Re: ANN: Reference Policy 2.20180114
On 01/16/2018 11:02 AM, Stephen Smalley wrote: On Sun, 2018-01-14 at 15:02 -0500, Chris PeBenito via refpolicy wrote: A new release, 2.20180114, of the SELinux Reference Policy is now available on the GitHub site: https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease Could we get the nnp_nosuid_transition policy capability enabled in the next release? That's my mistake; I should have enabled it in this release. Enabled in master now. -- Chris PeBenito
[PATCH v2 07/14] policycoreutils: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson--- policycoreutils/hll/pp/Makefile | 7 ++- policycoreutils/load_policy/Makefile | 8 policycoreutils/man/Makefile | 3 ++- policycoreutils/newrole/Makefile | 8 policycoreutils/po/Makefile | 3 ++- policycoreutils/run_init/Makefile| 8 policycoreutils/scripts/Makefile | 8 policycoreutils/secon/Makefile | 9 - policycoreutils/semodule/Makefile| 8 +++- policycoreutils/sestatus/Makefile| 8 policycoreutils/setfiles/Makefile| 5 ++--- policycoreutils/setsebool/Makefile | 10 -- 12 files changed, 39 insertions(+), 46 deletions(-) diff --git a/policycoreutils/hll/pp/Makefile b/policycoreutils/hll/pp/Makefile index 3401dcc9..ce58e0cf 100644 --- a/policycoreutils/hll/pp/Makefile +++ b/policycoreutils/hll/pp/Makefile @@ -1,9 +1,6 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -INCLUDEDIR ?= $(PREFIX)/include -MANDIR = $(PREFIX)/share/man -LIBDIR ?= $(PREFIX)/lib -LIBEXECDIR ?= $(PREFIX)/libexec +PREFIX ?= /usr +LIBEXECDIR ?= $(DESTDIR)$(PREFIX)/libexec HLLDIR ?= $(LIBEXECDIR)/selinux/hll CFLAGS ?= -Werror -Wall -W diff --git a/policycoreutils/load_policy/Makefile b/policycoreutils/load_policy/Makefile index b85833c2..720bf45f 100644 --- a/policycoreutils/load_policy/Makefile +++ b/policycoreutils/load_policy/Makefile @@ -1,8 +1,8 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -SBINDIR ?= $(DESTDIR)/sbin -MANDIR ?= $(PREFIX)/share/man -LOCALEDIR ?= /usr/share/locale +PREFIX ?= /usr +SBINDIR ?= $(DESTDIR)$(PREFIX)/sbin +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man +LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale CFLAGS ?= -Werror -Wall -W override CFLAGS += $(LDFLAGS) -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\"" diff --git a/policycoreutils/man/Makefile b/policycoreutils/man/Makefile index 0d91cd46..8a8fbd49 100644 --- a/policycoreutils/man/Makefile +++ b/policycoreutils/man/Makefile 
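Review bot: `LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale` in load_policy/Makefile leaks the staging root into the binary, because the context line right below passes it to the compiler as `-DLOCALEDIR="\"$(LOCALEDIR)\""`; a build with the cover letter's `DESTDIR=/tmp/myroot` would ship a load_policy that looks for its message catalogs under /tmp/myroot at run time. DESTDIR belongs only in install destinations, never in compiled-in paths, so this line should be `LOCALEDIR ?= $(PREFIX)/share/locale` (the old `/usr/share/locale` was right on that point, if not on PREFIX). If the catalogs themselves need staging, prepend `$(DESTDIR)` in the install recipe rather than in the variable. The install recipe that consumes these variables is outside the hunk.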
@@ -1,5 +1,6 @@ # Installation directories. -MAN5DIR ?= $(DESTDIR)/usr/share/man/man5 +PREFIX ?= /usr +MAN5DIR ?= $(DESTDIR)$(PREFIX)/share/man/man5 all: diff --git a/policycoreutils/newrole/Makefile b/policycoreutils/newrole/Makefile index 196af926..4dbe6f52 100644 --- a/policycoreutils/newrole/Makefile +++ b/policycoreutils/newrole/Makefile @@ -1,9 +1,9 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -BINDIR ?= $(PREFIX)/bin -MANDIR ?= $(PREFIX)/share/man +PREFIX ?= /usr +BINDIR ?= $(DESTDIR)$(PREFIX)/bin +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man ETCDIR ?= $(DESTDIR)/etc -LOCALEDIR = /usr/share/locale +LOCALEDIR = $(DESTDIR)$(PREFIX)/share/locale PAMH ?= $(shell test -f /usr/include/security/pam_appl.h && echo y) AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y) # Enable capabilities to permit newrole to generate audit records. diff --git a/policycoreutils/po/Makefile b/policycoreutils/po/Makefile index 58148613..c583d23a 100644 --- a/policycoreutils/po/Makefile +++ b/policycoreutils/po/Makefile @@ -2,6 +2,7 @@ # Makefile for the PO files (translation) catalog # +PREFIX ?= /usr TOP = ../.. # What is this package? @@ -12,7 +13,7 @@ INSTALL_DATA = $(INSTALL) -m 644 INSTALL_DIR= /usr/bin/install -d # destination directory -INSTALL_NLS_DIR = $(DESTDIR)/usr/share/locale +INSTALL_NLS_DIR = $(DESTDIR)$(PREFIX)/share/locale # PO catalog handling MSGMERGE = msgmerge diff --git a/policycoreutils/run_init/Makefile b/policycoreutils/run_init/Makefile index 921f0b07..4178493e 100644 --- a/policycoreutils/run_init/Makefile +++ b/policycoreutils/run_init/Makefile 
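Review bot: In the newrole hunk, `LOCALEDIR = $(DESTDIR)$(PREFIX)/share/locale` puts the staging prefix into a path that is, by name, a run-time gettext lookup location, and the context lines show this is a PAM- and audit-aware program that is granted capabilities; a DESTDIR build would therefore make a privileged binary load translation catalogs from wherever the package was staged (under /tmp in the cover letter's example). The previous value deliberately carried no DESTDIR, so keep the run-time path as `LOCALEDIR = $(PREFIX)/share/locale` and add `$(DESTDIR)` only where catalogs are installed. Whether newrole's CFLAGS actually embed LOCALEDIR is not visible in this hunk; if they do not, the variable is unused here and can simply be dropped. `ETCDIR ?= $(DESTDIR)/etc` has the same shape but is an install destination, which is fine.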
@@ -1,10 +1,10 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -SBINDIR ?= $(PREFIX)/sbin -MANDIR ?= $(PREFIX)/share/man +PREFIX ?= /usr +SBINDIR ?= $(DESTDIR)$(PREFIX)/sbin +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man ETCDIR ?= $(DESTDIR)/etc -LOCALEDIR ?= /usr/share/locale +LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale PAMH ?= $(shell test -f /usr/include/security/pam_appl.h && echo y) AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y) diff --git a/policycoreutils/scripts/Makefile b/policycoreutils/scripts/Makefile index d9e86ffe..cfd841ec 100644 --- a/policycoreutils/scripts/Makefile +++ b/policycoreutils/scripts/Makefile @@ -1,8 +1,8 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -SBINDIR ?= $(DESTDIR)/sbin -MANDIR ?= $(PREFIX)/share/man -LOCALEDIR ?= $(PREFIX)/share/locale +PREFIX ?= /usr +SBINDIR ?= $(DESTDIR)$(PREFIX)/sbin +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man +LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale .PHONY: all all: fixfiles diff --git a/policycoreutils/secon/Makefile b/policycoreutils/secon/Makefile index 8e491d74..4ecbd57d 100644 --- a/policycoreutils/secon/Makefile +++ b/policycoreutils/secon/Makefile @@ -1,9 +1,8 @@ # secon tool - command-line context -PREFIX ?= $(DESTDIR)/usr -INCLUDEDIR ?= $(PREFIX)/include -BINDIR ?=
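Review bot: The run_init hunk changes `LOCALEDIR ?= /usr/share/locale` to `LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale`, turning a DESTDIR-free run-time path into one that includes the staging root; run_init is, per the PAM/audit context lines, a privilege-boundary tool, so having it search the staging directory for translation catalogs on the installed system is the wrong direction. Use `LOCALEDIR ?= $(PREFIX)/share/locale` and keep `$(DESTDIR)` for install destinations only. Whether LOCALEDIR is compiled in or substituted at install time is outside this hunk.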
[PATCH v2 14/14] build: add prefix for includes in top Makefile
Signed-off-by: Marcus Folkesson--- Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 6da7f7b7..74d662d4 100644 --- a/Makefile +++ b/Makefile @@ -19,8 +19,8 @@ else endif ifneq ($(DESTDIR),) - CFLAGS += -I$(DESTDIR)/usr/include - LDFLAGS += -L$(DESTDIR)/usr/lib + CFLAGS += -I$(DESTDIR)$(PREFIX)/include + LDFLAGS += -L$(DESTDIR)$(PREFIX)/lib export CFLAGS export LDFLAGS endif -- 2.15.1
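Review bot: `-I$(DESTDIR)$(PREFIX)/include` and `-L$(DESTDIR)$(PREFIX)/lib` depend on PREFIX being set in the top-level Makefile, but the diffstat shows only these two lines changed and no `PREFIX ?= /usr` is visible in the hunk; a plain `make DESTDIR=/tmp/myroot install` would then search `/tmp/myroot/include` instead of the former `/tmp/myroot/usr/include`, and the per-package Makefiles (which each default PREFIX to /usr) would disagree with the top-level search paths. Add `PREFIX ?= /usr` next to the other top-level defaults and `export PREFIX` so every sub-make sees the same value. The enclosing `ifneq ($(DESTDIR),)` block is fully inside the hunk; the `ifeq ($(DEBUG),1)` block above it begins outside.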
[PATCH v2 06/14] mcstrans: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson--- mcstrans/man/Makefile | 3 ++- mcstrans/src/Makefile | 6 +++--- mcstrans/utils/Makefile | 6 +++--- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/mcstrans/man/Makefile b/mcstrans/man/Makefile index 8e971192..5030fa81 100644 --- a/mcstrans/man/Makefile +++ b/mcstrans/man/Makefile @@ -1,5 +1,6 @@ # Installation directories. -MAN8DIR ?= $(DESTDIR)/usr/share/man/man8 +PREFIX ?= /usr +MAN8DIR ?= $(DESTDIR)$(PREFIX)/share/man/man8 all: diff --git a/mcstrans/src/Makefile b/mcstrans/src/Makefile index 3f4a89c3..26423c29 100644 --- a/mcstrans/src/Makefile +++ b/mcstrans/src/Makefile @@ -1,9 +1,9 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -LIBDIR ?= $(PREFIX)/lib +PREFIX ?= /usr +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib SBINDIR ?= $(DESTDIR)/sbin INITDIR ?= $(DESTDIR)/etc/rc.d/init.d -SYSTEMDDIR ?= $(DESTDIR)/usr/lib/systemd +SYSTEMDDIR ?= $(DESTDIR)$(PREFIX)/lib/systemd LIBSEPOLA ?= $(LIBDIR)/libsepol.a PROG_SRC=mcstrans.c mcscolor.c mcstransd.c mls_level.c diff --git a/mcstrans/utils/Makefile b/mcstrans/utils/Makefile index 4d3cbfcb..79eb8438 100644 --- a/mcstrans/utils/Makefile +++ b/mcstrans/utils/Makefile @@ -1,7 +1,7 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -LIBDIR ?= $(PREFIX)/lib -SBINDIR ?= $(PREFIX)/sbin +PREFIX ?= /usr +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib +SBINDIR ?= $(DESTDIR)$(PREFIX)/sbin LIBSEPOLA ?= $(LIBDIR)/libsepol.a CFLAGS ?= -Wall -- 2.15.1
[PATCH v2 09/14] restorecond: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson--- restorecond/Makefile | 11 +-- 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/restorecond/Makefile b/restorecond/Makefile index ada94aeb..a2316947 100644 --- a/restorecond/Makefile +++ b/restorecond/Makefile @@ -1,13 +1,12 @@ PKG_CONFIG ?= pkg-config # Installation directories. -PREFIX ?= $(DESTDIR)/usr -SBINDIR ?= $(PREFIX)/sbin -LIBDIR ?= $(PREFIX)/lib -MANDIR = $(PREFIX)/share/man +PREFIX ?= /usr +SBINDIR ?= $(DESTDIR)$(PREFIX)/sbin +MANDIR = $(DESTDIR)$(PREFIX)/share/man AUTOSTARTDIR = $(DESTDIR)/etc/xdg/autostart -DBUSSERVICEDIR = $(DESTDIR)/usr/share/dbus-1/services -SYSTEMDDIR ?= $(DESTDIR)/usr/lib/systemd +DBUSSERVICEDIR = $(DESTDIR)$(PREFIX)/share/dbus-1/services +SYSTEMDDIR ?= $(DESTDIR)$(PREFIX)/lib/systemd autostart_DATA = sealertauto.desktop INITDIR ?= $(DESTDIR)/etc/rc.d/init.d -- 2.15.1
[PATCH v2 10/14] sandbox: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson--- sandbox/Makefile | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/sandbox/Makefile b/sandbox/Makefile index 05c3d658..5a6b707a 100644 --- a/sandbox/Makefile +++ b/sandbox/Makefile @@ -1,14 +1,14 @@ PYTHON ?= python # Installation directories. -PREFIX ?= $(DESTDIR)/usr +PREFIX ?= /usr SYSCONFDIR ?= $(DESTDIR)/etc/sysconfig -LIBDIR ?= $(PREFIX)/lib -BINDIR ?= $(PREFIX)/bin -SBINDIR ?= $(PREFIX)/sbin -MANDIR ?= $(PREFIX)/share/man +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib +BINDIR ?= $(DESTDIR)$(PREFIX)/bin +SBINDIR ?= $(DESTDIR)$(PREFIX)/sbin +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man LOCALEDIR ?= /usr/share/locale -SHAREDIR ?= $(PREFIX)/share/sandbox +SHAREDIR ?= $(DESTDIR)$(PREFIX)/share/sandbox override CFLAGS += -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra -W override LDLIBS += -lselinux -lcap-ng SEUNSHARE_OBJS = seunshare.o -- 2.15.1
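Review bot: `LOCALEDIR ?= /usr/share/locale` is the one directory in this hunk left without `$(PREFIX)` while every other directory now derives from it, whereas the sibling patches in this series rewrite LOCALEDIR as `$(DESTDIR)$(PREFIX)/share/locale`. If LOCALEDIR is compiled into seunshare or substituted into the sandbox scripts (not visible here), the correct form is `LOCALEDIR ?= $(PREFIX)/share/locale` — honouring PREFIX but never DESTDIR, since a run-time path must not point at the staging tree. Either way the series should settle on one convention for run-time paths; this hunk's omission of DESTDIR is the safer of the two.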
[PATCH v2 11/14] secilc: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson--- secilc/Makefile | 8 +++- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/secilc/Makefile b/secilc/Makefile index 1cac53e4..5b0a4852 100644 --- a/secilc/Makefile +++ b/secilc/Makefile @@ -1,8 +1,6 @@ -PREFIX ?= $(DESTDIR)/usr -BINDIR ?= $(PREFIX)/bin -MANDIR ?= $(PREFIX)/share/man -LIBDIR ?= $(PREFIX)/lib -INCLUDEDIR ?= $(PREFIX)/include +PREFIX ?= /usr +BINDIR ?= $(DESTDIR)$(PREFIX)/bin +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man SECILC = secilc SECILC_SRCS := secilc.c -- 2.15.1
[PATCH v2 12/14] semodule-utils: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson--- semodule-utils/semodule_expand/Makefile | 8 +++- semodule-utils/semodule_link/Makefile| 8 +++- semodule-utils/semodule_package/Makefile | 8 +++- 3 files changed, 9 insertions(+), 15 deletions(-) diff --git a/semodule-utils/semodule_expand/Makefile b/semodule-utils/semodule_expand/Makefile index 072f2137..c2ab3f65 100644 --- a/semodule-utils/semodule_expand/Makefile +++ b/semodule-utils/semodule_expand/Makefile @@ -1,9 +1,7 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -INCLUDEDIR ?= $(PREFIX)/include -BINDIR ?= $(PREFIX)/bin -LIBDIR ?= $(PREFIX)/lib -MANDIR ?= $(PREFIX)/share/man +PREFIX ?= /usr +BINDIR ?= $(DESTDIR)$(PREFIX)/bin +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man CFLAGS ?= -Werror -Wall -W override LDLIBS += -lsepol diff --git a/semodule-utils/semodule_link/Makefile b/semodule-utils/semodule_link/Makefile index cc4687bd..bcf98765 100644 --- a/semodule-utils/semodule_link/Makefile +++ b/semodule-utils/semodule_link/Makefile @@ -1,9 +1,7 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -INCLUDEDIR ?= $(PREFIX)/include -BINDIR ?= $(PREFIX)/bin -MANDIR ?= $(PREFIX)/share/man -LIBDIR ?= $(PREFIX)/lib +PREFIX ?= /usr +BINDIR ?= $(DESTDIR)$(PREFIX)/bin +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man CFLAGS ?= -Werror -Wall -W override LDLIBS += -lsepol diff --git a/semodule-utils/semodule_package/Makefile b/semodule-utils/semodule_package/Makefile index 96dd7c4f..33a95e16 100644 --- a/semodule-utils/semodule_package/Makefile +++ b/semodule-utils/semodule_package/Makefile @@ -1,9 +1,7 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -INCLUDEDIR ?= $(PREFIX)/include -BINDIR ?= $(PREFIX)/bin -LIBDIR ?= $(PREFIX)/lib -MANDIR ?= $(PREFIX)/share/man +PREFIX ?= /usr +BINDIR ?= $(DESTDIR)$(PREFIX)/bin +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man CFLAGS ?= -Werror -Wall -W override LDLIBS += -lsepol -- 2.15.1
Rework of Makefiles v2
Hi, I have updated the patchset. Please test to compile with: make DESTDIR=/tmp/myroot PREFIX=/myusr install Changes: v2: - Use separate directories for shared libraries, as before (comment from Stephen Smalley) - Rework all packages (not just selinux/sepol/semanage) Best regards Marcus Folkesson
[PATCH v2 02/14] libselinux: build: follow standard semantics for DESTDIR and PREFIX
This patch solves the following issues: - The pkg-config files generates odd paths when using DESTDIR without PREFIX - DESTDIR is needed during compile time to compute library and header paths which it should not. - Installing with both DESTDIR and PREFIX set gives us odd paths - Make usage of DESTDIR and PREFIX more standard Signed-off-by: Marcus Folkesson--- libselinux/include/Makefile | 4 ++-- libselinux/man/Makefile | 7 --- libselinux/src/Makefile | 12 +--- libselinux/src/libselinux.pc.in | 2 +- libselinux/utils/Makefile | 6 ++ 5 files changed, 14 insertions(+), 17 deletions(-) diff --git a/libselinux/include/Makefile b/libselinux/include/Makefile index 757a6c9c..3b51f5ce 100644 --- a/libselinux/include/Makefile +++ b/libselinux/include/Makefile @@ -1,6 +1,6 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -INCDIR ?= $(PREFIX)/include/selinux +PREFIX ?= /usr +INCDIR = $(DESTDIR)$(PREFIX)/include/selinux all: diff --git a/libselinux/man/Makefile b/libselinux/man/Makefile index 0643e6af..233bfaa9 100644 --- a/libselinux/man/Makefile +++ b/libselinux/man/Makefile @@ -1,7 +1,8 @@ # Installation directories. -MAN8DIR ?= $(DESTDIR)/usr/share/man/man8 -MAN5DIR ?= $(DESTDIR)/usr/share/man/man5 -MAN3DIR ?= $(DESTDIR)/usr/share/man/man3 +PREFIX ?= /usr +MAN8DIR ?= $(DESTDIR)$(PREFIX)/share/man/man8 +MAN5DIR ?= $(DESTDIR)$(PREFIX)/share/man/man5 +MAN3DIR ?= $(DESTDIR)$(PREFIX)/share/man/man3 all: diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile index 18df75c8..18a58164 100644 --- a/libselinux/src/Makefile +++ b/libselinux/src/Makefile @@ -8,8 +8,8 @@ RUBYPREFIX ?= $(notdir $(RUBY)) PKG_CONFIG ?= pkg-config # Installation directories. -PREFIX ?= $(DESTDIR)/usr -LIBDIR ?= $(PREFIX)/lib +PREFIX ?= /usr +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib SHLIBDIR ?= $(DESTDIR)/lib INCLUDEDIR ?= $(PREFIX)/include PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX)) 
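Review bot: In libselinux/include/Makefile the assignment changes from `INCDIR ?=` to `INCDIR = $(DESTDIR)$(PREFIX)/include/selinux`, which silently stops honouring an INCDIR set in the environment (a command-line `INCDIR=...` still wins, but `INCDIR=... make` no longer does). Nothing in the hunk needs the stronger assignment, and the matching libsemanage/include hunk in this series keeps `?=`, so restore `INCDIR ?= $(DESTDIR)$(PREFIX)/include/selinux` for consistency and to keep packagers' overrides working.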
@@ -19,8 +19,6 @@ PYCEXT ?= $(shell $(PYTHON) -c 'import imp;print([s for s,m,t in imp.get_suffixe RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + RbConfig::CONFIG["rubyarchhdrdir"] + " -I" + RbConfig::CONFIG["rubyhdrdir"]') RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG["libdir"] + " -L" + RbConfig::CONFIG["archlibdir"] + " " + RbConfig::CONFIG["LIBRUBYARG_SHARED"]') RUBYINSTALL ?= $(DESTDIR)$(shell $(RUBY) -e 'puts RbConfig::CONFIG["vendorarchdir"]') -LIBBASE ?= $(shell basename $(LIBDIR)) -LIBSEPOLA ?= $(LIBDIR)/libsepol.a VERSION = $(shell cat ../VERSION) LIBVERSION = 1 @@ -148,7 +146,7 @@ $(LIBSO): $(LOBJS) ln -sf $@ $(TARGET) $(LIBPC): $(LIBPC).in ../VERSION - sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):; s:@PCRE_MODULE@:$(PCRE_MODULE):' < $< > $@ + sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):; s:@PCRE_MODULE@:$(PCRE_MODULE):' < $< > $@ selinuxswig_python_exception.i: ../include/selinux/selinux.h bash -e exception.sh > $@ || (rm -f $@ ; false) @@ -156,8 +154,8 @@ selinuxswig_python_exception.i: ../include/selinux/selinux.h $(AUDIT2WHYLOBJ): audit2why.c $(CC) $(filter-out -Werror, $(CFLAGS)) $(PYINC) -fPIC -DSHARED -c -o $@ $< -$(AUDIT2WHYSO): $(AUDIT2WHYLOBJ) $(LIBSEPOLA) - $(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux $(PYLIBS) +$(AUDIT2WHYSO): $(AUDIT2WHYLOBJ) + $(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux $(PYLIBS) -l:libsepol.a %.o: %.c policy.h $(CC) $(CFLAGS) $(TLSFLAGS) -c -o $@ $< diff --git a/libselinux/src/libselinux.pc.in b/libselinux/src/libselinux.pc.in index 2e90a844..7c66b1fa 100644 --- a/libselinux/src/libselinux.pc.in +++ b/libselinux/src/libselinux.pc.in @@ -1,6 +1,6 @@ prefix=@prefix@ exec_prefix=${prefix} -libdir=${exec_prefix}/@libdir@ +libdir=@libdir@ includedir=@includedir@ Name: libselinux 
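Review bot: Substituting `$(LIBDIR)` for `@libdir@` writes the staging directory into libselinux.pc, because LIBDIR is defined earlier in this file as `$(DESTDIR)$(PREFIX)/lib`; with the cover letter's `make DESTDIR=/tmp/myroot PREFIX=/myusr install` the installed .pc file would carry `libdir=/tmp/myroot/myusr/lib`, which is exactly the "odd paths" the commit message sets out to fix, and any consumer resolving libselinux through pkg-config would link against the staging tree. Keep DESTDIR out of LIBDIR (`LIBDIR ?= $(PREFIX)/lib`, with install rules writing to `$(DESTDIR)$(LIBDIR)`), or at minimum substitute the DESTDIR-free `$(PREFIX)/lib` here, mirroring how `@includedir@` already gets the DESTDIR-free INCLUDEDIR. The install recipe that uses LIBDIR is outside the hunk.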
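Review bot: Replacing the explicit `$(LIBSEPOLA)` prerequisite with `-l:libsepol.a` loses two things in the `$(AUDIT2WHYSO)` rule: audit2why.so no longer rebuilds when libsepol.a changes, and the archive becomes whatever `libsepol.a` the linker meets first on its `-L` search path, so an already-installed system copy can silently win over the freshly built one (`-l:name` is also a GNU ld extension). Prefer keeping the archive as an explicit path and prerequisite, e.g. `LIBSEPOLA ?= $(DESTDIR)$(LIBDIR)/libsepol.a` with a DESTDIR-free LIBDIR and `$(AUDIT2WHYSO): $(AUDIT2WHYLOBJ) $(LIBSEPOLA)`, so the build both tracks the dependency and links a known file.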
diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile index eb4851a9..9adce6d3 100644 --- a/libselinux/utils/Makefile +++ b/libselinux/utils/Makefile @@ -1,8 +1,6 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -LIBDIR ?= $(PREFIX)/lib -SBINDIR ?= $(PREFIX)/sbin -INCLUDEDIR ?= $(PREFIX)/include +PREFIX ?= /usr +SBINDIR ?= $(DESTDIR)$(PREFIX)/sbin OS ?= $(shell uname) -- 2.15.1
[PATCH v2 03/14] libsemanage: build: follow standard semantics for DESTDIR and PREFIX
This patch solves the following issues: - DESTDIR is needed during compile time to compute library and header paths which it should not. - Installing with both DESTDIR and PREFIX set gives us odd paths - Make usage of DESTDIR and PREFIX more standard Signed-off-by: Marcus Folkesson--- libsemanage/include/Makefile | 4 ++-- libsemanage/man/Makefile | 5 +++-- libsemanage/src/Makefile | 9 +++-- libsemanage/src/libsemanage.pc.in | 2 +- libsemanage/tests/Makefile| 3 --- libsemanage/utils/Makefile| 4 ++-- 6 files changed, 11 insertions(+), 16 deletions(-) diff --git a/libsemanage/include/Makefile b/libsemanage/include/Makefile index b660660e..f4234b9e 100644 --- a/libsemanage/include/Makefile +++ b/libsemanage/include/Makefile @@ -1,6 +1,6 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -INCDIR ?= $(PREFIX)/include/semanage +PREFIX ?= /usr +INCDIR ?= $(DESTDIR)$(PREFIX)/include/semanage all: diff --git a/libsemanage/man/Makefile b/libsemanage/man/Makefile index 852043d4..43c2b3f6 100644 --- a/libsemanage/man/Makefile +++ b/libsemanage/man/Makefile @@ -1,6 +1,7 @@ # Installation directories. -MAN3DIR ?= $(DESTDIR)/usr/share/man/man3 -MAN5DIR ?= $(DESTDIR)/usr/share/man/man5 +PREFIX ?= /usr +MAN3DIR ?= $(DESTDIR)$(PREFIX)/share/man/man3 +MAN5DIR ?= $(DESTDIR)$(PREFIX)/share/man/man5 all: diff --git a/libsemanage/src/Makefile b/libsemanage/src/Makefile index fdb178f5..f66d1b73 100644 --- a/libsemanage/src/Makefile +++ b/libsemanage/src/Makefile @@ -8,9 +8,8 @@ RUBYPREFIX ?= $(notdir $(RUBY)) PKG_CONFIG ?= pkg-config # Installation directories. -PREFIX ?= $(DESTDIR)/usr -LIBDIR ?= $(PREFIX)/lib -SHLIBDIR ?= $(DESTDIR)/lib +PREFIX ?= /usr +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib INCLUDEDIR ?= $(PREFIX)/include PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX)) PYLIBS ?= $(shell $(PKG_CONFIG) --libs $(PYPREFIX)) 
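Review bot: The libsemanage/src hunk deletes `SHLIBDIR ?= $(DESTDIR)/lib`, but the install recipe that may still reference it lies outside the hunk; if any rule expands `$(SHLIBDIR)` it now yields the empty string (unless set from the environment), and a destination like `$(SHLIBDIR)/libsemanage.so.1` collapses to the filesystem root. Please check the rest of libsemanage/src/Makefile for SHLIBDIR before landing. Note also that the v2 cover letter says shared-library directories were deliberately kept separate, and the libsepol and libselinux hunks in this series still define `SHLIBDIR ?= $(DESTDIR)/lib`, so dropping it only here looks inconsistent.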
@@ -20,8 +19,6 @@ RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + RbConfig::CONFIG["rubyarchhdrdir"] + RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG["libdir"] + " -L" + RbConfig::CONFIG["archlibdir"] + " " + RbConfig::CONFIG["LIBRUBYARG_SHARED"]') RUBYINSTALL ?= $(DESTDIR)$(shell $(RUBY) -e 'puts RbConfig::CONFIG["vendorarchdir"]') -LIBBASE=$(shell basename $(LIBDIR)) - DEFAULT_SEMANAGE_CONF_LOCATION=$(DESTDIR)/etc/selinux/semanage.conf ifeq ($(DEBUG),1) @@ -95,7 +92,7 @@ $(LIBSO): $(LOBJS) ln -sf $@ $(TARGET) $(LIBPC): $(LIBPC).in ../VERSION - sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):' < $< > $@ + sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):' < $< > $@ semanageswig_python_exception.i: ../include/semanage/semanage.h bash -e exception.sh > $@ || (rm -f $@ ; false) diff --git a/libsemanage/src/libsemanage.pc.in b/libsemanage/src/libsemanage.pc.in index d3eaa062..43681ddb 100644 --- a/libsemanage/src/libsemanage.pc.in +++ b/libsemanage/src/libsemanage.pc.in @@ -1,6 +1,6 @@ prefix=@prefix@ exec_prefix=${prefix} -libdir=${exec_prefix}/@libdir@ +libdir=@libdir@ includedir=@includedir@ Name: libsemanage diff --git a/libsemanage/tests/Makefile b/libsemanage/tests/Makefile index 2ef8d30d..324766a0 100644 --- a/libsemanage/tests/Makefile +++ b/libsemanage/tests/Makefile @@ -1,6 +1,3 @@ -PREFIX ?= $(DESTDIR)/usr -LIBDIR ?= $(PREFIX)/lib - # Add your test source files here: SOURCES = $(sort $(wildcard *.c)) diff --git a/libsemanage/utils/Makefile b/libsemanage/utils/Makefile index 725f0eec..f527ad07 100644 --- a/libsemanage/utils/Makefile +++ b/libsemanage/utils/Makefile @@ -1,6 +1,6 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -LIBEXECDIR ?= $(PREFIX)/libexec +PREFIX ?= /usr +LIBEXECDIR ?= $(DESTDIR)$(PREFIX)/libexec SELINUXEXECDIR ?= $(LIBEXECDIR)/selinux/ all: -- 2.15.1
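Review bot: The context line `DEFAULT_SEMANAGE_CONF_LOCATION=$(DESTDIR)/etc/selinux/semanage.conf` is, by name, a built-in run-time default that still embeds DESTDIR, which contradicts the commit message's aim that DESTDIR not be needed at compile time; if it is compiled into the library (presumably via a -D flag outside the hunk), a build with `DESTDIR=/tmp/myroot` would read its policy-store configuration from `/tmp/myroot/etc/selinux/semanage.conf` on the running system — a path under /tmp that any local user could pre-create. Since this patch is reworking exactly this file's directory variables, drop DESTDIR here too: `DEFAULT_SEMANAGE_CONF_LOCATION=/etc/selinux/semanage.conf` (or derive it from a DESTDIR-free SYSCONFDIR).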
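Review bot: In the `$(LIBPC)` rule, `s:@libdir@:$(LIBDIR):` now injects `$(DESTDIR)$(PREFIX)/lib` into libsemanage.pc, so a staged build publishes the staging directory as its libdir and downstream pkg-config users link against the wrong tree. Substitute a DESTDIR-free value instead — the cleanest fix is `LIBDIR ?= $(PREFIX)/lib` with `$(DESTDIR)$(LIBDIR)` used only in install recipes, so `@libdir@` and `@includedir@` are treated the same way. The install recipe is outside the hunk.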
[PATCH v2 05/14] gui: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson--- gui/Makefile | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/gui/Makefile b/gui/Makefile index cfe47405..5efd17d7 100644 --- a/gui/Makefile +++ b/gui/Makefile @@ -1,9 +1,9 @@ # Installation directories. -PREFIX ?= ${DESTDIR}/usr -BINDIR ?= $(PREFIX)/bin -SHAREDIR ?= $(PREFIX)/share/system-config-selinux -DATADIR ?= $(PREFIX)/share -MANDIR ?= $(PREFIX)/share/man +PREFIX ?= /usr +BINDIR ?= $(DESTDIR)$(PREFIX)/bin +SHAREDIR ?= $(DESTDIR)$(PREFIX)/share/system-config-selinux +DATADIR ?= $(DESTDIR)$(PREFIX)/share +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man TARGETS= \ booleansPage.py \ -- 2.15.1
[PATCH v2 04/14] checkpolicy: build: follow standard semantics for DESTDIR and PREFIX
This patch solves the following issues: - DESTDIR is needed during compile time to compute library and header paths which it should not. - Installing with both DESTDIR and PREFIX set gives us odd paths - Make usage of DESTDIR and PREFIX more standard Signed-off-by: Marcus Folkesson--- checkpolicy/Makefile | 9 - checkpolicy/test/Makefile | 7 +++ 2 files changed, 7 insertions(+), 9 deletions(-) diff --git a/checkpolicy/Makefile b/checkpolicy/Makefile index 68e11f2a..0c341d02 100644 --- a/checkpolicy/Makefile +++ b/checkpolicy/Makefile @@ -1,11 +1,10 @@ # # Makefile for building the checkpolicy program # -PREFIX ?= $(DESTDIR)/usr -BINDIR ?= $(PREFIX)/bin -MANDIR ?= $(PREFIX)/share/man -LIBDIR ?= $(PREFIX)/lib -INCLUDEDIR ?= $(PREFIX)/include +PREFIX ?= /usr +BINDIR ?= $(DESTDIR)$(PREFIX)/bin +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib LIBSEPOLA ?= $(LIBDIR)/libsepol.a TARGETS = checkpolicy checkmodule diff --git a/checkpolicy/test/Makefile b/checkpolicy/test/Makefile index 59fa4460..8f4393d2 100644 --- a/checkpolicy/test/Makefile +++ b/checkpolicy/test/Makefile @@ -1,10 +1,9 @@ # # Makefile for building the dispol program # -PREFIX ?= $(DESTDIR)/usr -BINDIR ?= $(PREFIX)/bin -LIBDIR ?= $(PREFIX)/lib -INCLUDEDIR ?= $(PREFIX)/include +PREFIX ?= /usr +BINDIR ?= $(DESTDIR)$(PREFIX)/bin +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib LIBSEPOLA ?= $(LIBDIR)/libsepol.a CFLAGS ?= -g -Wall -W -Werror -O2 -pipe -- 2.15.1
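Review bot: `LIBDIR ?= $(DESTDIR)$(PREFIX)/lib` now serves two different purposes in checkpolicy/Makefile: it feeds `LIBSEPOLA ?= $(LIBDIR)/libsepol.a`, a link-time input, and presumably the install destination in the recipe outside the hunk. Folding DESTDIR into it means checkpolicy is linked against whatever libsepol.a sits in the staging tree, which the commit message itself lists as something DESTDIR should not be needed for. Keep `LIBDIR ?= $(PREFIX)/lib`, write install targets as `$(DESTDIR)$(LIBDIR)`, and select the staged archive explicitly (`LIBSEPOLA ?= $(DESTDIR)$(LIBDIR)/libsepol.a`) where that is genuinely wanted; the same applies to the checkpolicy/test hunk.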
[PATCH v2 08/14] python: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson--- python/audit2allow/Makefile | 10 -- python/chcat/Makefile | 8 python/semanage/Makefile | 13 ++--- python/sepolgen/src/sepolgen/Makefile | 3 ++- python/sepolicy/Makefile | 18 +- 5 files changed, 25 insertions(+), 27 deletions(-) diff --git a/python/audit2allow/Makefile b/python/audit2allow/Makefile index 8db8075f..a73c8c68 100644 --- a/python/audit2allow/Makefile +++ b/python/audit2allow/Makefile @@ -1,12 +1,10 @@ PYTHON ?= python # Installation directories. -PREFIX ?= $(DESTDIR)/usr -BINDIR ?= $(PREFIX)/bin -LIBDIR ?= $(PREFIX)/lib -MANDIR ?= $(PREFIX)/share/man -LOCALEDIR ?= /usr/share/locale -INCLUDEDIR ?= $(PREFIX)/include +PREFIX ?= /usr +BINDIR ?= $(DESTDIR)$(PREFIX)/bin +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man LIBSEPOLA ?= $(LIBDIR)/libsepol.a CFLAGS ?= -Werror -Wall -W diff --git a/python/chcat/Makefile b/python/chcat/Makefile index 0fd12d6d..947734a0 100644 --- a/python/chcat/Makefile +++ b/python/chcat/Makefile @@ -1,8 +1,8 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -BINDIR ?= $(PREFIX)/bin -MANDIR ?= $(PREFIX)/share/man -LOCALEDIR ?= $(PREFIX)/share/locale +PREFIX ?= /usr +BINDIR ?= $(DESTDIR)$(PREFIX)/bin +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man +LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale .PHONY: all all: chcat diff --git a/python/semanage/Makefile b/python/semanage/Makefile index 132162bc..70759087 100644 --- a/python/semanage/Makefile +++ b/python/semanage/Makefile 
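Review bot: In the chcat hunk, `LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale` mixes the staging root into what is, by name, a run-time lookup path for message catalogs; if the chcat install rule substitutes LOCALEDIR into the script (not visible here), a DESTDIR build would ship a chcat that looks for translations under the staging directory. The previous `$(PREFIX)/share/locale` had the same flaw because PREFIX then contained DESTDIR, so this is not a regression, but this series is the right place to fix it: keep `LOCALEDIR ?= $(PREFIX)/share/locale` and use `$(DESTDIR)$(LOCALEDIR)` only when installing catalogs.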
@@ -1,13 +1,12 @@ PYTHON ?= python # Installation directories. -PREFIX ?= $(DESTDIR)/usr -LIBDIR ?= $(PREFIX)/lib -SBINDIR ?= $(PREFIX)/sbin -MANDIR = $(PREFIX)/share/man -PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; print(get_python_lib(1))") -PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR) -BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions +PREFIX ?= /usr +SBINDIR ?= $(DESTDIR)$(PREFIX)/sbin +MANDIR = $(DESTDIR)$(PREFIX)/share/man +PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; print(get_python_lib(prefix='$(PREFIX)'))") +PACKAGEDIR ?= $(DESTDIR)$(PYTHONLIBDIR) +BASHCOMPLETIONDIR ?= $(DESTDIR)$(PREFIX)/share/bash-completion/completions TARGETS=semanage diff --git a/python/sepolgen/src/sepolgen/Makefile b/python/sepolgen/src/sepolgen/Makefile index d3aa7715..2121a955 100644 --- a/python/sepolgen/src/sepolgen/Makefile +++ b/python/sepolgen/src/sepolgen/Makefile @@ -1,5 +1,6 @@ +PREFIX ?= /usr PYTHON ?= python -PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; print(get_python_lib(1))") +PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; print(get_python_lib(prefix='$(PREFIX)'))") PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)/sepolgen all: diff --git a/python/sepolicy/Makefile b/python/sepolicy/Makefile index 5a56e6c8..c528ae43 100644 --- a/python/sepolicy/Makefile +++ b/python/sepolicy/Makefile 
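Review bot: `get_python_lib(prefix='$(PREFIX)')` silently drops the `1` (plat_specific) argument of the old `get_python_lib(1)` call, so PYTHONLIBDIR switches from the platform-specific site-packages to the pure-Python one; on distributions where the two differ (lib64 versus lib) this moves where semanage is installed. If the switch is intended, say so in the commit message; otherwise keep it as `get_python_lib(1, prefix='$(PREFIX)')`. `$(PREFIX)` is also interpolated unquoted into a Python string literal inside a double-quoted shell command, so a PREFIX containing a quote breaks the expression — low risk for a build knob, but worth knowing.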
@@ -1,14 +1,14 @@ PYTHON ?= python # Installation directories. -PREFIX ?= $(DESTDIR)/usr -LIBDIR ?= $(PREFIX)/lib -BINDIR ?= $(PREFIX)/bin -DATADIR ?= $(PREFIX)/share -MANDIR ?= $(PREFIX)/share/man -LOCALEDIR ?= /usr/share/locale -BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions -SHAREDIR ?= $(PREFIX)/share/sandbox +PREFIX ?= /usr +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib +BINDIR ?= $(DESTDIR)$(PREFIX)/bin +DATADIR ?= $(DESTDIR)$(PREFIX)/share +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man +LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale +BASHCOMPLETIONDIR ?= $(DESTDIR)$(PREFIX)/share/bash-completion/completions +SHAREDIR ?= $(DESTDIR)$(PREFIX)/share/sandbox CFLAGS ?= -Wall -Werror -Wextra -W override CFLAGS += -DPACKAGE="policycoreutils" -DSHARED -shared @@ -30,7 +30,7 @@ test: @$(PYTHON) test_sepolicy.py -v install: - $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)` + $(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)$(PREFIX)" && echo --root $(DESTDIR)$(PREFIX)` [ -d $(BINDIR) ] || mkdir -p $(BINDIR) install -m 755 sepolicy.py $(BINDIR)/sepolicy (cd $(BINDIR); ln -sf sepolicy sepolgen) -- 2.15.1
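Review bot: In the `install` rule, `test -n "$(DESTDIR)$(PREFIX)"` is always true now that PREFIX defaults to /usr, and the resulting `--root $(DESTDIR)$(PREFIX)` combined with `--prefix=$(PREFIX)` makes setup.py install into `$(DESTDIR)$(PREFIX)$(PREFIX)/lib/python...` — /usr/usr/lib for a plain `make install` — while the hand-installed `sepolicy.py` still lands in `$(BINDIR)`, so the package and its entry point end up in different trees. The root must be DESTDIR alone; `$(PYTHON) setup.py install --prefix=$(PREFIX) $(if $(DESTDIR),--root $(DESTDIR))` expresses that without the shell test.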
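Review bot: The first sepolicy hunk changes `LOCALEDIR ?= /usr/share/locale` to `LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale`, so a run-time path that previously never contained the staging root now does; if LOCALEDIR is substituted into the sepolicy modules or scripts (not visible here), a DESTDIR build would look for translations under the staging directory on the installed system. Use `LOCALEDIR ?= $(PREFIX)/share/locale` and reserve `$(DESTDIR)` for install destinations, as the other directory variables in this hunk already are.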
[PATCH v2 01/14] libsepol: build: follow standard semantics for DESTDIR and PREFIX
This patch solves the following issues: - The pkg-config files generates odd paths when using DESTDIR without PREFIX - DESTDIR is needed during compile time to compute library and header paths which it should not. - Installing with both DESTDIR and PREFIX set gives us odd paths - Make usage of DESTDIR and PREFIX more standard Signed-off-by: Marcus Folkesson--- README | 2 +- libsepol/include/Makefile | 4 ++-- libsepol/man/Makefile | 5 +++-- libsepol/src/Makefile | 7 +++ libsepol/src/libsepol.pc.in | 2 +- libsepol/utils/Makefile | 4 ++-- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/README b/README index 7fc7b17b..174551a1 100644 --- a/README +++ b/README @@ -19,6 +19,6 @@ lacks library functions or other dependencies relied upon by your distribution. If it breaks, you get to keep both pieces. To install libsepol on macOS (mainly for policy analysis): -cd libsepol; make DESTDIR=/usr/local PREFIX=/usr/local install +cd libsepol; make PREFIX=/usr/local install This requires GNU coreutils (brew install coreutils). diff --git a/libsepol/include/Makefile b/libsepol/include/Makefile index 56b7a114..ad5c34a4 100644 --- a/libsepol/include/Makefile +++ b/libsepol/include/Makefile @@ -1,6 +1,6 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -INCDIR ?= $(PREFIX)/include/sepol +PREFIX ?= /usr +INCDIR = $(DESTDIR)$(PREFIX)/include/sepol CILDIR ?= ../cil all: diff --git a/libsepol/man/Makefile b/libsepol/man/Makefile index 11924334..4f3d9fa2 100644 --- a/libsepol/man/Makefile +++ b/libsepol/man/Makefile @@ -1,6 +1,7 @@ # Installation directories. -MAN8DIR ?= $(DESTDIR)/usr/share/man/man8 -MAN3DIR ?= $(DESTDIR)/usr/share/man/man3 +PREFIX ?= /usr +MAN8DIR ?= $(DESTDIR)$(PREFIX)/share/man/man8 +MAN3DIR ?= $(DESTDIR)$(PREFIX)/share/man/man3 all: diff --git a/libsepol/src/Makefile b/libsepol/src/Makefile index 819d261b..d158398f 100644 --- a/libsepol/src/Makefile +++ b/libsepol/src/Makefile 
@@ -1,10 +1,9 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr +PREFIX ?= /usr INCLUDEDIR ?= $(PREFIX)/include -LIBDIR ?= $(PREFIX)/lib +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib SHLIBDIR ?= $(DESTDIR)/lib RANLIB ?= ranlib -LIBBASE ?= $(shell basename $(LIBDIR)) CILDIR ?= ../cil VERSION = $(shell cat ../VERSION) @@ -52,7 +51,7 @@ $(LIBSO): $(LOBJS) $(LIBMAP) ln -sf $@ $(TARGET) $(LIBPC): $(LIBPC).in ../VERSION - sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):' < $< > $@ + sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):' < $< > $@ $(LIBMAP): $(LIBMAP).in ifneq ($(DISABLE_CIL),y) diff --git a/libsepol/src/libsepol.pc.in b/libsepol/src/libsepol.pc.in index e52f5892..f807fec6 100644 --- a/libsepol/src/libsepol.pc.in +++ b/libsepol/src/libsepol.pc.in @@ -1,6 +1,6 @@ prefix=@prefix@ exec_prefix=${prefix} -libdir=${exec_prefix}/@libdir@ +libdir=@libdir@ includedir=@includedir@ Name: libsepol diff --git a/libsepol/utils/Makefile b/libsepol/utils/Makefile index fba1d8a0..8ce4bf47 100644 --- a/libsepol/utils/Makefile +++ b/libsepol/utils/Makefile @@ -1,6 +1,6 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -BINDIR ?= $(PREFIX)/bin +PREFIX ?= /usr +BINDIR ?= $(DESTDIR)$(PREFIX)/bin CFLAGS ?= -Wall -Werror override CFLAGS += -I../include -- 2.15.1
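Review bot: `LIBDIR ?= $(DESTDIR)$(PREFIX)/lib` now carries the staging root, but the `$(LIBPC)` recipe in the second hunk substitutes that same `$(LIBDIR)` for `@libdir@`, so `make DESTDIR=/tmp/stage install` (constructed example) writes `libdir=/tmp/stage/usr/lib` into libsepol.pc — the kind of odd path the commit message sets out to remove. `INCLUDEDIR ?= $(PREFIX)/include` is deliberately left without `$(DESTDIR)`, so the two fields of the generated .pc file now follow different conventions. The usual fix is `LIBDIR ?= $(PREFIX)/lib` here and `$(DESTDIR)$(LIBDIR)` only in the install recipe, which lies outside this hunk; the `libdir=@libdir@` change in libsepol.pc.in on the same line is then correct as written. With `?=`, a caller who passes `LIBDIR=` on the command line would otherwise also have to remember to include DESTDIR themselves.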
Re: [PATCH] libsemanage: Allow tmp files to be kept if a compile fails
On Tue, Jan 16, 2018 at 8:00 AM, Stephen Smalley wrote: > On Tue, 2018-01-16 at 07:47 -0800, William Roberts wrote: >> On Mon, Jan 15, 2018 at 9:32 AM, Stephen Smalley >> wrote: >> > On Jan 14, 2018 10:36 AM, "Richard Haines" > > rnet.com> >> > wrote: >> > >> > Add new option to semanage.conf that allows the tmp build files >> > to be kept for debugging when building policy. >> > >> > >> > Would it be better to just retain the files by default if there is >> > an error? >> >> I thought about this as well, my reasoning as to why Richard's >> approach was >> better is that if someone does it N times trying to figure out an >> issue, >> then there would be N piles of files in the tmp folder. This way they >> have to opt in to have their tmp folder spammed. > > I believe that the tmp directories are deleted and re-created by > libsemanage each time before use (otherwise we'd have a different > problem with not removing them, since we could end up with a mix of > files from different, incomplete transactions being intermingled > there). So I don't think this would be a problem. It might however Oh I see, it looks like it's just generating a /tmp "store" directory under the semanage path. I thought that enum was triggering a true /tmp style thing. I should have looked closer. > require saving the commit success/failure result in the handle so that > we know in semanage_direct_disconnect() whether or not we should delete > it. Now that I understand that tid-bit, I think you're right, let's just leave it on error. > > If we truly need to make it optional, then I'd rather have it be an > option flag to semodule and a runtime setting of libsemanage (ala > reload, disable_dontaudit, etc) than a semanage.conf setting, as this > is something a user will want to be able to use without having to edit > a config file, re-run the transaction, and then re-edit the config file > each time. But I'm not convinced we can't just make it the default > behavior whenever the commit fails. 
Deleting the tmp files > automatically only really makes sense when it succeeds. > >> >> > >> > >> > Signed-off-by: Richard Haines >> > --- >> > libsemanage/man/man5/semanage.conf.5 | 8 >> > libsemanage/src/conf-parse.y | 15 ++- >> > libsemanage/src/conf-scan.l | 1 + >> > libsemanage/src/direct_api.c | 21 - >> > libsemanage/src/semanage_conf.h | 1 + >> > 5 files changed, 36 insertions(+), 10 deletions(-) >> > >> > diff --git a/libsemanage/man/man5/semanage.conf.5 >> > b/libsemanage/man/man5/semanage.conf.5 >> > index 8f8de55a..10cab65a 100644 >> > --- a/libsemanage/man/man5/semanage.conf.5 >> > +++ b/libsemanage/man/man5/semanage.conf.5 >> > @@ -121,6 +121,14 @@ and by default it is set to "false". >> > Please note that since this option deletes all HLL files, an >> > updated HLL >> > compiler will not be able to recompile the original HLL file into >> > CIL. >> > In order to compile the original HLL file into CIL, the same HLL >> > file will >> > need to be reinstalled. >> > >> > +.TP >> > +.B retain-tmp >> > +When set to "true", tmp directories (the sandbox at >> > \fBstore-root/\fR[\fIpolicy-store\fR]\fB/tmp \fRand/or the final >> > policy at >> > \fBstore-root/final/\fR[\fIpolicy-store\fR]) will be retained after >> > compilation to allow debugging of any build errors. Note that on a >> > successful build the sandbox becomes >> > \fBstore-root/\fR[\fIpolicy-store\fR]\fB/active\fR. >> > +.br >> > +The >> > +.B retain-tmp >> > +option can be set to either "true" or "false" and by default it is >> > set to >> > "false". >> > + >> > .SH "SEE ALSO" >> > .TP >> > semanage(8) >> > diff --git a/libsemanage/src/conf-parse.y b/libsemanage/src/conf- >> > parse.y >> > index b527e893..f098e55d 100644 >> > --- a/libsemanage/src/conf-parse.y >> > +++ b/libsemanage/src/conf-parse.y 
>> > @@ -61,7 +61,7 @@ static int parse_errors; >> > >> > %token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS >> > SAVE_LINKED TARGET_PLATFORM COMPILER_DIR IGNORE_MODULE_CACHE >> > STORE_ROOT >> > %token LOAD_POLICY_START SETFILES_START SEFCONTEXT_COMPILE_START >> > DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN USEPASSWD IGNOREDIRS >> > -%token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL >> > +%token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL RETAIN_TMP >> > %token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START >> > BLOCK_END >> > %token PROG_PATH PROG_ARGS >> > %token ARG >> > @@ -95,6 +95,7 @@ single_opt: module_store >> > | bzip_blocksize >> > | bzip_small >> > | remove_hll >> > + | retain_tmp >> > ; >> > >> > module_store: MODULE_STORE '=' ARG { >> > @@ -268,6 +269,17 @@ remove_hll: REMOVE_HLL'=' ARG { >> > free($3); >> > } >> > >> > +retain_tmp: RETAIN_TMP'=' ARG { >> > + if
Re: ANN: Reference Policy 2.20180114
On Sun, 2018-01-14 at 15:02 -0500, Chris PeBenito via refpolicy wrote: > A new release, 2.20180114, of the SELinux Reference Policy is now > available on the GitHub site: > > https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease Could we get the nnp_nosuid_transition policy capability enabled in the next release?
Re: [PATCH] libsemanage: Allow tmp files to be kept if a compile fails
On Tue, 2018-01-16 at 07:47 -0800, William Roberts wrote: > On Mon, Jan 15, 2018 at 9:32 AM, Stephen Smalley >wrote: > > On Jan 14, 2018 10:36 AM, "Richard Haines" > rnet.com> > > wrote: > > > > Add new option to semanage.conf that allows the tmp build files > > to be kept for debugging when building policy. > > > > > > Would it be better to just retain the files by default if there is > > an error? > > I thought about this as well, my reasoning as to why Richard's > approach was > better is that if someone does it N times trying to figure out an > issue, > then there would be N piles of files in the tmp folder. This way they > have to opt in to have their tmp folder spammed. I believe that the tmp directories are deleted and re-created by libsemanage each time before use (otherwise we'd have a different problem with not removing them, since we could end up with a mix of files from different, incomplete transactions being intermingled there). So I don't think this would be a problem. It might however require saving the commit success/failure result in the handle so that we know in semanage_direct_disconnect() whether or not we should delete it. If we truly need to make it optional, then I'd rather have it be an option flag to semodule and a runtime setting of libsemanage (ala reload, disable_dontaudit, etc) than a semanage.conf setting, as this is something a user will want to be able to use without having to edit a config file, re-run the transaction, and then re-edit the config file each time. But I'm not convinced we can't just make it the default behavior whenever the commit fails. Deleting the tmp files automatically only really makes sense when it succeeds. 
> > > > > > > Signed-off-by: Richard Haines > > --- > > libsemanage/man/man5/semanage.conf.5 | 8 > > libsemanage/src/conf-parse.y | 15 ++- > > libsemanage/src/conf-scan.l | 1 + > > libsemanage/src/direct_api.c | 21 - > > libsemanage/src/semanage_conf.h | 1 + > > 5 files changed, 36 insertions(+), 10 deletions(-) > > > > diff --git a/libsemanage/man/man5/semanage.conf.5 > > b/libsemanage/man/man5/semanage.conf.5 > > index 8f8de55a..10cab65a 100644 > > --- a/libsemanage/man/man5/semanage.conf.5 > > +++ b/libsemanage/man/man5/semanage.conf.5 > > @@ -121,6 +121,14 @@ and by default it is set to "false". > > Please note that since this option deletes all HLL files, an > > updated HLL > > compiler will not be able to recompile the original HLL file into > > CIL. > > In order to compile the original HLL file into CIL, the same HLL > > file will > > need to be reinstalled. > > > > +.TP > > +.B retain-tmp > > +When set to "true", tmp directories (the sandbox at > > \fBstore-root/\fR[\fIpolicy-store\fR]\fB/tmp \fRand/or the final > > policy at > > \fBstore-root/final/\fR[\fIpolicy-store\fR]) will be retained after > > compilation to allow debugging of any build errors. Note that on a > > successful build the sandbox becomes > > \fBstore-root/\fR[\fIpolicy-store\fR]\fB/active\fR. > > +.br > > +The > > +.B retain-tmp > > +option can be set to either "true" or "false" and by default it is > > set to > > "false". > > + > > .SH "SEE ALSO" > > .TP > > semanage(8) > > diff --git a/libsemanage/src/conf-parse.y b/libsemanage/src/conf- > > parse.y > > index b527e893..f098e55d 100644 > > --- a/libsemanage/src/conf-parse.y > > +++ b/libsemanage/src/conf-parse.y 
> > @@ -61,7 +61,7 @@ static int parse_errors; > > > > %token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS > > SAVE_LINKED TARGET_PLATFORM COMPILER_DIR IGNORE_MODULE_CACHE > > STORE_ROOT > > %token LOAD_POLICY_START SETFILES_START SEFCONTEXT_COMPILE_START > > DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN USEPASSWD IGNOREDIRS > > -%token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL > > +%token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL RETAIN_TMP > > %token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START > > BLOCK_END > > %token PROG_PATH PROG_ARGS > > %token ARG > > @@ -95,6 +95,7 @@ single_opt: module_store > > | bzip_blocksize > > | bzip_small > > | remove_hll > > + | retain_tmp > > ; > > > > module_store: MODULE_STORE '=' ARG { > > @@ -268,6 +269,17 @@ remove_hll: REMOVE_HLL'=' ARG { > > free($3); > > } > > > > +retain_tmp: RETAIN_TMP'=' ARG { > > + if (strcasecmp($3, "false") == 0) { > > + current_conf->retain_tmp = 0; > > + } else if (strcasecmp($3, "true") == 0) { > > + current_conf->retain_tmp = 1; > > + } else { > > + yyerror("retain-tmp can only be 'true' or > > 'false'"); > > + } > > + free($3); > > +} > > + > > command_block: > > command_start external_opts BLOCK_END { > > if (new_external->path == NULL) { > > @@
Re: [PATCH] libsemanage: Allow tmp files to be kept if a compile fails
On Mon, Jan 15, 2018 at 9:32 AM, Stephen Smalleywrote: > On Jan 14, 2018 10:36 AM, "Richard Haines" > wrote: > > Add new option to semanage.conf that allows the tmp build files > to be kept for debugging when building policy. > > > Would it be better to just retain the files by default if there is an error? I thought about this as well, my reasoning as to why Richard's approach was better is that if someone does it N times trying to figure out an issue, then there would be N piles of files in the tmp folder. This way they have to opt in to have their tmp folder spammed. > > > Signed-off-by: Richard Haines > --- > libsemanage/man/man5/semanage.conf.5 | 8 > libsemanage/src/conf-parse.y | 15 ++- > libsemanage/src/conf-scan.l | 1 + > libsemanage/src/direct_api.c | 21 - > libsemanage/src/semanage_conf.h | 1 + > 5 files changed, 36 insertions(+), 10 deletions(-) > > diff --git a/libsemanage/man/man5/semanage.conf.5 > b/libsemanage/man/man5/semanage.conf.5 > index 8f8de55a..10cab65a 100644 > --- a/libsemanage/man/man5/semanage.conf.5 > +++ b/libsemanage/man/man5/semanage.conf.5 > @@ -121,6 +121,14 @@ and by default it is set to "false". > Please note that since this option deletes all HLL files, an updated HLL > compiler will not be able to recompile the original HLL file into CIL. > In order to compile the original HLL file into CIL, the same HLL file will > need to be reinstalled. > > +.TP > +.B retain-tmp > +When set to "true", tmp directories (the sandbox at > \fBstore-root/\fR[\fIpolicy-store\fR]\fB/tmp \fRand/or the final policy at > \fBstore-root/final/\fR[\fIpolicy-store\fR]) will be retained after > compilation to allow debugging of any build errors. Note that on a > successful build the sandbox becomes > \fBstore-root/\fR[\fIpolicy-store\fR]\fB/active\fR. > +.br > +The > +.B retain-tmp > +option can be set to either "true" or "false" and by default it is set to > "false". > + > .SH "SEE ALSO" > .TP > semanage(8) 
> diff --git a/libsemanage/src/conf-parse.y b/libsemanage/src/conf-parse.y > index b527e893..f098e55d 100644 > --- a/libsemanage/src/conf-parse.y > +++ b/libsemanage/src/conf-parse.y > @@ -61,7 +61,7 @@ static int parse_errors; > > %token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS > SAVE_LINKED TARGET_PLATFORM COMPILER_DIR IGNORE_MODULE_CACHE STORE_ROOT > %token LOAD_POLICY_START SETFILES_START SEFCONTEXT_COMPILE_START > DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN USEPASSWD IGNOREDIRS > -%token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL > +%token BZIP_BLOCKSIZE BZIP_SMALL REMOVE_HLL RETAIN_TMP > %token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END > %token PROG_PATH PROG_ARGS > %token ARG > @@ -95,6 +95,7 @@ single_opt: module_store > | bzip_blocksize > | bzip_small > | remove_hll > + | retain_tmp > ; > > module_store: MODULE_STORE '=' ARG { > @@ -268,6 +269,17 @@ remove_hll: REMOVE_HLL'=' ARG { > free($3); > } > > +retain_tmp: RETAIN_TMP'=' ARG { > + if (strcasecmp($3, "false") == 0) { > + current_conf->retain_tmp = 0; > + } else if (strcasecmp($3, "true") == 0) { > + current_conf->retain_tmp = 1; > + } else { > + yyerror("retain-tmp can only be 'true' or 'false'"); > + } > + free($3); > +} > + > command_block: > command_start external_opts BLOCK_END { > if (new_external->path == NULL) { > @@ -352,6 +364,7 @@ static int semanage_conf_init(semanage_conf_t * conf) > conf->bzip_small = 0; > conf->ignore_module_cache = 0; > conf->remove_hll = 0; > + conf->retain_tmp = 0; > > conf->save_previous = 0; > conf->save_linked = 0; > diff --git a/libsemanage/src/conf-scan.l b/libsemanage/src/conf-scan.l > index 607bbf0b..e26c3494 100644 > --- a/libsemanage/src/conf-scan.l > +++ b/libsemanage/src/conf-scan.l 
> @@ -54,6 +54,7 @@ handle-unknownreturn HANDLE_UNKNOWN; > bzip-blocksize return BZIP_BLOCKSIZE; > bzip-small return BZIP_SMALL; > remove-hll return REMOVE_HLL; > +retain-tmp return RETAIN_TMP; > "[load_policy]" return LOAD_POLICY_START; > "[setfiles]" return SETFILES_START; > "[sefcontext_compile]" return SEFCONTEXT_COMPILE_START; > diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c > index a455612f..5d2a443c 100644 > --- a/libsemanage/src/direct_api.c > +++ b/libsemanage/src/direct_api.c > @@ -326,7 +326,10 @@ static void semanage_direct_destroy(semanage_handle_t * > sh > static int semanage_direct_disconnect(semanage_handle_t * sh) > { > /* destroy transaction */ > - if (sh->is_in_transaction) { > + if (sh->is_in_transaction) > + semanage_release_trans_lock(sh);
Re: [PATCH] python/semanage: Remove redundant and broken moduleRecords.modify()
On Thu, 2018-01-11 at 18:44 +0100, Vit Mojzis wrote: > moduleRecords.modify() calls nonexistent function > semanage_module_update_file (maybe it should have been > semanage_module_upgrade_file which is now obsolete and calls > semanage_module_install_file) and the job of updating a module is > done > by moduleRecords.add(). > > Signed-off-by: Vit MojzisThanks, applied. > --- > python/semanage/seobject.py | 5 - > 1 file changed, 5 deletions(-) > > diff --git a/python/semanage/seobject.py > b/python/semanage/seobject.py > index b927b18..740bd7c 100644 > --- a/python/semanage/seobject.py > +++ b/python/semanage/seobject.py > @@ -423,11 +423,6 @@ class moduleRecords(semanageRecords): > raise ValueError(_("Could not disable module > %s") % m) > self.commit() > > -def modify(self, file): > -rc = semanage_module_update_file(self.sh, file) > -if rc >= 0: > -self.commit() > - > def delete(self, module, priority): > rc = semanage_set_default_priority(self.sh, priority) > if rc < 0:
Re: [PATCH] python/semanage: bring semanageRecords.set_reload back
On Thu, 2018-01-11 at 17:22 +0100, Petr Lautrbach wrote: > It's used by third parties, e.g. Ansible modules > > Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1527745 Thanks, applied. > > Signed-off-by: Petr Lautrbach> --- > python/semanage/seobject.py | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/python/semanage/seobject.py > b/python/semanage/seobject.py > index b927b184..c2966251 100644 > --- a/python/semanage/seobject.py > +++ b/python/semanage/seobject.py > @@ -260,6 +260,9 @@ class semanageRecords: > else: > self.mylog = nulllogger() > > +def set_reload(self, load): > +self.noreload = not load > + > def get_handle(self, store): > global is_mls_enabled >
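Review bot: The restored `set_reload` carries no docstring, and since the commit message keeps it specifically for external callers (Ansible modules), its contract should be written down rather than left to the name. A one-line docstring such as `"""Public API kept for third-party callers; sets self.noreload to ``not load``."""` directly under the `def` would do. What `noreload` subsequently controls is not visible in this hunk.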
Re: BUG: unable to handle kernel NULL pointer dereference in sidtab_search_core
On Fri, Dec 22, 2017 at 9:56 PM, Paul Moorewrote: >>> wrote: Hello, syzkaller hit the following crash on 6084b576dca2e898f5c101baef151f7bfdbb606d git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master compiler: gcc (GCC) 7.1.1 20170620 .config is attached Raw console output is attached. C reproducer is attached syzkaller reproducer is attached. See https://goo.gl/kgGztJ for information about syzkaller reproducers SELinux: security_compute_sid: unrecognized SID 1 SELinux: security_compute_sid: unrecognized SID 1 SELinux: security_compute_sid: unrecognized SID 1 SELinux: security_compute_sid: unrecognized SID 1 SELinux: security_compute_sid: unrecognized SID 1 BUG: unable to handle kernel NULL pointer dereference at 0001 IP: sidtab_search_core+0x88/0x110 security/selinux/ss/sidtab.c:100 PGD 0 P4D 0 Oops: [#1] SMP Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 1 PID: 4252 Comm: kworker/u4:1 Not tainted 4.15.0-rc3-next-20171214+ #67 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:sidtab_search_core+0x88/0x110 security/selinux/ss/sidtab.c:100 RSP: 0018:c900028abc18 EFLAGS: 00010293 RAX: 8802131a87c0 RBX: 0001 RCX: 8165d978 RDX: RSI: 0001 RDI: 83fd17a0 RBP: c900028abc40 R08: 0001 R09: 0001 R10: c900028abbe0 R11: R12: 0001 R13: 0001 R14: R15: 880214d93800 FS: () GS:88021fd0() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 0001 CR3: 000214e31000 CR4: 001406e0 DR0: DR1: DR2: DR3: DR6: fffe0ff0 DR7: 0400 Call Trace: sidtab_search+0x1f/0x30 security/selinux/ss/sidtab.c:111 security_compute_sid.part.11+0xe2/0x710 security/selinux/ss/services.c:1618 security_compute_sid+0x92/0xa0 security/selinux/ss/services.c:1598 security_transition_sid+0x57/0x70 security/selinux/ss/services.c:1764 selinux_bprm_set_creds+0x215/0x2f0 security/selinux/hooks.c:2423 security_bprm_set_creds+0x41/0x60 security/security.c:332 prepare_binprm+0xae/0x1f0 fs/exec.c:1561 do_execveat_common.isra.30+0x6f7/0xb90 
fs/exec.c:1784 do_execve+0x31/0x40 fs/exec.c:1848 call_usermodehelper_exec_async+0x104/0x190 kernel/umh.c:100 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:524 Code: 8b 5b 50 48 85 db 75 e5 e8 e6 c9 c5 ff 49 8b 5f 18 48 85 db 75 10 eb 43 e8 d6 c9 c5 ff 48 8b 5b 50 48 85 db 74 35 e8 c8 c9 c5 ff <44> 8b 23 41 83 fc 02 76 e4 e8 ba c9 c5 ff 41 83 fc 03 75 1c 48 RIP: sidtab_search_core+0x88/0x110 security/selinux/ss/sidtab.c:100 RSP: c900028abc18 CR2: 0001 ---[ end trace 571c0ea6c6959387 ]--- Kernel panic - not syncing: Fatal exception Dumping ftrace buffer: (ftrace buffer empty) Kernel Offset: disabled Rebooting in 86400 seconds.. >>> >>> Based on the reproducer and the stack trace, I'm guessing the system >>> is attempting to load a kernel module for a a defined, but unloaded, >>> protocol. Looking quickly at the SELinux bprm and sidtab code, >>> nothing obvious is jumping out at me. Considering the number of false >>> positives I've been seeing from syzbot lately, I'm assuming this is >>> more of the same. >> >> Hi Paul, >> >> What are these false positives? Please elaborate. >> There is no single false positive that I am aware of. All the ones >> that were debugged are real kernel bugs. > > I've replied to several of the syzbot automated reports with the > "invalid" response. I haven't been keeping track, but it seems like > approximately 50% of the SELinux related reports don't make sense upon > inspection. Can you please point me to some of these bugs? I don't see anything like this in my inbox, in google group nor in database. >>> >>> Not easily, no. I don't keep track of these reports once I've >>> responded to the syzbot mail. >> >> There must be traces of this in database and on mailing lists (even if >> you drop syzkaller-bugs@ syzbot will re-add it). So far I did not find >> any traces...