- Fix the SELinux policies for cachefilesd.

- Compress the installed policy files. - Must include sys/stat.h to use stat() and co. [RH BZ 565135]. - Remove tail comments from functions.
2010-03-02 13:34:48 +00:00 · 2010-03-02 13:34:48 +00:00 · 21e4096bd7
commit 21e4096bd7
parent 5ddc028225
4 changed files with 150 additions and 25 deletions
--- a/.cvsignore
+++ b/.cvsignore
@ -6,3 +6,4 @@ cachefilesd-0.5.tar.bz2
 cachefilesd-0.6.tar.bz2
 cachefilesd-0.7.tar.bz2
 cachefilesd-0.9.tar.bz2
+cachefilesd-0.10.tar.bz2
--- a/cachefilesd-0.10-security-contexts.patch
+++ b/cachefilesd-0.10-security-contexts.patch
@ -0,0 +1,27 @@
+commit e8ce3e8205c9aabfe61bc3b34142b9b98e4e0611
+Author: Steve Dickson <steved@redhat.com>
+Date:   Sat Feb 27 05:00:57 2010 -0500
+
+    Set default SELinux security contexts on startup.
+    
+    Make sure the SELinux security contexts are set on files
+    and directories that the cachefilesd daemon needs to access.
+    
+    Signed-off-by: Steve Dickson <steved@redhat.com>
+
+diff --git a/cachefilesd.initd b/cachefilesd.initd
+index 06c4237..bbddcbc 100755
+--- a/cachefilesd.initd
+++ b/cachefilesd.initd
+@@ -49,6 +49,11 @@ case "$1" in
+ 		fi
+ 	}
+ 
+	# Set security contexts 
+	/sbin/restorecon /sbin/cachefilesd
+	/sbin/restorecon /dev/cachefiles
+	/sbin/restorecon -R /var/fscache
+
+ 	# Start daemon.
+ 	daemon --pidfile=$PIDFILE $PROG ${OPTIONS}
+ 	RETVAL=$?
--- a/cachefilesd.spec
+++ b/cachefilesd.spec
@ -1,27 +1,48 @@
+%define selinux_variants mls strict targeted
+%define selinux_policyver %(sed -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp)
+
 Name:           cachefilesd
-Version:        0.9
-Release:        3%{?dist}
+Version:        0.10
+Release:        1%{?dist}
 Summary:        CacheFiles userspace management daemon
 Group:          System Environment/Daemons
-License:        GPLv2+
+License:        GPL
 URL:  		http://people.redhat.com/~dhowells/fscache/
 Source0:        http://people.redhat.com/dhowells/fscache/cachefilesd-%{version}.tar.bz2

+Patch00: cachefilesd-0.10-security-contexts.patch
+
 BuildRoot:      %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
-BuildRequires: automake, autoconf
+BuildRequires: automake, autoconf, selinux-policy-doc
 Requires(post): /sbin/chkconfig, /sbin/service
 Requires(preun): /sbin/chkconfig, /sbin/service
+Requires:       %{name}-selinux = %{version}-%{release}

 %description
 The cachefilesd daemon manages the caching files and directory that are
-that are used by network filesystems such a AFS and NFS to  
+that are used by network filesystems such a AFS and NFS to
 do persistent caching to the local disk.

+%package selinux
+Summary:        SELinux policy module supporting cachefilesd
+Group:          System Environment/Base
+BuildRequires:  checkpolicy, selinux-policy-devel, hardlink
+%if "%{selinux_policyver}" != ""
+Requires:       selinux-policy >= %{selinux_policyver}
+%endif
+Requires(post):   /usr/sbin/semodule, /sbin/restorecon
+Requires(postun): /usr/sbin/semodule, /sbin/restorecon
+
+%description selinux
+SELinux policy module supporting cachefilesd
+
 %prep
 %setup -q

