summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSven Vermeulen <swift@gentoo.org>2012-01-14 19:57:53 +0000
committerSven Vermeulen <swift@gentoo.org>2012-01-14 19:57:53 +0000
commit1ad4126a9d0b135731ed86f1226eb04f0b619ceb (patch)
tree814da63743441b33fa80240696b745b51fed0eae
parentalpha/ia64/s390/sh/sparc stable wrt #393937 (diff)
downloadgentoo-2-1ad4126a9d0b135731ed86f1226eb04f0b619ceb.tar.gz
gentoo-2-1ad4126a9d0b135731ed86f1226eb04f0b619ceb.tar.bz2
gentoo-2-1ad4126a9d0b135731ed86f1226eb04f0b619ceb.zip
Fix bug #393401, #375475
(Portage version: 2.1.10.41/cvs/Linux x86_64)
-rw-r--r--sys-apps/policycoreutils/ChangeLog13
-rw-r--r--sys-apps/policycoreutils/metadata.xml3
-rw-r--r--sys-apps/policycoreutils/policycoreutils-2.1.0-r2.ebuild136
3 files changed, 150 insertions, 2 deletions
diff --git a/sys-apps/policycoreutils/ChangeLog b/sys-apps/policycoreutils/ChangeLog
index aece87eba0eb..ee248190b992 100644
--- a/sys-apps/policycoreutils/ChangeLog
+++ b/sys-apps/policycoreutils/ChangeLog
@@ -1,6 +1,15 @@
# ChangeLog for sys-apps/policycoreutils
-# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/policycoreutils/ChangeLog,v 1.94 2011/11/12 18:13:09 swift Exp $
+# Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/policycoreutils/ChangeLog,v 1.95 2012/01/14 19:57:53 swift Exp $
+
+ 14 Jan 2012; <swift@gentoo.org> +policycoreutils-2.1.0-r2.ebuild,
+ metadata.xml:
+ Mark audit as a local USE flag
+
+*policycoreutils-2.1.0-r2 (14 Jan 2012)
+
+ 14 Jan 2012; <swift@gentoo.org> +policycoreutils-2.1.0-r2.ebuild:
+ Override auto-detection of pam and audit, use USE flags for this
12 Nov 2011; <swift@gentoo.org> -policycoreutils-2.0.82.ebuild,
-policycoreutils-2.0.82-r1.ebuild, -policycoreutils-2.0.85.ebuild,
diff --git a/sys-apps/policycoreutils/metadata.xml b/sys-apps/policycoreutils/metadata.xml
index 87cddb01c888..04b9b39ac0fe 100644
--- a/sys-apps/policycoreutils/metadata.xml
+++ b/sys-apps/policycoreutils/metadata.xml
@@ -14,4 +14,7 @@
avc_enforcing to query the current mode of the system, enforcing or
permissive.
</longdescription>
+ <use>
+ <flag name='audit'>Enable support for <pkg>sys-process/audit</pkg> and use the audit_* functions (like audit_getuid instead of getuid())</flag>
+ </use>
</pkgmetadata>
diff --git a/sys-apps/policycoreutils/policycoreutils-2.1.0-r2.ebuild b/sys-apps/policycoreutils/policycoreutils-2.1.0-r2.ebuild
new file mode 100644
index 000000000000..b2e07845059d
--- /dev/null
+++ b/sys-apps/policycoreutils/policycoreutils-2.1.0-r2.ebuild
@@ -0,0 +1,136 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/policycoreutils/policycoreutils-2.1.0-r2.ebuild,v 1.1 2012/01/14 19:57:53 swift Exp $
+
+EAPI="3"
+PYTHON_DEPEND="*"
+PYTHON_USE_WITH="xml"
+SUPPORT_PYTHON_ABIS="1"
+RESTRICT_PYTHON_ABIS="*-jython"
+
+inherit multilib python toolchain-funcs eutils
+
+EXTRAS_VER="1.21"
+SEMNG_VER="2.1.0"
+SELNX_VER="2.1.0"
+SEPOL_VER="2.1.0"
+
+IUSE="audit pam"
+
+DESCRIPTION="SELinux core utilities"
+HOMEPAGE="http://userspace.selinuxproject.org"
+SRC_URI="http://userspace.selinuxproject.org/releases/20110727/devel/${P}.tar.gz
+ http://dev.gentoo.org/~swift/patches/policycoreutils/policycoreutils-2.0.85-sesandbox.patch.gz
+ http://dev.gentoo.org/~swift/patches/policycoreutils/policycoreutils-2.0.85-fix-seunshare-vuln.patch.gz
+ http://dev.gentoo.org/~swift/patches/policycoreutils/policycoreutils-2.1.0-fix-makefile-pam-audit.patch.gz
+ mirror://gentoo/policycoreutils-extra-${EXTRAS_VER}.tar.bz2
+ mirror://gentoo/policycoreutils-2.0.85-python3.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+
+COMMON_DEPS=">=sys-libs/libselinux-${SELNX_VER}[python]
+ >=sys-libs/glibc-2.4
+ >=sys-libs/libcap-1.10-r10
+ >=sys-libs/libsemanage-${SEMNG_VER}[python]
+ sys-libs/libcap-ng
+ >=sys-libs/libsepol-${SEPOL_VER}
+ sys-devel/gettext
+ audit? ( >=sys-process/audit-1.5.1 )
+ pam? ( sys-libs/pam )"
+
+# pax-utils for scanelf used by rlpkg
+RDEPEND="${COMMON_DEPS}
+ dev-python/sepolgen
+ app-misc/pax-utils"
+
+DEPEND="${COMMON_DEPS}"
+
+S2=${WORKDIR}/policycoreutils-extra
+
+src_prepare() {
+ # rlpkg is more useful than fixfiles
+ sed -i -e '/^all/s/fixfiles//' "${S}/scripts/Makefile" \
+ || die "fixfiles sed 1 failed"
+ sed -i -e '/fixfiles/d' "${S}/scripts/Makefile" \
+ || die "fixfiles sed 2 failed"
+ # We currently do not support MCS, so the sandbox code in policycoreutils
+ # is not usable yet. However, work for MCS is on the way and a reported
+ # vulnerability (bug #374897) might go by unnoticed if we ignore it now.
