[PATCH v2 1/1] libselinux, libsemanage: Replace PYSITEDIR with PYTHONLIBDIR
libselinux and libsemanage Makefiles invoke site.getsitepackages() in order to get the path to the directory /usr/lib/pythonX.Y/site-packages that matches the Python interpreter chosen with $(PYTHON). This method is incompatible with Python virtual environments, as described in https://github.com/pypa/virtualenv/issues/355#issuecomment-10250452 . This issue has been open for more than 5 years. By contrast, python/semanage/ and python/sepolgen/ Makefiles use distutils.sysconfig.get_python_lib() in order to get the site-packages path into a variable named PYTHONLIBDIR. This way of computing PYTHONLIBDIR is compatible with virtual environments and gives the same result as PYSITEDIR. As PYTHONLIBDIR works in more cases than PYSITEDIR, make libselinux and libsemanage Makefiles use it. And as native code is installed (as part of the SWIG wrapper), use "plat_specific=1" in order to use /usr/lib64 on systems which distinguish /usr/lib64 from /usr/lib. Signed-off-by: Nicolas Iooss --- v2: add plat_specific=1 .travis.yml | 5 + libselinux/src/Makefile | 10 +- libsemanage/src/Makefile | 8 3 files changed, 10 insertions(+), 13 deletions(-) diff --git a/.travis.yml b/.travis.yml index 0312e996e333..63c7a544aa45 100644 --- a/.travis.yml +++ b/.travis.yml
@@ -96,9 +96,6 @@ before_script: - export PKG_CONFIG_PATH="/opt/python/$($PYTHON -c 'import sys;print("%d.%d.%d" % sys.version_info[:3])')/lib/pkgconfig" # PyPy does not provide a config file for pkg-config nor a pypy-c.so - if echo "$PYVER" | grep -q pypy ; then export PYINC=-I$($PYTHON -c 'import sys;print(sys.prefix)')/include PYLIBS= ; fi - # Python virtualenvs do not support "import site; print(site.getsitepackages()[0]" - # cf. https://github.com/pypa/virtualenv/issues/355#issuecomment-10250452 - - export PYSITEDIR="/usr/lib/$($PYTHON -c 'import sys;print("python%d.%d" % sys.version_info[:2])')/site-packages" # Find the Ruby executable with version $RUBYLIBVER - export RUBY="$(ls -d -1 "$HOME/.rvm/rubies/ruby-$RUBYLIBVER"*/bin/ruby | head -n 1)" @@ -126,7 +123,7 @@ script: # Set up environment variables for the tests - export LD_LIBRARY_PATH="$DESTDIR/usr/lib:$DESTDIR/lib" - export PATH="$DESTDIR/usr/sbin:$DESTDIR/usr/bin:$DESTDIR/sbin:$DESTDIR/bin:$PATH" - - export PYTHONPATH="$DESTDIR$PYSITEDIR" + - export PYTHONPATH="$DESTDIR$($PYTHON -c "from distutils.sysconfig import *;print(get_python_lib(prefix='/usr'))")" - export RUBYLIB="$DESTDIR/$($RUBY -e 'puts RbConfig::CONFIG["vendorlibdir"]'):$DESTDIR/$($RUBY -e 'puts RbConfig::CONFIG["vendorarchdir"]')" # Show variables (to help debugging issues) diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile index 18588da586bf..8af04aab0ec2 100644 --- a/libselinux/src/Makefile +++ b/libselinux/src/Makefile 
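Review bot: The PYTHONPATH in the second hunk is derived with `get_python_lib(prefix='/usr')`, while the libselinux and libsemanage Makefiles in this series install the SWIG extensions into `get_python_lib(plat_specific=1, prefix='$(PREFIX)')`. On a distribution that keeps platform-specific packages under lib64 the two calls return different directories, so the tests would import from a path the install step never wrote to; on the Ubuntu images Travis uses both presumably resolve to the same lib directory, which is why this passes. Passing the same flag here, `get_python_lib(plat_specific=1, prefix='/usr')`, keeps the CI lookup aligned with the install rule (assuming PREFIX defaults to /usr, which is not visible in this hunk). Both hunks are excerpts of the before_script and script lists, which continue outside them.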
@@ -14,7 +14,7 @@ SHLIBDIR ?= /lib INCLUDEDIR ?= $(PREFIX)/include PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX)) PYLIBS ?= $(shell $(PKG_CONFIG) --libs $(PYPREFIX)) -PYSITEDIR ?= $(shell $(PYTHON) -c 'import site; print(site.getsitepackages()[0])') +PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; print(get_python_lib(plat_specific=1, prefix='$(PREFIX)'))") PYCEXT ?= $(shell $(PYTHON) -c 'import imp;print([s for s,m,t in imp.get_suffixes() if t == imp.C_EXTENSION][0])') RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + RbConfig::CONFIG["rubyarchhdrdir"] + " -I" + RbConfig::CONFIG["rubyhdrdir"]') RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG["libdir"] + " -L" + RbConfig::CONFIG["archlibdir"] + " " + RbConfig::CONFIG["LIBRUBYARG_SHARED"]') @@ -191,10 +191,10 @@ install: all ln -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET) install-pywrap: pywrap - test -d $(DESTDIR)$(PYSITEDIR)/selinux || install -m 755 -d $(DESTDIR)$(PYSITEDIR)/selinux - install -m 755 $(SWIGSO) $(DESTDIR)$(PYSITEDIR)/_selinux$(PYCEXT) - install -m 755 $(AUDIT2WHYSO) $(DESTDIR)$(PYSITEDIR)/selinux/audit2why$(PYCEXT) - install -m 644 $(SWIGPYOUT) $(DESTDIR)$(PYSITEDIR)/selinux/__init__.py + test -d $(DESTDIR)$(PYTHONLIBDIR)/selinux || install -m 755 -d $(DESTDIR)$(PYTHONLIBDIR)/selinux + install -m 755 $(SWIGSO) $(DESTDIR)$(PYTHONLIBDIR)/_selinux$(PYCEXT) + install -m 755 $(AUDIT2WHYSO) $(DESTDIR)$(PYTHONLIBDIR)/selinux/audit2why$(PYCEXT) + install -m 644 $(SWIGPYOUT) $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py install-rubywrap: rubywrap test -d $(DESTDIR)$(RUBYINSTALL) || install -m 755 -d $(DESTDIR)$(RUBYINSTALL) diff --git a/libsemanage/src/Makefile b/libsemanage/src/Makefile index e98d8760acb7..dea751e5b436 100644 --- a/libsemanage/src/Makefile +++ b/libsemanage/src/Makefile 
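Review bot: The PYTHONLIBDIR definition in the first hunk relies on `distutils.sysconfig`, a module PEP 632 deprecates and Python 3.12 no longer ships; on such an interpreter the `$(shell ...)` captures only the empty stdout of a traceback, and the install-pywrap recipe in the second hunk then installs into `$(DESTDIR)/selinux` and `$(DESTDIR)/_selinux$(PYCEXT)` without make reporting any error. The standard-library equivalent, `sysconfig.get_path('platlib', vars={'platbase': '$(PREFIX)'})`, has been available since Python 2.7 and 3.2 and likewise yields the lib64 directory where the platform uses one. The libsemanage/src/Makefile hunk below introduces the same definition and carries the same concern, though it is cut off in this view. Separately, `from distutils.sysconfig import *` pulls in every public name where only one is used; `from distutils.sysconfig import get_python_lib` states the actual dependency.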
@@ -13,7 +13,7 @@ LIBDIR ?= $(PREFIX)/lib INCLUDEDIR ?= $(PREFIX)/include PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX)) PYLIBS ?= $(shell $(PKG_CONFIG) --libs $(PYPREFIX)) -PYSITEDIR ?= $(shell $(PYTHON) -c 'i
[PATCH] selinux: Add support for the SCTP portcon keyword
Update libsepol, checkpolicy and the CIL compiler to support the SCTP portcon keyword. Signed-off-by: Richard Haines --- checkpolicy/checkpolicy.c | 5 + checkpolicy/policy_define.c| 5 + libsepol/cil/src/cil.c | 1 + libsepol/cil/src/cil_binary.c | 6 ++ libsepol/cil/src/cil_build_ast.c | 2 ++ libsepol/cil/src/cil_internal.h| 4 +++- libsepol/cil/src/cil_policy.c | 2 ++ libsepol/cil/src/cil_tree.c| 2 ++ libsepol/include/sepol/port_record.h | 1 + libsepol/src/kernel_to_cil.c | 4 libsepol/src/kernel_to_common.c| 3 +++ libsepol/src/kernel_to_conf.c | 4 libsepol/src/module_to_cil.c | 4 libsepol/src/port_record.c | 2 ++ libsepol/src/ports.c | 7 +++ secilc/docs/cil_network_labeling_statements.md | 5 +++-- secilc/test/policy.cil | 1 + 17 files changed, 55 insertions(+), 3 deletions(-)
diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
index 923b47c1..fbda4558 100644
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@@ -69,6 +69,9 @@
 #ifndef IPPROTO_DCCP
 #define IPPROTO_DCCP 33
 #endif
+#ifndef IPPROTO_SCTP
+#define IPPROTO_SCTP 132
+#endif
 #include
 #include
 #include
@@ -944,6 +947,8 @@ int main(int argc, char **argv)
 protocol = IPPROTO_UDP;
 else if (!strcmp(ans, "dccp") || !strcmp(ans, "DCCP"))
 protocol = IPPROTO_DCCP;
+ else if (!strcmp(ans, "sctp") || !strcmp(ans, "SCTP"))
+ protocol = IPPROTO_SCTP;
 else {
 printf("unknown protocol\n");
 break;
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index 2c5db55d..11fd37d8 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -40,6 +40,9 @@
 #ifndef IPPROTO_DCCP
 #define IPPROTO_DCCP 33
 #endif
+#ifndef IPPROTO_SCTP
+#define IPPROTO_SCTP 132
+#endif
 #include
 #include
 #include
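Review bot: The `#ifndef IPPROTO_SCTP` / `#define IPPROTO_SCTP 132` fallback added in the first hunk is repeated verbatim in the checkpolicy/policy_define.c hunk and again in the libsepol/cil/src/cil_binary.c hunk further down, mirroring how IPPROTO_DCCP is already handled per file; three copies of a protocol-number constant can drift independently, and a shared header in libsepol would be the natural single home for these fallbacks. The value 132 is the IANA-assigned SCTP protocol number and matches `IPPROTO_SCTP` in the system headers, so policies compiled with and without the fallback encode the same number. The new `sctp`/`SCTP` branch in the second hunk follows the exact-match style of the existing `dccp`/`DCCP` branch; `main()` continues outside the hunk.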
@@ -5004,6 +5007,8 @@ int define_port_context(unsigned int low, unsigned int high) protocol = IPPROTO_UDP; } else if ((strcmp(id, "dccp") == 0) || (strcmp(id, "DCCP") == 0)) { protocol = IPPROTO_DCCP; + } else if ((strcmp(id, "sctp") == 0) || (strcmp(id, "SCTP") == 0)) { + protocol = IPPROTO_SCTP; } else { yyerror2("unrecognized protocol %s", id); goto bad; diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c index 5a64c2bc..2a7ec063 100644 --- a/libsepol/cil/src/cil.c +++ b/libsepol/cil/src/cil.c @@ -109,6 +109,7 @@ static void cil_init_keys(void) CIL_KEY_UDP = cil_strpool_add("udp"); CIL_KEY_TCP = cil_strpool_add("tcp"); CIL_KEY_DCCP = cil_strpool_add("dccp"); + CIL_KEY_SCTP = cil_strpool_add("sctp"); CIL_KEY_AUDITALLOW = cil_strpool_add("auditallow"); CIL_KEY_TUNABLEIF = cil_strpool_add("tunableif"); CIL_KEY_ALLOW = cil_strpool_add("allow"); diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c index 431cd9cd..0cc6eeb1 100644 --- a/libsepol/cil/src/cil_binary.c +++ b/libsepol/cil/src/cil_binary.c @@ -34,6 +34,9 @@ #ifndef IPPROTO_DCCP #define IPPROTO_DCCP 33 #endif +#ifndef IPPROTO_SCTP +#define IPPROTO_SCTP 132 +#endif #include #include @@ -3272,6 +3275,9 @@ int cil_portcon_to_policydb(policydb_t *pdb, struct cil_sort *portcons) case CIL_PROTOCOL_DCCP: new_ocon->u.port.protocol = IPPROTO_DCCP; break; + case CIL_PROTOCOL_SCTP: + new_ocon->u.port.protocol = IPPROTO_SCTP; + break; default: /* should not get here */ rc = SEPOL_ERR; diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c index e84336bf..b90b0f60 100644 --- a/libsepol/cil/src/cil_build_ast.c +++ b/libsepol/cil/src/cil_build_ast.c 
@@ -4405,6 +4405,8 @@ int cil_gen_portcon(struct cil_db *db, struct cil_tree_node *parse_current, stru
 portcon->proto = CIL_PROTOCOL_TCP;
 } else if (proto == CIL_KEY_DCCP) {
 portcon->proto = CIL_PROTOCOL_DCCP;
+ } else if (proto == CIL_KEY_SCTP) {
+ portcon->proto = CIL_PROTOCOL_SCTP;
 } else {
 cil_log(CIL_ERR, "Invalid protocol\n");
 rc = SEPOL_ERR;
diff --git a/libsepol/cil/src/cil_internal.h b/libsepol/cil/src/cil_internal.h
index 8393e391..6ff32285 100644
--- a/libsepol/cil/src/cil_internal.h
+++ b/libsepol/cil/src/cil_internal.h
@@ -103,6 +103,7 @@ char *CI