From 691ce0c988701bf5512bbf41a24edaefc43f6fc0 Mon Sep 17 00:00:00 2001
From: Michael Marineau
Date: Fri, 14 Aug 2015 15:36:48 -0700
Subject: [PATCH 1/4] policycoreutils: prune installed tools/files
- Exclude all python scripts when the python flag is off.
- Add nls use flag to disable gettext
- Add extra use flag to disable Gentoo provided tools and OpenRC goo.
- Drop live ebuild, we don't really need it.
---
 ...4.ebuild => policycoreutils-2.4-r1.ebuild} | 57 ++++--
 .../policycoreutils-9999.ebuild | 181 ------------------
 2 files changed, 36 insertions(+), 202 deletions(-)
 rename sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/{policycoreutils-2.4.ebuild => policycoreutils-2.4-r1.ebuild} (80%)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-9999.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-2.4.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-2.4-r1.ebuild
similarity index 80%
rename from sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-2.4.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-2.4-r1.ebuild
index d7d0b772ec..3f085c4eb6 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-2.4.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-2.4-r1.ebuild
@@ -15,12 +15,12 @@ SEMNG_VER="${PV}"
 SELNX_VER="${PV}"
 SEPOL_VER="${PV}"
-IUSE="audit pam dbus python"
+IUSE="audit extra nls pam dbus python"
 DESCRIPTION="SELinux core utilities"
 HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
 SRC_URI="https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20150202/${MY_P}.tar.gz
- mirror://gentoo/policycoreutils-extra-${EXTRAS_VER}.tar.bz2"
+ extra? ( mirror://gentoo/policycoreutils-extra-${EXTRAS_VER}.tar.bz2 )"
 LICENSE="GPL-2"
 SLOT="0"
@@ -32,7 +32,7 @@ DEPEND=">=sys-libs/libselinux-${SELNX_VER}[python?]
 >=sys-libs/libsemanage-${SEMNG_VER}[python?]
 sys-libs/libcap-ng
 >=sys-libs/libsepol-${SEPOL_VER}
- sys-devel/gettext
+ nls? ( sys-devel/gettext )
 python? (
 dev-python/ipy[${PYTHON_USEDEP}]
 )
@@ -86,11 +86,18 @@ src_prepare() {
 # directory. We really should optimize this as it is ugly, but the extra
 # code is needed for Gentoo at the same time that policycoreutils is present
 # (so we cannot use an additional package for now).
- S="${S2}"
- python_copy_sources
+ if use extra ; then
+ S="${S2}"
+ python_copy_sources
+ fi
 else
- sed s/sepolicy// -i Makefile
+ for dir in audit2allow gui scripts \
+ semanage sepolicy sepolgen-ifgen
+ do
+ sed -e "s/ $dir / /" -i Makefile || die
+ done
 fi
+ use nls || sed -e "s/ po / /" -i Makefile || die
 }
 src_compile() {
@@ -109,13 +116,17 @@ src_compile() {
 if use python ; then
 S="${S1}" # Regular policycoreutils
 python_foreach_impl building
- S="${S2}" # Extra set
- python_foreach_impl building
+ if use extra ; then
+ S="${S2}" # Extra set
+ python_foreach_impl building
+ fi
 else
 BUILD_DIR="${S1}"
 building
- BUILD_DIR="${S2}"
- building
+ if use extra ; then
+ BUILD_DIR="${S2}"
+ building
+ fi
 fi
 }
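Review bot: In the `@@ -32,7 +32,7 @@` hunk only the build-time `sys-devel/gettext` is put behind `nls?`, while the runtime dependencies that exist for the extras set and the Python tools are not touched by this commit. The 2.4 ebuild's `RDEPEND` is outside the hunk, but if it matches the deleted 9999 ebuild (`dev-python/sepolgen` and `app-misc/pax-utils`, the latter present only for rlpkg's scanelf), those packages are still pulled onto images that, with `extra`/`python` off, no longer install anything that uses them. Guarding them the same way, `extra? ( app-misc/pax-utils )` and `python? ( dev-python/sepolgen )`, would finish the pruning the commit message describes.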
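Review bot: In the `@@ -86,11 +86,18 @@` hunk, `sed -e "s/ $dir / /" -i Makefile || die` cannot report a pattern that does not match, because sed exits 0 whether or not it substituted anything, so an entry that is not surrounded by single spaces in the Makefile's subdirectory list (first or last in the list, tab-separated, or on a continuation line) is silently kept and the Python tools the commit means to drop are still built and installed; the `use nls || sed -e "s/ po / /" -i Makefile || die` line has the same gap. Checking that the entry is really there before editing, `grep -q " $dir " Makefile || die "no $dir entry in Makefile"`, turns the silent no-op into a build failure. Whether `sepolgen-ifgen` is a top-level entry of that list at all is not visible here; if it is not, the loop already hits this case. `src_prepare` begins before the hunk.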
@@ -140,22 +151,27 @@ src_install() {
 if use python ; then
 S="${S1}" # policycoreutils
 python_foreach_impl installation-policycoreutils
- S="${S2}" # extras
- python_foreach_impl installation-extras
- S="${S1}" # back for later
+ if use extra ; then
+ S="${S2}" # extras
+ python_foreach_impl installation-extras
+ S="${S1}" # back for later
+ fi
 else
 BUILD_DIR="${S1}"
 installation-policycoreutils
- BUILD_DIR="${S2}"
- installation-extras
+ if use extra ; then
+ BUILD_DIR="${S2}"
+ installation-extras
+ fi
 fi
 # remove redhat-style init script
 rm -fR "${D}/etc/rc.d"
 # compatibility symlinks
-# dosym /sbin/setfiles /usr/sbin/setfiles
- dosym /$(get_libdir)/rc/runscript_selinux.so /$(get_libdir)/rcscripts/runscript_selinux.so
+ if use extra ; then
+ dosym /$(get_libdir)/rc/runscript_selinux.so /$(get_libdir)/rcscripts/runscript_selinux.so
+ fi
 # location for policy definitions
 dodir /usr/lib/selinux/policy
@@ -166,9 +182,8 @@ src_install() {
 for pyscript in audit2allow sepolgen-ifgen sepolicy chcat; do
 python_replicate_script "${ED}/usr/bin/${pyscript}"
 done
- for pyscript in semanage rlpkg; do
- python_replicate_script "${ED}/usr/sbin/${pyscript}"
- done
+ python_replicate_script "${ED}/usr/sbin/semanage"
+ use extra && python_replicate_script "${ED}/usr/sbin/rlpkg"
 fi
 dodir /usr/share/doc/${PF}/mcstrans/examples
@@ -177,5 +192,5 @@ src_install() {
 pkg_postinst() {
 # The selinux_gentoo init script is no longer needed with recent OpenRC
- elog "The selinux_gentoo init script will be removed in future versions since it is not needed with OpenRC 0.13."
+ use extra && elog "The selinux_gentoo init script will be removed in future versions since it is not needed with OpenRC 0.13."
 }
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-9999.ebuild
deleted file mode 100644
index a83119396f..0000000000
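Review bot: In the `@@ -177,5 +192,5 @@` hunk `use extra && elog "..."` becomes the only statement of `pkg_postinst`, so when `extra` is off the function's exit status is the non-zero status of `use extra`. How a package manager treats a non-zero phase function varies, and even where it only produces a notice it is avoidable noise for every image built without the flag. Writing it as `if use extra ; then elog "The selinux_gentoo init script will be removed in future versions since it is not needed with OpenRC 0.13." ; fi` keeps the message conditional without changing the phase's status. The same `use extra && ...` shape in the `@@ -166,9 +182,8 @@` hunk is harmless only because other statements follow it.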
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/policycoreutils/policycoreutils-9999.ebuild
+++ /dev/null
@@ -1,181 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/policycoreutils/policycoreutils-9999.ebuild,v 1.1 2015/06/09 15:38:25 swift Exp $
-
-EAPI="5"
-PYTHON_COMPAT=( python2_7 )
-PYTHON_REQ_USE="xml"
-
-inherit multilib python-r1 toolchain-funcs eutils
-
-MY_P="${P//_/-}"
-MY_RELEASEDATE="20150202"
-
-EXTRAS_VER="1.33"
-SEMNG_VER="${PV}"
-SELNX_VER="${PV}"
-SEPOL_VER="${PV}"
-
-IUSE="audit pam dbus"
-
-DESCRIPTION="SELinux core utilities"
-HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
-
-if [[ ${PV} == 9999 ]] ; then
- inherit git-r3
- EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git"
- SRC_URI="mirror://gentoo/policycoreutils-extra-${EXTRAS_VER}.tar.bz2"
- S="${WORKDIR}/${MY_P}/${PN}"
- S1="${WORKDIR}/${MY_P}/${PN}"
- S2="${WORKDIR}/policycoreutils-extra"
-else
- SRC_URI="https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20150202/${MY_P}.tar.gz
- mirror://gentoo/policycoreutils-extra-${EXTRAS_VER}.tar.bz2"
- KEYWORDS="~amd64 ~x86"
- S="${WORKDIR}/${MY_P}"
- S1="${WORKDIR}/${MY_P}"
- S2="${WORKDIR}/policycoreutils-extra"
-fi
-
-LICENSE="GPL-2"
-SLOT="0"
-
-DEPEND=">=sys-libs/libselinux-${SELNX_VER}[python]
- >=sys-libs/glibc-2.4
- >=sys-libs/libcap-1.10-r10
- >=sys-libs/libsemanage-${SEMNG_VER}[python]
- sys-libs/libcap-ng
- >=sys-libs/libsepol-${SEPOL_VER}
- sys-devel/gettext
- dev-python/ipy[${PYTHON_USEDEP}]
- dbus? (
- sys-apps/dbus
- dev-libs/dbus-glib
- )
- audit? ( >=sys-process/audit-1.5.1 )
- pam?
( sys-libs/pam )
- ${PYTHON_DEPS}"
-
-### libcgroup -> seunshare
-### dbus -> restorecond
-
-# pax-utils for scanelf used by rlpkg
-RDEPEND="${DEPEND}
- dev-python/sepolgen
- app-misc/pax-utils"
-
-src_unpack() {
- # Override default one because we need the SRC_URI ones even in case of 9999 ebuilds
- if [[ ${PV} == 9999 ]] ; then
- git-r3_src_unpack
- fi
- if [ -n ${A} ] ; then
- S="${S2}"
- unpack ${A};
- fi
-}
-
-src_prepare() {
- S="${S1}"
- cd "${S}" || die "Failed to switch to ${S}"
- if [[ ${PV} != 9999 ]] ; then
- # If needed for live ebuilds please use /etc/portage/patches
- epatch "${FILESDIR}/0010-remove-sesandbox-support.patch"
- epatch "${FILESDIR}/0020-disable-autodetection-of-pam-and-audit.patch"
- epatch "${FILESDIR}/0030-make-inotify-check-use-flag-triggered.patch"
- epatch "${FILESDIR}/0040-reverse-access-check-in-run_init.patch"
- epatch "${FILESDIR}/0070-remove-symlink-attempt-fails-with-gentoo-sandbox-approach.patch"
- epatch "${FILESDIR}/0110-build-mcstrans-bug-472912.patch"
- epatch "${FILESDIR}/0120-build-failure-for-mcscolor-for-CONTEXT__CONTAINS.patch"
- fi
-
- # rlpkg is more useful than fixfiles
- sed -i -e '/^all/s/fixfiles//' "${S}/scripts/Makefile" \
- || die "fixfiles sed 1 failed"
- sed -i -e '/fixfiles/d' "${S}/scripts/Makefile" \
- || die "fixfiles sed 2 failed"
-
- epatch_user
-
- python_copy_sources
- # Our extra code is outside the regular directory, so set it to the extra
- # directory. We really should optimize this as it is ugly, but the extra
- # code is needed for Gentoo at the same time that policycoreutils is present
- # (so we cannot use an additional package for now).
- S="${S2}"
- python_copy_sources
-}
-
-src_compile() {
- building() {
- emake -C "${BUILD_DIR}" \
- AUDIT_LOG_PRIVS="y" \
- AUDITH="$(usex audit)" \
- PAMH="$(usex pam)" \
- INOTIFYH="$(usex dbus)" \
- SESANDBOX="n" \
- CC="$(tc-getCC)" \
- PYLIBVER="${EPYTHON}" \
- LIBDIR="\$(PREFIX)/$(get_libdir)"
- }
- S="${S1}" # Regular policycoreutils
- python_foreach_impl building
- S="${S2}" # Extra set
- python_foreach_impl building
-}
-
-src_install() {
- # Python scripts are present in many places. There are no extension modules.
- installation-policycoreutils() {
- einfo "Installing policycoreutils"
- emake -C "${BUILD_DIR}" DESTDIR="${D}" \
- AUDITH="$(usex audit)" \
- PAMH="$(usex pam)" \
- INOTIFYH="$(usex dbus)" \
- SESANDBOX="n" \
- AUDIT_LOG_PRIV="y" \
- PYLIBVER="${EPYTHON}" \
- LIBDIR="\$(PREFIX)/$(get_libdir)" \
- install
- python_optimize
- }
-
- installation-extras() {
- einfo "Installing policycoreutils-extra"
- emake -C "${BUILD_DIR}" DESTDIR="${D}" INOTIFYH="$(usex dbus)" SHLIBDIR="${D}$(get_libdir)/rc" install
- python_optimize
- }
-
- S="${S1}" # policycoreutils
- python_foreach_impl installation-policycoreutils
- S="${S2}" # extras
- python_foreach_impl installation-extras
- S="${S1}" # back for later
-
- # remove redhat-style init script
- rm -fR "${D}/etc/rc.d"
-
- # compatibility symlinks
- dosym /sbin/setfiles /usr/sbin/setfiles
- dosym /$(get_libdir)/rc/runscript_selinux.so /$(get_libdir)/rcscripts/runscript_selinux.so
-
- # location for policy definitions
- dodir /var/lib/selinux
- keepdir /var/lib/selinux
-
- # Set version-specific scripts
- for pyscript in audit2allow sepolgen-ifgen sepolicy chcat; do
- python_replicate_script "${ED}/usr/bin/${pyscript}"
- done
- for pyscript in semanage rlpkg; do
- python_replicate_script "${ED}/usr/sbin/${pyscript}"
- done
-
- dodir /usr/share/doc/${PF}/mcstrans/examples
- cp -dR "${S1}"/mcstrans/share/examples/* "${D}/usr/share/doc/${PF}/mcstrans/examples"
-}
-
-pkg_postinst() {
- # The selinux_gentoo init
script is no longer needed with recent OpenRC
- elog "The selinux_gentoo init script will be removed in future versions since it is not needed with OpenRC 0.13."
-}
From efde8e22e3818f49aa5ceccca3e3912e7716838c Mon Sep 17 00:00:00 2001
From: Michael Marineau
Date: Fri, 14 Aug 2015 15:41:18 -0700
Subject: [PATCH 2/4] profiles: exclude a pile of ustr source code from prod images
---
 .../profiles/coreos/targets/generic/make.defaults | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/make.defaults b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/make.defaults
index 4238a596b6..9a81fc4457 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/make.defaults
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/targets/generic/make.defaults
@@ -35,3 +35,10 @@ INSTALL_MASK="${INSTALL_MASK}
 /etc/wgetrc
 /etc/xinetd.d
 "
+
+# Exclude ustr's source code and debug library
+INSTALL_MASK="${INSTALL_MASK}
+ /usr/bin/ustr-import
+ /usr/lib*/libustr-debug*
+ /usr/share/ustr-*
+"
From f932e4d950cc7871fa7d78cd96d02f4ad920c695 Mon Sep 17 00:00:00 2001
From: Michael Marineau
Date: Fri, 14 Aug 2015 15:44:31 -0700
Subject: [PATCH 3/4] checkpolicy: import from portage-stable
---
 .../sys-apps/checkpolicy/Manifest | 1 +
 .../checkpolicy/checkpolicy-2.4.ebuild | 51 +++++++++++++++++++
 .../sys-apps/checkpolicy/metadata.xml | 6 +++
 3 files changed, 58 insertions(+)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/Manifest
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/checkpolicy-2.4.ebuild
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/metadata.xml
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/Manifest
new file mode 100644
index 0000000000..cd28827b4f
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/Manifest
@@ -0,0 +1 @@
+DIST checkpolicy-2.4.tar.gz 65238 SHA256 9bbdac28a88de4c405c769730863f3adcd266adbfa45881a5de67e3a4895bcd4 SHA512 8c5c22d9510305e7f518d1a5818f5b36895210f48835d8d24a43b2d34e79881cebcc8cd588bb663c0613a4f878db125c22a4b4df3d0f63b8fb8f88350abc61cc WHIRLPOOL b717428b4411e526cc47ed2be88d7e7e4d48153404b90d50e510fd0cc10cc0452661d0b6b0cc200bb09ae1cc040ae59aae68a8c748611db3ca4cd262f8e8f932
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/checkpolicy-2.4.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/checkpolicy-2.4.ebuild
new file mode 100644
index 0000000000..7db4da548c
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/checkpolicy-2.4.ebuild
@@ -0,0 +1,51 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/checkpolicy/checkpolicy-2.4.ebuild,v 1.3 2015/05/10 09:07:48 perfinion Exp $
+
+EAPI="5"
+
+inherit toolchain-funcs eutils
+
+MY_P="${P//_/-}"
+
+SEPOL_VER="${PV}"
+SEMNG_VER="${PV}"
+
+DESCRIPTION="SELinux policy compiler"
+HOMEPAGE="http://userspace.selinuxproject.org"
+SRC_URI="https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20150202/${MY_P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="amd64 x86"
+IUSE="debug"
+
+DEPEND=">=sys-libs/libsepol-${SEPOL_VER}
+ >=sys-libs/libsemanage-${SEMNG_VER}
+ sys-devel/flex
+ sys-devel/bison"
+
+RDEPEND=">=sys-libs/libsemanage-${SEMNG_VER}"
+
+S="${WORKDIR}/${MY_P}"
+
+src_prepare() {
+ epatch_user
+}
+
+src_compile() {
+ emake CC="$(tc-getCC)" YACC="bison -y" LIBDIR="\$(PREFIX)/$(get_libdir)"
+}
+
+src_install() {
+ emake DESTDIR="${D}" install
+
+ if use debug; then
+ dobin "${S}/test/dismod"
+ dobin "${S}/test/dispol"
+ fi
+}
+
+pkg_postinst() {
+ einfo "This checkpolicy can compile version `checkpolicy -V |cut -f 1 -d ' '` policy."
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/metadata.xml b/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/metadata.xml
new file mode 100644
index 0000000000..92f48e0172
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/metadata.xml
@@ -0,0 +1,6 @@
+
+
+
+ selinux
+ SELinux policy compilier
+
From c3e0c54d9e842feeb4b34144939bfb864b689c3c Mon Sep 17 00:00:00 2001
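Review bot: `pkg_postinst` in the new checkpolicy-2.4.ebuild embeds the backtick substitution `checkpolicy -V |cut -f 1 -d ' '` in its `einfo` string, which executes whatever `checkpolicy` is first on the build host's PATH rather than the binary just installed; under the `${ROOT}`-based SDK build that the next patch in this series adapts to, that is either a host copy of a possibly different version or nothing at all, in which case the message prints an empty version alongside a command-not-found error. Resolving the installed file explicitly and skipping the message when it cannot be run, `local cp="${EROOT%/}/usr/bin/checkpolicy"` followed by `[[ -x ${cp} ]] && einfo "This checkpolicy can compile version $("${cp}" -V | cut -f 1 -d ' ') policy."`, ties the message to what was installed and replaces the backticks with `$(...)`. The file is imported from portage-stable, so the defect is inherited rather than introduced here.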
From: Michael Marineau
Date: Fri, 14 Aug 2015 15:49:44 -0700
Subject: [PATCH 4/4] checkpolicy: use includes and libsepol.a from $ROOT
Not sure why this is static instead of dynamic in the first place, but at least this fixes the build error caused by using the SDK root.
---
 .../{checkpolicy-2.4.ebuild => checkpolicy-2.4-r1.ebuild} | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
 rename sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/{checkpolicy-2.4.ebuild => checkpolicy-2.4-r1.ebuild} (86%)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/checkpolicy-2.4.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/checkpolicy-2.4-r1.ebuild
similarity index 86%
rename from sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/checkpolicy-2.4.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/checkpolicy-2.4-r1.ebuild
index 7db4da548c..caa46f3394 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/checkpolicy-2.4.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/checkpolicy/checkpolicy-2.4-r1.ebuild
@@ -34,7 +34,10 @@ src_prepare() {
 }
 src_compile() {
- emake CC="$(tc-getCC)" YACC="bison -y" LIBDIR="\$(PREFIX)/$(get_libdir)"
+ emake CC="$(tc-getCC)" YACC="bison -y" \
+ INCLUDEDIR="${ROOT}\$(PREFIX)/include"
+ LIBDIR="\$(PREFIX)/$(get_libdir)" \
+ LDLIBS="${ROOT}\$(LIBDIR)/libsepol.a -lfl"
 }
 src_install() {
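Review bot: The new `INCLUDEDIR="${ROOT}\$(PREFIX)/include"` line lacks the trailing `\` that the `YACC=` and `LIBDIR=` lines carry (unless it was lost in rendering), so the `emake` command ends after INCLUDEDIR and `LIBDIR="\$(PREFIX)/$(get_libdir)" \` together with the `LDLIBS=` line form a separate statement of plain shell assignments that never reach make. The build still succeeds because that statement returns 0, but checkpolicy is then linked against whatever the Makefile's default `LIBDIR` resolves to on the host instead of `${ROOT}`'s `libsepol.a`, the very thing this commit sets out to fix, and nothing in the ebuild would notice. The fix is the one character: `INCLUDEDIR="${ROOT}\$(PREFIX)/include" \`.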