Re: [PATCH V2] libsemanage: Allow tmp files to be kept if a compile fails
On Mon, Jan 22, 2018 at 8:38 AM, Richard Haines wrote:
> Allow the tmp build files to be kept for debugging when a policy
> build fails.
>
> Signed-off-by: Richard Haines
> ---
> V2 Changes:
> Remove the retain-tmp flag and just keep tmp files on build errors.
>
> libsemanage/src/direct_api.c | 54 > ++-- > libsemanage/src/handle.c | 2 ++ > libsemanage/src/handle.h | 1 + > 3 files changed, 40 insertions(+), 17 deletions(-) > > diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c > index a455612f..3d1cf1fe 100644 > --- a/libsemanage/src/direct_api.c > +++ b/libsemanage/src/direct_api.c 
> @@ -323,26 +323,44 @@ static void semanage_direct_destroy(semanage_handle_t * > sh > /* do nothing */ > } > > -static int semanage_direct_disconnect(semanage_handle_t * sh) > +static int semanage_remove_tmps(semanage_handle_t *sh) > { > - /* destroy transaction */ > - if (sh->is_in_transaction) { > - /* destroy sandbox */ > - if (semanage_remove_directory > - (semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL)) < 0) { > + if (sh->commit_err) > + return 0; > + > + /* destroy sandbox if it exists */ > + if (semanage_remove_directory > + (semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL)) < 0) { > + if (errno != ENOENT) { > ERR(sh, "Could not cleanly remove sandbox %s.", > semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL)); > return -1; > } > - if (semanage_remove_directory > - (semanage_final_path(SEMANAGE_FINAL_TMP, > -SEMANAGE_FINAL_TOPLEVEL)) < 0) { > + } > + > + /* destroy tmp policy if it exists */ > + if (semanage_remove_directory > + (semanage_final_path(SEMANAGE_FINAL_TMP, > +SEMANAGE_FINAL_TOPLEVEL)) < 0) { > + if (errno != ENOENT) { > ERR(sh, "Could not cleanly remove tmp %s.", > semanage_final_path(SEMANAGE_FINAL_TMP, > SEMANAGE_FINAL_TOPLEVEL)); > return -1; > } > + } > + > + return 0; > +} > + > +static int semanage_direct_disconnect(semanage_handle_t *sh) > +{ > + int retval = 0; > + > + /* destroy transaction and remove tmp files if no commit error */ > + if (sh->is_in_transaction) { > semanage_release_trans_lock(sh); > + retval = semanage_remove_tmps(sh); > } > > /* Release object databases: local modifications */ > @@ -375,7 +393,7 @@ static int semanage_direct_disconnect(semanage_handle_t * > sh) > /* Release object databases: active kernel policy */ > bool_activedb_dbase_release(semanage_bool_dbase_active(sh)); > > - return 0; > + return retval; > } > > static int semanage_direct_begintrans(semanage_handle_t * sh) 
> @@ -1639,13 +1657,15 @@ cleanup: > > free(fc_buffer); > > - /* regardless if the commit was successful or not, remove the > - sandbox if it is still there */ > - semanage_remove_directory(semanage_path > - (SEMANAGE_TMP, SEMANAGE_TOPLEVEL)); > - semanage_remove_directory(semanage_final_path > - (SEMANAGE_FINAL_TMP, > - SEMANAGE_FINAL_TOPLEVEL)); > + /* Set commit_err so other functions can detect any errors. Note that > +* retval > 0 will be the commit number. > +*/ > + if (retval < 0) > + sh->commit_err = retval; > + > + if (semanage_remove_tmps(sh) != 0) > + retval = -1; > + > umask(mask); > > return retval; > diff --git a/libsemanage/src/handle.c b/libsemanage/src/handle.c > index 4ce1df03..a6567bd4 100644 > --- a/libsemanage/src/handle.c > +++ b/libsemanage/src/handle.c > @@ -86,6 +86,8 @@ semanage_handle_t *semanage_handle_create(void) > * If any changes are made, this flag is ignored */ > sh->do_rebuild = 0; > > + sh->commit_err = 0; > + > /* By default always reload policy after commit if SELinux is > enabled. */ > sh->do_reload = (is_selinux_enabled() > 0); > > diff --git a/libsemanage/src/handle.h b/libsemanage/src/handle.h > index 1780ac81..65b15600 100644 > --- a/libsemanage/src/handle.h > +++ b/libsemanage/src/handle.h > @@ -62,6 +62,7 @@ struct semanage_handle { > int is_in_transaction; > int do_reload; /* whether to reload policy after commit */ > int do_rebuild; /* whether to rebuild policy if there were no > changes */ > + int commit_err; /* set by
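Review bot: the early `if (sh->commit_err) return 0;` at the top of semanage_remove_tmps() keeps the sandbox and the tmp policy without telling anyone. Since the point of the change is debugging a failed build, log the two retained paths (the values of semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL) and semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FINAL_TOPLEVEL)) on that branch, so the user knows where to look and that the directories are now theirs to remove.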
Re: [PATCH v2 02/14] libselinux: build: follow standard semantics for DESTDIR and PREFIX
On 19/01/18 13:07, Marcus Folkesson wrote: > Hi Nicolas! > > On Wed, Jan 17, 2018 at 11:12:56PM +0100, Nicolas Iooss wrote: >> On Tue, Jan 16, 2018 at 9:23 PM, Marcus Folkesson >>wrote: >>> This patch solves the following issues: >>> - The pkg-config files generates odd paths when using DESTDIR without PREFIX >>> - DESTDIR is needed during compile time to compute library and header paths >>> which it should not. >>> - Installing with both DESTDIR and PREFIX set gives us odd paths >>> - Make usage of DESTDIR and PREFIX more standard >>> >>> Signed-off-by: Marcus Folkesson >>> --- >>> libselinux/include/Makefile | 4 ++-- >>> libselinux/man/Makefile | 7 --- >>> libselinux/src/Makefile | 12 +--- >>> libselinux/src/libselinux.pc.in | 2 +- >>> libselinux/utils/Makefile | 6 ++ >>> 5 files changed, 14 insertions(+), 17 deletions(-) >>> >>> diff --git a/libselinux/include/Makefile b/libselinux/include/Makefile >>> index 757a6c9c..3b51f5ce 100644 >>> --- a/libselinux/include/Makefile >>> +++ b/libselinux/include/Makefile >>> @@ -1,6 +1,6 @@ >>> # Installation directories. >>> -PREFIX ?= $(DESTDIR)/usr >>> -INCDIR ?= $(PREFIX)/include/selinux >>> +PREFIX ?= /usr >>> +INCDIR = $(DESTDIR)$(PREFIX)/include/selinux >>> >>> all: >>> >>> diff --git a/libselinux/man/Makefile b/libselinux/man/Makefile >>> index 0643e6af..233bfaa9 100644 >>> --- a/libselinux/man/Makefile >>> +++ b/libselinux/man/Makefile >>> @@ -1,7 +1,8 @@ >>> # Installation directories. >>> -MAN8DIR ?= $(DESTDIR)/usr/share/man/man8 >>> -MAN5DIR ?= $(DESTDIR)/usr/share/man/man5 >>> -MAN3DIR ?= $(DESTDIR)/usr/share/man/man3 >>> +PREFIX ?= /usr >>> +MAN8DIR ?= $(DESTDIR)$(PREFIX)/share/man/man8 >>> +MAN5DIR ?= $(DESTDIR)$(PREFIX)/share/man/man5 >>> +MAN3DIR ?= $(DESTDIR)$(PREFIX)/share/man/man3 >>> >>> all: >>> >>> diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile >>> index 18df75c8..18a58164 100644 >>> --- a/libselinux/src/Makefile >>> +++ b/libselinux/src/Makefile 
>>> @@ -8,8 +8,8 @@ RUBYPREFIX ?= $(notdir $(RUBY)) >>> PKG_CONFIG ?= pkg-config >>> >>> # Installation directories. >>> -PREFIX ?= $(DESTDIR)/usr >>> -LIBDIR ?= $(PREFIX)/lib >>> +PREFIX ?= /usr >>> +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib >>> SHLIBDIR ?= $(DESTDIR)/lib >>> INCLUDEDIR ?= $(PREFIX)/include >>> PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX)) >>> @@ -19,8 +19,6 @@ PYCEXT ?= $(shell $(PYTHON) -c 'import imp;print([s for >>> s,m,t in imp.get_suffixe >>> RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + >>> RbConfig::CONFIG["rubyarchhdrdir"] + " -I" + >>> RbConfig::CONFIG["rubyhdrdir"]') >>> RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG["libdir"] + " >>> -L" + RbConfig::CONFIG["archlibdir"] + " " + >>> RbConfig::CONFIG["LIBRUBYARG_SHARED"]') >>> RUBYINSTALL ?= $(DESTDIR)$(shell $(RUBY) -e 'puts >>> RbConfig::CONFIG["vendorarchdir"]') >>> -LIBBASE ?= $(shell basename $(LIBDIR)) >>> -LIBSEPOLA ?= $(LIBDIR)/libsepol.a >>> >>> VERSION = $(shell cat ../VERSION) >>> LIBVERSION = 1 >>> @@ -148,7 +146,7 @@ $(LIBSO): $(LOBJS) >>> ln -sf $@ $(TARGET) >>> >>> $(LIBPC): $(LIBPC).in ../VERSION >>> - sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; >>> s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):; >>> s:@PCRE_MODULE@:$(PCRE_MODULE):' < $< > $@ >>> + sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; >>> s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):; >>> s:@PCRE_MODULE@:$(PCRE_MODULE):' < $< > $@ >>> >>> selinuxswig_python_exception.i: ../include/selinux/selinux.h >>> bash -e exception.sh > $@ || (rm -f $@ ; false) 
>>> @@ -156,8 +154,8 @@ selinuxswig_python_exception.i: >>> ../include/selinux/selinux.h >>> $(AUDIT2WHYLOBJ): audit2why.c >>> $(CC) $(filter-out -Werror, $(CFLAGS)) $(PYINC) -fPIC -DSHARED -c >>> -o $@ $< >>> >>> -$(AUDIT2WHYSO): $(AUDIT2WHYLOBJ) $(LIBSEPOLA) >>> - $(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux $(PYLIBS) >>> +$(AUDIT2WHYSO): $(AUDIT2WHYLOBJ) >>> + $(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux $(PYLIBS) >>> -l:libsepol.a >> >> Hello, >> This change makes audit2why.so no longer being rebuilt when libsepol's >> code change. This is an issue when debugging issues in libsepol, which >> is why I added $(LIBSEPOLA) to the dependencies of $(AUDIT2WHYSO) in >> commit dcd135cc06ab ("Re-link programs after libsepol.a is updated" >> [1]). >> By the way, I like the change from using a "hardcoded" path to >> libsepol.a to telling the compiler to look into directories specified >> with option -L in LDFLAGS. This would ease the packaging a little bit, >> as it makes defining LIBSEPOLA no longer necessary (if I understood >> the changes correctly, I have not tested this point). Is there a way >> to ask the compiler for the resolved location of a static library, in >> a way which can be used to compute the value of LIBSEPOLA? ("gcc
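Review bot: in libselinux/include/Makefile the new `INCDIR = $(DESTDIR)$(PREFIX)/include/selinux` drops the `?=` of the line it replaces, while the man and src Makefiles in the same patch keep `?=` for MAN8DIR and LIBDIR. With a plain `=`, INCDIR is no longer picked up from the environment. If that is not intended, keep `INCDIR ?=`; if it is, the commit message should say so.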
[PATCH V2] libsemanage: Allow tmp files to be kept if a compile fails
Allow the tmp build files to be kept for debugging when a policy build fails. Signed-off-by: Richard Haines--- V2 Changes: Remove the retain-tmp flag and just keep tmp files on build errors. libsemanage/src/direct_api.c | 54 ++-- libsemanage/src/handle.c | 2 ++ libsemanage/src/handle.h | 1 + 3 files changed, 40 insertions(+), 17 deletions(-) diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c index a455612f..3d1cf1fe 100644 --- a/libsemanage/src/direct_api.c +++ b/libsemanage/src/direct_api.c @@ -323,26 +323,44 @@ static void semanage_direct_destroy(semanage_handle_t * sh /* do nothing */ } -static int semanage_direct_disconnect(semanage_handle_t * sh) +static int semanage_remove_tmps(semanage_handle_t *sh) { - /* destroy transaction */ - if (sh->is_in_transaction) { - /* destroy sandbox */ - if (semanage_remove_directory - (semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL)) < 0) { + if (sh->commit_err) + return 0; + + /* destroy sandbox if it exists */ + if (semanage_remove_directory + (semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL)) < 0) { + if (errno != ENOENT) { ERR(sh, "Could not cleanly remove sandbox %s.", semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL)); return -1; } - if (semanage_remove_directory - (semanage_final_path(SEMANAGE_FINAL_TMP, -SEMANAGE_FINAL_TOPLEVEL)) < 0) { + } + + /* destroy tmp policy if it exists */ + if (semanage_remove_directory + (semanage_final_path(SEMANAGE_FINAL_TMP, +SEMANAGE_FINAL_TOPLEVEL)) < 0) { + if (errno != ENOENT) { ERR(sh, "Could not cleanly remove tmp %s.", semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FINAL_TOPLEVEL)); return -1; } + } + + return 0; +} + +static int semanage_direct_disconnect(semanage_handle_t *sh) +{ + int retval = 0; + + /* destroy transaction and remove tmp files if no commit error */ + if (sh->is_in_transaction) { semanage_release_trans_lock(sh); + retval = semanage_remove_tmps(sh); } /* Release object databases: local modifications */ 
@@ -375,7 +393,7 @@ static int semanage_direct_disconnect(semanage_handle_t * sh) /* Release object databases: active kernel policy */ bool_activedb_dbase_release(semanage_bool_dbase_active(sh)); - return 0; + return retval; } static int semanage_direct_begintrans(semanage_handle_t * sh) @@ -1639,13 +1657,15 @@ cleanup: free(fc_buffer); - /* regardless if the commit was successful or not, remove the - sandbox if it is still there */ - semanage_remove_directory(semanage_path - (SEMANAGE_TMP, SEMANAGE_TOPLEVEL)); - semanage_remove_directory(semanage_final_path - (SEMANAGE_FINAL_TMP, - SEMANAGE_FINAL_TOPLEVEL)); + /* Set commit_err so other functions can detect any errors. Note that +* retval > 0 will be the commit number. +*/ + if (retval < 0) + sh->commit_err = retval; + + if (semanage_remove_tmps(sh) != 0) + retval = -1; + umask(mask); return retval; diff --git a/libsemanage/src/handle.c b/libsemanage/src/handle.c index 4ce1df03..a6567bd4 100644 --- a/libsemanage/src/handle.c +++ b/libsemanage/src/handle.c @@ -86,6 +86,8 @@ semanage_handle_t *semanage_handle_create(void) * If any changes are made, this flag is ignored */ sh->do_rebuild = 0; + sh->commit_err = 0; + /* By default always reload policy after commit if SELinux is enabled. */ sh->do_reload = (is_selinux_enabled() > 0); diff --git a/libsemanage/src/handle.h b/libsemanage/src/handle.h index 1780ac81..65b15600 100644 --- a/libsemanage/src/handle.h +++ b/libsemanage/src/handle.h @@ -62,6 +62,7 @@ struct semanage_handle { int is_in_transaction; int do_reload; /* whether to reload policy after commit */ int do_rebuild; /* whether to rebuild policy if there were no changes */ + int commit_err; /* set by semanage_direct_commit() */ int modules_modified; int create_store; /* whether to create the store if it does not exist * this will only have an effect on direct connections */ -- 2.14.3
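Review bot: in the `cleanup:` hunk, `sh->commit_err` is assigned only when `retval < 0`, and the only other write in this patch is the initialisation in semanage_handle_create(). If the same handle is used for a failed commit and then a successful one, the flag stays set, semanage_remove_tmps() keeps returning early, and the tmp directories are never removed. Assign it on every commit, for example `sh->commit_err = (retval < 0) ? retval : 0;`, or clear it when a new transaction begins.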
[PATCH] libsemanage: Return commit number if save-previous false
Stop overwriting the commit number for the default save-previous flag setting (false) in semanage.conf. Allows semodule -v -i to show the correct commit number. Signed-off-by: Richard Haines--- libsemanage/src/semanage_store.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c index 37ff5ace..936e6495 100644 --- a/libsemanage/src/semanage_store.c +++ b/libsemanage/src/semanage_store.c @@ -1740,9 +1740,9 @@ static int semanage_commit_sandbox(semanage_handle_t * sh) if (!sh->conf->save_previous) { int errsv = errno; - retval = semanage_remove_directory(backup); - if (retval < 0) { + if (semanage_remove_directory(backup) != 0) { ERR(sh, "Could not delete previous directory %s.", backup); + retval = -1; goto cleanup; } errno = errsv; -- 2.14.3
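Review bot: on the failure branch, `ERR(sh, "Could not delete previous directory %s.", backup);` gives no reason for the failure, although the `goto cleanup` skips `errno = errsv;` and errno has therefore not been restored at that point. Consider adding strerror(errno) to the message. The commit message would also be clearer if it said that the old code replaced the commit number in retval with the return value of semanage_remove_directory().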
Re: [PATCH V6 1/2] security: Add a cred_getsecid hook
On 1/21/2018 9:27 PM, Matthew Garrett wrote:
> On Tue, Jan 9, 2018 at 8:36 AM, Matthew Garrett wrote:
>> For IMA purposes, we want to be able to obtain the prepared secid in the
>> bprm structure before the credentials are committed. Add a cred_getsecid
>> hook that makes this possible.
> Any feedback on this version of the set?

Sorry for the delay. I'm having a mindset crisis on secids just now, and I'm not completely sure if I have any issue with this particular hook. Don't wait for me. If everyone else is OK with it, go ahead.
[PATCH v3 12/14] semodule-utils: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson--- semodule-utils/semodule_expand/Makefile | 8 +++- semodule-utils/semodule_link/Makefile| 8 +++- semodule-utils/semodule_package/Makefile | 8 +++- 3 files changed, 9 insertions(+), 15 deletions(-) diff --git a/semodule-utils/semodule_expand/Makefile b/semodule-utils/semodule_expand/Makefile index 072f2137..c2ab3f65 100644 --- a/semodule-utils/semodule_expand/Makefile +++ b/semodule-utils/semodule_expand/Makefile @@ -1,9 +1,7 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -INCLUDEDIR ?= $(PREFIX)/include -BINDIR ?= $(PREFIX)/bin -LIBDIR ?= $(PREFIX)/lib -MANDIR ?= $(PREFIX)/share/man +PREFIX ?= /usr +BINDIR ?= $(DESTDIR)$(PREFIX)/bin +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man CFLAGS ?= -Werror -Wall -W override LDLIBS += -lsepol diff --git a/semodule-utils/semodule_link/Makefile b/semodule-utils/semodule_link/Makefile index cc4687bd..bcf98765 100644 --- a/semodule-utils/semodule_link/Makefile +++ b/semodule-utils/semodule_link/Makefile @@ -1,9 +1,7 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -INCLUDEDIR ?= $(PREFIX)/include -BINDIR ?= $(PREFIX)/bin -MANDIR ?= $(PREFIX)/share/man -LIBDIR ?= $(PREFIX)/lib +PREFIX ?= /usr +BINDIR ?= $(DESTDIR)$(PREFIX)/bin +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man CFLAGS ?= -Werror -Wall -W override LDLIBS += -lsepol diff --git a/semodule-utils/semodule_package/Makefile b/semodule-utils/semodule_package/Makefile index 96dd7c4f..33a95e16 100644 --- a/semodule-utils/semodule_package/Makefile +++ b/semodule-utils/semodule_package/Makefile @@ -1,9 +1,7 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -INCLUDEDIR ?= $(PREFIX)/include -BINDIR ?= $(PREFIX)/bin -LIBDIR ?= $(PREFIX)/lib -MANDIR ?= $(PREFIX)/share/man +PREFIX ?= /usr +BINDIR ?= $(DESTDIR)$(PREFIX)/bin +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man CFLAGS ?= -Werror -Wall -W override LDLIBS += -lsepol -- 2.15.1
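Review bot: all three Makefiles drop INCLUDEDIR and LIBDIR in addition to changing PREFIX, but the commit message has no body. Say in the message that these two variables are removed because nothing in semodule_expand, semodule_link or semodule_package references them, so a reader of the log does not have to check that for themselves.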
[PATCH v3 09/14] restorecond: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson--- restorecond/Makefile | 11 +-- 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/restorecond/Makefile b/restorecond/Makefile index ada94aeb..a2316947 100644 --- a/restorecond/Makefile +++ b/restorecond/Makefile @@ -1,13 +1,12 @@ PKG_CONFIG ?= pkg-config # Installation directories. -PREFIX ?= $(DESTDIR)/usr -SBINDIR ?= $(PREFIX)/sbin -LIBDIR ?= $(PREFIX)/lib -MANDIR = $(PREFIX)/share/man +PREFIX ?= /usr +SBINDIR ?= $(DESTDIR)$(PREFIX)/sbin +MANDIR = $(DESTDIR)$(PREFIX)/share/man AUTOSTARTDIR = $(DESTDIR)/etc/xdg/autostart -DBUSSERVICEDIR = $(DESTDIR)/usr/share/dbus-1/services -SYSTEMDDIR ?= $(DESTDIR)/usr/lib/systemd +DBUSSERVICEDIR = $(DESTDIR)$(PREFIX)/share/dbus-1/services +SYSTEMDDIR ?= $(DESTDIR)$(PREFIX)/lib/systemd autostart_DATA = sealertauto.desktop INITDIR ?= $(DESTDIR)/etc/rc.d/init.d -- 2.15.1
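Review bot: `DBUSSERVICEDIR` and `SYSTEMDDIR` now follow PREFIX, while `AUTOSTARTDIR` and `INITDIR` stay fixed under `$(DESTDIR)/etc`. D-Bus and systemd read service files from their own configured directories, not from this package's prefix, so a non-default PREFIX installs these files where the daemons may not look. Either keep their defaults independent of PREFIX or note the requirement in the commit message; `DBUSSERVICEDIR` is also assigned with `=`, so it cannot be set from the environment.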
Re: [PATCH V6 1/2] security: Add a cred_getsecid hook
On Tue, Jan 9, 2018 at 8:36 AM, Matthew Garrett wrote:
> For IMA purposes, we want to be able to obtain the prepared secid in the
> bprm structure before the credentials are committed. Add a cred_getsecid
> hook that makes this possible.

Any feedback on this version of the set?
[PATCH v3 10/14] sandbox: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson--- sandbox/Makefile | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/sandbox/Makefile b/sandbox/Makefile index 05c3d658..5a6b707a 100644 --- a/sandbox/Makefile +++ b/sandbox/Makefile @@ -1,14 +1,14 @@ PYTHON ?= python # Installation directories. -PREFIX ?= $(DESTDIR)/usr +PREFIX ?= /usr SYSCONFDIR ?= $(DESTDIR)/etc/sysconfig -LIBDIR ?= $(PREFIX)/lib -BINDIR ?= $(PREFIX)/bin -SBINDIR ?= $(PREFIX)/sbin -MANDIR ?= $(PREFIX)/share/man +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib +BINDIR ?= $(DESTDIR)$(PREFIX)/bin +SBINDIR ?= $(DESTDIR)$(PREFIX)/sbin +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man LOCALEDIR ?= /usr/share/locale -SHAREDIR ?= $(PREFIX)/share/sandbox +SHAREDIR ?= $(DESTDIR)$(PREFIX)/share/sandbox override CFLAGS += -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra -W override LDLIBS += -lselinux -lcap-ng SEUNSHARE_OBJS = seunshare.o -- 2.15.1
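Review bot: `LOCALEDIR ?= /usr/share/locale` is left as it was, so it is now the one directory in this Makefile that takes neither DESTDIR nor PREFIX. If it is an install destination it needs `$(DESTDIR)$(PREFIX)/share/locale` like the others; if it is a path used at run time it should be `$(PREFIX)/share/locale` without DESTDIR. Whichever it is, the commit message should say why it differs.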
Rework of Makefiles v3
Hi all,

I have updated the patchset.

Please test to compile with:
make DESTDIR=/tmp/myroot PREFIX=/myusr install
or
make DESTDIR=/tmp/myroot install

As said before, the goal with this patchset is to clean up the Makefiles on unused symbols, use standard semantics and keep all the old functionality.

Changes:

v3:
- python: Add missing slash
- Top makefile: Add default prefix
- python, mcstrans, selinux: keep the possibility to specify LIBSEPOLA to make depending component recompile on change. If not specified, fall back to libsepola in LDFLAGS path.

v2:
- Use separate directories for shared libraries as before (Comment from Stephen Smalley)
- Rework all packages (not just selinux/sepol/semanage)
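A staged-install check to go with the test procedure in the cover letter above, as an added example that is not part of the thread or the patch series: run after `make DESTDIR=/tmp/myroot PREFIX=/myusr install`, it reports every installed file or symlink that still refers to the staging root. The function name `find_destdir_leaks` and its output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the patch series.
# DESTDIR is a staging root used only while packaging, so its value must not
# survive inside anything that gets installed. find_destdir_leaks scans a
# staged tree (the result of "make DESTDIR=... install") for such leftovers.

# find_destdir_leaks DESTDIR
#   stdout: "content <file>"  for each file whose bytes contain DESTDIR
#           "symlink <link>"  for each symlink whose target lies in DESTDIR
#   status: 0 = clean, 1 = leaks found, 2 = unusable DESTDIR argument
find_destdir_leaks() {
    root=${1%/}
    case $root in
        /?*) ;;   # absolute and not "/" itself
        *)  echo "error: DESTDIR must be an absolute path other than /" >&2
            return 2 ;;
    esac
    if [ ! -d "$root" ]; then
        echo "error: $root is not a directory" >&2
        return 2
    fi

    leaks=$(
        # pkg-config files, scripts and binaries with a compiled-in path.
        # -F fixed string, -l file names only, -r recurse.
        grep -rlF -- "$root" "$root" 2>/dev/null | sed 's/^/content /'

        # Absolute symlinks that only resolve while the staging root exists.
        find "$root" -type l | while IFS= read -r link; do
            case $(readlink "$link") in
                "$root" | "$root"/*) printf 'symlink %s\n' "$link" ;;
            esac
        done
    )

    if [ -z "$leaks" ]; then
        return 0
    fi
    printf '%s\n' "$leaks"
    return 1
}

# Usage: find_destdir_leaks /tmp/myroot
```

A non-zero status from a packaging job is the signal to look at which Makefile variable carried `$(DESTDIR)` into a generated file or a compiler flag.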
[PATCH v3 11/14] secilc: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson--- secilc/Makefile | 8 +++- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/secilc/Makefile b/secilc/Makefile index 1cac53e4..5b0a4852 100644 --- a/secilc/Makefile +++ b/secilc/Makefile @@ -1,8 +1,6 @@ -PREFIX ?= $(DESTDIR)/usr -BINDIR ?= $(PREFIX)/bin -MANDIR ?= $(PREFIX)/share/man -LIBDIR ?= $(PREFIX)/lib -INCLUDEDIR ?= $(PREFIX)/include +PREFIX ?= /usr +BINDIR ?= $(DESTDIR)$(PREFIX)/bin +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man SECILC = secilc SECILC_SRCS := secilc.c -- 2.15.1
[PATCH v3 08/14] python: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson--- python/audit2allow/Makefile | 17 ++--- python/chcat/Makefile | 8 python/semanage/Makefile | 11 +-- python/sepolgen/src/sepolgen/Makefile | 3 ++- python/sepolicy/Makefile | 18 +- 5 files changed, 30 insertions(+), 27 deletions(-) diff --git a/python/audit2allow/Makefile b/python/audit2allow/Makefile index 8db8075f..d1d4ca8d 100644 --- a/python/audit2allow/Makefile +++ b/python/audit2allow/Makefile @@ -1,19 +1,22 @@ PYTHON ?= python # Installation directories. -PREFIX ?= $(DESTDIR)/usr -BINDIR ?= $(PREFIX)/bin -LIBDIR ?= $(PREFIX)/lib -MANDIR ?= $(PREFIX)/share/man -LOCALEDIR ?= /usr/share/locale -INCLUDEDIR ?= $(PREFIX)/include -LIBSEPOLA ?= $(LIBDIR)/libsepol.a +PREFIX ?= /usr +BINDIR ?= $(DESTDIR)$(PREFIX)/bin +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man CFLAGS ?= -Werror -Wall -W +# If no specific libsepol.a is specified, fall back on LDFLAGS search path +ifeq ($(LIBSEPOLA),) + LDFLAGS += -l:libsepol.a +endif + all: audit2why sepolgen-ifgen-attr-helper sepolgen-ifgen-attr-helper: sepolgen-ifgen-attr-helper.o $(LIBSEPOLA) + $(CC) $(CFLAGS) -o $@ $^ $(LDFLAGS) audit2why: ln -sf audit2allow audit2why diff --git a/python/chcat/Makefile b/python/chcat/Makefile index 0fd12d6d..947734a0 100644 --- a/python/chcat/Makefile +++ b/python/chcat/Makefile @@ -1,8 +1,8 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -BINDIR ?= $(PREFIX)/bin -MANDIR ?= $(PREFIX)/share/man -LOCALEDIR ?= $(PREFIX)/share/locale +PREFIX ?= /usr +BINDIR ?= $(DESTDIR)$(PREFIX)/bin +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man +LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale .PHONY: all all: chcat diff --git a/python/semanage/Makefile b/python/semanage/Makefile index 132162bc..0218222d 100644 --- a/python/semanage/Makefile +++ b/python/semanage/Makefile 
@@ -1,13 +1,12 @@ PYTHON ?= python # Installation directories. -PREFIX ?= $(DESTDIR)/usr -LIBDIR ?= $(PREFIX)/lib -SBINDIR ?= $(PREFIX)/sbin -MANDIR = $(PREFIX)/share/man -PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; print(get_python_lib(1))") +PREFIX ?= /usr +SBINDIR ?= $(DESTDIR)$(PREFIX)/sbin +MANDIR = $(DESTDIR)$(PREFIX)/share/man +PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; print(get_python_lib(prefix='$(PREFIX)'))") PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR) -BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions +BASHCOMPLETIONDIR ?= $(DESTDIR)$(PREFIX)/share/bash-completion/completions TARGETS=semanage diff --git a/python/sepolgen/src/sepolgen/Makefile b/python/sepolgen/src/sepolgen/Makefile index d3aa7715..2121a955 100644 --- a/python/sepolgen/src/sepolgen/Makefile +++ b/python/sepolgen/src/sepolgen/Makefile @@ -1,5 +1,6 @@ +PREFIX ?= /usr PYTHON ?= python -PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; print(get_python_lib(1))") +PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; print(get_python_lib(prefix='$(PREFIX)'))") PACKAGEDIR ?= $(DESTDIR)/$(PYTHONLIBDIR)/sepolgen all: diff --git a/python/sepolicy/Makefile b/python/sepolicy/Makefile index 5a56e6c8..1c02ee06 100644 --- a/python/sepolicy/Makefile +++ b/python/sepolicy/Makefile 
@@ -1,14 +1,14 @@ PYTHON ?= python # Installation directories. -PREFIX ?= $(DESTDIR)/usr -LIBDIR ?= $(PREFIX)/lib -BINDIR ?= $(PREFIX)/bin -DATADIR ?= $(PREFIX)/share -MANDIR ?= $(PREFIX)/share/man -LOCALEDIR ?= /usr/share/locale -BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions -SHAREDIR ?= $(PREFIX)/share/sandbox +PREFIX ?= /usr +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib +BINDIR ?= $(DESTDIR)$(PREFIX)/bin +DATADIR ?= $(DESTDIR)$(PREFIX)/share +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man +LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale +BASHCOMPLETIONDIR ?= $(DESTDIR)$(PREFIX)/share/bash-completion/completions +SHAREDIR ?= $(DESTDIR)$(PREFIX)/share/sandbox CFLAGS ?= -Wall -Werror -Wextra -W override CFLAGS += -DPACKAGE="policycoreutils" -DSHARED -shared @@ -30,7 +30,7 @@ test: @$(PYTHON) test_sepolicy.py -v install: - $(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)` + $(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR)` [ -d $(BINDIR) ] || mkdir -p $(BINDIR) install -m 755 sepolicy.py $(BINDIR)/sepolicy (cd $(BINDIR); ln -sf sepolicy sepolgen) -- 2.15.1
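Review bot: in python/semanage/Makefile and python/sepolgen/src/sepolgen/Makefile, PYTHONLIBDIR changes from `get_python_lib(1)` to `get_python_lib(prefix='$(PREFIX)')`. The positional `1` was the plat_specific argument, so besides adding the prefix this switches from the platform-specific library directory to the pure-Python one, which is a different path on systems that separate the two. If only the prefix is meant to change, use `get_python_lib(plat_specific=1, prefix='$(PREFIX)')`.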
[PATCH v3 07/14] policycoreutils: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson--- policycoreutils/hll/pp/Makefile | 7 ++- policycoreutils/load_policy/Makefile | 8 policycoreutils/man/Makefile | 3 ++- policycoreutils/newrole/Makefile | 8 policycoreutils/po/Makefile | 3 ++- policycoreutils/run_init/Makefile| 8 policycoreutils/scripts/Makefile | 8 policycoreutils/secon/Makefile | 9 - policycoreutils/semodule/Makefile| 8 +++- policycoreutils/sestatus/Makefile| 8 policycoreutils/setfiles/Makefile| 5 ++--- policycoreutils/setsebool/Makefile | 10 -- 12 files changed, 39 insertions(+), 46 deletions(-) diff --git a/policycoreutils/hll/pp/Makefile b/policycoreutils/hll/pp/Makefile index 3401dcc9..ce58e0cf 100644 --- a/policycoreutils/hll/pp/Makefile +++ b/policycoreutils/hll/pp/Makefile @@ -1,9 +1,6 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -INCLUDEDIR ?= $(PREFIX)/include -MANDIR = $(PREFIX)/share/man -LIBDIR ?= $(PREFIX)/lib -LIBEXECDIR ?= $(PREFIX)/libexec +PREFIX ?= /usr +LIBEXECDIR ?= $(DESTDIR)$(PREFIX)/libexec HLLDIR ?= $(LIBEXECDIR)/selinux/hll CFLAGS ?= -Werror -Wall -W diff --git a/policycoreutils/load_policy/Makefile b/policycoreutils/load_policy/Makefile index b85833c2..720bf45f 100644 --- a/policycoreutils/load_policy/Makefile +++ b/policycoreutils/load_policy/Makefile @@ -1,8 +1,8 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -SBINDIR ?= $(DESTDIR)/sbin -MANDIR ?= $(PREFIX)/share/man -LOCALEDIR ?= /usr/share/locale +PREFIX ?= /usr +SBINDIR ?= $(DESTDIR)$(PREFIX)/sbin +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man +LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale CFLAGS ?= -Werror -Wall -W override CFLAGS += $(LDFLAGS) -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\"" diff --git a/policycoreutils/man/Makefile b/policycoreutils/man/Makefile index 0d91cd46..8a8fbd49 100644 --- a/policycoreutils/man/Makefile +++ b/policycoreutils/man/Makefile 
@@ -1,5 +1,6 @@ # Installation directories. -MAN5DIR ?= $(DESTDIR)/usr/share/man/man5 +PREFIX ?= /usr +MAN5DIR ?= $(DESTDIR)$(PREFIX)/share/man/man5 all: diff --git a/policycoreutils/newrole/Makefile b/policycoreutils/newrole/Makefile index 196af926..4dbe6f52 100644 --- a/policycoreutils/newrole/Makefile +++ b/policycoreutils/newrole/Makefile @@ -1,9 +1,9 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -BINDIR ?= $(PREFIX)/bin -MANDIR ?= $(PREFIX)/share/man +PREFIX ?= /usr +BINDIR ?= $(DESTDIR)$(PREFIX)/bin +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man ETCDIR ?= $(DESTDIR)/etc -LOCALEDIR = /usr/share/locale +LOCALEDIR = $(DESTDIR)$(PREFIX)/share/locale PAMH ?= $(shell test -f /usr/include/security/pam_appl.h && echo y) AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y) # Enable capabilities to permit newrole to generate audit records. diff --git a/policycoreutils/po/Makefile b/policycoreutils/po/Makefile index 58148613..c583d23a 100644 --- a/policycoreutils/po/Makefile +++ b/policycoreutils/po/Makefile @@ -2,6 +2,7 @@ # Makefile for the PO files (translation) catalog # +PREFIX ?= /usr TOP = ../.. # What is this package? @@ -12,7 +13,7 @@ INSTALL_DATA = $(INSTALL) -m 644 INSTALL_DIR= /usr/bin/install -d # destination directory -INSTALL_NLS_DIR = $(DESTDIR)/usr/share/locale +INSTALL_NLS_DIR = $(DESTDIR)$(PREFIX)/share/locale # PO catalog handling MSGMERGE = msgmerge diff --git a/policycoreutils/run_init/Makefile b/policycoreutils/run_init/Makefile index 921f0b07..4178493e 100644 --- a/policycoreutils/run_init/Makefile +++ b/policycoreutils/run_init/Makefile 
@@ -1,10 +1,10 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -SBINDIR ?= $(PREFIX)/sbin -MANDIR ?= $(PREFIX)/share/man +PREFIX ?= /usr +SBINDIR ?= $(DESTDIR)$(PREFIX)/sbin +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man ETCDIR ?= $(DESTDIR)/etc -LOCALEDIR ?= /usr/share/locale +LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale PAMH ?= $(shell test -f /usr/include/security/pam_appl.h && echo y) AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y) diff --git a/policycoreutils/scripts/Makefile b/policycoreutils/scripts/Makefile index d9e86ffe..cfd841ec 100644 --- a/policycoreutils/scripts/Makefile +++ b/policycoreutils/scripts/Makefile @@ -1,8 +1,8 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -SBINDIR ?= $(DESTDIR)/sbin -MANDIR ?= $(PREFIX)/share/man -LOCALEDIR ?= $(PREFIX)/share/locale +PREFIX ?= /usr +SBINDIR ?= $(DESTDIR)$(PREFIX)/sbin +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man +LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale .PHONY: all all: fixfiles diff --git a/policycoreutils/secon/Makefile b/policycoreutils/secon/Makefile index 8e491d74..4ecbd57d 100644 --- a/policycoreutils/secon/Makefile +++ b/policycoreutils/secon/Makefile @@ -1,9 +1,8 @@ # secon tool - command-line context -PREFIX ?= $(DESTDIR)/usr -INCLUDEDIR ?= $(PREFIX)/include -BINDIR ?=
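Review bot: in policycoreutils/load_policy/Makefile the new `LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale` feeds `-DLOCALEDIR="\"$(LOCALEDIR)\""` on the CFLAGS line right below it, so a build with DESTDIR set compiles the staging directory into the binary. The compiled-in path should be `$(PREFIX)/share/locale`, with `$(DESTDIR)` applied only in the install rules; the same LOCALEDIR assignment in newrole, run_init and scripts needs the same check. Separately, load_policy and scripts change SBINDIR from `$(DESTDIR)/sbin` to `$(DESTDIR)$(PREFIX)/sbin`, which moves the installed files even with the default PREFIX and is not mentioned in the commit message.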
[PATCH v3 06/14] mcstrans: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson--- mcstrans/man/Makefile | 3 ++- mcstrans/src/Makefile | 18 +++--- mcstrans/utils/Makefile | 20 ++-- 3 files changed, 27 insertions(+), 14 deletions(-) diff --git a/mcstrans/man/Makefile b/mcstrans/man/Makefile index 8e971192..5030fa81 100644 --- a/mcstrans/man/Makefile +++ b/mcstrans/man/Makefile @@ -1,5 +1,6 @@ # Installation directories. -MAN8DIR ?= $(DESTDIR)/usr/share/man/man8 +PREFIX ?= /usr +MAN8DIR ?= $(DESTDIR)$(PREFIX)/share/man/man8 all: diff --git a/mcstrans/src/Makefile b/mcstrans/src/Makefile index 3f4a89c3..09551d63 100644 --- a/mcstrans/src/Makefile +++ b/mcstrans/src/Makefile @@ -1,10 +1,14 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -LIBDIR ?= $(PREFIX)/lib +PREFIX ?= /usr +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib SBINDIR ?= $(DESTDIR)/sbin INITDIR ?= $(DESTDIR)/etc/rc.d/init.d -SYSTEMDDIR ?= $(DESTDIR)/usr/lib/systemd -LIBSEPOLA ?= $(LIBDIR)/libsepol.a +SYSTEMDDIR ?= $(DESTDIR)$(PREFIX)/lib/systemd + +# If no specific libsepol.a is specified, fall back on LDFLAGS search path +ifeq ($(LIBSEPOLA),) + LDFLAGS += -l:libsepol.a +endif PROG_SRC=mcstrans.c mcscolor.c mcstransd.c mls_level.c PROG_OBJS= $(patsubst %.c,%.o,$(PROG_SRC)) @@ -15,11 +19,11 @@ override CFLAGS += -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 all: $(PROG) -$(PROG): $(PROG_OBJS) - $(CC) $(LDFLAGS) -pie -o $@ $^ -lselinux -lcap -lpcre $(LIBSEPOLA) +$(PROG): $(PROG_OBJS) $(LIBSEPOLA) + $(CC) -pie -o $@ $^ -lselinux -lcap -lpcre $(LDFLAGS) %.o: %.c - $(CC) $(CFLAGS) -fPIE -c -o $@ $< + $(CC) $(CFLAGS) -fPIE -c -o $@ $< $(LDFLAGS) install: all test -d $(SBINDIR) || install -m 755 -d $(SBINDIR) diff --git a/mcstrans/utils/Makefile b/mcstrans/utils/Makefile index 4d3cbfcb..0a0452a4 100644 --- a/mcstrans/utils/Makefile +++ b/mcstrans/utils/Makefile 
@@ -1,18 +1,26 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -LIBDIR ?= $(PREFIX)/lib -SBINDIR ?= $(PREFIX)/sbin -LIBSEPOLA ?= $(LIBDIR)/libsepol.a +PREFIX ?= /usr +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib +SBINDIR ?= $(DESTDIR)$(PREFIX)/sbin CFLAGS ?= -Wall override CFLAGS += -I../src -D_GNU_SOURCE override LDLIBS += -lselinux -lpcre -TARGETS=$(patsubst %.c,%,$(sort $(wildcard *.c))) +TARGETS=transcon untranscon + +# If no specific libsepol.a is specified, fall back on LDFLAGS search path +ifeq ($(LIBSEPOLA),) + LDFLAGS += -l:libsepol.a +endif all: $(TARGETS) -$(TARGETS): ../src/mcstrans.o ../src/mls_level.o $(LIBSEPOLA) +transcon: transcon.o ../src/mcstrans.o ../src/mls_level.o $(LIBSEPOLA) + $(CC) $(CFLAGS) -o $@ $^ $(LDFLAGS) -lpcre -lselinux + +untranscon: untranscon.o ../src/mcstrans.o ../src/mls_level.o $(LIBSEPOLA) + $(CC) $(CFLAGS) -o $@ $^ $(LDFLAGS) -lpcre -lselinux install: all -mkdir -p $(SBINDIR) -- 2.15.1
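Review bot: in mcstrans/src/Makefile the `%.o: %.c` rule now ends in `$(LDFLAGS)` although it compiles with `-c`. Linker flags do nothing at that step, and after the new `ifeq` block LDFLAGS can carry `-l:libsepol.a`. Drop `$(LDFLAGS)` from the compile rule. The `-l:libsepol.a` fallback would also sit more naturally in LDLIBS, which mcstrans/utils/Makefile already uses for `-lselinux -lpcre`, than in LDFLAGS.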
[PATCH v3 03/14] libsemanage: build: follow standard semantics for DESTDIR and PREFIX
This patch solves the following issues: - DESTDIR is needed during compile time to compute library and header paths which it should not. - Installing with both DESTDIR and PREFIX set gives us odd paths - Make usage of DESTDIR and PREFIX more standard Signed-off-by: Marcus Folkesson--- libsemanage/include/Makefile | 4 ++-- libsemanage/man/Makefile | 5 +++-- libsemanage/src/Makefile | 9 +++-- libsemanage/src/libsemanage.pc.in | 2 +- libsemanage/tests/Makefile| 3 --- libsemanage/utils/Makefile| 4 ++-- 6 files changed, 11 insertions(+), 16 deletions(-) diff --git a/libsemanage/include/Makefile b/libsemanage/include/Makefile index b660660e..f4234b9e 100644 --- a/libsemanage/include/Makefile +++ b/libsemanage/include/Makefile @@ -1,6 +1,6 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -INCDIR ?= $(PREFIX)/include/semanage +PREFIX ?= /usr +INCDIR ?= $(DESTDIR)$(PREFIX)/include/semanage all: diff --git a/libsemanage/man/Makefile b/libsemanage/man/Makefile index 852043d4..43c2b3f6 100644 --- a/libsemanage/man/Makefile +++ b/libsemanage/man/Makefile @@ -1,6 +1,7 @@ # Installation directories. -MAN3DIR ?= $(DESTDIR)/usr/share/man/man3 -MAN5DIR ?= $(DESTDIR)/usr/share/man/man5 +PREFIX ?= /usr +MAN3DIR ?= $(DESTDIR)$(PREFIX)/share/man/man3 +MAN5DIR ?= $(DESTDIR)$(PREFIX)/share/man/man5 all: diff --git a/libsemanage/src/Makefile b/libsemanage/src/Makefile index fdb178f5..f66d1b73 100644 --- a/libsemanage/src/Makefile +++ b/libsemanage/src/Makefile @@ -8,9 +8,8 @@ RUBYPREFIX ?= $(notdir $(RUBY)) PKG_CONFIG ?= pkg-config # Installation directories. -PREFIX ?= $(DESTDIR)/usr -LIBDIR ?= $(PREFIX)/lib -SHLIBDIR ?= $(DESTDIR)/lib +PREFIX ?= /usr +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib INCLUDEDIR ?= $(PREFIX)/include PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX)) PYLIBS ?= $(shell $(PKG_CONFIG) --libs $(PYPREFIX)) 
@@ -20,8 +19,6 @@ RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + RbConfig::CONFIG["rubyarchhdrdir"] + RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG["libdir"] + " -L" + RbConfig::CONFIG["archlibdir"] + " " + RbConfig::CONFIG["LIBRUBYARG_SHARED"]') RUBYINSTALL ?= $(DESTDIR)$(shell $(RUBY) -e 'puts RbConfig::CONFIG["vendorarchdir"]') -LIBBASE=$(shell basename $(LIBDIR)) - DEFAULT_SEMANAGE_CONF_LOCATION=$(DESTDIR)/etc/selinux/semanage.conf ifeq ($(DEBUG),1) @@ -95,7 +92,7 @@ $(LIBSO): $(LOBJS) ln -sf $@ $(TARGET) $(LIBPC): $(LIBPC).in ../VERSION - sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):' < $< > $@ + sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):' < $< > $@ semanageswig_python_exception.i: ../include/semanage/semanage.h bash -e exception.sh > $@ || (rm -f $@ ; false) diff --git a/libsemanage/src/libsemanage.pc.in b/libsemanage/src/libsemanage.pc.in index d3eaa062..43681ddb 100644 --- a/libsemanage/src/libsemanage.pc.in +++ b/libsemanage/src/libsemanage.pc.in @@ -1,6 +1,6 @@ prefix=@prefix@ exec_prefix=${prefix} -libdir=${exec_prefix}/@libdir@ +libdir=@libdir@ includedir=@includedir@ Name: libsemanage diff --git a/libsemanage/tests/Makefile b/libsemanage/tests/Makefile index 2ef8d30d..324766a0 100644 --- a/libsemanage/tests/Makefile +++ b/libsemanage/tests/Makefile @@ -1,6 +1,3 @@ -PREFIX ?= $(DESTDIR)/usr -LIBDIR ?= $(PREFIX)/lib - # Add your test source files here: SOURCES = $(sort $(wildcard *.c)) diff --git a/libsemanage/utils/Makefile b/libsemanage/utils/Makefile index 725f0eec..f527ad07 100644 --- a/libsemanage/utils/Makefile +++ b/libsemanage/utils/Makefile @@ -1,6 +1,6 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -LIBEXECDIR ?= $(PREFIX)/libexec +PREFIX ?= /usr +LIBEXECDIR ?= $(DESTDIR)$(PREFIX)/libexec SELINUXEXECDIR ?= $(LIBEXECDIR)/selinux/ all: -- 2.15.1
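Review bot: In the `$(LIBPC)` rule of libsemanage/src/Makefile, `s:@libdir@:$(LIBDIR):` now substitutes a LIBDIR defined as `$(DESTDIR)$(PREFIX)/lib`, and libsemanage.pc.in takes it verbatim as `libdir=@libdir@`. If DESTDIR is set when the .pc file is generated, the staging directory ends up in the installed pkg-config file, while `includedir` (from `INCLUDEDIR ?= $(PREFIX)/include`) stays DESTDIR-free, so the two values disagree. Suggest substituting a DESTDIR-free value such as `$(PREFIX)/lib`, or keeping LIBDIR free of DESTDIR and prepending `$(DESTDIR)` only in the install recipe. The same substitution appears in the libsepol and libselinux patches of this series.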
[PATCH v3 14/14] build: add prefix for includes in top Makefile
Signed-off-by: Marcus Folkesson--- Makefile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 6da7f7b7..6baea148 100644 --- a/Makefile +++ b/Makefile @@ -1,3 +1,4 @@ +PREFIX ?= /usr OPT_SUBDIRS ?= dbus gui mcstrans python restorecond sandbox semodule-utils SUBDIRS=libsepol libselinux libsemanage checkpolicy secilc policycoreutils $(OPT_SUBDIRS) PYSUBDIRS=libselinux libsemanage @@ -19,8 +20,8 @@ else endif ifneq ($(DESTDIR),) - CFLAGS += -I$(DESTDIR)/usr/include - LDFLAGS += -L$(DESTDIR)/usr/lib + CFLAGS += -I$(DESTDIR)$(PREFIX)/include + LDFLAGS += -L$(DESTDIR)$(PREFIX)/lib export CFLAGS export LDFLAGS endif -- 2.15.1
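Review bot: In the `ifneq ($(DESTDIR),)` block, `LDFLAGS += -L$(DESTDIR)$(PREFIX)/lib` hardcodes `lib`, although the sub-Makefiles in this series leave LIBDIR overridable (`LIBDIR ?= $(DESTDIR)$(PREFIX)/lib`). A build that overrides LIBDIR, for example to a lib64 directory, stages its libraries where this `-L` does not look, and the `-l:libsepol.a` fallback added elsewhere in the series then depends on whatever else is on the search path. Suggest deriving both flags from overridable LIBDIR and INCLUDEDIR variables defined next to the new `PREFIX ?= /usr`. The commit message has no body; one sentence on why the top-level flags need PREFIX would help.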
[PATCH v3 01/14] libsepol: build: follow standard semantics for DESTDIR and PREFIX
This patch solves the following issues: - The pkg-config files generates odd paths when using DESTDIR without PREFIX - DESTDIR is needed during compile time to compute library and header paths which it should not. - Installing with both DESTDIR and PREFIX set gives us odd paths - Make usage of DESTDIR and PREFIX more standard Signed-off-by: Marcus Folkesson--- README | 2 +- libsepol/include/Makefile | 4 ++-- libsepol/man/Makefile | 5 +++-- libsepol/src/Makefile | 7 +++ libsepol/src/libsepol.pc.in | 2 +- libsepol/utils/Makefile | 4 ++-- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/README b/README index 7fc7b17b..174551a1 100644 --- a/README +++ b/README @@ -19,6 +19,6 @@ lacks library functions or other dependencies relied upon by your distribution. If it breaks, you get to keep both pieces. To install libsepol on macOS (mainly for policy analysis): -cd libsepol; make DESTDIR=/usr/local PREFIX=/usr/local install +cd libsepol; make PREFIX=/usr/local install This requires GNU coreutils (brew install coreutils). diff --git a/libsepol/include/Makefile b/libsepol/include/Makefile index 56b7a114..ad5c34a4 100644 --- a/libsepol/include/Makefile +++ b/libsepol/include/Makefile @@ -1,6 +1,6 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -INCDIR ?= $(PREFIX)/include/sepol +PREFIX ?= /usr +INCDIR = $(DESTDIR)$(PREFIX)/include/sepol CILDIR ?= ../cil all: diff --git a/libsepol/man/Makefile b/libsepol/man/Makefile index 11924334..4f3d9fa2 100644 --- a/libsepol/man/Makefile +++ b/libsepol/man/Makefile @@ -1,6 +1,7 @@ # Installation directories. -MAN8DIR ?= $(DESTDIR)/usr/share/man/man8 -MAN3DIR ?= $(DESTDIR)/usr/share/man/man3 +PREFIX ?= /usr +MAN8DIR ?= $(DESTDIR)$(PREFIX)/share/man/man8 +MAN3DIR ?= $(DESTDIR)$(PREFIX)/share/man/man3 all: diff --git a/libsepol/src/Makefile b/libsepol/src/Makefile index 819d261b..d158398f 100644 --- a/libsepol/src/Makefile +++ b/libsepol/src/Makefile 
@@ -1,10 +1,9 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr +PREFIX ?= /usr INCLUDEDIR ?= $(PREFIX)/include -LIBDIR ?= $(PREFIX)/lib +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib SHLIBDIR ?= $(DESTDIR)/lib RANLIB ?= ranlib -LIBBASE ?= $(shell basename $(LIBDIR)) CILDIR ?= ../cil VERSION = $(shell cat ../VERSION) @@ -52,7 +51,7 @@ $(LIBSO): $(LOBJS) $(LIBMAP) ln -sf $@ $(TARGET) $(LIBPC): $(LIBPC).in ../VERSION - sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):' < $< > $@ + sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):' < $< > $@ $(LIBMAP): $(LIBMAP).in ifneq ($(DISABLE_CIL),y) diff --git a/libsepol/src/libsepol.pc.in b/libsepol/src/libsepol.pc.in index e52f5892..f807fec6 100644 --- a/libsepol/src/libsepol.pc.in +++ b/libsepol/src/libsepol.pc.in @@ -1,6 +1,6 @@ prefix=@prefix@ exec_prefix=${prefix} -libdir=${exec_prefix}/@libdir@ +libdir=@libdir@ includedir=@includedir@ Name: libsepol diff --git a/libsepol/utils/Makefile b/libsepol/utils/Makefile index fba1d8a0..8ce4bf47 100644 --- a/libsepol/utils/Makefile +++ b/libsepol/utils/Makefile @@ -1,6 +1,6 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -BINDIR ?= $(PREFIX)/bin +PREFIX ?= /usr +BINDIR ?= $(DESTDIR)$(PREFIX)/bin CFLAGS ?= -Wall -Werror override CFLAGS += -I../include -- 2.15.1
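Review bot: In libsepol/src/Makefile, `SHLIBDIR ?= $(DESTDIR)/lib` is left unchanged while PREFIX loses its DESTDIR component, so SHLIBDIR does not follow PREFIX. The README hunk changes the macOS command from `make DESTDIR=/usr/local PREFIX=/usr/local install` to `make PREFIX=/usr/local install`: under the old command SHLIBDIR expanded to /usr/local/lib, under the new one it expands to /lib. Please either default SHLIBDIR relative to PREFIX or have the README pass SHLIBDIR explicitly.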
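Review bot: In libsepol/include/Makefile, `INCDIR = $(DESTDIR)$(PREFIX)/include/sepol` switches from `?=` to `=`, so an INCDIR taken from the environment is no longer honoured, unlike the other directory variables in this patch, which keep `?=`. If the change is intentional, the commit message should say so; otherwise keep `?=` for consistency.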
[PATCH v3 02/14] libselinux: build: follow standard semantics for DESTDIR and PREFIX
This patch solves the following issues: - The pkg-config files generates odd paths when using DESTDIR without PREFIX - DESTDIR is needed during compile time to compute library and header paths which it should not. - Installing with both DESTDIR and PREFIX set gives us odd paths - Make usage of DESTDIR and PREFIX more standard Signed-off-by: Marcus Folkesson--- libselinux/include/Makefile | 4 ++-- libselinux/man/Makefile | 7 --- libselinux/src/Makefile | 14 +- libselinux/src/libselinux.pc.in | 2 +- libselinux/utils/Makefile | 6 ++ 5 files changed, 18 insertions(+), 15 deletions(-) diff --git a/libselinux/include/Makefile b/libselinux/include/Makefile index 757a6c9c..3b51f5ce 100644 --- a/libselinux/include/Makefile +++ b/libselinux/include/Makefile @@ -1,6 +1,6 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -INCDIR ?= $(PREFIX)/include/selinux +PREFIX ?= /usr +INCDIR = $(DESTDIR)$(PREFIX)/include/selinux all: diff --git a/libselinux/man/Makefile b/libselinux/man/Makefile index 0643e6af..233bfaa9 100644 --- a/libselinux/man/Makefile +++ b/libselinux/man/Makefile @@ -1,7 +1,8 @@ # Installation directories. -MAN8DIR ?= $(DESTDIR)/usr/share/man/man8 -MAN5DIR ?= $(DESTDIR)/usr/share/man/man5 -MAN3DIR ?= $(DESTDIR)/usr/share/man/man3 +PREFIX ?= /usr +MAN8DIR ?= $(DESTDIR)$(PREFIX)/share/man/man8 +MAN5DIR ?= $(DESTDIR)$(PREFIX)/share/man/man5 +MAN3DIR ?= $(DESTDIR)$(PREFIX)/share/man/man3 all: diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile index 18df75c8..e18c00f2 100644 --- a/libselinux/src/Makefile +++ b/libselinux/src/Makefile @@ -8,8 +8,8 @@ RUBYPREFIX ?= $(notdir $(RUBY)) PKG_CONFIG ?= pkg-config # Installation directories. -PREFIX ?= $(DESTDIR)/usr -LIBDIR ?= $(PREFIX)/lib +PREFIX ?= /usr +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib SHLIBDIR ?= $(DESTDIR)/lib INCLUDEDIR ?= $(PREFIX)/include PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX)) 
@@ -19,8 +19,6 @@ PYCEXT ?= $(shell $(PYTHON) -c 'import imp;print([s for s,m,t in imp.get_suffixe RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + RbConfig::CONFIG["rubyarchhdrdir"] + " -I" + RbConfig::CONFIG["rubyhdrdir"]') RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG["libdir"] + " -L" + RbConfig::CONFIG["archlibdir"] + " " + RbConfig::CONFIG["LIBRUBYARG_SHARED"]') RUBYINSTALL ?= $(DESTDIR)$(shell $(RUBY) -e 'puts RbConfig::CONFIG["vendorarchdir"]') -LIBBASE ?= $(shell basename $(LIBDIR)) -LIBSEPOLA ?= $(LIBDIR)/libsepol.a VERSION = $(shell cat ../VERSION) LIBVERSION = 1 @@ -50,6 +48,12 @@ LIBSO=$(TARGET).$(LIBVERSION) AUDIT2WHYLOBJ=$(PYPREFIX)audit2why.lo AUDIT2WHYSO=$(PYPREFIX)audit2why.so + +# If no specific libsepol.a is specified, fall back on LDFLAGS search path +ifeq ($(LIBSEPOLA),) + LDFLAGS += -l:libsepol.a +endif + GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) selinuxswig_python_exception.i SRCS= $(filter-out $(GENERATED) audit2why.c, $(sort $(wildcard *.c))) @@ -148,7 +152,7 @@ $(LIBSO): $(LOBJS) ln -sf $@ $(TARGET) $(LIBPC): $(LIBPC).in ../VERSION - sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBBASE):; s:@includedir@:$(INCLUDEDIR):; s:@PCRE_MODULE@:$(PCRE_MODULE):' < $< > $@ + sed -e 's/@VERSION@/$(VERSION)/; s:@prefix@:$(PREFIX):; s:@libdir@:$(LIBDIR):; s:@includedir@:$(INCLUDEDIR):; s:@PCRE_MODULE@:$(PCRE_MODULE):' < $< > $@ selinuxswig_python_exception.i: ../include/selinux/selinux.h bash -e exception.sh > $@ || (rm -f $@ ; false) diff --git a/libselinux/src/libselinux.pc.in b/libselinux/src/libselinux.pc.in index 2e90a844..7c66b1fa 100644 --- a/libselinux/src/libselinux.pc.in +++ b/libselinux/src/libselinux.pc.in @@ -1,6 +1,6 @@ prefix=@prefix@ exec_prefix=${prefix} -libdir=${exec_prefix}/@libdir@ +libdir=@libdir@ includedir=@includedir@ Name: libselinux diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile index eb4851a9..9adce6d3 100644 --- a/libselinux/utils/Makefile +++ b/libselinux/utils/Makefile 
@@ -1,8 +1,6 @@ # Installation directories. -PREFIX ?= $(DESTDIR)/usr -LIBDIR ?= $(PREFIX)/lib -SBINDIR ?= $(PREFIX)/sbin -INCLUDEDIR ?= $(PREFIX)/include +PREFIX ?= /usr +SBINDIR ?= $(DESTDIR)$(PREFIX)/sbin OS ?= $(shell uname) -- 2.15.1
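Review bot: In libselinux/src/Makefile the fallback `LDFLAGS += -l:libsepol.a` modifies a variable shared by every link in this Makefile, so any rule that expands `$(LDFLAGS)` now needs a static libsepol on the search path, and `-l:` is a GNU ld namespec form that other linkers may not accept. Suggest a dedicated variable (hypothetical name `LDLIBS_LIBSEPOLA`) set to `$(LIBSEPOLA)` or `-l:libsepol.a` and used only in the recipes that actually need the archive.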
[PATCH v3 04/14] checkpolicy: build: follow standard semantics for DESTDIR and PREFIX
This patch solves the following issues: - DESTDIR is needed during compile time to compute library and header paths which it should not. - Installing with both DESTDIR and PREFIX set gives us odd paths - Make usage of DESTDIR and PREFIX more standard Signed-off-by: Marcus Folkesson--- checkpolicy/Makefile | 19 --- checkpolicy/test/Makefile | 15 ++- 2 files changed, 22 insertions(+), 12 deletions(-) diff --git a/checkpolicy/Makefile b/checkpolicy/Makefile index 68e11f2a..78a8a43b 100644 --- a/checkpolicy/Makefile +++ b/checkpolicy/Makefile @@ -1,12 +1,10 @@ # # Makefile for building the checkpolicy program # -PREFIX ?= $(DESTDIR)/usr -BINDIR ?= $(PREFIX)/bin -MANDIR ?= $(PREFIX)/share/man -LIBDIR ?= $(PREFIX)/lib -INCLUDEDIR ?= $(PREFIX)/include -LIBSEPOLA ?= $(LIBDIR)/libsepol.a +PREFIX ?= /usr +BINDIR ?= $(DESTDIR)$(PREFIX)/bin +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib TARGETS = checkpolicy checkmodule LEX = flex @@ -14,6 +12,11 @@ YACC = bison -y CFLAGS ?= -g -Wall -Werror -Wshadow -O2 -pipe -fno-strict-aliasing +# If no specific libsepol.a is specified, fall back on LDFLAGS search path +ifeq ($(LIBSEPOLA),) + LDFLAGS += -l:libsepol.a +endif + override CFLAGS += -I. CHECKOBJS = y.tab.o lex.yy.o queue.o module_compiler.o parse_util.o \ @@ -27,11 +30,13 @@ all: $(TARGETS) $(MAKE) -C test checkpolicy: $(CHECKPOLOBJS) $(LIBSEPOLA) + $(CC) $(CFLAGS) -o $@ $^ $(LDFLAGS) checkmodule: $(CHECKMODOBJS) $(LIBSEPOLA) + $(CC) $(CFLAGS) -o $@ $^ $(LDFLAGS) %.o: %.c - $(CC) $(CFLAGS) -o $@ -c $< + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ -c $< y.tab.o: y.tab.c $(CC) $(filter-out -Werror, $(CFLAGS)) -o $@ -c $< diff --git a/checkpolicy/test/Makefile b/checkpolicy/test/Makefile index 59fa4460..3eb1c512 100644 --- a/checkpolicy/test/Makefile +++ b/checkpolicy/test/Makefile 
@@ -1,19 +1,24 @@ # # Makefile for building the dispol program # -PREFIX ?= $(DESTDIR)/usr -BINDIR ?= $(PREFIX)/bin -LIBDIR ?= $(PREFIX)/lib -INCLUDEDIR ?= $(PREFIX)/include -LIBSEPOLA ?= $(LIBDIR)/libsepol.a +PREFIX ?= /usr +BINDIR ?= $(DESTDIR)$(PREFIX)/bin +LIBDIR ?= $(DESTDIR)$(PREFIX)/lib CFLAGS ?= -g -Wall -W -Werror -O2 -pipe +# If no specific libsepol.a is specified, fall back on LDFLAGS search path +ifeq ($(LIBSEPOLA),) + LDFLAGS += -l:libsepol.a +endif + all: dispol dismod dispol: dispol.o $(LIBSEPOLA) + $(CC) $(CFLAGS) -o $@ $^ $(LDFLAGS) dismod: dismod.o $(LIBSEPOLA) + $(CC) $(CFLAGS) -o $@ $^ $(LDFLAGS) clean: -rm -f dispol dismod *.o -- 2.15.1
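Review bot: The `%.o: %.c` rule in checkpolicy/Makefile now passes `$(LDFLAGS)` to a `-c` compile, where nothing is linked. With the fallback added above it, LDFLAGS contains `-l:libsepol.a`, and the default CFLAGS in this file include `-Werror`, so a compiler that warns about unused linker inputs will fail the build. Suggest leaving the compile rule as `$(CC) $(CFLAGS) -o $@ -c $<` and keeping LDFLAGS on the checkpolicy and checkmodule link recipes only.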
[PATCH v3 05/14] gui: build: follow standard semantics for DESTDIR and PREFIX
Signed-off-by: Marcus Folkesson--- gui/Makefile | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/gui/Makefile b/gui/Makefile index cfe47405..5efd17d7 100644 --- a/gui/Makefile +++ b/gui/Makefile @@ -1,9 +1,9 @@ # Installation directories. -PREFIX ?= ${DESTDIR}/usr -BINDIR ?= $(PREFIX)/bin -SHAREDIR ?= $(PREFIX)/share/system-config-selinux -DATADIR ?= $(PREFIX)/share -MANDIR ?= $(PREFIX)/share/man +PREFIX ?= /usr +BINDIR ?= $(DESTDIR)$(PREFIX)/bin +SHAREDIR ?= $(DESTDIR)$(PREFIX)/share/system-config-selinux +DATADIR ?= $(DESTDIR)$(PREFIX)/share +MANDIR ?= $(DESTDIR)$(PREFIX)/share/man TARGETS= \ booleansPage.py \ -- 2.15.1
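Review bot: BINDIR, SHAREDIR, DATADIR and MANDIR now carry `$(DESTDIR)` inside their `?=` defaults, so a packager who sets one of them directly, for example `BINDIR=/usr/bin`, bypasses staging for that directory. The usual convention keeps directory variables DESTDIR-free and writes `$(DESTDIR)$(BINDIR)` in the install recipes. If the series deliberately stops short of that, the commit message, which is only a Signed-off-by line, should say so.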
Re: [PATCH] general protection fault in sock_has_perm
On 01/19/2018 09:06 AM, Paul Moore wrote:
> On Fri, Jan 19, 2018 at 10:49 AM, Mark Salyzyn wrote:
>> On 01/18/2018 02:36 PM, Paul Moore wrote:
>>> On Thu, Jan 18, 2018 at 4:58 PM, Mark Salyzyn wrote:
>>>> general protection fault: [#1] PREEMPT SMP KASAN
>>>> CPU: 1 PID: 14233 Comm: syz-executor2 Not tainted 4.4.112-g5f6325b #28
>>>> . . .
>>>> [] selinux_socket_setsockopt+0x4d/0x80 security/selinux/hooks.c:4338
>>>> [] security_socket_setsockopt+0x7d/0xb0 security/security.c:1257
>>>> [] SYSC_setsockopt net/socket.c:1757 [inline]
>>>> [] SyS_setsockopt+0xe8/0x250 net/socket.c:1746
>>>> [] entry_SYSCALL_64_fastpath+0x16/0x92
>>>> Code: c2 42 9b b6 81 be 01 00 00 00 48 c7 c7 a0 cb 2b 84 e8 f7 2f 6d ff 49 8d 7d 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 83 01 00 00 41 8b 75 10 31
>>>> RIP [] sock_has_perm+0x1fe/0x3e0 security/selinux/hooks.c:4069
>>>> RSP
>>>> ---[ end trace 7b5aaf788fef6174 ]---
>>>>
>>>> In the absence of commit a4298e4522d6 ("net: add SOCK_RCU_FREE socket flag") and all the associated infrastructure changes to take advantage of a RCU grace period before freeing, there is a heightened possibility that a security check is performed while an ill-timed setsockopt call races in from user space. It then is prudent to null check sk_security, and if the case, reject the permissions.
>>>>
>>>> This adjustment is orthogonal to infrastructure improvements that may nullify the needed check, but should be added as good code hygiene.
>>>
>>> I'm skeptical that this is the full solution for systems that lack the SOCK_RCU_FREE protection. Is this really limited to just setsockopt()?
>>
>> Maybe overstepped in my analysis and assumptions? This is a result of a fuzzer hitting an android 4.4 KASAN kernel. We (so far) have _not_ seen this with an android 4.9 KASAN kernel (which has the SOCK_RCU_FREE adjustments). There is no standalone duplication or PoC _except_ via the fuzzer. The rest of the statements stand based on this tidbit (statements of general good code hygiene, not 100% sure SOCK_RCU_FREE usage is completely covered, KISS solution etc).
>>
>> To be honest, yes, this may be a layer in the onion (swat this NULL check does not by itself solve the _problem_), I'd prefer kernel continuing on in a rational manner rather than panic ... and I have a gut feeling this could be a gratuitous NULL check if all the bugs in the network layer have been solved. Programming to solve a problem with one's gut is not a good practice, but hygiene is. This is 10 characters, and an estimated 1.2ns of added hygiene.
>>
>> No, I do not think this is limited to setsockopt, but would be willing to believe a multithreaded attack of any socket functions or ioctl would drop down to the check with sock_has_perm at possibly the wrong time in socket teardown.
>
> I'm not necessarily opposed to adding additional safety checks, if warranted, but I am opposed to adding a single check and declaring mission accomplished when there is a suspicion that additional checks may be needed. Perhaps in this particular case it really is only setsockopt(), but from what I can tell from your comments and the SOCK_RCU_FREE commit message it would appear that there is a race condition here between a socket's lifetime and its visibility to userspace.

I will need to fix my comments to be clearer ... (besides, I got the error return wrong, so I will have to respin it anyways).

In later kernels SOCK_RCU_FREE _appears_ to fix the race condition. In earlier kernels there is _no_ SOCK_RCU_FREE infrastructure, and thus the race condition exists.

That race condition _should_ have been solved in ToT. I have evaluated that porting all the SOCK_RCU_FREE refactoring may be too risky an endeavor for stable kernels though (maybe I am wrong about that? The author of those fixes eduma...@google.com has been notified, have yet to receive a response).

Because I can not confirm that SOCK_RCU_FREE solves the problem, I am making a case for this to land in 4.9+ to ToT kernels as good hygiene. But maybe this should only go in 4.4- stable ...

-- Mark