rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Do a factory reset when there's no policy.kern file in a store

Browse Source 
With rpm-ostree, /var/ directory doesn't contain any file, just
directories. It means that SELinux policy can't be managed or rebuilt
and users have to use only the default policy.

This update adds /usr/share/selinux/POLICYTYPE/default directory and
selinux-factory-reset service.

/var/lib/selinux/POLICYTYPE/active

selinux-reset-policy
This commit is contained in:
Petr Lautrbach 2016-09-12 22:30:11 +02:00 committed by Lukas Vrabec
parent e3bf3ede6a
commit be68ccafef
3 changed files with 60 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
selinux-factory-reset Executable file
View File

@ -0,0 +1,17 @@
#!/bin/bash
if [ ! -f /etc/selinux/config ]; then
SELINUXTYPE=none
else
source /etc/selinux/config
fi
cp -R --preserve=mode,ownership,timestamps,links /usr/share/selinux/$1/default/* /var/lib/selinux/$1
if selinuxenabled; then
semodule -B -n
if [ "$1" = "$SELINUXTYPE" ]; then
reboot
fi
fi

17
selinux-factory-reset@.service Normal file
View File

@ -0,0 +1,17 @@
[Unit]
Description=Reset SELinux policy to factory default
DefaultDependencies=no
Requires=local-fs.target
Conflicts=shutdown.target
After=local-fs.target
Before=sysinit.target shutdown.target
ConditionSecurity=selinux
ConditionKernelCommandLine=|selinux-factory-reset
ConditionPathExists=|!/var/lib/selinux/%I/active/policy.kern
[Service]
ExecStart=/usr/libexec/selinux/selinux-factory-reset %I
Type=oneshot
TimeoutSec=0
RemainAfterExit=yes
StandardInput=tty

26
selinux-policy.spec
View File

@ -56,6 +56,12 @@ Source29: serefpolicy-contrib-%{version}.tgz
Source30: booleans.subs_dist Source30: booleans.subs_dist
Source35: docker-selinux.tgz Source35: docker-selinux.tgz
# Do a factory reset when there's no policy.kern file in a store
# http://bugzilla.redhat.com/1290659
Source100: selinux-factory-reset
Source101: selinux-factory-reset@.service
Url: http://github.com/TresysTechnology/refpolicy/wiki Url: http://github.com/TresysTechnology/refpolicy/wiki
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch BuildArch: noarch
@ -253,6 +259,10 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \
%{_sharedstatedir}/selinux/%1/active/seusers \ %{_sharedstatedir}/selinux/%1/active/seusers \
%{_sharedstatedir}/selinux/%1/active/file_contexts \ %{_sharedstatedir}/selinux/%1/active/file_contexts \
%{_sharedstatedir}/selinux/%1/active/policy.kern \ %{_sharedstatedir}/selinux/%1/active/policy.kern \
%{_datadir}/selinux/%1 \
%{_libexecdir}/selinux/selinux-factory-reset \
%{_unitdir}/selinux-factory-reset@.service \
%{_unitdir}/basic.target.wants/selinux-factory-reset@%1.service \
%nil %nil
%define relabel() \ %define relabel() \
@ -312,7 +322,18 @@ for i in $contrib_modules $base_modules; do \
if [ $i != "sandbox" ];then \ if [ $i != "sandbox" ];then \
echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}/%{_usr}/share/selinux/%1/nonbasemodules.lst \ echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}/%{_usr}/share/selinux/%1/nonbasemodules.lst \
fi; \ fi; \
done done;
%define installFactoryResetFiles() \
mkdir -p %{buildroot}%{_datadir}/selinux/%1/default \
cp -R --preserve=mode,ownership,timestamps,links %{buildroot}%{_sharedstatedir}/selinux/%1/active %{buildroot}%{_datadir}/selinux/%1/default/ \
find %{buildroot}%{_datadir}/selinux/%1/default/ -name hll | xargs rm \
find %{buildroot}%{_datadir}/selinux/%1/default/ -name lang_ext | xargs sed -i 's/pp/cil/' \
mkdir -p %{buildroot}/%{_libexecdir}/selinux/ \
install -p %{SOURCE100} %{buildroot}/%{_libexecdir}/selinux/ \
mkdir -m 755 -p %{buildroot}/%{_unitdir}/basic.target.wants/ \
install -m 644 -p %{SOURCE101} %{buildroot}/%{_unitdir}/ \
ln -s ../selinux-factory-reset@.service %{buildroot}/%{_unitdir}/basic.target.wants/selinux-factory-reset@%1.service
%build %build
@ -367,6 +388,7 @@ make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOL
mv sandbox.pp %{buildroot}/usr/share/selinux/packages/sandbox.pp mv sandbox.pp %{buildroot}/usr/share/selinux/packages/sandbox.pp
%modulesList targeted %modulesList targeted
%nonBaseModulesList targeted %nonBaseModulesList targeted
%installFactoryResetFiles targeted
%endif %endif
%if %{BUILD_MINIMUM} %if %{BUILD_MINIMUM}
@ -380,6 +402,7 @@ rm -f %{buildroot}/%{_sysconfdir}/selinux/minimum/modules/active/modules/sandbox
rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
%modulesList minimum %modulesList minimum
%nonBaseModulesList minimum %nonBaseModulesList minimum
%installFactoryResetFiles minimum
%endif %endif
%if %{BUILD_MLS} %if %{BUILD_MLS}
@ -389,6 +412,7 @@ rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
%installCmds mls mls n deny %installCmds mls mls n deny
%modulesList mls %modulesList mls
%nonBaseModulesList mls %nonBaseModulesList mls
%installFactoryResetFiles mls
%endif %endif
mkdir -p %{buildroot}%{_mandir} mkdir -p %{buildroot}%{_mandir}