[CentOS-devel] TOMOYO enabled kernels for CentOS

Sun Feb 15 06:35:16 UTC 2009
Tetsuo Handa <from-centos at I-love.SAKURA.ne.jp>


I'm an author of TOMOYO Linux, access control extension for Linux kernel.

TOMOYO Linux 2.x is now in security-testing-2.6.git tree and will be included
into upstream sooner or later.

I'm also maintaining RPM packages for CentOS 3.9/4.7/5.2 .
I'm ready to support kernel-2.6.18-128.el5 as soon as CentOS 5.3 gets released.

While http://wiki.centos.org/HowTos/Packages/ContributeYourRPMs says
"Submit the .spec file along with a URL to the src.rpm file to CentOS-devel
mailing list;", I only pasted a script which generates a spec file because
the kernel's spec file is very large.
#! /bin/sh
# This is a kernel build script for CentOS 5.2's 2.6.18 kernel.

die () {
    echo $1
    exit 1

cd /tmp/ || die "Can't chdir to /tmp/ ."

if [ ! -r kernel-2.6.18-92.1.22.el5.src.rpm ]
    wget http://ftp.riken.jp/Linux/centos/5.2/updates/SRPMS/kernel-2.6.18-92.1.22.el5.src.rpm || die "Can't download source package."
rpm -ivh kernel-2.6.18-92.1.22.el5.src.rpm || die "Can't install source package."

cd /usr/src/redhat/SOURCES/ || die "Can't chdir to /usr/src/redhat/SOURCES/ ."
if [ ! -r ccs-patch-1.6.6-20090202.tar.gz ]
    wget http://osdn.dl.sourceforge.jp/tomoyo/30297/ccs-patch-1.6.6-20090202.tar.gz || die "Can't download patch."

cd /tmp/ || die "Can't chdir to /tmp/ ."
cp -p /usr/src/redhat/SPECS/kernel-2.6.spec . || die "Can't copy spec file."
patch << "EOF" || die "Can't patch spec file."
--- kernel-2.6.spec	2008-12-17 01:17:06.000000000 +0900
+++ kernel-2.6.spec	2008-12-17 14:58:33.000000000 +0900
@@ -66,7 +66,7 @@
 # that the kernel isn't the stock distribution kernel, for example,
 # by setting the define to ".local" or ".bz123456"
-#% define buildid
+%define buildid _tomoyo_1.6.6
 %define sublevel 18
 %define kversion 2.6.%{sublevel}
@@ -281,6 +281,9 @@
 # to versions below the minimum
+# TOMOYO Linux
+%define signmodules 0
 # First the general kernel 2.6 required versions as per
 # Documentation/Changes
@@ -306,7 +309,7 @@
 %define kernel_prereq  fileutils, module-init-tools, initscripts >= 8.11.1-1, mkinitrd >= 4.2.21-1
-Name: kernel
+Name: ccs-kernel
 Group: System Environment/Kernel
 License: GPLv2
 URL: http://www.kernel.org/
@@ -4854,6 +4857,10 @@
+# TOMOYO Linux
+tar -zxf %_sourcedir/ccs-patch-1.6.6-20090202.tar.gz
+patch -sp1 < patches/ccs-patch-2.6.18-centos-5.2.diff
 cp %{SOURCE10} Documentation/
 mkdir configs
@@ -4913,6 +4920,9 @@
 for i in *.config
   mv $i .config
+  # TOMOYO Linux
+  cat config.ccs >> .config
+  sed -i -e "s/CONFIG_DEBUG_INFO=.*/# CONFIG_DEBUG_INFO is not set/" -- .config
   Arch=`head -1 .config | cut -b 3-`
   make ARCH=$Arch nonint_oldconfig > /dev/null
   echo "# $Arch" > configs/$i
mv kernel-2.6.spec ccs-kernel.spec || die "Can't rename spec file."
echo ""
echo ""
echo ""
echo "Edit /tmp/ccs-kernel.spec if needed, and run"
echo "rpmbuild -bb --without kabichk /tmp/ccs-kernel.spec"
echo "to build kernel rpm packages."
exit 0
I posted this message as I have several questions.

(1) TOMOYO can't be built as a kernel module, and will break kabi compatibility

    Is it possible to add "a rebuilt kernel with added drivers and filesystem
    support" which breaks kabi compatibility checking into CentOS repository?

(2) I'm everytime manually patching .spec file and rebuilding RPM package.
    This causes some delays between the CentOS's kernel release and TOMOYO
    enabled kernel release. To be able to release updates as soon as possible,
    I will be happy if an automated build environment is available.

    Can I release updates sooner than now?

(3) Whose GPG key is used for signing "modules in TOMOYO enabled kernel RPM
    package" and "TOMOYO enabled kernel RPM packages"?