Add handling booleans via selinux-policy macros in custom policy spec files.

2017-03-13 16:27:05 +01:00 · 2017-03-13 16:27:05 +01:00 · 6fa7bc6ada
commit 6fa7bc6ada
parent 469c7cb44c
1 changed files with 62 additions and 0 deletions
--- a/rpm.macros
+++ b/rpm.macros
@ -75,3 +75,65 @@ if /usr/sbin/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
   fi \
 fi \
 %{nil}
+
+# %selinux_set_booleans [-s <policytype>] boolean [boolean]...
+%selinux_set_booleans("s:") \
+. /etc/selinux/config \
+_policytype=%{-s*} \
+if [ -z "${_policytype}" ]; then \
+  _policytype="targeted" \
+fi \
+LOCAL_MODIFICATIONS=$(semanage boolean -E) \
+if [ ! -f %_file_custom_defined_booleans ]; then \
+    echo "# This file is managed by selinux.macros. Do not edit it manually" > %_file_custom_defined_booleans \
+fi \
+semanage_import='' \
+for boolean in %*; do \
+    boolean_name=${boolean%=*} \
+    boolean_value=${boolean#*=} \
+    boolean_local_string=$(grep "$boolean_name\$" <<<$LOCAL_MODIFICATIONS) \
+    if [ -n "$boolean_local_string" ]; then \
+        semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
+        boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
+        if [ -n "$boolean_customized_string" ]; then \
+            /bin/echo $boolean_customized_string >> %_file_custom_defined_booleans \
+        else \
+            /bin/echo $boolean_local_string >> %_file_custom_defined_booleans \
+        fi \
+    else \
+        semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
+        boolean_default_value=$(semanage boolean -l | grep "^$boolean_name " | sed 's/[^(]*([^,]*, *\\(on\\|off\\).*/\\1/') \
+        /bin/echo "boolean -m --$boolean_default_value $boolean_name" >> %_file_custom_defined_booleans \
+    fi \
+done; \
+if /usr/sbin/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+    /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
+else \
+    echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype} -N" \
+fi \
+%{nil}
+
+# %selinux_unset_booleans [-s <policytype>] boolean [boolean]...
+%selinux_unset_booleans("s:") \
+. /etc/selinux/config \
+_policytype=%{-s*} \
+if [ -z "${_policytype}" ]; then \
+  _policytype="targeted" \
+fi \
+semanage_import='' \
+for boolean in %*; do \
+    boolean_name=${boolean%=*} \
+    boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
+    if [ -n "$boolean_customized_string" ]; then \
+        awk "/$boolean_customized_string/ && !f{f=1; next} 1" %_file_custom_defined_booleans > %_file_custom_defined_booleans_tmp && mv %_file_custom_defined_booleans_tmp %_file_custom_defined_booleans \
+        if ! grep -q "$boolean_name\$" %_file_custom_defined_booleans; then \
+            semanage_import="${semanage_import}\\n${boolean_customized_string}" \
+        fi \
+    fi \
+done; \
+if /usr/sbin/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+    /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
+else \
+    echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype} -N" \
+fi \
+%{nil}