diff --git a/modules-mls-base.conf b/modules-mls-base.conf
index 436b9bd7..5b21a3eb 100644
--- a/modules-mls-base.conf
+++ b/modules-mls-base.conf
@@ -92,13 +92,6 @@ userdomain = module
 #
 files = base
 
-# Layer: system
-# Module: miscfiles
-#
-# Miscelaneous files.
-#
-miscfiles = module
-
 # Module: filesystem
 # Required in base
 #
@@ -176,20 +169,6 @@ auditadm = module
 #
 logadm = module
 
-# Layer: role
-# Module: logadm
-#
-# logadm account on tty logins
-#
-logadm = module
-
-# Layer:role
-# Module: sysadm_secadm
-#
-# System Administrator with Security Admin rules
-#
-sysadm_secadm = module
-
 # Layer: role
 # Module: secadm
 #
@@ -351,13 +330,6 @@ miscfiles = module
 #
 modutils = module
 
-# Layer: services
-# Module: automount
-#
-# Filesystem automounter service.
-#
-automount = module
-
 # Layer: system
 # Module: mount
 #
@@ -406,11 +378,3 @@ systemd = module
 # Policy for udev.
 #
 udev = module
-
-# Layer: system
-# Module: userdomain
-#
-# Policy for user domains
-#
-userdomain = module
-
diff --git a/modules-mls-contrib.conf b/modules-mls-contrib.conf
index 3f4ccc1d..163a0fb1 100644
--- a/modules-mls-contrib.conf
+++ b/modules-mls-contrib.conf
@@ -117,13 +117,6 @@ awstats = module
 #
 bind = module
 
-# Layer: services
-# Module: rpcbind
-#
-# universal addresses to RPC program number mapper
-#
-rpcbind = module
-
 # Layer: services
 # Module: bitlbee
 #
@@ -495,13 +488,6 @@ fprintd = module
 #
 ftp = module
 
-# Layer: services
-# Module: tftp
-#
-# Trivial file transfer protocol daemon
-#
-tftp = module
-
 # Layer: apps
 # Module: games
 #
@@ -537,13 +523,6 @@ glance = module
 #
 gnome = module
 
-# Layer: apps
-# Module: gpg
-#
-# Policy for GNU Privacy Guard and related programs.
-#
-gpg = module
-
 # Layer: apps
 # Module: gpg
 #
@@ -579,13 +558,6 @@ gssproxy = module
 #
 guest = module
 
-# Layer: role
-# Module: xguest
-#
-# Minimally privs guest account on X Windows logins
-#
-xguest = module
-
 # Layer: services
 # Module: i18n_input
 #
@@ -607,13 +579,6 @@ inetd = module
 #
 inn = module
 
-# Layer: services
-# Module: lircd
-#
-# LIRC daemon - decodes infrared signals and provides them on a Unix domain socket.
-#
-lircd = module
-
 # Layer: apps
 # Module: irc
 #
@@ -670,13 +635,6 @@ kerberos = module
 #
 kismet = module
 
-# Layer: services
-# Module: ksmtuned
-#
-# Kernel Samepage Merging (KSM) Tuning Daemon
-#
-ksmtuned = module
-
 # Layer: services
 # Module: ktalk
 #
@@ -1041,11 +999,6 @@ prelink = module
 unprivuser = module
 
-# Layer: services
-# Module: prelude
-#
-prelude = module
-
 
 # Layer: services
 # Module: privoxy
 #
@@ -1431,13 +1384,6 @@ timidity = off
 #
 tmpreaper = module
 
-# Layer: apps
-# Module: cpufreqselector
-#
-# cpufreqselector executable
-#
-cpufreqselector = module
-
 # Layer: services
 # Module: tor
 #
@@ -1529,13 +1475,6 @@ virt = module
 #
 vmware = module
 
-# Layer: services
-# Module: openvpn
-#
-# Policy for OPENVPN full-featured SSL VPN solution
-#
-openvpn = module
-
 # Layer: contrib
 # Module: openvswitch
 #
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 841af6d1..07b4d0c0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 137%{?dist}.1
+Release: 138%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -273,7 +273,6 @@ fi;
 
 %define postInstall() \
 . %{_sysconfdir}/selinux/config; \
-(cd /etc/selinux/%2/modules/active/modules; rm -f vbetool.pp l2tpd.pp shutdown.pp amavis.pp clamav.pp gnomeclock.pp nsplugin.pp matahari.pp xfs.pp kudzu.pp kerneloops.pp execmem.pp openoffice.pp ada.pp tzdata.pp hal.pp hotplug.pp howl.pp java.pp mono.pp moilscanner.pp gamin.pp audio_entropy.pp audioentropy.pp iscsid.pp polkit_auth.pp polkit.pp rtkit_daemon.pp ModemManager.pp telepathysofiasip.pp ethereal.pp passanger.pp qemu.pp qpidd.pp pyzor.pp razor.pp pki-selinux.pp phpfpm.pp consoletype.pp ctdbd.pp fcoemon.pp isnsd.pp rgmanager.pp corosync.pp aisexec.pp pacemaker.pp pkcsslotd.pp smstools.pp ) \
 if [ -e /etc/selinux/%2/.rebuild ]; then \
 rm /etc/selinux/%2/.rebuild; \
 /usr/sbin/semodule -B -n -s %2; \
@@ -475,17 +474,22 @@ exit 0
 restorecon -R -p /home
 exit 0
 
-%triggerpostun targeted -- selinux-policy-targeted < 3.13.1-137.1
-set -x
+%triggerpostun targeted -- selinux-policy-targeted < 3.13.1-138
+CR=$'\n'
+INPUT=""
 for i in `find /etc/selinux/targeted/modules/active/modules/ -name \*disabled`; do
- module=`basename $i | sed 's/.pp.disabled//'`
- if [ -d /var/lib/selinux/targeted/active/modules/100/$module ]; then
- semodule -d $module
- fi
+ module=`basename $i | sed 's/.pp.disabled//'`
+ if [ -d /var/lib/selinux/targeted/active/modules/100/$module ]; then
+ touch /var/lib/selinux/targeted/active/modules/disabled/$p
+ fi
 done
 for i in `find /etc/selinux/targeted/modules/active/modules/ -name \*.pp`; do
- semodule -i $i
+ INPUT="${INPUT}${CR}module -N -a $i"
 done
+echo "$INPUT" | %{_sbindir}/semanage import -S targeted -N
+if /usr/sbin/selinuxenabled ; then
+ /usr/sbin/load_policy
+fi
 exit 0
 
 %files targeted -f %{buildroot}/%{_usr}/share/selinux/targeted/nonbasemodules.lst
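Review bot: In the new targeted %triggerpostun, the loop computes `$module` but the marker is written with `$p`, which is never set in this scriptlet, so the path degenerates to the `disabled/` directory itself and no previously-disabled module is carried over; the line should read `touch /var/lib/selinux/targeted/active/modules/disabled/$module`. The minimum and mls triggers added later in this patch contain the same `$p` mistake. Neither this trigger nor the mls one creates `/var/lib/selinux/<store>/active/modules/disabled` before touching into it (only the minimum %post does under an `if [ ! -d ... ]` guard); if the store does not already provide that directory the touch fails silently, so a matching `mkdir` guard here would be worth adding. The results of the backtick `find` calls are word-split and `$i`/`$module` are used unquoted, which is fine under the fixed `/etc/selinux/...` root but would be cleaner as `"$i"` and `"$module"`.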
@@ -518,18 +522,21 @@ SELinux Reference policy minimum base module.
 %pre minimum
 %preInstall minimum
 if [ $1 -ne 1 ]; then
- /usr/sbin/semodule -s minimum -l 2>/dev/null | awk '{ if ($3 != "Disabled") print $1; }' > /usr/share/selinux/minimum/instmodules.lst
+ /usr/sbin/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > /usr/share/selinux/minimum/instmodules.lst
 fi
 
 %post minimum
 contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst`
 basepackages=`cat /usr/share/selinux/minimum/modules-base.lst`
+if [ ! -d /var/lib/selinux/minimum/active/modules/disabled ]; then
+ mkdir /var/lib/selinux/minimum/active/modules/disabled
+fi
 if [ $1 -eq 1 ]; then
 for p in $contribpackages; do
- touch /etc/selinux/minimum/modules/active/modules/$p.disabled
+ touch /var/lib/selinux/minimum/active/modules/disabled/$p
 done
-for p in $basepackages apache.pp dbus.pp inetd.pp kerberos.pp mta.pp nis.pp; do
- rm -f /etc/selinux/minimum/modules/active/modules/$p.disabled
+for p in $basepackages apache dbus inetd kerberos mta nis; do
+ rm -f /var/lib/selinux/minimum/active/modules/disabled/$p
 done
 /usr/sbin/semanage import -S minimum -f - << __eof
 login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
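Review bot: The `touch .../disabled/$p` loop in %post minimum writes marker files named exactly as the entries of modules-contrib.lst, while the `rm -f` loop that follows removes bare module names (`apache`, `dbus`, ...). The removed code paired `$p.disabled` with `apache.pp`, which suggests the list entries carry a `.pp` suffix; if they still do, the new markers come out as `disabled/abrt.pp`-style names that neither the rm loop nor the `disabled/<module>` convention used by the new %triggerpostun scriptlets will match, and the same applies to the else branch of this scriptlet in the next hunk. Either confirm the list format or strip the suffix when writing the marker, `touch /var/lib/selinux/minimum/active/modules/disabled/${p%.pp}`. The `mkdir` is guarded only by `! -d`, so on a fresh install where `/var/lib/selinux/minimum/active/modules` has not yet been created by the store it will fail; `mkdir -p` would cover that case.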
@@ -540,16 +547,37 @@ __eof
 else
 instpackages=`cat /usr/share/selinux/minimum/instmodules.lst`
 for p in $contribpackages; do
- touch /etc/selinux/minimum/modules/active/modules/$p.disabled
+ touch /var/lib/selinux/minimum/active/modules/disabled/$p
 done
 for p in $instpackages apache dbus inetd kerberos mta nis; do
- rm -f /etc/selinux/minimum/modules/active/modules/$p.pp.disabled
+ rm -f /var/lib/selinux/minimum/active/modules/disabled/$p
 done
 /usr/sbin/semodule -B -s minimum
 %relabel minimum
 fi
 exit 0
 
+%triggerpostun minimum -- selinux-policy-minimum < 3.13.1-138
+if [ `ls -A /var/lib/selinux/minimum/active/modules/disabled/` ]; then
+ rm -f /var/lib/selinux/minimum/active/modules/disabled/*
+fi
+CR=$'\n'
+INPUT=""
+for i in `find /etc/selinux/minimum/modules/active/modules/ -name \*disabled`; do
+ module=`basename $i | sed 's/.pp.disabled//'`
+ if [ -d /var/lib/selinux/minimum/active/modules/100/$module ]; then
+ touch /var/lib/selinux/minimum/active/modules/disabled/$p
+ fi
+done
+for i in `find /etc/selinux/minimum/modules/active/modules/ -name \*.pp`; do
+ INPUT="${INPUT}${CR}module -N -a $i"
+done
+echo "$INPUT" | %{_sbindir}/semanage import -S minimum -N
+if /usr/sbin/selinuxenabled ; then
+ /usr/sbin/load_policy
+fi
+exit 0
+
 %files minimum -f %{buildroot}/%{_usr}/share/selinux/minimum/nonbasemodules.lst
 %defattr(-,root,root,-)
 %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
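Review bot: The guard `if [ \`ls -A /var/lib/selinux/minimum/active/modules/disabled/\` ]; then` in the new minimum %triggerpostun word-splits the unquoted substitution, so with two or more marker files `[` receives several arguments, reports "too many arguments", and the condition evaluates false, leaving the stale markers in place precisely when there are several of them; it only behaves as intended for exactly one file. Since `rm -f` on an empty glob is already harmless, the simplest fix is to drop the test and run `rm -f /var/lib/selinux/minimum/active/modules/disabled/*` unconditionally, or to write the test as `if [ -n "$(ls -A /var/lib/selinux/minimum/active/modules/disabled/)" ]; then`. The `$p` in the `touch` line of the same scriptlet is the undefined-variable issue already raised on the targeted trigger.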
@@ -585,6 +613,26 @@ SELinux Reference policy mls base module.
 %post mls
 %postInstall $1 mls
 
+
+%triggerpostun mls -- selinux-policy-mls < 3.13.1-138
+CR=$'\n'
+INPUT=""
+for i in `find /etc/selinux/mls/modules/active/modules/ -name \*disabled`; do
+ module=`basename $i | sed 's/.pp.disabled//'`
+ if [ -d /var/lib/selinux/mls/active/modules/100/$module ]; then
+ touch /var/lib/selinux/mls/active/modules/disabled/$p
+ fi
+done
+for i in `find /etc/selinux/mls/modules/active/modules/ -name \*.pp`; do
+ INPUT="${INPUT}${CR}module -N -a $i"
+done
+echo "$INPUT" | %{_sbindir}/semanage import -S mls -N
+if /usr/sbin/selinuxenabled ; then
+ /usr/sbin/load_policy
+fi
+exit 0
+
+
 %files mls -f %{buildroot}/%{_usr}/share/selinux/mls/nonbasemodules.lst
 %defattr(-,root,root,-)
 %config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u