From owner-p4-projects@FreeBSD.ORG Sun Jul 10 11:51:30 2005 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 605DE16A420; Sun, 10 Jul 2005 11:51:30 +0000 (GMT) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 23EC316A41C for ; Sun, 10 Jul 2005 11:51:30 +0000 (GMT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id D36C143D45 for ; Sun, 10 Jul 2005 11:51:29 +0000 (GMT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.1/8.13.1) with ESMTP id j6ABpTPe053751 for ; Sun, 10 Jul 2005 11:51:29 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.1/8.13.1/Submit) id j6ABpTGD053747 for perforce@freebsd.org; Sun, 10 Jul 2005 11:51:29 GMT (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org) Date: Sun, 10 Jul 2005 11:51:29 GMT Message-Id: <200507101151.j6ABpTGD053747@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f 
From: Robert Watson To: Perforce Change Reviews Cc: Subject: PERFORCE change 79915 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 10 Jul 2005 11:51:31 -0000 http://perforce.freebsd.org/chv.cgi?CH=79915 Change 79915 by rwatson@rwatson_zoo on 2005/07/10 11:51:25 Implement NO_SEBSD, which controls the building of many SEBSD-related tools, libraries, and the inclusion of SEBSD-specific functionality into some base system components. Affected files ... .. //depot/projects/trustedbsd/sebsd/lib/Makefile#16 edit .. //depot/projects/trustedbsd/sebsd/sbin/Makefile#12 edit .. //depot/projects/trustedbsd/sebsd/sys/modules/Makefile#14 edit .. //depot/projects/trustedbsd/sebsd/usr.bin/login/Makefile#6 edit .. //depot/projects/trustedbsd/sebsd/usr.bin/login/login.c#9 edit .. //depot/projects/trustedbsd/sebsd/usr.sbin/Makefile#13 edit .. //depot/projects/trustedbsd/sebsd/usr.sbin/cron/cron/Makefile#4 edit .. //depot/projects/trustedbsd/sebsd/usr.sbin/cron/cron/database.c#5 edit .. //depot/projects/trustedbsd/sebsd/usr.sbin/cron/cron/do_command.c#7 edit .. //depot/projects/trustedbsd/sebsd/usr.sbin/pwd_mkdb/Makefile#4 edit .. //depot/projects/trustedbsd/sebsd/usr.sbin/pwd_mkdb/pwd_mkdb.c#7 edit Differences ... ==== //depot/projects/trustedbsd/sebsd/lib/Makefile#16 (text+ko) ==== @@ -34,7 +34,7 @@ libpmc ${_libpthread} ${_libsdp} ${_libsm} ${_libsmb} ${_libsmdb} \ ${_libsmutil} libstand libtelnet ${_libthr} ${_libthread_db} libufs \ libugidfw ${_libusbhid} ${_libvgl} libwrap liby libz ${_bind} \ - libsebsd libsepol + ${_libsebsd} ${_libsepol} .if exists(${.CURDIR}/csu/${MACHINE_ARCH}-elf) _csu=csu/${MACHINE_ARCH}-elf 
@@ -77,6 +77,11 @@ _libio= libio .endif +.if !defined(NO_SEBSD) +_libsebsd= libsebsd +_libsepol= libsepol +.endif + .if !defined(NO_SENDMAIL) _libmilter= libmilter _libsm= libsm ==== //depot/projects/trustedbsd/sebsd/sbin/Makefile#12 (text+ko) ==== @@ -81,8 +81,8 @@ rtsol \ savecore \ ${_sconfig} \ - sebsd_checkpolicy \ - sebsd_setfiles \ + ${_sebsd_checkpolicy} \ + ${_sebsd_setfiles} \ setfsmac \ shutdown \ slattach \ @@ -111,6 +111,11 @@ _pflogd= pflogd .endif +.if !defined(NO_SEBSD) +_sebsd_checkpolicy= sebsd_checkpolicy +_sebsd_setfiles= sebsd_setfiles +.endif + .if !defined(NO_INET6) _ip6fw= ip6fw _ping6= ping6 ==== //depot/projects/trustedbsd/sebsd/sys/modules/Makefile#14 (text+ko) ==== @@ -204,7 +204,7 @@ sbsh \ scd \ ${_scsi_low} \ - sebsd \ + ${_sebsd} \ sf \ ${_sio} \ sis \ @@ -309,6 +309,10 @@ _pf= pf .endif +.if !defined(NO_SEBSD) || defined(ALL_MODULES) +_sebsd= sebsd +.endif + .if ${MACHINE_ARCH} == "i386" # XXX some of these can move to the general case when de-i386'ed # XXX some of these can move now, but are untested on other architectures. ==== //depot/projects/trustedbsd/sebsd/usr.bin/login/Makefile#6 (text+ko) ==== 
@@ -3,18 +3,25 @@ PROG= login SRCS= login.c login_fbtab.c -CFLAGS+=-I${.CURDIR}/../../lib/libsebsd -CFLAGS+=-I${.CURDIR}/../../contrib/sebsd/libselinux/include -CFLAGS+=-I${.CURDIR}/../../sys -CFLAGS+=-I${.CURDIR}/../../sys/security/sebsd CFLAGS+=-DLOGALL -DPADD= ${LIBUTIL} ${LIBPAM} ${LIBSEBSD} -LDADD= -lutil ${MINUSLPAM} -lsebsd +DPADD= ${LIBUTIL} ${LIBPAM} +LDADD= -lutil ${MINUSLPAM} MAN= login.1 login.access.5 + .if !defined(NO_SETUID_LOGIN) BINOWN= root BINMODE=4555 PRECIOUSPROG= .endif +.if !defined(NO_SEBSD) +CFLAGS+=-I${.CURDIR}/../../lib/libsebsd +CFLAGS+=-I${.CURDIR}/../../contrib/sebsd/libselinux/include +CFLAGS+=-I${.CURDIR}/../../sys +CFLAGS+=-I${.CURDIR}/../../sys/security/sebsd +CFLAGS+=-DSEBSD +DPADD+= ${LIBSEBSD} +LDADD+= -lsebsd +.endif + .include ==== //depot/projects/trustedbsd/sebsd/usr.bin/login/login.c#9 (text+ko) ==== @@ -139,7 +139,9 @@ static char *username; /* user name */ static char *olduser; /* previous user name */ +#ifdef SEBSD static char *user_role; /* role/type specified with username */ +#endif /* * Prompts @@ -295,6 +297,7 @@ badlogin(olduser); } +#ifdef SEBSD char *rp = username; while (*rp && *rp != '/') rp++; @@ -302,6 +305,8 @@ *rp = 0; user_role = rp+1; } +#endif + /* * Load the PAM policy and set some variables */ @@ -508,6 +513,7 @@ username, tty); } +#ifdef SEBSD /* * Determine if we must execute a transition when we * run our shell, for MAC policies which require it. For now, @@ -594,6 +600,7 @@ mac_free(newttylabel); } nosebsd: +#endif /* !SEBSD */ /* * Destroy environment unless user has requested its ==== //depot/projects/trustedbsd/sebsd/usr.sbin/Makefile#13 (text+ko) ==== @@ -146,8 +146,8 @@ rwhod \ sa \ ${_sendmail} \ - sebsd_loadpolicy \ - sebsd_newrole \ + ${_sebsd_loadpolicy} \ + ${_sebsd_newrole} \ setkey \ setpmac \ ${_sicontrol} \ 
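Review bot: The `#endif /* !SEBSD */` added after the `nosebsd:` label in login.c closes an `#ifdef SEBSD`, so its trailing comment names the opposite condition; it should read `#endif /* SEBSD */`. The same mislabelled `#endif` appears in the database.c, do_command.c and pwd_mkdb.c hunks of this change. These guards decide whether the MAC transition code is compiled into login, so a comment that reads as "not SEBSD" invites a wrong edit later. The guarded block opens in the previous hunk and most of its body lies outside both hunks.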
@@ -244,6 +244,11 @@ _lpr= lpr .endif +.if !defined(NO_SEBSD) +_sebsd_loadpolicy= sebsd_loadpolicy +.sebsd_newrole= sebsd_newrole +.endif + .if !defined(NO_SENDMAIL) _editmap= editmap _mailstats= mailstats ==== //depot/projects/trustedbsd/sebsd/usr.sbin/cron/cron/Makefile#4 (text+ko) ==== @@ -4,10 +4,16 @@ MAN= cron.8 SRCS= cron.c database.c do_command.c job.c user.c popen.c -CFLAGS+= -I${.CURDIR}/../../../sys CFLAGS+= -DLOGIN_CAP -DPADD= ${LIBCRON} ${LIBUTIL} ${LIBSEBSD} -LDADD= ${LIBCRON} -lutil -lsebsd +DPADD= ${LIBCRON} ${LIBUTIL} +LDADD= ${LIBCRON} -lutil + +.if !defined(SEBSD) +CFLAGS+= -I${.CURDIR}/../../../sys +CFLAGS+= -DSEBSD +DPADD+= ${LIBSEBSD} +LDADD+= -lsebsd +.endif .include ==== //depot/projects/trustedbsd/sebsd/usr.sbin/cron/cron/database.c#5 (text+ko) ==== @@ -253,6 +253,7 @@ free_user(u); log_it(fname, getpid(), "RELOAD", tabname); } +#ifdef SEBSD if (is_selinux_enabled()) { /* * Perform a virtual entrypoint access decision on @@ -300,6 +301,7 @@ goto next_crontab; } } +#endif /* !SEBSD */ u = load_user(crontab_fd, pw, fname); if (u != NULL) { u->mtime = statbuf->st_mtime; ==== //depot/projects/trustedbsd/sebsd/usr.sbin/cron/cron/do_command.c#7 (text+ko) ==== @@ -274,6 +274,7 @@ _exit(OK_EXIT); } # endif /*DEBUGGING*/ +#ifdef SEBSD if (is_selinux_enabled()) { mac_t mac; char *context, *labeltext, *argv[4]; @@ -301,12 +302,15 @@ argv[3] = NULL; mac_execve(shell, argv, e->envp, mac); } else { +#endif /* !SEBSD */ execle(shell, shell, "-c", e->cmd, (char *)0, e->envp); +#ifdef SEBSD } warn("execl: couldn't exec `%s'", shell); _exit(ERROR_EXIT); } +#endif /* !SEBSD */ break; default: /* parent process */ ==== //depot/projects/trustedbsd/sebsd/usr.sbin/pwd_mkdb/Makefile#4 (text+ko) ==== @@ -10,4 +10,8 @@ WARNS?= 4 CFLAGS+= -I${.CURDIR}/../../lib/libc/gen # for pw_scan.h +.if !defined(NO_SEBSD) +CFLAGS+= -DSEBSD +.endif + .include ==== //depot/projects/trustedbsd/sebsd/usr.sbin/pwd_mkdb/pwd_mkdb.c#7 (text+ko) ==== 
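Review bot: The second assignment in the new `.if !defined(NO_SEBSD)` block of usr.sbin/Makefile is spelled `.sebsd_newrole= sebsd_newrole`, with a leading dot where the underscore should be. The subdirectory list in the previous hunk expands `${_sebsd_newrole}`, which therefore stays empty, so sebsd_newrole would be dropped from every build, not only NO_SEBSD ones. A line starting with `.` may also be rejected by make as an unknown directive. The line should be `_sebsd_newrole= sebsd_newrole`.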
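Review bot: The guard in usr.sbin/cron/cron/Makefile tests `.if !defined(SEBSD)`, while every other Makefile in this change tests `!defined(NO_SEBSD)`. As written, setting NO_SEBSD still adds `-DSEBSD` and `-lsebsd` to cron, and lib/Makefile in the same change stops building libsebsd under NO_SEBSD, so the cron link would presumably fail. Conversely, defining a make variable named SEBSD would silently build cron without the SEBSD checks. The condition should be `.if !defined(NO_SEBSD)`.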
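Review bot: The last `#endif /* !SEBSD */` in the second do_command.c hunk comes after the `warn(...)` call, `_exit(ERROR_EXIT);` and a closing `}`, so a build without SEBSD compiles none of them. In that build a failed `execle()` is no longer reported and the child does not exit at that point. That `}` appears to close a block opened outside the hunk, which would also leave the braces unbalanced when SEBSD is undefined. The second guard should wrap only the brace that closes the `else`, i.e. `#ifdef SEBSD`, `}`, `#endif`, leaving `warn()` and `_exit()` unconditional.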
@@ -721,6 +721,7 @@ errno = sverrno; error(buf); } +#ifdef SEBSD if (label) { mac_t mac; if (mac_from_text(&mac, label)) { @@ -732,6 +733,7 @@ return; } } +#endif /* !SEBSD */ } void
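Review bot: With the `if (label)` block in pwd_mkdb.c now under `#ifdef SEBSD`, a build without SEBSD drops a non-NULL `label` without any diagnostic, and the installed file keeps whatever label it already had. The callers and the origin of `label` are outside this hunk, so whether a label can still be passed in a NO_SEBSD build needs confirming. If it can, an `#else` arm that rejects or at least warns on a non-NULL `label` would make the function fail closed instead of silently skipping the relabel. The function body starts outside the hunk.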