[yocto] [PATCH][meta-selinux] policycoreutils: enable mcstransd
rongqing.li at windriver.com
rongqing.li at windriver.com
Sun Jan 25 23:38:39 PST 2015
From: Roy Li <rongqing.li at windriver.com>
mcstransd is a daemon that translates SELinux MCS/MLS sensitivity labels.
policycoreutils includes a version of mcstransd that is newer than the one
from http://mcstrans.sourcearchive.com/
Signed-off-by: Roy Li <rongqing.li at windriver.com>
---
recipes-security/selinux/policycoreutils.inc | 82 ++++++++++++++++++++--
.../0001-mcstrans-fix-the-init-script.patch | 27 +++++++
.../selinux/policycoreutils/enable-mcstrans.patch | 17 +++++
recipes-security/selinux/policycoreutils_2.3.bb | 2 +
recipes-security/selinux/policycoreutils_git.bb | 2 +
5 files changed, 126 insertions(+), 4 deletions(-)
create mode 100644 recipes-security/selinux/policycoreutils/0001-mcstrans-fix-the-init-script.patch
create mode 100644 recipes-security/selinux/policycoreutils/enable-mcstrans.patch
diff --git a/recipes-security/selinux/policycoreutils.inc b/recipes-security/selinux/policycoreutils.inc
index 44a5861..fa0b601 100644
--- a/recipes-security/selinux/policycoreutils.inc
+++ b/recipes-security/selinux/policycoreutils.inc
@@ -13,11 +13,14 @@ PAM_SRC_URI = "file://pam.d/newrole \
file://pam.d/run_init \
"
-DEPENDS += "libsepol libselinux libsemanage"
+DEPENDS += "libsepol libselinux libsemanage libcap"
EXTRA_DEPENDS = "libcap-ng libcgroup setools"
DEPENDS += "${@['', '${EXTRA_DEPENDS}']['${PN}' != '${BPN}-native']}"
-inherit selinux
+inherit selinux systemd pythonnative update-rc.d
+
+PROVIDES += "mcstrans"
+
DEPENDS += "${@target_selinux(d, 'libpam audit')}"
RDEPENDS_${BPN}-audit2allow = "\
@@ -113,7 +116,6 @@ RDEPENDS_${BPN} += "setools setools-libs ${BPN}-python"
WARN_QA := "${@oe_filter_out('unsafe-references-in-scripts', '${WARN_QA}', d)}"
ERROR_QA := "${@oe_filter_out('unsafe-references-in-scripts', '${ERROR_QA}', d)}"
-inherit pythonnative
PACKAGES =+ "\
${PN}-audit2allow \
@@ -137,8 +139,31 @@ PACKAGES =+ "\
${PN}-sestatus \
${PN}-setfiles \
${PN}-setsebool \
+ mcstrans \
+ mcstrans-doc \
system-config-selinux \
"
+PKGV_mcstrans = "0.3.2"
+PKGV_mcstrans-doc = "0.3.2"
+SUMMARY_mcstrans = "Daemon to translate SELinux MCS/MLS sensitivity labels"
+DESCRIPTION_mcstrans = "\
+ Security-enhanced Linux is a feature of the Linux kernel and a number \
+ of utilities with enhanced security functionality designed to add \
+ mandatory access controls to Linux. The Security-enhanced Linux \
+ kernel contains new architectural components originally developed to \
+ improve the security of the Flask operating system. These \
+ architectural components provide general support for the enforcement \
+ of many kinds of mandatory access control policies, including those \
+ based on the concepts of Type Enforcement®, Role-based Access \
+ Control, and Multi-level Security. \
+ \
+ mcstrans provides an translation daemon to translate SELinux categories \
+ from internal representations to user defined representation. \
+ "
+SUMMARY_mcstrans-doc = "${SUMMARY_mcstrans} man pages and examples"
+DESCRIPTION_mcstrans-doc = "${DESCRIPTION_mcstrans} \
+ This package contains man pages and examples. \
+ "
FILES_${PN}-audit2allow = "\
${bindir}/audit2allow \
${bindir}/audit2why \
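Review bot: `PKGV_mcstrans = "0.3.2"` and `PKGV_mcstrans-doc = "0.3.2"` are fixed literals in the shared .inc, so both policycoreutils_2.3.bb and policycoreutils_git.bb will label the package 0.3.2 regardless of which mcstrans source they actually build. A package version that can drift from the code makes it harder to match the installed daemon against advisories. I would add a comment such as `# keep in sync with the mcstrans version shipped in the fetched policycoreutils source`, or set the value per recipe. Separately, the description reads `an translation daemon` where `a translation daemon` is meant.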
@@ -208,6 +233,23 @@ FILES_${PN}-setsebool += "\
${sbindir}/setsebool \
${datadir}/bash-completion/completions/setsebool \
"
+FILES_mcstrans = "\
+ ${base_sbindir}/mcstransd \
+ ${sbindir}/untranscon \
+ ${sbindir}/transcon \
+ ${sysconfdir}/init.d/mcstrans \
+ ${systemd_unitdir}/system/mcstrans.service \
+ ${sysconfdir}/default/volatiles/volatiles.80_mcstrans \
+ ${sysconfdir}/tmpfiles.d/setrans.conf \
+"
+
+FILES_mcstrans-doc = "\
+ /usr/share/man/man8/mcstransd.8 \
+ /usr/share/man/man8/mcs.8 \
+ /usr/share/man/man8/setrans.conf.8 \
+ ${datadir}/mcstrans \
+"
+
FILES_system-config-selinux = " \
${bindir}/sepolgen \
${datadir}/system-config-selinux/* \
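Review bot: The three man-page entries in `FILES_mcstrans-doc` hard-code `/usr/share/man/man8/` while every other path in this hunk goes through a variable. With a non-default prefix or mandir those pages would fall out of mcstrans-doc and land in another package or in the installed-but-not-shipped QA check. Write them as `${mandir}/man8/mcstransd.8`, `${mandir}/man8/mcs.8` and `${mandir}/man8/setrans.conf.8`.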
@@ -248,7 +290,24 @@ do_compile_prepend() {
do_install_prepend() {
export PYTHON=python
- export SEMODULE_PATH=${sbindir}
+ export SEMODULE_PATH=${sbindir} SYSTEMDDIR=${D}/${systemd_unitdir}
+}
+
+do_install_append_class-target() {
+ install -m 755 mcstrans/utils/untranscon ${D}${sbindir}/
+ install -m 755 mcstrans/utils/transcon ${D}${sbindir}/
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${sysconfdir}/tmpfiles.d
+ echo "d ${localstatedir}/run/setrans - - - -" \
+ > ${D}${sysconfdir}/tmpfiles.d/setrans.conf
+ else
+ install -d ${D}${sysconfdir}/default/volatiles
+ echo "d root root 0755 /var/run/setrans none" \
+ >${D}${sysconfdir}/default/volatiles/volatiles.80_mcstrans
+ fi
+ install -d ${D}${datadir}/mcstrans
+ cp -r mcstrans/share/* ${D}${datadir}/mcstrans/.
}
do_install_virtclass-native() {
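Review bot: The two branches of `do_install_append_class-target()` describe the same runtime directory differently. The systemd branch writes `d ${localstatedir}/run/setrans - - - -` and leaves mode and owner to the tmpfiles defaults, while the sysvinit branch spells out `root root 0755` on a literal `/var/run/setrans`. Since this directory holds the daemon's runtime state, I would make the permissions explicit and auditable in both, e.g. `echo "d ${localstatedir}/run/setrans 0755 root root -"`, and use `${localstatedir}/run/setrans` in the volatiles line too. A second `do_install_append_class-target()` appears further down the file (it is named in the next hunk header); a short comment saying that both appends apply would save the next reader a search. `do_install_virtclass-native()` at the end of the hunk continues outside it.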
@@ -266,3 +325,18 @@ do_install_append_class-target() {
install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/
fi
}
+
+SYSTEMD_SERVICE_mcstrans = "mcstrans.service"
+INITSCRIPT_PACKAGES = "mcstrans"
+INITSCRIPT_NAME_mcstrans = "mcstrans"
+INITSCRIPT_PARAMS_mcstrans = "defaults"
+
+pkg_postinst_mcstrans () {
+ if [ -z "$D" ]; then
+ if command -v systemd-tmpfiles >/dev/null; then
+ systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/setrans.conf
+ elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
+ ${sysconfdir}/init.d/populate-volatile.sh update
+ fi
+ fi
+}
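Review bot: `SYSTEMD_SERVICE_mcstrans` is set but no `SYSTEMD_PACKAGES` appears in the visible lines, and systemd.bbclass defaults that variable to `${PN}`. The class would then likely act on the main policycoreutils package and never enable `mcstrans.service` for the mcstrans package. Add `SYSTEMD_PACKAGES = "mcstrans"` next to `INITSCRIPT_PACKAGES = "mcstrans"` unless it is already set elsewhere in the recipe. In `pkg_postinst_mcstrans` the branch is chosen by probing for `systemd-tmpfiles` on the target, whereas which config file exists was decided by `DISTRO_FEATURES` at build time; testing `[ -e ${sysconfdir}/tmpfiles.d/setrans.conf ]` instead would keep the two in step. The hunk opens inside an earlier `do_install_append_class-target()` whose start is outside it.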
diff --git a/recipes-security/selinux/policycoreutils/0001-mcstrans-fix-the-init-script.patch b/recipes-security/selinux/policycoreutils/0001-mcstrans-fix-the-init-script.patch
new file mode 100644
index 0000000..39be80a
--- /dev/null
+++ b/recipes-security/selinux/policycoreutils/0001-mcstrans-fix-the-init-script.patch
@@ -0,0 +1,27 @@
+[PATCH] mcstrans: fix the init script
+
+Upstream-Status: Inappropriate [embedded specific]
+
+replace daemon with start-stop-daemon, due to not daemon functions
+
+Signed-off-by: Roy Li <rongqing.li at windriver.com>
+---
+ mcstrans/src/mcstrans.init | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mcstrans/src/mcstrans.init b/mcstrans/src/mcstrans.init
+index 2804ec0..c660290 100644
+--- a/mcstrans/src/mcstrans.init
++++ b/mcstrans/src/mcstrans.init
+@@ -51,7 +51,7 @@ start(){
+ fi
+
+ unset HOME MAIL USER USERNAME
+- daemon $prog "$EXTRAOPTIONS"
++ start-stop-daemon --start --quiet --exec $prog -- "$EXTRAOPTIONS"
+ RETVAL=$?
+ echo
+ if test $RETVAL = 0 ; then
+--
+1.9.1
+
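Review bot: Quoting `"$EXTRAOPTIONS"` after `--` hands mcstransd exactly one argument: an empty string when the variable is unset, or all options glued into one word when it holds several. How the old `daemon` helper treated the string is not visible here, but `start-stop-daemon` passes argv through unchanged, so `start-stop-daemon --start --quiet --exec $prog -- $EXTRAOPTIONS` (deliberately unquoted so it word-splits) is closer to the intent. `--exec` is also normally given the full path of the executable, so confirm that `$prog` is a path rather than a bare name; its assignment is outside the hunk. `start()` itself begins and ends outside the hunk, and the matching stop path is worth checking for the same missing helper functions.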
diff --git a/recipes-security/selinux/policycoreutils/enable-mcstrans.patch b/recipes-security/selinux/policycoreutils/enable-mcstrans.patch
new file mode 100644
index 0000000..e923903
--- /dev/null
+++ b/recipes-security/selinux/policycoreutils/enable-mcstrans.patch
@@ -0,0 +1,17 @@
+Add the "mcstrans" subdir so it gets built too.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Roy Li <rongqing.li at windriver.com>
+diff --git a/Makefile b/Makefile
+index 83ebd45..3ae784f 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,5 +1,7 @@
+ SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui
+
++SUBDIRS += mcstrans
++
+ INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
+
+ ifeq (${INOTIFYH}, /usr/include/sys/inotify.h)
diff --git a/recipes-security/selinux/policycoreutils_2.3.bb b/recipes-security/selinux/policycoreutils_2.3.bb
index 447e6c9..c837266 100644
--- a/recipes-security/selinux/policycoreutils_2.3.bb
+++ b/recipes-security/selinux/policycoreutils_2.3.bb
@@ -13,4 +13,6 @@ SRC_URI += "\
file://policycoreutils-semanage-edit-user.patch \
file://policycoreutils-process-ValueError-for-sepolicy-seobject.patch \
file://policycoreutils-fix-TypeError-for-seobject.py.patch \
+ file://0001-mcstrans-fix-the-init-script.patch \
+ file://enable-mcstrans.patch \
"
diff --git a/recipes-security/selinux/policycoreutils_git.bb b/recipes-security/selinux/policycoreutils_git.bb
index 823edb2..b630797 100644
--- a/recipes-security/selinux/policycoreutils_git.bb
+++ b/recipes-security/selinux/policycoreutils_git.bb
@@ -9,4 +9,6 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
SRC_URI += "\
file://policycoreutils-fix-sepolicy-install-path.patch \
file://policycoreutils-make-O_CLOEXEC-optional.patch \
+ file://0001-mcstrans-fix-the-init-script.patch \
+ file://enable-mcstrans.patch \
"
--
2.1.0