libsepol: bump to 2.7, setools: bump to 4.1.1

The reason for combining these patches is because the
old version of setools is not compatible with libsepol 2.7.  If a user were
to do a git pull on a patch that only updates libsepol or setools, the build
would fail to compile.

setools has been completely rewritten in python instead of C.

The current version of setools includes a few programs that require
python-qt5 or python-networkx to run, however the package does not
check to see if these exist when compiling, and will install the scripts
to the target directory even if they don't exist.

In the case of python-networkx, this package is not available on Buildroot.
The scripts that require them are: sedta and seinfoflow.
In the case of python-qt5, qpol is the script that requires it.

Some setools.mk notes to get the package to compile:

- Convert the package .mk to use python-package instead of autotools-package.

- setup.py hard codes base_lib_dirs to point to several host directories.
  To fix this, sed is used before compiling to point the base_lib_dirs to
  the staging directory.

- setup.py also includes the "Werror" flag, however compilers before gcc6
  cause a few autogenerated variables to not be initialized before use,
  causing the build to fail.
  To fix this, a patch is provided that removes the Werror flag.

- Remove sedta and seinfoflow from the target system after install.  These
  packages rely on the package python-networkx which is not available in
  buildroot.

- Remove the installed apol package and the setoolsgui directory from the
  target directory if python-qt5 is not selected.

Other changes:
- Removed all patches, as they are not compatible with the new version of
  setools.

- Add COPYING, COPYING.GPL, and COPYING.LGPL to setools.hash

Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Adam Duskett 2017-10-17 18:32:16 -04:00 committed by Thomas Petazzoni
parent 38e36cd0e1
commit 96d3d01796
12 changed files with 279 additions and 352 deletions

@ -1,4 +1,7 @@
Add support for static-only build
From 2140db697c7f1da2a0a3f7bbcb14c1a0dade84e5 Mon Sep 17 00:00:00 2001
From: Adam Duskett <Adamduskett@outlook.com>
Date: Mon, 9 Oct 2017 16:28:12 -0400
Subject: [PATCH] Add support for static-only build
Instead of unconditionally building shared libraries, this patch
improves the libsepol build system with a "STATIC" variable, which
@ -7,30 +10,30 @@ libraries. It allows to support cases where the target architecture
does not have support for shared libraries.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Index: b/src/Makefile
===================================================================
Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
---
src/Makefile | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/Makefile b/src/Makefile
index db6c2ba..0006285 100644
index 819d261..040921d 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -30,8 +30,12 @@ LOBJS += $(sort $(patsubst %.c,%.lo,$(wildcard $(CILDIR)/src/*.c) $(CIL_GENERATE
override CFLAGS += -I$(CILDIR)/include
@@ -40,7 +40,12 @@ LDFLAGS += -undefined dynamic_lookup
LN=gln
endif
-all: $(LIBA) $(LIBSO) $(LIBPC)
+ALL_TARGETS = $(LIBA) $(LIBPC)
+ifeq ($(STATIC),)
+ALL_TARGETS += $(LIBSO)
+endif
-all: $(LIBA) $(LIBSO) $(LIBPC)
+
+all: $(ALL_TARGETS)
$(LIBA): $(OBJS)
@@ -66,11 +70,13 @@
@@ -82,11 +87,13 @@ endif
install: all
test -d $(LIBDIR) || install -m 755 -d $(LIBDIR)
install -m 644 $(LIBA) $(LIBDIR)
@ -41,8 +44,11 @@ index db6c2ba..0006285 100644
+ifeq ($(STATIC),)
+ test -d $(SHLIBDIR) || install -m 755 -d $(SHLIBDIR)
+ install -m 755 $(LIBSO) $(SHLIBDIR)
ln -sf --relative $(SHLIBDIR)/$(LIBSO) $(LIBDIR)/$(TARGET)
$(LN) -sf --relative $(SHLIBDIR)/$(LIBSO) $(LIBDIR)/$(TARGET)
+endif
relabel:
/sbin/restorecon $(SHLIBDIR)/$(LIBSO)
--
2.13.6
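Review bot: the `relabel:` target that follows the install hunk still runs `/sbin/restorecon $(SHLIBDIR)/$(LIBSO)` unconditionally, although with STATIC set `$(LIBSO)` is neither built nor installed. Wrap that command in the same `ifeq ($(STATIC),)` guard used for the install lines, so a static-only build never tries to relabel a file that does not exist.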

@ -1,4 +1,7 @@
Makefile: revert libsepol: use ln --relative to create .so symlinks
From 16b2b0e21e10727065042a1baabd1a887757c65c Mon Sep 17 00:00:00 2001
From: Adam Duskett <Adamduskett@outlook.com>
Date: Mon, 9 Oct 2017 16:29:36 -0400
Subject: [PATCH] Makefile: revert libsepol: use ln --relative to create .so symlinks
This reverts 71393a181d63c9baae5fe8dcaeb9411d1f253998
@ -9,16 +12,23 @@ they are maintained (up to 10 years in some cases?).
For the sake of Buildroot, revert the upstream patch.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
---
src/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff -durN a/src/Makefile b/src/Makefile
diff --git a/src/Makefile b/src/Makefile
index 040921d..e811c9e 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -77,7 +77,7 @@
@@ -92,7 +92,7 @@ install: all
ifeq ($(STATIC),)
test -d $(SHLIBDIR) || install -m 755 -d $(SHLIBDIR)
install -m 755 $(LIBSO) $(SHLIBDIR)
- ln -sf --relative $(SHLIBDIR)/$(LIBSO) $(LIBDIR)/$(TARGET)
- $(LN) -sf --relative $(SHLIBDIR)/$(LIBSO) $(LIBDIR)/$(TARGET)
+ cd $(LIBDIR) && ln -sf ../../`basename $(SHLIBDIR)`/$(LIBSO) $(TARGET)
endif
relabel:
--
2.13.6
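Review bot: the added `cd $(LIBDIR) && ln -sf ../../...` line hard-codes a `../../` prefix in front of the basename of `$(SHLIBDIR)`, so the symlink only resolves when `$(LIBDIR)` sits exactly two levels below the directory that holds `$(SHLIBDIR)`. State that layout assumption in the patch description. The line also calls `ln` directly where the removed upstream line used `$(LN)`; keep `$(LN)` so the revert changes only the `--relative` behaviour.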

@ -1,2 +1,2 @@
# From https://github.com/SELinuxProject/selinux/wiki/Releases
sha256 d856d6506054f52abeaa3543ea2f2344595a3dc05d0d873ed7f724f7a16b1874 libsepol-2.6.tar.gz
# From: https://github.com/SELinuxProject/selinux/wiki/Releases
sha256 d69d3bd8ec901a3bd5adf2be2fb47fb1a685ed73066ab482e7e505371a48f9e7 libsepol-2.7.tar.gz

@ -4,8 +4,8 @@
#
################################################################################
LIBSEPOL_VERSION = 2.6
LIBSEPOL_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014
LIBSEPOL_VERSION = 2.7
LIBSEPOL_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804
LIBSEPOL_LICENSE = LGPL-2.1+
LIBSEPOL_LICENSE_FILES = COPYING

@ -1,125 +0,0 @@
Correct build issues to enable cross compiling. These changes require the
package to be auto reconfigured.
These updates were not upsteamed as the 3.3.x version has stablized and they
were only taking bug fixes. Also the 4.0 preview has completely reworked
the build infrastructure which will require this to be revisited.
Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
diff -urN a/configure.ac b/configure.ac
--- a/configure.ac 2013-01-16 10:36:24.000000000 -0600
+++ b/configure.ac 2013-07-12 08:22:10.380255248 -0500
@@ -448,8 +448,9 @@
sepol_srcdir="")
if test "x${sepol_srcdir}" = "x"; then
sepol_srcdir=${sepol_devel_libdir}
- AC_CHECK_FILE([${sepol_srcdir}/libsepol.a],,
- AC_MSG_ERROR([make sure libsepol-static is installed]))
+ if test ! -f ${sepol_srcdir}/libsepol.a; then
+ AC_MSG_ERROR([could not find precompiled libsepol.a])
+ fi
else
AC_MSG_CHECKING([for compatible sepol source tree])
sepol_version=${sepol_srcdir}/VERSION
@@ -484,8 +485,9 @@
AC_CHECK_HEADER([sepol/policydb/policydb.h], , AC_MSG_ERROR([could not find sepol source tree]))
CFLAGS="${sepol_src_save_CFLAGS}"
CPPFLAGS="${sepol_src_save_CPPFLAGS}"
- AC_CHECK_FILE([${sepol_srcdir}/libsepol.a],,
- AC_MSG_ERROR([could not find precompiled libsepol.a]))
+ if test ! -f ${sepol_srcdir}/libsepol.a; then
+ AC_MSG_ERROR([could not find precompiled libsepol.a])
+ fi
sepol_devel_incdir="${sepol_srcdir}/../include"
fi
SELINUX_CFLAGS="-I${sepol_devel_incdir} -I${selinux_devel_incdir}"
@@ -578,12 +580,13 @@
[AC_LANG_SOURCE([
#include <sepol/policydb/expand.h>
int main () {
- return expand_module_avrules(NULL, NULL, NULL, NULL, NULL, 0, 0);
+ return expand_module_avrules(NULL, NULL, NULL, NULL, NULL, 0, 0, 0, 0);
}])],
AC_MSG_RESULT([yes]),
AC_MSG_ERROR([this version of libsepol is incompatible with SETools]))
fi
sepol_new_expand_boolmap="yes"
+ sepol_new_user_role_mapping="yes"
else
sepol_new_expand_boolmap="no"
fi
@@ -607,7 +610,8 @@
exit(EXIT_FAILURE);
}])],
sepol_policy_version_max=`cat conftest.data`,
- AC_MSG_FAILURE([could not determine maximum libsepol policy version]))
+ AC_MSG_FAILURE([could not determine maximum libsepol policy version]),
+ sepol_policy_version_max="26")
AC_DEFINE_UNQUOTED(SEPOL_POLICY_VERSION_MAX, ${sepol_policy_version_max}, [maximum policy version supported by libsepol])
CFLAGS="${sepol_save_CFLAGS}"
CPPFLAGS="${sepol_save_CPPFLAGS}"
@@ -631,7 +635,7 @@
changequote([,])dnl
selinux_save_CFLAGS="${CFLAGS}"
CFLAGS="${SELINUX_CFLAGS} ${SELINUX_LIB_FLAG} -lselinux -lsepol ${CFLAGS}"
- gcc ${CFLAGS} -o conftest conftest.c >&5
+ ${CC} ${CFLAGS} -o conftest conftest.c >&5
selinux_policy_dir=`./conftest`
AC_MSG_RESULT(${selinux_policy_dir})
CFLAGS="${selinux_save_CFLAGS}"
diff -urN a/libqpol/src/policy_define.c b/libqpol/src/policy_define.c
--- a/libqpol/src/policy_define.c 2013-01-16 10:36:24.000000000 -0600
+++ b/libqpol/src/policy_define.c 2013-07-12 08:22:10.380255248 -0500
@@ -2135,7 +2135,7 @@
#ifdef HAVE_SEPOL_ROLE_ATTRS
if (role_set_expand(&roles, &e_roles, policydbp, NULL, NULL))
#elif HAVE_SEPOL_USER_ROLE_MAPPING
- if (role_set_expand(&roles, &e_roles, policydbp, NULL))
+ if (role_set_expand(&roles, &e_roles, policydbp, NULL, NULL))
#else
if (role_set_expand(&roles, &e_roles, policydbp))
#endif
diff -urN a/m4/ac_python_devel.m4 b/m4/ac_python_devel.m4
--- a/m4/ac_python_devel.m4 2013-01-16 10:36:22.000000000 -0600
+++ b/m4/ac_python_devel.m4 2013-07-12 08:22:10.380255248 -0500
@@ -234,7 +234,7 @@
AC_MSG_CHECKING([consistency of all components of python development environment])
AC_LANG_PUSH([C])
# save current global flags
- LIBS="$ac_save_LIBS $PYTHON_LDFLAGS"
+ LIBS="$ac_save_LIBS $PYTHON_EXTRA_LIBS $PYTHON_LDFLAGS"
CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
AC_TRY_LINK([
#include <Python.h>
diff -urN a/python/setools/Makefile.am b/python/setools/Makefile.am
--- a/python/setools/Makefile.am 2013-01-16 10:36:22.000000000 -0600
+++ b/python/setools/Makefile.am 2013-07-12 08:22:19.200251011 -0500
@@ -22,13 +22,13 @@
python-build: sesearch.c seinfo.c
@mkdir -p setools
@cp __init__.py setools
- LIBS="$(QPOL_LIB_FLAG) $(APOL_LIB_FLAG)" INCLUDES="$(QPOL_CFLAGS) $(APOL_CFLAGS)" $(PYTHON) setup.py build
+ LIBS="$(QPOL_LIB_FLAG) $(APOL_LIB_FLAG)" LIBDIRS="$(PYTHON_LDFLAGS)" INCLUDES="$(PYTHON_CPPFLAGS) $(QPOL_CFLAGS) $(APOL_CFLAGS)" CC="$(CC)" CFLAGS="$(CFLAGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(LDFLAGS)" $(PYTHON) setup.py build_ext
install-exec-hook:
- $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
+ $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --prefix=$(DESTDIR)/usr`
uninstall-hook:
- $(PYTHON) setup.py uninstall `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
+ $(PYTHON) setup.py uninstall `test -n "$(DESTDIR)" && echo --prefix=$(DESTDIR)/usr`
clean-local:
$(PYTHON) setup.py clean -a
--- a/python/setools/setup.py 2013-01-16 10:36:22.000000000 -0600
+++ b/python/setools/setup.py 2013-09-04 09:17:48.452916991 -0500
@@ -8,7 +8,7 @@
try:
inc=os.getenv("INCLUDES").split(" ")
INCLUDES=map(lambda x: x[2:], inc)
- LIBDIRS=map(lambda x: "/".join(x.split("/")[:-1]), os.getenv("LIBS").split())
+ LIBDIRS=map(lambda x: "/".join(x.split("/")[:-1]), os.getenv("LIBS").split()) + map(lambda x: x[2:], os.getenv("LIBDIRS").split())
except:
INCLUDES=""
LIBDIRS=""

@ -0,0 +1,29 @@
From b2fe84bfd00117d4897f1f2e8f83d3410eb188b8 Mon Sep 17 00:00:00 2001
From: Adam Duskett <Adamduskett@outlook.com>
Date: Thu, 12 Oct 2017 22:04:58 -0400
Subject: [PATCH] remove werror flag from setup
Compilers older than gcc6 will generate uninitialized variable warnings which
will cause compiling to fail.
Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
---
setup.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup.py b/setup.py
index 2ca44c9..9319bf6 100644
--- a/setup.py
+++ b/setup.py
@@ -146,7 +146,7 @@ ext_py_mods = [Extension('setools.policyrep._qpol',
'libqpol/policy_scan.c',
'libqpol/xen_query.c'],
include_dirs=include_dirs,
- extra_compile_args=['-Werror', '-Wextra',
+ extra_compile_args=['-Wextra',
'-Waggregate-return',
'-Wfloat-equal',
'-Wformat', '-Wformat=2',
--
2.13.6
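Review bot: the description ties the failure to compilers older than gcc6, but the `extra_compile_args` change drops `-Werror` for every compiler. Say so in the patch description, and record whether the change was sent upstream, so the patch can be re-evaluated at the next setools bump.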

@ -0,0 +1,142 @@
From 2512c3ba608077db3a5e0286b976fadc8a04a5c4 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Thu, 23 Feb 2017 08:17:07 +0100
Subject: [PATCH] Do not export/use setools.InfoFlowAnalysis and
setools.DomainTransitionAnalysis
dta and infoflow modules require networkx which brings lot of dependencies.
These dependencies are not necessary for setools module itself as it's
used in policycoreutils.
Therefore it's better to use setools.infoflow.InfoFlowAnalysis and
setools.dta.DomainTransitionAnalysis and let the package containing
sedta and seinfoflow to require python3-networkx
Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
---
sedta | 3 ++-
seinfoflow | 3 ++-
setools/__init__.py | 4 ++--
setoolsgui/apol/dta.py | 2 +-
setoolsgui/apol/infoflow.py | 2 +-
tests/dta.py | 3 ++-
tests/infoflow.py | 3 ++-
7 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/sedta b/sedta
index 1c76ebb..255ad49 100755
--- a/sedta
+++ b/sedta
@@ -23,6 +23,7 @@ import argparse
import logging
import setools
+import setools.dta
def print_transition(trans):
@@ -111,7 +112,7 @@ else:
try:
p = setools.SELinuxPolicy(args.policy)
- g = setools.DomainTransitionAnalysis(p, reverse=args.reverse, exclude=args.exclude)
+ g = setools.dta.DomainTransitionAnalysis(p, reverse=args.reverse, exclude=args.exclude)
if args.shortest_path or args.all_paths:
if args.shortest_path:
diff --git a/seinfoflow b/seinfoflow
index b287921..d53bdef 100755
--- a/seinfoflow
+++ b/seinfoflow
@@ -19,6 +19,7 @@
from __future__ import print_function
import setools
+import setools.infoflow
import argparse
import sys
import logging
@@ -79,7 +80,7 @@ else:
try:
p = setools.SELinuxPolicy(args.policy)
m = setools.PermissionMap(args.map)
- g = setools.InfoFlowAnalysis(p, m, min_weight=args.min_weight, exclude=args.exclude)
+ g = setools.infoflow.InfoFlowAnalysis(p, m, min_weight=args.min_weight, exclude=args.exclude)
if args.shortest_path or args.all_paths:
if args.shortest_path:
diff --git a/setools/__init__.py b/setools/__init__.py
index a84c846..a53c5a7 100644
--- a/setools/__init__.py
+++ b/setools/__init__.py
@@ -74,11 +74,11 @@ from .pcideviceconquery import PcideviceconQuery
from .devicetreeconquery import DevicetreeconQuery
# Information Flow Analysis
-from .infoflow import InfoFlowAnalysis
+# from .infoflow import InfoFlowAnalysis
from .permmap import PermissionMap
# Domain Transition Analysis
-from .dta import DomainTransitionAnalysis
+# from .dta import DomainTransitionAnalysis
# Policy difference
from .diff import PolicyDifference
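Review bot: in `setools/__init__.py` the two imports are commented out rather than deleted, and nothing tells a caller that `InfoFlowAnalysis` and `DomainTransitionAnalysis` are no longer exported from the package namespace. Delete the lines and leave a short comment pointing at `setools.infoflow` and `setools.dta`, so that a script still using the old names fails with an explanation in the source next to it.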
diff --git a/setoolsgui/apol/dta.py b/setoolsgui/apol/dta.py
index 0aaf13f..5b1ea20 100644
--- a/setoolsgui/apol/dta.py
+++ b/setoolsgui/apol/dta.py
@@ -23,7 +23,7 @@ from PyQt5.QtCore import pyqtSignal, Qt, QStringListModel, QThread
from PyQt5.QtGui import QPalette, QTextCursor
from PyQt5.QtWidgets import QCompleter, QHeaderView, QMessageBox, QProgressDialog, \
QTreeWidgetItem
-from setools import DomainTransitionAnalysis
+from setools.dta import DomainTransitionAnalysis
from ..logtosignal import LogHandlerToSignal
from .analysistab import AnalysisTab
diff --git a/setoolsgui/apol/infoflow.py b/setoolsgui/apol/infoflow.py
index 1ae16de..fdf8f7b 100644
--- a/setoolsgui/apol/infoflow.py
+++ b/setoolsgui/apol/infoflow.py
@@ -25,7 +25,7 @@ from PyQt5.QtCore import pyqtSignal, Qt, QStringListModel, QThread
from PyQt5.QtGui import QPalette, QTextCursor
from PyQt5.QtWidgets import QCompleter, QHeaderView, QMessageBox, QProgressDialog, \
QTreeWidgetItem
-from setools import InfoFlowAnalysis
+from setools.infoflow import InfoFlowAnalysis
from setools.exception import UnmappedClass, UnmappedPermission
from ..logtosignal import LogHandlerToSignal
diff --git a/tests/dta.py b/tests/dta.py
index 32b9271..2bdd052 100644
--- a/tests/dta.py
+++ b/tests/dta.py
@@ -17,7 +17,8 @@
#
import unittest
-from setools import SELinuxPolicy, DomainTransitionAnalysis
+from setools import SELinuxPolicy
+from setools.dta import DomainTransitionAnalysis
from setools import TERuletype as TERT
from setools.policyrep.exception import InvalidType
from setools.policyrep.typeattr import Type
diff --git a/tests/infoflow.py b/tests/infoflow.py
index 7751dda..a21c683 100644
--- a/tests/infoflow.py
+++ b/tests/infoflow.py
@@ -17,7 +17,8 @@
#
import unittest
-from setools import SELinuxPolicy, InfoFlowAnalysis
+from setools import SELinuxPolicy
+from setools.infoflow import InfoFlowAnalysis
from setools import TERuletype as TERT
from setools.permmap import PermissionMap
from setools.policyrep.exception import InvalidType
--
2.9.3

@ -1,25 +0,0 @@
Correct a build issue that occurs when python is not found
in the path. This check should only be done if swig-python
option is selected.
Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
--- a/configure.ac 2015-05-15 12:28:07.566060349 -0500
+++ b/configure.ac 2015-05-28 15:07:25.357072800 -0500
@@ -217,8 +217,6 @@
do_swigify=yes
fi
-AM_PATH_PYTHON(2.7)
-
AC_ARG_ENABLE(swig-python,
AC_HELP_STRING([--enable-swig-python],
[build SWIG interfaces for Python]),
@@ -227,6 +225,7 @@
if test ${do_swigify} = no; then
AC_PROG_SWIG(2.0.0)
fi
+ AM_PATH_PYTHON(2.7)
SWIG_PYTHON
do_swigify_python=yes
do_swigify=yes

@ -1,90 +0,0 @@
setools: Add patch to support 2.4 toolstack.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
URL: https://github.com/flihp/meta-selinux/commit/e09eaef7a9acb552a4a5e1f90117154ae06b6fda
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
diff --git a/libqpol/src/policy_define.c b/libqpol/src/policy_define.c
index fad6b60..231962f 100644
--- a/libqpol/src/policy_define.c
+++ b/libqpol/src/policy_define.c
@@ -1449,7 +1449,7 @@ int define_compute_type_helper(int which, avrule_t ** rule)
return -1;
}
class_perm_node_init(perm);
- perm->class = i + 1;
+ perm->tclass = i + 1;
perm->data = datum->s.value;
perm->next = avrule->perms;
avrule->perms = perm;
@@ -1699,7 +1699,7 @@ int define_te_avtab_helper(int which, avrule_t ** rule)
goto out;
}
class_perm_node_init(cur_perms);
- cur_perms->class = i + 1;
+ cur_perms->tclass = i + 1;
if (!perms)
perms = cur_perms;
if (tail)
diff --git a/libqpol/src/policy_extend.c b/libqpol/src/policy_extend.c
index 5325a87..1417271 100644
--- a/libqpol/src/policy_extend.c
+++ b/libqpol/src/policy_extend.c
@@ -843,7 +843,7 @@ static int qpol_syn_rule_table_insert_sepol_avrule(qpol_policy_t * policy, qpol_
for (class_node = rule->perms; class_node; class_node = class_node->next) {
key.rule_type = rule->specified;
key.source_val = key.target_val = i + 1;
- key.class_val = class_node->class;
+ key.class_val = class_node->tclass;
key.cond = cond;
if (qpol_syn_rule_table_insert_entry(policy, table, &key, new_rule))
goto err;
@@ -856,7 +856,7 @@ static int qpol_syn_rule_table_insert_sepol_avrule(qpol_policy_t * policy, qpol_
key.rule_type = rule->specified;
key.source_val = i + 1;
key.target_val = j + 1;
- key.class_val = class_node->class;
+ key.class_val = class_node->tclass;
key.cond = cond;
if (qpol_syn_rule_table_insert_entry(policy, table, &key, new_rule))
goto err;
diff --git a/libqpol/src/syn_rule_query.c b/libqpol/src/syn_rule_query.c
index 3e63204..d7578f1 100644
--- a/libqpol/src/syn_rule_query.c
+++ b/libqpol/src/syn_rule_query.c
@@ -67,7 +67,7 @@ static void *syn_rule_class_state_get_cur(const qpol_iterator_t * iter)
return NULL;
}
- return db->class_val_to_struct[srcs->cur->class - 1];
+ return db->class_val_to_struct[srcs->cur->tclass - 1];
}
static int syn_rule_class_state_next(qpol_iterator_t * iter)
@@ -465,10 +465,10 @@ int qpol_syn_avrule_get_perm_iter(const qpol_policy_t * policy, const qpol_syn_a
}
for (node = internal_rule->perms; node; node = node->next) {
- for (i = 0; i < db->class_val_to_struct[node->class - 1]->permissions.nprim; i++) {
+ for (i = 0; i < db->class_val_to_struct[node->tclass - 1]->permissions.nprim; i++) {
if (!(node->data & (1 << i)))
continue;
- tmp = sepol_av_to_string(db, node->class, (sepol_access_vector_t) (1 << i));
+ tmp = sepol_av_to_string(db, node->tclass, (sepol_access_vector_t) (1 << i));
if (tmp) {
tmp++; /* remove prepended space */
for (cur = 0; cur < perm_list_sz; cur++)
diff --git a/secmds/replcon.cc b/secmds/replcon.cc
index 34f7c1a..307c39f 100644
--- a/secmds/replcon.cc
+++ b/secmds/replcon.cc
@@ -60,7 +60,7 @@ static struct option const longopts[] = {
{NULL, 0, NULL, 0}
};
-extern int lsetfilecon_raw(const char *, security_context_t) __attribute__ ((weak));
+extern int lsetfilecon_raw(const char *, const char *) __attribute__ ((weak));
/**
* As that setools must work with older libselinux versions that may

@ -1,36 +1,27 @@
config BR2_PACKAGE_SETOOLS
bool "setools"
depends on BR2_TOOLCHAIN_HAS_THREADS
depends on !BR2_arc # arc: libselinux not available
depends on !BR2_STATIC_LIBS
depends on BR2_INSTALL_LIBSTDCPP
depends on BR2_TOOLCHAIN_HAS_THREADS
depends on BR2_USE_WCHAR
depends on BR2_TOOLCHAIN_USES_GLIBC # libselinux
# bfin: infamous _ symbol prefix issue
# nios2: triggers some toolchain issue "No symbol version
# section for versioned symbol"
# arc: libselinux not available
depends on !BR2_nios2 && !BR2_bfin && !BR2_arc
depends on BR2_USE_MMU
select BR2_PACKAGE_PYTHON3 if !BR2_PACKAGE_PYTHON
select BR2_PACKAGE_PYTHON_ENUM34 if !BR2_PACKAGE_PYTHON3
select BR2_PACKAGE_PYTHON_SETUPTOOLS
select BR2_PACKAGE_LIBSELINUX
select BR2_PACKAGE_SQLITE
select BR2_PACKAGE_LIBXML2
select BR2_PACKAGE_BZIP2
help
SETools is an open source project designed to facilitate
SELinux policy analysis. The primary tools are:
* apol - analyze a SELinux policy.
* seaudit - analyze audit messages from SELinux.
* seaudit-report - generate highly-customized audit log
reports.
* sechecker - command line tool for performing modular
checks on an SELinux policy.
* apol - analyze a SELinux policy. (requires python-qt5)
* sediff - semantic policy difference tool for SELinux.
* secmds - command-line tools to analyze and search SELinux
policy.
* sedta - Perform domain transition analyses
* sesearch - Search rules (allow, type_transition, etc.)
https://github.com/TresysTechnology/setools3/wiki
https://github.com/TresysTechnology/setools
comment "setools needs a glibc toolchain w/ threads, C++, wchar, dynamic library"
depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_STATIC_LIBS \
|| !BR2_USE_WCHAR || !BR2_INSTALL_LIBSTDCPP \
|| !BR2_TOOLCHAIN_USES_GLIBC
depends on !BR2_nios2 && !BR2_bfin && !BR2_arc
depends on BR2_USE_MMU && !BR2_arc
depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_STATIC_LIBS || \
!BR2_USE_WCHAR || !BR2_TOOLCHAIN_USES_GLIBC || \
!BR2_INSTALL_LIBSTDCPP
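Review bot: the help text lists `sedta - Perform domain transition analyses` among the primary tools, but setools.mk deletes `$(TARGET_DIR)/usr/bin/sedta` after install because python-networkx is not available. Drop sedta from the help text, or say there that it is not installed, so the menu entry matches what ends up on the target.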

@ -1,4 +1,7 @@
# From https://github.com/TresysTechnology/setools3/wiki/Download
md5 d68d0d4e4da0f01da0f208782ff04b91 setools-3.3.8.tar.bz2
md5 d68d0d4e4da0f01da0f208782ff04b91 setools-4.1.1.tar.bz2
# Locally computed
sha256 44387ecc9a231ec536a937783440cd8960a72c51f14bffc1604b7525e341e999 setools-3.3.8.tar.bz2
sha256 46a927ea2b163cbe1d35cc35da43e45853e13720c7e02d4cf75a498783c19610 setools-4.1.1.tar.gz
sha256 2f7547e10f76a382c24c053595f38a5cc6dda9347f508f254ca490e0046a9624 COPYING
sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING.GPL
sha256 dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551 COPYING.LGPL
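Review bot: the `md5` line for `setools-4.1.1.tar.bz2` carries the same digest as the `setools-3.3.8.tar.bz2` line and names a `.tar.bz2` file, while the sha256 entry is for `setools-4.1.1.tar.gz`. Only the version in the filename was edited, so this entry cannot correspond to the archive being downloaded. Remove the md5 line and the stale `setools3/wiki/Download` comment, and keep the locally computed sha256 as the integrity check.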

@ -4,81 +4,67 @@
#
################################################################################
SETOOLS_VERSION = 3.3.8
SETOOLS_SOURCE = setools-$(SETOOLS_VERSION).tar.bz2
SETOOLS_SITE = https://raw.githubusercontent.com/wiki/TresysTechnology/setools3/files/dists/setools-$(SETOOLS_VERSION)
SETOOLS_DEPENDENCIES = libselinux libsepol sqlite libxml2 bzip2 host-bison host-flex
SETOOLS_VERSION = 4.1.1
SETOOLS_SITE = $(call github,TresysTechnology,setools,$(SETOOLS_VERSION))
SETOOLS_DEPENDENCIES = libselinux libsepol python-setuptools host-bison host-flex host-swig
SETOOLS_INSTALL_STAGING = YES
SETOOLS_LICENSE = GPL-2.0+, LGPL-2.1+
SETOOLS_LICENSE_FILES = COPYING COPYING.GPL COPYING.LGPL
SETOOLS_SETUP_TYPE = setuptools
HOST_SETOOLS_DEPENDENCIES = host-libselinux host-libsepol
# configure.ac is patched by the cross compile patch,
# so autoreconf is necessary
SETOOLS_AUTORECONF = YES
# Notes: Need "disable-selinux-check" so the configure does not check to see
# if host has selinux enabled.
# No python support as only the libraries and commandline tools are
# installed on target
SETOOLS_CONF_OPTS = \
--disable-debug \
--disable-gui \
--disable-bwidget-check \
--disable-selinux-check \
--disable-swig-java \
--disable-swig-python \
--disable-swig-tcl \
--with-sepol-devel="$(STAGING_DIR)/usr" \
--with-selinux-devel="$(STAGING_DIR)/usr"
ifeq ($(BR2_sparc64):$(BR2_STATIC_LIBS),y:)
SETOOLS_CONF_ENV += CFLAGS="$(TARGET_CFLAGS) -fPIC"
endif
HOST_SETOOLS_DEPENDENCIES = host-libselinux host-libsepol host-sqlite \
host-libxml2 host-bzip2 host-bison
ifeq ($(BR2_PACKAGE_PYTHON3),y)
HOST_SETOOLS_PYTHON_VERSION=$(PYTHON3_VERSION_MAJOR)
HOST_SETOOLS_DEPENDENCIES += host-python3
HOST_SETOOLS_CONF_ENV += am_cv_python_version=$(PYTHON3_VERSION)
SETOOLS_PYLIBVER = python$(PYTHON3_VERSION_MAJOR)
else
HOST_SETOOLS_PYTHON_VERSION=$(PYTHON_VERSION_MAJOR)
HOST_SETOOLS_DEPENDENCIES += host-python
HOST_SETOOLS_CONF_ENV += am_cv_python_version=$(PYTHON_VERSION)
SETOOLS_PYLIBVER = python$(PYTHON_VERSION_MAJOR)
SETOOLS_DEPENDENCIES += python-enum34
endif
HOST_SETOOLS_PYTHON_SITE_PACKAGES = $(HOST_DIR)/lib/python$(HOST_SETOOLS_PYTHON_VERSION)/site-packages
HOST_SETOOLS_PYTHON_INCLUDES = $(HOST_DIR)/include/python$(HOST_SETOOLS_PYTHON_VERSION)
HOST_SETOOLS_PYTHON_LIB = -lpython$(HOST_SETOOLS_PYTHON_VERSION)
define SETOOLS_FIX_SETUP
# By default, setup.py will look for libsepol.a in the host machines
# /usr/lib directory. This needs to be changed to the staging directory.
$(SED) "s@base_lib_dirs =.*@base_lib_dirs = ['$(STAGING_DIR)/lib']@g" \
$(@D)/setup.py
endef
SETOOLS_POST_PATCH_HOOKS += SETOOLS_FIX_SETUP
# Notes: Need "disable-selinux-check" so the configure does not check to see
# if host has selinux enabled.
# Host builds with python support to enable tools for offline target
# policy analysis
HOST_SETOOLS_CONF_OPTS = \
--disable-debug \
--disable-gui \
--disable-bwidget-check \
--disable-selinux-check \
--disable-swig-java \
--disable-swig-python \
--disable-swig-tcl \
--with-sepol-devel="$(HOST_DIR)" \
--with-selinux-devel="$(HOST_DIR)" \
PYTHON_LDFLAGS="-L$(HOST_DIR)/lib/" \
PYTHON_CPPFLAGS="-I$(HOST_SETOOLS_PYTHON_INCLUDES)" \
PYTHON_SITE_PKG="$(HOST_SETOOLS_PYTHON_SITE_PACKAGES)" \
PYTHON_EXTRA_LIBS="-lpthread -ldl -lutil $(HOST_SETOOLS_PYTHON_LIB)"
define HOST_SETOOLS_FIX_SETUP
# By default, setup.py will look for libsepol.a in the host machines
# /usr/lib directory. This needs to be changed to the host directory.
$(SED) "s@base_lib_dirs =.*@base_lib_dirs = ['$(HOST_DIR)/lib']@g" \
$(@D)/setup.py
endef
HOST_SETOOLS_POST_PATCH_HOOKS += HOST_SETOOLS_FIX_SETUP
HOST_SETOOLS_CONF_ENV += \
am_cv_pathless_PYTHON=python \
ac_cv_path_PYTHON=$(HOST_DIR)/bin/python \
am_cv_python_platform=linux2 \
am_cv_python_version=$(HOST_SETOOLS_PYTHON_VERSION) \
am_cv_python_pythondir=$(HOST_SETOOLS_PYTHON_SITE_PACKAGES) \
am_cv_python_pyexecdir=$(HOST_SETOOLS_PYTHON_SITE_PACKAGES) \
am_cv_python_includes=-I$(HOST_SETOOLS_PYTHON_INCLUDES)
# sedta and seinfoflow depend on python-networkx. This package is not
# available in buildroot.
define SETOOLS_REMOVE_BROKEN_SCRIPTS
$(RM) $(TARGET_DIR)/usr/bin/sedta
$(RM) $(TARGET_DIR)/usr/bin/seinfoflow
endef
SETOOLS_POST_INSTALL_TARGET_HOOKS += SETOOLS_REMOVE_BROKEN_SCRIPTS
$(eval $(autotools-package))
$(eval $(host-autotools-package))
# apol requires pyqt5. However, the setools installation
# process will install apol even if pyqt5 is missing.
# Remove these scripts from the target it pyqt5 is not selected.
ifeq ($(BR2_PACKAGE_PYTHON_PYQT5),)
define SETOOLS_REMOVE_QT_SCRIPTS
$(RM) $(TARGET_DIR)/usr/bin/apol
$(RM) -r $(TARGET_DIR)/lib/$(SETOOLS_PYLIBVER)/site-packages/setoolsgui/
endef
SETOOLS_POST_INSTALL_TARGET_HOOKS += SETOOLS_REMOVE_QT_SCRIPTS
endif
# sedta and seinfoflow depend on python-networkx. This package is not
# available in buildroot. pyqt5 is not a host-package, remove apol
# from the host directory as well.
define HOST_SETOOLS_REMOVE_BROKEN_SCRIPTS
$(RM) $(HOST_DIR)/bin/sedta
$(RM) $(HOST_DIR)/bin/seinfoflow
$(RM) $(HOST_DIR)/bin/apol
endef
HOST_SETOOLS_POST_INSTALL_HOOKS += HOST_SETOOLS_REMOVE_BROKEN_SCRIPTS
$(eval $(python-package))
$(eval $(host-python-package))
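Review bot: `SETOOLS_REMOVE_QT_SCRIPTS` removes `$(TARGET_DIR)/usr/bin/apol` but then removes `setoolsgui` from `$(TARGET_DIR)/lib/$(SETOOLS_PYLIBVER)/site-packages/`, without the `/usr` prefix used for the other target paths in this file. Check where site-packages lands on the target; if it is under `/usr/lib`, the `$(RM) -r` does nothing and the GUI package stays installed. The same question applies to `base_lib_dirs = ['$(STAGING_DIR)/lib']` in `SETOOLS_FIX_SETUP`, whose comment talks about `/usr/lib`. The comment above the Qt hook also has a typo, "it pyqt5" for "if pyqt5".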