Add check for config file consistency
After all reverted commit looks good, just targeted store have to be
specified when permissivedomains SELinux module is loaded.
This reverts commit f1ed716369.
This commit is contained in:
Lukas Vrabec
parent
f1ed716369
commit
2e12c978e7
|
|
@ -342,6 +342,58 @@ mkdir -p %{buildroot}/%{_libexecdir}/selinux/ \
|
|||
#install -m 644 -p %{SOURCE101} %{buildroot}/%{_unitdir}/ \
|
||||
#ln -s ../selinux-factory-reset@.service %{buildroot}/%{_unitdir}/basic.target.wants/selinux-factory-reset@%1.service
|
||||
|
||||
# Make sure the config is consistent with what packages are installed in the system
|
||||
# this covers cases when system is installed with selinux-policy-{mls,minimal}
|
||||
# or selinux-policy-{targeted,mls,minimal} where switched but the machine has not
|
||||
# been rebooted yet.
|
||||
# The macro should be called at the beginning of "post" (to make sure load_policy does not fail)
|
||||
# and in "posttrans" (to make sure that the store is consistent when all package transitions are done)
|
||||
# Parameter determines the policy type to be set in case of miss-configuration (if backup value is not usable)
|
||||
# Steps:
|
||||
# * load values from config and its backup
|
||||
# * check whether SELINUXTYPE from backup is usable and make sure that it's set in the config if so
|
||||
# * use "targeted" if it's being installed and BACKUP_SELINUXTYPE cannot be used
|
||||
# * check whether SELINUXTYPE in the config is usable and change it to newly installed policy if it isn't
|
||||
%define checkConfigConsistency() \
|
||||
. %{_sysconfdir}/selinux/config; \
|
||||
if [ -f %{_sysconfdir}/selinux/.config_backup ]; then \
|
||||
. %{_sysconfdir}/selinux/.config_backup; \
|
||||
else \
|
||||
BACKUP_SELINUXTYPE=targeted; \
|
||||
fi; \
|
||||
if ls %{_sysconfdir}/selinux/$BACKUP_SELINUXTYPE/policy/policy.* &>/dev/null; then \
|
||||
if [ "$BACKUP_SELINUXTYPE" != "$SELINUXTYPE" ]; then \
|
||||
sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE='"$BACKUP_SELINUXTYPE"'/g' %{_sysconfdir}/selinux/config; \
|
||||
fi; \
|
||||
elif [ "%1" = "targeted" ]; then \
|
||||
if [ "%1" != "$SELINUXTYPE" ]; then \
|
||||
sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \
|
||||
fi; \
|
||||
elif ! ls %{_sysconfdir}/selinux/$SELINUXTYPE/policy/policy.* &>/dev/null; then \
|
||||
if [ "%1" != "$SELINUXTYPE" ]; then \
|
||||
sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \
|
||||
fi; \
|
||||
fi;
|
||||
|
||||
# Create hidden backup of /etc/selinux/config and prepend BACKUP_ to names
|
||||
# of variables inside so that they are easy to use later
|
||||
# This should be done in "pretrans" because config content can change during RPM operations
|
||||
# The macro has to be used in a script slot with "-p <lua>"
|
||||
%define backupConfigLua() \
|
||||
local sysconfdir = rpm.expand("%{_sysconfdir}") \
|
||||
local config_file = sysconfdir .. "/selinux/config" \
|
||||
local config_backup = sysconfdir .. "/selinux/.config_backup" \
|
||||
os.remove(config_backup) \
|
||||
if posix.stat(config_file) then \
|
||||
local f = assert(io.open(config_file, "r"), "Failed to read " .. config_file) \
|
||||
local content = f:read("*all") \
|
||||
f:close() \
|
||||
local backup = content:gsub("SELINUX", "BACKUP_SELINUX") \
|
||||
local bf = assert(io.open(config_backup, "w"), "Failed to open " .. config_backup) \
|
||||
bf:write(backup) \
|
||||
bf:close() \
|
||||
end
|
||||
|
||||
%build
|
||||
|
||||
%prep
|
||||
|
|
@ -385,7 +437,7 @@ cp %{SOURCE28} %{buildroot}/
|
|||
%makeModulesConf targeted base contrib
|
||||
%installCmds targeted mcs n allow
|
||||
# install permissivedomains.cil
|
||||
semodule -p %{buildroot} -X 100 -i %{buildroot}/permissivedomains.cil
|
||||
semodule -p %{buildroot} -X 100 -s targeted -i %{buildroot}/permissivedomains.cil
|
||||
rm -rf %{buildroot}/permissivedomains.cil
|
||||
# recreate sandbox.pp
|
||||
rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox
|
||||
|
|
@ -501,13 +553,20 @@ Conflicts: container-selinux < 2:1.12.1-22
|
|||
%description targeted
|
||||
SELinux Reference policy targeted base module.
|
||||
|
||||
%pretrans targeted -p <lua>
|
||||
%backupConfigLua
|
||||
|
||||
%pre targeted
|
||||
%preInstall targeted
|
||||
|
||||
%post targeted
|
||||
%checkConfigConsistency targeted
|
||||
%postInstall $1 targeted
|
||||
exit 0
|
||||
|
||||
%posttrans targeted
|
||||
%checkConfigConsistency targeted
|
||||
|
||||
%postun targeted
|
||||
if [ $1 = 0 ]; then
|
||||
source /etc/selinux/config
|
||||
|
|
@ -573,6 +632,9 @@ Conflicts: container-selinux <= 1.9.0-9
|
|||
%description minimum
|
||||
SELinux Reference policy minimum base module.
|
||||
|
||||
%pretrans minimum -p <lua>
|
||||
%backupConfigLua
|
||||
|
||||
%pre minimum
|
||||
%preInstall minimum
|
||||
if [ $1 -ne 1 ]; then
|
||||
|
|
@ -580,6 +642,7 @@ if [ $1 -ne 1 ]; then
|
|||
fi
|
||||
|
||||
%post minimum
|
||||
%checkConfigConsistency minimum
|
||||
contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst`
|
||||
basepackages=`cat /usr/share/selinux/minimum/modules-base.lst`
|
||||
if [ ! -d /var/lib/selinux/minimum/active/modules/disabled ]; then
|
||||
|
|
@ -611,6 +674,9 @@ done
|
|||
fi
|
||||
exit 0
|
||||
|
||||
%posttrans minimum
|
||||
%checkConfigConsistency minimum
|
||||
|
||||
%postun minimum
|
||||
if [ $1 = 0 ]; then
|
||||
source /etc/selinux/config
|
||||
|
|
@ -668,13 +734,20 @@ Conflicts: container-selinux <= 1.9.0-9
|
|||
%description mls
|
||||
SELinux Reference policy mls base module.
|
||||
|
||||
%pretrans mls -p <lua>
|
||||
%backupConfigLua
|
||||
|
||||
%pre mls
|
||||
%preInstall mls
|
||||
|
||||
%post mls
|
||||
%checkConfigConsistency mls
|
||||
%postInstall $1 mls
|
||||
exit 0
|
||||
|
||||
%posttrans mls
|
||||
%checkConfigConsistency mls
|
||||
|
||||
%postun mls
|
||||
if [ $1 = 0 ]; then
|
||||
source /etc/selinux/config
|
||||
|
|
|
|||
Loading…
Reference in New Issue