* [Buildroot] [PATCH 1/4] package/selinux-python: add missing empty line before URL
@ 2019-10-09 22:06 Arnout Vandecappelle
  2019-10-09 22:06 ` [Buildroot] [PATCH 2/4] package/selinux-python: remove redundant dependencies Arnout Vandecappelle
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: Arnout Vandecappelle @ 2019-10-09 22:06 UTC
  To: buildroot

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
---
 package/selinux-python/Config.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/selinux-python/Config.in b/package/selinux-python/Config.in
index 3b6eff88af..2e314cb60d 100644
--- a/package/selinux-python/Config.in
+++ b/package/selinux-python/Config.in
@@ -9,6 +9,7 @@ menuconfig BR2_PACKAGE_SELINUX_PYTHON
 	  A set of SELinux tools written in python that help with
 	  managing a system with SELinux enabled. If no packages are
 	  selected nothing will actually be built.
+
 	  https://github.com/SELinuxProject/selinux/wiki
 
 if BR2_PACKAGE_SELINUX_PYTHON
-- 
2.21.0


* [Buildroot] [PATCH 2/4] package/selinux-python: remove redundant dependencies
  2019-10-09 22:06 [Buildroot] [PATCH 1/4] package/selinux-python: add missing empty line before URL Arnout Vandecappelle
@ 2019-10-09 22:06 ` Arnout Vandecappelle
  2019-10-09 22:06 ` [Buildroot] [PATCH 3/4] package/selinux-python: use ordinary config instead of menuconfig Arnout Vandecappelle
  2019-10-09 22:06 ` [Buildroot] [PATCH 4/4] package/selinux-python: always build sepolgen Arnout Vandecappelle
  2 siblings, 0 replies; 7+ messages in thread
From: Arnout Vandecappelle @ 2019-10-09 22:06 UTC
  To: buildroot

The selinux-python package has two sub-packages, audit2allow and
sepolgen. Both of these repeat the dependencies (and comment) of the
top-level selinux-python package. Remove those redundant dependencies
(and comments).

This redundancy was introduced by commit 9d6da7a26. Originally, sepolgen
was a separate package and audit2allow was a sub-package of
policycoreutils, so both of them had these dependencies. When the two
options were moved into selinux-python, the dependencies stayed.

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
---
 package/selinux-python/Config.in | 19 -------------------
 1 file changed, 19 deletions(-)

diff --git a/package/selinux-python/Config.in b/package/selinux-python/Config.in
index 2e314cb60d..8f78a7b825 100644
--- a/package/selinux-python/Config.in
+++ b/package/selinux-python/Config.in
@@ -16,10 +16,6 @@ if BR2_PACKAGE_SELINUX_PYTHON
 
 config BR2_PACKAGE_SELINUX_PYTHON_AUDIT2ALLOW
 	bool "audit2allow"
-	depends on BR2_USE_WCHAR # sepolgen
-	depends on BR2_USE_MMU # sepolgen
-	depends on BR2_TOOLCHAIN_HAS_THREADS # sepolgen, checkpolicy
-	depends on !BR2_STATIC_LIBS # sepolgen
 	depends on !BR2_arc # checkpolicy
 	select BR2_PACKAGE_CHECKPOLICY
 	select BR2_PACKAGE_SELINUX_PYTHON_SEPOLGEN
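Review bot: the dropped line `depends on BR2_TOOLCHAIN_HAS_THREADS # sepolgen, checkpolicy` was annotated for checkpolicy as well as sepolgen, and this option keeps `select BR2_PACKAGE_CHECKPOLICY`. After the removal, the threads requirement of the selected package is met only through the enclosing `if BR2_PACKAGE_SELINUX_PYTHON` block. The corresponding top-level dependency should carry the `# checkpolicy` annotation, so that a later cleanup of the parent does not drop it without noticing that a `select` relies on it.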
@@ -33,28 +29,13 @@ config BR2_PACKAGE_SELINUX_PYTHON_AUDIT2ALLOW
 	  audit2why - translates SELinux audit messages into a
 	  description of why the access was denied (audit2allow -w)
 
-comment "audit2allow needs a toolchain w/ wchar, threads, dynamic library"
-	depends on BR2_USE_MMU
-	depends on !BR2_arc
-	depends on !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS || \
-		BR2_STATIC_LIBS
-
 config BR2_PACKAGE_SELINUX_PYTHON_SEPOLGEN
 	bool "sepolgen"
-	depends on BR2_USE_WCHAR
-	depends on BR2_USE_MMU
-	depends on BR2_TOOLCHAIN_HAS_THREADS
-	depends on !BR2_STATIC_LIBS
 	select BR2_PACKAGE_SEMODULE_UTILS
 	help
 	  This package contains a Python module that allows you to
 	  generate an initial SELinux policy module template.
 
-comment "sepolgen needs a toolchain w/ wchar, threads, dynamic library"
-	depends on BR2_USE_MMU
-	depends on !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS || \
-		BR2_STATIC_LIBS
-
 endif
 
 comment "selinux-python packages needs a toolchain w/ wchar, threads, dynamic library"
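Review bot: with both per-option comments removed, the comment in the trailing context, "selinux-python packages needs a toolchain w/ wchar, threads, dynamic library", is the only user-visible explanation of these requirements left, and it reads "packages needs". Fix it to "selinux-python needs a toolchain w/ ..." in this patch or in a follow-up.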
-- 
2.21.0


* [Buildroot] [PATCH 3/4] package/selinux-python: use ordinary config instead of menuconfig
  2019-10-09 22:06 [Buildroot] [PATCH 1/4] package/selinux-python: add missing empty line before URL Arnout Vandecappelle
  2019-10-09 22:06 ` [Buildroot] [PATCH 2/4] package/selinux-python: remove redundant dependencies Arnout Vandecappelle
@ 2019-10-09 22:06 ` Arnout Vandecappelle
  2019-10-09 22:06 ` [Buildroot] [PATCH 4/4] package/selinux-python: always build sepolgen Arnout Vandecappelle
  2 siblings, 0 replies; 7+ messages in thread
From: Arnout Vandecappelle @ 2019-10-09 22:06 UTC
  To: buildroot

selinux-python only has two sub-options, so menuconfig is overkill.
Convert it to a normal config with indented sub-option.

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
---
 package/selinux-python/Config.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package/selinux-python/Config.in b/package/selinux-python/Config.in
index 8f78a7b825..144dc131e1 100644
--- a/package/selinux-python/Config.in
+++ b/package/selinux-python/Config.in
@@ -1,4 +1,4 @@
-menuconfig BR2_PACKAGE_SELINUX_PYTHON
+config BR2_PACKAGE_SELINUX_PYTHON
 	bool "selinux-python"
 	depends on BR2_USE_MMU
 	depends on BR2_USE_WCHAR
-- 
2.21.0


* [Buildroot] [PATCH 4/4] package/selinux-python: always build sepolgen
  2019-10-09 22:06 [Buildroot] [PATCH 1/4] package/selinux-python: add missing empty line before URL Arnout Vandecappelle
  2019-10-09 22:06 ` [Buildroot] [PATCH 2/4] package/selinux-python: remove redundant dependencies Arnout Vandecappelle
  2019-10-09 22:06 ` [Buildroot] [PATCH 3/4] package/selinux-python: use ordinary config instead of menuconfig Arnout Vandecappelle
@ 2019-10-09 22:06 ` Arnout Vandecappelle
  2019-10-10  7:26   ` Thomas Petazzoni
  2 siblings, 1 reply; 7+ messages in thread
From: Arnout Vandecappelle @ 2019-10-09 22:06 UTC
  To: buildroot

The selinux-python package has two suboptions, audit2allow and sepolgen.
If neither of them is selected, nothing gets installed, which is not so
nice. Since audit2allow selects sepolgen, sepolgen will always be
installed if anything is installed. Therefore, it makes no sense to have
a separate option for sepolgen.

Remove the BR2_PACKAGE_SELINUX_PYTHON_SEPOLGEN and always install
sepolgen. With this, it's more logical to move the unconditional
addition of sepolgen to SELINUX_PYTHON_MAKE_DIRS before audit2allow.

Remove selecting BR2_PACKAGE_SELINUX_PYTHON_SEPOLGEN from the legacy
handling of BR2_PACKAGE_SEPOLGEN. It already selects
BR2_PACKAGE_SELINUX_PYTHON, so sepolgen is implied.

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
---
 Config.in.legacy                         |  1 -
 package/selinux-python/Config.in         | 14 ++++----------
 package/selinux-python/selinux-python.mk |  6 ++----
 3 files changed, 6 insertions(+), 15 deletions(-)

diff --git a/Config.in.legacy b/Config.in.legacy
index 4a670f0f0e..feb0a7d819 100644
--- a/Config.in.legacy
+++ b/Config.in.legacy
@@ -1693,7 +1693,6 @@ config BR2_PACKAGE_SEPOLGEN
 	bool "sepolgen package has been removed"
 	select BR2_LEGACY
 	select BR2_PACKAGE_SELINUX_PYTHON
-	select BR2_PACKAGE_SELINUX_PYTHON_SEPOLGEN
 	help
 	  Sepolgen is no longer a individual package, but instead has
 	  been moved into the selinux-python package by the SELinux
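Review bot: the symbol BR2_PACKAGE_SELINUX_PYTHON_SEPOLGEN is removed by this patch, but this file only loses the `select` and gains no entry for the removed symbol (the diffstat shows one deletion and no insertion for Config.in.legacy). Existing configurations that set it will have it dropped silently. Because sepolgen becomes unconditional this is functionally harmless, but either say so in the commit message or add a legacy entry so the removal is documented. The help text in the context also reads "a individual package", which could become "an individual package" while this entry is being touched.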
diff --git a/package/selinux-python/Config.in b/package/selinux-python/Config.in
index 144dc131e1..0ab4ec848d 100644
--- a/package/selinux-python/Config.in
+++ b/package/selinux-python/Config.in
@@ -7,8 +7,10 @@ config BR2_PACKAGE_SELINUX_PYTHON
 	select BR2_PACKAGE_PYTHON3 if !BR2_PACKAGE_PYTHON
 	help
 	  A set of SELinux tools written in python that help with
-	  managing a system with SELinux enabled. If no packages are
-	  selected nothing will actually be built.
+	  managing a system with SELinux enabled.
+
+	  The sepolgen program is always installed. It allows to
+	  generate an initial SELinux policy module template.
 
 	  https://github.com/SELinuxProject/selinux/wiki
 
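Review bot: the new help text calls sepolgen a program ("The sepolgen program is always installed"), while the help of the option removed later in this patch describes it as "a Python module"; keep "module" so the description stays accurate. "It allows to generate" is also ungrammatical; "It allows you to generate", as in the removed help text, reads better.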
@@ -18,7 +20,6 @@ config BR2_PACKAGE_SELINUX_PYTHON_AUDIT2ALLOW
 	bool "audit2allow"
 	depends on !BR2_arc # checkpolicy
 	select BR2_PACKAGE_CHECKPOLICY
-	select BR2_PACKAGE_SELINUX_PYTHON_SEPOLGEN
 	select BR2_PACKAGE_SEMODULE_UTILS
 	help
 	  This module installs two programs:
@@ -29,13 +30,6 @@ config BR2_PACKAGE_SELINUX_PYTHON_AUDIT2ALLOW
 	  audit2why - translates SELinux audit messages into a
 	  description of why the access was denied (audit2allow -w)
 
-config BR2_PACKAGE_SELINUX_PYTHON_SEPOLGEN
-	bool "sepolgen"
-	select BR2_PACKAGE_SEMODULE_UTILS
-	help
-	  This package contains a Python module that allows you to
-	  generate an initial SELinux policy module template.
-
 endif
 
 comment "selinux-python packages needs a toolchain w/ wchar, threads, dynamic library"
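Review bot: the removed BR2_PACKAGE_SELINUX_PYTHON_SEPOLGEN option carried `select BR2_PACKAGE_SEMODULE_UTILS`, and none of the added lines in this file move that select to BR2_PACKAGE_SELINUX_PYTHON. With sepolgen now always installed, a configuration with audit2allow disabled gets sepolgen without semodule-utils being selected. Either add `select BR2_PACKAGE_SEMODULE_UTILS` to the top-level option or state in the commit message that sepolgen does not need it.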
diff --git a/package/selinux-python/selinux-python.mk b/package/selinux-python/selinux-python.mk
index 978bee7c88..ebd91d5ab3 100644
--- a/package/selinux-python/selinux-python.mk
+++ b/package/selinux-python/selinux-python.mk
@@ -24,15 +24,13 @@ SELINUX_PYTHON_MAKE_OPTS += \
 	PYTHONLIBDIR="usr/lib/python$(PYTHON_VERSION_MAJOR)"
 endif
 
+SELINUX_PYTHON_MAKE_DIRS = sepolgen/src/sepolgen
+
 ifeq ($(BR2_PACKAGE_SELINUX_PYTHON_AUDIT2ALLOW),y)
 SELINUX_PYTHON_DEPENDENCIES += checkpolicy
 SELINUX_PYTHON_MAKE_DIRS += audit2allow
 endif
 
-ifeq ($(BR2_PACKAGE_SELINUX_PYTHON_SEPOLGEN),y)
-SELINUX_PYTHON_MAKE_DIRS += sepolgen/src/sepolgen
-endif
-
 define SELINUX_PYTHON_BUILD_CMDS
 	$(foreach d,$(SELINUX_PYTHON_MAKE_DIRS),
 		$(MAKE) -C $(@D)/$(d) $(SELINUX_PYTHON_MAKE_OPTS) \
-- 
2.21.0


* [Buildroot] [PATCH 4/4] package/selinux-python: always build sepolgen
  2019-10-09 22:06 ` [Buildroot] [PATCH 4/4] package/selinux-python: always build sepolgen Arnout Vandecappelle
@ 2019-10-10  7:26   ` Thomas Petazzoni
  2019-10-10  7:56     ` Arnout Vandecappelle
  0 siblings, 1 reply; 7+ messages in thread
From: Thomas Petazzoni @ 2019-10-10  7:26 UTC
  To: buildroot

Hello,

On Thu, 10 Oct 2019 00:06:41 +0200
"Arnout Vandecappelle (Essensium/Mind)" <arnout@mind.be> wrote:

> The selinux-python package has two suboptions, audit2allow and sepolgen.
> If neither of them is selected, nothing gets installed, which is not so
> nice. Since audit2allow selects sepolgen, sepolgen will always be
> installed if anything is installed. Therefore, it makes no sense to have
> a separate option for sepolgen.

That does not take into account the fact that our Buildroot package
does not install everything that selinux-python provides.

selinux-python provides:

 - audit2allow, a bunch of Python tools that use the sepolgen Python
   module, provided by the same package

 - chcat, a standalone Python that uses libselinux + semanage (it seems)

 - semanage, a Python tool that uses sepolicy and provides the seobject
   module used by chcat

 - sepolgen, a Python module used by audit2allow

 - sepolicy, a Python module used by semanage

As you can see, there's much more than audit2allow and sepolgen in this
package, even though those additional things are not installed today.

Therefore, I think it makes sense to keep separate options for the
different components, especially because it maps with the top-level
directories of selinux-python:

$ ls
audit2allow  chcat  COPYING  Makefile  semanage  sepolgen  sepolicy  VERSION

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH 4/4] package/selinux-python: always build sepolgen
  2019-10-10  7:26   ` Thomas Petazzoni
@ 2019-10-10  7:56     ` Arnout Vandecappelle
  2019-10-10  8:02       ` Thomas Petazzoni
  0 siblings, 1 reply; 7+ messages in thread
From: Arnout Vandecappelle @ 2019-10-10  7:56 UTC
  To: buildroot



On 10/10/2019 09:26, Thomas Petazzoni wrote:
> Hello,
> 
> On Thu, 10 Oct 2019 00:06:41 +0200
> "Arnout Vandecappelle (Essensium/Mind)" <arnout@mind.be> wrote:
> 
>> The selinux-python package has two suboptions, audit2allow and sepolgen.
>> If neither of them is selected, nothing gets installed, which is not so
>> nice. Since audit2allow selects sepolgen, sepolgen will always be
>> installed if anything is installed. Therefore, it makes no sense to have
>> a separate option for sepolgen.
> 
> That does not take into account the fact that our Buildroot package
> does not install everything that selinux-python provides.

 Yes, I wasn't too sure about this patch. I should have marked it as RFC.

> selinux-python provides:
> 
>  - audit2allow, a bunch of Python tools that use the sepolgen Python
>    module, provided by the same package
> 
>  - chcat, a standalone Python that uses libselinux + semanage (it seems)
> 
>  - semanage, a Python tool that uses sepolicy and provides the seobject
>    module used by chcat
> 
>  - sepolgen, a Python module used by audit2allow
> 
>  - sepolicy, a Python module used by semanage
> 
> As you can see, there's much more than audit2allow and sepolgen in this
> package, even though those additional things are not installed today.

 On the other hand, the way it is now is a bit stupid too...

 If we ever add these other options, we could still revert this patch. But
nobody felt the need to add them in the 5 years that selinux exists in Buildroot...

 Maybe we could make sepolgen default y, and perhaps even hide it (but keep the
option). Then there would be no need to revert it in the future (just add a
prompt again and keep the default y).

 But anyway, I don't care that much :-) I mainly wanted to remove the redundant
depends in the suboptions.

 Regards,
 Arnout


> 
> Therefore, I think it makes sense to keep separate options for the
> different components, especially because it maps with the top-level
> directories of selinux-python:
> 
> $ ls
> audit2allow  chcat  COPYING  Makefile  semanage  sepolgen  sepolicy  VERSION
> 
> Best regards,
> 
> Thomas
> 


* [Buildroot] [PATCH 4/4] package/selinux-python: always build sepolgen
  2019-10-10  7:56     ` Arnout Vandecappelle
@ 2019-10-10  8:02       ` Thomas Petazzoni
  0 siblings, 0 replies; 7+ messages in thread
From: Thomas Petazzoni @ 2019-10-10  8:02 UTC
  To: buildroot

On Thu, 10 Oct 2019 09:56:52 +0200
Arnout Vandecappelle <arnout@mind.be> wrote:

> > As you can see, there's much more than audit2allow and sepolgen in this
> > package, even though those additional things are not installed today.  
> 
>  On the other hand, the way it is now is a bit stupid too...
> 
>  If we ever add these other options, we could still revert this patch. But
> nobody felt the need to add them in the 5 years that selinux exists in Buildroot...

I discovered how this selinux-python package was organized 2 weeks ago,
while packaging it for OpenWRT. And just like what I did with this 30
patches patch series, which comes from the work I did packaging SELinux
for OpenWRT, it was also on my TODO-list to improve selinux-python in
Buildroot. But as you can imagine, this TODO-list is also filled up
with plenty of other things, so I don't know when I'll get to it.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