+%patch00 -p1
+
 %build
-%ifarch s390 s390x sparcv9 sparc64
+%ifarch s390 s390x
 PIE="-fPIE"
 %else
 PIE="-fpie"
@ -31,6 +52,17 @@ CFLAGS="`echo $RPM_OPT_FLAGS $ARCH_OPT_FLAGS $PIE`"

 make all

+# Build SELinux policy modules
+cd selinux
+for selinuxvariant in %{selinux_variants}
+do
+    make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile
+    mkdir ${selinuxvariant}
+    mv cachefilesd.pp ${selinuxvariant}/cachefilesd.pp
+    bzip2 -9 ${selinuxvariant}/cachefilesd.pp
+    make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean
+done
+cd -

 %install
 rm -rf %{buildroot}
@ -38,17 +70,45 @@ mkdir -p %{buildroot}/sbin
 mkdir -p %{buildroot}%{_sysconfdir}/rc.d/init.d
 mkdir -p %{buildroot}%{_mandir}/{man5,man8}
 mkdir -p %{buildroot}/usr/share/doc/%{name}-%{version}
+mkdir -p %{buildroot}/usr/share/doc/%{name}-selinux-%{version}
+mkdir -p %{buildroot}%{_localstatedir}/fscache
 make DESTDIR=%{buildroot} install

 install -m 644 cachefilesd.conf %{buildroot}%{_sysconfdir}
 install -m 755 cachefilesd.initd %{buildroot}%{_sysconfdir}/rc.d/init.d/cachefilesd
+install -m 644 selinux/move-cache.txt %{buildroot}/usr/share/doc/%{name}-selinux-%{version}/
+
+# Install SELinux policy modules
+cd selinux
+for selinuxvariant in %{selinux_variants}
+do
+    install -d %{buildroot}%{_datadir}/selinux/${selinuxvariant}
+    install -p -m 644 ${selinuxvariant}/cachefilesd.pp.bz2 \
+           %{buildroot}%{_datadir}/selinux/${selinuxvariant}
+done
+cd -
+
+# Hardlink identical policy module packages together
+/usr/sbin/hardlink -cv %{buildroot}%{_datadir}/selinux

 %clean
 rm -rf $RPM_BUILD_ROOT

-%post 
+%post
 /sbin/chkconfig --add %{name}

+if [ "$1" -ge 1 ]; then
+	/sbin/service cachefilesd condrestart > /dev/null
+fi
+
+%post selinux
+# Install SELinux policy modules
+for selinuxvariant in %{selinux_variants}
+do
+  /usr/sbin/semodule -s ${selinuxvariant} -i \
+    %{_datadir}/selinux/${selinuxvariant}/cachefilesd.pp.bz2 &> /dev/null || :
+done
+
 %preun
 if [ $1 -eq 0 ]; then
 	/sbin/service cachefilesd stop
@ -56,10 +116,23 @@ if [ $1 -eq 0 ]; then
 fi

 %postun
-if [ "$1" -ge 1 ]; then
-	/sbin/service cachefilesd condrestart > /dev/null
+if [ $1 -eq 0 ]; then
+	# Fix up non-standard directory context
+	/sbin/restorecon -R %{_localstatedir}/fscache || :
 fi

+%postun selinux
+# Clean up after package removal
+if [ $1 -eq 0 ]; then
+  # Remove SELinux policy modules
+  for selinuxvariant in %{selinux_variants}
+  do
+    /usr/sbin/semodule -s ${selinuxvariant} -r cachefilesd &> /dev/null || :
+  done
+  # Clean up any remaining file contexts (shouldn't be any really)
+  [ -d %{_localstatedir}/fscache ] && \
+    /sbin/restorecon -R %{_localstatedir}/fscache &> /dev/null || :
+fi

 %files
 %defattr(-,root,root)
@ -69,26 +142,51 @@ fi
 %attr(0755,root,root) %{_sysconfdir}/rc.d/init.d/cachefilesd
 /sbin/*
 %{_mandir}/*/*
+%{_localstatedir}/fscache
+
+%files selinux
+%defattr(-,root,root,0755)
+%doc selinux/move-cache.txt
+%doc selinux/*.fc
+%doc selinux/*.if
+%doc selinux/*.te
+%{_datadir}/selinux/*/cachefilesd.pp.bz2

 %changelog
-* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild

-* Mon Feb 23 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+* Thu Feb 25 2010 David Howells <dhowells@redhat.com>
+- Fix the SELinux policies for cachefilesd.
+- Compress the installed policy files.

