feat: add policycoreutils for building squashfs with SELinux

Only install setfiles, add libselinux as a dependency Also unify the version for all SELinux userspace components Signed-off-by: Dmitry Sharshakov <dmitry.sharshakov@siderolabs.com>
siderolabs · Aug 26, 2024 · 2b8dab4 · 2b8dab4
1 parent ef48079
commit 2b8dab4
Show file tree

Hide file tree

Showing 11 changed files with 144 additions and 9 deletions.
diff --git a/.github/renovate.json b/.github/renovate.json
@@ -37,7 +37,7 @@
                 "mirror/ncurses",
                 "PCRE2Project/pcre2",
                 "plougher/squashfs-tools",
-                "https://github.com/SELinuxProject/selinux.git",
+                "SELinuxProject/selinux",
                 "git://git.savannah.gnu.org/make.git",
                 "git://git.kernel.org/pub/scm/utils/util-linux/util-linux.git",
                 "git://git.savannah.gnu.org/automake.git",

diff --git a/Pkgfile b/Pkgfile
@@ -183,11 +183,6 @@ vars:
   libnl_sha256: 9fe43ccbeeea72c653bdcf8c93332583135cda46a79507bfd0a483bb57f65939
   libnl_sha512: 80fbbc079299c90afd2a5eda62e4d4f98bf4ef23958c3ce5101f4ed4d81d783af733213bb3bab15f218555d8460bc2394898f909f4ac024fc27281faec86a041
 
-  # renovate: datasource=git-tags depName=SELinuxProject/selinux
-  libsepol_version: 3.7
-  libsepol_sha256: cd741e25244e7ef6cd934d633614131a266c3eaeab33d8bfa45e8a93b45cc901
-  libsepol_sha512: 85d12d0ba5a7a3225f08d041a18fd59641608db5e0a78a1e9649754e45be54a807cd422d4889b88da6e806b4af546336c7a0913448f08ac33dc6ffb983890ef8
-
   # renovate: datasource=git-tags extractVersion=^v(?<version>.*)$ depName=https://gitlab.com/gnutls/libtasn1.git
   libtasn1_version: 4.19.0
   libtasn1_sha256: 1613f0ac1cf484d6ec0ce3b8c06d56263cc7242f1c23b30d82d23de345a63f7a
@@ -310,7 +305,13 @@ vars:
   rhash_sha512: 00a7e5e058b53ce20ae79509815452ed9cb699d1322b678220b72c61dea3ea2f8fa131acfade8bb6d9f6af913f0c3c472330841181b22314b8755166310c946f
 
   # renovate: datasource=git-tags depName=SELinuxProject/selinux
-  secilc_version: 3.7
+  selinux_version: 3.7
+  libselinux_sha256: ea03f42d13a4f95757997dba8cf0b26321fac5d2f164418b4cc856a92d2b17bd
+  libselinux_sha512: e949c20b606c50ad521b9592ce55ad6658e8c4b24d9838028f5aba0a4fc762b6d0d0d0d207f5bef7a2e41485e12d91382fa6090df27152dbb40071b273419352
+  libsepol_sha256: cd741e25244e7ef6cd934d633614131a266c3eaeab33d8bfa45e8a93b45cc901
+  libsepol_sha512: 85d12d0ba5a7a3225f08d041a18fd59641608db5e0a78a1e9649754e45be54a807cd422d4889b88da6e806b4af546336c7a0913448f08ac33dc6ffb983890ef8
+  policycoreutils_sha256: 58fe4e481edfb4456c114925442e11389df17394925acdba3de211145ce5ea98
+  policycoreutils_sha512: 30e3413b15df0bf1a994d2b3a03a719f89b3ee521a708b92fcc684822152145722cb3ef28fd5b7c42b779281b0bd4d69d65c0bc2605eec1af3f388609d985500
   secilc_sha256: 0802e920b779e9e915bb7e68ee22e995f99776554cfcdf9a2af6cb7c3b9873dc
   secilc_sha512: 1f6061587242b63583370e04cc113b4884060c6071774b90908655df17ddc702187960d1f5b1ed53de9eb6ebd7f0029160e58d8c5f0c1126464bf6222f6f7d3e
 

