From: Roy Li <rongqing...@windriver.com>

mcstransd is a daemon that translates SELinux MCS/MLS sensitivity labels. policycoreutils includes mcstransd, and its version is newer than the one from http://mcstrans.sourcearchive.com/
Signed-off-by: Roy Li <rongqing...@windriver.com>
---
 recipes-security/selinux/policycoreutils.inc | 82 ++++++++++++++++++++--
 .../0001-mcstrans-fix-the-init-script.patch | 27 +++++++
 .../selinux/policycoreutils/enable-mcstrans.patch | 17 +++++
 recipes-security/selinux/policycoreutils_2.3.bb | 2 +
 recipes-security/selinux/policycoreutils_git.bb | 2 +
 5 files changed, 126 insertions(+), 4 deletions(-)
 create mode 100644 recipes-security/selinux/policycoreutils/0001-mcstrans-fix-the-init-script.patch
 create mode 100644 recipes-security/selinux/policycoreutils/enable-mcstrans.patch

diff --git a/recipes-security/selinux/policycoreutils.inc b/recipes-security/selinux/policycoreutils.inc
index 44a5861..fa0b601 100644
--- a/recipes-security/selinux/policycoreutils.inc
+++ b/recipes-security/selinux/policycoreutils.inc
@@ -13,11 +13,14 @@ PAM_SRC_URI = "file://pam.d/newrole \
 file://pam.d/run_init \
 "
-DEPENDS += "libsepol libselinux libsemanage"
+DEPENDS += "libsepol libselinux libsemanage libcap"
 EXTRA_DEPENDS = "libcap-ng libcgroup setools"
 DEPENDS += "${@['', '${EXTRA_DEPENDS}']['${PN}' != '${BPN}-native']}"
-inherit selinux
+inherit selinux systemd pythonnative update-rc.d
+
+PROVIDES += "mcstrans"
+
 DEPENDS += "${@target_selinux(d, 'libpam audit')}"
 RDEPENDS_${BPN}-audit2allow = "\
@@ -113,7 +116,6 @@ RDEPENDS_${BPN} += "setools setools-libs ${BPN}-python"
 WARN_QA := "${@oe_filter_out('unsafe-references-in-scripts', '${WARN_QA}', d)}"
 ERROR_QA := "${@oe_filter_out('unsafe-references-in-scripts', '${ERROR_QA}', d)}"
-inherit pythonnative
 PACKAGES =+ "\
 ${PN}-audit2allow \
@@ -137,8 +139,31 @@ PACKAGES =+ "\
 ${PN}-sestatus \
 ${PN}-setfiles \
 ${PN}-setsebool \
+ mcstrans \
+ mcstrans-doc \
 system-config-selinux \
 "
+PKGV_mcstrans = "0.3.2"
+PKGV_mcstrans-doc = "0.3.2"
+SUMMARY_mcstrans = "Daemon to translate SELinux MCS/MLS sensitivity labels"
+DESCRIPTION_mcstrans = "\
+ Security-enhanced Linux is a feature of the Linux kernel and a number \
+ of utilities with enhanced security functionality designed to add \
+ mandatory access controls to Linux. The Security-enhanced Linux \
+ kernel contains new architectural components originally developed to \
+ improve the security of the Flask operating system. These \
+ architectural components provide general support for the enforcement \
+ of many kinds of mandatory access control policies, including those \
+ based on the concepts of Type EnforcementĀ®, Role-based Access \
+ Control, and Multi-level Security. \
+ \
+ mcstrans provides an translation daemon to translate SELinux categories \
+ from internal representations to user defined representation. \
+ "
+SUMMARY_mcstrans-doc = "${SUMMARY_mcstrans} man pages and examples"
+DESCRIPTION_mcstrans-doc = "${DESCRIPTION_mcstrans} \
+ This package contains man pages and examples. \
+ "
 FILES_${PN}-audit2allow = "\
 ${bindir}/audit2allow \
 ${bindir}/audit2why \
@@ -208,6 +233,23 @@ FILES_${PN}-setsebool += "\
 ${sbindir}/setsebool \
 ${datadir}/bash-completion/completions/setsebool \
 "
+FILES_mcstrans = "\
+ ${base_sbindir}/mcstransd \
+ ${sbindir}/untranscon \
+ ${sbindir}/transcon \
+ ${sysconfdir}/init.d/mcstrans \
+ ${systemd_unitdir}/system/mcstrans.service \
+ ${sysconfdir}/default/volatiles/volatiles.80_mcstrans \
+ ${sysconfdir}/tmpfiles.d/setrans.conf \
+"
+
+FILES_mcstrans-doc = "\
+ /usr/share/man/man8/mcstransd.8 \
+ /usr/share/man/man8/mcs.8 \
+ /usr/share/man/man8/setrans.conf.8 \
+ ${datadir}/mcstrans \
+"
+
 FILES_system-config-selinux = " \
 ${bindir}/sepolgen \
 ${datadir}/system-config-selinux/* \
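Review bot: The `DESCRIPTION_mcstrans` string added in the first hunk carries a mis-encoded character, `Type EnforcementĀ®`, which lands verbatim in the generated package metadata; keep it plain ASCII, `based on the concepts of Type Enforcement, Role-based Access \`. In the same string `provides an translation daemon` should read `provides a translation daemon`. `PKGV_mcstrans = "0.3.2"` is also hard-coded independently of the policycoreutils version the sources actually come from; a one-line comment saying where 0.3.2 originates (presumably the standalone mcstrans release this replaces) would help whoever does the next bump.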
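Review bot: `FILES_mcstrans-doc` in the second hunk hard-codes `/usr/share/man/man8/...` where the rest of the file uses path variables, so it silently misses the files under a non-default prefix; use `${mandir}/man8/mcstransd.8` and likewise for `mcs.8` and `setrans.conf.8`. Because `mcstrans-doc` is prepended to PACKAGES it claims these paths ahead of `${PN}-doc`, which looks intended, but the list has to be kept in step with what the mcstrans Makefile installs, and that install step is not visible here.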
@@ -248,7 +290,24 @@ do_compile_prepend() {
 do_install_prepend() {
 export PYTHON=python
- export SEMODULE_PATH=${sbindir}
+ export SEMODULE_PATH=${sbindir} SYSTEMDDIR=${D}/${systemd_unitdir}
+}
+
+do_install_append_class-target() {
+ install -m 755 mcstrans/utils/untranscon ${D}${sbindir}/
+ install -m 755 mcstrans/utils/transcon ${D}${sbindir}/
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${sysconfdir}/tmpfiles.d
+ echo "d ${localstatedir}/run/setrans - - - -" \
+ > ${D}${sysconfdir}/tmpfiles.d/setrans.conf
+ else
+ install -d ${D}${sysconfdir}/default/volatiles
+ echo "d root root 0755 /var/run/setrans none" \
+ >${D}${sysconfdir}/default/volatiles/volatiles.80_mcstrans
+ fi
+ install -d ${D}${datadir}/mcstrans
+ cp -r mcstrans/share/* ${D}${datadir}/mcstrans/.
 }
 do_install_virtclass-native() {
@@ -266,3 +325,18 @@ do_install_append_class-target() {
 install -m 0644 ${WORKDIR}/pam.d/* ${D}${sysconfdir}/pam.d/
 fi
 }
+
+SYSTEMD_SERVICE_mcstrans = "mcstrans.service"
+INITSCRIPT_PACKAGES = "mcstrans"
+INITSCRIPT_NAME_mcstrans = "mcstrans"
+INITSCRIPT_PARAMS_mcstrans = "defaults"
+
+pkg_postinst_mcstrans () {
+ if [ -z "$D" ]; then
+ if command -v systemd-tmpfiles >/dev/null; then
+ systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/setrans.conf
+ elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
+ ${sysconfdir}/init.d/populate-volatile.sh update
+ fi
+ fi
+}
diff --git a/recipes-security/selinux/policycoreutils/0001-mcstrans-fix-the-init-script.patch b/recipes-security/selinux/policycoreutils/0001-mcstrans-fix-the-init-script.patch
new file mode 100644
index 0000000..39be80a
--- /dev/null
+++ b/recipes-security/selinux/policycoreutils/0001-mcstrans-fix-the-init-script.patch
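Review bot: The first hunk adds a second `do_install_append_class-target()` to policycoreutils.inc while the next hunk's `@@` context shows the existing one around old line 266, and as far as I know BitBake keeps only the last definition of a shell function, so the mcstrans steps added here (untranscon, transcon, the volatiles/tmpfiles entry and `${datadir}/mcstrans`) would be silently overridden by the later pam.d definition and never run. Merge these lines into the existing `do_install_append_class-target()` body instead of opening a new one. Minor: the tmpfiles branch writes `${localstatedir}/run/setrans` while the volatiles branch hard-codes `/var/run/setrans`; use the same variable in both so the directory mcstransd gets at boot is the same under either init system.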
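Review bot: In the second hunk `SYSTEMD_SERVICE_mcstrans` is set but `SYSTEMD_PACKAGES` is not, and systemd.bbclass defaults it to `${PN}`, so unless it is set elsewhere in the file the `mcstrans.service` unit is never registered and no enable/preset postinst is generated for the mcstrans package; add `SYSTEMD_PACKAGES = "mcstrans"` next to `INITSCRIPT_PACKAGES`. The `[ -z "$D" ]` guard in `pkg_postinst_mcstrans` is correct, but it means the runtime directory is not created when the package is installed at image build time; that is fine because the tmpfiles/volatiles entry creates it at boot, and a short comment to that effect, `# offline install: the setrans dir is created at boot by tmpfiles/populate-volatile`, would save the next reader from wondering.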
@@ -0,0 +1,27 @@
+[PATCH] mcstrans: fix the init script
+
+Upstream-Status: Inappropriate [embedded specific]
+
+replace daemon with start-stop-daemon, due to not daemon functions
+
+Signed-off-by: Roy Li <rongqing...@windriver.com>
+---
+ mcstrans/src/mcstrans.init | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mcstrans/src/mcstrans.init b/mcstrans/src/mcstrans.init
+index 2804ec0..c660290 100644
+--- a/mcstrans/src/mcstrans.init
++++ b/mcstrans/src/mcstrans.init
+@@ -51,7 +51,7 @@ start(){
+ fi
+
+ unset HOME MAIL USER USERNAME
+- daemon $prog "$EXTRAOPTIONS"
++ start-stop-daemon --start --quiet --exec $prog -- "$EXTRAOPTIONS"
+ RETVAL=$?
+ echo
+ if test $RETVAL = 0 ; then
+--
+1.9.1
+
diff --git a/recipes-security/selinux/policycoreutils/enable-mcstrans.patch b/recipes-security/selinux/policycoreutils/enable-mcstrans.patch
new file mode 100644
index 0000000..e923903
--- /dev/null
+++ b/recipes-security/selinux/policycoreutils/enable-mcstrans.patch
@@ -0,0 +1,17 @@
+Add the "mcstrans" subdir so it gets built too.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Roy Li <rongqing...@windriver.com>
+diff --git a/Makefile b/Makefile
+index 83ebd45..3ae784f 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,5 +1,7 @@
+ SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui
+
++SUBDIRS += mcstrans
++
+ INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
+
+ ifeq (${INOTIFYH}, /usr/include/sys/inotify.h)
diff --git a/recipes-security/selinux/policycoreutils_2.3.bb b/recipes-security/selinux/policycoreutils_2.3.bb
index 447e6c9..c837266 100644
--- a/recipes-security/selinux/policycoreutils_2.3.bb
+++ b/recipes-security/selinux/policycoreutils_2.3.bb
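Review bot: In the new init-script patch, `start-stop-daemon --start --quiet --exec $prog -- "$EXTRAOPTIONS"` hands mcstransd one argv entry holding the whole of `$EXTRAOPTIONS`, and an empty-string argument when the variable is unset; the Red Hat `daemon` helper it replaces presumably re-parsed its arguments through a shell, so the quoting that was harmless before now changes what the daemon sees. Unless mcstransd is known to tolerate an empty argument, let the options word-split as intended: `start-stop-daemon --start --quiet --exec $prog -- $EXTRAOPTIONS`. The stop and status paths of `mcstrans.init` are outside this patch; if they also rely on `killproc`/`status` from the Red Hat functions file they need the same treatment. The patch description `due to not daemon functions` would be clearer as `because the Red Hat daemon() shell function is not available on this target`.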
@@ -13,4 +13,6 @@ SRC_URI += "\
 file://policycoreutils-semanage-edit-user.patch \
 file://policycoreutils-process-ValueError-for-sepolicy-seobject.patch \
 file://policycoreutils-fix-TypeError-for-seobject.py.patch \
+ file://0001-mcstrans-fix-the-init-script.patch \
+ file://enable-mcstrans.patch \
 "
diff --git a/recipes-security/selinux/policycoreutils_git.bb b/recipes-security/selinux/policycoreutils_git.bb
index 823edb2..b630797 100644
--- a/recipes-security/selinux/policycoreutils_git.bb
+++ b/recipes-security/selinux/policycoreutils_git.bb
@@ -9,4 +9,6 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
 SRC_URI += "\
 file://policycoreutils-fix-sepolicy-install-path.patch \
 file://policycoreutils-make-O_CLOEXEC-optional.patch \
+ file://0001-mcstrans-fix-the-init-script.patch \
+ file://enable-mcstrans.patch \
 "
-- 
2.1.0

-- 
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto