Re: ANN: Reference Policy 2.20180114

2018-01-16 Thread Chris PeBenito

On 01/16/2018 11:02 AM, Stephen Smalley wrote:

On Sun, 2018-01-14 at 15:02 -0500, Chris PeBenito via refpolicy wrote:

A new release, 2.20180114, of the SELinux Reference Policy is now
available on the GitHub site:

https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease


Could we get the nnp_nosuid_transition policy capability enabled in the
next release?


That's my mistake; I should have enabled it in this release.  Enabled in 
master now.


--
Chris PeBenito



[PATCH v2 07/14] policycoreutils: build: follow standard semantics for DESTDIR and PREFIX

2018-01-16 Thread Marcus Folkesson
Signed-off-by: Marcus Folkesson 
---
 policycoreutils/hll/pp/Makefile  |  7 ++-
 policycoreutils/load_policy/Makefile |  8 
 policycoreutils/man/Makefile |  3 ++-
 policycoreutils/newrole/Makefile |  8 
 policycoreutils/po/Makefile  |  3 ++-
 policycoreutils/run_init/Makefile|  8 
 policycoreutils/scripts/Makefile |  8 
 policycoreutils/secon/Makefile   |  9 -
 policycoreutils/semodule/Makefile|  8 +++-
 policycoreutils/sestatus/Makefile|  8 
 policycoreutils/setfiles/Makefile|  5 ++---
 policycoreutils/setsebool/Makefile   | 10 --
 12 files changed, 39 insertions(+), 46 deletions(-)

diff --git a/policycoreutils/hll/pp/Makefile b/policycoreutils/hll/pp/Makefile
index 3401dcc9..ce58e0cf 100644
--- a/policycoreutils/hll/pp/Makefile
+++ b/policycoreutils/hll/pp/Makefile
@@ -1,9 +1,6 @@
 # Installation directories.
-PREFIX ?= $(DESTDIR)/usr
-INCLUDEDIR ?= $(PREFIX)/include
-MANDIR = $(PREFIX)/share/man
-LIBDIR ?= $(PREFIX)/lib
-LIBEXECDIR ?= $(PREFIX)/libexec
+PREFIX ?= /usr
+LIBEXECDIR ?= $(DESTDIR)$(PREFIX)/libexec
 HLLDIR ?= $(LIBEXECDIR)/selinux/hll
 
 CFLAGS ?= -Werror -Wall -W
diff --git a/policycoreutils/load_policy/Makefile 
b/policycoreutils/load_policy/Makefile
index b85833c2..720bf45f 100644
--- a/policycoreutils/load_policy/Makefile
+++ b/policycoreutils/load_policy/Makefile
@@ -1,8 +1,8 @@
 # Installation directories.
-PREFIX ?= $(DESTDIR)/usr
-SBINDIR ?= $(DESTDIR)/sbin
-MANDIR ?= $(PREFIX)/share/man
-LOCALEDIR ?= /usr/share/locale
+PREFIX ?= /usr
+SBINDIR ?= $(DESTDIR)$(PREFIX)/sbin
+MANDIR ?= $(DESTDIR)$(PREFIX)/share/man
+LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale
 
 CFLAGS ?= -Werror -Wall -W
 override CFLAGS += $(LDFLAGS) -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" 
-DPACKAGE="\"policycoreutils\""
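Review bot: The new LOCALEDIR definition carries $(DESTDIR), but the `override CFLAGS` line just below bakes that value into the binary via -DLOCALEDIR, so a staged `make DESTDIR=/tmp/myroot install` ships a load_policy that looks for message catalogs under /tmp/myroot/usr/share/locale at runtime — exactly the compile-time DESTDIR dependency this series sets out to remove. Keep `LOCALEDIR ?= $(PREFIX)/share/locale` here and prepend $(DESTDIR) only in install rules. The same $(DESTDIR)$(PREFIX)/share/locale rewrite appears in newrole/Makefile, run_init/Makefile, scripts/Makefile, python/chcat/Makefile and python/sepolicy/Makefile in this series; whether each of those also compiles or substitutes the value into an artifact is not visible in the hunks, but they should be checked the same way. Note also that SBINDIR moves from $(DESTDIR)/sbin to $(DESTDIR)$(PREFIX)/sbin here and in scripts/Makefile, which relocates load_policy and fixfiles to /usr/sbin on systems without a merged /usr; if intended, that deserves a sentence in the commit message.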
diff --git a/policycoreutils/man/Makefile b/policycoreutils/man/Makefile
index 0d91cd46..8a8fbd49 100644
--- a/policycoreutils/man/Makefile
+++ b/policycoreutils/man/Makefile
@@ -1,5 +1,6 @@
 # Installation directories.
-MAN5DIR ?= $(DESTDIR)/usr/share/man/man5
+PREFIX ?= /usr
+MAN5DIR ?= $(DESTDIR)$(PREFIX)/share/man/man5
 
 all:
 
diff --git a/policycoreutils/newrole/Makefile b/policycoreutils/newrole/Makefile
index 196af926..4dbe6f52 100644
--- a/policycoreutils/newrole/Makefile
+++ b/policycoreutils/newrole/Makefile
@@ -1,9 +1,9 @@
 # Installation directories.
-PREFIX ?= $(DESTDIR)/usr
-BINDIR ?= $(PREFIX)/bin
-MANDIR ?= $(PREFIX)/share/man
+PREFIX ?= /usr
+BINDIR ?= $(DESTDIR)$(PREFIX)/bin
+MANDIR ?= $(DESTDIR)$(PREFIX)/share/man
 ETCDIR ?= $(DESTDIR)/etc
-LOCALEDIR = /usr/share/locale
+LOCALEDIR = $(DESTDIR)$(PREFIX)/share/locale
 PAMH ?= $(shell test -f /usr/include/security/pam_appl.h && echo y)
 AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
 # Enable capabilities to permit newrole to generate audit records.
diff --git a/policycoreutils/po/Makefile b/policycoreutils/po/Makefile
index 58148613..c583d23a 100644
--- a/policycoreutils/po/Makefile
+++ b/policycoreutils/po/Makefile
@@ -2,6 +2,7 @@
 # Makefile for the PO files (translation) catalog
 #
 
+PREFIX ?= /usr
 TOP = ../..
 
 # What is this package?
@@ -12,7 +13,7 @@ INSTALL_DATA  = $(INSTALL) -m 644
 INSTALL_DIR= /usr/bin/install -d
 
 # destination directory
-INSTALL_NLS_DIR = $(DESTDIR)/usr/share/locale
+INSTALL_NLS_DIR = $(DESTDIR)$(PREFIX)/share/locale
 
 # PO catalog handling
 MSGMERGE   = msgmerge
diff --git a/policycoreutils/run_init/Makefile 
b/policycoreutils/run_init/Makefile
index 921f0b07..4178493e 100644
--- a/policycoreutils/run_init/Makefile
+++ b/policycoreutils/run_init/Makefile
@@ -1,10 +1,10 @@
 
 # Installation directories.
-PREFIX ?= $(DESTDIR)/usr
-SBINDIR ?= $(PREFIX)/sbin
-MANDIR ?= $(PREFIX)/share/man
+PREFIX ?= /usr
+SBINDIR ?= $(DESTDIR)$(PREFIX)/sbin
+MANDIR ?= $(DESTDIR)$(PREFIX)/share/man
 ETCDIR ?= $(DESTDIR)/etc
-LOCALEDIR ?= /usr/share/locale
+LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale
 PAMH ?= $(shell test -f /usr/include/security/pam_appl.h && echo y)
 AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
 
diff --git a/policycoreutils/scripts/Makefile b/policycoreutils/scripts/Makefile
index d9e86ffe..cfd841ec 100644
--- a/policycoreutils/scripts/Makefile
+++ b/policycoreutils/scripts/Makefile
@@ -1,8 +1,8 @@
 # Installation directories.
-PREFIX ?= $(DESTDIR)/usr
-SBINDIR ?= $(DESTDIR)/sbin
-MANDIR ?= $(PREFIX)/share/man
-LOCALEDIR ?= $(PREFIX)/share/locale
+PREFIX ?= /usr
+SBINDIR ?= $(DESTDIR)$(PREFIX)/sbin
+MANDIR ?= $(DESTDIR)$(PREFIX)/share/man
+LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale
 
 .PHONY: all
 all: fixfiles
diff --git a/policycoreutils/secon/Makefile b/policycoreutils/secon/Makefile
index 8e491d74..4ecbd57d 100644
--- a/policycoreutils/secon/Makefile
+++ b/policycoreutils/secon/Makefile
@@ -1,9 +1,8 @@
 # secon tool - command-line context
-PREFIX ?= $(DESTDIR)/usr
-INCLUDEDIR ?= $(PREFIX)/include
-BINDIR ?= 

[PATCH v2 14/14] build: add prefix for includes in top Makefile

2018-01-16 Thread Marcus Folkesson
Signed-off-by: Marcus Folkesson 
---
 Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 6da7f7b7..74d662d4 100644
--- a/Makefile
+++ b/Makefile
@@ -19,8 +19,8 @@ else
 endif
 
 ifneq ($(DESTDIR),)
-   CFLAGS += -I$(DESTDIR)/usr/include
-   LDFLAGS += -L$(DESTDIR)/usr/lib
+   CFLAGS += -I$(DESTDIR)$(PREFIX)/include
+   LDFLAGS += -L$(DESTDIR)$(PREFIX)/lib
export CFLAGS
export LDFLAGS
 endif
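Review bot: The new -I and -L flags expand $(PREFIX), but nothing in this hunk defines it and the old lines had no need for it; if PREFIX is not assigned earlier in the top-level Makefile (outside the hunk), the staged header path silently becomes $(DESTDIR)/include instead of $(DESTDIR)/usr/include and the build falls back to host headers. Add `PREFIX ?= /usr` near the top of the file, ahead of this ifneq block, so the default matches the per-package Makefiles changed by this series.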
-- 
2.15.1




[PATCH v2 06/14] mcstrans: build: follow standard semantics for DESTDIR and PREFIX

2018-01-16 Thread Marcus Folkesson
Signed-off-by: Marcus Folkesson 
---
 mcstrans/man/Makefile   | 3 ++-
 mcstrans/src/Makefile   | 6 +++---
 mcstrans/utils/Makefile | 6 +++---
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/mcstrans/man/Makefile b/mcstrans/man/Makefile
index 8e971192..5030fa81 100644
--- a/mcstrans/man/Makefile
+++ b/mcstrans/man/Makefile
@@ -1,5 +1,6 @@
 # Installation directories.
-MAN8DIR ?= $(DESTDIR)/usr/share/man/man8
+PREFIX ?= /usr
+MAN8DIR ?= $(DESTDIR)$(PREFIX)/share/man/man8
 
 all:
 
diff --git a/mcstrans/src/Makefile b/mcstrans/src/Makefile
index 3f4a89c3..26423c29 100644
--- a/mcstrans/src/Makefile
+++ b/mcstrans/src/Makefile
@@ -1,9 +1,9 @@
 # Installation directories.
-PREFIX ?= $(DESTDIR)/usr
-LIBDIR ?= $(PREFIX)/lib
+PREFIX ?= /usr
+LIBDIR ?= $(DESTDIR)$(PREFIX)/lib
 SBINDIR ?= $(DESTDIR)/sbin
 INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
-SYSTEMDDIR ?= $(DESTDIR)/usr/lib/systemd
+SYSTEMDDIR ?= $(DESTDIR)$(PREFIX)/lib/systemd
 LIBSEPOLA ?= $(LIBDIR)/libsepol.a
 
 PROG_SRC=mcstrans.c  mcscolor.c  mcstransd.c  mls_level.c
diff --git a/mcstrans/utils/Makefile b/mcstrans/utils/Makefile
index 4d3cbfcb..79eb8438 100644
--- a/mcstrans/utils/Makefile
+++ b/mcstrans/utils/Makefile
@@ -1,7 +1,7 @@
 # Installation directories.
-PREFIX ?= $(DESTDIR)/usr
-LIBDIR ?= $(PREFIX)/lib
-SBINDIR ?= $(PREFIX)/sbin
+PREFIX ?= /usr
+LIBDIR ?= $(DESTDIR)$(PREFIX)/lib
+SBINDIR ?= $(DESTDIR)$(PREFIX)/sbin
 LIBSEPOLA ?= $(LIBDIR)/libsepol.a
 
 CFLAGS ?= -Wall
-- 
2.15.1




[PATCH v2 09/14] restorecond: build: follow standard semantics for DESTDIR and PREFIX

2018-01-16 Thread Marcus Folkesson
Signed-off-by: Marcus Folkesson 
---
 restorecond/Makefile | 11 +--
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/restorecond/Makefile b/restorecond/Makefile
index ada94aeb..a2316947 100644
--- a/restorecond/Makefile
+++ b/restorecond/Makefile
@@ -1,13 +1,12 @@
 PKG_CONFIG ?= pkg-config
 
 # Installation directories.
-PREFIX ?= $(DESTDIR)/usr
-SBINDIR ?= $(PREFIX)/sbin
-LIBDIR ?= $(PREFIX)/lib
-MANDIR = $(PREFIX)/share/man
+PREFIX ?= /usr
+SBINDIR ?= $(DESTDIR)$(PREFIX)/sbin
+MANDIR = $(DESTDIR)$(PREFIX)/share/man
 AUTOSTARTDIR = $(DESTDIR)/etc/xdg/autostart
-DBUSSERVICEDIR = $(DESTDIR)/usr/share/dbus-1/services
-SYSTEMDDIR ?= $(DESTDIR)/usr/lib/systemd
+DBUSSERVICEDIR = $(DESTDIR)$(PREFIX)/share/dbus-1/services
+SYSTEMDDIR ?= $(DESTDIR)$(PREFIX)/lib/systemd
 
 autostart_DATA = sealertauto.desktop
 INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
-- 
2.15.1




[PATCH v2 10/14] sandbox: build: follow standard semantics for DESTDIR and PREFIX

2018-01-16 Thread Marcus Folkesson
Signed-off-by: Marcus Folkesson 
---
 sandbox/Makefile | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/sandbox/Makefile b/sandbox/Makefile
index 05c3d658..5a6b707a 100644
--- a/sandbox/Makefile
+++ b/sandbox/Makefile
@@ -1,14 +1,14 @@
 PYTHON ?= python
 
 # Installation directories.
-PREFIX ?= $(DESTDIR)/usr
+PREFIX ?= /usr
 SYSCONFDIR ?= $(DESTDIR)/etc/sysconfig
-LIBDIR ?= $(PREFIX)/lib
-BINDIR ?= $(PREFIX)/bin
-SBINDIR ?= $(PREFIX)/sbin
-MANDIR ?= $(PREFIX)/share/man
+LIBDIR ?= $(DESTDIR)$(PREFIX)/lib
+BINDIR ?= $(DESTDIR)$(PREFIX)/bin
+SBINDIR ?= $(DESTDIR)$(PREFIX)/sbin
+MANDIR ?= $(DESTDIR)$(PREFIX)/share/man
 LOCALEDIR ?= /usr/share/locale
-SHAREDIR ?= $(PREFIX)/share/sandbox
+SHAREDIR ?= $(DESTDIR)$(PREFIX)/share/sandbox
 override CFLAGS += -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra -W
 override LDLIBS += -lselinux -lcap-ng
 SEUNSHARE_OBJS = seunshare.o
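Review bot: LOCALEDIR is left as the literal /usr/share/locale while every neighbouring directory variable is rebased on $(PREFIX), so `make PREFIX=/myusr install` still points sandbox at /usr/share/locale. For consistency with the rest of the file it should read `LOCALEDIR ?= $(PREFIX)/share/locale`; whether this value is compiled into seunshare or only used at install time is not visible in the hunk, so $(DESTDIR) should be prepended only if it is purely an install path.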
-- 
2.15.1




[PATCH v2 11/14] secilc: build: follow standard semantics for DESTDIR and PREFIX

2018-01-16 Thread Marcus Folkesson
Signed-off-by: Marcus Folkesson 
---
 secilc/Makefile | 8 +++-
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/secilc/Makefile b/secilc/Makefile
index 1cac53e4..5b0a4852 100644
--- a/secilc/Makefile
+++ b/secilc/Makefile
@@ -1,8 +1,6 @@
-PREFIX ?= $(DESTDIR)/usr
-BINDIR ?= $(PREFIX)/bin
-MANDIR ?= $(PREFIX)/share/man
-LIBDIR ?= $(PREFIX)/lib
-INCLUDEDIR ?= $(PREFIX)/include
+PREFIX ?= /usr
+BINDIR ?= $(DESTDIR)$(PREFIX)/bin
+MANDIR ?= $(DESTDIR)$(PREFIX)/share/man
 
 SECILC = secilc
 SECILC_SRCS := secilc.c
-- 
2.15.1




[PATCH v2 12/14] semodule-utils: build: follow standard semantics for DESTDIR and PREFIX

2018-01-16 Thread Marcus Folkesson
Signed-off-by: Marcus Folkesson 
---
 semodule-utils/semodule_expand/Makefile  | 8 +++-
 semodule-utils/semodule_link/Makefile| 8 +++-
 semodule-utils/semodule_package/Makefile | 8 +++-
 3 files changed, 9 insertions(+), 15 deletions(-)

diff --git a/semodule-utils/semodule_expand/Makefile 
b/semodule-utils/semodule_expand/Makefile
index 072f2137..c2ab3f65 100644
--- a/semodule-utils/semodule_expand/Makefile
+++ b/semodule-utils/semodule_expand/Makefile
@@ -1,9 +1,7 @@
 # Installation directories.
-PREFIX ?= $(DESTDIR)/usr
-INCLUDEDIR ?= $(PREFIX)/include
-BINDIR ?= $(PREFIX)/bin
-LIBDIR ?= $(PREFIX)/lib
-MANDIR ?= $(PREFIX)/share/man
+PREFIX ?= /usr
+BINDIR ?= $(DESTDIR)$(PREFIX)/bin
+MANDIR ?= $(DESTDIR)$(PREFIX)/share/man
 
 CFLAGS ?= -Werror -Wall -W
 override LDLIBS += -lsepol
diff --git a/semodule-utils/semodule_link/Makefile 
b/semodule-utils/semodule_link/Makefile
index cc4687bd..bcf98765 100644
--- a/semodule-utils/semodule_link/Makefile
+++ b/semodule-utils/semodule_link/Makefile
@@ -1,9 +1,7 @@
 # Installation directories.
-PREFIX ?= $(DESTDIR)/usr
-INCLUDEDIR ?= $(PREFIX)/include
-BINDIR ?= $(PREFIX)/bin
-MANDIR ?= $(PREFIX)/share/man
-LIBDIR ?= $(PREFIX)/lib
+PREFIX ?= /usr
+BINDIR ?= $(DESTDIR)$(PREFIX)/bin
+MANDIR ?= $(DESTDIR)$(PREFIX)/share/man
 
 CFLAGS ?= -Werror -Wall -W
 override LDLIBS += -lsepol
diff --git a/semodule-utils/semodule_package/Makefile 
b/semodule-utils/semodule_package/Makefile
index 96dd7c4f..33a95e16 100644
--- a/semodule-utils/semodule_package/Makefile
+++ b/semodule-utils/semodule_package/Makefile
@@ -1,9 +1,7 @@
 # Installation directories.
-PREFIX ?= $(DESTDIR)/usr
-INCLUDEDIR ?= $(PREFIX)/include
-BINDIR ?= $(PREFIX)/bin
-LIBDIR ?= $(PREFIX)/lib
-MANDIR ?= $(PREFIX)/share/man
+PREFIX ?= /usr
+BINDIR ?= $(DESTDIR)$(PREFIX)/bin
+MANDIR ?= $(DESTDIR)$(PREFIX)/share/man
 
 CFLAGS ?= -Werror -Wall -W
 override LDLIBS += -lsepol
-- 
2.15.1




Rework of Makefiles v2

2018-01-16 Thread Marcus Folkesson
Hi,

I have updated the patchset.

Please test by building and installing with:
make DESTDIR=/tmp/myroot PREFIX=/myusr install


Changes:
v2:
- Use separate directories for shared libraries as before (comment from
  Stephen Smalley)
- Rework all packages (not just selinux/sepol/semanage)


Best regards
Marcus Folkesson





[PATCH v2 02/14] libselinux: build: follow standard semantics for DESTDIR and PREFIX

2018-01-16 Thread Marcus Folkesson
This patch solves the following issues:
- The pkg-config files generate odd paths when using DESTDIR without PREFIX
- DESTDIR is needed during compile time to compute library and header paths 
which it should not.
- Installing with both DESTDIR and PREFIX set gives us odd paths
- Make usage of DESTDIR and PREFIX more standard

Signed-off-by: Marcus Folkesson 
---
 libselinux/include/Makefile |  4 ++--
 libselinux/man/Makefile |  7 ---
 libselinux/src/Makefile | 12 +---
 libselinux/src/libselinux.pc.in |  2 +-
 libselinux/utils/Makefile   |  6 ++
 5 files changed, 14 insertions(+), 17 deletions(-)

diff --git a/libselinux/include/Makefile b/libselinux/include/Makefile
index 757a6c9c..3b51f5ce 100644
--- a/libselinux/include/Makefile
+++ b/libselinux/include/Makefile
@@ -1,6 +1,6 @@
 # Installation directories.
-PREFIX ?= $(DESTDIR)/usr
-INCDIR ?= $(PREFIX)/include/selinux
+PREFIX ?= /usr
+INCDIR = $(DESTDIR)$(PREFIX)/include/selinux
 
 all:
 
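Review bot: INCDIR changes from `?=` to `=`, which removes the ability to override the header install directory from the environment or command line that every other directory variable in this series keeps (libsemanage/include/Makefile in patch 03/14 retains `INCDIR ?=`). Unless forbidding the override is deliberate, keep `INCDIR ?= $(DESTDIR)$(PREFIX)/include/selinux`. libsepol/include/Makefile in patch 01/14 makes the same `?=` to `=` change.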
diff --git a/libselinux/man/Makefile b/libselinux/man/Makefile
index 0643e6af..233bfaa9 100644
--- a/libselinux/man/Makefile
+++ b/libselinux/man/Makefile
@@ -1,7 +1,8 @@
 # Installation directories.
-MAN8DIR ?= $(DESTDIR)/usr/share/man/man8
-MAN5DIR ?= $(DESTDIR)/usr/share/man/man5
-MAN3DIR ?= $(DESTDIR)/usr/share/man/man3
+PREFIX ?= /usr
+MAN8DIR ?= $(DESTDIR)$(PREFIX)/share/man/man8
+MAN5DIR ?= $(DESTDIR)$(PREFIX)/share/man/man5
+MAN3DIR ?= $(DESTDIR)$(PREFIX)/share/man/man3
 
 all:
 
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 18df75c8..18a58164 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -8,8 +8,8 @@ RUBYPREFIX ?= $(notdir $(RUBY))
 PKG_CONFIG ?= pkg-config
 
 # Installation directories.
-PREFIX ?= $(DESTDIR)/usr
-LIBDIR ?= $(PREFIX)/lib
+PREFIX ?= /usr
+LIBDIR ?= $(DESTDIR)$(PREFIX)/lib
 SHLIBDIR ?= $(DESTDIR)/lib
 INCLUDEDIR ?= $(PREFIX)/include
 PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX))
@@ -19,8 +19,6 @@ PYCEXT ?= $(shell $(PYTHON) -c 'import imp;print([s for s,m,t 
in imp.get_suffixe
 RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + RbConfig::CONFIG["rubyarchhdrdir"] 
+ " -I" + RbConfig::CONFIG["rubyhdrdir"]')
 RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG["libdir"] + " -L" 
+ RbConfig::CONFIG["archlibdir"] + " " + RbConfig::CONFIG["LIBRUBYARG_SHARED"]')
 RUBYINSTALL ?= $(DESTDIR)$(shell $(RUBY) -e 'puts 
RbConfig::CONFIG["vendorarchdir"]')
-LIBBASE ?= $(shell basename $(LIBDIR))
-LIBSEPOLA ?= $(LIBDIR)/libsepol.a
 
 VERSION = $(shell cat ../VERSION)
 LIBVERSION = 1
@@ -148,7 +146,7 @@ $(LIBSO): $(LOBJS)
ln -sf $@ $(TARGET)
 
 $(LIBPC): $(LIBPC).in ../VERSION
-   sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; 
s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):; 
s:@PCRE_MODULE@:$(PCRE_MODULE):' < $< > $@
+   sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; 
s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):; 
s:@PCRE_MODULE@:$(PCRE_MODULE):' < $< > $@
 
 selinuxswig_python_exception.i: ../include/selinux/selinux.h
bash -e exception.sh > $@ || (rm -f $@ ; false)
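Review bot: The $(LIBPC) rule now substitutes $(LIBDIR) into @libdir@, and earlier in this patch LIBDIR becomes $(DESTDIR)$(PREFIX)/lib, so a staged `make DESTDIR=/tmp/myroot install` writes a libselinux.pc with libdir=/tmp/myroot/usr/lib — the kind of odd pkg-config path the commit message says it fixes. The install-time and pkg-config notions of libdir need to be separated: keep `LIBDIR ?= $(PREFIX)/lib` without DESTDIR and prepend $(DESTDIR) in the install recipe (which lies outside this hunk), or substitute a DESTDIR-free variable here. The same pattern appears in libsemanage/src/Makefile (patch 03/14) and libsepol/src/Makefile (patch 01/14).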
@@ -156,8 +154,8 @@ selinuxswig_python_exception.i: ../include/selinux/selinux.h
 $(AUDIT2WHYLOBJ): audit2why.c
$(CC) $(filter-out -Werror, $(CFLAGS)) $(PYINC) -fPIC -DSHARED -c -o $@ 
$<
 
-$(AUDIT2WHYSO): $(AUDIT2WHYLOBJ) $(LIBSEPOLA)
-   $(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux $(PYLIBS)
+$(AUDIT2WHYSO): $(AUDIT2WHYLOBJ)
+   $(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux $(PYLIBS) 
-l:libsepol.a
 
 %.o:  %.c policy.h
$(CC) $(CFLAGS) $(TLSFLAGS) -c -o $@ $<
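Review bot: Dropping $(LIBSEPOLA) from the prerequisites of $(AUDIT2WHYSO) means a rebuilt libsepol.a no longer triggers a relink of the audit2why module, and `-l:libsepol.a` relies on the GNU ld colon syntax plus the archive being reachable through the -L search path (the top-level Makefile's -L$(DESTDIR)$(PREFIX)/lib or the system library directories). If the aim is only to stop deriving the archive path from DESTDIR at parse time, keeping the explicit file prerequisite with a DESTDIR-free LIBSEPOLA preserves dependency tracking; otherwise the lost dependency and the GNU ld requirement should be stated in the commit message.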
diff --git a/libselinux/src/libselinux.pc.in b/libselinux/src/libselinux.pc.in
index 2e90a844..7c66b1fa 100644
--- a/libselinux/src/libselinux.pc.in
+++ b/libselinux/src/libselinux.pc.in
@@ -1,6 +1,6 @@
 prefix=@prefix@
 exec_prefix=${prefix}
-libdir=${exec_prefix}/@libdir@
+libdir=@libdir@
 includedir=@includedir@
 
 Name: libselinux
diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile
index eb4851a9..9adce6d3 100644
--- a/libselinux/utils/Makefile
+++ b/libselinux/utils/Makefile
@@ -1,8 +1,6 @@
 # Installation directories.
-PREFIX ?= $(DESTDIR)/usr
-LIBDIR ?= $(PREFIX)/lib
-SBINDIR ?= $(PREFIX)/sbin
-INCLUDEDIR ?= $(PREFIX)/include
+PREFIX ?= /usr
+SBINDIR ?= $(DESTDIR)$(PREFIX)/sbin
 
 OS ?= $(shell uname)
 
-- 
2.15.1




[PATCH v2 03/14] libsemanage: build: follow standard semantics for DESTDIR and PREFIX

2018-01-16 Thread Marcus Folkesson
This patch solves the following issues:
- DESTDIR is needed during compile time to compute library and header paths 
which it should not.
- Installing with both DESTDIR and PREFIX set gives us odd paths
- Make usage of DESTDIR and PREFIX more standard

Signed-off-by: Marcus Folkesson 
---
 libsemanage/include/Makefile  | 4 ++--
 libsemanage/man/Makefile  | 5 +++--
 libsemanage/src/Makefile  | 9 +++--
 libsemanage/src/libsemanage.pc.in | 2 +-
 libsemanage/tests/Makefile| 3 ---
 libsemanage/utils/Makefile| 4 ++--
 6 files changed, 11 insertions(+), 16 deletions(-)

diff --git a/libsemanage/include/Makefile b/libsemanage/include/Makefile
index b660660e..f4234b9e 100644
--- a/libsemanage/include/Makefile
+++ b/libsemanage/include/Makefile
@@ -1,6 +1,6 @@
 # Installation directories.
-PREFIX ?= $(DESTDIR)/usr
-INCDIR ?= $(PREFIX)/include/semanage
+PREFIX ?= /usr
+INCDIR ?= $(DESTDIR)$(PREFIX)/include/semanage
 
 all:
 
diff --git a/libsemanage/man/Makefile b/libsemanage/man/Makefile
index 852043d4..43c2b3f6 100644
--- a/libsemanage/man/Makefile
+++ b/libsemanage/man/Makefile
@@ -1,6 +1,7 @@
 # Installation directories.
-MAN3DIR ?= $(DESTDIR)/usr/share/man/man3
-MAN5DIR ?= $(DESTDIR)/usr/share/man/man5
+PREFIX ?= /usr
+MAN3DIR ?= $(DESTDIR)$(PREFIX)/share/man/man3
+MAN5DIR ?= $(DESTDIR)$(PREFIX)/share/man/man5
 
 all:
 
diff --git a/libsemanage/src/Makefile b/libsemanage/src/Makefile
index fdb178f5..f66d1b73 100644
--- a/libsemanage/src/Makefile
+++ b/libsemanage/src/Makefile
@@ -8,9 +8,8 @@ RUBYPREFIX ?= $(notdir $(RUBY))
 PKG_CONFIG ?= pkg-config
 
 # Installation directories.
-PREFIX ?= $(DESTDIR)/usr
-LIBDIR ?= $(PREFIX)/lib
-SHLIBDIR ?= $(DESTDIR)/lib
+PREFIX ?= /usr
+LIBDIR ?= $(DESTDIR)$(PREFIX)/lib
 INCLUDEDIR ?= $(PREFIX)/include
 PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX))
 PYLIBS ?= $(shell $(PKG_CONFIG) --libs $(PYPREFIX))
@@ -20,8 +19,6 @@ RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + 
RbConfig::CONFIG["rubyarchhdrdir"] +
 RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG["libdir"] + " -L" 
+ RbConfig::CONFIG["archlibdir"] + " " + RbConfig::CONFIG["LIBRUBYARG_SHARED"]')
 RUBYINSTALL ?= $(DESTDIR)$(shell $(RUBY) -e 'puts 
RbConfig::CONFIG["vendorarchdir"]')
 
-LIBBASE=$(shell basename $(LIBDIR))
-
 DEFAULT_SEMANAGE_CONF_LOCATION=$(DESTDIR)/etc/selinux/semanage.conf
 
 ifeq ($(DEBUG),1)
@@ -95,7 +92,7 @@ $(LIBSO): $(LOBJS)
ln -sf $@ $(TARGET)
 
 $(LIBPC): $(LIBPC).in ../VERSION
-   sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; 
s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):' < $< > $@
+   sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; 
s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):' < $< > $@
 
 semanageswig_python_exception.i: ../include/semanage/semanage.h
bash -e exception.sh > $@ || (rm -f $@ ; false)
diff --git a/libsemanage/src/libsemanage.pc.in 
b/libsemanage/src/libsemanage.pc.in
index d3eaa062..43681ddb 100644
--- a/libsemanage/src/libsemanage.pc.in
+++ b/libsemanage/src/libsemanage.pc.in
@@ -1,6 +1,6 @@
 prefix=@prefix@
 exec_prefix=${prefix}
-libdir=${exec_prefix}/@libdir@
+libdir=@libdir@
 includedir=@includedir@
 
 Name: libsemanage
diff --git a/libsemanage/tests/Makefile b/libsemanage/tests/Makefile
index 2ef8d30d..324766a0 100644
--- a/libsemanage/tests/Makefile
+++ b/libsemanage/tests/Makefile
@@ -1,6 +1,3 @@
-PREFIX ?= $(DESTDIR)/usr
-LIBDIR ?= $(PREFIX)/lib
-
 # Add your test source files here:
 SOURCES = $(sort $(wildcard *.c))
 
diff --git a/libsemanage/utils/Makefile b/libsemanage/utils/Makefile
index 725f0eec..f527ad07 100644
--- a/libsemanage/utils/Makefile
+++ b/libsemanage/utils/Makefile
@@ -1,6 +1,6 @@
 # Installation directories.
-PREFIX ?= $(DESTDIR)/usr
-LIBEXECDIR ?= $(PREFIX)/libexec
+PREFIX ?= /usr
+LIBEXECDIR ?= $(DESTDIR)$(PREFIX)/libexec
 SELINUXEXECDIR ?= $(LIBEXECDIR)/selinux/
 
 all:
-- 
2.15.1




[PATCH v2 05/14] gui: build: follow standard semantics for DESTDIR and PREFIX

2018-01-16 Thread Marcus Folkesson
Signed-off-by: Marcus Folkesson 
---
 gui/Makefile | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/gui/Makefile b/gui/Makefile
index cfe47405..5efd17d7 100644
--- a/gui/Makefile
+++ b/gui/Makefile
@@ -1,9 +1,9 @@
 # Installation directories.
-PREFIX ?= ${DESTDIR}/usr
-BINDIR ?= $(PREFIX)/bin
-SHAREDIR ?= $(PREFIX)/share/system-config-selinux
-DATADIR ?= $(PREFIX)/share
-MANDIR ?= $(PREFIX)/share/man
+PREFIX ?= /usr
+BINDIR ?= $(DESTDIR)$(PREFIX)/bin
+SHAREDIR ?= $(DESTDIR)$(PREFIX)/share/system-config-selinux
+DATADIR ?= $(DESTDIR)$(PREFIX)/share
+MANDIR ?= $(DESTDIR)$(PREFIX)/share/man
 
 TARGETS= \
 booleansPage.py \
-- 
2.15.1




[PATCH v2 04/14] checkpolicy: build: follow standard semantics for DESTDIR and PREFIX

2018-01-16 Thread Marcus Folkesson
This patch solves the following issues:
- DESTDIR is needed during compile time to compute library
  and header paths which it should not.
- Installing with both DESTDIR and PREFIX set gives us odd paths
- Make usage of DESTDIR and PREFIX more standard

Signed-off-by: Marcus Folkesson 
---
 checkpolicy/Makefile  | 9 -
 checkpolicy/test/Makefile | 7 +++
 2 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/checkpolicy/Makefile b/checkpolicy/Makefile
index 68e11f2a..0c341d02 100644
--- a/checkpolicy/Makefile
+++ b/checkpolicy/Makefile
@@ -1,11 +1,10 @@
 #
 # Makefile for building the checkpolicy program
 #
-PREFIX ?= $(DESTDIR)/usr
-BINDIR ?= $(PREFIX)/bin
-MANDIR ?= $(PREFIX)/share/man
-LIBDIR ?= $(PREFIX)/lib
-INCLUDEDIR ?= $(PREFIX)/include
+PREFIX ?= /usr
+BINDIR ?= $(DESTDIR)$(PREFIX)/bin
+MANDIR ?= $(DESTDIR)$(PREFIX)/share/man
+LIBDIR ?= $(DESTDIR)$(PREFIX)/lib
 LIBSEPOLA ?= $(LIBDIR)/libsepol.a
 TARGETS = checkpolicy checkmodule
 
diff --git a/checkpolicy/test/Makefile b/checkpolicy/test/Makefile
index 59fa4460..8f4393d2 100644
--- a/checkpolicy/test/Makefile
+++ b/checkpolicy/test/Makefile
@@ -1,10 +1,9 @@
 #
 # Makefile for building the dispol program
 #
-PREFIX ?= $(DESTDIR)/usr
-BINDIR ?= $(PREFIX)/bin
-LIBDIR ?= $(PREFIX)/lib
-INCLUDEDIR ?= $(PREFIX)/include
+PREFIX ?= /usr
+BINDIR ?= $(DESTDIR)$(PREFIX)/bin
+LIBDIR ?= $(DESTDIR)$(PREFIX)/lib
 LIBSEPOLA ?= $(LIBDIR)/libsepol.a
 
 CFLAGS ?= -g -Wall -W -Werror -O2 -pipe
-- 
2.15.1




[PATCH v2 08/14] python: build: follow standard semantics for DESTDIR and PREFIX

2018-01-16 Thread Marcus Folkesson
Signed-off-by: Marcus Folkesson 
---
 python/audit2allow/Makefile   | 10 --
 python/chcat/Makefile |  8 
 python/semanage/Makefile  | 13 ++---
 python/sepolgen/src/sepolgen/Makefile |  3 ++-
 python/sepolicy/Makefile  | 18 +-
 5 files changed, 25 insertions(+), 27 deletions(-)

diff --git a/python/audit2allow/Makefile b/python/audit2allow/Makefile
index 8db8075f..a73c8c68 100644
--- a/python/audit2allow/Makefile
+++ b/python/audit2allow/Makefile
@@ -1,12 +1,10 @@
 PYTHON ?= python
 
 # Installation directories.
-PREFIX ?= $(DESTDIR)/usr
-BINDIR ?= $(PREFIX)/bin
-LIBDIR ?= $(PREFIX)/lib
-MANDIR ?= $(PREFIX)/share/man
-LOCALEDIR ?= /usr/share/locale
-INCLUDEDIR ?= $(PREFIX)/include
+PREFIX ?= /usr
+BINDIR ?= $(DESTDIR)$(PREFIX)/bin
+LIBDIR ?= $(DESTDIR)$(PREFIX)/lib
+MANDIR ?= $(DESTDIR)$(PREFIX)/share/man
 LIBSEPOLA ?= $(LIBDIR)/libsepol.a
 
 CFLAGS ?= -Werror -Wall -W
diff --git a/python/chcat/Makefile b/python/chcat/Makefile
index 0fd12d6d..947734a0 100644
--- a/python/chcat/Makefile
+++ b/python/chcat/Makefile
@@ -1,8 +1,8 @@
 # Installation directories.
-PREFIX ?= $(DESTDIR)/usr
-BINDIR ?= $(PREFIX)/bin
-MANDIR ?= $(PREFIX)/share/man
-LOCALEDIR ?= $(PREFIX)/share/locale
+PREFIX ?= /usr
+BINDIR ?= $(DESTDIR)$(PREFIX)/bin
+MANDIR ?= $(DESTDIR)$(PREFIX)/share/man
+LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale
 
 .PHONY: all
 all: chcat
diff --git a/python/semanage/Makefile b/python/semanage/Makefile
index 132162bc..70759087 100644
--- a/python/semanage/Makefile
+++ b/python/semanage/Makefile
@@ -1,13 +1,12 @@
 PYTHON ?= python
 
 # Installation directories.
-PREFIX ?= $(DESTDIR)/usr
-LIBDIR ?= $(PREFIX)/lib
-SBINDIR ?= $(PREFIX)/sbin
-MANDIR = $(PREFIX)/share/man
-PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; 
print(get_python_lib(1))")
-PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)
-BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions
+PREFIX ?= /usr
+SBINDIR ?= $(DESTDIR)$(PREFIX)/sbin
+MANDIR = $(DESTDIR)$(PREFIX)/share/man
+PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; 
print(get_python_lib(prefix='$(PREFIX)'))")
+PACKAGEDIR ?= $(DESTDIR)$(PYTHONLIBDIR)
+BASHCOMPLETIONDIR ?= $(DESTDIR)$(PREFIX)/share/bash-completion/completions
 
 TARGETS=semanage
 
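Review bot: The PYTHONLIBDIR probe changes from `get_python_lib(1)` to `get_python_lib(prefix='$(PREFIX)')`, silently dropping plat_specific=1; on distributions with a separate lib64 platform directory this moves the package from the platform site-packages to the pure-Python one. If that relocation is intended it belongs in the commit message; otherwise keep the flag with `get_python_lib(1, prefix='$(PREFIX)')`. python/sepolgen/src/sepolgen/Makefile in this patch makes the same change, and its PACKAGEDIR keeps the old `$(DESTDIR)/$(PYTHONLIBDIR)` form while this file switches to `$(DESTDIR)$(PYTHONLIBDIR)`; the two should agree.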
diff --git a/python/sepolgen/src/sepolgen/Makefile 
b/python/sepolgen/src/sepolgen/Makefile
index d3aa7715..2121a955 100644
--- a/python/sepolgen/src/sepolgen/Makefile
+++ b/python/sepolgen/src/sepolgen/Makefile
@@ -1,5 +1,6 @@
+PREFIX ?= /usr
 PYTHON ?= python
-PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; 
print(get_python_lib(1))")
+PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; 
print(get_python_lib(prefix='$(PREFIX)'))")
 PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)/sepolgen
 
 all:
diff --git a/python/sepolicy/Makefile b/python/sepolicy/Makefile
index 5a56e6c8..c528ae43 100644
--- a/python/sepolicy/Makefile
+++ b/python/sepolicy/Makefile
@@ -1,14 +1,14 @@
 PYTHON ?= python
 
 # Installation directories.
-PREFIX ?= $(DESTDIR)/usr
-LIBDIR ?= $(PREFIX)/lib
-BINDIR ?= $(PREFIX)/bin
-DATADIR ?= $(PREFIX)/share
-MANDIR ?= $(PREFIX)/share/man
-LOCALEDIR ?= /usr/share/locale
-BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions
-SHAREDIR ?= $(PREFIX)/share/sandbox
+PREFIX ?= /usr
+LIBDIR ?= $(DESTDIR)$(PREFIX)/lib
+BINDIR ?= $(DESTDIR)$(PREFIX)/bin
+DATADIR ?= $(DESTDIR)$(PREFIX)/share
+MANDIR ?= $(DESTDIR)$(PREFIX)/share/man
+LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale
+BASHCOMPLETIONDIR ?= $(DESTDIR)$(PREFIX)/share/bash-completion/completions
+SHAREDIR ?= $(DESTDIR)$(PREFIX)/share/sandbox
 CFLAGS ?= -Wall -Werror -Wextra -W
 override CFLAGS += -DPACKAGE="policycoreutils" -DSHARED -shared
 
@@ -30,7 +30,7 @@ test:
@$(PYTHON) test_sepolicy.py -v
 
 install:
-   $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root 
$(DESTDIR)`
+   $(PYTHON) setup.py install --prefix=$(PREFIX) `test -n 
"$(DESTDIR)$(PREFIX)" && echo --root $(DESTDIR)$(PREFIX)`
[ -d $(BINDIR) ] || mkdir -p $(BINDIR)
install -m 755 sepolicy.py $(BINDIR)/sepolicy
(cd $(BINDIR); ln -sf sepolicy sepolgen)
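Review bot: The rewritten setup.py line passes `--root $(DESTDIR)$(PREFIX)`, and because PREFIX now defaults to /usr the `test -n` guard is always true, so a plain `make install` runs setup.py with --prefix=/usr --root=/usr and a staged install lands under $(DESTDIR)/usr/usr/...; --root must be the staging directory alone. Restore `test -n "$(DESTDIR)" && echo --root $(DESTDIR)` inside the command substitution while keeping the new `--prefix=$(PREFIX)`. The install recipe continues past the end of the hunk.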
-- 
2.15.1




[PATCH v2 01/14] libsepol: build: follow standard semantics for DESTDIR and PREFIX

2018-01-16 Thread Marcus Folkesson
This patch solves the following issues:
- The pkg-config files generate odd paths when using DESTDIR without PREFIX
- DESTDIR is needed during compile time to compute library and header paths 
which it should not.
- Installing with both DESTDIR and PREFIX set gives us odd paths
- Make usage of DESTDIR and PREFIX more standard

Signed-off-by: Marcus Folkesson 
---
 README  | 2 +-
 libsepol/include/Makefile   | 4 ++--
 libsepol/man/Makefile   | 5 +++--
 libsepol/src/Makefile   | 7 +++
 libsepol/src/libsepol.pc.in | 2 +-
 libsepol/utils/Makefile | 4 ++--
 6 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/README b/README
index 7fc7b17b..174551a1 100644
--- a/README
+++ b/README
@@ -19,6 +19,6 @@ lacks library functions or other dependencies relied upon by 
your
 distribution.  If it breaks, you get to keep both pieces.
 
 To install libsepol on macOS (mainly for policy analysis):
-cd libsepol; make DESTDIR=/usr/local PREFIX=/usr/local install
+cd libsepol; make PREFIX=/usr/local install
 
 This requires GNU coreutils (brew install coreutils).
diff --git a/libsepol/include/Makefile b/libsepol/include/Makefile
index 56b7a114..ad5c34a4 100644
--- a/libsepol/include/Makefile
+++ b/libsepol/include/Makefile
@@ -1,6 +1,6 @@
 # Installation directories.
-PREFIX ?= $(DESTDIR)/usr
-INCDIR ?= $(PREFIX)/include/sepol
+PREFIX ?= /usr
+INCDIR = $(DESTDIR)$(PREFIX)/include/sepol
 CILDIR ?= ../cil
 
 all:
diff --git a/libsepol/man/Makefile b/libsepol/man/Makefile
index 11924334..4f3d9fa2 100644
--- a/libsepol/man/Makefile
+++ b/libsepol/man/Makefile
@@ -1,6 +1,7 @@
 # Installation directories.
-MAN8DIR ?= $(DESTDIR)/usr/share/man/man8
-MAN3DIR ?= $(DESTDIR)/usr/share/man/man3
+PREFIX ?= /usr
+MAN8DIR ?= $(DESTDIR)$(PREFIX)/share/man/man8
+MAN3DIR ?= $(DESTDIR)$(PREFIX)/share/man/man3
 
 all:
 
diff --git a/libsepol/src/Makefile b/libsepol/src/Makefile
index 819d261b..d158398f 100644
--- a/libsepol/src/Makefile
+++ b/libsepol/src/Makefile
@@ -1,10 +1,9 @@
 # Installation directories.
-PREFIX ?= $(DESTDIR)/usr
+PREFIX ?= /usr
 INCLUDEDIR ?= $(PREFIX)/include
-LIBDIR ?= $(PREFIX)/lib
+LIBDIR ?= $(DESTDIR)$(PREFIX)/lib
 SHLIBDIR ?= $(DESTDIR)/lib
 RANLIB ?= ranlib
-LIBBASE ?= $(shell basename $(LIBDIR))
 CILDIR ?= ../cil
 
 VERSION = $(shell cat ../VERSION)
@@ -52,7 +51,7 @@ $(LIBSO): $(LOBJS) $(LIBMAP)
ln -sf $@ $(TARGET) 
 
 $(LIBPC): $(LIBPC).in ../VERSION
-   sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; 
s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):' < $< > $@
+   sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; 
s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):' < $< > $@
 
 $(LIBMAP): $(LIBMAP).in
 ifneq ($(DISABLE_CIL),y)
diff --git a/libsepol/src/libsepol.pc.in b/libsepol/src/libsepol.pc.in
index e52f5892..f807fec6 100644
--- a/libsepol/src/libsepol.pc.in
+++ b/libsepol/src/libsepol.pc.in
@@ -1,6 +1,6 @@
 prefix=@prefix@
 exec_prefix=${prefix}
-libdir=${exec_prefix}/@libdir@
+libdir=@libdir@
 includedir=@includedir@
 
 Name: libsepol
diff --git a/libsepol/utils/Makefile b/libsepol/utils/Makefile
index fba1d8a0..8ce4bf47 100644
--- a/libsepol/utils/Makefile
+++ b/libsepol/utils/Makefile
@@ -1,6 +1,6 @@
 # Installation directories.
-PREFIX ?= $(DESTDIR)/usr
-BINDIR ?= $(PREFIX)/bin
+PREFIX ?= /usr
+BINDIR ?= $(DESTDIR)$(PREFIX)/bin
 
 CFLAGS ?= -Wall -Werror
 override CFLAGS += -I../include
-- 
2.15.1




Re: [PATCH] libsemanage: Allow tmp files to be kept if a compile fails

2018-01-16 Thread William Roberts
On Tue, Jan 16, 2018 at 8:00 AM, Stephen Smalley  wrote:
> On Tue, 2018-01-16 at 07:47 -0800, William Roberts wrote:
>> On Mon, Jan 15, 2018 at 9:32 AM, Stephen Smalley
>>  wrote:
>> > On Jan 14, 2018 10:36 AM, "Richard Haines" > > rnet.com>
>> > wrote:
>> >
>> > Add new option to semanage.conf that allows the tmp build files
>> > to be kept for debugging when building policy.
>> >
>> >
>> > Would it be better to just retain the files by default if there is
>> > an error?
>>
>> I thought about this as well, my reasoning as to why Richard's
>> approach was
>> better is that if someone does it N times trying to figure out an
>> issue,
>> then there would be N piles of files in the tmp folder. This way they
>> have to opt in to have their tmp folder spammed.
>
> I believe that the tmp directories are deleted and re-created by
> libsemanage each time before use (otherwise we'd have a different
> problem with not removing them, since we could end up with a mix of
> files from different, incomplete transactions being intermingled
> there). So I don't think this would be a problem.  It might however

Oh I see, it looks like it's just generating a /tmp "store" directory
under the semanage path. I thought that enum was triggering a true
/tmp style thing. I should have looked closer.

> require saving the commit success/failure result in the handle so that
> we know in semanage_direct_disconnect() whether or not we should delete
> it.

Now that I understand that tidbit, I think you're right, let's just
leave it on error.

>
> If we truly need to make it optional, then I'd rather have it be an
> option flag to semodule and a runtime setting of libsemanage (ala
> reload, disable_dontaudit, etc) than a semanage.conf setting, as this
> is something a user will want to be able to use without having to edit
> a config file, re-run the transaction, and then re-edit the config file
> each time.  But I'm not convinced we can't just make it the default
> behavior whenever the commit fails.  Deleting the tmp files
> automatically only really makes sense when it succeeds.



>
>>
>> >
>> >
>> > Signed-off-by: Richard Haines 
>> > ---
>> >  libsemanage/man/man5/semanage.conf.5 |  8 
>> >  libsemanage/src/conf-parse.y | 15 ++-
>> >  libsemanage/src/conf-scan.l  |  1 +
>> >  libsemanage/src/direct_api.c | 21 -
>> >  libsemanage/src/semanage_conf.h  |  1 +
>> >  5 files changed, 36 insertions(+), 10 deletions(-)
>> >
>> > diff --git a/libsemanage/man/man5/semanage.conf.5
>> > b/libsemanage/man/man5/semanage.conf.5
>> > index 8f8de55a..10cab65a 100644
>> > --- a/libsemanage/man/man5/semanage.conf.5
>> > +++ b/libsemanage/man/man5/semanage.conf.5
>> > @@ -121,6 +121,14 @@ and by default it is set to "false".
>> >  Please note that since this option deletes all HLL files, an
>> > updated HLL
>> > compiler will not be able to recompile the original HLL file into
>> > CIL.
>> >  In order to compile the original HLL file into CIL, the same HLL
>> > file will
>> > need to be reinstalled.
>> >
>> > +.TP
>> > +.B retain-tmp
>> > +When set to "true", tmp directories (the sandbox at
>> > \fBstore-root/\fR[\fIpolicy-store\fR]\fB/tmp \fRand/or the final
>> > policy at
>> > \fBstore-root/final/\fR[\fIpolicy-store\fR]) will be retained after
>> > compilation to allow debugging of any build errors. Note that on a
>> > successful build the sandbox becomes
>> > \fBstore-root/\fR[\fIpolicy-store\fR]\fB/active\fR.
>> > +.br
>> > +The
>> > +.B retain-tmp
>> > +option can be set to either "true" or "false" and by default it is
>> > set to
>> > "false".
>> > +
>> >  .SH "SEE ALSO"
>> >  .TP
>> >  semanage(8)
>> > diff --git a/libsemanage/src/conf-parse.y b/libsemanage/src/conf-
>> > parse.y
>> > index b527e893..f098e55d 100644
>> > --- a/libsemanage/src/conf-parse.y
>> > +++ b/libsemanage/src/conf-parse.y
>> > @@ -61,7 +61,7 @@ static int parse_errors;
>> >
>> >  %token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS
>> > SAVE_LINKED TARGET_PLATFORM COMPILER_DIR IGNORE_MODULE_CACHE
>> > STORE_ROOT
>> >  %token LOAD_POLICY_START SETFILES_START SEFCONTEXT_COMPILE_START
>> > DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN USEPASSWD IGNOREDIRS
>> > -%token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL
>> > +%token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL RETAIN_TMP
>> >  %token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START
>> > BLOCK_END
>> >  %token PROG_PATH PROG_ARGS
>> >  %token  ARG
>> > @@ -95,6 +95,7 @@ single_opt: module_store
>> > |   bzip_blocksize
>> > |   bzip_small
>> > |   remove_hll
>> > +   |   retain_tmp
>> >  ;
>> >
>> >  module_store:   MODULE_STORE '=' ARG {
>> > @@ -268,6 +269,17 @@ remove_hll:  REMOVE_HLL'=' ARG {
>> > free($3);
>> >  }
>> >
>> > +retain_tmp:  RETAIN_TMP'=' ARG {
>> > +   if 

Re: ANN: Reference Policy 2.20180114

2018-01-16 Thread Stephen Smalley
On Sun, 2018-01-14 at 15:02 -0500, Chris PeBenito via refpolicy wrote:
> A new release, 2.20180114, of the SELinux Reference Policy is now 
> available on the GitHub site:
> 
> https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease

Could we get the nnp_nosuid_transition policy capability enabled in the
next release?



Re: [PATCH] libsemanage: Allow tmp files to be kept if a compile fails

2018-01-16 Thread Stephen Smalley
On Tue, 2018-01-16 at 07:47 -0800, William Roberts wrote:
> On Mon, Jan 15, 2018 at 9:32 AM, Stephen Smalley
>  wrote:
> > On Jan 14, 2018 10:36 AM, "Richard Haines"  > rnet.com>
> > wrote:
> > 
> > Add new option to semanage.conf that allows the tmp build files
> > to be kept for debugging when building policy.
> > 
> > 
> > Would it be better to just retain the files by default if there is
> > an error?
> 
> I thought about this as well, my reasoning as to why Richard's
> approach was
> better is that if someone does it N times trying to figure out an
> issue,
> then there would be N piles of files in the tmp folder. This way they
> have to opt in to have their tmp folder spammed.

I believe that the tmp directories are deleted and re-created by
libsemanage each time before use (otherwise we'd have a different
problem with not removing them, since we could end up with a mix of
files from different, incomplete transactions being intermingled
there). So I don't think this would be a problem.  It might however
require saving the commit success/failure result in the handle so that
we know in semanage_direct_disconnect() whether or not we should delete
it.

If we truly need to make it optional, then I'd rather have it be an
option flag to semodule and a runtime setting of libsemanage (ala
reload, disable_dontaudit, etc) than a semanage.conf setting, as this
is something a user will want to be able to use without having to edit
a config file, re-run the transaction, and then re-edit the config file
each time.  But I'm not convinced we can't just make it the default
behavior whenever the commit fails.  Deleting the tmp files
automatically only really makes sense when it succeeds.

> 
> > 
> > 
> > Signed-off-by: Richard Haines 
> > ---
> >  libsemanage/man/man5/semanage.conf.5 |  8 
> >  libsemanage/src/conf-parse.y | 15 ++-
> >  libsemanage/src/conf-scan.l  |  1 +
> >  libsemanage/src/direct_api.c | 21 -
> >  libsemanage/src/semanage_conf.h  |  1 +
> >  5 files changed, 36 insertions(+), 10 deletions(-)
> > 
> > diff --git a/libsemanage/man/man5/semanage.conf.5
> > b/libsemanage/man/man5/semanage.conf.5
> > index 8f8de55a..10cab65a 100644
> > --- a/libsemanage/man/man5/semanage.conf.5
> > +++ b/libsemanage/man/man5/semanage.conf.5
> > @@ -121,6 +121,14 @@ and by default it is set to "false".
> >  Please note that since this option deletes all HLL files, an
> > updated HLL
> > compiler will not be able to recompile the original HLL file into
> > CIL.
> >  In order to compile the original HLL file into CIL, the same HLL
> > file will
> > need to be reinstalled.
> > 
> > +.TP
> > +.B retain-tmp
> > +When set to "true", tmp directories (the sandbox at
> > \fBstore-root/\fR[\fIpolicy-store\fR]\fB/tmp \fRand/or the final
> > policy at
> > \fBstore-root/final/\fR[\fIpolicy-store\fR]) will be retained after
> > compilation to allow debugging of any build errors. Note that on a
> > successful build the sandbox becomes
> > \fBstore-root/\fR[\fIpolicy-store\fR]\fB/active\fR.
> > +.br
> > +The
> > +.B retain-tmp
> > +option can be set to either "true" or "false" and by default it is
> > set to
> > "false".
> > +
> >  .SH "SEE ALSO"
> >  .TP
> >  semanage(8)
> > diff --git a/libsemanage/src/conf-parse.y b/libsemanage/src/conf-
> > parse.y
> > index b527e893..f098e55d 100644
> > --- a/libsemanage/src/conf-parse.y
> > +++ b/libsemanage/src/conf-parse.y
> > @@ -61,7 +61,7 @@ static int parse_errors;
> > 
> >  %token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS
> > SAVE_LINKED TARGET_PLATFORM COMPILER_DIR IGNORE_MODULE_CACHE
> > STORE_ROOT
> >  %token LOAD_POLICY_START SETFILES_START SEFCONTEXT_COMPILE_START
> > DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN USEPASSWD IGNOREDIRS
> > -%token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL
> > +%token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL RETAIN_TMP
> >  %token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START
> > BLOCK_END
> >  %token PROG_PATH PROG_ARGS
> >  %token  ARG
> > @@ -95,6 +95,7 @@ single_opt: module_store
> > |   bzip_blocksize
> > |   bzip_small
> > |   remove_hll
> > +   |   retain_tmp
> >  ;
> > 
> >  module_store:   MODULE_STORE '=' ARG {
> > @@ -268,6 +269,17 @@ remove_hll:  REMOVE_HLL'=' ARG {
> > free($3);
> >  }
> > 
> > +retain_tmp:  RETAIN_TMP'=' ARG {
> > +   if (strcasecmp($3, "false") == 0) {
> > +   current_conf->retain_tmp = 0;
> > +   } else if (strcasecmp($3, "true") == 0) {
> > +   current_conf->retain_tmp = 1;
> > +   } else {
> > +   yyerror("retain-tmp can only be 'true' or
> > 'false'");
> > +   }
> > +   free($3);
> > +}
> > +
> >  command_block:
> >  command_start external_opts BLOCK_END  {
> >  if (new_external->path == NULL) {
> > @@ 

Re: [PATCH] libsemanage: Allow tmp files to be kept if a compile fails

2018-01-16 Thread William Roberts
On Mon, Jan 15, 2018 at 9:32 AM, Stephen Smalley
 wrote:
> On Jan 14, 2018 10:36 AM, "Richard Haines" 
> wrote:
>
> Add new option to semanage.conf that allows the tmp build files
> to be kept for debugging when building policy.
>
>
> Would it be better to just retain the files by default if there is an error?

I thought about this as well, my reasoning as to why Richard's approach was
better is that if someone does it N times trying to figure out an issue,
then there would be N piles of files in the tmp folder. This way they
have to opt in to have their tmp folder spammed.

>
>
> Signed-off-by: Richard Haines 
> ---
>  libsemanage/man/man5/semanage.conf.5 |  8 
>  libsemanage/src/conf-parse.y | 15 ++-
>  libsemanage/src/conf-scan.l  |  1 +
>  libsemanage/src/direct_api.c | 21 -
>  libsemanage/src/semanage_conf.h  |  1 +
>  5 files changed, 36 insertions(+), 10 deletions(-)
>
> diff --git a/libsemanage/man/man5/semanage.conf.5
> b/libsemanage/man/man5/semanage.conf.5
> index 8f8de55a..10cab65a 100644
> --- a/libsemanage/man/man5/semanage.conf.5
> +++ b/libsemanage/man/man5/semanage.conf.5
> @@ -121,6 +121,14 @@ and by default it is set to "false".
>  Please note that since this option deletes all HLL files, an updated HLL
> compiler will not be able to recompile the original HLL file into CIL.
>  In order to compile the original HLL file into CIL, the same HLL file will
> need to be reinstalled.
>
> +.TP
> +.B retain-tmp
> +When set to "true", tmp directories (the sandbox at
> \fBstore-root/\fR[\fIpolicy-store\fR]\fB/tmp \fRand/or the final policy at
> \fBstore-root/final/\fR[\fIpolicy-store\fR]) will be retained after
> compilation to allow debugging of any build errors. Note that on a
> successful build the sandbox becomes
> \fBstore-root/\fR[\fIpolicy-store\fR]\fB/active\fR.
> +.br
> +The
> +.B retain-tmp
> +option can be set to either "true" or "false" and by default it is set to
> "false".
> +
>  .SH "SEE ALSO"
>  .TP
>  semanage(8)
> diff --git a/libsemanage/src/conf-parse.y b/libsemanage/src/conf-parse.y
> index b527e893..f098e55d 100644
> --- a/libsemanage/src/conf-parse.y
> +++ b/libsemanage/src/conf-parse.y
> @@ -61,7 +61,7 @@ static int parse_errors;
>
>  %token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS
> SAVE_LINKED TARGET_PLATFORM COMPILER_DIR IGNORE_MODULE_CACHE STORE_ROOT
>  %token LOAD_POLICY_START SETFILES_START SEFCONTEXT_COMPILE_START
> DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN USEPASSWD IGNOREDIRS
> -%token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL
> +%token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL RETAIN_TMP
>  %token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END
>  %token PROG_PATH PROG_ARGS
>  %token  ARG
> @@ -95,6 +95,7 @@ single_opt: module_store
> |   bzip_blocksize
> |   bzip_small
> |   remove_hll
> +   |   retain_tmp
>  ;
>
>  module_store:   MODULE_STORE '=' ARG {
> @@ -268,6 +269,17 @@ remove_hll:  REMOVE_HLL'=' ARG {
> free($3);
>  }
>
> +retain_tmp:  RETAIN_TMP'=' ARG {
> +   if (strcasecmp($3, "false") == 0) {
> +   current_conf->retain_tmp = 0;
> +   } else if (strcasecmp($3, "true") == 0) {
> +   current_conf->retain_tmp = 1;
> +   } else {
> +   yyerror("retain-tmp can only be 'true' or 'false'");
> +   }
> +   free($3);
> +}
> +
>  command_block:
>  command_start external_opts BLOCK_END  {
>  if (new_external->path == NULL) {
> @@ -352,6 +364,7 @@ static int semanage_conf_init(semanage_conf_t * conf)
> conf->bzip_small = 0;
> conf->ignore_module_cache = 0;
> conf->remove_hll = 0;
> +   conf->retain_tmp = 0;
>
> conf->save_previous = 0;
> conf->save_linked = 0;
> diff --git a/libsemanage/src/conf-scan.l b/libsemanage/src/conf-scan.l
> index 607bbf0b..e26c3494 100644
> --- a/libsemanage/src/conf-scan.l
> +++ b/libsemanage/src/conf-scan.l
> @@ -54,6 +54,7 @@ handle-unknownreturn HANDLE_UNKNOWN;
>  bzip-blocksize return BZIP_BLOCKSIZE;
>  bzip-small return BZIP_SMALL;
>  remove-hll return REMOVE_HLL;
> +retain-tmp return RETAIN_TMP;
>  "[load_policy]"   return LOAD_POLICY_START;
>  "[setfiles]"  return SETFILES_START;
>  "[sefcontext_compile]"  return SEFCONTEXT_COMPILE_START;
> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
> index a455612f..5d2a443c 100644
> --- a/libsemanage/src/direct_api.c
> +++ b/libsemanage/src/direct_api.c
> @@ -326,7 +326,10 @@ static void semanage_direct_destroy(semanage_handle_t *
> sh
>  static int semanage_direct_disconnect(semanage_handle_t * sh)
>  {
> /* destroy transaction */
> -   if (sh->is_in_transaction) {
> +   if (sh->is_in_transaction)
> +   semanage_release_trans_lock(sh);

Re: [PATCH] python/semanage: Remove redundant and broken moduleRecords.modify()

2018-01-16 Thread Stephen Smalley
On Thu, 2018-01-11 at 18:44 +0100, Vit Mojzis wrote:
> moduleRecords.modify() calls nonexistent function
> semanage_module_update_file (maybe it should have been
> semanage_module_upgrade_file which is now obsolete and calls
> semanage_module_install_file) and the job of updating a module is
> done
> by moduleRecords.add().
> 
> Signed-off-by: Vit Mojzis 

Thanks, applied.

> ---
>  python/semanage/seobject.py | 5 -
>  1 file changed, 5 deletions(-)
> 
> diff --git a/python/semanage/seobject.py
> b/python/semanage/seobject.py
> index b927b18..740bd7c 100644
> --- a/python/semanage/seobject.py
> +++ b/python/semanage/seobject.py
> @@ -423,11 +423,6 @@ class moduleRecords(semanageRecords):
>  raise ValueError(_("Could not disable module
> %s") % m)
>  self.commit()
>  
> -def modify(self, file):
> -rc = semanage_module_update_file(self.sh, file)
> -if rc >= 0:
> -self.commit()
> -
>  def delete(self, module, priority):
>  rc = semanage_set_default_priority(self.sh, priority)
>  if rc < 0:


Re: [PATCH] python/semanage: bring semanageRecords.set_reload back

2018-01-16 Thread Stephen Smalley
On Thu, 2018-01-11 at 17:22 +0100, Petr Lautrbach wrote:
> It's used by third parties, e.g. Ansible modules
> 
> Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1527745

Thanks, applied.

> 
> Signed-off-by: Petr Lautrbach 
> ---
>  python/semanage/seobject.py | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/python/semanage/seobject.py
> b/python/semanage/seobject.py
> index b927b184..c2966251 100644
> --- a/python/semanage/seobject.py
> +++ b/python/semanage/seobject.py
> @@ -260,6 +260,9 @@ class semanageRecords:
>  else:
>  self.mylog = nulllogger()
>  
> +def set_reload(self, load):
> +self.noreload = not load
> +
>  def get_handle(self, store):
>  global is_mls_enabled
>  
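Review bot: `set_reload` is reinstated specifically as a public compatibility entry point for third-party callers, yet it has no docstring, so nothing tells those callers that the argument is stored inverted as `self.noreload`. A one-line docstring under the `def` would suffice: `"""Enable (load=True) or disable (load=False) policy reload; stored inverted as self.noreload."""`. Where `self.noreload` is consulted is not visible in this hunk, so I have not described its effect further; the enclosing class `semanageRecords` continues outside the hunk.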


Re: BUG: unable to handle kernel NULL pointer dereference in sidtab_search_core

2018-01-16 Thread Dmitry Vyukov via Selinux
On Fri, Dec 22, 2017 at 9:56 PM, Paul Moore  wrote:
>>> wrote:
 Hello,

 syzkaller hit the following crash on
 6084b576dca2e898f5c101baef151f7bfdbb606d
 git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
 compiler: gcc (GCC) 7.1.1 20170620
 .config is attached
 Raw console output is attached.
 C reproducer is attached
 syzkaller reproducer is attached. See https://goo.gl/kgGztJ
 for information about syzkaller reproducers


 SELinux: security_compute_sid:  unrecognized SID 1
 SELinux: security_compute_sid:  unrecognized SID 1
 SELinux: security_compute_sid:  unrecognized SID 1
 SELinux: security_compute_sid:  unrecognized SID 1
 SELinux: security_compute_sid:  unrecognized SID 1
 BUG: unable to handle kernel NULL pointer dereference at 
 0001
 IP: sidtab_search_core+0x88/0x110 security/selinux/ss/sidtab.c:100
 PGD 0 P4D 0
 Oops:  [#1] SMP
 Dumping ftrace buffer:
(ftrace buffer empty)
 Modules linked in:
 CPU: 1 PID: 4252 Comm: kworker/u4:1 Not tainted 
 4.15.0-rc3-next-20171214+
 #67
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
 Google 01/01/2011
 RIP: 0010:sidtab_search_core+0x88/0x110 
 security/selinux/ss/sidtab.c:100
 RSP: 0018:c900028abc18 EFLAGS: 00010293
 RAX: 8802131a87c0 RBX: 0001 RCX: 8165d978
 RDX:  RSI: 0001 RDI: 83fd17a0
 RBP: c900028abc40 R08: 0001 R09: 0001
 R10: c900028abbe0 R11:  R12: 0001
 R13: 0001 R14:  R15: 880214d93800
 FS:  () GS:88021fd0() 
 knlGS:
 CS:  0010 DS:  ES:  CR0: 80050033
 CR2: 0001 CR3: 000214e31000 CR4: 001406e0
 DR0:  DR1:  DR2: 
 DR3:  DR6: fffe0ff0 DR7: 0400
 Call Trace:
  sidtab_search+0x1f/0x30 security/selinux/ss/sidtab.c:111
  security_compute_sid.part.11+0xe2/0x710 
 security/selinux/ss/services.c:1618
  security_compute_sid+0x92/0xa0 security/selinux/ss/services.c:1598
  security_transition_sid+0x57/0x70 security/selinux/ss/services.c:1764
  selinux_bprm_set_creds+0x215/0x2f0 security/selinux/hooks.c:2423
  security_bprm_set_creds+0x41/0x60 security/security.c:332
  prepare_binprm+0xae/0x1f0 fs/exec.c:1561
  do_execveat_common.isra.30+0x6f7/0xb90 fs/exec.c:1784
  do_execve+0x31/0x40 fs/exec.c:1848
  call_usermodehelper_exec_async+0x104/0x190 kernel/umh.c:100
  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:524
 Code: 8b 5b 50 48 85 db 75 e5 e8 e6 c9 c5 ff 49 8b 5f 18 48 85 db 75 
 10 eb
 43 e8 d6 c9 c5 ff 48 8b 5b 50 48 85 db 74 35 e8 c8 c9 c5 ff <44> 8b 23 
 41 83
 fc 02 76 e4 e8 ba c9 c5 ff 41 83 fc 03 75 1c 48
 RIP: sidtab_search_core+0x88/0x110 security/selinux/ss/sidtab.c:100 
 RSP:
 c900028abc18
 CR2: 0001
 ---[ end trace 571c0ea6c6959387 ]---
 Kernel panic - not syncing: Fatal exception
 Dumping ftrace buffer:
(ftrace buffer empty)
 Kernel Offset: disabled
 Rebooting in 86400 seconds..
>>>
>>> Based on the reproducer and the stack trace, I'm guessing the system
>>> is attempting to load a kernel module for a defined, but unloaded,
>>> protocol.  Looking quickly at the SELinux bprm and sidtab code,
>>> nothing obvious is jumping out at me.  Considering the number of false
>>> positives I've been seeing from syzbot lately, I'm assuming this is
>>> more of the same.
>>
>> Hi Paul,
>>
>> What are these false positives? Please elaborate.
>> There is no single false positive that I am aware of. All the ones
>> that were debugged are real kernel bugs.
>
> I've replied to several of the syzbot automated reports with the
> "invalid" response.  I haven't been keeping track, but it seems like
> approximately 50% of the SELinux related reports don't make sense upon
> inspection.

 Can you please point me to some of these bugs? I don't see anything
 like this in my inbox, in google group nor in database.
>>>
>>> Not easily, no.  I don't keep track of these reports once I've
>>> responded to the syzbot mail.
>>
>> There must be traces of this in database and on mailing lists (even if
>> you drop syzkaller-bugs@ syzbot will re-add it). So far I did not find
>> any traces...