selinux-sandbox: add package 2.7 (20170804)

Move policycoreutils/sandbox to sandbox:

* Move and rebase patch:
  - policycoreutils-sandbox-de-bashify.patch

* Cleanup policycoreutils.inc

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>

recipes-security/selinux/policycoreutils.inc

@@ -9,7 +9,6 @@ LICENSE = "GPLv2+"
 
 SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
             file://policycoreutils-fixfiles-de-bashify.patch \
-            file://policycoreutils-sandbox-de-bashify.patch \
            "
 
 PAM_SRC_URI = "file://pam.d/newrole \
@@ -64,15 +63,6 @@ RDEPENDS_${BPN}-python += "\
 	libsemanage-python \
 "
 RDEPENDS_${BPN}-runinit += "libselinux"
-RDEPENDS_${BPN}-sandbox += "\
-	python-math \
-	python-shell \
-	python-subprocess \
-	python-textutils \
-	python-unixadmin \
-	libselinux-python \
-	${BPN}-python \
-"
 RDEPENDS_${BPN}-secon += "libselinux"
 RDEPENDS_${BPN}-semanage = "\
 	python-core \
@@ -128,7 +118,6 @@ PACKAGES =+ "\
 	${PN}-newrole \
 	${PN}-python \
 	${PN}-runinit \
-	${PN}-sandbox \
 	${PN}-secon \
 	${PN}-semanage \
 	${PN}-semodule \
@@ -171,12 +160,6 @@ FILES_${PN}-runinit += "\
 	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/run_init', '', d)} \
 "
 FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy/.debug/* ${prefix}/libexec/selinux/hll/.debug"
-FILES_${PN}-sandbox += "\
-	${datadir}/sandbox/* \
-	${bindir}/sandbox \
-	${sbindir}/seunshare \
-	${sysconfdir}/sysconfig/sandbox \
-"
 FILES_${PN}-secon += "${bindir}/secon"
 FILES_${PN}-semanage = "\
 	${sbindir}/semanage \

recipes-security/selinux/selinux-sandbox.inc

@@ -0,0 +1,28 @@
+SUMMARY = "Run cmd under an SELinux sandbox"
+DESCRIPTION = "\
+Run application within a tightly confined SELinux domain. The default \
+sandbox domain only allows applications the ability to read and write \
+stdin, stdout and any other file descriptors handed to it."
+
+SECTION = "base"
+LICENSE = "GPLv2+"
+
+SRC_URI += "file://sandbox-de-bashify.patch \
+"
+
+DEPENDS += "libcap-ng libselinux"
+
+RDEPENDS_${PN} += "\
+        python-math \
+        python-shell \
+        python-subprocess \
+        python-textutils \
+        python-unixadmin \
+        libselinux-python \
+        selinux-python \
+"
+
+FILES_${PN} += "\
+        ${datadir}/sandbox/sandboxX.sh \
+        ${datadir}/sandbox/start \
+"

recipes-security/selinux/selinux-sandbox/sandbox-de-bashify.patch

@@ -9,25 +9,26 @@ sandboxX script, so point them at /bin/sh instead.
 Upstream-Status: Pending
 
 Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
 ---
  sandbox/sandbox.init | 2 +-
  sandbox/sandboxX.sh  | 2 +-
  2 files changed, 2 insertions(+), 2 deletions(-)
 
-diff --git a/sandbox/sandbox.init b/sandbox/sandbox.init
+diff --git a/sandbox.init b/sandbox.init
 index b3979bf..1893dc8 100644
---- a/sandbox/sandbox.init
-+++ b/sandbox/sandbox.init
+--- a/sandbox.init
++++ b/sandbox.init
 @@ -1,4 +1,4 @@
 -#!/bin/bash
 +#!/bin/sh
  ## BEGIN INIT INFO
  # Provides: sandbox
  # Default-Start: 3 4 5
-diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
+diff --git a/sandboxX.sh b/sandboxX.sh
 index eaa500d..8755d75 100644
---- a/sandbox/sandboxX.sh
-+++ b/sandbox/sandboxX.sh
+--- a/sandboxX.sh
++++ b/sandboxX.sh
 @@ -1,4 +1,4 @@
 -#!/bin/bash
 +#!/bin/sh

recipes-security/selinux/selinux-sandbox_2.7.bb

@@ -0,0 +1,7 @@
+include selinux_20170804.inc
+include ${BPN}.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
+
+SRC_URI[md5sum] = "7360e9dc7b1757b7f82face655982bfa"
+SRC_URI[sha256sum] = "9490620380ab6d428a92869002a51ada0343ca35fa2a6905595745902a64c541"