Add check for config file consistency

After all, the reverted commit looks good; only the targeted store has to be
specified explicitly when the permissivedomains SELinux module is loaded.

This reverts commit f1ed716369.
This commit is contained in:
Lukas Vrabec 2019-04-12 21:06:26 +02:00
parent f1ed716369
commit 2e12c978e7
No known key found for this signature in database
GPG Key ID: 47201AC42F29CE06


@ -342,6 +342,58 @@ mkdir -p %{buildroot}/%{_libexecdir}/selinux/ \
#install -m 644 -p %{SOURCE101} %{buildroot}/%{_unitdir}/ \ #install -m 644 -p %{SOURCE101} %{buildroot}/%{_unitdir}/ \
#ln -s ../selinux-factory-reset@.service %{buildroot}/%{_unitdir}/basic.target.wants/selinux-factory-reset@%1.service #ln -s ../selinux-factory-reset@.service %{buildroot}/%{_unitdir}/basic.target.wants/selinux-factory-reset@%1.service
# Make sure the config is consistent with what packages are installed in the system
# this covers cases when system is installed with selinux-policy-{mls,minimal}
# or selinux-policy-{targeted,mls,minimal} where switched but the machine has not
# been rebooted yet.
# The macro should be called at the beginning of "post" (to make sure load_policy does not fail)
# and in "posttrans" (to make sure that the store is consistent when all package transitions are done)
# Parameter determines the policy type to be set in case of miss-configuration (if backup value is not usable)
# Steps:
# * load values from config and its backup
# * check whether SELINUXTYPE from backup is usable and make sure that it's set in the config if so
# * use "targeted" if it's being installed and BACKUP_SELINUXTYPE cannot be used
# * check whether SELINUXTYPE in the config is usable and change it to newly installed policy if it isn't
%define checkConfigConsistency() \
. %{_sysconfdir}/selinux/config; \
if [ -f %{_sysconfdir}/selinux/.config_backup ]; then \
. %{_sysconfdir}/selinux/.config_backup; \
else \
BACKUP_SELINUXTYPE=targeted; \
fi; \
if ls %{_sysconfdir}/selinux/$BACKUP_SELINUXTYPE/policy/policy.* &>/dev/null; then \
if [ "$BACKUP_SELINUXTYPE" != "$SELINUXTYPE" ]; then \
sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE='"$BACKUP_SELINUXTYPE"'/g' %{_sysconfdir}/selinux/config; \
fi; \
elif [ "%1" = "targeted" ]; then \
if [ "%1" != "$SELINUXTYPE" ]; then \
sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \
fi; \
elif ! ls %{_sysconfdir}/selinux/$SELINUXTYPE/policy/policy.* &>/dev/null; then \
if [ "%1" != "$SELINUXTYPE" ]; then \
sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \
fi; \
fi;
# Create hidden backup of /etc/selinux/config and prepend BACKUP_ to names
# of variables inside so that they are easy to use later
# This should be done in "pretrans" because config content can change during RPM operations
# The macro has to be used in a script slot with "-p <lua>"
%define backupConfigLua() \
local sysconfdir = rpm.expand("%{_sysconfdir}") \
local config_file = sysconfdir .. "/selinux/config" \
local config_backup = sysconfdir .. "/selinux/.config_backup" \
os.remove(config_backup) \
if posix.stat(config_file) then \
local f = assert(io.open(config_file, "r"), "Failed to read " .. config_file) \
local content = f:read("*all") \
f:close() \
local backup = content:gsub("SELINUX", "BACKUP_SELINUX") \
local bf = assert(io.open(config_backup, "w"), "Failed to open " .. config_backup) \
bf:write(backup) \
bf:close() \
end
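Review bot: The three `sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=…/g'` calls in `checkConfigConsistency` splice `$BACKUP_SELINUXTYPE` (sourced from `.config_backup`) and `%1` into the `s///` replacement unvalidated, so a value containing `/`, `&` or `\` breaks or corrupts the rewrite, and an empty value (a config whose `SELINUXTYPE=` line is missing or commented out, which the Lua backup then faithfully reproduces) skips the `targeted` fallback on the `else` branch and ends up in `ls /etc/selinux//policy/policy.*`. Both files are root-owned, so this is robustness rather than a privilege issue, but the macro exists precisely to repair a mis-configured file, so those are the inputs it will meet. A small guard after the `fi` that loads the backup would close both cases: `case "$BACKUP_SELINUXTYPE" in ""|*[!A-Za-z0-9_.-]*) BACKUP_SELINUXTYPE=%1;; esac`. Note also that `sed` only rewrites an existing `SELINUXTYPE=` line, so when the key is absent the config is left unchanged without any message; either append the line when `grep -q '^SELINUXTYPE=' … || echo 'SELINUXTYPE=%1' >> …` or document in the macro header that a config without `SELINUXTYPE=` is not repaired.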
%build %build
%prep %prep
@ -385,7 +437,7 @@ cp %{SOURCE28} %{buildroot}/
%makeModulesConf targeted base contrib %makeModulesConf targeted base contrib
%installCmds targeted mcs n allow %installCmds targeted mcs n allow
# install permissivedomains.cil # install permissivedomains.cil
semodule -p %{buildroot} -X 100 -i %{buildroot}/permissivedomains.cil semodule -p %{buildroot} -X 100 -s targeted -i %{buildroot}/permissivedomains.cil
rm -rf %{buildroot}/permissivedomains.cil rm -rf %{buildroot}/permissivedomains.cil
# recreate sandbox.pp # recreate sandbox.pp
rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox
@ -501,13 +553,20 @@ Conflicts: container-selinux < 2:1.12.1-22
%description targeted %description targeted
SELinux Reference policy targeted base module. SELinux Reference policy targeted base module.
%pretrans targeted -p <lua>
%backupConfigLua
%pre targeted %pre targeted
%preInstall targeted %preInstall targeted
%post targeted %post targeted
%checkConfigConsistency targeted
%postInstall $1 targeted %postInstall $1 targeted
exit 0 exit 0
%posttrans targeted
%checkConfigConsistency targeted
%postun targeted %postun targeted
if [ $1 = 0 ]; then if [ $1 = 0 ]; then
source /etc/selinux/config source /etc/selinux/config
@ -573,6 +632,9 @@ Conflicts: container-selinux <= 1.9.0-9
%description minimum %description minimum
SELinux Reference policy minimum base module. SELinux Reference policy minimum base module.
%pretrans minimum -p <lua>
%backupConfigLua
%pre minimum %pre minimum
%preInstall minimum %preInstall minimum
if [ $1 -ne 1 ]; then if [ $1 -ne 1 ]; then
@ -580,6 +642,7 @@ if [ $1 -ne 1 ]; then
fi fi
%post minimum %post minimum
%checkConfigConsistency minimum
contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst` contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst`
basepackages=`cat /usr/share/selinux/minimum/modules-base.lst` basepackages=`cat /usr/share/selinux/minimum/modules-base.lst`
if [ ! -d /var/lib/selinux/minimum/active/modules/disabled ]; then if [ ! -d /var/lib/selinux/minimum/active/modules/disabled ]; then
@ -611,6 +674,9 @@ done
fi fi
exit 0 exit 0
%posttrans minimum
%checkConfigConsistency minimum
%postun minimum %postun minimum
if [ $1 = 0 ]; then if [ $1 = 0 ]; then
source /etc/selinux/config source /etc/selinux/config
@ -668,13 +734,20 @@ Conflicts: container-selinux <= 1.9.0-9
%description mls %description mls
SELinux Reference policy mls base module. SELinux Reference policy mls base module.
%pretrans mls -p <lua>
%backupConfigLua
%pre mls %pre mls
%preInstall mls %preInstall mls
%post mls %post mls
%checkConfigConsistency mls
%postInstall $1 mls %postInstall $1 mls
exit 0 exit 0
%posttrans mls
%checkConfigConsistency mls
%postun mls %postun mls
if [ $1 = 0 ]; then if [ $1 = 0 ]; then
source /etc/selinux/config source /etc/selinux/config