMPILE
+endif
+
+$(eval $(generic-package))
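Review bot: the three $(SED) calls in REFPOLICY_CONFIGURE_CMDS match on bare /TYPE/, /MONOLITHIC/ and /NAME/, so every line of build.conf that merely contains one of those strings is replaced, comments and other variables included. Anchor them to the assignment the way the later /^SELINUXTYPE/ edit is anchored. In REFPOLICY_INSTALL_TARGET_CMDS, /etc/selinux/config is installed with -m 0755; a configuration file needs no execute bit, so 0644 would be the expected mode. The removal of the 'booleans' file and the 'touch .autorelabel' also deserve a one-line comment each saying why they are needed.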
-- 
1.7.1

* [Buildroot] [ PATCH v4 15/20] shadow: new package
  2013-12-12 18:27 [Buildroot] [ PATCH v4 00/20] SELinux Buildroot Additions Clayton Shotwell
                   ` (13 preceding siblings ...)
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 14/20] refpolicy: " Clayton Shotwell
@ 2013-12-12 18:27 ` Clayton Shotwell
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 16/20] busybox: add option to install individual binaries Clayton Shotwell
                   ` (4 subsequent siblings)
  19 siblings, 0 replies; 27+ messages in thread
From: Clayton Shotwell @ 2013-12-12 18:27 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
Changes v3 -> v4:
  - Added back in the Python bindings configure option (suggested by
    Thomas).
  - Moved the linux-pam shadow configuration changes inside the
    linux-pam if block (suggested by Ryan).
Changes v2 -> v3:
  - Corrected spelling error.
Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format.
---
 package/Config.in          |    3 ++
 package/setools/setools.mk |    2 +-
 package/shadow/Config.in   |   13 +++++++++++
 package/shadow/shadow.mk   |   50 ++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 67 insertions(+), 1 deletions(-)
 create mode 100644 package/shadow/Config.in
 create mode 100644 package/shadow/shadow.mk

diff --git a/package/Config.in b/package/Config.in
index 343927d..d4442db 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -961,6 +961,9 @@ source "package/lockfile-progs/Config.in"
 source "package/logrotate/Config.in"
 source "package/logsurfer/Config.in"
 source "package/screen/Config.in"
+if BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
+source "package/shadow/Config.in"
+endif
 source "package/sudo/Config.in"
 if BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
 source "package/time/Config.in"
diff --git a/package/setools/setools.mk b/package/setools/setools.mk
index eb3f4cc..c99cdeb 100644
--- a/package/setools/setools.mk
+++ b/package/setools/setools.mk
@@ -63,7 +63,7 @@ HOST_SETOOLS_CONF_OPT = \
 	--with-sepol-devel="$(HOST_DIR)/usr" \
 	--with-selinux-devel="$(HOST_DIR)/usr" \
 
-ifeq ($(BR2_PACKAGE_PYTHON),y)
+ifeq ($(BR2_PACKAGE_SETOOLS_PYTHON_BINDINGS),y)
 	HOST_SETOOLS_DEPENDENCIES += host-python host-swig 
 	HOST_SETOOLS_CONF_ENV += \
 		am_cv_pathless_PYTHON=python \
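Review bot: this switch from BR2_PACKAGE_PYTHON to BR2_PACKAGE_SETOOLS_PYTHON_BINDINGS changes setools.mk inside a patch titled 'shadow: new package'. It is unrelated to adding shadow and should move to the setools patch of the series, together with the v4 changelog entry about the Python bindings option that appears to describe it.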
diff --git a/package/shadow/Config.in b/package/shadow/Config.in
new file mode 100644
index 0000000..5692ac6
--- /dev/null
+++ b/package/shadow/Config.in
@@ -0,0 +1,13 @@
+config BR2_PACKAGE_SHADOW
+	bool "shadow"
+	help
+	  The shadow-utils package includes the necessary programs for
+	  converting UNIX password files to the shadow password format, plus
+	  programs for managing user and group accounts. The pwconv command
+	  converts passwords to the shadow password format. The pwunconv command
+	  unconverts shadow passwords and generates an npasswd file (a standard
+	  UNIX password file). The pwck command checks the integrity of password
+	  and shadow files. The lastlog command prints out the last login times
+	  for all users. The useradd, userdel, and usermod commands are used for
+	  managing user accounts. The groupadd, groupdel, and groupmod commands
+	  are used for managing group accounts.
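Review bot: BR2_PACKAGE_SHADOW has no 'select' or 'depends on' lines, yet shadow.mk in this same patch lists acl, attr and busybox in SHADOW_DEPENDENCIES. Without matching selects for the acl and attr packages, the build pulls in packages the configuration never enabled. The help text should also end with the upstream project URL.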
diff --git a/package/shadow/shadow.mk b/package/shadow/shadow.mk
new file mode 100644
index 0000000..774162b
--- /dev/null
+++ b/package/shadow/shadow.mk
@@ -0,0 +1,50 @@
+################################################################################
+#
+# shadow
+#
+################################################################################
+
+SHADOW_VERSION = 4.1.5.1
+SHADOW_SOURCE = shadow-$(SHADOW_VERSION).tar.bz2
+SHADOW_SITE = http://pkg-shadow.alioth.debian.org/releases/
+SHADOW_LICENSE = BSD
+SHADOW_LICENSE_FILES = COPYING
+SHADOW_DEPENDENCIES = acl attr busybox
+
+SHADOW_INSTALL_STAGING = NO
+
+SHADOW_CONF_OPT = --disable-nls
+
+# Shadow configuration to support audit
+ifeq ($(BR2_PACKAGE_AUDIT),y)
+SHADOW_DEPENDENCIES += audit
+SHADOW_CONF_OPT += --with-audit=yes
+endif
+
+# Shadow with linux-pam support
+ifeq ($(BR2_PACKAGE_LINUX_PAM),y) 
+SHADOW_DEPENDENCIES += linux-pam
+SHADOW_CONF_OPT += --with-libpam=yes
+
+# Comment out all config entries that conflict with using PAM
+define SHADOW_LOGIN_CONFIGURATION
+        for FUNCTION in FAIL_DELAY FAILLOG_ENAB LASTLOG_ENAB MAIL_CHECK_ENAB \
+                OBSCURE_CHECKS_ENAB PORTTIME_CHECKS_ENAB QUOTAS_ENAB CONSOLE MOTD_FILE \
+                FTMP_FILE NOLOGINS_FILE ENV_HZ PASS_MIN_LEN SU_WHEEL_ONLY CRACKLIB_DICTPATH \
+                PASS_CHANGE_TRIES PASS_ALWAYS_WARN CHFN_AUTH ENCRYPT_METHOD ENVIRON_FILE ; \
+        do \
+                sed -i "s/^$${FUNCTION}/# &/" $(TARGET_DIR)/etc/login.defs ; \
+        done
+endef
+
+SHADOW_POST_INSTALL_TARGET_HOOKS += SHADOW_LOGIN_CONFIGURATION
+
+endif
+
+# Shadow with selinux support
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+SHADOW_DEPENDENCIES += libselinux libsemanage
+SHADOW_CONF_OPT += --with-selinux=yes
+endif
+
+$(eval $(autotools-package))
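Review bot: the sed expression in SHADOW_LOGIN_CONFIGURATION, "s/^$${FUNCTION}/# &/", matches on a prefix only, so each name also comments out any other login.defs key that starts with it (CONSOLE would also hit a CONSOLE_GROUPS line). Require whitespace after the name so that only the intended key is matched. The list includes ENCRYPT_METHOD, PASS_MIN_LEN and OBSCURE_CHECKS_ENAB, which means the password hashing and strength settings must then come from the PAM configuration; say so in the comment above the define. The body of the define is indented with spaces where the rest of the file uses tabs, and the 'ifeq ($(BR2_PACKAGE_LINUX_PAM),y)' line carries trailing whitespace.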
-- 
1.7.1

* [Buildroot] [ PATCH v4 16/20] busybox: add option to install individual binaries
  2013-12-12 18:27 [Buildroot] [ PATCH v4 00/20] SELinux Buildroot Additions Clayton Shotwell
                   ` (14 preceding siblings ...)
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 15/20] shadow: " Clayton Shotwell
@ 2013-12-12 18:27 ` Clayton Shotwell
  2013-12-12 23:02   ` Arnout Vandecappelle
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 17/20] busybox: add option to enable SELinux support Clayton Shotwell
                   ` (3 subsequent siblings)
  19 siblings, 1 reply; 27+ messages in thread
From: Clayton Shotwell @ 2013-12-12 18:27 UTC (permalink / raw)
  To: buildroot

From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Acked-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
 package/busybox/Config.in  |    3 +++
 package/busybox/busybox.mk |   24 ++++++++++++++++++++++++
 2 files changed, 27 insertions(+), 0 deletions(-)

diff --git a/package/busybox/Config.in b/package/busybox/Config.in
index 2d55aa6..7f00fb8 100644
--- a/package/busybox/Config.in
+++ b/package/busybox/Config.in
@@ -55,6 +55,9 @@ config BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
 	  Show packages in menuconfig that are potentially also provided
 	  by busybox.
 
+config BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES
+	bool "Individual binaries"
+
 config BR2_PACKAGE_BUSYBOX_WATCHDOG
 	bool "Install the watchdog daemon startup script"
 	help
diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
index f6f542e..13de7ed 100644
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -50,10 +50,16 @@ ifndef BUSYBOX_CONFIG_FILE
 	BUSYBOX_CONFIG_FILE = $(call qstrip,$(BR2_PACKAGE_BUSYBOX_CONFIG))
 endif
 
+ifeq ($(BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES),y)
+define BUSYBOX_PERMISSIONS
+/usr/share/udhcpc/default.script f 755  0 0 - - - - -
+endef
+else
 define BUSYBOX_PERMISSIONS
 /bin/busybox			 f 4755	0 0 - - - - -
 /usr/share/udhcpc/default.script f 755  0 0 - - - - -
 endef
+endif
 
 # If mdev will be used for device creation enable it and copy S10mdev to /etc/init.d
 ifeq ($(BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_MDEV),y)
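Review bot: with BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES set, BUSYBOX_PERMISSIONS keeps only the udhcpc script entry, and the install loop added in the next hunk uses -m 0755 for every applet, so nothing is setuid root any more. Either add explicit permission entries for the individual applets that need it, or state in the commit message that dropping setuid for all of them is intended and what stops working as a result.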
@@ -152,6 +158,22 @@ define BUSYBOX_SET_INIT
 endef
 endif
 
+ifeq ($(BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES),y)
+define BUSYBOX_CONFIGURE_INDIVIDUAL_BINARIES
+	$(call KCONFIG_ENABLE_OPT,CONFIG_BUILD_LIBBUSYBOX,$(BUSYBOX_BUILD_CONFIG))
+	$(call KCONFIG_ENABLE_OPT,CONFIG_FEATURE_INDIVIDUAL,$(BUSYBOX_BUILD_CONFIG))
+endef
+
+define BUSYBOX_INSTALL_INDIVIDUAL_BINARIES
+	for i in `find -L $(TARGET_DIR) -xtype l -samefile $(TARGET_DIR)/bin/busybox` ; do \
+		$(INSTALL) -D -m 0755 $(@D)/0_lib/`basename $$i` $$i ; \
+	done
+	cp $(@D)/0_lib/libbusybox.so.* $(TARGET_DIR)/lib
+	rm -f $(TARGET_DIR)/lib/libbusybox.so.*_unstripped*
+	rm -f $(TARGET_DIR)/bin/busybox
+endef
+endif
+
 define BUSYBOX_INSTALL_LOGGING_SCRIPT
 	if grep -q CONFIG_SYSLOGD=y $(@D)/.config; then \
 		[ -f $(TARGET_DIR)/etc/init.d/S01logging ] || \
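Review bot: BUSYBOX_INSTALL_INDIVIDUAL_BINARIES iterates over the unquoted output of a backquoted find and uses unquoted $$i and `basename $$i`, so a TARGET_DIR or link name containing whitespace breaks the loop. The define also has no comment explaining that it relies on the symlinks the normal install step created and then replaces each with the matching file from 0_lib. The 'cp $(@D)/0_lib/libbusybox.so.*' followed by 'rm -f ...*_unstripped*' copies files only to delete them; installing just the stripped library with $(INSTALL) would be clearer and would set a known mode.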
@@ -187,6 +209,7 @@ define BUSYBOX_CONFIGURE_CMDS
 	$(BUSYBOX_INTERNAL_SHADOW_PASSWORDS)
 	$(BUSYBOX_SET_INIT)
 	$(BUSYBOX_SET_WATCHDOG)
+	$(BUSYBOX_CONFIGURE_INDIVIDUAL_BINARIES)
 	@yes "" | $(MAKE) ARCH=$(KERNEL_ARCH) CROSS_COMPILE="$(TARGET_CROSS)" \
 		-C $(@D) oldconfig
 endef
@@ -205,6 +228,7 @@ define BUSYBOX_INSTALL_TARGET_CMDS
 	$(BUSYBOX_INSTALL_MDEV_CONF)
 	$(BUSYBOX_INSTALL_LOGGING_SCRIPT)
 	$(BUSYBOX_INSTALL_WATCHDOG_SCRIPT)
+	$(BUSYBOX_INSTALL_INDIVIDUAL_BINARIES)
 endef
 
 $(eval $(generic-package))
-- 
1.7.1

* [Buildroot] [ PATCH v4 17/20] busybox: add option to enable SELinux support
  2013-12-12 18:27 [Buildroot] [ PATCH v4 00/20] SELinux Buildroot Additions Clayton Shotwell
                   ` (15 preceding siblings ...)
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 16/20] busybox: add option to install individual binaries Clayton Shotwell
@ 2013-12-12 18:27 ` Clayton Shotwell
  2013-12-15 16:12   ` Thomas Petazzoni
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 18/20] busybox: ensure it finds pkg-config by setting PATH Clayton Shotwell
                   ` (2 subsequent siblings)
  19 siblings, 1 reply; 27+ messages in thread
From: Clayton Shotwell @ 2013-12-12 18:27 UTC (permalink / raw)
  To: buildroot

From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Acked-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
 ...ags-strip-non-l-arguments-returned-by-pkg.patch |   28 ++++++++++++++++++++
 package/busybox/Config.in                          |    3 ++
 package/busybox/busybox.mk                         |    8 +++++
 3 files changed, 39 insertions(+), 0 deletions(-)
 create mode 100644 package/busybox/1.21.1/0004-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch

diff --git a/package/busybox/1.21.1/0004-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch b/package/busybox/1.21.1/0004-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch
new file mode 100644
index 0000000..105626c
--- /dev/null
+++ b/package/busybox/1.21.1/0004-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch
@@ -0,0 +1,28 @@
+From 67eb23d2be8aba3c474dac81a15b0fa11e5847b7 Mon Sep 17 00:00:00 2001
+From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+Date: Mon, 25 Nov 2013 22:51:53 +0100
+Subject: [PATCH] Makefile.flags: strip non -l arguments returned by pkg-config
+
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
+---
+ Makefile.flags | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Makefile.flags b/Makefile.flags
+index 307afa7..885e323 100644
+--- a/Makefile.flags
++++ b/Makefile.flags
+@@ -141,7 +141,9 @@ ifeq ($(CONFIG_SELINUX),y)
+ SELINUX_PC_MODULES = libselinux libsepol
+ $(eval $(call pkg_check_modules,SELINUX,$(SELINUX_PC_MODULES)))
+ CPPFLAGS += $(SELINUX_CFLAGS)
+-LDLIBS += $(if $(SELINUX_LIBS),$(SELINUX_LIBS:-l%=%),$(SELINUX_PC_MODULES:lib%=%))
++LDLIBS += $(if $(SELINUX_LIBS),\
++       $(patsubst -l%,%,$(filter -l%,$(SELINUX_LIBS))),\
++       $(SELINUX_PC_MODULES:lib%=%))
+ endif
+ 
+ ifeq ($(CONFIG_EFENCE),y)
+-- 
+1.8.1.2
+
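Review bot: the new LDLIBS expression keeps only the words matching -l% from $(SELINUX_LIBS), so everything else pkg-config returns, library search paths such as -L included, is discarded rather than moved elsewhere. The patch description is empty; it should say which non -l arguments were seen, why LDLIBS must hold bare library names, and whether the dropped search paths need to be added to LDFLAGS so the link still finds libselinux and libsepol in the staging directory.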
diff --git a/package/busybox/Config.in b/package/busybox/Config.in
index 7f00fb8..9e64ec0 100644
--- a/package/busybox/Config.in
+++ b/package/busybox/Config.in
@@ -58,6 +58,9 @@ config BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
 config BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES
 	bool "Individual binaries"
 
+config BR2_PACKAGE_BUSYBOX_SELINUX
+	bool "Enable SELinux support"
+
 config BR2_PACKAGE_BUSYBOX_WATCHDOG
 	bool "Install the watchdog daemon startup script"
 	help
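Review bot: BR2_PACKAGE_BUSYBOX_SELINUX is added with no help text and no 'select' or 'depends on' lines, while busybox.mk in this patch adds libselinux and libsepol to BUSYBOX_DEPENDENCIES when it is set. The option should select those two packages (and inherit whatever toolchain dependencies they have) so that enabling it from menuconfig produces a consistent configuration.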
diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
index 13de7ed..24f0695 100644
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -174,6 +174,13 @@ define BUSYBOX_INSTALL_INDIVIDUAL_BINARIES
 endef
 endif
 
+ifeq ($(BR2_PACKAGE_BUSYBOX_SELINUX),y)
+BUSYBOX_DEPENDENCIES += host-pkgconf libselinux libsepol
+define BUSYBOX_SET_SELINUX
+	$(call KCONFIG_ENABLE_OPT,CONFIG_SELINUX,$(BUSYBOX_BUILD_CONFIG))
+endef
+endif
+
 define BUSYBOX_INSTALL_LOGGING_SCRIPT
 	if grep -q CONFIG_SYSLOGD=y $(@D)/.config; then \
 		[ -f $(TARGET_DIR)/etc/init.d/S01logging ] || \
@@ -210,6 +217,7 @@ define BUSYBOX_CONFIGURE_CMDS
 	$(BUSYBOX_SET_INIT)
 	$(BUSYBOX_SET_WATCHDOG)
 	$(BUSYBOX_CONFIGURE_INDIVIDUAL_BINARIES)
+	$(BUSYBOX_SET_SELINUX)
 	@yes "" | $(MAKE) ARCH=$(KERNEL_ARCH) CROSS_COMPILE="$(TARGET_CROSS)" \
 		-C $(@D) oldconfig
 endef
-- 
1.7.1

* [Buildroot] [ PATCH v4 18/20] busybox: ensure it finds pkg-config by setting PATH
  2013-12-12 18:27 [Buildroot] [ PATCH v4 00/20] SELinux Buildroot Additions Clayton Shotwell
                   ` (16 preceding siblings ...)
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 17/20] busybox: add option to enable SELinux support Clayton Shotwell
@ 2013-12-12 18:27 ` Clayton Shotwell
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 19/20] refpolicy: Add busybox selections Clayton Shotwell
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 20/20] configs: Add SELinux x86 qemu config Clayton Shotwell
  19 siblings, 0 replies; 27+ messages in thread
From: Clayton Shotwell @ 2013-12-12 18:27 UTC (permalink / raw)
  To: buildroot

From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Acked-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
 package/busybox/busybox.mk |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
index 24f0695..1a40b43 100644
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -38,6 +38,7 @@ BUSYBOX_MAKE_ENV = \
 	CFLAGS="$(BUSYBOX_CFLAGS)" \
 	CFLAGS_busybox="$(BUSYBOX_CFLAGS_busybox)"
 BUSYBOX_MAKE_OPTS = \
+	PATH="$(TARGET_PATH)" \
 	CC="$(TARGET_CC)" \
 	ARCH=$(KERNEL_ARCH) \
 	PREFIX="$(TARGET_DIR)" \
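Review bot: PATH="$(TARGET_PATH)" is added to BUSYBOX_MAKE_OPTS, i.e. as a make command-line variable, although BUSYBOX_MAKE_ENV is defined directly above in the context lines and is the natural place for an environment setting. The commit message has no body; one sentence saying that the SELinux build calls pkg-config and must find the host one would explain why this is needed.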
-- 
1.7.1

* [Buildroot] [ PATCH v4 19/20] refpolicy: Add busybox selections
  2013-12-12 18:27 [Buildroot] [ PATCH v4 00/20] SELinux Buildroot Additions Clayton Shotwell
                   ` (17 preceding siblings ...)
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 18/20] busybox: ensure it finds pkg-config by setting PATH Clayton Shotwell
@ 2013-12-12 18:27 ` Clayton Shotwell
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 20/20] configs: Add SELinux x86 qemu config Clayton Shotwell
  19 siblings, 0 replies; 27+ messages in thread
From: Clayton Shotwell @ 2013-12-12 18:27 UTC (permalink / raw)
  To: buildroot

Adding selects to enable SELinux and individual binaries when
refpolicy is selected.
---
 package/refpolicy/Config.in |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
index 64e5831..03bfed3 100644
--- a/package/refpolicy/Config.in
+++ b/package/refpolicy/Config.in
@@ -1,6 +1,8 @@
 config BR2_PACKAGE_REFPOLICY
 	bool "refpolicy"
 	select BR2_PACKAGE_POLICYCOREUTILS
+	select BR2_PACKAGE_BUSYBOX_SELINUX
+	select BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES
 	depends on BR2_TOOLCHAIN_HAS_THREADS # policycoreutils
 	depends on BR2_LARGEFILE # policycoreutils
 	depends on BR2_ENABLE_LOCALE # policycoreutils
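Review bot: the two new 'select' lines force BR2_PACKAGE_BUSYBOX_SELINUX and BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES on without regard to any dependencies those symbols have, so a 'depends on' added to either of them later has to be repeated on BR2_PACKAGE_REFPOLICY, in the same way the policycoreutils dependencies are repeated in the lines below. The commit message of this patch also has no Signed-off-by line.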
-- 
1.7.1

* [Buildroot] [ PATCH v4 20/20] configs: Add SELinux x86 qemu config
  2013-12-12 18:27 [Buildroot] [ PATCH v4 00/20] SELinux Buildroot Additions Clayton Shotwell
                   ` (18 preceding siblings ...)
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 19/20] refpolicy: Add busybox selections Clayton Shotwell
@ 2013-12-12 18:27 ` Clayton Shotwell
  19 siblings, 0 replies; 27+ messages in thread
From: Clayton Shotwell @ 2013-12-12 18:27 UTC (permalink / raw)
  To: buildroot

Adding a base SELinux QEMU image for x86. This will build a base
SELinux system that boots with SELinux in permissive mode.

Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
 board/qemu/x86/linux-3.12-selinux.config |   72 ++++++++++++++++++++++++++++++
 configs/qemu_x86_selinux_defconfig       |   27 +++++++++++
 2 files changed, 99 insertions(+), 0 deletions(-)
 create mode 100644 board/qemu/x86/linux-3.12-selinux.config
 create mode 100644 configs/qemu_x86_selinux_defconfig

diff --git a/board/qemu/x86/linux-3.12-selinux.config b/board/qemu/x86/linux-3.12-selinux.config
new file mode 100644
index 0000000..20aff7f
--- /dev/null
+++ b/board/qemu/x86/linux-3.12-selinux.config
@@ -0,0 +1,72 @@
+CONFIG_EXPERIMENTAL=y
+# CONFIG_LOCALVERSION_AUTO is not set
+# CONFIG_SWAP is not set
+CONFIG_AUDIT=y
+# CONFIG_COMPAT_BRK is not set
+CONFIG_MODULES=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_IOSCHED_DEADLINE is not set
+# CONFIG_IOSCHED_CFQ is not set
+# CONFIG_X86_EXTENDED_PLATFORM is not set
+# CONFIG_SCHED_OMIT_FRAME_POINTER is not set
+# CONFIG_MTRR_SANITIZER is not set
+# CONFIG_SECCOMP is not set
+# CONFIG_RELOCATABLE is not set
+CONFIG_NET=y
+CONFIG_PACKET=y
+CONFIG_UNIX=y
+CONFIG_INET=y
+CONFIG_IP_PNP=y
+# CONFIG_INET_XFRM_MODE_TRANSPORT is not set
+# CONFIG_INET_XFRM_MODE_TUNNEL is not set
+# CONFIG_INET_XFRM_MODE_BEET is not set
+# CONFIG_INET_LRO is not set
+# CONFIG_INET_DIAG is not set
+# CONFIG_IPV6 is not set
+# CONFIG_WIRELESS is not set
+CONFIG_DEVTMPFS=y
+CONFIG_DEVTMPFS_MOUNT=y
+# CONFIG_PREVENT_FIRMWARE_BUILD is not set
+# CONFIG_FIRMWARE_IN_KERNEL is not set
+# CONFIG_BLK_DEV is not set
+CONFIG_BLK_DEV_SD=y
+CONFIG_ATA=y
+CONFIG_ATA_PIIX=y
+CONFIG_NETDEVICES=y
+CONFIG_NE2K_PCI=y
+CONFIG_8139CP=y
+# CONFIG_WLAN is not set
+# CONFIG_INPUT_MOUSEDEV_PSAUX is not set
+# CONFIG_INPUT_MOUSE is not set
+# CONFIG_SERIO_SERPORT is not set
+# CONFIG_LEGACY_PTYS is not set
+# CONFIG_DEVKMEM is not set
+CONFIG_SERIAL_8250=y
+CONFIG_SERIAL_8250_CONSOLE=y
+# CONFIG_HW_RANDOM is not set
+# CONFIG_HWMON is not set
+CONFIG_SOUND=y
+CONFIG_SND=y
+CONFIG_SND_HDA_INTEL=y
+# CONFIG_USB_SUPPORT is not set
+# CONFIG_X86_PLATFORM_DEVICES is not set
+# CONFIG_DMIID is not set
+CONFIG_EXT2_FS=y
+CONFIG_EXT2_FS_XATTR=y
+CONFIG_EXT2_FS_SECURITY=y
+# CONFIG_DNOTIFY is not set
+# CONFIG_INOTIFY_USER is not set
+# CONFIG_MISC_FILESYSTEMS is not set
+CONFIG_NFS_FS=y
+CONFIG_ROOT_NFS=y
+# CONFIG_ENABLE_WARN_DEPRECATED is not set
+# CONFIG_ENABLE_MUST_CHECK is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_FRAME_POINTER is not set
+# CONFIG_X86_VERBOSE_BOOTUP is not set
+CONFIG_SECURITY=y
+CONFIG_SECURITY_NETWORK=y
+CONFIG_SECURITY_SELINUX=y
+CONFIG_SECURITY_SELINUX_BOOTPARAM=y
+CONFIG_CRYPTO_ANSI_CPRNG=y
+# CONFIG_VIRTUALIZATION is not set
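Review bot: the commit message says the image boots with SELinux in permissive mode, but nothing in this fragment selects a mode. CONFIG_SECURITY_SELINUX_BOOTPARAM=y only adds the selinux= boot switch, and permissive operation needs CONFIG_SECURITY_SELINUX_DEVELOP, which is left to the kernel default here; set it explicitly and say in the commit message where the mode is chosen. The fragment also has '# CONFIG_SECCOMP is not set' and enables CONFIG_SOUND, CONFIG_SND and CONFIG_SND_HDA_INTEL; if these are carried over unchanged from the existing x86 config, say so, otherwise drop what a SELinux demonstration image does not need.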
diff --git a/configs/qemu_x86_selinux_defconfig b/configs/qemu_x86_selinux_defconfig
new file mode 100644
index 0000000..ba26ae4
--- /dev/null
+++ b/configs/qemu_x86_selinux_defconfig
@@ -0,0 +1,27 @@
+# Architecture
+BR2_i386=y
+BR2_x86_pentiumpro=y
+
+# system
+BR2_TARGET_GENERIC_GETTY=y
+BR2_TARGET_GENERIC_GETTY_PORT="tty1"
+
+# filesystem
+BR2_TARGET_ROOTFS_EXT2=y
+# BR2_TARGET_ROOTFS_TAR is not set
+
+# Lock to 3.12 headers to avoid breaking with newer kernels
+BR2_KERNEL_HEADERS_VERSION=y
+BR2_DEFAULT_KERNEL_VERSION="3.12.2"
+
+# Kernel
+BR2_LINUX_KERNEL=y
+BR2_LINUX_KERNEL_CUSTOM_VERSION=y
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="3.12.2"
+BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
+BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/x86/linux-3.12-selinux.config"
+
+# SELinux
+BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES=y
+BR2_PACKAGE_BUSYBOX_SELINUX=y
+BR2_PACKAGE_REFPOLICY=y
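Review bot: the '# SELinux' block sets BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES and BR2_PACKAGE_BUSYBOX_SELINUX explicitly even though patch 19/20 makes BR2_PACKAGE_REFPOLICY select both, so the first two lines are redundant. More importantly, the defconfig sets no toolchain options, while BR2_PACKAGE_REFPOLICY depends on BR2_TOOLCHAIN_HAS_THREADS, BR2_LARGEFILE and BR2_ENABLE_LOCALE (visible in the 19/20 context); if the default toolchain does not provide all three, BR2_PACKAGE_REFPOLICY=y is dropped silently. Add the toolchain settings the series was tested with.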
-- 
1.7.1

* [Buildroot] [ PATCH v4 16/20] busybox: add option to install individual binaries
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 16/20] busybox: add option to install individual binaries Clayton Shotwell
@ 2013-12-12 23:02   ` Arnout Vandecappelle
  2013-12-15 16:10     ` Thomas Petazzoni
  2013-12-16 15:44     ` Clayton Shotwell
  0 siblings, 2 replies; 27+ messages in thread
From: Arnout Vandecappelle @ 2013-12-12 23:02 UTC (permalink / raw)
  To: buildroot

On 12/12/13 19:27, Clayton Shotwell wrote:
> From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
> Acked-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
> ---
>   package/busybox/Config.in  |    3 +++
>   package/busybox/busybox.mk |   24 ++++++++++++++++++++++++
>   2 files changed, 27 insertions(+), 0 deletions(-)
>
> diff --git a/package/busybox/Config.in b/package/busybox/Config.in
> index 2d55aa6..7f00fb8 100644
> --- a/package/busybox/Config.in
> +++ b/package/busybox/Config.in
> @@ -55,6 +55,9 @@ config BR2_PACKAGE_BUSYBOX_SHOW_OTHERS
>   	  Show packages in menuconfig that are potentially also provided
>   	  by busybox.
>
> +config BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES
> +	bool "Individual binaries"

  This really lacks some help text, even I had no idea what it meant at 
first. I guess the text from busybox can just be reused - though for 
SELinux there's obviously a different reason.

         If your CPU architecture doesn't allow for sharing text/rodata
         sections of running binaries, but allows for runtime dynamic
         libraries, this option will allow you to reduce memory footprint
         when you have many different applets running at once.

         If your CPU architecture allows for sharing text/rodata,
         having single binary is more optimal.

         Each applet will be a tiny program, dynamically linked
         against libbusybox.so.N.N.N.

         You need to have a working dynamic linker.

  That last sentence makes me think that we're missing a depends on 
!BR2_PREFER_STATIC here.

> +
>   config BR2_PACKAGE_BUSYBOX_WATCHDOG
>   	bool "Install the watchdog daemon startup script"
>   	help
> diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
> index f6f542e..13de7ed 100644
> --- a/package/busybox/busybox.mk
> +++ b/package/busybox/busybox.mk
> @@ -50,10 +50,16 @@ ifndef BUSYBOX_CONFIG_FILE
>   	BUSYBOX_CONFIG_FILE = $(call qstrip,$(BR2_PACKAGE_BUSYBOX_CONFIG))
>   endif
>
> +ifeq ($(BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES),y)
> +define BUSYBOX_PERMISSIONS
> +/usr/share/udhcpc/default.script f 755  0 0 - - - - -

  Isn't setuid root needed anymore for /bin/login? Same for passwd, su, 
probably others...


> +endef
> +else
>   define BUSYBOX_PERMISSIONS
>   /bin/busybox			 f 4755	0 0 - - - - -
>   /usr/share/udhcpc/default.script f 755  0 0 - - - - -
>   endef
> +endif
>
>   # If mdev will be used for device creation enable it and copy S10mdev to /etc/init.d
>   ifeq ($(BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_MDEV),y)
> @@ -152,6 +158,22 @@ define BUSYBOX_SET_INIT
>   endef
>   endif
>
> +ifeq ($(BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES),y)
> +define BUSYBOX_CONFIGURE_INDIVIDUAL_BINARIES
> +	$(call KCONFIG_ENABLE_OPT,CONFIG_BUILD_LIBBUSYBOX,$(BUSYBOX_BUILD_CONFIG))
> +	$(call KCONFIG_ENABLE_OPT,CONFIG_FEATURE_INDIVIDUAL,$(BUSYBOX_BUILD_CONFIG))
> +endef
> +
> +define BUSYBOX_INSTALL_INDIVIDUAL_BINARIES
> +	for i in `find -L $(TARGET_DIR) -xtype l -samefile $(TARGET_DIR)/bin/busybox` ; do \
> +		$(INSTALL) -D -m 0755 $(@D)/0_lib/`basename $$i` $$i ; \
> +	done

  Icky, perhaps it's better to make an upstreamable patch that fixes the 
Makefile so it properly installs the binaries if INDIVIDUAL_BINARIES is 
selected?


  Regards,
  Arnout

> +	cp $(@D)/0_lib/libbusybox.so.* $(TARGET_DIR)/lib
> +	rm -f $(TARGET_DIR)/lib/libbusybox.so.*_unstripped*
> +	rm -f $(TARGET_DIR)/bin/busybox
> +endef
> +endif
> +
>   define BUSYBOX_INSTALL_LOGGING_SCRIPT
>   	if grep -q CONFIG_SYSLOGD=y $(@D)/.config; then \
>   		[ -f $(TARGET_DIR)/etc/init.d/S01logging ] || \
> @@ -187,6 +209,7 @@ define BUSYBOX_CONFIGURE_CMDS
>   	$(BUSYBOX_INTERNAL_SHADOW_PASSWORDS)
>   	$(BUSYBOX_SET_INIT)
>   	$(BUSYBOX_SET_WATCHDOG)
> +	$(BUSYBOX_CONFIGURE_INDIVIDUAL_BINARIES)
>   	@yes "" | $(MAKE) ARCH=$(KERNEL_ARCH) CROSS_COMPILE="$(TARGET_CROSS)" \
>   		-C $(@D) oldconfig
>   endef
> @@ -205,6 +228,7 @@ define BUSYBOX_INSTALL_TARGET_CMDS
>   	$(BUSYBOX_INSTALL_MDEV_CONF)
>   	$(BUSYBOX_INSTALL_LOGGING_SCRIPT)
>   	$(BUSYBOX_INSTALL_WATCHDOG_SCRIPT)
> +	$(BUSYBOX_INSTALL_INDIVIDUAL_BINARIES)
>   endef
>
>   $(eval $(generic-package))
>


-- 
Arnout Vandecappelle                          arnout at mind be
Senior Embedded Software Architect            +32-16-286500
Essensium/Mind                                http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium           BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint:  7CB5 E4CC 6C2E EFD4 6E3D A754 F963 ECAB 2450 2F1F

* [Buildroot] [ PATCH v4 16/20] busybox: add option to install individual binaries
  2013-12-12 23:02   ` Arnout Vandecappelle
@ 2013-12-15 16:10     ` Thomas Petazzoni
  2013-12-17 17:47       ` Clayton Shotwell
  2013-12-16 15:44     ` Clayton Shotwell
  1 sibling, 1 reply; 27+ messages in thread
From: Thomas Petazzoni @ 2013-12-15 16:10 UTC (permalink / raw)
  To: buildroot

Dear Arnout Vandecappelle,

On Fri, 13 Dec 2013 00:02:01 +0100, Arnout Vandecappelle wrote:

> >
> > +config BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES
> > +	bool "Individual binaries"
> 
>   This really lacks some help text, even I had no idea what it meant
> at first. I guess the text from busybox can just be reused - though
> for SELinux there's obviously a different reason.

In fact, the patches from me in this series were not really meant to be
sent to the list. They are proof-of-concept patches that I did to help
Clayton, but some more work was needed before they could be submitted for
real.

>          If your CPU architecture doesn't allow for sharing
> text/rodata sections of running binaries, but allows for runtime
> dynamic libraries, this option will allow you to reduce memory
> footprint when you have many different applets running at once.
> 
>          If your CPU architecture allows for sharing text/rodata,
>          having single binary is more optimal.
> 
>          Each applet will be a tiny program, dynamically linked
>          against libbusybox.so.N.N.N.
> 
>          You need to have a working dynamic linker.

In the context of SELinux, it's because SELinux can only apply
different security policies to the various applets if they use
different binaries.

>   That last sentence makes me think that we're missing a depends on 
> !BR2_PREFER_STATIC here.

Indeed.

Also, I am not sure we want to show this option in the top-level
package menuconfig. So, we can either:

 * Have a sub-menu for Busybox customization options
 * Make this behavior automatic whenever SELinux support is enabled,
   and only in this case

> > +ifeq ($(BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES),y)
> > +define BUSYBOX_PERMISSIONS
> > +/usr/share/udhcpc/default.script f 755  0 0 - - - - -
> 
>   Isn't setuid root needed anymore for /bin/login? Same for passwd,
> su, probably others...

Most likely yes. I have been able to log into the system with this
patch, though.

> > +define BUSYBOX_INSTALL_INDIVIDUAL_BINARIES
> > +	for i in `find -L $(TARGET_DIR) -xtype l -samefile
> > $(TARGET_DIR)/bin/busybox` ; do \
> > +		$(INSTALL) -D -m 0755 $(@D)/0_lib/`basename $$i`
> > $$i ; \
> > +	done
> 
>   Icky, perhaps it's better to make an upstreamable patch that fixes
> the Makefile so it properly installs the binaries if
> INDIVIDUAL_BINARIES is selected?

Yeah, could be interesting indeed.

Thanks for your comments,

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com


* [Buildroot] [ PATCH v4 17/20] busybox: add option to enable SELinux support
  2013-12-12 18:27 ` [Buildroot] [ PATCH v4 17/20] busybox: add option to enable SELinux support Clayton Shotwell
@ 2013-12-15 16:12   ` Thomas Petazzoni
  2013-12-17 17:52     ` Clayton Shotwell
  0 siblings, 1 reply; 27+ messages in thread
From: Thomas Petazzoni @ 2013-12-15 16:12 UTC (permalink / raw)
  To: buildroot

Dear Clayton Shotwell,

On Thu, 12 Dec 2013 12:27:17 -0600, Clayton Shotwell wrote:

> +config BR2_PACKAGE_BUSYBOX_SELINUX
> +	bool "Enable SELinux support"

Maybe we don't need a Busybox sub-option and instead we can enable
SELinux support as soon as libselinux and libsepol are available?

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com


* [Buildroot] [ PATCH v4 16/20] busybox: add option to install individual binaries
  2013-12-12 23:02   ` Arnout Vandecappelle
  2013-12-15 16:10     ` Thomas Petazzoni
@ 2013-12-16 15:44     ` Clayton Shotwell
  1 sibling, 0 replies; 27+ messages in thread
From: Clayton Shotwell @ 2013-12-16 15:44 UTC (permalink / raw)
  To: buildroot

Arnout,

Arnout Vandecappelle <arnout@mind.be> wrote on 12/12/2013 05:02:01 PM:

>   That last sentence makes me think that we're missing a depends on 
> !BR2_PREFER_STATIC here.

Agreed. I'll add that in.

> > +
> >   config BR2_PACKAGE_BUSYBOX_WATCHDOG
> >      bool "Install the watchdog daemon startup script"
> >      help
> > diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
> > index f6f542e..13de7ed 100644
> > --- a/package/busybox/busybox.mk
> > +++ b/package/busybox/busybox.mk
> > @@ -50,10 +50,16 @@ ifndef BUSYBOX_CONFIG_FILE
> >      BUSYBOX_CONFIG_FILE = $(call 
qstrip,$(BR2_PACKAGE_BUSYBOX_CONFIG))
> >   endif
> >
> > +ifeq ($(BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES),y)
> > +define BUSYBOX_PERMISSIONS
> > +/usr/share/udhcpc/default.script f 755  0 0 - - - - -
> 
>   Isn't setuid root needed anymore for /bin/login? Same for passwd, su, 
> probably others...

Good point. I'll look into adding support for that.

> > +endef
> > +else
> >   define BUSYBOX_PERMISSIONS
> >   /bin/busybox          f 4755   0 0 - - - - -
> >   /usr/share/udhcpc/default.script f 755  0 0 - - - - -
> >   endef
> > +endif
> >
> >   # If mdev will be used for device creation enable it and copy 
> S10mdev to /etc/init.d
> >   ifeq ($(BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_MDEV),y)
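
Review bot: the `BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES` branch of `BUSYBOX_PERMISSIONS` lists only `/usr/share/udhcpc/default.script`, so nothing replaces the `/bin/busybox f 4755` entry of the `else` branch, and the install loop in the next hunk creates every applet with `-m 0755`. List each applet that needs root as its own entry in this branch, in the same format (for example `/bin/login f 4755 0 0 - - - - -`), and leave the rest without setuid. That is narrower than setuid on the shared binary, but it has to be spelled out here or passwd and su lose the privilege they had through `/bin/busybox`.
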
> > @@ -152,6 +158,22 @@ define BUSYBOX_SET_INIT
> >   endef
> >   endif
> >
> > +ifeq ($(BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES),y)
> > +define BUSYBOX_CONFIGURE_INDIVIDUAL_BINARIES
> > +   $(call KCONFIG_ENABLE_OPT,CONFIG_BUILD_LIBBUSYBOX,$
> (BUSYBOX_BUILD_CONFIG))
> > +   $(call KCONFIG_ENABLE_OPT,CONFIG_FEATURE_INDIVIDUAL,$
> (BUSYBOX_BUILD_CONFIG))
> > +endef
> > +
> > +define BUSYBOX_INSTALL_INDIVIDUAL_BINARIES
> > +   for i in `find -L $(TARGET_DIR) -xtype l -samefile $
> (TARGET_DIR)/bin/busybox` ; do \
> > +      $(INSTALL) -D -m 0755 $(@D)/0_lib/`basename $$i` $$i ; \
> > +   done
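
Review bot: in `BUSYBOX_INSTALL_INDIVIDUAL_BINARIES` the loop body ends in `; \`, so a failing `$(INSTALL)` is ignored unless it happens in the last iteration, and an applet with no file under `$(@D)/0_lib/` silently stays a symlink to `/bin/busybox` while the build still passes. Add `|| exit 1` after the `$(INSTALL)` command, and quote `$$i`, since the backquoted `find` output is word-split by the shell.
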
> 
>   Icky, perhaps it's better to make an upstreamable patch that fixes the
> Makefile so it properly installs the binaries if INDIVIDUAL_BINARIES is

I'll see what I can do.

Thanks,
Clayton

Clayton Shotwell
Software Engineer
clshotwe at rockwellcollins.com
www.rockwellcollins.com 


* [Buildroot] [ PATCH v4 16/20] busybox: add option to install individual binaries
  2013-12-15 16:10     ` Thomas Petazzoni
@ 2013-12-17 17:47       ` Clayton Shotwell
  0 siblings, 0 replies; 27+ messages in thread
From: Clayton Shotwell @ 2013-12-17 17:47 UTC (permalink / raw)
  To: buildroot

Thomas,

Thomas Petazzoni <thomas.petazzoni@free-electrons.com> wrote on 12/15/2013 10:10:59 AM:

> > >
> > > +config BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES
> > > +   bool "Individual binaries"
> > 
> >   This really lacks some help text, even I had no idea what it meant
> > at first. I guess the text from busybox can just be reused - though
> > for SELinux there's obviously a different reason.
> 
> In fact, the patches from me in this series were not really meant to be
> sent to the list. They are proof-of-concept patches that I did to help
> Clayton, but some more work was needed before they could be submitted for
> real.

I apologize for just sending these out without any context or much of a
second review. I will get them cleaned up a little bit and resubmit them.
 
> >          If your CPU architecture doesn't allow for sharing
> > text/rodata sections of running binaries, but allows for runtime
> > dynamic libraries, this option will allow you to reduce memory
> > footprint when you have many different applets running at once.
> > 
> >          If your CPU architecture allows for sharing text/rodata,
> >          having single binary is more optimal.
> > 
> >          Each applet will be a tiny program, dynamically linked
> >          against libbusybox.so.N.N.N.
> > 
> >          You need to have a working dynamic linker.
> 
> In the context of SELinux, it's because SELinux can only apply
> different security policies to the various applets if they use
> different binaries.
> 
> >   That last sentence makes me think that we're missing a depends on 
> > !BR2_PREFER_STATIC here.
> 
> Indeed.
> 
> Also, I am not sure we want to show this option in the top-level
> package menuconfig. So, we can either:
> 
>  * Have a sub-menu for Busybox customization options
>  * Make this behavior automatic whenever SELinux support is enabled,
>    and only in this case
> 
> > > +ifeq ($(BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES),y)
> > > +define BUSYBOX_PERMISSIONS
> > > +/usr/share/udhcpc/default.script f 755  0 0 - - - - -
> > 
> >   Isn't setuid root needed anymore for /bin/login? Same for passwd,
> > su, probably others...
> 
> Most likely yes. I have been able to log into the system with this
> patch, though.

I will come up with a base list of applications that need suid and add
it to the patch.

Thanks,
Clayton

Clayton Shotwell
Software Engineer
clshotwe at rockwellcollins.com
www.rockwellcollins.com 
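
The two points this sub-thread keeps returning to (applets that are still symlinks to one binary, which SELinux cannot label separately, and applets that lost setuid) can be checked on the built root filesystem. This is an added example, not code from the patch series; the applet list, the four bin directories and the function names are assumptions, and applet symlinks are assumed to be relative.

```shell
#!/bin/sh
# Added example, not part of the patch series. Audits a root filesystem tree
# (for instance a mounted image) built with individual BusyBox binaries.
# Assumption: SUID_APPLETS holds the three applets named in the thread.
SUID_APPLETS="login passwd su"

# Print applet paths that are still symlinks resolving to bin/busybox.
# They share one file, so SELinux cannot give them separate labels.
shared_applets() {
    root=$1
    find "$root" -type l | sort | while IFS= read -r link; do
        # -ef: both paths resolve to the same device and inode
        if [ "$link" -ef "$root/bin/busybox" ]; then
            printf '%s\n' "${link#"$root"}"
        fi
    done
}

# Print applets from SUID_APPLETS installed as regular files without setuid.
missing_suid() {
    root=$1
    for name in $SUID_APPLETS; do
        for dir in bin sbin usr/bin usr/sbin; do
            bin=$root/$dir/$name
            if [ -f "$bin" ] && [ ! -L "$bin" ] && [ ! -u "$bin" ]; then
                printf '/%s/%s\n' "$dir" "$name"
            fi
        done
    done
}

# Report both findings; return 0 only when there are none.
audit_rootfs() {
    shared=$(shared_applets "$1")
    nosuid=$(missing_suid "$1")
    if [ -n "$shared" ]; then
        printf '%s\n' "$shared" | sed 's|^|still a symlink to busybox: |'
    fi
    if [ -n "$nosuid" ]; then
        printf '%s\n' "$nosuid" | sed 's|^|setuid bit missing: |'
    fi
    [ -z "$shared$nosuid" ]
}

# Usage: sh audit.sh /path/to/rootfs
if [ "$#" -eq 1 ]; then audit_rootfs "$1"; fi
```

Point it at the contents of the final image rather than `$(TARGET_DIR)`, since Buildroot applies the `BUSYBOX_PERMISSIONS` entries when the filesystem image is generated.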


* [Buildroot] [ PATCH v4 17/20] busybox: add option to enable SELinux support
  2013-12-15 16:12   ` Thomas Petazzoni
@ 2013-12-17 17:52     ` Clayton Shotwell
  0 siblings, 0 replies; 27+ messages in thread
From: Clayton Shotwell @ 2013-12-17 17:52 UTC (permalink / raw)
  To: buildroot

Thomas,

> > +config BR2_PACKAGE_BUSYBOX_SELINUX
> > +   bool "Enable SELinux support"
> 
> Maybe we don't need a Busybox sub-option and instead we can enable
> SELinux support as soon as libselinux and libsepol are available?
> 

Either way works for me.

Thanks,
Clayton

Clayton Shotwell
Software Engineer
clshotwe at rockwellcollins.com
www.rockwellcollins.com 

