# Copyright 1999-2002 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License v2

#we use this next variable to avoid duplicating stuff on cvs
#GFILESDIR=${PORTDIR}/sys-kernel/linux-sources/files
OKV=2.4.18
KV=selinux-2.4
S=${WORKDIR}/linux-${KV}
ETYPE="sources"
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="x86 -ppc -sparc -sparc64"

DESCRIPTION="LSM patched kernel with SELinux archive"
SRC_URI="http://www.kernel.org/pub/linux/kernel/v2.4/linux-${OKV}.tar.bz2
	http://www.nsa.gov/selinux/patches/lsm-2.4-2002070313.patch.gz
	http://www.nsa.gov/selinux/patches/selinux-2.4-2002070313.patch.gz"
PROVIDE="virtual/linux-sources"
HOMEPAGE="http://www.kernel.org/ http://www.nsa.gov/selinux"

if [ $ETYPE = "sources" ] && [ -z "`use build`" ]
then
	#console-tools is needed to solve the loadkeys fiasco; binutils version needed to avoid Athlon/PIII/SSE assembler bugs.
	DEPEND=">=sys-devel/binutils-2.11.90.0.31"
	RDEPEND=">=sys-libs/ncurses-5.2 sys-devel/perl >=sys-apps/modutils-2.4.2 sys-devel/make"
fi

[ -z "$LINUX_HOSTCFLAGS" ] && LINUX_HOSTCFLAGS="-Wall -Wstrict-prototypes -O2 -fomit-frame-pointer -I${S}/include"

src_unpack() {
	cd ${WORKDIR}
	unpack linux-${OKV}.tar.bz2
	mv linux linux-${KV} || die
	cd ${S}
	cat ${DISTDIR}/lsm-2.4-2002070313.patch.gz | gzip -d | patch -p1 || die
	cat ${DISTDIR}/selinux-2.4-2002070313.patch.gz | gzip -d | patch -p1 || die

	#sometimes we have icky kernel symbols; this seems to get rid of them
	make mrproper || die

	#this file is required for other things to build properly, so we autogenerate it
	make include/linux/version.h || die

	#fix silly permissions in tarball
	cd ${WORKDIR}
	chown -R 0.0 *
	chmod -R a+r-w+X,u+w *

	# Gentoo Linux uses /boot, so fix 'make install' to work properly
	cd ${S}
	mv Makefile Makefile.orig
	sed -e 's:#export\tINSTALL_PATH:export\tINSTALL_PATH:' \
		Makefile.orig >Makefile || die # test, remove me if Makefile ok
	rm Makefile.orig
}

src_compile() {
	if [ "$ETYPE" = "headers" ]
	then
		yes "" | make oldconfig
		echo "Ignore any errors from the yes command above."
	fi
}

src_install() {
	if [ "$ETYPE" = "sources" ]
	then
		dodir /usr/src
		echo ">>> Copying sources..."
		mv ${WORKDIR}/* ${D}/usr/src
	else
		#linux-headers
		dodir /usr/include/linux
		cp -ax ${S}/include/linux/* ${D}/usr/include/linux
		rm -rf ${D}/usr/include/linux/modules
		dodir /usr/include/asm
		cp -ax ${S}/include/asm-i386/* ${D}/usr/include/asm
	fi
}

pkg_preinst() {
	if [ "$ETYPE" = "headers" ]
	then
		[ -L ${ROOT}usr/include/linux ] && rm ${ROOT}usr/include/linux
		[ -L ${ROOT}usr/include/asm ] && rm ${ROOT}usr/include/asm
		true
	fi
}

pkg_postinst() {
	[ "$ETYPE" = "headers" ] && return
	if [ ! -e ${ROOT}usr/src/linux ]
	then
		rm -f ${ROOT}usr/src/linux
		ln -sf linux-${KV} ${ROOT}/usr/src/linux
	fi
}

*** Bug 6692 has been marked as a duplicate of this bug. ***
Personally, I'd be very dubious of anything that comes from nsa.gov...
I'm sorry you are dubious, but I'll say the same thing I say to everyone. The patches are there, if you don't trust the nsa go read them. This is a legitimate project with legitimate goals, you should all read about it. It also has patched utilities (such as fileutils). I'd like to write ebuilds for all of them, but am unsure how to handle the dependencies of things without making 20 new virtuals. If you guys don't want to put the ebuilds in because of their origin I guess I'll go elsewhere but these packages are a tremendous security asset.
Well, I'm sure there are enough security obs^H^H^H^ minded gentoo users out there that these patches would come in handy for them. I'm not a representative of the project, so please don't interpret my comments as such. However, you say that they provide additional patches for ebuilds already present. So instead of creating new ebuilds for the non-kernel related stuff, why not create a new USE flag called "selinux" or something like that. That way you could customize the current ebuilds to use your patches (and require more dependencies) as defined by the presence of (or lack thereof) the USE="selinux" flag. This way you could probably avoid all the unnecessary virtuals and the potential for conflicts. If you want to see how this is done (albeit on a smaller scale), check out the XFree ebuild and see how it deals with the 3dfx USE flag.
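The USE-flag approach suggested in the comment above, as an added stand-alone sketch that is not part of the original thread or of any Gentoo ebuild. The `use` function is a minimal stand-in for Portage's helper, and the patch file name and the extra dependency atom are hypothetical placeholders.

```shell
#!/bin/sh
# Stand-in for Portage's use helper: succeeds when the flag is listed in $USE.
use() {
    case " ${USE} " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Patches are selected only when USE contains "selinux".
selinux_patches() {
    use selinux && echo "example-selinux.patch"   # hypothetical file name
    return 0
}

# Extra runtime dependencies follow the same flag (atom is hypothetical).
selinux_rdepend() {
    if use selinux; then
        echo "sys-libs/ncurses sys-apps/example-selinux-libs"
    else
        echo "sys-libs/ncurses"
    fi
}

# Check every selected patch with --dry-run before applying it, so a patch
# that does not fit the unpacked source leaves the tree untouched.
apply_patches() {
    srcdir=$1; patchdir=$2
    for p in $(selinux_patches); do
        ( cd "$srcdir" && patch -p1 -s --dry-run < "$patchdir/$p" >/dev/null ) || return 1
        ( cd "$srcdir" && patch -p1 -s < "$patchdir/$p" ) || return 1
    done
}

# Constructed sample: a one-line source file and a one-hunk patch for it.
# Prints the line count of the file after the (conditional) patch step.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/src" "$tmp/files"
    echo 'int main(void) { return 0; }' > "$tmp/src/ls.c"
    printf '%s\n' '--- a/ls.c' '+++ b/ls.c' '@@ -1 +1,2 @@' \
        ' int main(void) { return 0; }' '+/* selinux hook */' \
        > "$tmp/files/example-selinux.patch"
    apply_patches "$tmp/src" "$tmp/files" || { rm -rf "$tmp"; return 1; }
    wc -l < "$tmp/src/ls.c" | tr -d ' '
    rm -rf "$tmp"
}

( USE="selinux"; demo )
```
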
I think this is a good kernel to add into the portage tree, Joshua. Unfortunately, because of the freeze, we can not add it yet. As for the other patched applications you mentioned, can you open a new bug report outlining which packages and what they would need?
I think this would be an interesting addition to Portage. The last time I checked, though, SELinux needed to patch _most_ of the software that was going to operate with a SELinux kernel, including FTP daemons etc. Is this still the case? Are these patches readily available for most software, or just selected software (one FTPd, eg. wu-ftpd)?
Seemant; should I just add this to Portage and mask it, or should I wait until the freeze is over? There is a nice psychological value in closing as many bugs as I can on my list... ;)
joachim, add it (remember ~arch masking)
Okay, I'm on it. I'm converting it to the new eclass system and upgrading to 2.4.19 while I'm at it. Seemant, would it be a good idea to add the crypt patch and such here, or should it be a completely bare bones selinux patched kernel?
Committed. Please test. FWIW, I did not use crypt etc. IUSE="".