Merge pull request #579 from amazonlinux/enable-selinux

enable SELinux support

packages/Cargo.toml

@@ -43,7 +43,10 @@ members = [
     "libnftnl",
     "libnl",
     "libpcap",
+    "libpcre",
     "libseccomp",
+    "libsepol",
+    "libselinux",
     "libstd-rust",
     "libxcrypt",
     "login",

packages/coreutils/Cargo.toml

@@ -17,4 +17,5 @@ glibc = { path = "../glibc" }
 libacl = { path = "../libacl" }
 libattr = { path = "../libattr" }
 libcap = { path = "../libcap" }
+libselinux = { path = "../libselinux" }
 libxcrypt = { path = "../libxcrypt" }

packages/coreutils/coreutils.spec

@@ -9,10 +9,12 @@ BuildRequires: %{_cross_os}glibc-devel
 BuildRequires: %{_cross_os}libacl-devel
 BuildRequires: %{_cross_os}libattr-devel
 BuildRequires: %{_cross_os}libcap-devel
+BuildRequires: %{_cross_os}libselinux-devel
 BuildRequires: %{_cross_os}libxcrypt-devel
 Requires: %{_cross_os}libacl
 Requires: %{_cross_os}libattr
 Requires: %{_cross_os}libcap
+Requires: %{_cross_os}libselinux
 Requires: %{_cross_os}libxcrypt
 
 %description
@@ -27,6 +29,7 @@ Requires: %{_cross_os}libxcrypt
   --disable-rpath \
   --enable-single-binary=symlinks \
   --enable-no-install-program=kill,stdbuf,uptime \
+  --with-selinux \
   --without-gmp \
   --without-openssl \
 

packages/dbus-broker/Cargo.toml

@@ -16,4 +16,5 @@ sha512 = "b6db7bb9426bfce5ee46e9ef9fcfb0107f8d8fe9cd1fef3a18db33a2886cf6b67515a1
 glibc = { path = "../glibc" }
 libcap = { path = "../libcap" }
 libexpat = { path = "../libexpat" }
+libselinux = { path = "../libselinux" }
 systemd = { path = "../systemd" }

packages/dbus-broker/dbus-1-system.conf

@@ -91,6 +91,8 @@
        holes in the above policy for specific services. -->
   <includedir>system.d</includedir>
 
-  <include if_selinux_enabled="yes" selinux_root_relative="yes">contexts/dbus_contexts</include>
+  <!-- Stub out security configuration for SELinux. -->
+  <selinux>
+  </selinux>
 
 </busconfig>

packages/dbus-broker/dbus-broker.spec

@@ -13,9 +13,11 @@ BuildRequires: meson
 BuildRequires: %{_cross_os}glibc-devel
 BuildRequires: %{_cross_os}libcap-devel
 BuildRequires: %{_cross_os}libexpat-devel
+BuildRequires: %{_cross_os}libselinux-devel
 BuildRequires: %{_cross_os}systemd-devel
 Requires: %{_cross_os}libcap
 Requires: %{_cross_os}libexpat
+Requires: %{_cross_os}libselinux
 Requires: %{_cross_os}systemd
 
 %description
@@ -28,6 +30,7 @@ Requires: %{_cross_os}systemd
 CONFIGURE_OPTS=(
  -Daudit=false
  -Dlauncher=true
+ -Dselinux=true
 )
 
 %cross_meson "${CONFIGURE_OPTS[@]}"

packages/findutils/Cargo.toml

@@ -14,3 +14,4 @@ sha512 = "650a24507f8f4ebff83ad28dd27daa4785b4038dcaadc4fe00823b976e848527074cce
 
 [build-dependencies]
 glibc = { path = "../glibc" }
+libselinux = { path = "../libselinux" }

packages/findutils/findutils.spec

@@ -6,6 +6,8 @@ License: GPLv3+
 URL: http://www.gnu.org/software/findutils/
 Source0: https://ftp.gnu.org/pub/gnu/findutils/findutils-%{version}.tar.xz
 BuildRequires: %{_cross_os}glibc-devel
+BuildRequires: %{_cross_os}libselinux-devel
+Requires: %{_cross_os}libselinux
 
 %description
 %{summary}.

packages/iproute/Cargo.toml

@@ -16,3 +16,4 @@ sha512 = "47c750da2247705b1b1d1621f58987333e54370d0fff2f24106194022de793ff35dfd6
 glibc = { path = "../glibc" }
 libcap = { path = "../libcap" }
 libmnl = { path = "../libmnl" }
+libselinux = { path = "../libselinux" }

packages/iproute/iproute.spec

@@ -10,8 +10,10 @@ Patch1: 0001-skip-libelf-check.patch
 BuildRequires: %{_cross_os}glibc-devel
 BuildRequires: %{_cross_os}libcap-devel
 BuildRequires: %{_cross_os}libmnl-devel
+BuildRequires: %{_cross_os}libselinux-devel
 Requires: %{_cross_os}libcap
 Requires: %{_cross_os}libmnl
+Requires: %{_cross_os}libselinux
 
 %description
 %{summary}.

