diff --git a/package/libsepol/0001-support-static-only.patch b/package/libsepol/0001-support-static-only.patch index 3e6d555e96..185a5641de 100644 --- a/package/libsepol/0001-support-static-only.patch +++ b/package/libsepol/0001-support-static-only.patch @@ -1,4 +1,7 @@ -Add support for static-only build +From 2140db697c7f1da2a0a3f7bbcb14c1a0dade84e5 Mon Sep 17 00:00:00 2001 +From: Adam Duskett +Date: Mon, 9 Oct 2017 16:28:12 -0400 +Subject: [PATCH] Add support for static-only build Instead of unconditionally building shared libraries, this patch improves the libsepol build system with a "STATIC" variable, which @@ -7,30 +10,30 @@ libraries. It allows to support cases where the target architecture does not have support for shared libraries. Signed-off-by: Thomas Petazzoni -Signed-off-by: Adam Duskett - -Index: b/src/Makefile -=================================================================== +Signed-off-by: Adam Duskett +--- + src/Makefile | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/src/Makefile b/src/Makefile -index db6c2ba..0006285 100644 +index 819d261..040921d 100644 --- a/src/Makefile +++ b/src/Makefile -@@ -30,8 +30,12 @@ LOBJS += $(sort $(patsubst %.c,%.lo,$(wildcard $(CILDIR)/src/*.c) $(CIL_GENERATE - override CFLAGS += -I$(CILDIR)/include +@@ -40,7 +40,12 @@ LDFLAGS += -undefined dynamic_lookup + LN=gln endif +-all: $(LIBA) $(LIBSO) $(LIBPC) +ALL_TARGETS = $(LIBA) $(LIBPC) +ifeq ($(STATIC),) +ALL_TARGETS += $(LIBSO) +endif - --all: $(LIBA) $(LIBSO) $(LIBPC) ++ +all: $(ALL_TARGETS) - + $(LIBA): $(OBJS) -@@ -66,11 +70,13 @@ +@@ -82,11 +87,13 @@ endif install: all test -d $(LIBDIR) || install -m 755 -d $(LIBDIR) install -m 644 $(LIBA) $(LIBDIR) 
@@ -41,8 +44,11 @@ index db6c2ba..0006285 100644 +ifeq ($(STATIC),) + test -d $(SHLIBDIR) || install -m 755 -d $(SHLIBDIR) + install -m 755 $(LIBSO) $(SHLIBDIR) - ln -sf --relative $(SHLIBDIR)/$(LIBSO) $(LIBDIR)/$(TARGET) + $(LN) -sf --relative $(SHLIBDIR)/$(LIBSO) $(LIBDIR)/$(TARGET) +endif relabel: /sbin/restorecon $(SHLIBDIR)/$(LIBSO) +-- +2.13.6 + diff --git a/package/libsepol/0003-revert-ln-relative.patch b/package/libsepol/0003-revert-ln-relative.patch index 0902d8d40e..488a9abea0 100644 --- a/package/libsepol/0003-revert-ln-relative.patch +++ b/package/libsepol/0003-revert-ln-relative.patch @@ -1,4 +1,7 @@ -Makefile: revert libsepol: use ln --relative to create .so symlinks +From 16b2b0e21e10727065042a1baabd1a887757c65c Mon Sep 17 00:00:00 2001 +From: Adam Duskett +Date: Mon, 9 Oct 2017 16:29:36 -0400 +Subject: [PATCH] Makefile: revert libsepol: use ln --relative to create .so symlinks This reverts 71393a181d63c9baae5fe8dcaeb9411d1f253998 @@ -9,16 +12,23 @@ they are maintained (up to 10 years in some cases?). For the sake of Buildroot, revert the upstream patch. Signed-off-by: "Yann E. MORIN" +--- + src/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) -diff -durN a/src/Makefile b/src/Makefile +diff --git a/src/Makefile b/src/Makefile +index 040921d..e811c9e 100644 --- a/src/Makefile +++ b/src/Makefile -@@ -77,7 +77,7 @@ +@@ -92,7 +92,7 @@ install: all ifeq ($(STATIC),) test -d $(SHLIBDIR) || install -m 755 -d $(SHLIBDIR) install -m 755 $(LIBSO) $(SHLIBDIR) -- ln -sf --relative $(SHLIBDIR)/$(LIBSO) $(LIBDIR)/$(TARGET) +- $(LN) -sf --relative $(SHLIBDIR)/$(LIBSO) $(LIBDIR)/$(TARGET) + cd $(LIBDIR) && ln -sf ../../`basename $(SHLIBDIR)`/$(LIBSO) $(TARGET) endif relabel: +-- +2.13.6 + diff --git a/package/libsepol/libsepol.hash b/package/libsepol/libsepol.hash index 6c705067a2..08e2bf97a4 100644 --- a/package/libsepol/libsepol.hash +++ b/package/libsepol/libsepol.hash 
@@ -1,2 +1,2 @@ -# From https://github.com/SELinuxProject/selinux/wiki/Releases -sha256 d856d6506054f52abeaa3543ea2f2344595a3dc05d0d873ed7f724f7a16b1874 libsepol-2.6.tar.gz +# From: https://github.com/SELinuxProject/selinux/wiki/Releases +sha256 d69d3bd8ec901a3bd5adf2be2fb47fb1a685ed73066ab482e7e505371a48f9e7 libsepol-2.7.tar.gz diff --git a/package/libsepol/libsepol.mk b/package/libsepol/libsepol.mk index 21ca419c74..c54c3bfc42 100644 --- a/package/libsepol/libsepol.mk +++ b/package/libsepol/libsepol.mk @@ -4,8 +4,8 @@ # ################################################################################ -LIBSEPOL_VERSION = 2.6 -LIBSEPOL_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014 +LIBSEPOL_VERSION = 2.7 +LIBSEPOL_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804 LIBSEPOL_LICENSE = LGPL-2.1+ LIBSEPOL_LICENSE_FILES = COPYING diff --git a/package/setools/0001-cross-compile-fixes.patch b/package/setools/0001-cross-compile-fixes.patch deleted file mode 100644 index 1a4af0ce31..0000000000 --- a/package/setools/0001-cross-compile-fixes.patch +++ /dev/null 
@@ -1,125 +0,0 @@ -Correct build issues to enable cross compiling. These changes require the -package to be auto reconfigured. - -These updates were not upsteamed as the 3.3.x version has stablized and they -were only taking bug fixes. Also the 4.0 preview has completely reworked -the build infrastructure which will require this to be revisited. - -Signed-off-by Clayton Shotwell - -diff -urN a/configure.ac b/configure.ac ---- a/configure.ac 2013-01-16 10:36:24.000000000 -0600 -+++ b/configure.ac 2013-07-12 08:22:10.380255248 -0500 -@@ -448,8 +448,9 @@ - sepol_srcdir="") - if test "x${sepol_srcdir}" = "x"; then - sepol_srcdir=${sepol_devel_libdir} -- AC_CHECK_FILE([${sepol_srcdir}/libsepol.a],, -- AC_MSG_ERROR([make sure libsepol-static is installed])) -+ if test ! -f ${sepol_srcdir}/libsepol.a; then -+ AC_MSG_ERROR([could not find precompiled libsepol.a]) -+ fi - else - AC_MSG_CHECKING([for compatible sepol source tree]) - sepol_version=${sepol_srcdir}/VERSION -@@ -484,8 +485,9 @@ - AC_CHECK_HEADER([sepol/policydb/policydb.h], , AC_MSG_ERROR([could not find sepol source tree])) - CFLAGS="${sepol_src_save_CFLAGS}" - CPPFLAGS="${sepol_src_save_CPPFLAGS}" -- AC_CHECK_FILE([${sepol_srcdir}/libsepol.a],, -- AC_MSG_ERROR([could not find precompiled libsepol.a])) -+ if test ! 
-f ${sepol_srcdir}/libsepol.a; then -+ AC_MSG_ERROR([could not find precompiled libsepol.a]) -+ fi - sepol_devel_incdir="${sepol_srcdir}/../include" - fi - SELINUX_CFLAGS="-I${sepol_devel_incdir} -I${selinux_devel_incdir}" -@@ -578,12 +580,13 @@ - [AC_LANG_SOURCE([ - #include - int main () { -- return expand_module_avrules(NULL, NULL, NULL, NULL, NULL, 0, 0); -+ return expand_module_avrules(NULL, NULL, NULL, NULL, NULL, 0, 0, 0, 0); - }])], - AC_MSG_RESULT([yes]), - AC_MSG_ERROR([this version of libsepol is incompatible with SETools])) - fi - sepol_new_expand_boolmap="yes" -+ sepol_new_user_role_mapping="yes" - else - sepol_new_expand_boolmap="no" - fi -@@ -607,7 +610,8 @@ - exit(EXIT_FAILURE); - }])], - sepol_policy_version_max=`cat conftest.data`, -- AC_MSG_FAILURE([could not determine maximum libsepol policy version])) -+ AC_MSG_FAILURE([could not determine maximum libsepol policy version]), -+ sepol_policy_version_max="26") - AC_DEFINE_UNQUOTED(SEPOL_POLICY_VERSION_MAX, ${sepol_policy_version_max}, [maximum policy version supported by libsepol]) - CFLAGS="${sepol_save_CFLAGS}" - CPPFLAGS="${sepol_save_CPPFLAGS}" -@@ -631,7 +635,7 @@ - changequote([,])dnl - selinux_save_CFLAGS="${CFLAGS}" - CFLAGS="${SELINUX_CFLAGS} ${SELINUX_LIB_FLAG} -lselinux -lsepol ${CFLAGS}" -- gcc ${CFLAGS} -o conftest conftest.c >&5 -+ ${CC} ${CFLAGS} -o conftest conftest.c >&5 - selinux_policy_dir=`./conftest` - AC_MSG_RESULT(${selinux_policy_dir}) - CFLAGS="${selinux_save_CFLAGS}" -diff -urN a/libqpol/src/policy_define.c b/libqpol/src/policy_define.c ---- a/libqpol/src/policy_define.c 2013-01-16 10:36:24.000000000 -0600 -+++ b/libqpol/src/policy_define.c 2013-07-12 08:22:10.380255248 -0500 -@@ -2135,7 +2135,7 @@ - #ifdef HAVE_SEPOL_ROLE_ATTRS - if (role_set_expand(&roles, &e_roles, policydbp, NULL, NULL)) - #elif HAVE_SEPOL_USER_ROLE_MAPPING -- if (role_set_expand(&roles, &e_roles, policydbp, NULL)) -+ if (role_set_expand(&roles, &e_roles, policydbp, NULL, NULL)) - #else - if 
(role_set_expand(&roles, &e_roles, policydbp)) - #endif -diff -urN a/m4/ac_python_devel.m4 b/m4/ac_python_devel.m4 ---- a/m4/ac_python_devel.m4 2013-01-16 10:36:22.000000000 -0600 -+++ b/m4/ac_python_devel.m4 2013-07-12 08:22:10.380255248 -0500 -@@ -234,7 +234,7 @@ - AC_MSG_CHECKING([consistency of all components of python development environment]) - AC_LANG_PUSH([C]) - # save current global flags -- LIBS="$ac_save_LIBS $PYTHON_LDFLAGS" -+ LIBS="$ac_save_LIBS $PYTHON_EXTRA_LIBS $PYTHON_LDFLAGS" - CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS" - AC_TRY_LINK([ - #include -diff -urN a/python/setools/Makefile.am b/python/setools/Makefile.am ---- a/python/setools/Makefile.am 2013-01-16 10:36:22.000000000 -0600 -+++ b/python/setools/Makefile.am 2013-07-12 08:22:19.200251011 -0500 -@@ -22,13 +22,13 @@ - python-build: sesearch.c seinfo.c - @mkdir -p setools - @cp __init__.py setools -- LIBS="$(QPOL_LIB_FLAG) $(APOL_LIB_FLAG)" INCLUDES="$(QPOL_CFLAGS) $(APOL_CFLAGS)" $(PYTHON) setup.py build -+ LIBS="$(QPOL_LIB_FLAG) $(APOL_LIB_FLAG)" LIBDIRS="$(PYTHON_LDFLAGS)" INCLUDES="$(PYTHON_CPPFLAGS) $(QPOL_CFLAGS) $(APOL_CFLAGS)" CC="$(CC)" CFLAGS="$(CFLAGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(LDFLAGS)" $(PYTHON) setup.py build_ext - - install-exec-hook: -- $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)` -+ $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --prefix=$(DESTDIR)/usr` - - uninstall-hook: -- $(PYTHON) setup.py uninstall `test -n "$(DESTDIR)" && echo --root $(DESTDIR)` -+ $(PYTHON) setup.py uninstall `test -n "$(DESTDIR)" && echo --prefix=$(DESTDIR)/usr` - - clean-local: - $(PYTHON) setup.py clean -a ---- a/python/setools/setup.py 2013-01-16 10:36:22.000000000 -0600 -+++ b/python/setools/setup.py 2013-09-04 09:17:48.452916991 -0500 -@@ -8,7 +8,7 @@ - try: - inc=os.getenv("INCLUDES").split(" ") - INCLUDES=map(lambda x: x[2:], inc) -- LIBDIRS=map(lambda x: "/".join(x.split("/")[:-1]), os.getenv("LIBS").split()) -+ LIBDIRS=map(lambda x: 
"/".join(x.split("/")[:-1]), os.getenv("LIBS").split()) + map(lambda x: x[2:], os.getenv("LIBDIRS").split()) - except: - INCLUDES="" - LIBDIRS="" diff --git a/package/setools/0001-remove-werror-flag-from-setup.patch b/package/setools/0001-remove-werror-flag-from-setup.patch new file mode 100644 index 0000000000..b1446e2ec3 --- /dev/null +++ b/package/setools/0001-remove-werror-flag-from-setup.patch @@ -0,0 +1,29 @@ +From b2fe84bfd00117d4897f1f2e8f83d3410eb188b8 Mon Sep 17 00:00:00 2001 +From: Adam Duskett +Date: Thu, 12 Oct 2017 22:04:58 -0400 +Subject: [PATCH] remove werror flag from setup + +Compilers older than gcc6 will generate uninitialized variable warnings which +will cause compiling to fail. + +Signed-off-by: Adam Duskett +--- + setup.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/setup.py b/setup.py +index 2ca44c9..9319bf6 100644 +--- a/setup.py ++++ b/setup.py +@@ -146,7 +146,7 @@ ext_py_mods = [Extension('setools.policyrep._qpol', + 'libqpol/policy_scan.c', + 'libqpol/xen_query.c'], + include_dirs=include_dirs, +- extra_compile_args=['-Werror', '-Wextra', ++ extra_compile_args=['-Wextra', + '-Waggregate-return', + '-Wfloat-equal', + '-Wformat', '-Wformat=2', +-- +2.13.6 + diff --git a/package/setools/0002-Do-not-export-use-setools.InfoFlowAnalysis-and-setoo.patch b/package/setools/0002-Do-not-export-use-setools.InfoFlowAnalysis-and-setoo.patch new file mode 100644 index 0000000000..1ef1cd69bc --- /dev/null +++ b/package/setools/0002-Do-not-export-use-setools.InfoFlowAnalysis-and-setoo.patch 
@@ -0,0 +1,142 @@ +From 2512c3ba608077db3a5e0286b976fadc8a04a5c4 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Thu, 23 Feb 2017 08:17:07 +0100 +Subject: [PATCH] Do not export/use setools.InfoFlowAnalysis and + setools.DomainTransitionAnalysis + +dta and infoflow modules require networkx which brings lot of dependencies. +These dependencies are not necessary for setools module itself as it's +used in policycoreutils. + +Therefore it's better to use setools.infoflow.InfoFlowAnalysis and +setools.dta.DomainTransitionAnalysis and let the package containing +sedta and seinfoflow to require python3-networkx + +Signed-off-by: Adam Duskett +--- + sedta | 3 ++- + seinfoflow | 3 ++- + setools/__init__.py | 4 ++-- + setoolsgui/apol/dta.py | 2 +- + setoolsgui/apol/infoflow.py | 2 +- + tests/dta.py | 3 ++- + tests/infoflow.py | 3 ++- + 7 files changed, 12 insertions(+), 8 deletions(-) + +diff --git a/sedta b/sedta +index 1c76ebb..255ad49 100755 +--- a/sedta ++++ b/sedta +@@ -23,6 +23,7 @@ import argparse + import logging + + import setools ++import setools.dta + + + def print_transition(trans): +@@ -111,7 +112,7 @@ else: + + try: + p = setools.SELinuxPolicy(args.policy) +- g = setools.DomainTransitionAnalysis(p, reverse=args.reverse, exclude=args.exclude) ++ g = setools.dta.DomainTransitionAnalysis(p, reverse=args.reverse, exclude=args.exclude) + + if args.shortest_path or args.all_paths: + if args.shortest_path: +diff --git a/seinfoflow b/seinfoflow +index b287921..d53bdef 100755 +--- a/seinfoflow ++++ b/seinfoflow +@@ -19,6 +19,7 @@ + + from __future__ import print_function + import setools ++import setools.infoflow + import argparse + import sys + import logging +@@ -79,7 +80,7 @@ else: + try: + p = setools.SELinuxPolicy(args.policy) + m = setools.PermissionMap(args.map) +- g = setools.InfoFlowAnalysis(p, m, min_weight=args.min_weight, exclude=args.exclude) ++ g = setools.infoflow.InfoFlowAnalysis(p, m, min_weight=args.min_weight, exclude=args.exclude) + + if 
args.shortest_path or args.all_paths: + if args.shortest_path: +diff --git a/setools/__init__.py b/setools/__init__.py +index a84c846..a53c5a7 100644 +--- a/setools/__init__.py ++++ b/setools/__init__.py +@@ -74,11 +74,11 @@ from .pcideviceconquery import PcideviceconQuery + from .devicetreeconquery import DevicetreeconQuery + + # Information Flow Analysis +-from .infoflow import InfoFlowAnalysis ++# from .infoflow import InfoFlowAnalysis + from .permmap import PermissionMap + + # Domain Transition Analysis +-from .dta import DomainTransitionAnalysis ++# from .dta import DomainTransitionAnalysis + + # Policy difference + from .diff import PolicyDifference +diff --git a/setoolsgui/apol/dta.py b/setoolsgui/apol/dta.py +index 0aaf13f..5b1ea20 100644 +--- a/setoolsgui/apol/dta.py ++++ b/setoolsgui/apol/dta.py +@@ -23,7 +23,7 @@ from PyQt5.QtCore import pyqtSignal, Qt, QStringListModel, QThread + from PyQt5.QtGui import QPalette, QTextCursor + from PyQt5.QtWidgets import QCompleter, QHeaderView, QMessageBox, QProgressDialog, \ + QTreeWidgetItem +-from setools import DomainTransitionAnalysis ++from setools.dta import DomainTransitionAnalysis + + from ..logtosignal import LogHandlerToSignal + from .analysistab import AnalysisTab +diff --git a/setoolsgui/apol/infoflow.py b/setoolsgui/apol/infoflow.py +index 1ae16de..fdf8f7b 100644 +--- a/setoolsgui/apol/infoflow.py ++++ b/setoolsgui/apol/infoflow.py +@@ -25,7 +25,7 @@ from PyQt5.QtCore import pyqtSignal, Qt, QStringListModel, QThread + from PyQt5.QtGui import QPalette, QTextCursor + from PyQt5.QtWidgets import QCompleter, QHeaderView, QMessageBox, QProgressDialog, \ + QTreeWidgetItem +-from setools import InfoFlowAnalysis ++from setools.infoflow import InfoFlowAnalysis + from setools.exception import UnmappedClass, UnmappedPermission + + from ..logtosignal import LogHandlerToSignal +diff --git a/tests/dta.py b/tests/dta.py +index 32b9271..2bdd052 100644 +--- a/tests/dta.py ++++ b/tests/dta.py +@@ -17,7 +17,8 @@ + # + 
import unittest + +-from setools import SELinuxPolicy, DomainTransitionAnalysis ++from setools import SELinuxPolicy ++from setools.dta import DomainTransitionAnalysis + from setools import TERuletype as TERT + from setools.policyrep.exception import InvalidType + from setools.policyrep.typeattr import Type +diff --git a/tests/infoflow.py b/tests/infoflow.py +index 7751dda..a21c683 100644 +--- a/tests/infoflow.py ++++ b/tests/infoflow.py +@@ -17,7 +17,8 @@ + # + import unittest + +-from setools import SELinuxPolicy, InfoFlowAnalysis ++from setools import SELinuxPolicy ++from setools.infoflow import InfoFlowAnalysis + from setools import TERuletype as TERT + from setools.permmap import PermissionMap + from setools.policyrep.exception import InvalidType +-- +2.9.3 + diff --git a/package/setools/0002-move-python-check.patch b/package/setools/0002-move-python-check.patch deleted file mode 100644 index cef2cec996..0000000000 --- a/package/setools/0002-move-python-check.patch +++ /dev/null @@ -1,25 +0,0 @@ -Correct a build issue that occurs when python is not found -in the path. This check should only be done if swig-python -option is selected. - -Signed-off-by Clayton Shotwell - ---- a/configure.ac 2015-05-15 12:28:07.566060349 -0500 -+++ b/configure.ac 2015-05-28 15:07:25.357072800 -0500 -@@ -217,8 +217,6 @@ - do_swigify=yes - fi - --AM_PATH_PYTHON(2.7) -- - AC_ARG_ENABLE(swig-python, - AC_HELP_STRING([--enable-swig-python], - [build SWIG interfaces for Python]), -@@ -227,6 +225,7 @@ - if test ${do_swigify} = no; then - AC_PROG_SWIG(2.0.0) - fi -+ AM_PATH_PYTHON(2.7) - SWIG_PYTHON - do_swigify_python=yes - do_swigify=yes diff --git a/package/setools/0003-setools-Update-for-2015-02-02-Userspace-release.patch b/package/setools/0003-setools-Update-for-2015-02-02-Userspace-release.patch deleted file mode 100644 index b0842d961a..0000000000 --- a/package/setools/0003-setools-Update-for-2015-02-02-Userspace-release.patch +++ /dev/null 
@@ -1,90 +0,0 @@ -setools: Add patch to support 2.4 toolstack. -Signed-off-by: Philip Tricca -Signed-off-by: Joe MacDonald -URL: https://github.com/flihp/meta-selinux/commit/e09eaef7a9acb552a4a5e1f90117154ae06b6fda - -Signed-off-by: Adam Duskett - -diff --git a/libqpol/src/policy_define.c b/libqpol/src/policy_define.c -index fad6b60..231962f 100644 ---- a/libqpol/src/policy_define.c -+++ b/libqpol/src/policy_define.c -@@ -1449,7 +1449,7 @@ int define_compute_type_helper(int which, avrule_t ** rule) - return -1; - } - class_perm_node_init(perm); -- perm->class = i + 1; -+ perm->tclass = i + 1; - perm->data = datum->s.value; - perm->next = avrule->perms; - avrule->perms = perm; -@@ -1699,7 +1699,7 @@ int define_te_avtab_helper(int which, avrule_t ** rule) - goto out; - } - class_perm_node_init(cur_perms); -- cur_perms->class = i + 1; -+ cur_perms->tclass = i + 1; - if (!perms) - perms = cur_perms; - if (tail) -diff --git a/libqpol/src/policy_extend.c b/libqpol/src/policy_extend.c -index 5325a87..1417271 100644 ---- a/libqpol/src/policy_extend.c -+++ b/libqpol/src/policy_extend.c -@@ -843,7 +843,7 @@ static int qpol_syn_rule_table_insert_sepol_avrule(qpol_policy_t * policy, qpol_ - for (class_node = rule->perms; class_node; class_node = class_node->next) { - key.rule_type = rule->specified; - key.source_val = key.target_val = i + 1; -- key.class_val = class_node->class; -+ key.class_val = class_node->tclass; - key.cond = cond; - if (qpol_syn_rule_table_insert_entry(policy, table, &key, new_rule)) - goto err; -@@ -856,7 +856,7 @@ static int qpol_syn_rule_table_insert_sepol_avrule(qpol_policy_t * policy, qpol_ - key.rule_type = rule->specified; - key.source_val = i + 1; - key.target_val = j + 1; -- key.class_val = class_node->class; -+ key.class_val = class_node->tclass; - key.cond = cond; - if (qpol_syn_rule_table_insert_entry(policy, table, &key, new_rule)) - goto err; -diff --git a/libqpol/src/syn_rule_query.c b/libqpol/src/syn_rule_query.c -index 3e63204..d7578f1 
100644 ---- a/libqpol/src/syn_rule_query.c -+++ b/libqpol/src/syn_rule_query.c -@@ -67,7 +67,7 @@ static void *syn_rule_class_state_get_cur(const qpol_iterator_t * iter) - return NULL; - } - -- return db->class_val_to_struct[srcs->cur->class - 1]; -+ return db->class_val_to_struct[srcs->cur->tclass - 1]; - } - - static int syn_rule_class_state_next(qpol_iterator_t * iter) -@@ -465,10 +465,10 @@ int qpol_syn_avrule_get_perm_iter(const qpol_policy_t * policy, const qpol_syn_a - } - - for (node = internal_rule->perms; node; node = node->next) { -- for (i = 0; i < db->class_val_to_struct[node->class - 1]->permissions.nprim; i++) { -+ for (i = 0; i < db->class_val_to_struct[node->tclass - 1]->permissions.nprim; i++) { - if (!(node->data & (1 << i))) - continue; -- tmp = sepol_av_to_string(db, node->class, (sepol_access_vector_t) (1 << i)); -+ tmp = sepol_av_to_string(db, node->tclass, (sepol_access_vector_t) (1 << i)); - if (tmp) { - tmp++; /* remove prepended space */ - for (cur = 0; cur < perm_list_sz; cur++) -diff --git a/secmds/replcon.cc b/secmds/replcon.cc -index 34f7c1a..307c39f 100644 ---- a/secmds/replcon.cc -+++ b/secmds/replcon.cc -@@ -60,7 +60,7 @@ static struct option const longopts[] = { - {NULL, 0, NULL, 0} - }; - --extern int lsetfilecon_raw(const char *, security_context_t) __attribute__ ((weak)); -+extern int lsetfilecon_raw(const char *, const char *) __attribute__ ((weak)); - - /** - * As that setools must work with older libselinux versions that may diff --git a/package/setools/Config.in b/package/setools/Config.in index d7b119ffc6..ae0c45fe3f 100644 --- a/package/setools/Config.in +++ b/package/setools/Config.in 
@@ -1,36 +1,27 @@ config BR2_PACKAGE_SETOOLS bool "setools" - depends on BR2_TOOLCHAIN_HAS_THREADS + depends on !BR2_arc # arc: libselinux not available depends on !BR2_STATIC_LIBS - depends on BR2_INSTALL_LIBSTDCPP + depends on BR2_TOOLCHAIN_HAS_THREADS depends on BR2_USE_WCHAR depends on BR2_TOOLCHAIN_USES_GLIBC # libselinux - # bfin: infamous _ symbol prefix issue - # nios2: triggers some toolchain issue "No symbol version - # section for versioned symbol" - # arc: libselinux not available - depends on !BR2_nios2 && !BR2_bfin && !BR2_arc + depends on BR2_USE_MMU + select BR2_PACKAGE_PYTHON3 if !BR2_PACKAGE_PYTHON + select BR2_PACKAGE_PYTHON_ENUM34 if !BR2_PACKAGE_PYTHON3 + select BR2_PACKAGE_PYTHON_SETUPTOOLS select BR2_PACKAGE_LIBSELINUX - select BR2_PACKAGE_SQLITE - select BR2_PACKAGE_LIBXML2 - select BR2_PACKAGE_BZIP2 help SETools is an open source project designed to facilitate SELinux policy analysis. The primary tools are: - * apol - analyze a SELinux policy. - * seaudit - analyze audit messages from SELinux. - * seaudit-report - generate highly-customized audit log - reports. - * sechecker - command line tool for performing modular - checks on an SELinux policy. + * apol - analyze a SELinux policy. (requires python-qt5) * sediff - semantic policy difference tool for SELinux. - * secmds - command-line tools to analyze and search SELinux - policy. + * sedta - Perform domain transition analyses + * sesearch - Search rules (allow, type_transition, etc.) 
- https://github.com/TresysTechnology/setools3/wiki + https://github.com/TresysTechnology/setools comment "setools needs a glibc toolchain w/ threads, C++, wchar, dynamic library" - depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_STATIC_LIBS \ - || !BR2_USE_WCHAR || !BR2_INSTALL_LIBSTDCPP \ - || !BR2_TOOLCHAIN_USES_GLIBC - depends on !BR2_nios2 && !BR2_bfin && !BR2_arc + depends on BR2_USE_MMU && !BR2_arc + depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_STATIC_LIBS || \ + !BR2_USE_WCHAR || !BR2_TOOLCHAIN_USES_GLIBC || \ + !BR2_INSTALL_LIBSTDCPP diff --git a/package/setools/setools.hash b/package/setools/setools.hash index d422e6607b..8729297064 100644 --- a/package/setools/setools.hash +++ b/package/setools/setools.hash @@ -1,4 +1,7 @@ # From https://github.com/TresysTechnology/setools3/wiki/Download -md5 d68d0d4e4da0f01da0f208782ff04b91 setools-3.3.8.tar.bz2 +md5 d68d0d4e4da0f01da0f208782ff04b91 setools-4.1.1.tar.bz2 # Locally computed -sha256 44387ecc9a231ec536a937783440cd8960a72c51f14bffc1604b7525e341e999 setools-3.3.8.tar.bz2 +sha256 46a927ea2b163cbe1d35cc35da43e45853e13720c7e02d4cf75a498783c19610 setools-4.1.1.tar.gz +sha256 2f7547e10f76a382c24c053595f38a5cc6dda9347f508f254ca490e0046a9624 COPYING +sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING.GPL +sha256 dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551 COPYING.LGPL diff --git a/package/setools/setools.mk b/package/setools/setools.mk index d2e9f05998..80d58235d3 100644 --- a/package/setools/setools.mk +++ b/package/setools/setools.mk 
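Review bot: The `comment` entry still advertises a C++ requirement and keeps `!BR2_INSTALL_LIBSTDCPP` in its `depends on`, but the new `config BR2_PACKAGE_SETOOLS` block no longer has `depends on BR2_INSTALL_LIBSTDCPP`. On a toolchain without C++ the option and the "needs ... C++" comment would then both be shown. Either restore `depends on BR2_INSTALL_LIBSTDCPP`, or drop `C++` and the `!BR2_INSTALL_LIBSTDCPP` term from the comment, whichever matches what 4.1.1 actually needs. The help text also lists sedta as a primary tool, although setools.mk in this same commit removes `sedta` from the target.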
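Review bot: The `md5` line kept in the new hash file still carries the 3.3.8 digest `d68d0d4e4da0f01da0f208782ff04b91` and names `setools-4.1.1.tar.bz2`, while the only archive with a sha256 entry is `setools-4.1.1.tar.gz`. The md5 entry therefore appears to describe a file this package no longer downloads, so it verifies nothing while reading as if it did. Dropping it leaves the sha256 as the single integrity check for the tarball. The `# From https://github.com/TresysTechnology/setools3/wiki/Download` header is likewise left over from the old source, now that setools.mk fetches through the `github` helper.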
@@ -4,81 +4,67 @@ # ################################################################################ -SETOOLS_VERSION = 3.3.8 -SETOOLS_SOURCE = setools-$(SETOOLS_VERSION).tar.bz2 -SETOOLS_SITE = https://raw.githubusercontent.com/wiki/TresysTechnology/setools3/files/dists/setools-$(SETOOLS_VERSION) -SETOOLS_DEPENDENCIES = libselinux libsepol sqlite libxml2 bzip2 host-bison host-flex +SETOOLS_VERSION = 4.1.1 +SETOOLS_SITE = $(call github,TresysTechnology,setools,$(SETOOLS_VERSION)) +SETOOLS_DEPENDENCIES = libselinux libsepol python-setuptools host-bison host-flex host-swig SETOOLS_INSTALL_STAGING = YES SETOOLS_LICENSE = GPL-2.0+, LGPL-2.1+ SETOOLS_LICENSE_FILES = COPYING COPYING.GPL COPYING.LGPL +SETOOLS_SETUP_TYPE = setuptools +HOST_SETOOLS_DEPENDENCIES = host-libselinux host-libsepol -# configure.ac is patched by the cross compile patch, -# so autoreconf is necessary -SETOOLS_AUTORECONF = YES - -# Notes: Need "disable-selinux-check" so the configure does not check to see -# if host has selinux enabled. 
-# No python support as only the libraries and commandline tools are -# installed on target -SETOOLS_CONF_OPTS = \ - --disable-debug \ - --disable-gui \ - --disable-bwidget-check \ - --disable-selinux-check \ - --disable-swig-java \ - --disable-swig-python \ - --disable-swig-tcl \ - --with-sepol-devel="$(STAGING_DIR)/usr" \ - --with-selinux-devel="$(STAGING_DIR)/usr" - -ifeq ($(BR2_sparc64):$(BR2_STATIC_LIBS),y:) -SETOOLS_CONF_ENV += CFLAGS="$(TARGET_CFLAGS) -fPIC" -endif - -HOST_SETOOLS_DEPENDENCIES = host-libselinux host-libsepol host-sqlite \ - host-libxml2 host-bzip2 host-bison ifeq ($(BR2_PACKAGE_PYTHON3),y) -HOST_SETOOLS_PYTHON_VERSION=$(PYTHON3_VERSION_MAJOR) -HOST_SETOOLS_DEPENDENCIES += host-python3 -HOST_SETOOLS_CONF_ENV += am_cv_python_version=$(PYTHON3_VERSION) +SETOOLS_PYLIBVER = python$(PYTHON3_VERSION_MAJOR) else -HOST_SETOOLS_PYTHON_VERSION=$(PYTHON_VERSION_MAJOR) -HOST_SETOOLS_DEPENDENCIES += host-python -HOST_SETOOLS_CONF_ENV += am_cv_python_version=$(PYTHON_VERSION) +SETOOLS_PYLIBVER = python$(PYTHON_VERSION_MAJOR) +SETOOLS_DEPENDENCIES += python-enum34 endif -HOST_SETOOLS_PYTHON_SITE_PACKAGES = $(HOST_DIR)/lib/python$(HOST_SETOOLS_PYTHON_VERSION)/site-packages -HOST_SETOOLS_PYTHON_INCLUDES = $(HOST_DIR)/include/python$(HOST_SETOOLS_PYTHON_VERSION) -HOST_SETOOLS_PYTHON_LIB = -lpython$(HOST_SETOOLS_PYTHON_VERSION) +define SETOOLS_FIX_SETUP + # By default, setup.py will look for libsepol.a in the host machines + # /usr/lib directory. This needs to be changed to the staging directory. + $(SED) "s@base_lib_dirs =.*@base_lib_dirs = ['$(STAGING_DIR)/lib']@g" \ + $(@D)/setup.py +endef +SETOOLS_POST_PATCH_HOOKS += SETOOLS_FIX_SETUP -# Notes: Need "disable-selinux-check" so the configure does not check to see -# if host has selinux enabled. 
-# Host builds with python support to enable tools for offline target -# policy analysis -HOST_SETOOLS_CONF_OPTS = \ - --disable-debug \ - --disable-gui \ - --disable-bwidget-check \ - --disable-selinux-check \ - --disable-swig-java \ - --disable-swig-python \ - --disable-swig-tcl \ - --with-sepol-devel="$(HOST_DIR)" \ - --with-selinux-devel="$(HOST_DIR)" \ - PYTHON_LDFLAGS="-L$(HOST_DIR)/lib/" \ - PYTHON_CPPFLAGS="-I$(HOST_SETOOLS_PYTHON_INCLUDES)" \ - PYTHON_SITE_PKG="$(HOST_SETOOLS_PYTHON_SITE_PACKAGES)" \ - PYTHON_EXTRA_LIBS="-lpthread -ldl -lutil $(HOST_SETOOLS_PYTHON_LIB)" +define HOST_SETOOLS_FIX_SETUP + # By default, setup.py will look for libsepol.a in the host machines + # /usr/lib directory. This needs to be changed to the host directory. + $(SED) "s@base_lib_dirs =.*@base_lib_dirs = ['$(HOST_DIR)/lib']@g" \ + $(@D)/setup.py +endef +HOST_SETOOLS_POST_PATCH_HOOKS += HOST_SETOOLS_FIX_SETUP -HOST_SETOOLS_CONF_ENV += \ - am_cv_pathless_PYTHON=python \ - ac_cv_path_PYTHON=$(HOST_DIR)/bin/python \ - am_cv_python_platform=linux2 \ - am_cv_python_version=$(HOST_SETOOLS_PYTHON_VERSION) \ - am_cv_python_pythondir=$(HOST_SETOOLS_PYTHON_SITE_PACKAGES) \ - am_cv_python_pyexecdir=$(HOST_SETOOLS_PYTHON_SITE_PACKAGES) \ - am_cv_python_includes=-I$(HOST_SETOOLS_PYTHON_INCLUDES) +# sedta and seinfoflow depend on python-networkx. This package is not +# available in buildroot. +define SETOOLS_REMOVE_BROKEN_SCRIPTS + $(RM) $(TARGET_DIR)/usr/bin/sedta + $(RM) $(TARGET_DIR)/usr/bin/seinfoflow +endef +SETOOLS_POST_INSTALL_TARGET_HOOKS += SETOOLS_REMOVE_BROKEN_SCRIPTS -$(eval $(autotools-package)) -$(eval $(host-autotools-package)) +# apol requires pyqt5. However, the setools installation +# process will install apol even if pyqt5 is missing. +# Remove these scripts from the target it pyqt5 is not selected. 
+ifeq ($(BR2_PACKAGE_PYTHON_PYQT5),) +define SETOOLS_REMOVE_QT_SCRIPTS + $(RM) $(TARGET_DIR)/usr/bin/apol + $(RM) -r $(TARGET_DIR)/lib/$(SETOOLS_PYLIBVER)/site-packages/setoolsgui/ +endef +SETOOLS_POST_INSTALL_TARGET_HOOKS += SETOOLS_REMOVE_QT_SCRIPTS +endif + +# sedta and seinfoflow depend on python-networkx. This package is not +# available in buildroot. pyqt5 is not a host-package, remove apol +# from the host directory as well. +define HOST_SETOOLS_REMOVE_BROKEN_SCRIPTS + $(RM) $(HOST_DIR)/bin/sedta + $(RM) $(HOST_DIR)/bin/seinfoflow + $(RM) $(HOST_DIR)/bin/apol +endef +HOST_SETOOLS_POST_INSTALL_HOOKS += HOST_SETOOLS_REMOVE_BROKEN_SCRIPTS + +$(eval $(python-package)) +$(eval $(host-python-package))
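Review bot: The `$(SED)` in `SETOOLS_FIX_SETUP` exits successfully even when `base_lib_dirs =` no longer appears in setup.py, in which case the build would quietly keep the host library directories that the hook's own comment warns about. Following it with a check such as `grep -qF "$(STAGING_DIR)/lib" $(@D)/setup.py` turns a non-matching pattern into a build failure; the same applies to `HOST_SETOOLS_FIX_SETUP` with `$(HOST_DIR)/lib`. Whether `$(STAGING_DIR)/lib` is where libsepol.a is installed cannot be confirmed from this diff and is worth checking against libsepol's install paths. Separately, `SETOOLS_REMOVE_QT_SCRIPTS` deletes `$(TARGET_DIR)/lib/$(SETOOLS_PYLIBVER)/site-packages/setoolsgui/` while every other target path in the hunk is under `$(TARGET_DIR)/usr`. Unless `/lib` and `/usr/lib` resolve to the same directory, that `$(RM) -r` looks like it leaves the GUI package on the target.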