Prepare selinux-policy package for SELinux store migration
This commit is contained in:
Petr Lautrbach
parent
04f749c8f0
commit
a345bb5a25
@ -14,12 +14,12 @@
|
||||
%define BUILD_MLS 1
|
||||
%endif
|
||||
%define POLICYVER 29
|
||||
%define POLICYCOREUTILSVER 2.1.14-74
|
||||
%define CHECKPOLICYVER 2.1.12-3
|
||||
%define POLICYCOREUTILSVER 2.4-0
|
||||
%define CHECKPOLICYVER 2.4-0
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.13.1
|
||||
Release: 137%{?dist}
|
||||
Release: 137%{?dist}.1
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -95,6 +95,7 @@ SELinux sandbox policy used for the policycoreutils-sandbox package
|
||||
|
||||
%post sandbox
|
||||
rm -f /etc/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
|
||||
rm -f %{_sharedstatedir}/selinux/*/active/modules/disabled/sandbox 2>/dev/null
|
||||
semodule -n -i /usr/share/selinux/packages/sandbox.pp
|
||||
if /usr/sbin/selinuxenabled ; then
|
||||
/usr/sbin/load_policy
|
||||
@ -170,37 +171,21 @@ make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOL
|
||||
make validate UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" modules \
|
||||
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \
|
||||
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install-appconfig \
|
||||
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 SEMODULE="semodule -p %{buildroot} -X 100 " load \
|
||||
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/logins \
|
||||
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/policy \
|
||||
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules \
|
||||
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/contexts/files \
|
||||
touch %{buildroot}/%{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \
|
||||
touch %{buildroot}/%{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \
|
||||
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/booleans \
|
||||
touch %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
|
||||
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
|
||||
install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
|
||||
install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
|
||||
install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
|
||||
install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
|
||||
touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/seusers \
|
||||
touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/file_contexts.local \
|
||||
touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/nodes.local \
|
||||
touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/users_extra.local \
|
||||
touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/users.local \
|
||||
touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/file_contexts.homedirs.bin \
|
||||
touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/file_contexts.bin \
|
||||
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
|
||||
touch %{buildroot}%{_sysconfdir}/selinux/%1/file_contexts.homedirs.bin \
|
||||
touch %{buildroot}%{_sysconfdir}/selinux/%1/file_contexts.bin \
|
||||
cp %{SOURCE30} %{buildroot}%{_sysconfdir}/selinux/%1 \
|
||||
bzip2 -c %{buildroot}/%{_usr}/share/selinux/%1/base.pp > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/base.pp \
|
||||
rm -f %{buildroot}/%{_usr}/share/selinux/%1/base.pp \
|
||||
for i in %{buildroot}/%{_usr}/share/selinux/%1/*.pp; do bzip2 -c $i > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules/`basename $i`; done \
|
||||
rm -f %{buildroot}/%{_usr}/share/selinux/%1/*pp* \
|
||||
mkdir -p %{buildroot}%{_usr}/share/selinux/packages \
|
||||
/usr/sbin/semodule -s %1 -n -B -p %{buildroot}; \
|
||||
/usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
|
||||
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \
|
||||
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \
|
||||
ln -sf /etc/selinux/%1/policy/policy.%{POLICYVER} %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \
|
||||
%nil
|
||||
|
||||
%define fileList() \
|
||||
@ -210,24 +195,12 @@ ln -sf /etc/selinux/%1/policy/policy.%{POLICYVER} %{buildroot}%{_sysconfdir}/se
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
|
||||
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \
|
||||
%dir %{_sysconfdir}/selinux/%1/logins \
|
||||
%dir %{_sysconfdir}/selinux/%1/modules \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \
|
||||
%dir %attr(700,root,root) %dir %{_sysconfdir}/selinux/%1/modules/active \
|
||||
