authorJason Zaman <perfinion@gentoo.org>2014-11-22 12:59:49 +0000
committerJason Zaman <perfinion@gentoo.org>2014-11-22 12:59:49 +0000
commit66ef25e804613de81cc5fae04ead5444da1f7d8c (patch)
tree1f49b15fdb14500856e7099aeba707c438718eba /sys-apps/policycoreutils
parentStable for HPPA (bug #530110). (diff)
add patch from upstream to fix missing roletypes
(Portage version: 2.2.12/cvs/Linux x86_64, signed Manifest commit with key 0x7EF137EC935B0EAF)
Diffstat (limited to 'sys-apps/policycoreutils')
-rw-r--r--sys-apps/policycoreutils/ChangeLog9
-rw-r--r--sys-apps/policycoreutils/files/0001-policycoreutils-pp-add-roletype-statements-for-both-.patch61
-rw-r--r--sys-apps/policycoreutils/policycoreutils-2.4_rc6-r1.ebuild171
3 files changed, 240 insertions, 1 deletions
diff --git a/sys-apps/policycoreutils/ChangeLog b/sys-apps/policycoreutils/ChangeLog
index 1e83b86acaae..46f075d0657c 100644
--- a/sys-apps/policycoreutils/ChangeLog
+++ b/sys-apps/policycoreutils/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for sys-apps/policycoreutils
# Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/policycoreutils/ChangeLog,v 1.145 2014/11/14 19:20:37 swift Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/policycoreutils/ChangeLog,v 1.146 2014/11/22 12:59:49 perfinion Exp $
+
+*policycoreutils-2.4_rc6-r1 (22 Nov 2014)
+
+ 22 Nov 2014; Jason Zaman <perfinon@gentoo.org>
+ +files/0001-policycoreutils-pp-add-roletype-statements-for-both-.patch,
+ +policycoreutils-2.4_rc6-r1.ebuild:
+ add patch from upstream to fix missing roletypes
*policycoreutils-2.4_rc6 (14 Nov 2014)
diff --git a/sys-apps/policycoreutils/files/0001-policycoreutils-pp-add-roletype-statements-for-both-.patch b/sys-apps/policycoreutils/files/0001-policycoreutils-pp-add-roletype-statements-for-both-.patch
new file mode 100644
index 000000000000..6ed451649e3e
--- /dev/null
+++ b/sys-apps/policycoreutils/files/0001-policycoreutils-pp-add-roletype-statements-for-both-.patch
@@ -0,0 +1,61 @@
+From 7a09af2123bc0d86787ef82fc2ff43810f1712c0 Mon Sep 17 00:00:00 2001
+From: Steve Lawrence <slawrence@tresys.com>
+Date: Wed, 19 Nov 2014 11:21:42 -0500
+Subject: [PATCH 1/2] policycoreutils: pp: add roletype statements for both
+ declared and required type/typeattributes
+
+Currently, roletype statements are only added for types when they are
+declared (not required). This means that in policy like:
+
+ require {
+ type foo_t;
+ }
+ type bar_t;
+ role staff_r types foo_t, bar_t;
+
+only bar_t is associated with staff_r. This patch moves the code that
+generates roletype statements for types to outside the SCOPE_DECL check
+so that roletype statements are generated for all types, regardless of
+the required/declared scope. It further moves the code outside of the
+type/typeattribute flavor check so that roletype statements are also
+generated for typeattributes.
+
+Reported-by: Sven Vermeulen <sven.vermeulen@siphos.be>
+Signed-off-by: Steve Lawrence <slawrence@tresys.com>
+Reviewed-by: Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com>
+Tested-by: Jason Zaman <jason@perfinion.com>
+---
+ policycoreutils/hll/pp/pp.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/policycoreutils/hll/pp/pp.c b/policycoreutils/hll/pp/pp.c
+index b1ef27f..4b9f310 100644
+--- a/policycoreutils/hll/pp/pp.c
++++ b/policycoreutils/hll/pp/pp.c
+@@ -2083,6 +2083,11 @@ static int type_to_cil(int indent, struct policydb *pdb, struct avrule_block *UN
+ cil_println(indent, "(typeattributeset " GEN_REQUIRE_ATTR " %s)", key);
+ }
+
++ rc = roletype_role_in_ancestor_to_cil(pdb, decl_stack, key, indent);
++ if (rc != 0) {
++ goto exit;
++ }
++
+ switch(type->flavor) {
+ case TYPE_TYPE:
+ if (scope == SCOPE_DECL) {
+@@ -2090,11 +2095,6 @@ static int type_to_cil(int indent, struct policydb *pdb, struct avrule_block *UN
+ // object_r is implicit in checkmodule, but not with CIL,
+ // create it as part of base
+ cil_println(indent, "(roletype " DEFAULT_OBJECT " %s)", key);
+-
+- rc = roletype_role_in_ancestor_to_cil(pdb, decl_stack, key, indent);
+- if (rc != 0) {
+- goto exit;
+- }
+ }
+
+ if (type->flags & TYPE_FLAGS_PERMISSIVE) {
+--
+2.0.4
+
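Review bot: The subject line of the vendored patch reads "[PATCH 1/2]", so upstream shipped this as the first half of a two-patch series, but only this half is added here and nothing in the commit message says whether 2/2 was considered. If the second patch is a follow-up to the same pp.c change, it should either be added alongside this one or the omission noted in the ChangeLog entry. The C change itself is self-consistent within the excerpt: the `roletype_role_in_ancestor_to_cil` call is hoisted above the `switch(type->flavor)` so it runs for required types and for typeattributes, while the `(roletype DEFAULT_OBJECT ...)` line stays under the `SCOPE_DECL` branch as before; the enclosing `type_to_cil` body begins and ends outside the hunk.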
diff --git a/sys-apps/policycoreutils/policycoreutils-2.4_rc6-r1.ebuild b/sys-apps/policycoreutils/policycoreutils-2.4_rc6-r1.ebuild
new file mode 100644
index 000000000000..51018a520e0d
--- /dev/null
+++ b/sys-apps/policycoreutils/policycoreutils-2.4_rc6-r1.ebuild
@@ -0,0 +1,171 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/policycoreutils/policycoreutils-2.4_rc6-r1.ebuild,v 1.1 2014/11/22 12:59:49 perfinion Exp $
+
+EAPI="5"
+PYTHON_COMPAT=( python2_7 )
+PYTHON_REQ_USE="xml"
+
+inherit multilib python-r1 toolchain-funcs eutils
+
+MY_P="${P//_/-}"
+
+EXTRAS_VER="1.33"
+SEMNG_VER="2.4_rc6"
+SELNX_VER="2.4_rc6"
+SEPOL_VER="2.4_rc6"
+PATCHBUNDLE="4"
+
+IUSE="audit pam dbus"
+
+DESCRIPTION="SELinux core utilities"
+HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
+SRC_URI="https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20140826/${MY_P}.tar.gz
+ mirror://gentoo/policycoreutils-extra-${EXTRAS_VER}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+
+COMMON_DEPS=">=sys-libs/libselinux-${SELNX_VER}[python]
+ >=sys-libs/glibc-2.4
+ >=sys-libs/libcap-1.10-r10
+ >=sys-libs/libsemanage-${SEMNG_VER}[python]
+ sys-libs/libcap-ng
+ >=sys-libs/libsepol-${SEPOL_VER}
+ sys-devel/gettext
+ dev-python/ipy[${PYTHON_USEDEP}]
+ dbus? (
+ sys-apps/dbus
+ dev-libs/dbus-glib
+ )
+ audit? ( >=sys-process/audit-1.5.1 )
+ pam? ( sys-libs/pam )
+ ${PYTHON_DEPS}"
+
+### libcgroup -> seunshare
+### dbus -> restorecond
+
+# pax-utils for scanelf used by rlpkg
+RDEPEND="${COMMON_DEPS}
+ dev-python/sepolgen
+ app-misc/pax-utils"
+
+DEPEND="${COMMON_DEPS}"
+
+S="${WORKDIR}/${MY_P}"
+S1="${WORKDIR}/${MY_P}"
+S2="${WORKDIR}/policycoreutils-extra"
+
+src_prepare() {
+ epatch "${FILESDIR}/0010-remove-sesandbox-support.patch"
+ epatch "${FILESDIR}/0020-disable-autodetection-of-pam-and-audit.patch"
+ epatch "${FILESDIR}/0030-make-inotify-check-use-flag-triggered.patch"
+ epatch "${FILESDIR}/0040-reverse-access-check-in-run_init.patch"
+ epatch "${FILESDIR}/0070-remove-symlink-attempt-fails-with-gentoo-sandbox-approach.patch"
+ epatch "${FILESDIR}/0110-build-mcstrans-bug-472912.patch"
+ epatch "${FILESDIR}/0120-build-failure-for-mcscolor-for-CONTEXT__CONTAINS.patch"
+ epatch "${FILESDIR}/0001-policycoreutils-pp-add-roletype-statements-for-both-.patch"
+
+ # rlpkg is more useful than fixfiles
+ sed -i -e '/^all/s/fixfiles//' "${S}/scripts/Makefile" \
+ || die "fixfiles sed 1 failed"
+ sed -i -e '/fixfiles/d' "${S}/scripts/Makefile" \
+ || die "fixfiles sed 2 failed"
+
+ epatch_user
+
+ python_copy_sources
+ # Our extra code is outside the regular directory, so set it to the extra
+ # directory. We really should optimize this as it is ugly, but the extra
+ # code is needed for Gentoo at the same time that policycoreutils is present
+ # (so we cannot use an additional package for now).
+ S="${S2}"
+ python_copy_sources
+}
+
+src_compile() {
+ local use_audit="n";
+ local use_pam="n";
+ local use_dbus="n";
+ local use_sesandbox="n";
+
+ use audit && use_audit="y";
+ use pam && use_pam="y";
+ use dbus && use_dbus="y";
+
+ building() {
+ emake -C "${BUILD_DIR}" AUDIT_LOG_PRIVS="y" AUDITH="${use_audit}" PAMH="${use_pam}" INOTIFYH="${use_dbus}" SESANDBOX="${use_sesandbox}" CC="$(tc-getCC)" PYLIBVER="${EPYTHON}" || die
+ }
+ S="${S1}" # Regular policycoreutils
+ python_foreach_impl building
+ S="${S2}" # Extra set
+ python_foreach_impl building
+}
+
+src_install() {
+ local use_audit="n";
+ local use_pam="n";
+ local use_dbus="n";
+ local use_sesandbox="n";
+
+ use audit && use_audit="y";
+ use pam && use_pam="y";
+ use dbus && use_dbus="y";
+
+ # Python scripts are present in many places. There are no extension modules.
+ installation-policycoreutils() {
+ einfo "Installing policycoreutils"
+ emake -C "${BUILD_DIR}" DESTDIR="${D}" AUDITH="${use_audit}" PAMH="${use_pam}" INOTIFYH="${use_dbus}" SESANDBOX="${use_sesandbox}" AUDIT_LOG_PRIV="y" PYLIBVER="${EPYTHON}" install || return 1
+ }
+
+ installation-extras() {
+ einfo "Installing policycoreutils-extra"
+ emake -C "${BUILD_DIR}" DESTDIR="${D}" INOTIFYH="${use_dbus}" SHLIBDIR="${D}$(get_libdir)/rc" install || return 1
+ }
+
+ S="${S1}" # policycoreutils
+ python_foreach_impl installation-policycoreutils
+ S="${S2}" # extras
+ python_foreach_impl installation-extras
+ S="${S1}" # back for later
+
+ # remove redhat-style init script
+ rm -fR "${D}/etc/rc.d"
+
+ # compatibility symlinks
+ dosym /sbin/setfiles /usr/sbin/setfiles
+ dosym /$(get_libdir)/rc/runscript_selinux.so /$(get_libdir)/rcscripts/runscript_selinux.so
+
+ # location for permissive definitions
+ dodir /var/lib/selinux
+ keepdir /var/lib/selinux
+
+ # Set version-specific scripts
+ for pyscript in audit2allow sepolgen-ifgen sepolicy chcat; do
+ python_replicate_script "${ED}/usr/bin/${pyscript}"
+ done
+ for pyscript in semanage rlpkg; do
+ python_replicate_script "${ED}/usr/sbin/${pyscript}"
+ done
+
+ dodir /usr/share/doc/${PF}/mcstrans/examples
+ cp -dR "${S1}"/mcstrans/share/examples/* "${D}/usr/share/doc/${PF}/mcstrans/examples"
+}
+
+pkg_postinst() {
+ # The selinux_gentoo init script is no longer needed with recent OpenRC
+ elog "The selinux_gentoo init script will be removed in future versions when OpenRC 0.13.x is stabilized."
+
+ # Migrate the SELinux semanage configuration store if not done already
+ local selinuxtype=$(awk -F'=' '/SELINUXTYPE=/ {print $2}' /etc/selinux/config);
+ if [ -n "${selinuxtype}" ] && [ ! -d /var/lib/selinux/${mcs}/active ] ; then
+ ewarn "Since the 2.4 SELinux userspace, the policy module store is moved"
+ ewarn "from /etc/selinux to /var/lib/selinux. In order to continue with"
+ ewarn "the 2.4 userspace, please migrate the necessary files by executing"
+ ewarn "/usr/libexec/selinux/semanage_migrate_store. Warnings about 'else'"
+ ewarn "blocks can be safely ignored."
+ ewarn "For more information, please see"
+ ewarn "- https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration"
+ fi
+}
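Review bot: In `pkg_postinst` the directory test at the `if` line uses `${mcs}`, which is never assigned anywhere in this file, so the check collapses to `[ ! -d /var/lib/selinux//active ]` and the migration warning fires on every install whenever SELINUXTYPE is set, even after the store has already been migrated; the intended variable is the one computed on the previous line: `if [ -n "${selinuxtype}" ] && [ ! -d "/var/lib/selinux/${selinuxtype}/active" ] ; then`. Separately, `src_compile` passes `AUDIT_LOG_PRIVS="y"` while `src_install` passes `AUDIT_LOG_PRIV="y"`; one of the two spellings is presumably not what the upstream Makefile reads, so the compile and install steps may disagree on whether the audit-log-privilege build option is enabled, and the two should be made identical. The `awk` invocation on `/etc/selinux/config` also runs unconditionally, so on a system without that file it emits an error rather than silently yielding an empty `selinuxtype`; a `[ -r /etc/selinux/config ]` guard would keep the message quiet.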