add "selinux" subpackage containing SELinux policy module

2018-06-13 11:32:25 +00:00 · 2018-06-13 11:32:25 +00:00 · 6f0fa3cf49
commit 6f0fa3cf49
parent 6565b0dbca
3 changed files with 57 additions and 2 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,2 @@
 /memcached-1.5.8.tar.gz
+/memcached-selinux-1.0.tar.gz
--- a/memcached.spec
+++ b/memcached.spec
@ -2,10 +2,15 @@
 %define groupname  memcached
 %bcond_without sasl
 %bcond_with seccomp
+%global selinuxtype	targeted
+%global selinuxmoduletype	contrib
+%global selinuxmodulename	memcached
+%global selinuxmodulever	1.0
+%global selinuxmoduledir	%{selinuxmodulename}-selinux-%{selinuxmodulever}

 Name:           memcached
 Version:        1.5.8
-Release:        1%{?dist}
+Release:        2%{?dist}
 Epoch:          0
 Summary:        High Performance, Distributed Memory Object Cache

@ -14,6 +19,8 @@ License:        BSD
 URL:            https://www.memcached.org/
 Source0:        https://www.memcached.org/files/%{name}-%{version}.tar.gz
 Source1:        memcached.sysconfig
+# SELinux policy sources: https://pagure.io/memcached-selinux/tree/master
+Source2:        https://pagure.io/memcached-selinux/raw/master/f/%{selinuxmoduledir}.tar.gz

 Patch1:         memcached-unit.patch

@ -40,8 +47,21 @@ Requires: %{name} = %{epoch}:%{version}-%{release}
 Install memcached-devel if you are developing C/C++ applications that require
 access to the memcached binary include files.

+%package selinux
+Summary: Selinux policy module
+Group: System Environment/Base
+License: GPLv2
+BuildRequires: selinux-policy
+%{?selinux_requires}
+
+%description selinux
+Install memcached-selinux to ensure your system contains the latest SELinux policy
+optimised for use with this version of memcached.
+
 %prep
-%setup -q
+# Unpack memcached sources into memcached-X.X.X directory
+# and SELinux policy sources into memcached-selinux-X.X
+%setup -q -b 2
 %patch1 -p1 -b .unit

 %build
@ -51,6 +71,10 @@ access to the memcached binary include files.

 make %{?_smp_mflags}

+pushd ../%{selinuxmoduledir}
+make
+popd
+
 %check
 # disable testing as it is unreliable on build systems
 exit 0
@ -83,6 +107,14 @@ install -Dp -m0644 scripts/memcached.service \
 # Default configs
 install -Dp -m0644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/sysconfig/%{name}

+# install SELinux policy module
+pushd ../%{selinuxmoduledir}
+install -d %{buildroot}%{_datadir}/selinux/packages
+install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{selinuxmoduletype}
+# Not installing memcached.if - interface file from selinux-policy-devel will be used
+# see. "Independant product policy" documentation for more details
+install -m 0644 %{selinuxmodulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages
+popd

 %pre
 getent group %{groupname} >/dev/null || groupadd -r %{groupname}
@ -91,10 +123,15 @@ useradd -r -g %{groupname} -d /run/memcached \
    -s /sbin/nologin -c "Memcached daemon" %{username}
 exit 0

+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}

 %post
 %systemd_post memcached.service

+%post selinux
+# install selinux policy module with priority 200 to override the default policy
+%selinux_modules_install -s %{selinuxtype} -p 200 %{_datadir}/selinux/packages/%{selinuxmodulename}.pp.bz2 &> /dev/null

 %preun
 %systemd_preun memcached.service
@ -103,6 +140,13 @@ exit 0
 %postun
 %systemd_postun_with_restart memcached.service

+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} -p 200 %{selinuxmodulename}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype} &> /dev/null

 %files
 %doc AUTHORS ChangeLog COPYING NEWS README.md doc/CONTRIBUTORS doc/*.txt
@ -117,7 +161,16 @@ exit 0
 %files devel
 %{_includedir}/memcached/*

+%files selinux
+%defattr(-,root,root,0755)
+%attr(0644,root,root) %{_datadir}/selinux/packages/%{selinuxmodulename}.pp.bz2
+%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{selinuxmodulename}
+%license COPYING
+
 %changelog
+* Tue Jun 05 2018 Vit Mojzis <vmojzis@redhat.com> - 0:1.5.8-2
+- add "selinux" subpackage containing SELinux policy module
+
 * Fri May 25 2018 Miroslav Lichvar <mlichvar@redhat.com> - 0:1.5.8-1
 - update to 1.5.8
 - use system CFLAGS and LDFLAGS
--- a/1
+++ b/1
@ -1 +1,2 @@
 SHA512 (memcached-1.5.8.tar.gz) = 6f0e3ce9cae3e424c41223597353b9520e7e7f97fb4719a5d520dfd34e1d917d4ee0e42bced0a5799042227b80bc4ed2778715a71b9941239db13cb367bdb088
+SHA512 (memcached-selinux-1.0.tar.gz) = 0b1f65c2f45fe15d45f470cd42c8164865d4f667cca5a2139098fdc41afa52ac867cf8edf360c8f59b878e2e41a07edd6673162f097ad9be079cffa1ddecdea5