%dir %{_sysconfdir}/selinux/%1/modules/active/modules \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/commit_num \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/base.pp \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/file_contexts \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/file_contexts.homedirs \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/file_contexts.template \
|
||||
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/seusers.final \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/netfilter_contexts \
|
||||
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/users_extra \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/homedir_template \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/policy.kern \
|
||||
%ghost %{_sysconfdir}/selinux/%1/modules/active/*.local \
|
||||
%ghost %{_sysconfdir}/selinux/%1/modules/active/*.bin \
|
||||
%ghost %{_sysconfdir}/selinux/%1/modules/active/seusers \
|
||||
%dir %{_sharedstatedir}/selinux/%1/active \
|
||||
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.read.LOCK \
|
||||
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \
|
||||
%dir %attr(700,root,root) %dir %{_sharedstatedir}/selinux/%1/active/modules \
|
||||
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \
|
||||
%ghost %{_sysconfdir}/selinux/%1/*.bin \
|
||||
%dir %{_sysconfdir}/selinux/%1/policy/ \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
|
||||
%{_sysconfdir}/selinux/%1/.policy.sha512 \
|
||||
@ -250,9 +223,10 @@ ln -sf /etc/selinux/%1/policy/policy.%{POLICYVER} %{buildroot}%{_sysconfdir}/se
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \
|
||||
%dir %{_sysconfdir}/selinux/%1/contexts/files \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
|
||||
%ghost %{_sysconfdir}/selinux/%1/contexts/files/*.bin \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs* \
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
|
||||
# %ghost %{_sysconfdir}/selinux/%1/contexts/files/*.bin \
|
||||
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
|
||||
%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \
|
||||
%{_sysconfdir}/selinux/%1/booleans.subs_dist \
|
||||
@ -312,18 +286,18 @@ else \
|
||||
fi;
|
||||
|
||||
%define modulesList() \
|
||||
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst \
|
||||
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s.pp ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/base.lst \
|
||||
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst \
|
||||
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/base.lst \
|
||||
if [ -e ./policy/modules-contrib.conf ];then \
|
||||
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp ", $1 }' ./policy/modules-contrib.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst; \
|
||||
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst; \
|
||||
fi;
|
||||
|
||||
%define nonBaseModulesList() \
|
||||
contrib_modules=`cat %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst` \
|
||||
base_modules=`cat %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst` \
|
||||
for i in $contrib_modules $base_modules; do \
|
||||
if [ $i != "sandbox.pp" ];then \
|
||||
echo "%verify(not md5 size mtime) /etc/selinux/%1/modules/active/modules/$i" >> %{buildroot}/%{_usr}/share/selinux/%1/nonbasemodules.lst \
|
||||
if [ $i != "sandbox" ];then \
|
||||
echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}/%{_usr}/share/selinux/%1/nonbasemodules.lst \
|
||||
fi; \
|
||||
done
|
||||
|
||||
@ -339,12 +313,13 @@ contrib_path=`pwd`
|
||||
refpolicy_path=`pwd`
|
||||
cp $contrib_path/* $refpolicy_path/policy/modules/contrib
|
||||
|
||||
%install
|
||||
mkdir selinux_config
|
||||
for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32};do
|
||||
cp $i selinux_config
|
||||
done
|
||||
tar zxvf selinux_config/config.tgz
|
||||
|
||||
%install
|
||||
# Build targeted policy
|
||||
%{__rm} -fR %{buildroot}
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/selinux
|
||||
@ -356,18 +331,23 @@ cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/
|
||||
|
||||
# Always create policy module package directories
|
||||
mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,mls,minimum,modules}/
|
||||
mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/
|
||||
|
||||
mkdir -p %{buildroot}%{_usr}/share/selinux/packages
|
||||
|
||||
# Install devel
|
||||
make clean
|
||||
%if %{BUILD_TARGETED}
|
||||
# Build targeted policy
|
||||
# Commented out because only targeted ref policy currently builds
|
