Merge pull request #1016 from bcressey/policycoreutils

add policycoreutils and related tools
bottlerocket-os · Aug 10, 2020 · 86dab58 · 86dab58
2 parents b8ae2b0 + b181cc2
commit 86dab58
Show file tree

Hide file tree

Showing 26 changed files with 462 additions and 55 deletions.
diff --git a/packages/Cargo.lock b/packages/Cargo.lock
diff --git a/packages/Cargo.toml b/packages/Cargo.toml
@@ -32,6 +32,7 @@ members = [
     "libacl",
     "libattr",
     "libaudit",
+    "libbzip2",
     "libcap",
     "libdbus",
     "libgcc",
@@ -48,12 +49,14 @@ members = [
     "libpcap",
     "libpcre",
     "libseccomp",
-    "libsepol",
     "libselinux",
+    "libsemanage",
+    "libsepol",
     "libstd-rust",
     "libxcrypt",
     "login",
     "ncurses",
+    "policycoreutils",
     "procps",
     "readline",
     "release",

diff --git a/packages/kernel/config-bottlerocket b/packages/kernel/config-bottlerocket
@@ -34,6 +34,10 @@ CONFIG_SECURITY_SELINUX_DISABLE=n
 # Do not allow SELinux to use `enforcing=0` behavior.
 CONFIG_SECURITY_SELINUX_DEVELOP=n
 
+# Check the protection applied by the kernel for mmap and mprotect,
+# rather than the protection requested by userspace.
+CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
+
 # enable /proc/config.gz
 CONFIG_IKCONFIG=y
 CONFIG_IKCONFIG_PROC=y

diff --git a/packages/libbzip2/0001-simplify-shared-object-build.patch b/packages/libbzip2/0001-simplify-shared-object-build.patch
@@ -0,0 +1,43 @@
+From e76e1ea775d7a1897775767fc17626389372f6e9 Mon Sep 17 00:00:00 2001
+From: Ben Cressey <[email protected]>
+Date: Wed, 29 Jul 2020 19:46:30 +0000
+Subject: [PATCH] simplify shared object build
+
+Signed-off-by: Ben Cressey <[email protected]>
+---
+ Makefile-libbz2_so | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/Makefile-libbz2_so b/Makefile-libbz2_so
+index fb0f230..5e26467 100644
+--- a/Makefile-libbz2_so
++++ b/Makefile-libbz2_so
+@@ -22,9 +22,6 @@
+
+
+ SHELL=/bin/sh
+-CC=gcc
+-BIGFILES=-D_FILE_OFFSET_BITS=64
+-CFLAGS=-fpic -fPIC -Wall -Winline -O2 -g $(BIGFILES)
+
+ OBJS= blocksort.o  \
+       huffman.o    \
+@@ -35,13 +32,12 @@ OBJS= blocksort.o  \
+       bzlib.o
+
+ all: $(OBJS)
+-	$(CC) -shared -Wl,-soname -Wl,libbz2.so.1.0 -o libbz2.so.1.0.8 $(OBJS)
+-	$(CC) $(CFLAGS) -o bzip2-shared bzip2.c libbz2.so.1.0.8
++	$(CC) $(CFLAGS) $(LDFLAGS) -shared -Wl,-soname -Wl,libbz2.so.1 -o libbz2.so.1.0.8 $(OBJS)
+ 	rm -f libbz2.so.1.0
+ 	ln -s libbz2.so.1.0.8 libbz2.so.1.0
+
+ clean: 
+-	rm -f $(OBJS) bzip2.o libbz2.so.1.0.8 libbz2.so.1.0 bzip2-shared
++	rm -f $(OBJS) libbz2.so.1.0.8 libbz2.so.1.0
+
+ blocksort.o: blocksort.c
+ 	$(CC) $(CFLAGS) -c blocksort.c
+-- 
+2.21.0
+
diff --git a/packages/libbzip2/Cargo.toml b/packages/libbzip2/Cargo.toml
@@ -0,0 +1,16 @@
+[package]
+name = "libbzip2"
+version = "0.1.0"
+edition = "2018"
+publish = false
+build = "build.rs"
+
+[lib]
+path = "pkg.rs"
+
+[[package.metadata.build-package.external-files]]
+url = "https://sourceware.org/pub/bzip2/bzip2-1.0.8.tar.gz"
+sha512 = "083f5e675d73f3233c7930ebe20425a533feedeaaa9d8cc86831312a6581cefbe6ed0d08d2fa89be81082f2a5abdabca8b3c080bf97218a1bd59dc118a30b9f3"
+
+[build-dependencies]
+glibc = { path = "../glibc" }
diff --git a/packages/libbzip2/build.rs b/packages/libbzip2/build.rs
@@ -0,0 +1,9 @@
+use std::process::{exit, Command};
+
+fn main() -> Result<(), std::io::Error> {
+    let ret = Command::new("buildsys").arg("build-package").status()?;
+    if !ret.success() {
+        exit(1);
+    }
+    Ok(())
+}
diff --git a/packages/libbzip2/bzip2.pc.in b/packages/libbzip2/bzip2.pc.in
@@ -0,0 +1,10 @@
+prefix=__PREFIX__
+exec_prefix=__EXEC_PREFIX__
+libdir=__LIBDIR__
+includedir=__INCLUDEDIR__
+
+Name: bzip2
+Description: __DESCRIPTION__
+Version: __VERSION__
+Libs: -L${libdir} -lbz2
+Cflags: -I${includedir}
diff --git a/packages/libbzip2/libbzip2.spec b/packages/libbzip2/libbzip2.spec
@@ -0,0 +1,61 @@
+Name: %{_cross_os}libbzip2
+Version: 1.0.8
+Release: 1%{?dist}
+Summary: Library for bzip2 compression
+License: bzip2-1.0.6
+URL: http://www.bzip.org
+Source0: https://sourceware.org/pub/bzip2/bzip2-%{version}.tar.gz
+Source1: bzip2.pc.in
+Patch1: 0001-simplify-shared-object-build.patch
+BuildRequires: %{_cross_os}glibc-devel
+
+%description
+%{summary}.
+
+%package devel
+Summary: Files for development using the library for bzip2 compression
+Requires: %{name}
+
+%description devel
+%{summary}.
+
+%prep
+%autosetup -n bzip2-%{version} -p1
+sed \
+  -e "s,__PREFIX__,%{_cross_prefix},g" \
+  -e "s,__EXEC_PREFIX__,%{_cross_exec_prefix},g" \
+  -e "s,__LIBDIR__,%{_cross_libdir},g" \
+  -e "s,__INCLUDEDIR__,%{_cross_includedir},g" \
+  -e "s,__VERSION__,%{version},g" \
+  -e "s,__DESCRIPTION__,%{description},g" \
+  %{S:1} > bzip2.pc
+
+%global set_env \
+%set_cross_build_flags \\\
+export CC="%{_cross_target}-gcc" \\\
+export CFLAGS="${CFLAGS} -fpic -fPIC" \\\
+%{nil}
+
+%build
+%set_env
+%make_build -f Makefile-libbz2_so all
+
+%install
+install -d %{buildroot}{%{_cross_libdir},%{_cross_includedir},%{_cross_pkgconfigdir}}
+install -m 755 libbz2.so.%{version} %{buildroot}%{_cross_libdir}
+ln -s libbz2.so.%{version} %{buildroot}%{_cross_libdir}/libbz2.so.1
+ln -s libbz2.so.1 %{buildroot}%{_cross_libdir}/libbz2.so
+install -m 644 bzlib.h %{buildroot}%{_cross_includedir}
+install -m 644 bzip2.pc %{buildroot}%{_cross_pkgconfigdir}
+
+%files
+%license LICENSE
+%{_cross_attribution_file}
+%{_cross_libdir}/*.so.*
+
+%files devel
+%{_cross_libdir}/*.so
+%{_cross_includedir}/*.h
+%{_cross_pkgconfigdir}/*.pc
+
+%changelog
diff --git a/packages/libbzip2/pkg.rs b/packages/libbzip2/pkg.rs
@@ -0,0 +1 @@
+// not used
diff --git a/packages/libselinux/0001-adjust-default-selinux-directory.patch b/packages/libselinux/0001-adjust-default-selinux-directory.patch
diff --git a/packages/libselinux/libselinux-tmpfiles.conf b/packages/libselinux/libselinux-tmpfiles.conf
diff --git a/packages/libselinux/libselinux.spec b/packages/libselinux/libselinux.spec
@@ -5,8 +5,6 @@ Summary: Library for SELinux
 License: LicenseRef-SELinux-PD
 URL: https://github.com/SELinuxProject/
 Source0: https://github.com/SELinuxProject/selinux/releases/download/20191204/libselinux-%{version}.tar.gz
-Source1: libselinux-tmpfiles.conf
-Patch1: 0001-adjust-default-selinux-directory.patch
 BuildRequires: %{_cross_os}glibc-devel
 BuildRequires: %{_cross_os}libpcre-devel
 BuildRequires: %{_cross_os}libsepol-devel
@@ -15,6 +13,15 @@ Requires: %{_cross_os}libpcre
 %description
 %{summary}.
 
+%package utils
+Summary: A set of utilities for SELinux
+Requires: %{name}
+Requires: %{_cross_os}libpcre
+Requires: %{_cross_os}libsepol
+
+%description utils
+%{summary}.
+
 %package devel
 Summary: Files for development using the library for SELinux
 Requires: %{name}
@@ -45,17 +52,45 @@ export USE_PCRE2='y' \\\
 %set_env
 %make_install
 
-install -d %{buildroot}%{_cross_tmpfilesdir}
-install -p -m 0644 %{S:1} %{buildroot}%{_cross_tmpfilesdir}/libselinux.conf
-
 %files
 %license LICENSE
 %{_cross_attribution_file}
 %{_cross_libdir}/*.so.*
-%{_cross_tmpfilesdir}/libselinux.conf
-%exclude %{_cross_sbindir}
 %exclude %{_cross_mandir}
 
+%files utils
+%{_cross_sbindir}/avcstat
+%{_cross_sbindir}/sefcontext_compile
+%exclude %{_cross_sbindir}/compute_av
+%exclude %{_cross_sbindir}/compute_create
+%exclude %{_cross_sbindir}/compute_member
+%exclude %{_cross_sbindir}/compute_relabel
+%exclude %{_cross_sbindir}/compute_user
+%exclude %{_cross_sbindir}/getconlist
+%exclude %{_cross_sbindir}/getdefaultcon
+%exclude %{_cross_sbindir}/getenforce
+%exclude %{_cross_sbindir}/getfilecon
+%exclude %{_cross_sbindir}/getpidcon
+%exclude %{_cross_sbindir}/getsebool
+%exclude %{_cross_sbindir}/getseuser
+%exclude %{_cross_sbindir}/matchpathcon
+%exclude %{_cross_sbindir}/policyvers
+%exclude %{_cross_sbindir}/selabel_digest
+%exclude %{_cross_sbindir}/selabel_get_digests_all_partial_matches
+%exclude %{_cross_sbindir}/selabel_lookup
+%exclude %{_cross_sbindir}/selabel_lookup_best_match
+%exclude %{_cross_sbindir}/selabel_partial_match
+%exclude %{_cross_sbindir}/selinux_check_access
+%exclude %{_cross_sbindir}/selinux_check_securetty_context
+%exclude %{_cross_sbindir}/selinuxconlist
+%exclude %{_cross_sbindir}/selinuxdefcon
+%exclude %{_cross_sbindir}/selinuxenabled
+%exclude %{_cross_sbindir}/selinuxexeccon
+%exclude %{_cross_sbindir}/setenforce
+%exclude %{_cross_sbindir}/setfilecon
+%exclude %{_cross_sbindir}/togglesebool
+%exclude %{_cross_sbindir}/validatetrans
+
 %files devel
 %{_cross_libdir}/*.a
 %{_cross_libdir}/*.so

diff --git a/packages/libsemanage/Cargo.toml b/packages/libsemanage/Cargo.toml
@@ -0,0 +1,20 @@
+[package]
+name = "libsemanage"
+version = "0.1.0"
+edition = "2018"
+publish = false
+build = "build.rs"
+
+[lib]
+path = "pkg.rs"
+
+[[package.metadata.build-package.external-files]]
+url = "https://github.com/SELinuxProject/selinux/releases/download/20191204/libsemanage-3.0.tar.gz"
+sha512 = "f960e1bd6815d3c9f000efa7ae717bc7937e742af5a7fea4aa865cf1aee49486e34897d83dbdb9cf77975a09a5ad77e5512d47690a74512a468a89432b72a42c"
+
+[build-dependencies]
+glibc = { path = "../glibc" }
+libaudit = { path = "../libaudit" }
+libbzip2 = { path = "../libbzip2" }
+libselinux = { path = "../libselinux" }
+libsepol = { path = "../libsepol" }
diff --git a/packages/libsemanage/build.rs b/packages/libsemanage/build.rs
@@ -0,0 +1,9 @@
+use std::process::{exit, Command};
+
+fn main() -> Result<(), std::io::Error> {
+    let ret = Command::new("buildsys").arg("build-package").status()?;
+    if !ret.success() {
+        exit(1);
+    }
+    Ok(())
+}