diff --git a/libselinux/patches/busybox-ln.patch b/libselinux/patches/busybox-ln.patch
@@ -0,0 +1,19 @@
+diff --git a/src/Makefile b/src/Makefile
+index 41cfbdca..f82ec529 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -188,12 +188,12 @@ install: all
+ 	install -m 755 $(LIBSO) $(DESTDIR)$(SHLIBDIR)
+ 	test -d $(DESTDIR)$(LIBDIR)/pkgconfig || install -m 755 -d $(DESTDIR)$(LIBDIR)/pkgconfig
+ 	install -m 644 $(LIBPC) $(DESTDIR)$(LIBDIR)/pkgconfig
+-	ln -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET)
++	ln -sf $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET)
+
+ install-pywrap: pywrap
+ 	CFLAGS="$(CPPFLAGS) $(CFLAGS) $(SWIG_CFLAGS)" $(PYTHON) -m pip install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR) --ignore-installed --no-deps` $(PYTHON_SETUP_ARGS) .
+ 	install -m 644 $(SWIGPYOUT) $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py
+-	ln -sf --relative $(DESTDIR)$(PYTHONLIBDIR)/selinux/_selinux$(PYCEXT) $(DESTDIR)$(PYTHONLIBDIR)/_selinux$(PYCEXT)
++	ln -sf $(DESTDIR)$(PYTHONLIBDIR)/selinux/_selinux$(PYCEXT) $(DESTDIR)$(PYTHONLIBDIR)/_selinux$(PYCEXT)
+
+ install-rubywrap: rubywrap
+ 	test -d $(DESTDIR)$(RUBYINSTALL) || install -m 755 -d $(DESTDIR)$(RUBYINSTALL) 
diff --git a/libselinux/patches/musl-lstat.patch b/libselinux/patches/musl-lstat.patch
@@ -0,0 +1,24 @@
+Patch from https://bugs.gentoo.org/905711#c10 to build with musl
+
+diff --git a/src/selinux_restorecon.c b/src/selinux_restorecon.c
+index bc6ed935..3bc0d8dd 100644
+--- a/src/selinux_restorecon.c
++++ b/src/selinux_restorecon.c
+@@ -438,7 +438,7 @@ static int filespec_add(ino_t ino, const char *con, const char *file,
+ 	file_spec_t *prevfl, *fl;
+ 	uint32_t h;
+ 	int ret;
+-	struct stat64 sb;
++	struct stat sb;
+
+ 	__pthread_mutex_lock(&fl_mutex);
+
+@@ -452,7 +452,7 @@ static int filespec_add(ino_t ino, const char *con, const char *file,
+ 	for (prevfl = &fl_head[h], fl = fl_head[h].next; fl;
+ 	     prevfl = fl, fl = fl->next) {
+ 		if (ino == fl->ino) {
+-			ret = lstat64(fl->file, &sb);
++			ret = lstat(fl->file, &sb);
+ 			if (ret < 0 || sb.st_ino != ino) {
+ 				freecon(fl->con);
+ 				free(fl->file);
diff --git a/libselinux/patches/selabel-digest-uninit.patch b/libselinux/patches/selabel-digest-uninit.patch
@@ -0,0 +1,13 @@
+diff --git a/utils/selabel_digest.c b/utils/selabel_digest.c
+index 47aad21f..c574d3fd 100644
+--- a/utils/selabel_digest.c
++++ b/utils/selabel_digest.c
+@@ -65,7 +65,7 @@ int main(int argc, char **argv)
+ 	size_t digest_len, i, num_specfiles;
+
+ 	char cmd_buf[4096];
+-	char *cmd_ptr;
++	char *cmd_ptr = NULL;
+ 	char *sha1_buf = NULL;
+
+ 	struct selabel_handle *hnd;
diff --git a/libselinux/pkg.yaml b/libselinux/pkg.yaml
@@ -0,0 +1,30 @@
+name: libselinux
+dependencies:
+  - stage: base
+  - stage: patch
+  - stage: musl-fts
+  - stage: libsepol
+  - stage: pcre
+  - stage: pkg-config
+steps:
+  - sources:
+      - url: https://github.com/SELinuxProject/selinux/releases/download/{{ .selinux_version }}/libselinux-{{ .selinux_version }}.tar.gz
+        destination: libselinux.tar.gz
+        sha256: "{{ .libselinux_sha256 }}"
+        sha512: "{{ .libselinux_sha512 }}"
+    prepare:
+      - |
+        tar -xzf libselinux.tar.gz --strip-components=1
+
+        patch -p1 < /pkg/patches/musl-lstat.patch
+        patch -p1 < /pkg/patches/selabel-digest-uninit.patch
+        patch -p1 < /pkg/patches/busybox-ln.patch
+    build:
+      - |
+        make -j $(nproc) FTS_LDLIBS="-l:libfts.a"
+    install:
+      - |
+        make install DESTDIR=/rootfs PREFIX=/toolchain
+finalize:
+  - from: /rootfs
+    to: /
diff --git a/libsepol/pkg.yaml b/libsepol/pkg.yaml
@@ -6,7 +6,7 @@ dependencies:
   - stage: m4
 steps:
   - sources:
-      - url: https://github.com/SELinuxProject/selinux/releases/download/{{ .libsepol_version }}/libsepol-{{ .libsepol_version }}.tar.gz
+      - url: https://github.com/SELinuxProject/selinux/releases/download/{{ .selinux_version }}/libsepol-{{ .selinux_version }}.tar.gz
         destination: libsepol.tar.gz
         sha256: "{{ .libsepol_sha256 }}"
         sha512: "{{ .libsepol_sha512 }}"

