02-15-2009, 05:35 AM
Tetsuo Handa

TOMOYO enabled kernels for CentOS

Hello.

I'm an author of TOMOYO Linux, an access control extension for the Linux kernel.

TOMOYO Linux 2.x is now in security-testing-2.6.git tree and will be included
into upstream sooner or later.
http://git.kernel.org/?p=linux/kernel/git/jmorris/security-testing-2.6.git;a=shortlog;h=next

I'm also maintaining RPM packages for CentOS 3.9/4.7/5.2.
I'm ready to support kernel-2.6.18-128.el5 as soon as CentOS 5.3 gets released.

While http://wiki.centos.org/HowTos/Packages/ContributeYourRPMs says
"Submit the .spec file along with a URL to the src.rpm file to CentOS-devel
mailing list;", I only pasted a script which generates a spec file because
the kernel's spec file is very large.
--------------------
#! /bin/sh
#
# This is a kernel build script for CentOS 5.2's 2.6.18 kernel.
#

# Print an error message to stderr and abort the build.
die () {
    echo "$1" >&2
    exit 1
}

cd /tmp/ || die "Can't chdir to /tmp/ ."

# Fetch the CentOS kernel source package unless a copy is already present.
if [ ! -r kernel-2.6.18-92.1.22.el5.src.rpm ]
then
    wget http://ftp.riken.jp/Linux/centos/5.2/updates/SRPMS/kernel-2.6.18-92.1.22.el5.src.rpm || die "Can't download source package."
fi
rpm -ivh kernel-2.6.18-92.1.22.el5.src.rpm || die "Can't install source package."

cd /usr/src/redhat/SOURCES/ || die "Can't chdir to /usr/src/redhat/SOURCES/ ."
# Fetch the TOMOYO (ccs) patch tarball into the RPM SOURCES directory.
if [ ! -r ccs-patch-1.6.6-20090202.tar.gz ]
then
    wget http://osdn.dl.sourceforge.jp/tomoyo/30297/ccs-patch-1.6.6-20090202.tar.gz || die "Can't download patch."
fi

cd /tmp/ || die "Can't chdir to /tmp/ ."
cp -p /usr/src/redhat/SPECS/kernel-2.6.spec . || die "Can't copy spec file."
patch << "EOF" || die "Can't patch spec file."
--- kernel-2.6.spec 2008-12-17 01:17:06.000000000 +0900
+++ kernel-2.6.spec 2008-12-17 14:58:33.000000000 +0900
@@ -66,7 +66,7 @@
# that the kernel isn't the stock distribution kernel, for example,
# by setting the define to ".local" or ".bz123456"
#
-#% define buildid
+%define buildid _tomoyo_1.6.6
#
%define sublevel 18
%define kversion 2.6.%{sublevel}
@@ -281,6 +281,9 @@
# to versions below the minimum
#

+# TOMOYO Linux
+%define signmodules 0
+
#
# First the general kernel 2.6 required versions as per
# Documentation/Changes
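Review bot: `%define signmodules 0` is added under the bare comment `# TOMOYO Linux`, so the spec turns module signing off without recording why. Please put the reason in that comment and say in the package description that the modules in ccs-kernel are not signed, since anyone comparing this package with the stock kernel will otherwise not notice the difference.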
@@ -306,7 +309,7 @@
#
%define kernel_prereq fileutils, module-init-tools, initscripts >= 8.11.1-1, mkinitrd >= 4.2.21-1

-Name: kernel
+Name: ccs-kernel
Group: System Environment/Kernel
License: GPLv2
URL: http://www.kernel.org/
@@ -4854,6 +4857,10 @@

# END OF PATCH APPLICATIONS

+# TOMOYO Linux
+tar -zxf %_sourcedir/ccs-patch-1.6.6-20090202.tar.gz
+patch -sp1 < patches/ccs-patch-2.6.18-centos-5.2.diff
+
cp %{SOURCE10} Documentation/

mkdir configs
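Review bot: the added `tar -zxf %_sourcedir/ccs-patch-1.6.6-20090202.tar.gz` unpacks a tarball that the wrapper script fetched with wget over plain HTTP, and nothing in the script or this hunk checks its digest or signature before `patch -sp1` applies its contents to the kernel tree. Please verify the tarball against a known checksum before extraction, and consider dropping `-s` from patch so that fuzz or offset messages stay visible in the build log.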
@@ -4913,6 +4920,9 @@
for i in *.config
do
mv $i .config
+ # TOMOYO Linux
+ cat config.ccs >> .config
+ sed -i -e "s/CONFIG_DEBUG_INFO=.*/# CONFIG_DEBUG_INFO is not set/" -- .config
Arch=`head -1 .config | cut -b 3-`
make ARCH=$Arch nonint_oldconfig > /dev/null
echo "# $Arch" > configs/$i
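Review bot: the sed line that rewrites `CONFIG_DEBUG_INFO=.*` to `# CONFIG_DEBUG_INFO is not set` sits under the `# TOMOYO Linux` comment, but the reason for switching off debug info is not stated and it is not obviously related to the `cat config.ccs >> .config` line above it. Please give it its own comment explaining why the kernel is built without debug information, or drop it if it is only there to shorten the build.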
EOF
mv kernel-2.6.spec ccs-kernel.spec || die "Can't rename spec file."
echo ""
echo ""
echo ""
echo "Edit /tmp/ccs-kernel.spec if needed, and run"
echo "rpmbuild -bb --without kabichk /tmp/ccs-kernel.spec"
echo "to build kernel rpm packages."
exit 0
--------------------
I posted this message as I have several questions.

(1) TOMOYO can't be built as a kernel module, and will break kabi compatibility
checking.

Is it possible to add "a rebuilt kernel with added drivers and filesystem
support" which breaks kabi compatibility checking into CentOS repository?

(2) I'm every time manually patching .spec file and rebuilding RPM package.
This causes some delays between the CentOS's kernel release and TOMOYO
enabled kernel release. To be able to release updates as soon as possible,
I will be happy if an automated build environment is available.

Can I release updates sooner than now?

(3) Whose GPG key is used for signing "modules in TOMOYO enabled kernel RPM
package" and "TOMOYO enabled kernel RPM packages"?

Regards.
_______________________________________________
CentOS-devel mailing list
CentOS-devel@centos.org
http://lists.centos.org/mailman/listinfo/centos-devel
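
Added example, not part of the original post or of the TOMOYO project's scripts: the build script above downloads the kernel src.rpm and the patch tarball over plain HTTP and reuses any readable file that already has the expected name. One way to pin each artifact to a known SHA-256 digest before `rpm -ivh` or `tar` touches it is sketched below. The names `sha256_matches`, `fetch_verified` and the `FETCH` override are hypothetical, and the digests themselves are assumed to come from a trusted channel.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are hypothetical.

# sha256_matches FILE EXPECTED_HEX
# Returns 0 only if FILE is readable and its SHA-256 equals EXPECTED_HEX.
sha256_matches () {
    _file=$1
    _want=$2
    [ -f "$_file" ] && [ -r "$_file" ] || return 1
    # The pin must be exactly 64 hex digits; an empty or truncated value
    # is a configuration error, never a match.
    case $_want in
        *[!0-9a-fA-F]*) return 2 ;;
    esac
    [ "${#_want}" -eq 64 ] || return 2
    _want=$(printf '%s' "$_want" | tr 'A-F' 'a-f')
    _have=$(sha256sum < "$_file" | cut -d' ' -f1)
    [ "$_have" = "$_want" ]
}

# fetch_verified URL FILE EXPECTED_HEX
# Reuses FILE only when it already matches the pin. A leftover or planted
# file with the right name but other content is deleted and fetched again,
# and a download that fails the check is removed before returning non-zero.
# FETCH is an assumed override for the download command (default: wget).
fetch_verified () {
    _url=$1
    _dest=$2
    _pin=$3
    if sha256_matches "$_dest" "$_pin"; then
        return 0
    fi
    rm -f -- "$_dest"
    ${FETCH:-wget} -O "$_dest" "$_url" || return 1
    if ! sha256_matches "$_dest" "$_pin"; then
        rm -f -- "$_dest"
        return 1
    fi
    return 0
}

# Intended use in the build script, with digests obtained out of band
# (placeholders, not real values):
#   fetch_verified "$SRPM_URL" kernel-2.6.18-92.1.22.el5.src.rpm "$SRPM_SHA256" \
#       || die "Source package failed verification."
```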
 
02-15-2009, 05:48 AM
Manuel Wolfshant

TOMOYO enabled kernels for CentOS

On 02/15/2009 08:35 AM, Tetsuo Handa wrote:
> Hello.
> [...]
> I posted this message as I have several questions.
>
> (1) TOMOYO can't be built as a kernel module, and will break kabi compatibility
> checking.
>
> Is it possible to add "a rebuilt kernel with added drivers and filesystem
> support" which breaks kabi compatibility checking into CentOS repository?
>
Hello


CentOS ships in its official repositories only rpm binaries built
from the content provided by RH. Those in [Base] and [Updates] try to be
identical replicas (modulo the usual trademarks/copyrights
modifications) while those from [Centosplus] enable several (to be read:
many) modules which are included but not enabled.
Any kernels which include other modifications, especially patches,
are provided by alternate channels and private repositories. Therefore
your patch cannot be included as such in CentOS's kernels as long as
RHEL does not ship it either. However I guess that a reference to TOMOYO
and a link to the alternate repo could be added in the wiki, offering
an opt-in feature for the users who want it. What I am sure is that a
kernel which breaks ABI will never be part of the official repos, ABI
compliance for its entire lifespan is one of the core features of the
distribution.

> (2) I'm every time manually patching .spec file and rebuilding RPM package.
> This causes some delays between the CentOS's kernel release and TOMOYO
> enabled kernel release. To be able to release updates as soon as possible,
> I will be happy if an automated build environment is available.
>
> Can I release updates sooner than now?
>
Well, you could use upstream's src rpm and/or correlate with CentOS
developers...

> (3) Whose GPG key is used for signing "modules in TOMOYO enabled kernel RPM
> package" and "TOMOYO enabled kernel RPM packages"?
Probably yours
 
02-15-2009, 09:40 AM
Tetsuo Handa

TOMOYO enabled kernels for CentOS

Hello.

Manuel Wolfshant wrote:
> What I am sure is that a
> kernel which breaks ABI will never be part of the official repos, ABI
> compliance for its entire lifespan is one of the core features of the
> distribution.
TOMOYO can go into none of the repos listed in "Available Repositories for
CentOS" at http://wiki.centos.org/AdditionalResources/Repositories , can't it?

> However I guess that a reference to TOMOYO
> and a link to the alternate repo could be added in the wiki, offering
> an opt-in feature for the users who want it.
That approach requires users to create a yum configuration file which
enables a 3rd party repo, doesn't it?

Then, users won't be able to install TOMOYO enabled kernels without modifying
yum configurations. OK, I'll continue using my 3rd party repo at
http://tomoyo.sourceforge.jp/repos/ .

Thank you.