rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

* Thu Jun 19 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-60

Browse Source 
- Implement new spec file handling for *.pp modules which allows us to move a policy module out of the policy
This commit is contained in:
Miroslav Grepl 2014-06-19 16:53:27 +02:00
parent 13bbbdb636
commit c04c318879
2 changed files with 25 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
modules-mls-contrib.conf
View File

@ -271,13 +271,6 @@ colord = module
# #
comsat = module comsat = module
# Layer: services
# Module: consolekit
#
# ConsoleKit is a system daemon for tracking what users are logged
#
#consolekit = module
# Layer: services # Layer: services
# Module: courier # Module: courier
# #

31
selinux-policy.spec
View File

@ -11,7 +11,7 @@
%define BUILD_MINIMUM 1 %define BUILD_MINIMUM 1
%endif %endif
%if %{?BUILD_MLS:0}%{!?BUILD_MLS:1} %if %{?BUILD_MLS:0}%{!?BUILD_MLS:1}
%define BUILD_MLS 1 %define BUILD_MLS 0
%endif %endif
%define POLICYVER 29 %define POLICYVER 29
%define POLICYCOREUTILSVER 2.1.14-74 %define POLICYCOREUTILSVER 2.1.14-74
@ -19,7 +19,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.13.1 Version: 3.13.1
Release: 59%{?dist} Release: 60%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -216,7 +216,7 @@ ln -sf /etc/selinux/%1/policy/policy.%{POLICYVER} %{buildroot}%{_sysconfdir}/se
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/netfilter_contexts \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/netfilter_contexts \
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/users_extra \ %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/users_extra \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/homedir_template \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/homedir_template \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/modules/*.pp \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/modules/permissivedomains.pp \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/policy.kern \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/policy.kern \
%ghost %{_sysconfdir}/selinux/%1/modules/active/*.local \ %ghost %{_sysconfdir}/selinux/%1/modules/active/*.local \
%ghost %{_sysconfdir}/selinux/%1/modules/active/*.bin \ %ghost %{_sysconfdir}/selinux/%1/modules/active/*.bin \
@ -310,6 +310,16 @@ if [ -e ./policy/modules-contrib.conf ];then \
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp ", $1 }' ./policy/modules-contrib.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst; \ awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp ", $1 }' ./policy/modules-contrib.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst; \
fi; fi;
%define nonBaseModulesList() \
contrib_modules=`cat %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst` \
base_modules=`cat %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst` \
for i in $contrib_modules $base_modules; do \
if [ $i != "sandbox.pp" ];then \
echo "%verify(not md5 size mtime) /etc/selinux/%1/modules/active/modules/$i" >> %{buildroot}/%{_usr}/share/selinux/%1/nonbasemodules.lst \
fi; \
done
%description %description
SELinux Reference Policy - modular. SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117 Based off of reference policy: Checked out revision 2.20091117
@ -355,6 +365,7 @@ cp %{SOURCE28} %{buildroot}/%{_usr}/share/selinux/targeted
%installCmds targeted mcs n allow %installCmds targeted mcs n allow
mv %{buildroot}/%{_sysconfdir}/selinux/targeted/modules/active/modules/sandbox.pp %{buildroot}/usr/share/selinux/packages mv %{buildroot}/%{_sysconfdir}/selinux/targeted/modules/active/modules/sandbox.pp %{buildroot}/usr/share/selinux/packages
%modulesList targeted %modulesList targeted
%nonBaseModulesList targeted
%endif %endif
%if %{BUILD_MINIMUM} %if %{BUILD_MINIMUM}
@ -367,6 +378,7 @@ cp %{SOURCE28} %{buildroot}/%{_usr}/share/selinux/minimum
%installCmds minimum mcs n allow %installCmds minimum mcs n allow
rm -f %{buildroot}/%{_sysconfdir}/selinux/minimum/modules/active/modules/sandbox.pp rm -f %{buildroot}/%{_sysconfdir}/selinux/minimum/modules/active/modules/sandbox.pp
%modulesList minimum %modulesList minimum
%nonBaseModulesList minimum
%endif %endif
%if %{BUILD_MLS} %if %{BUILD_MLS}
@ -375,6 +387,7 @@ rm -f %{buildroot}/%{_sysconfdir}/selinux/minimum/modules/active/modules/sandbox
%makeModulesConf mls base contrib %makeModulesConf mls base contrib
%installCmds mls mls n deny %installCmds mls mls n deny
%modulesList mls %modulesList mls
%nonBaseModulesList mls
%endif %endif
mkdir -p %{buildroot}%{_mandir} mkdir -p %{buildroot}%{_mandir}
@ -482,7 +495,7 @@ exit 0
restorecon -R -p /home restorecon -R -p /home
exit 0 exit 0
%files targeted %files targeted -f %{buildroot}/%{_usr}/share/selinux/targeted/nonbasemodules.lst
%defattr(-,root,root,-) %defattr(-,root,root,-)
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u
@ -490,6 +503,7 @@ exit 0
%{_usr}/share/selinux/targeted/base.lst %{_usr}/share/selinux/targeted/base.lst
%{_usr}/share/selinux/targeted/modules-base.lst %{_usr}/share/selinux/targeted/modules-base.lst
%{_usr}/share/selinux/targeted/modules-contrib.lst %{_usr}/share/selinux/targeted/modules-contrib.lst
%{_usr}/share/selinux/targeted/nonbasemodules.lst
%endif %endif
%if %{BUILD_MINIMUM} %if %{BUILD_MINIMUM}
@ -541,7 +555,7 @@ done
fi fi
exit 0 exit 0
%files minimum %files minimum -f %{buildroot}/%{_usr}/share/selinux/minimum/nonbasemodules.lst
%defattr(-,root,root,-) %defattr(-,root,root,-)
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u
@ -550,6 +564,7 @@ exit 0
%{_usr}/share/selinux/minimum/base.lst %{_usr}/share/selinux/minimum/base.lst
%{_usr}/share/selinux/minimum/modules-base.lst %{_usr}/share/selinux/minimum/modules-base.lst
%{_usr}/share/selinux/minimum/modules-contrib.lst %{_usr}/share/selinux/minimum/modules-contrib.lst
%{_usr}/share/selinux/minimum/nonbasemodules.lst
%endif %endif
%if %{BUILD_MLS} %if %{BUILD_MLS}
@ -574,16 +589,20 @@ SELinux Reference policy mls base module.
%post mls %post mls
%postInstall $1 mls %postInstall $1 mls
%files mls %files mls -f %{buildroot}/%{_usr}/share/selinux/mls/nonbasemodules.lst
%defattr(-,root,root,-) %defattr(-,root,root,-)
%config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u %config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u
%fileList mls %fileList mls
%{_usr}/share/selinux/mls/base.lst %{_usr}/share/selinux/mls/base.lst
%{_usr}/share/selinux/mls/modules-base.lst %{_usr}/share/selinux/mls/modules-base.lst
%{_usr}/share/selinux/mls/modules-contrib.lst %{_usr}/share/selinux/mls/modules-contrib.lst
%{_usr}/share/selinux/mls/nonbasemodules.lst
%endif %endif
%changelog %changelog
* Thu Jun 19 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-60
- Implement new spec file handling for *.pp modules which allows us to move a policy module out of the policy
* Tue Jun 17 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-59 * Tue Jun 17 2014 Miroslav Grepl<mgrepl@redhat.com> 3.13.1-59
- Allow system_bus_types to use stream_sockets inherited from system_dbusd - Allow system_bus_types to use stream_sockets inherited from system_dbusd
- Allow journalctl to call getpw - Allow journalctl to call getpw