-* Fri Jan  9 2009 Steve Dickson <steved@redhat.com> 0.9-1
- Upgraded to latest upstream version: 0.9
+* Tue Feb 23 2010 David Howells <dhowells@redhat.com>
+- Must include sys/stat.h to use stat() and co. [RH BZ 565135].
+- Remove tail comments from functions.

-* Tue Jul 15 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 0.7-5
- fix license tag
+* Thu Aug 9 2007 David Howells <dhowells@redhat.com> 0.9-1
+- The cachefiles module no longer accepts directory fds on cull and inuse
+  commands, but rather uses current working directory.

-* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 0.7-4
- Autorebuild for GCC 4.3
+* Mon Jul 2 2007 David Howells <dhowells@redhat.com> 0.8-16
+- Use stat64/fstatat64 to avoid EOVERFLOW errors from the kernel on large files.
+
+* Tue Nov 15 2006 David Howells <dhowells@redhat.com> 0.8-15
+- Made cachefilesd ask the kernel whether cullable objects are in use and omit
+  them from the cull table if they are.
+- Made the size of cachefilesd's culling tables configurable.
+- Updated the manual pages.
+
+* Mon Nov 14 2006 David Howells <dhowells@redhat.com> 0.8-14
+- Documented SELinux interaction.
+
+* Fri Nov 10 2006 David Howells <dhowells@redhat.com> 0.8-11
+- Include SELinux policy for cachefilesd.

 * Thu Oct 19 2006 Steve Dickson <steved@redhat.com> 0.7-3
- Fixed typo that was causing the howto.txt not to
-  be installed.
+- Fixed typo that was causing the howto.txt not to be installed.
+
+* Tue Oct 17 2006 David Howells <dhowells@redhat.com> 0.8-1
+- Use /dev/cachefiles if it present in preference to /proc/fs/cachefiles.
+- Use poll rather than SIGURG on /dev/cachefilesd.

 * Sun Oct 01 2006 Jesse Keating <jkeating@redhat.com> - 0.7-2
 - rebuilt for unwind info generation, broken in gcc-4.1.1-21
@ -101,7 +199,7 @@ fi
 - Added the fcull/fstop/frun options

 * Fri Aug 11 2006 Steve Dickson <steved@redhat.com> 0.5-1
- Upgraded to 0.5 which fixed initial scan problem when 
+- Upgraded to 0.5 which fixed initial scan problem when
  started on an empty cache (bz 202184)

 * Tue Aug  8 2006 Steve Dickson <steved@redhat.com> 0.4-3
@ -120,7 +218,7 @@ fi

 * Fri Jul 28 2006 Steve Dickson <steved@redhat.com> 0.3-2
 - Added post and preun rules
- Changed init.d script to up right before portmapper. 
+- Changed init.d script to up right before portmapper.

 * Fri Jun  9 2006 Steve Dickson <steved@redhat.com> 0.3-1
 - Incorporated David Howells manual page updates
@ -132,4 +230,3 @@ fi

 * Sat Apr 22 2006 Steve Dickson <steved@redhat.com> 0.1-1
 - Initial commit
-
--- a/2
+++ b/2
@ -1 +1 @@
-6c674f253f61dd61e26c60ce3edc02c5  cachefilesd-0.9.tar.bz2
+ba27ed4b5e8165c46175501bf703ac08  cachefilesd-0.10.tar.bz2