Patchwork [02/17] libselinux: new package

Submitter Clayton Shotwell
Date Sept. 4, 2013, 11:09 p.m.
Message ID <1378336196-27403-3-git-send-email-clshotwe@rockwellcollins.com>
Permalink /patch/272746/
State Superseded

Comments

Clayton Shotwell - Sept. 4, 2013, 11:09 p.m.
Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
 package/Config.in                |    1 +
 package/libselinux/Config.in     |   22 +++++++
 package/libselinux/libselinux.mk |  128 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 151 insertions(+), 0 deletions(-)
 create mode 100644 package/libselinux/Config.in
 create mode 100644 package/libselinux/libselinux.mk
Thomas Petazzoni - Sept. 5, 2013, 7:51 a.m.
Dear Clayton Shotwell,

On Wed, 4 Sep 2013 18:09:41 -0500, Clayton Shotwell wrote:

>  menu "Security"
>  source "package/libsepol/Config.in"
> +source "package/libselinux/Config.in"
>  endmenu

Same comment as previous package: libselinux is a library, so it should
be under Target packages -> Libraries.

>  
>  menu "System tools"
> diff --git a/package/libselinux/Config.in b/package/libselinux/Config.in
> new file mode 100644
> index 0000000..4f3be64
> --- /dev/null
> +++ b/package/libselinux/Config.in
> @@ -0,0 +1,22 @@
> +config BR2_PACKAGE_LIBSELINUX
> +	bool "libselinux"
> +	depends on BR2_LINUX_KERNEL

Hum, can you clarify why a dependency on the kernel is needed here?

> +	help
> +	  libselinux is the runtime SELinux library that provides interfaces 
> +	  (e.g. library functions for the SELinux kernel APIs like getcon(), 
> +	  other support functions like getseuserbyname()) to SELinux-aware 
> +	  applications. libselinux may use the shared libsepol to manipulate 
> +	  the binary policy if necessary (e.g. to downgrade the policy format 
> +	  to an older version supported by the kernel) when loading policy.
> +	  
> +	  http://selinuxproject.org/page/Main_Page
> +
> +if BR2_PACKAGE_LIBSELINUX
> +
> +config BR2_PACKAGE_LIBSELINUX_PYTHON_BINDINGS
> +	select BR2_PACKAGE_PYTHON

Here I am not sure whether we should have:

 (1) An option that selects BR2_PACKAGE_PYTHON (as you did)

 (2) An option that depends on BR2_PACKAGE_PYTHON

 (3) No option at all, and have the package automatically enable Python
     bindings when BR2_PACKAGE_PYTHON is enabled.

What do the others think?

> +	bool "python bindings"
> +	help
> +	  enable building python bindings
> +
> +endif
> diff --git a/package/libselinux/libselinux.mk b/package/libselinux/libselinux.mk
> new file mode 100644
> index 0000000..ed90186
> --- /dev/null
> +++ b/package/libselinux/libselinux.mk
> @@ -0,0 +1,128 @@
> +################################################################################
> +#
> +# libselinux
> +#
> +################################################################################

One empty line between header and variables.

> +LIBSELINUX_VERSION = 2.1.13
> +LIBSELINUX_SOURCE = libselinux-$(LIBSELINUX_VERSION).tar.gz

This line is not needed, that's the default value.

> +LIBSELINUX_SITE = http://userspace.selinuxproject.org/releases/20130423/
> +LIBSELINUX_LICENSE = PublicDomain
> +LIBSELINUX_LICENSE_FILES = LICENSE
> +
> +##############################
> +# Target Section
> +##############################

Comment not needed.

> +LIBSELINUX_DEPENDENCIES = libsepol pcre

Then you should select BR2_PACKAGE_LIBSEPOL and BR2_PACKAGE_PCRE in
your Config.in file.

> +
> +LIBSELINUX_INSTALL_STAGING = YES
> +LIBSELINUX_INSTALL_TARGET = YES

This last line is not needed, that's the default.

> +
> +LIBSELINUX_MAKE_CMDS = $(TARGET_CONFIGURE_OPTS) LDFLAGS="$(TARGET_LDFLAGS) -lpcre -lpthread"

This could use a little bit of wrapping:

LIBSELINUX_MAKE_CMDS = \
	$(TARGET_CONFIGURE_OPTS) \
	LDFLAGS="$(TARGET_LDFLAGS) -lpcre -lpthread"

BTW, I'm not sure _MAKE_CMDS is really the appropriate suffix, maybe
_MAKE_OPTS ?

> +ifeq ($(BR2_PACKAGE_LIBSELINUX_PYTHON_BINDINGS),y)
> +
> +LIBSELINUX_DEPENDENCIES += python host-swig host-python
> +LIBSELINUX_MAKE_CMDS += PYINC="-I$(STAGING_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)/" \
> +	PYTHONLIBDIR="-L$(STAGING_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/" \
> +	PYLIBVER="python$(PYTHON_VERSION_MAJOR)" \
> +	SWIG_LIB="$(HOST_DIR)/usr/share/swig/$(SWIG_VERSION)/"
> +
> +define LIBSELINUX_PYTHON_BUILD_CMDS
> +	$(MAKE) -C $(@D) $(LIBSELINUX_MAKE_CMDS) DESTDIR=$(STAGING_DIR) swigify
> +	$(MAKE) -C $(@D) $(LIBSELINUX_MAKE_CMDS) DESTDIR=$(STAGING_DIR) pywrap

DESTDIR really needed at build time ?

> +endef
> +
> +define LIBSELINUX_PYTHON_INSTALL_STAGING_CMDS
> +	$(MAKE) -C $(@D) install-pywrap $(LIBSELINUX_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
> +endef
> +
> +define LIBSELINUX_PYTHON_INSTALL_TARGET_CMDS
> +	$(MAKE) -C $(@D) install-pywrap $(LIBSELINUX_MAKE_CMDS) DESTDIR=$(TARGET_DIR)
> +endef
> +
> +define LIBSELINUX_PYTHON_UNINSTALL_STAGING_CMDS
> +	rm -rf $(STAGING_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages/selinux
> +endef
> +
> +define LIBSELINUX_PYTHON_UNINSTALL_TARGET_CMDS
> +	rm -rf $(TARGET_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages/selinux
> +endef

You can get rid of install commands.

> +
> +endif
> +
> +define LIBSELINUX_BUILD_CMDS
> +	$(MAKE) -C $(@D) $(LIBSELINUX_MAKE_CMDS) DESTDIR=$(STAGING_DIR) all

DESTDIR unneeded at build time.

> +	$(LIBSELINUX_PYTHON_BUILD_CMDS)
> +endef
> +
> +define LIBSELINUX_INSTALL_STAGING_CMDS
> +	$(MAKE) -C $(@D) install $(LIBSELINUX_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
> +	$(LIBSELINUX_PYTHON_INSTALL_STAGING_CMDS)
> +endef
> +
> +define LIBSELINUX_INSTALL_TARGET_CMDS
> +	$(MAKE) -C $(@D) install $(LIBSELINUX_MAKE_CMDS) DESTDIR=$(TARGET_DIR)
> +	$(LIBSELINUX_PYTHON_INSTALL_TARGET_CMDS)
> +endef
> +
> +define LIBSELINUX_CLEAN_CMDS
> +	$(MAKE) -C $(@D) clean
> +endef
> +
> +LIBSELINUX_SBIN_FILES = avcstat compute_av compute_create compute_member \
> +	compute_relabel compute_user getconlist getdefaultcon getenforce \
> +	getfilecon getpidcon getsebool getseuser matchpathcon policyvers \
> +	sefcontext_compile selinux_check_securetty_context selinuxenabled \
> +	selinuxexeccon setenforce setfilecon togglesebool
> +
> +define LIBSELINUX_UNINSTALL_STAGING_CMDS
> +	rm -rf $(addprefix $(STAGING_DIR), /usr/include/selinux \
> +		$(addprefix /usr/sbin/, $(LIBSELINUX_SBIN_FILES)) \
> +		/usr/lib/pkgconfig/libselinux* /usr/lib/libselinux* /lib/libselinux*)
> +	rm -f $(addprefix $(STAGING_DIR)/usr/man/man3/,$(notdir $(wildcard $(@D)/man/man3/*.3)))
> +	rm -f $(addprefix $(STAGING_DIR)/usr/man/man5/,$(notdir $(wildcard $(@D)/man/man5/*.5)))
> +	rm -f $(addprefix $(STAGING_DIR)/usr/man/man8/,$(notdir $(wildcard $(@D)/man/man8/*.8)))
> +	$(LIBSELINUX_PYTHON_UNINSTALL_STAGING_CMDS)
> +endef
> +
> +define LIBSELINUX_UNINSTALL_TARGET_CMDS
> +	rm -rf $(addprefix $(TARGET_DIR), /usr/include/selinux \
> +		$(addprefix /usr/sbin/, $(LIBSELINUX_SBIN_FILES)) \
> +		/usr/lib/pkgconfig/libselinux* /usr/lib/libselinux* /lib/libselinux*)
> +	$(LIBSELINUX_PYTHON_UNINSTALL_TARGET_CMDS)
> +endef

Yeah, just drop the uninstall commands.

> +##############################
> +# Host Section
> +##############################

Drop this header.

> +HOST_LIBSELINUX_DEPENDENCIES = host-python host-libsepol host-swig host-pcre

So for the host variant, the Python bindings are always enabled? Is
there a reason for that?

> +
> +HOST_LIBSELINUX_MAKE_CMDS = $(HOST_CONFIGURE_OPTS) LDFLAGS="$(HOST_LDFLAGS) -lpcre -lpthread"\
> +	PYINC="-I$(HOST_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)/" \
> +	PYTHONLIBDIR="-L$(HOST_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/" \
> +	PYLIBVER="python$(PYTHON_VERSION_MAJOR)" \
> +	SWIG_LIB="$(HOST_DIR)/usr/share/swig/$(SWIG_VERSION)/" \
> +
> +define HOST_LIBSELINUX_BUILD_CMDS
> +	$(MAKE) -C $(@D) $(HOST_LIBSELINUX_MAKE_CMDS) DESTDIR=$(HOST_DIR) all
> +	$(MAKE) -C $(@D) $(HOST_LIBSELINUX_MAKE_CMDS) DESTDIR=$(HOST_DIR) swigify
> +	$(MAKE) -C $(@D) $(HOST_LIBSELINUX_MAKE_CMDS) DESTDIR=$(HOST_DIR) pywrap

DESTDIR usually not needed at build time.

> +endef
> +
> +define HOST_LIBSELINUX_INSTALL_CMDS
> +	$(MAKE) -C $(@D) install install-pywrap $(HOST_LIBSELINUX_MAKE_CMDS) DESTDIR=$(HOST_DIR)
> +	mv $(HOST_DIR)/lib/libselinux.so.1 $(HOST_DIR)/usr/lib
> +	(cd $(HOST_DIR)/usr/lib; rm -f libselinux.so; ln -s libselinux.so.1 libselinux.so)
> +	rmdir $(HOST_DIR)/lib
> +	(if -f $(HOST_DIR)/sbin/matchpathcon; then \
> +		mv $(HOST_DIR)/sbin/matchpathcon $(HOST_DIR)/usr/sbin/; \
> +		rmdir $(HOST_DIR)/sbin; \
> +	fi)

Same suggestion as above: what if you pass DESTDIR=$(HOST_DIR)/usr ?

Thanks!

Thomas
Clayton Shotwell - Sept. 5, 2013, 1:18 p.m.
Thomas,

Thomas Petazzoni <thomas.petazzoni@free-electrons.com> wrote on 09/05/2013 
02:51:29 AM:

> >  menu "Security"
> >  source "package/libsepol/Config.in"
> > +source "package/libselinux/Config.in"
> >  endmenu
> 
> Same comment as previous package: libselinux is a library, so it should
> be under Target packages -> Libraries.

Agree

> > +config BR2_PACKAGE_LIBSELINUX
> > +   bool "libselinux"
> > +   depends on BR2_LINUX_KERNEL
> 
> Hum, can you clarify why a dependency on the kernel is needed here?

Probably shouldn't be an explicit one, though SELinux will not work 
outside of Linux.  I will go ahead and remove this dependency.

> > +config BR2_PACKAGE_LIBSELINUX_PYTHON_BINDINGS
> > +   select BR2_PACKAGE_PYTHON
> 
> Here I am not sure whether we should have:
> 
>  (1) An option that selects BR2_PACKAGE_PYTHON (as you did)
> 
>  (2) An option that depends on BR2_PACKAGE_PYTHON
> 
>  (3) No option at all, and have the package automatically enable Python
>      bindings when BR2_PACKAGE_PYTHON is enabled.
> 
> What do the others think?

I added this option because the policycoreutils package contains utilities 
that rely on the python bindings from the libselinux and sepolgen 
packages.  What I can do is remove the option and have the bindings for 
libselinux and sepolgen depend on BR2_PACKAGE_PYTHON. I can then change 
policycoreutils to select BR2_PACKAGE_PYTHON, which would enable the other 
two.  This would also allow the bindings to be generated any time Python 
support is enabled.
 
> Then you should select BR2_PACKAGE_LIBSEPOL and BR2_PACKAGE_PCRE in
> your Config.in file.

Can do.

> > +HOST_LIBSELINUX_DEPENDENCIES = host-python host-libsepol host-
> swig host-pcre
> 
> So for the host variant, the Python bindings are always enabled? Is
> there a reason for that?

This was just a easier way than checking to see if host python is being 
installed.  Should I break this out and if so, what should I check to see 
if the host version is being installed?

The same DESTDIR comments from my previous email apply to this package 
also.  I will pull the generic changes into all of my patches and resubmit 
them if that works for you.

Thanks,
Clayton

Clayton Shotwell
Software Engineer
clshotwe@rockwellcollins.com
www.rockwellcollins.com

Patch

diff --git a/package/Config.in b/package/Config.in
index 21f7271..bf68827 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -898,6 +898,7 @@  endmenu
 
 menu "Security"
 source "package/libsepol/Config.in"
+source "package/libselinux/Config.in"
 endmenu
 
 menu "System tools"
diff --git a/package/libselinux/Config.in b/package/libselinux/Config.in
new file mode 100644
index 0000000..4f3be64
--- /dev/null
+++ b/package/libselinux/Config.in
@@ -0,0 +1,22 @@ 
+config BR2_PACKAGE_LIBSELINUX
+	bool "libselinux"
+	depends on BR2_LINUX_KERNEL
+	help
+	  libselinux is the runtime SELinux library that provides interfaces 
+	  (e.g. library functions for the SELinux kernel APIs like getcon(), 
+	  other support functions like getseuserbyname()) to SELinux-aware 
+	  applications. libselinux may use the shared libsepol to manipulate 
+	  the binary policy if necessary (e.g. to downgrade the policy format 
+	  to an older version supported by the kernel) when loading policy.
+	  
+	  http://selinuxproject.org/page/Main_Page
+
+if BR2_PACKAGE_LIBSELINUX
+
+config BR2_PACKAGE_LIBSELINUX_PYTHON_BINDINGS
+	select BR2_PACKAGE_PYTHON
+	bool "python bindings"
+	help
+	  enable building python bindings
+
+endif
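Review bot: BR2_PACKAGE_LIBSELINUX declares no thread-support dependency, yet libselinux.mk in this same patch always links with `-lpthread` (LIBSELINUX_MAKE_CMDS), so the package can be selected on a toolchain built without threads and will presumably fail at link time. Adding `depends on BR2_TOOLCHAIN_HAS_THREADS` to the main option, with the usual `comment "libselinux needs a toolchain w/ threads"` shown for the unmet case, would make that visible in menuconfig. The help text lines also end in trailing spaces, which are worth stripping.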
diff --git a/package/libselinux/libselinux.mk b/package/libselinux/libselinux.mk
new file mode 100644
index 0000000..ed90186
--- /dev/null
+++ b/package/libselinux/libselinux.mk
@@ -0,0 +1,128 @@ 
+################################################################################
+#
+# libselinux
+#
+################################################################################
+LIBSELINUX_VERSION = 2.1.13
+LIBSELINUX_SOURCE = libselinux-$(LIBSELINUX_VERSION).tar.gz
+LIBSELINUX_SITE = http://userspace.selinuxproject.org/releases/20130423/
+LIBSELINUX_LICENSE = PublicDomain
+LIBSELINUX_LICENSE_FILES = LICENSE
+
+##############################
+# Target Section
+##############################
+LIBSELINUX_DEPENDENCIES = libsepol pcre
+
+LIBSELINUX_INSTALL_STAGING = YES
+LIBSELINUX_INSTALL_TARGET = YES
+
+LIBSELINUX_MAKE_CMDS = $(TARGET_CONFIGURE_OPTS) LDFLAGS="$(TARGET_LDFLAGS) -lpcre -lpthread"
+
+ifeq ($(BR2_PACKAGE_LIBSELINUX_PYTHON_BINDINGS),y)
+
+LIBSELINUX_DEPENDENCIES += python host-swig host-python
+LIBSELINUX_MAKE_CMDS += PYINC="-I$(STAGING_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)/" \
+	PYTHONLIBDIR="-L$(STAGING_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/" \
+	PYLIBVER="python$(PYTHON_VERSION_MAJOR)" \
+	SWIG_LIB="$(HOST_DIR)/usr/share/swig/$(SWIG_VERSION)/"
+
+define LIBSELINUX_PYTHON_BUILD_CMDS
+	$(MAKE) -C $(@D) $(LIBSELINUX_MAKE_CMDS) DESTDIR=$(STAGING_DIR) swigify
+	$(MAKE) -C $(@D) $(LIBSELINUX_MAKE_CMDS) DESTDIR=$(STAGING_DIR) pywrap
+endef
+
+define LIBSELINUX_PYTHON_INSTALL_STAGING_CMDS
+	$(MAKE) -C $(@D) install-pywrap $(LIBSELINUX_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
+endef
+
+define LIBSELINUX_PYTHON_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D) install-pywrap $(LIBSELINUX_MAKE_CMDS) DESTDIR=$(TARGET_DIR)
+endef
+
+define LIBSELINUX_PYTHON_UNINSTALL_STAGING_CMDS
+	rm -rf $(STAGING_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages/selinux
+endef
+
+define LIBSELINUX_PYTHON_UNINSTALL_TARGET_CMDS
+	rm -rf $(TARGET_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages/selinux
+endef
+
+endif
+
+define LIBSELINUX_BUILD_CMDS
+	$(MAKE) -C $(@D) $(LIBSELINUX_MAKE_CMDS) DESTDIR=$(STAGING_DIR) all
+	$(LIBSELINUX_PYTHON_BUILD_CMDS)
+endef
+
+define LIBSELINUX_INSTALL_STAGING_CMDS
+	$(MAKE) -C $(@D) install $(LIBSELINUX_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
+	$(LIBSELINUX_PYTHON_INSTALL_STAGING_CMDS)
+endef
+
+define LIBSELINUX_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D) install $(LIBSELINUX_MAKE_CMDS) DESTDIR=$(TARGET_DIR)
+	$(LIBSELINUX_PYTHON_INSTALL_TARGET_CMDS)
+endef
+
+define LIBSELINUX_CLEAN_CMDS
+	$(MAKE) -C $(@D) clean
+endef
+
+LIBSELINUX_SBIN_FILES = avcstat compute_av compute_create compute_member \
+	compute_relabel compute_user getconlist getdefaultcon getenforce \
+	getfilecon getpidcon getsebool getseuser matchpathcon policyvers \
+	sefcontext_compile selinux_check_securetty_context selinuxenabled \
+	selinuxexeccon setenforce setfilecon togglesebool
+
+define LIBSELINUX_UNINSTALL_STAGING_CMDS
+	rm -rf $(addprefix $(STAGING_DIR), /usr/include/selinux \
+		$(addprefix /usr/sbin/, $(LIBSELINUX_SBIN_FILES)) \
+		/usr/lib/pkgconfig/libselinux* /usr/lib/libselinux* /lib/libselinux*)
+	rm -f $(addprefix $(STAGING_DIR)/usr/man/man3/,$(notdir $(wildcard $(@D)/man/man3/*.3)))
+	rm -f $(addprefix $(STAGING_DIR)/usr/man/man5/,$(notdir $(wildcard $(@D)/man/man5/*.5)))
+	rm -f $(addprefix $(STAGING_DIR)/usr/man/man8/,$(notdir $(wildcard $(@D)/man/man8/*.8)))
+	$(LIBSELINUX_PYTHON_UNINSTALL_STAGING_CMDS)
+endef
+
+define LIBSELINUX_UNINSTALL_TARGET_CMDS
+	rm -rf $(addprefix $(TARGET_DIR), /usr/include/selinux \
+		$(addprefix /usr/sbin/, $(LIBSELINUX_SBIN_FILES)) \
+		/usr/lib/pkgconfig/libselinux* /usr/lib/libselinux* /lib/libselinux*)
+	$(LIBSELINUX_PYTHON_UNINSTALL_TARGET_CMDS)
+endef
+
+##############################
+# Host Section
+##############################
+HOST_LIBSELINUX_DEPENDENCIES = host-python host-libsepol host-swig host-pcre
+
+HOST_LIBSELINUX_MAKE_CMDS = $(HOST_CONFIGURE_OPTS) LDFLAGS="$(HOST_LDFLAGS) -lpcre -lpthread"\
+	PYINC="-I$(HOST_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)/" \
+	PYTHONLIBDIR="-L$(HOST_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/" \
+	PYLIBVER="python$(PYTHON_VERSION_MAJOR)" \
+	SWIG_LIB="$(HOST_DIR)/usr/share/swig/$(SWIG_VERSION)/" \
+
+define HOST_LIBSELINUX_BUILD_CMDS
+	$(MAKE) -C $(@D) $(HOST_LIBSELINUX_MAKE_CMDS) DESTDIR=$(HOST_DIR) all
+	$(MAKE) -C $(@D) $(HOST_LIBSELINUX_MAKE_CMDS) DESTDIR=$(HOST_DIR) swigify
+	$(MAKE) -C $(@D) $(HOST_LIBSELINUX_MAKE_CMDS) DESTDIR=$(HOST_DIR) pywrap
+endef
+
+define HOST_LIBSELINUX_INSTALL_CMDS
+	$(MAKE) -C $(@D) install install-pywrap $(HOST_LIBSELINUX_MAKE_CMDS) DESTDIR=$(HOST_DIR)
+	mv $(HOST_DIR)/lib/libselinux.so.1 $(HOST_DIR)/usr/lib
+	(cd $(HOST_DIR)/usr/lib; rm -f libselinux.so; ln -s libselinux.so.1 libselinux.so)
+	rmdir $(HOST_DIR)/lib
+	(if -f $(HOST_DIR)/sbin/matchpathcon; then \
+		mv $(HOST_DIR)/sbin/matchpathcon $(HOST_DIR)/usr/sbin/; \
+		rmdir $(HOST_DIR)/sbin; \
+	fi)
+endef
+
+define HOST_LIBSELINUX_CLEAN_CMDS
+	$(MAKE) -C $(@D) clean
+endef
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
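Review bot: In HOST_LIBSELINUX_INSTALL_CMDS, `if -f $(HOST_DIR)/sbin/matchpathcon; then` is not a file test: the shell tries to run a command called `-f`, the condition fails, and matchpathcon is left in $(HOST_DIR)/sbin while the recipe line still exits 0; it should be `if [ -f $(HOST_DIR)/sbin/matchpathcon ]; then`. Two lines earlier the `cd $(HOST_DIR)/usr/lib; rm -f libselinux.so; ln -s ...` chain uses `;`, so a failed cd lets rm and ln act on the current directory; use `&&` after the cd. Separately, LIBSELINUX_SITE downloads the release tarball over plain http and nothing in the new file pins a checksum, so the source of a library that sits on the access-control path is accepted unverified; an https location or a pinned hash is worth adding if the tree supports one.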