packages/libpcre/Cargo.toml

@@ -0,0 +1,16 @@
+[package]
+name = "libpcre"
+version = "0.1.0"
+edition = "2018"
+publish = false
+build = "build.rs"
+
+[lib]
+path = "pkg.rs"
+
+[[package.metadata.build-package.external-files]]
+url = "https://ftp.pcre.org/pub/pcre/pcre2-10.34.tar.bz2"
+sha512 = "77ad75f8b0b8bbfc2f57932596151bca25b06bd621e0f047e476f38cd127f43e2052460b95c281a7e874aad2b7fd86c8f3413f4a323abb74b9440a42d0ee9524"
+
+[build-dependencies]
+glibc = { path = "../glibc" }

packages/libpcre/build.rs

@@ -0,0 +1,9 @@
+use std::process::{exit, Command};
+
+fn main() -> Result<(), std::io::Error> {
+    let ret = Command::new("buildsys").arg("build-package").status()?;
+    if !ret.success() {
+        exit(1);
+    }
+    Ok(())
+}

packages/libpcre/libpcre.spec

@@ -0,0 +1,63 @@
+Name: %{_cross_os}libpcre
+Version: 10.34
+Release: 1%{?dist}
+Summary: Library for regular expressions
+License: BSD-3-Clause
+URL: https://www.pcre.org/
+Source0: https://ftp.pcre.org/pub/pcre/pcre2-%{version}.tar.bz2
+BuildRequires: %{_cross_os}glibc-devel
+
+%description
+%{summary}.
+
+%package devel
+Summary: Files for development using the library for regular expressions
+Requires: %{name}
+
+%description devel
+%{summary}.
+
+%prep
+%autosetup -n pcre2-%{version} -p1
+
+%build
+%cross_configure \
+  --enable-newline-is-lf \
+  --enable-pcre2-8 \
+  --enable-shared \
+  --enable-static \
+  --enable-unicode \
+  --disable-jit \
+  --disable-jit-sealloc \
+  --disable-pcre2-16 \
+  --disable-pcre2-32 \
+  --disable-pcre2grep-callout \
+  --disable-pcre2grep-callout-fork \
+  --disable-pcre2grep-jit \
+  --disable-pcre2grep-libbz2 \
+  --disable-pcre2grep-libz \
+  --disable-pcre2test-libedit \
+  --disable-pcre2test-libreadline \
+
+sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
+sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
+
+%make_build
+
+%install
+%make_install
+
+%files
+%{_cross_libdir}/*.so.*
+%exclude %{_cross_bindir}
+%exclude %{_cross_docdir}
+%exclude %{_cross_mandir}
+
+%files devel
+%{_cross_libdir}/*.a
+%{_cross_libdir}/*.so
+%{_cross_includedir}/*.h
+%{_cross_pkgconfigdir}/*.pc
+%exclude %{_cross_libdir}/*.la
+
+%changelog

packages/libpcre/pkg.rs

@@ -0,0 +1 @@
+// not used

packages/libselinux/0001-adjust-default-selinux-directory.patch

@@ -0,0 +1,32 @@
+From ded87ae71f953d538f7a89bfff2d0fcc417bbf06 Mon Sep 17 00:00:00 2001
+From: Ben Cressey <[email protected]>
+Date: Tue, 3 Dec 2019 22:02:35 +0000
+Subject: [PATCH] adjust default selinux directory
+
+systemd loads the SELinux policy very early, before /etc is populated
+with volatile files.
+
+We expect the policy to be immutable and shipped with the image, so
+storing it under /usr/lib is fine.
+
+Signed-off-by: Ben Cressey <[email protected]>
+---
+ src/selinux_internal.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/selinux_internal.h b/src/selinux_internal.h
+index 8b4bed2..bcaf2f7 100644
+--- a/src/selinux_internal.h
++++ b/src/selinux_internal.h
+@@ -178,7 +178,7 @@ extern int selinux_page_size hidden;
+ 	} while (0)
+
+
+-#define SELINUXDIR "/etc/selinux/"
++#define SELINUXDIR "/usr/lib/selinux/"
+ #define SELINUXCONFIG SELINUXDIR "config"
+
+ extern int has_selinux_config hidden;
+-- 
+2.21.0
+

packages/libselinux/Cargo.toml

@@ -0,0 +1,18 @@
+[package]
+name = "libselinux"
+version = "0.1.0"
+edition = "2018"
+publish = false
+build = "build.rs"
+
+[lib]
+path = "pkg.rs"
+
+[[package.metadata.build-package.external-files]]
+url = "https://github.com/SELinuxProject/selinux/releases/download/20191204/libselinux-3.0.tar.gz"
+sha512 = "6fd8c3711e25cb1363232e484268609b71d823975537b3863e403836222eba026abce8ca198f64dba6f4c1ea4deb7ecef68a0397b9656a67b363e4d74409cd95"
+
+[build-dependencies]
+glibc = { path = "../glibc" }
+libpcre = { path = "../libpcre" }
+libsepol = { path = "../libsepol" }

packages/libselinux/build.rs

@@ -0,0 +1,9 @@
+use std::process::{exit, Command};
+
+fn main() -> Result<(), std::io::Error> {
+    let ret = Command::new("buildsys").arg("build-package").status()?;
+    if !ret.success() {
+        exit(1);
+    }
+    Ok(())
+}