Re: [PATCH v2 08/14] python: build: follow standard semantics for DESTDIR and PREFIX

2018-01-17 Thread Petr Lautrbach
On Tue, Jan 16, 2018 at 09:23:21PM +0100, Marcus Folkesson wrote:
> Signed-off-by: Marcus Folkesson 
> ---
>  python/audit2allow/Makefile   | 10 --
>  python/chcat/Makefile |  8 
>  python/semanage/Makefile  | 13 ++---
>  python/sepolgen/src/sepolgen/Makefile |  3 ++-
>  python/sepolicy/Makefile  | 18 +-
>  5 files changed, 25 insertions(+), 27 deletions(-)
> 
> diff --git a/python/audit2allow/Makefile b/python/audit2allow/Makefile
> index 8db8075f..a73c8c68 100644
> --- a/python/audit2allow/Makefile
> +++ b/python/audit2allow/Makefile
> @@ -1,12 +1,10 @@
>  PYTHON ?= python
>  
>  # Installation directories.
> -PREFIX ?= $(DESTDIR)/usr
> -BINDIR ?= $(PREFIX)/bin
> -LIBDIR ?= $(PREFIX)/lib
> -MANDIR ?= $(PREFIX)/share/man
> -LOCALEDIR ?= /usr/share/locale
> -INCLUDEDIR ?= $(PREFIX)/include
> +PREFIX ?= /usr
> +BINDIR ?= $(DESTDIR)$(PREFIX)/bin
> +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib
> +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man
>  LIBSEPOLA ?= $(LIBDIR)/libsepol.a
>  
>  CFLAGS ?= -Werror -Wall -W
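Review bot: LIBDIR now expands to $(DESTDIR)$(PREFIX)/lib, and the unchanged line `LIBSEPOLA ?= $(LIBDIR)/libsepol.a` inherits it, so a staged build with DESTDIR set and libsepol not yet copied into the staging tree will look for libsepol.a under the build root at link time, which reintroduces the compile-time dependence on DESTDIR that patch 02 of this series sets out to remove. Derive LIBSEPOLA from $(PREFIX)/lib, or let the linker locate the archive through LDFLAGS as the libselinux patch does. The LOCALEDIR and INCLUDEDIR defaults are also dropped without a visible change to the rules that used them; check that nothing below still expands them.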
> diff --git a/python/chcat/Makefile b/python/chcat/Makefile
> index 0fd12d6d..947734a0 100644
> --- a/python/chcat/Makefile
> +++ b/python/chcat/Makefile
> @@ -1,8 +1,8 @@
>  # Installation directories.
> -PREFIX ?= $(DESTDIR)/usr
> -BINDIR ?= $(PREFIX)/bin
> -MANDIR ?= $(PREFIX)/share/man
> -LOCALEDIR ?= $(PREFIX)/share/locale
> +PREFIX ?= /usr
> +BINDIR ?= $(DESTDIR)$(PREFIX)/bin
> +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man
> +LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale
>  
>  .PHONY: all
>  all: chcat
> diff --git a/python/semanage/Makefile b/python/semanage/Makefile
> index 132162bc..70759087 100644
> --- a/python/semanage/Makefile
> +++ b/python/semanage/Makefile
> @@ -1,13 +1,12 @@
>  PYTHON ?= python
>  
>  # Installation directories.
> -PREFIX ?= $(DESTDIR)/usr
> -LIBDIR ?= $(PREFIX)/lib
> -SBINDIR ?= $(PREFIX)/sbin
> -MANDIR = $(PREFIX)/share/man
> -PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; 
> print(get_python_lib(1))")
> -PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)
> -BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions
> +PREFIX ?= /usr
> +SBINDIR ?= $(DESTDIR)$(PREFIX)/sbin
> +MANDIR = $(DESTDIR)$(PREFIX)/share/man
> +PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; 
> print(get_python_lib(prefix='$(PREFIX)'))")
> +PACKAGEDIR ?= $(DESTDIR)$(PYTHONLIBDIR)
> +BASHCOMPLETIONDIR ?= $(DESTDIR)$(PREFIX)/share/bash-completion/completions
>  
>  TARGETS=semanage
>  
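Review bot: the new PYTHONLIBDIR call changes more than the prefix: `get_python_lib(1)` requested the platform-specific site-packages directory, while `get_python_lib(prefix='$(PREFIX)')` leaves plat_specific at its default of 0, so on distributions that split lib and lib64 the package moves between the two. If that relocation is intended it belongs in the commit message; otherwise keep the flag with `get_python_lib(1, prefix='$(PREFIX)')`. LIBDIR is removed here as well; confirm no rule in this Makefile still references it.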
> diff --git a/python/sepolgen/src/sepolgen/Makefile 
> b/python/sepolgen/src/sepolgen/Makefile
> index d3aa7715..2121a955 100644
> --- a/python/sepolgen/src/sepolgen/Makefile
> +++ b/python/sepolgen/src/sepolgen/Makefile
> @@ -1,5 +1,6 @@
> +PREFIX ?= /usr
>  PYTHON ?= python
> -PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; 
> print(get_python_lib(1))")
> +PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; 
> print(get_python_lib(prefix='$(PREFIX)'))")
>  PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)/sepolgen
>  
>  all:
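Review bot: dropping the first argument of get_python_lib() switches plat_specific from 1 to 0 and can move the package from lib64 to lib on multilib distributions; use `get_python_lib(1, prefix='$(PREFIX)')` unless the move is deliberate and documented. PACKAGEDIR also keeps the old `$(DESTDIR)/$(PYTHONLIBDIR)` form with a separator that the rest of the series removes; harmless, since PYTHONLIBDIR is absolute, but inconsistent with the other Makefiles in this patch.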
> diff --git a/python/sepolicy/Makefile b/python/sepolicy/Makefile
> index 5a56e6c8..c528ae43 100644
> --- a/python/sepolicy/Makefile
> +++ b/python/sepolicy/Makefile
> @@ -1,14 +1,14 @@
>  PYTHON ?= python
>  
>  # Installation directories.
> -PREFIX ?= $(DESTDIR)/usr
> -LIBDIR ?= $(PREFIX)/lib
> -BINDIR ?= $(PREFIX)/bin
> -DATADIR ?= $(PREFIX)/share
> -MANDIR ?= $(PREFIX)/share/man
> -LOCALEDIR ?= /usr/share/locale
> -BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions
> -SHAREDIR ?= $(PREFIX)/share/sandbox
> +PREFIX ?= /usr
> +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib
> +BINDIR ?= $(DESTDIR)$(PREFIX)/bin
> +DATADIR ?= $(DESTDIR)$(PREFIX)/share
> +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man
> +LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale
> +BASHCOMPLETIONDIR ?= $(DESTDIR)$(PREFIX)/share/bash-completion/completions
> +SHAREDIR ?= $(DESTDIR)$(PREFIX)/share/sandbox
>  CFLAGS ?= -Wall -Werror -Wextra -W
>  override CFLAGS += -DPACKAGE="policycoreutils" -DSHARED -shared
>  
> @@ -30,7 +30,7 @@ test:
>   @$(PYTHON) test_sepolicy.py -v
>  
>  install:
> - $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root 
> $(DESTDIR)`
> + $(PYTHON) setup.py install --prefix=$(PREFIX) `test -n 
> "$(DESTDIR)$(PREFIX)" && echo --root $(DESTDIR)$(PREFIX)`
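Review bot: `test -n "$(DESTDIR)$(PREFIX)"` can no longer be false because PREFIX now defaults to /usr, so --root is passed on every install, and distutils builds the install location as root + prefix: with --root $(DESTDIR)$(PREFIX) and --prefix=$(PREFIX) the package lands in $(DESTDIR)/usr/usr/lib/... . Test DESTDIR alone and pass `--root $(DESTDIR)` next to `--prefix=$(PREFIX)`; with an empty DESTDIR distutils then installs directly under the prefix.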

--root $(DESTDIR)$(PREFIX) seems to duplicate prefix from --prefix=$(PREFIX)

$ cd python
$ make \
    DESTDIR=/home/build/rpmbuild/BUILDROOT/policycoreutils-2.7-99.fc28.20180117103354.x86_64 \
    LIBSEPOLA=/usr/lib64/libsepol.a install

$ find /home/build/rpmbuild/BUILDROOT/policycoreutils-2.7-99.fc28.20180117103354.x86_64/usr/ -type d -name sepolicy
/home/build/rpmbuild/BUILDROOT/policycoreutils-2.7-99.fc28.20180117103354.x86_64//usr/usr/lib/python2.7/site-packages/sepolicy


>   [ -d $(BINDIR) ] || mkdir -p $(BINDIR)
>   install -m 755 sepolicy.py $(BINDIR)/sepoli
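The doubled usr/usr path in the find output above is easy to miss in a large build root. As an added example (not from this thread or the selinux tree), the POSIX shell function below scans a DESTDIR tree for any path that contains PREFIX twice, the signature of passing --root $(DESTDIR)$(PREFIX) next to --prefix=$(PREFIX). The function name and the build-root layout used in its comments are assumptions; the check itself is just find(1) over the staged tree.

```shell
#!/bin/sh
# check_staged_prefix DESTDIR [PREFIX]
# Scan a staged install tree for paths that contain PREFIX twice, e.g.
# DESTDIR/usr/usr/lib/..., which is what "setup.py install --prefix=PREFIX
# --root DESTDIR/PREFIX" produces because distutils appends the prefix
# under the root.  Prints every offending path.
# Returns 0 for a clean tree, 1 when doubled paths were found,
# 2 when DESTDIR does not exist.
check_staged_prefix() {
    destdir=${1%/}                 # drop one trailing slash so the pattern is predictable
    prefix=${2:-/usr}
    prefix=${prefix%/}
    doubled="$destdir$prefix$prefix/"   # e.g. /build/root/usr/usr/

    if ! [ -d "$destdir" ]; then
        echo "check_staged_prefix: no such directory: $destdir" >&2
        return 2
    fi

    # -path matches against the whole path, so everything below the doubled
    # prefix directory is reported, files and directories alike.
    n=$(find "$destdir" -path "$doubled*" | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        find "$destdir" -path "$doubled*"
        return 1
    fi
    return 0
}
```

Run it against the rpm build root right after `make install`, before the files are packaged: a non-zero exit is a reliable sign that DESTDIR and PREFIX were composed twice somewhere in the Makefiles.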

Re: [PATCH v2 08/14] python: build: follow standard semantics for DESTDIR and PREFIX

2018-01-17 Thread Marcus Folkesson
Hi,

On Wed, Jan 17, 2018 at 11:11:35AM +0100, Petr Lautrbach wrote:
> On Tue, Jan 16, 2018 at 09:23:21PM +0100, Marcus Folkesson wrote:
> > Signed-off-by: Marcus Folkesson 
> > ---
> >  python/audit2allow/Makefile   | 10 --
> >  python/chcat/Makefile |  8 
> >  python/semanage/Makefile  | 13 ++---
> >  python/sepolgen/src/sepolgen/Makefile |  3 ++-
> >  python/sepolicy/Makefile  | 18 +-
> >  5 files changed, 25 insertions(+), 27 deletions(-)
> > 
> > diff --git a/python/audit2allow/Makefile b/python/audit2allow/Makefile
> > index 8db8075f..a73c8c68 100644
> > --- a/python/audit2allow/Makefile
> > +++ b/python/audit2allow/Makefile
> > @@ -1,12 +1,10 @@
> >  PYTHON ?= python
> >  
> >  # Installation directories.
> > -PREFIX ?= $(DESTDIR)/usr
> > -BINDIR ?= $(PREFIX)/bin
> > -LIBDIR ?= $(PREFIX)/lib
> > -MANDIR ?= $(PREFIX)/share/man
> > -LOCALEDIR ?= /usr/share/locale
> > -INCLUDEDIR ?= $(PREFIX)/include
> > +PREFIX ?= /usr
> > +BINDIR ?= $(DESTDIR)$(PREFIX)/bin
> > +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib
> > +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man
> >  LIBSEPOLA ?= $(LIBDIR)/libsepol.a
> >  
> >  CFLAGS ?= -Werror -Wall -W
> > diff --git a/python/chcat/Makefile b/python/chcat/Makefile
> > index 0fd12d6d..947734a0 100644
> > --- a/python/chcat/Makefile
> > +++ b/python/chcat/Makefile
> > @@ -1,8 +1,8 @@
> >  # Installation directories.
> > -PREFIX ?= $(DESTDIR)/usr
> > -BINDIR ?= $(PREFIX)/bin
> > -MANDIR ?= $(PREFIX)/share/man
> > -LOCALEDIR ?= $(PREFIX)/share/locale
> > +PREFIX ?= /usr
> > +BINDIR ?= $(DESTDIR)$(PREFIX)/bin
> > +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man
> > +LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale
> >  
> >  .PHONY: all
> >  all: chcat
> > diff --git a/python/semanage/Makefile b/python/semanage/Makefile
> > index 132162bc..70759087 100644
> > --- a/python/semanage/Makefile
> > +++ b/python/semanage/Makefile
> > @@ -1,13 +1,12 @@
> >  PYTHON ?= python
> >  
> >  # Installation directories.
> > -PREFIX ?= $(DESTDIR)/usr
> > -LIBDIR ?= $(PREFIX)/lib
> > -SBINDIR ?= $(PREFIX)/sbin
> > -MANDIR = $(PREFIX)/share/man
> > -PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; 
> > print(get_python_lib(1))")
> > -PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)
> > -BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions
> > +PREFIX ?= /usr
> > +SBINDIR ?= $(DESTDIR)$(PREFIX)/sbin
> > +MANDIR = $(DESTDIR)$(PREFIX)/share/man
> > +PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; 
> > print(get_python_lib(prefix='$(PREFIX)'))")
> > +PACKAGEDIR ?= $(DESTDIR)$(PYTHONLIBDIR)
> > +BASHCOMPLETIONDIR ?= $(DESTDIR)$(PREFIX)/share/bash-completion/completions
> >  
> >  TARGETS=semanage
> >  
> > diff --git a/python/sepolgen/src/sepolgen/Makefile 
> > b/python/sepolgen/src/sepolgen/Makefile
> > index d3aa7715..2121a955 100644
> > --- a/python/sepolgen/src/sepolgen/Makefile
> > +++ b/python/sepolgen/src/sepolgen/Makefile
> > @@ -1,5 +1,6 @@
> > +PREFIX ?= /usr
> >  PYTHON ?= python
> > -PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; 
> > print(get_python_lib(1))")
> > +PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; 
> > print(get_python_lib(prefix='$(PREFIX)'))")
> >  PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)/sepolgen
> >  
> >  all:
> > diff --git a/python/sepolicy/Makefile b/python/sepolicy/Makefile
> > index 5a56e6c8..c528ae43 100644
> > --- a/python/sepolicy/Makefile
> > +++ b/python/sepolicy/Makefile
> > @@ -1,14 +1,14 @@
> >  PYTHON ?= python
> >  
> >  # Installation directories.
> > -PREFIX ?= $(DESTDIR)/usr
> > -LIBDIR ?= $(PREFIX)/lib
> > -BINDIR ?= $(PREFIX)/bin
> > -DATADIR ?= $(PREFIX)/share
> > -MANDIR ?= $(PREFIX)/share/man
> > -LOCALEDIR ?= /usr/share/locale
> > -BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions
> > -SHAREDIR ?= $(PREFIX)/share/sandbox
> > +PREFIX ?= /usr
> > +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib
> > +BINDIR ?= $(DESTDIR)$(PREFIX)/bin
> > +DATADIR ?= $(DESTDIR)$(PREFIX)/share
> > +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man
> > +LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale
> > +BASHCOMPLETIONDIR ?= $(DESTDIR)$(PREFIX)/share/bash-completion/completions
> > +SHAREDIR ?= $(DESTDIR)$(PREFIX)/share/sandbox
> >  CFLAGS ?= -Wall -Werror -Wextra -W
> >  override CFLAGS += -DPACKAGE="policycoreutils" -DSHARED -shared
> >  
> > @@ -30,7 +30,7 @@ test:
> > @$(PYTHON) test_sepolicy.py -v
> >  
> >  install:
> > -   $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root 
> > $(DESTDIR)`
> > +   $(PYTHON) setup.py install --prefix=$(PREFIX) `test -n 
> > "$(DESTDIR)$(PREFIX)" && echo --root $(DESTDIR)$(PREFIX)`
> 
> --root $(DESTDIR)$(PREFIX) seems to duplicate prefix from  --prefix=$(PREFIX)
> 
> $ cd python
> $ make \
>   
> DESTDIR=/home/build/rpmbuild/BUILDROOT/policycoreutils-2.7-99.fc28.20180117103354.x86_64
>  \
>   LIBSEPOLA=/usr/lib64/libsepol.a install
> 
> $ find 
> /h

[PATCH] selinux:Significant reduce of preempt_disable holds

2018-01-17 Thread peter.enderborg
From: Peter Enderborg 

Holding preempt_disable is very bad for low-latency tasks
such as audio, and therefore we need to break the rule-set dependent
part out of this disabled section. By using a rwsem instead of a rwlock we
have efficient locking and less preemption interference.

SELinux uses a lot of read_locks. This patch replaces the rwlock
with rwsem/percpu_down_read(), which does not hold preempt_disable.

On an Intel Xeon W3520 2.67 GHz running FC27 with 4.15.0-rc8git (+measurement)
I get preempt_disable in the worst case for 1.2ms in security_compute_av().
With the patch I get 960us as the longest security_compute_av()
without preempt disabled. There is much noise in the measurement,
but it is not likely a degradation.

And the preempt_disable times are also very dependent on the selinux
rule-set.

In security_get_user_sids() we have two nested for-loops and the
inner part calls sidtab_context_to_sid(), which calls
sidtab_search_context(), which has a for loop over a while loop where
the loop counts are dependent on the rules.

On the test system the average lookup time is 60us and does
not change with the rwsem usage.

Reported-by: Björn Davidsson 
Signed-off-by: Peter Enderborg 
---
 security/selinux/ss/services.c | 134 -
 1 file changed, 67 insertions(+), 67 deletions(-)

diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 33cfe5d..a3daaf2 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -87,7 +87,7 @@ int selinux_policycap_alwaysnetwork;
 int selinux_policycap_cgroupseclabel;
 int selinux_policycap_nnp_nosuid_transition;
 
-static DEFINE_RWLOCK(policy_rwlock);
+DEFINE_STATIC_PERCPU_RWSEM(policy_rwsem);
 
 static struct sidtab sidtab;
 struct policydb policydb;
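Review bot: only read-side conversions appear in the posted hunks; the write side (policy load and boolean updates, which took write_lock on policy_rwlock) is not visible here, and for a per-cpu rwsem percpu_down_write is much heavier than write_lock: it goes through rcu_sync and waits for every in-flight reader to drain. That is probably acceptable for a policy reload, but the commit message should state it and the write-side hunks should be reviewable in the same patch.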
@@ -779,7 +779,7 @@ static int security_compute_validatetrans(u32 oldsid, u32 
newsid, u32 tasksid,
if (!ss_initialized)
return 0;
 
-   read_lock(&policy_rwlock);
+   percpu_down_read(&policy_rwsem);
 
if (!user)
tclass = unmap_class(orig_tclass);
@@ -833,7 +833,7 @@ static int security_compute_validatetrans(u32 oldsid, u32 
newsid, u32 tasksid,
}
 
 out:
-   read_unlock(&policy_rwlock);
+   percpu_up_read(&policy_rwsem);
return rc;
 }
 
@@ -867,7 +867,7 @@ int security_bounded_transition(u32 old_sid, u32 new_sid)
int index;
int rc;
 
-   read_lock(&policy_rwlock);
+   percpu_down_read(&policy_rwsem);
 
rc = -EINVAL;
old_context = sidtab_search(&sidtab, old_sid);
@@ -929,7 +929,7 @@ int security_bounded_transition(u32 old_sid, u32 new_sid)
kfree(old_name);
}
 out:
-   read_unlock(&policy_rwlock);
+   percpu_up_read(&policy_rwsem);
 
return rc;
 }
@@ -1017,7 +1017,7 @@ void security_compute_xperms_decision(u32 ssid,
memset(xpermd->auditallow->p, 0, sizeof(xpermd->auditallow->p));
memset(xpermd->dontaudit->p, 0, sizeof(xpermd->dontaudit->p));
 
-   read_lock(&policy_rwlock);
+   percpu_down_read(&policy_rwsem);
if (!ss_initialized)
goto allow;
 
@@ -1070,7 +1070,7 @@ void security_compute_xperms_decision(u32 ssid,
}
}
 out:
-   read_unlock(&policy_rwlock);
+   percpu_up_read(&policy_rwsem);
return;
 allow:
memset(xpermd->allowed->p, 0xff, sizeof(xpermd->allowed->p));
@@ -1097,7 +1097,7 @@ void security_compute_av(u32 ssid,
u16 tclass;
struct context *scontext = NULL, *tcontext = NULL;
 
-   read_lock(&policy_rwlock);
+   percpu_down_read(&policy_rwsem);
avd_init(avd);
xperms->len = 0;
if (!ss_initialized)
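Review bot: percpu_down_read() may sleep, so this conversion is unsafe unless every path into security_compute_av() runs in process context with no spinlock held. This is the AVC slow path reached from avc_has_perm() callers, some of which run under spinlocks or in interrupt context (the objection raised in the reply on this thread), and the slow path of percpu_down_read() blocks while a writer is active. The latency measurements in the commit message do not cover that; a run with CONFIG_DEBUG_ATOMIC_SLEEP under network load would surface the sleeping-in-atomic cases quickly.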
@@ -1130,7 +1130,7 @@ void security_compute_av(u32 ssid,
context_struct_compute_av(scontext, tcontext, tclass, avd, xperms);
map_decision(orig_tclass, avd, policydb.allow_unknown);
 out:
-   read_unlock(&policy_rwlock);
+   percpu_up_read(&policy_rwsem);
return;
 allow:
avd->allowed = 0x;
@@ -1144,7 +1144,7 @@ void security_compute_av_user(u32 ssid,
 {
struct context *scontext = NULL, *tcontext = NULL;
 
-   read_lock(&policy_rwlock);
+   percpu_down_read(&policy_rwsem);
avd_init(avd);
if (!ss_initialized)
goto allow;
@@ -1175,7 +1175,7 @@ void security_compute_av_user(u32 ssid,
 
context_struct_compute_av(scontext, tcontext, tclass, avd, NULL);
  out:
-   read_unlock(&policy_rwlock);
+   percpu_up_read(&policy_rwsem);
return;
 allow:
avd->allowed = 0x;
@@ -1277,7 +1277,7 @@ static int security_sid_to_context_core(u32 sid, char 
**scontext,
rc = -EINVAL;
goto out;
}
-   read_lock(&policy_rwlock);
+   percpu_down_read(&policy_rwsem);
if (force)
context = sidtab_search_force(&sidtab, sid);
else
@@ -1290,7 +1290,7 @@ static int security_sid_to_context_core(u32 sid

Re: [PATCH] selinux:Significant reduce of preempt_disable holds

2018-01-17 Thread Stephen Smalley
On Wed, 2018-01-17 at 15:55 +0100, peter.enderb...@sony.com wrote:
> From: Peter Enderborg 
> 
> Holding preempt_disable is very bad for low-latency tasks
> such as audio, and therefore we need to break the rule-set dependent
> part out of this disabled section. By using a rwsem instead of a rwlock we
> have efficient locking and less preemption interference.
> 
> SELinux uses a lot of read_locks. This patch replaces the rwlock
> with rwsem/percpu_down_read(), which does not hold preempt_disable.

Many of these functions are called while holding spinlocks, and some of
them are called from interrupt.  Unless I misunderstand, you can't just
replace read_lock() with percpu_down_read(), which might sleep.

What you might be able to do is to convert the whole thing to RCU, but
this would require reworking how policy booleans are changed and how
policy is reloaded.

You might also try increasing your AVC size via
/sys/fs/selinux/avc/cache_threshold to reduce cache misses and thus
calls to security_compute_av().

> 
> On an Intel Xeon W3520 2.67 GHz running FC27 with 4.15.0-rc8git
> (+measurement)
> I get preempt_disable in the worst case for 1.2ms in
> security_compute_av().
> With the patch I get 960us as the longest security_compute_av()
> without preempt disabled. There is much noise in the measurement,
> but it is not likely a degradation.
> 
> And the preempt_disable times are also very dependent on the selinux
> rule-set.
> 
> In security_get_user_sids() we have two nested for-loops and the
> inner part calls sidtab_context_to_sid(), which calls
> sidtab_search_context(), which has a for loop over a while loop where
> the loop counts are dependent on the rules.
> 
> On the test system the average lookup time is 60us and does
> not change with the rwsem usage.
> 
> Reported-by: Björn Davidsson 
> Signed-off-by: Peter Enderborg 
> ---
>  security/selinux/ss/services.c | 134 ---
> --
>  1 file changed, 67 insertions(+), 67 deletions(-)
> 
> diff --git a/security/selinux/ss/services.c
> b/security/selinux/ss/services.c
> index 33cfe5d..a3daaf2 100644
> --- a/security/selinux/ss/services.c
> +++ b/security/selinux/ss/services.c
> @@ -87,7 +87,7 @@ int selinux_policycap_alwaysnetwork;
>  int selinux_policycap_cgroupseclabel;
>  int selinux_policycap_nnp_nosuid_transition;
>  
> -static DEFINE_RWLOCK(policy_rwlock);
> +DEFINE_STATIC_PERCPU_RWSEM(policy_rwsem);
>  
>  static struct sidtab sidtab;
>  struct policydb policydb;
> @@ -779,7 +779,7 @@ static int security_compute_validatetrans(u32
> oldsid, u32 newsid, u32 tasksid,
>   if (!ss_initialized)
>   return 0;
>  
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
>  
>   if (!user)
>   tclass = unmap_class(orig_tclass);
> @@ -833,7 +833,7 @@ static int security_compute_validatetrans(u32
> oldsid, u32 newsid, u32 tasksid,
>   }
>  
>  out:
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
>   return rc;
>  }
>  
> @@ -867,7 +867,7 @@ int security_bounded_transition(u32 old_sid, u32
> new_sid)
>   int index;
>   int rc;
>  
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
>  
>   rc = -EINVAL;
>   old_context = sidtab_search(&sidtab, old_sid);
> @@ -929,7 +929,7 @@ int security_bounded_transition(u32 old_sid, u32
> new_sid)
>   kfree(old_name);
>   }
>  out:
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
>  
>   return rc;
>  }
> @@ -1017,7 +1017,7 @@ void security_compute_xperms_decision(u32 ssid,
>   memset(xpermd->auditallow->p, 0, sizeof(xpermd->auditallow-
> >p));
>   memset(xpermd->dontaudit->p, 0, sizeof(xpermd->dontaudit-
> >p));
>  
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
>   if (!ss_initialized)
>   goto allow;
>  
> @@ -1070,7 +1070,7 @@ void security_compute_xperms_decision(u32 ssid,
>   }
>   }
>  out:
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
>   return;
>  allow:
>   memset(xpermd->allowed->p, 0xff, sizeof(xpermd->allowed-
> >p));
> @@ -1097,7 +1097,7 @@ void security_compute_av(u32 ssid,
>   u16 tclass;
>   struct context *scontext = NULL, *tcontext = NULL;
>  
> - read_lock(&policy_rwlock);
> + percpu_down_read(&policy_rwsem);
>   avd_init(avd);
>   xperms->len = 0;
>   if (!ss_initialized)
> @@ -1130,7 +1130,7 @@ void security_compute_av(u32 ssid,
>   context_struct_compute_av(scontext, tcontext, tclass, avd,
> xperms);
>   map_decision(orig_tclass, avd, policydb.allow_unknown);
>  out:
> - read_unlock(&policy_rwlock);
> + percpu_up_read(&policy_rwsem);
>   return;
>  allow:
>   avd->allowed = 0x;
> @@ -1144,7 +1144,7 @@ void security_compute_av_user(u32 ssid,
>  {
>   struct context *scontext = NULL, *tcontext = NULL;
>  
> - read_lock(&policy_rwlock);
> + percpu_down_read(&polic
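The cache_threshold suggestion above is easiest to act on with the miss rate in hand. The following is an added example, not code from this thread or from the kernel: two POSIX shell functions that sum the per-CPU counters in /sys/fs/selinux/avc/cache_stats into a miss percentage and raise /sys/fs/selinux/avc/cache_threshold only when that percentage exceeds a chosen bound. The function names, the bound and the sample counters are assumptions; the two selinuxfs file names and the cache_stats layout (a header line followed by one line of six counters per CPU) are the kernel's. The file paths are parameters so the functions can be exercised on constructed input.

```shell
#!/bin/sh
# avc_miss_pct STATS_FILE
# Print the integer AVC miss percentage over all CPUs.  cache_stats has the
# header "lookups hits misses allocations reclaims frees" followed by one
# line of six counters per CPU; column 1 is lookups, column 3 is misses.
avc_miss_pct() {
    awk 'NR > 1 && NF >= 3 { lookups += $1; misses += $3 }
         END {
             if (lookups == 0) print 0;
             else printf "%d\n", (misses * 100) / lookups
         }' "$1"
}

# avc_tune_threshold STATS_FILE THRESHOLD_FILE MAX_MISS_PCT NEW_THRESHOLD
# Write NEW_THRESHOLD into THRESHOLD_FILE when the miss rate is above
# MAX_MISS_PCT and the new value is larger than the current one; never
# shrink the cache from here.  Prints what was done.
avc_tune_threshold() {
    stats=$1
    thr_file=$2
    max_pct=$3
    new_thr=$4
    pct=$(avc_miss_pct "$stats")
    cur=$(cat "$thr_file")
    if [ "$pct" -gt "$max_pct" ] && [ "$new_thr" -gt "$cur" ]; then
        echo "$new_thr" > "$thr_file"
        echo "raised $cur -> $new_thr (miss rate ${pct}%)"
        return 0
    fi
    echo "kept $cur (miss rate ${pct}%)"
    return 0
}

# On a live system (needs root), for example:
#   avc_tune_threshold /sys/fs/selinux/avc/cache_stats \
#       /sys/fs/selinux/avc/cache_threshold 5 2048
```

The miss counters are cumulative since boot, so sample cache_stats twice across the workload of interest and compute the rate from the difference if the machine has been up for a long time; the default threshold is 512 entries, and a larger cache trades memory and hash-chain length for fewer calls into security_compute_av().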

Re: [PATCH v2 08/14] python: build: follow standard semantics for DESTDIR and PREFIX

2018-01-17 Thread Petr Lautrbach
On Wed, Jan 17, 2018 at 11:43:58AM +0100, Marcus Folkesson wrote:
> Hi,
> 
> On Wed, Jan 17, 2018 at 11:11:35AM +0100, Petr Lautrbach wrote:
> > On Tue, Jan 16, 2018 at 09:23:21PM +0100, Marcus Folkesson wrote:
> > > Signed-off-by: Marcus Folkesson 
> > > ---
> > >  python/audit2allow/Makefile   | 10 --
> > >  python/chcat/Makefile |  8 
> > >  python/semanage/Makefile  | 13 ++---
> > >  python/sepolgen/src/sepolgen/Makefile |  3 ++-
> > >  python/sepolicy/Makefile  | 18 +-
> > >  5 files changed, 25 insertions(+), 27 deletions(-)
> > > 
> > > diff --git a/python/audit2allow/Makefile b/python/audit2allow/Makefile
> > > index 8db8075f..a73c8c68 100644
> > > --- a/python/audit2allow/Makefile
> > > +++ b/python/audit2allow/Makefile
> > > @@ -1,12 +1,10 @@
> > >  PYTHON ?= python
> > >  
> > >  # Installation directories.
> > > -PREFIX ?= $(DESTDIR)/usr
> > > -BINDIR ?= $(PREFIX)/bin
> > > -LIBDIR ?= $(PREFIX)/lib
> > > -MANDIR ?= $(PREFIX)/share/man
> > > -LOCALEDIR ?= /usr/share/locale
> > > -INCLUDEDIR ?= $(PREFIX)/include
> > > +PREFIX ?= /usr
> > > +BINDIR ?= $(DESTDIR)$(PREFIX)/bin
> > > +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib
> > > +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man
> > >  LIBSEPOLA ?= $(LIBDIR)/libsepol.a
> > >  
> > >  CFLAGS ?= -Werror -Wall -W
> > > diff --git a/python/chcat/Makefile b/python/chcat/Makefile
> > > index 0fd12d6d..947734a0 100644
> > > --- a/python/chcat/Makefile
> > > +++ b/python/chcat/Makefile
> > > @@ -1,8 +1,8 @@
> > >  # Installation directories.
> > > -PREFIX ?= $(DESTDIR)/usr
> > > -BINDIR ?= $(PREFIX)/bin
> > > -MANDIR ?= $(PREFIX)/share/man
> > > -LOCALEDIR ?= $(PREFIX)/share/locale
> > > +PREFIX ?= /usr
> > > +BINDIR ?= $(DESTDIR)$(PREFIX)/bin
> > > +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man
> > > +LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale
> > >  
> > >  .PHONY: all
> > >  all: chcat
> > > diff --git a/python/semanage/Makefile b/python/semanage/Makefile
> > > index 132162bc..70759087 100644
> > > --- a/python/semanage/Makefile
> > > +++ b/python/semanage/Makefile
> > > @@ -1,13 +1,12 @@
> > >  PYTHON ?= python
> > >  
> > >  # Installation directories.
> > > -PREFIX ?= $(DESTDIR)/usr
> > > -LIBDIR ?= $(PREFIX)/lib
> > > -SBINDIR ?= $(PREFIX)/sbin
> > > -MANDIR = $(PREFIX)/share/man
> > > -PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; 
> > > print(get_python_lib(1))")
> > > -PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)
> > > -BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions
> > > +PREFIX ?= /usr
> > > +SBINDIR ?= $(DESTDIR)$(PREFIX)/sbin
> > > +MANDIR = $(DESTDIR)$(PREFIX)/share/man
> > > +PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; 
> > > print(get_python_lib(prefix='$(PREFIX)'))")
> > > +PACKAGEDIR ?= $(DESTDIR)$(PYTHONLIBDIR)
> > > +BASHCOMPLETIONDIR ?= 
> > > $(DESTDIR)$(PREFIX)/share/bash-completion/completions
> > >  
> > >  TARGETS=semanage
> > >  
> > > diff --git a/python/sepolgen/src/sepolgen/Makefile 
> > > b/python/sepolgen/src/sepolgen/Makefile
> > > index d3aa7715..2121a955 100644
> > > --- a/python/sepolgen/src/sepolgen/Makefile
> > > +++ b/python/sepolgen/src/sepolgen/Makefile
> > > @@ -1,5 +1,6 @@
> > > +PREFIX ?= /usr
> > >  PYTHON ?= python
> > > -PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; 
> > > print(get_python_lib(1))")
> > > +PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; 
> > > print(get_python_lib(prefix='$(PREFIX)'))")
> > >  PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)/sepolgen
> > >  
> > >  all:
> > > diff --git a/python/sepolicy/Makefile b/python/sepolicy/Makefile
> > > index 5a56e6c8..c528ae43 100644
> > > --- a/python/sepolicy/Makefile
> > > +++ b/python/sepolicy/Makefile
> > > @@ -1,14 +1,14 @@
> > >  PYTHON ?= python
> > >  
> > >  # Installation directories.
> > > -PREFIX ?= $(DESTDIR)/usr
> > > -LIBDIR ?= $(PREFIX)/lib
> > > -BINDIR ?= $(PREFIX)/bin
> > > -DATADIR ?= $(PREFIX)/share
> > > -MANDIR ?= $(PREFIX)/share/man
> > > -LOCALEDIR ?= /usr/share/locale
> > > -BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions
> > > -SHAREDIR ?= $(PREFIX)/share/sandbox
> > > +PREFIX ?= /usr
> > > +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib
> > > +BINDIR ?= $(DESTDIR)$(PREFIX)/bin
> > > +DATADIR ?= $(DESTDIR)$(PREFIX)/share
> > > +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man
> > > +LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale
> > > +BASHCOMPLETIONDIR ?= 
> > > $(DESTDIR)$(PREFIX)/share/bash-completion/completions
> > > +SHAREDIR ?= $(DESTDIR)$(PREFIX)/share/sandbox
> > >  CFLAGS ?= -Wall -Werror -Wextra -W
> > >  override CFLAGS += -DPACKAGE="policycoreutils" -DSHARED -shared
> > >  
> > > @@ -30,7 +30,7 @@ test:
> > >   @$(PYTHON) test_sepolicy.py -v
> > >  
> > >  install:
> > > - $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root 
> > > $(DESTDIR)`
> > > + $(PYTHON) setup.py install --prefix=$(PREFIX) `test -n 
> > > "$(

Re: [PATCH v2 08/14] python: build: follow standard semantics for DESTDIR and PREFIX

2018-01-17 Thread Marcus Folkesson
On Wed, Jan 17, 2018 at 05:38:06PM +0100, Petr Lautrbach wrote:
> On Wed, Jan 17, 2018 at 11:43:58AM +0100, Marcus Folkesson wrote:
> > Hi,
> > 
> > On Wed, Jan 17, 2018 at 11:11:35AM +0100, Petr Lautrbach wrote:
> > > On Tue, Jan 16, 2018 at 09:23:21PM +0100, Marcus Folkesson wrote:
> > > > Signed-off-by: Marcus Folkesson 
> > > > ---
> > > >  python/audit2allow/Makefile   | 10 --
> > > >  python/chcat/Makefile |  8 
> > > >  python/semanage/Makefile  | 13 ++---
> > > >  python/sepolgen/src/sepolgen/Makefile |  3 ++-
> > > >  python/sepolicy/Makefile  | 18 +-
> > > >  5 files changed, 25 insertions(+), 27 deletions(-)
> > > > 
> > > > diff --git a/python/audit2allow/Makefile b/python/audit2allow/Makefile
> > > > index 8db8075f..a73c8c68 100644
> > > > --- a/python/audit2allow/Makefile
> > > > +++ b/python/audit2allow/Makefile
> > > > @@ -1,12 +1,10 @@
> > > >  PYTHON ?= python
> > > >  
> > > >  # Installation directories.
> > > > -PREFIX ?= $(DESTDIR)/usr
> > > > -BINDIR ?= $(PREFIX)/bin
> > > > -LIBDIR ?= $(PREFIX)/lib
> > > > -MANDIR ?= $(PREFIX)/share/man
> > > > -LOCALEDIR ?= /usr/share/locale
> > > > -INCLUDEDIR ?= $(PREFIX)/include
> > > > +PREFIX ?= /usr
> > > > +BINDIR ?= $(DESTDIR)$(PREFIX)/bin
> > > > +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib
> > > > +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man
> > > >  LIBSEPOLA ?= $(LIBDIR)/libsepol.a
> > > >  
> > > >  CFLAGS ?= -Werror -Wall -W
> > > > diff --git a/python/chcat/Makefile b/python/chcat/Makefile
> > > > index 0fd12d6d..947734a0 100644
> > > > --- a/python/chcat/Makefile
> > > > +++ b/python/chcat/Makefile
> > > > @@ -1,8 +1,8 @@
> > > >  # Installation directories.
> > > > -PREFIX ?= $(DESTDIR)/usr
> > > > -BINDIR ?= $(PREFIX)/bin
> > > > -MANDIR ?= $(PREFIX)/share/man
> > > > -LOCALEDIR ?= $(PREFIX)/share/locale
> > > > +PREFIX ?= /usr
> > > > +BINDIR ?= $(DESTDIR)$(PREFIX)/bin
> > > > +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man
> > > > +LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale
> > > >  
> > > >  .PHONY: all
> > > >  all: chcat
> > > > diff --git a/python/semanage/Makefile b/python/semanage/Makefile
> > > > index 132162bc..70759087 100644
> > > > --- a/python/semanage/Makefile
> > > > +++ b/python/semanage/Makefile
> > > > @@ -1,13 +1,12 @@
> > > >  PYTHON ?= python
> > > >  
> > > >  # Installation directories.
> > > > -PREFIX ?= $(DESTDIR)/usr
> > > > -LIBDIR ?= $(PREFIX)/lib
> > > > -SBINDIR ?= $(PREFIX)/sbin
> > > > -MANDIR = $(PREFIX)/share/man
> > > > -PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import 
> > > > *; print(get_python_lib(1))")
> > > > -PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)
> > > > -BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions
> > > > +PREFIX ?= /usr
> > > > +SBINDIR ?= $(DESTDIR)$(PREFIX)/sbin
> > > > +MANDIR = $(DESTDIR)$(PREFIX)/share/man
> > > > +PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import 
> > > > *; print(get_python_lib(prefix='$(PREFIX)'))")
> > > > +PACKAGEDIR ?= $(DESTDIR)$(PYTHONLIBDIR)
> > > > +BASHCOMPLETIONDIR ?= 
> > > > $(DESTDIR)$(PREFIX)/share/bash-completion/completions
> > > >  
> > > >  TARGETS=semanage
> > > >  
> > > > diff --git a/python/sepolgen/src/sepolgen/Makefile 
> > > > b/python/sepolgen/src/sepolgen/Makefile
> > > > index d3aa7715..2121a955 100644
> > > > --- a/python/sepolgen/src/sepolgen/Makefile
> > > > +++ b/python/sepolgen/src/sepolgen/Makefile
> > > > @@ -1,5 +1,6 @@
> > > > +PREFIX ?= /usr
> > > >  PYTHON ?= python
> > > > -PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import 
> > > > *; print(get_python_lib(1))")
> > > > +PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import 
> > > > *; print(get_python_lib(prefix='$(PREFIX)'))")
> > > >  PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)/sepolgen
> > > >  
> > > >  all:
> > > > diff --git a/python/sepolicy/Makefile b/python/sepolicy/Makefile
> > > > index 5a56e6c8..c528ae43 100644
> > > > --- a/python/sepolicy/Makefile
> > > > +++ b/python/sepolicy/Makefile
> > > > @@ -1,14 +1,14 @@
> > > >  PYTHON ?= python
> > > >  
> > > >  # Installation directories.
> > > > -PREFIX ?= $(DESTDIR)/usr
> > > > -LIBDIR ?= $(PREFIX)/lib
> > > > -BINDIR ?= $(PREFIX)/bin
> > > > -DATADIR ?= $(PREFIX)/share
> > > > -MANDIR ?= $(PREFIX)/share/man
> > > > -LOCALEDIR ?= /usr/share/locale
> > > > -BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions
> > > > -SHAREDIR ?= $(PREFIX)/share/sandbox
> > > > +PREFIX ?= /usr
> > > > +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib
> > > > +BINDIR ?= $(DESTDIR)$(PREFIX)/bin
> > > > +DATADIR ?= $(DESTDIR)$(PREFIX)/share
> > > > +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man
> > > > +LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale
> > > > +BASHCOMPLETIONDIR ?= 
> > > > $(DESTDIR)$(PREFIX)/share/bash-completion/completions
> > > > +SHAREDIR ?= $(DESTDIR)$(PREFIX)/share/sandbox
> > > >  CFLAGS ?= -Wall -Werror -Wextra -W
> > > >  override CFLAGS += -DPA

Re: [PATCH v2 02/14] libselinux: build: follow standard semantics for DESTDIR and PREFIX

2018-01-17 Thread Nicolas Iooss
On Tue, Jan 16, 2018 at 9:23 PM, Marcus Folkesson wrote:
> This patch solves the following issues:
> - The pkg-config files generate odd paths when using DESTDIR without PREFIX
> - DESTDIR is needed during compile time to compute library and header paths 
> which it should not.
> - Installing with both DESTDIR and PREFIX set gives us odd paths
> - Make usage of DESTDIR and PREFIX more standard
>
> Signed-off-by: Marcus Folkesson 
> ---
>  libselinux/include/Makefile |  4 ++--
>  libselinux/man/Makefile |  7 ---
>  libselinux/src/Makefile | 12 +---
>  libselinux/src/libselinux.pc.in |  2 +-
>  libselinux/utils/Makefile   |  6 ++
>  5 files changed, 14 insertions(+), 17 deletions(-)
>
> diff --git a/libselinux/include/Makefile b/libselinux/include/Makefile
> index 757a6c9c..3b51f5ce 100644
> --- a/libselinux/include/Makefile
> +++ b/libselinux/include/Makefile
> @@ -1,6 +1,6 @@
>  # Installation directories.
> -PREFIX ?= $(DESTDIR)/usr
> -INCDIR ?= $(PREFIX)/include/selinux
> +PREFIX ?= /usr
> +INCDIR = $(DESTDIR)$(PREFIX)/include/selinux
>
>  all:
>
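Review bot: INCDIR changes from `?=` to `=` in this hunk, so packagers can no longer override it from the environment or the make command line, unlike every other directory variable touched by this series. Keep `?=`.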
> diff --git a/libselinux/man/Makefile b/libselinux/man/Makefile
> index 0643e6af..233bfaa9 100644
> --- a/libselinux/man/Makefile
> +++ b/libselinux/man/Makefile
> @@ -1,7 +1,8 @@
>  # Installation directories.
> -MAN8DIR ?= $(DESTDIR)/usr/share/man/man8
> -MAN5DIR ?= $(DESTDIR)/usr/share/man/man5
> -MAN3DIR ?= $(DESTDIR)/usr/share/man/man3
> +PREFIX ?= /usr
> +MAN8DIR ?= $(DESTDIR)$(PREFIX)/share/man/man8
> +MAN5DIR ?= $(DESTDIR)$(PREFIX)/share/man/man5
> +MAN3DIR ?= $(DESTDIR)$(PREFIX)/share/man/man3
>
>  all:
>
> diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
> index 18df75c8..18a58164 100644
> --- a/libselinux/src/Makefile
> +++ b/libselinux/src/Makefile
> @@ -8,8 +8,8 @@ RUBYPREFIX ?= $(notdir $(RUBY))
>  PKG_CONFIG ?= pkg-config
>
>  # Installation directories.
> -PREFIX ?= $(DESTDIR)/usr
> -LIBDIR ?= $(PREFIX)/lib
> +PREFIX ?= /usr
> +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib
>  SHLIBDIR ?= $(DESTDIR)/lib
>  INCLUDEDIR ?= $(PREFIX)/include
>  PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX))
> @@ -19,8 +19,6 @@ PYCEXT ?= $(shell $(PYTHON) -c 'import imp;print([s for 
> s,m,t in imp.get_suffixe
>  RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + 
> RbConfig::CONFIG["rubyarchhdrdir"] + " -I" + RbConfig::CONFIG["rubyhdrdir"]')
>  RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG["libdir"] + " 
> -L" + RbConfig::CONFIG["archlibdir"] + " " + 
> RbConfig::CONFIG["LIBRUBYARG_SHARED"]')
>  RUBYINSTALL ?= $(DESTDIR)$(shell $(RUBY) -e 'puts 
> RbConfig::CONFIG["vendorarchdir"]')
> -LIBBASE ?= $(shell basename $(LIBDIR))
> -LIBSEPOLA ?= $(LIBDIR)/libsepol.a
>
>  VERSION = $(shell cat ../VERSION)
>  LIBVERSION = 1
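Review bot: SHLIBDIR stays hard-wired to $(DESTDIR)/lib while LIBDIR directly above it becomes $(DESTDIR)$(PREFIX)/lib; if the shared library is meant to stay under /lib regardless of PREFIX so that it lives on the root filesystem, say so in a comment or in the commit message, otherwise derive it the same way. LIBSEPOLA and LIBBASE are also deleted here, which is fine only if nothing else in this Makefile still depends on the archive path or on the bare directory name.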
> @@ -148,7 +146,7 @@ $(LIBSO): $(LOBJS)
> ln -sf $@ $(TARGET)
>
>  $(LIBPC): $(LIBPC).in ../VERSION
> -   sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; 
> s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):; 
> s:@PCRE_MODULE@:$(PCRE_MODULE):' < $< > $@
> +   sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; 
> s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):; 
> s:@PCRE_MODULE@:$(PCRE_MODULE):' < $< > $@
>
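Review bot: `s:@libdir@:$(LIBDIR):` now writes $(DESTDIR)$(PREFIX)/lib into libselinux.pc, so a staged install with DESTDIR set embeds the build root in the installed pkg-config file, the same odd-path problem the commit message says it fixes. A .pc file must carry only final installation paths: substitute a DESTDIR-free value (for example a separate variable holding $(PREFIX)/lib) and leave DESTDIR to the install rule. The libselinux.pc.in change listed in the diffstat is not shown here, so confirm what @libdir@ expands into there.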
>  selinuxswig_python_exception.i: ../include/selinux/selinux.h
> bash -e exception.sh > $@ || (rm -f $@ ; false)
> @@ -156,8 +154,8 @@ selinuxswig_python_exception.i: 
> ../include/selinux/selinux.h
>  $(AUDIT2WHYLOBJ): audit2why.c
> $(CC) $(filter-out -Werror, $(CFLAGS)) $(PYINC) -fPIC -DSHARED -c -o 
> $@ $<
>
> -$(AUDIT2WHYSO): $(AUDIT2WHYLOBJ) $(LIBSEPOLA)
> -   $(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux $(PYLIBS)
> +$(AUDIT2WHYSO): $(AUDIT2WHYLOBJ)
> +   $(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux $(PYLIBS) 
> -l:libsepol.a
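Review bot: with $(LIBSEPOLA) gone from the prerequisites, $(AUDIT2WHYSO) is no longer relinked when libsepol.a changes, the regression already pointed out in this thread. `-l:libsepol.a` is fine for the link line, but keep an archive prerequisite; resolving it once through the compiler driver (for example `$(CC) $(LDFLAGS) -print-file-name=libsepol.a`, which prints the bare name when nothing is found) avoids the hard-coded $(LIBDIR) form while preserving the dependency.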

Hello,
This change means audit2why.so is no longer rebuilt when libsepol's
code changes. This is a problem when debugging issues in libsepol, which
is why I added $(LIBSEPOLA) to the dependencies of $(AUDIT2WHYSO) in
commit dcd135cc06ab ("Re-link programs after libsepol.a is updated"
[1]).
By the way, I like the change from using a "hardcoded" path to
libsepol.a to telling the compiler to look into directories specified
with option -L in LDFLAGS. This would ease the packaging a little bit,
as it makes defining LIBSEPOLA no longer necessary (if I understood
the changes correctly, I have not tested this point). Is there a way
to ask the compiler for the resolved location of a static library, in
a way which can be used to compute the value of LIBSEPOLA? ("gcc
-Wl,--trace ..." displays it but it is not easily usable).

Best regards,
Nicolas

[1] 
https://github.com/SELinuxProject/selinux/commit/dcd135cc06abd8cd662d2d7a896e368f09380dd2
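On the question of asking the compiler where it will find a static archive: gcc and clang accept -print-file-name=libNAME.a, which prints an absolute path when the archive is on the driver's library search path and just echoes the bare name back otherwise. The shell function below is an added example, not from this thread or the selinux Makefiles; it wraps that option and, because whether the driver consults -L directories for this lookup varies by toolchain, falls back to scanning the -L entries of the supplied LDFLAGS and then the common system library directories. The function name and the fallback directory list are assumptions.

```shell
#!/bin/sh
# resolve_static_lib NAME [LDFLAGS...]
# Print the absolute path of libNAME.a as the link step would find it, or
# print nothing and return 1 when it cannot be found.
#   1. Ask the compiler driver: "$CC $LDFLAGS -print-file-name=libNAME.a"
#      prints an absolute path when the archive is on the driver's search
#      path and echoes the bare name back when it is not.
#   2. Otherwise walk the -L<dir> / "-L <dir>" entries of the given flags,
#      then the usual system directories (an assumed list; extend it for
#      other layouts).
resolve_static_lib() {
    name=$1
    shift
    lib="lib$name.a"
    cc=${CC:-cc}

    if command -v "$cc" >/dev/null 2>&1; then
        out=$("$cc" "$@" -print-file-name="$lib" 2>/dev/null || true)
        case $out in
            /*) if [ -f "$out" ]; then echo "$out"; return 0; fi ;;
        esac
    fi

    dirs=""
    expect_dir=0
    for arg in "$@"; do
        if [ "$expect_dir" -eq 1 ]; then
            dirs="$dirs $arg"
            expect_dir=0
            continue
        fi
        case $arg in
            -L)  expect_dir=1 ;;            # "-L dir" form
            -L*) dirs="$dirs ${arg#-L}" ;;  # "-Ldir" form
        esac
    done

    for d in $dirs /usr/local/lib /usr/lib64 /usr/lib /lib64 /lib; do
        if [ -f "$d/$lib" ]; then
            echo "$d/$lib"
            return 0
        fi
    done
    return 1
}
```

Fed into `LIBSEPOLA ?=` from a Makefile, the result is a DESTDIR-free path that can stay in the prerequisites of $(AUDIT2WHYSO) while the link line uses -l:libsepol.a, so the module is relinked when the archive changes without anyone having to set LIBSEPOLA by hand.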