+ # As such, we will
+ # - prepare support for switching name from "sandbox" to "sesandbox"
+ epatch "${DISTDIR}/policycoreutils-2.0.85-sesandbox.patch.gz"
+ # - patch the sandbox and seunshare code to fix the vulnerability
+ # (uses, with permission, extract from
+ # http://pkgs.fedoraproject.org/gitweb/?p=policycoreutils.git;a=blob_plain;f=policycoreutils-rhat.patch;hb=HEAD)
+ epatch "${DISTDIR}/policycoreutils-2.0.85-fix-seunshare-vuln.patch.gz"
+ # But for now, disable building sandbox code
+ sed -i -e 's/sandbox //' "${S}/Makefile" || die "failed removing sandbox"
+ # Disable auto-detection of PAM and audit related stuff and override
+ epatch "${DISTDIR}/policycoreutils-2.1.0-fix-makefile-pam-audit.patch.gz"
+ # Overwrite gl.po, id.po and et.po with valid PO file
+ cp "${S}/po/sq.po" "${S}/po/gl.po" || die "failed to copy ${S}/po/sq.po to gl.po"
+ cp "${S}/po/sq.po" "${S}/po/id.po" || die "failed to copy ${S}/po/sq.po to id.po"
+ cp "${S}/po/sq.po" "${S}/po/et.po" || die "failed to copy ${S}/po/sq.po to et.po"
+ # Fixed scripts for Python 3 support
+ cp "${WORKDIR}/seobject.py" "${S}/semanage/seobject.py" || die "failed to copy seobject.py"
+ cp "${WORKDIR}/semanage" "${S}/semanage/semanage" || die "failed to copy semanage"
+ cp "${WORKDIR}/chcat" "${S}/scripts/chcat" || die "failed to copy chcat"
+ cp "${WORKDIR}/audit2allow" "${S}/audit2allow/audit2allow" || die "failed to copy audit2allow"
+}
+
+src_compile() {
+ local use_audit="n";
+ local use_pam="n";
+
+ use audit && use_audit="y";
+ use pam && use_pam="y";
+
+ python_copy_sources semanage sandbox
+ building() {
+ einfo "Compiling policycoreutils"
+ emake -C "${S}" AUDIT_LOG_PRIVS="y" AUDITH="${use_audit}" PAMH="${use_pam}" CC="$(tc-getCC)" PYLIBVER="python$(python_get_version)" || die
+ einfo "Compiling policycoreutils-extra "
+ emake -C "${S2}" AUDIT_LOG_PRIVS="y" AUDITH="${use_audit}" PAMH="${use_pam}" CC="$(tc-getCC)" PYLIBVER="python$(python_get_version)" || die
+ }
+ python_execute_function -s --source-dir semanage building
+}
+
+src_install() {
+ local use_audit="n";
+ local use_pam="n";
+
+ use audit && use_audit="y";
+ use pam && use_pam="y";
+
+ # Python scripts are present in many places. There are no extension modules.
+ installation() {
+ einfo "Installing policycoreutils"
+ emake -C "${S}" DESTDIR="${T}/images/${PYTHON_ABI}" AUDITH="${use_audit}" PAMH="${use_pam}" AUDIT_LOG_PRIV="y" PYLIBVER="python$(python_get_version)" install || return 1
+
+ einfo "Installing policycoreutils-extra"
+ emake -C "${S2}" DESTDIR="${T}/images/${PYTHON_ABI}" SHLIBDIR="${D}$(get_libdir)/rc" install || return 1
+ }
+ python_execute_function installation
+ python_merge_intermediate_installation_images "${T}/images"
+
+ # remove redhat-style init script
+ rm -fR "${D}/etc/rc.d"
+
+ # compatibility symlinks
+ dosym /sbin/setfiles /usr/sbin/setfiles
+ dosym /$(get_libdir)/rc/runscript_selinux.so /$(get_libdir)/rcscripts/runscript_selinux.so
+
+ # location for permissive definitions
+ dodir /var/lib/selinux
+ keepdir /var/lib/selinux
+}
+
+pkg_postinst() {
+ python_mod_optimize seobject.py
+}
+
+pkg_postrm() {
+ python_mod_cleanup seobject.py
+}