||||
mkdir -p %{buildroot}%{_usr}/share/selinux/targeted
|
||||
cp %{SOURCE28} %{buildroot}/%{_usr}/share/selinux/targeted
|
||||
%makeCmds targeted mcs n allow
|
||||
%makeModulesConf targeted base contrib
|
||||
%installCmds targeted mcs n allow
|
||||
mv %{buildroot}/%{_sysconfdir}/selinux/targeted/modules/active/modules/sandbox.pp %{buildroot}/usr/share/selinux/packages
|
||||
# recreate sandbox.pp
|
||||
rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox
|
||||
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 sandbox.pp
|
||||
mv sandbox.pp %{buildroot}/usr/share/selinux/packages/sandbox.pp
|
||||
%modulesList targeted
|
||||
%nonBaseModulesList targeted
|
||||
%endif
|
||||
@ -381,6 +361,7 @@ cp %{SOURCE28} %{buildroot}/%{_usr}/share/selinux/minimum
|
||||
%makeModulesConf targeted base contrib
|
||||
%installCmds minimum mcs n allow
|
||||
rm -f %{buildroot}/%{_sysconfdir}/selinux/minimum/modules/active/modules/sandbox.pp
|
||||
rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
|
||||
%modulesList minimum
|
||||
%nonBaseModulesList minimum
|
||||
%endif
|
||||
@ -413,6 +394,7 @@ mv %{buildroot}%{_usr}/share/man/man8/style.css %{buildroot}%{_usr}/share/selinu
|
||||
mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
|
||||
echo '%%_selinux_policy_version %{version}-%{release}' > %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
||||
|
||||
|
||||
rm -rf selinux_config
|
||||
%clean
|
||||
%{__rm} -fR %{buildroot}
|
||||
@ -441,9 +423,6 @@ SELINUXTYPE=targeted
|
||||
restorecon /etc/selinux/config 2> /dev/null || :
|
||||
else
|
||||
. /etc/selinux/config
|
||||
# if first time update booleans.local needs to be copied to sandbox
|
||||
[ -f /etc/selinux/${SELINUXTYPE}/booleans.local ] && mv /etc/selinux/${SELINUXTYPE}/booleans.local /etc/selinux/targeted/modules/active/
|
||||
[ -f /etc/selinux/${SELINUXTYPE}/seusers ] && cp -f /etc/selinux/${SELINUXTYPE}/seusers /etc/selinux/${SELINUXTYPE}/modules/active/seusers
|
||||
fi
|
||||
exit 0
|
||||
|
||||
@ -496,16 +475,30 @@ exit 0
|
||||
restorecon -R -p /home
|
||||
exit 0
|
||||
|
||||
%triggerpostun targeted -- selinux-policy-targeted < 3.13.1-137.1
|
||||
set -x
|
||||
for i in `find /etc/selinux/targeted/modules/active/modules/ -name \*disabled`; do
|
||||
module=`basename $i | sed 's/.pp.disabled//'`
|
||||
if [ -d /var/lib/selinux/targeted/active/modules/100/$module ]; then
|
||||
semodule -d $module
|
||||
fi
|
||||
done
|
||||
for i in `find /etc/selinux/targeted/modules/active/modules/ -name \*.pp`; do
|
||||
semodule -i $i
|
||||
done
|
||||
exit 0
|
||||
|
||||
%files targeted -f %{buildroot}/%{_usr}/share/selinux/targeted/nonbasemodules.lst
|
||||
%defattr(-,root,root,-)
|
||||
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u
|
||||
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u
|
||||
%fileList targeted
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/targeted/modules/active/modules/permissivedomains.pp
|
||||
# %verify(not md5 size mtime) %{_sharedstatedir}/selinux/targeted/active/modules/100/permissivedomains
|
||||
%{_usr}/share/selinux/targeted/base.lst
|
||||
%{_usr}/share/selinux/targeted/modules-base.lst
|
||||
%{_usr}/share/selinux/targeted/modules-contrib.lst
|
||||
%{_usr}/share/selinux/targeted/nonbasemodules.lst
|
||||
%{_sharedstatedir}/selinux/targeted/active/commit_num
|
||||
%endif
|
||||
|
||||
%if %{BUILD_MINIMUM}
|
||||
@ -562,11 +555,12 @@ exit 0
|
||||
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
|
||||
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u
|
||||
%fileList minimum
|
||||
%verify(not md5 size mtime) %{_sysconfdir}/selinux/minimum/modules/active/modules/permissivedomains.pp
|
||||
# %verify(not md5 size mtime) %{_sysconfdir}/selinux/minimum/modules/active/modules/permissivedomains.pp
|
||||
%{_usr}/share/selinux/minimum/base.lst
|
||||
%{_usr}/share/selinux/minimum/modules-base.lst
|
||||
%{_usr}/share/selinux/minimum/modules-contrib.lst
|
||||
%{_usr}/share/selinux/minimum/nonbasemodules.lst
|
||||
%{_sharedstatedir}/selinux/minimum/active/commit_num
|
||||
%endif
|
||||
|
||||
%if %{BUILD_MLS}
|
||||
@ -599,6 +593,7 @@ SELinux Reference policy mls base module.
|
||||
%{_usr}/share/selinux/mls/modules-base.lst
|
||||
%{_usr}/share/selinux/mls/modules-contrib.lst
|
||||
%{_usr}/share/selinux/mls/nonbasemodules.lst
|
||||
%{_sharedstatedir}/selinux/mls/active/commit_num
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
|
||||
Loading…
Reference in New Issue
Block a user