diff --git a/policycoreutils/patches/musl-fts.patch b/policycoreutils/patches/musl-fts.patch
@@ -0,0 +1,18 @@
+diff --git a/setfiles/Makefile b/setfiles/Makefile
+index 84ffb08b..31bc07db 100644
+--- a/setfiles/Makefile
++++ b/setfiles/Makefile
+@@ -5,8 +5,11 @@ SBINDIR ?= /sbin
+ MANDIR = $(PREFIX)/share/man
+ AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
+
+-CFLAGS ?= -g -Werror -Wall -W
+-override LDLIBS += -lselinux -lsepol -lpthread
++# override with -lfts when building on Musl libc to use fts-standalone
++FTS_LDLIBS ?=
++
++CFLAGS ?= -g -Werror -Wall -W $(FTS_LDLIBS)
++override LDLIBS += -lselinux -lsepol -lpthread $(FTS_LDLIBS)
+
+ ifeq ($(AUDITH), y)
+ 	override CFLAGS += -DUSE_AUDIT
diff --git a/policycoreutils/pkg.yaml b/policycoreutils/pkg.yaml
@@ -0,0 +1,28 @@
+name: policycoreutils
+dependencies:
+  - stage: base
+  - stage: patch
+  - stage: musl-fts
+  - stage: pcre
+  - stage: libsepol
+  - stage: libselinux
+steps:
+  - sources:
+      - url: https://github.com/SELinuxProject/selinux/releases/download/{{ .selinux_version }}/policycoreutils-{{ .selinux_version }}.tar.gz
+        destination: policycoreutils.tar.gz
+        sha256: "{{ .policycoreutils_sha256 }}"
+        sha512: "{{ .policycoreutils_sha512 }}"
+    prepare:
+      - |
+        tar -xzf policycoreutils.tar.gz --strip-components=1
+
+        patch -p1 < /pkg/patches/musl-fts.patch
+    build:
+      - |
+        make -j $(nproc) SUBDIRS=setfiles FTS_LDLIBS="-l:libfts.a -lpcre2-8"
+    install:
+      - |
+        make install DESTDIR=/rootfs/toolchain SUBDIRS=setfiles
+finalize:
+  - from: /rootfs
+    to: /
diff --git a/secilc/pkg.yaml b/secilc/pkg.yaml
@@ -6,7 +6,7 @@ dependencies:
     runtime: true
 steps:
   - sources:
-      - url: https://github.com/SELinuxProject/selinux/releases/download/{{ .secilc_version }}/secilc-{{ .secilc_version }}.tar.gz
+      - url: https://github.com/SELinuxProject/selinux/releases/download/{{ .selinux_version }}/secilc-{{ .selinux_version }}.tar.gz
         destination: secilc.tar.gz
         sha256: "{{ .secilc_sha256 }}"
         sha512: "{{ .secilc_sha512 }}"

diff --git a/tools/pkg.yaml b/tools/pkg.yaml
@@ -41,6 +41,7 @@ dependencies:
   - stage: libcap
   - stage: libffi
   - stage: libnl
+  - stage: libselinux
   - stage: libsepol
   - stage: libtasn1
   - stage: libtool
@@ -61,6 +62,7 @@ dependencies:
   - stage: pcre
   - stage: perl
   - stage: pkg-config
+  - stage: policycoreutils
   - stage: protobuf
   - stage: protoc-gen-go
   - stage: protoc-gen-go-grpc