[Buildroot] [PATCH 02/17] libselinux: new package

Thomas Petazzoni thomas.petazzoni at free-electrons.com
Thu Sep 5 07:51:29 UTC 2013


Dear Clayton Shotwell,

On Wed, 4 Sep 2013 18:09:41 -0500, Clayton Shotwell wrote:

>  menu "Security"
>  source "package/libsepol/Config.in"
> +source "package/libselinux/Config.in"
>  endmenu

Same comment as previous package: libselinux is a library, so it should
be under Target packages -> Libraries.

>  
>  menu "System tools"
> diff --git a/package/libselinux/Config.in b/package/libselinux/Config.in
> new file mode 100644
> index 0000000..4f3be64
> --- /dev/null
> +++ b/package/libselinux/Config.in
> @@ -0,0 +1,22 @@
> +config BR2_PACKAGE_LIBSELINUX
> +	bool "libselinux"
> +	depends on BR2_LINUX_KERNEL

Hum, can you clarify why a dependency on the kernel is needed here?

> +	help
> +	  libselinux is the runtime SELinux library that provides interfaces 
> +	  (e.g. library functions for the SELinux kernel APIs like getcon(), 
> +	  other support functions like getseuserbyname()) to SELinux-aware 
> +	  applications. libselinux may use the shared libsepol to manipulate 
> +	  the binary policy if necessary (e.g. to downgrade the policy format 
> +	  to an older version supported by the kernel) when loading policy.
> +	  
> +	  http://selinuxproject.org/page/Main_Page
> +
> +if BR2_PACKAGE_LIBSELINUX
> +
> +config BR2_PACKAGE_LIBSELINUX_PYTHON_BINDINGS
> +	select BR2_PACKAGE_PYTHON

Here I am not sure whether we should have:

 (1) An option that selects BR2_PACKAGE_PYTHON (as you did)

 (2) An option that depends on BR2_PACKAGE_PYTHON

 (3) No option at all, and have the package automatically enable Python
     bindings when BR2_PACKAGE_PYTHON is enabled.

What do the others think?

> +	bool "python bindings"
> +	help
> +	  enable building python bindings
> +
> +endif
> diff --git a/package/libselinux/libselinux.mk b/package/libselinux/libselinux.mk
> new file mode 100644
> index 0000000..ed90186
> --- /dev/null
> +++ b/package/libselinux/libselinux.mk
> @@ -0,0 +1,128 @@
> +################################################################################
> +#
> +# libselinux
> +#
> +################################################################################

One empty line between header and variables.

> +LIBSELINUX_VERSION = 2.1.13
> +LIBSELINUX_SOURCE = libselinux-$(LIBSELINUX_VERSION).tar.gz

This line is not needed, that's the default value.

> +LIBSELINUX_SITE = http://userspace.selinuxproject.org/releases/20130423/
> +LIBSELINUX_LICENSE = PublicDomain
> +LIBSELINUX_LICENSE_FILES = LICENSE
> +
> +##############################
> +# Target Section
> +##############################

Comment not needed.

> +LIBSELINUX_DEPENDENCIES = libsepol pcre

Then you should select BR2_PACKAGE_LIBSEPOL and BR2_PACKAGE_PCRE in
your Config.in file.

> +
> +LIBSELINUX_INSTALL_STAGING = YES
> +LIBSELINUX_INSTALL_TARGET = YES

This last line is not needed, that's the default.

> +
> +LIBSELINUX_MAKE_CMDS = $(TARGET_CONFIGURE_OPTS) LDFLAGS="$(TARGET_LDFLAGS) -lpcre -lpthread"

This could use a little bit of wrapping:

LIBSELINUX_MAKE_CMDS = \
	$(TARGET_CONFIGURE_OPTS) \
	LDFLAGS="$(TARGET_LDFLAGS) -lpcre -lpthread"

BTW, I'm not sure _MAKE_CMDS is really the appropriate suffix, maybe
_MAKE_OPTS ?

> +ifeq ($(BR2_PACKAGE_LIBSELINUX_PYTHON_BINDINGS),y)
> +
> +LIBSELINUX_DEPENDENCIES += python host-swig host-python
> +LIBSELINUX_MAKE_CMDS += PYINC="-I$(STAGING_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)/" \
> +	PYTHONLIBDIR="-L$(STAGING_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/" \
> +	PYLIBVER="python$(PYTHON_VERSION_MAJOR)" \
> +	SWIG_LIB="$(HOST_DIR)/usr/share/swig/$(SWIG_VERSION)/"
> +
> +define LIBSELINUX_PYTHON_BUILD_CMDS
> +	$(MAKE) -C $(@D) $(LIBSELINUX_MAKE_CMDS) DESTDIR=$(STAGING_DIR) swigify
> +	$(MAKE) -C $(@D) $(LIBSELINUX_MAKE_CMDS) DESTDIR=$(STAGING_DIR) pywrap

DESTDIR really needed at build time ?

> +endef
> +
> +define LIBSELINUX_PYTHON_INSTALL_STAGING_CMDS
> +	$(MAKE) -C $(@D) install-pywrap $(LIBSELINUX_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
> +endef
> +
> +define LIBSELINUX_PYTHON_INSTALL_TARGET_CMDS
> +	$(MAKE) -C $(@D) install-pywrap $(LIBSELINUX_MAKE_CMDS) DESTDIR=$(TARGET_DIR)
> +endef
> +
> +define LIBSELINUX_PYTHON_UNINSTALL_STAGING_CMDS
> +	rm -rf $(STAGING_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages/selinux
> +endef
> +
> +define LIBSELINUX_PYTHON_UNINSTALL_TARGET_CMDS
> +	rm -rf $(TARGET_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages/selinux
> +endef

You can get rid of install commands.

> +
> +endif
> +
> +define LIBSELINUX_BUILD_CMDS
> +	$(MAKE) -C $(@D) $(LIBSELINUX_MAKE_CMDS) DESTDIR=$(STAGING_DIR) all

DESTDIR unneeded at build time.

> +	$(LIBSELINUX_PYTHON_BUILD_CMDS)
> +endef
> +
> +define LIBSELINUX_INSTALL_STAGING_CMDS
> +	$(MAKE) -C $(@D) install $(LIBSELINUX_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
> +	$(LIBSELINUX_PYTHON_INSTALL_STAGING_CMDS)
> +endef
> +
> +define LIBSELINUX_INSTALL_TARGET_CMDS
> +	$(MAKE) -C $(@D) install $(LIBSELINUX_MAKE_CMDS) DESTDIR=$(TARGET_DIR)
> +	$(LIBSELINUX_PYTHON_INSTALL_TARGET_CMDS)
> +endef
> +
> +define LIBSELINUX_CLEAN_CMDS
> +	$(MAKE) -C $(@D) clean
> +endef
> +
> +LIBSELINUX_SBIN_FILES = avcstat compute_av compute_create compute_member \
> +	compute_relabel compute_user getconlist getdefaultcon getenforce \
> +	getfilecon getpidcon getsebool getseuser matchpathcon policyvers \
> +	sefcontext_compile selinux_check_securetty_context selinuxenabled \
> +	selinuxexeccon setenforce setfilecon togglesebool
> +
> +define LIBSELINUX_UNINSTALL_STAGING_CMDS
> +	rm -rf $(addprefix $(STAGING_DIR), /usr/include/selinux \
> +		$(addprefix /usr/sbin/, $(LIBSELINUX_SBIN_FILES)) \
> +		/usr/lib/pkgconfig/libselinux* /usr/lib/libselinux* /lib/libselinux*)
> +	rm -f $(addprefix $(STAGING_DIR)/usr/man/man3/,$(notdir $(wildcard $(@D)/man/man3/*.3)))
> +	rm -f $(addprefix $(STAGING_DIR)/usr/man/man5/,$(notdir $(wildcard $(@D)/man/man5/*.5)))
> +	rm -f $(addprefix $(STAGING_DIR)/usr/man/man8/,$(notdir $(wildcard $(@D)/man/man8/*.8)))
> +	$(LIBSELINUX_PYTHON_UNINSTALL_STAGING_CMDS)
> +endef
> +
> +define LIBSELINUX_UNINSTALL_TARGET_CMDS
> +	rm -rf $(addprefix $(TARGET_DIR), /usr/include/selinux \
> +		$(addprefix /usr/sbin/, $(LIBSELINUX_SBIN_FILES)) \
> +		/usr/lib/pkgconfig/libselinux* /usr/lib/libselinux* /lib/libselinux*)
> +	$(LIBSELINUX_PYTHON_UNINSTALL_TARGET_CMDS)
> +endef

Yeah, just drop the uninstall commands.

> +##############################
> +# Host Section
> +##############################

Drop this header.

> +HOST_LIBSELINUX_DEPENDENCIES = host-python host-libsepol host-swig host-pcre

So for the host variant, the Python bindings are always enabled? Is
there a reason for that?

> +
> +HOST_LIBSELINUX_MAKE_CMDS = $(HOST_CONFIGURE_OPTS) LDFLAGS="$(HOST_LDFLAGS) -lpcre -lpthread"\
> +	PYINC="-I$(HOST_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)/" \
> +	PYTHONLIBDIR="-L$(HOST_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/" \
> +	PYLIBVER="python$(PYTHON_VERSION_MAJOR)" \
> +	SWIG_LIB="$(HOST_DIR)/usr/share/swig/$(SWIG_VERSION)/" \
> +
> +define HOST_LIBSELINUX_BUILD_CMDS
> +	$(MAKE) -C $(@D) $(HOST_LIBSELINUX_MAKE_CMDS) DESTDIR=$(HOST_DIR) all
> +	$(MAKE) -C $(@D) $(HOST_LIBSELINUX_MAKE_CMDS) DESTDIR=$(HOST_DIR) swigify
> +	$(MAKE) -C $(@D) $(HOST_LIBSELINUX_MAKE_CMDS) DESTDIR=$(HOST_DIR) pywrap

DESTDIR usually not needed at build time.

> +endef
> +
> +define HOST_LIBSELINUX_INSTALL_CMDS
> +	$(MAKE) -C $(@D) install install-pywrap $(HOST_LIBSELINUX_MAKE_CMDS) DESTDIR=$(HOST_DIR)
> +	mv $(HOST_DIR)/lib/libselinux.so.1 $(HOST_DIR)/usr/lib
> +	(cd $(HOST_DIR)/usr/lib; rm -f libselinux.so; ln -s libselinux.so.1 libselinux.so)
> +	rmdir $(HOST_DIR)/lib
> +	(if -f $(HOST_DIR)/sbin/matchpathcon; then \
> +		mv $(HOST_DIR)/sbin/matchpathcon $(HOST_DIR)/usr/sbin/; \
> +		rmdir $(HOST_DIR)/sbin; \
> +	fi)
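Review bot: In HOST_LIBSELINUX_INSTALL_CMDS the guard `if -f $(HOST_DIR)/sbin/matchpathcon; then` runs `-f` as a command instead of a file test, so the condition always fails and matchpathcon is never moved out of $(HOST_DIR)/sbin; it should read `if [ -f $(HOST_DIR)/sbin/matchpathcon ]; then`. Two lines earlier, the subshell joins `cd $(HOST_DIR)/usr/lib` to `rm -f` and `ln -s` with `;`, so a failed cd would make both act on whatever the current directory is; chaining with `&&` stops at the failure. Separately, LIBSELINUX_SITE fetches the tarball over plain `http://` and nothing in the quoted patch pins a digest for it, which matters for a library that sits on the SELinux policy-loading path, so an integrity check on the download is worth adding if the package infrastructure offers one. The quoted define is cut off before its `endef`, so these points rest on the lines shown.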

Same suggestion as above: what if you pass DESTDIR=$(HOST_DIR)/usr ?

Thanks!

Thomas
-- 
Thomas Petazzoni, Free Electrons
Kernel, drivers, real-time and embedded Linux
development, consulting, training and support.
http://free-electrons.com

