*** empty log message ***

2006-02-03 14:59:07 +00:00 · 2006-02-03 14:59:07 +00:00 · de82d855b5
commit de82d855b5
parent 38c8068bd0
6 changed files with 330 additions and 12 deletions
--- a/.cvsignore
+++ b/.cvsignore
@ -34,3 +34,4 @@ serefpolicy-2.2.6.tgz
 serefpolicy-2.2.7.tgz
 serefpolicy-2.2.8.tgz
 serefpolicy-2.2.9.tgz
+serefpolicy-2.2.10.tgz
--- a/Makefile.devel
+++ b/Makefile.devel
@ -0,0 +1,146 @@
+
+-include build.conf
+
+# executables
+PREFIX := /usr
+BINDIR := $(PREFIX)/bin
+SBINDIR := $(PREFIX)/sbin
+CHECKMODULE := $(BINDIR)/checkmodule
+SEMODULE := $(SBINDIR)/semodule
+SEMOD_PKG := $(BINDIR)/semodule_package
+
+# helper tools
+AWK ?= gawk
+INSTALL ?= install
+M4 ?= m4
+SED ?= sed
+EINFO ?= echo
+
+# set default build options
+NAME ?= $(shell . /etc/selinux/config; echo $$SELINUXTYPE)
+MLSENABLED := $(shell cat /selinux/mls)
+
+ifeq ($(MLSENABLED),1)
+MCSFLAG=-mcs
+endif
+
+TYPE ?= $(NAME)${MCSFLAG}
+DIRECT_INITRC ?= n
+POLY ?= n
+
+# installation paths
+SHAREDIR := $(PREFIX)/share/selinux
+MODPKGDIR := $(SHAREDIR)/$(NAME)
+HEADERDIR := $(SHAREDIR)/refpolicy/include
+
+# compile strict policy if requested.
+ifneq ($(findstring strict,$(TYPE)),)
+	M4PARAM += -D strict_policy
+endif
+
+# compile targeted policy if requested.
+ifneq ($(findstring targeted,$(TYPE)),)
+	M4PARAM += -D targeted_policy
+endif
+
+# enable MLS if requested.
+ifneq ($(findstring -mls,$(TYPE)),)
+	M4PARAM += -D enable_mls
+	CHECKPOLICY += -M
+	CHECKMODULE += -M
+endif
+
+# enable MLS if MCS requested.
+ifneq ($(findstring -mcs,$(TYPE)),)
+	M4PARAM += -D enable_mcs
+	CHECKPOLICY += -M
+	CHECKMODULE += -M
+endif
+
+# enable distribution-specific policy
+ifneq ($(DISTRO),)
+	M4PARAM += -D distro_$(DISTRO)
+endif
+
+# enable polyinstantiation
+ifeq ($(POLY),y)
+	M4PARAM += -D enable_polyinstantiation
+endif
+
+ifeq ($(DIRECT_INITRC),y)
+	M4PARAM += -D direct_sysadm_daemon
+endif
+
+ifneq ($(VERBOSE),y)
+	quiet := @
+endif
+
+M4PARAM += -D hide_broken_symptoms
+
+# policy headers
+m4support := $(wildcard $(HEADERDIR)/*.spt)
+all_interfaces := $(wildcard $(HEADERDIR)/*.if)
+rolemap := $(HEADERDIR)/rolemap
+
+detected_mods := $(wildcard *.te)
+detected_ifs := $(detected_mods:.te=.if)
+all_packages := $(detected_mods:.te=.pp)
+install_mods := $(MODPKGDIR)/$(all_packages)
+
+########################################
+#
+# Functions
+#
+
+# parse-rolemap modulename,outputfile
+define parse-rolemap
+	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+endef
+
+# peruser-expansion modulename,outputfile
+define peruser-expansion
+	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" > $2
+	$(call parse-rolemap,$1,$2)
+	$(verbose) echo "')" >> $2
+endef
+
+########################################
+#
+# Main targets
+#
+
+all: $(all_packages)
+
+########################################
+#
+# Build module packages
+#
+tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
+	@$(EINFO) "Compliling $(NAME) $(basename $(@F)) module"
+	@test -d tmp || mkdir -p tmp
+	$(call peruser-expansion,$(basename $(@F)),$@.role)
+	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
+	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
+
+tmp/%.mod.fc: $(m4support) %.fc
+	$(verbose) $(M4) $(M4PARAM) $^ > $@
+
+%.pp: tmp/%.mod tmp/%.mod.fc
+	@echo "Creating $(NAME) $(@F) policy package"
+	$(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
+
+tmp/all_interfaces.conf: $(m4support) $(all_interfaces) $(detected_ifs)
+	@test -d tmp || mkdir -p tmp
+	$(verbose) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@
+
+########################################
+#
+# Clean the environment
+#
+
+clean:
+	rm -fR tmp
+	rm -f *.pp
+
+.PHONY: clean install all default
--- a/modules-strict.conf
+++ b/modules-strict.conf
@ -1127,3 +1127,10 @@ miscfiles = module
 # 
 ipsec = module

+# Layer: admin
+# Module: mrtg
+#
+# System log analyzer and reporter
+# 
+mrtg = module
+
--- a/148
+++ b/148
@ -0,0 +1,148 @@
+#! /usr/bin/env python
+# Copyright (C) 2006 Red Hat 
+# see file 'COPYING' for use and warranty information
+#
+# policygentool is a tool for the initial generation of SELinux policy
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of the GNU General Public License as
+#    published by the Free Software Foundation; either version 2 of
+#    the License, or (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program; if not, write to the Free Software
+#    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA     
+#                                        02111-1307  USA
+#
+#  
+import os, sys, getopt
+import seobject
+import re
+
+########################### Interface File #############################
+interface="\n\
+## <summary>TEMPLATETYPE policy</summary>\n\
+## <desc>\n\
+##	<p>\n\
+##		More descriptive text about TEMPLATETYPE.  The <desc>\n\
+##		tag can also use <p>, <ul>, and <ol>\n\
+##		html tags for formatting.\n\
+##	</p>\n\
+##	<p>\n\
+##		This policy supports the following TEMPLATETYPE features:\n\
+##		<ul>\n\
+##		<li>Feature A</li>\n\
+##		<li>Feature B</li>\n\
+##		<li>Feature C</li>\n\
+##		</ul>\n\
+##	</p>\n\
+## </desc>\n\
+#\n\
+\n\
+########################################\n\
+## <summary>\n\
+##	Execute a domain transition to run TEMPLATETYPE.\n\
+## </summary>\n\
+## <param name=\"domain\">\n\
+##	Domain allowed to transition.\n\
+## </param>\n\
+#\n\
+interface(`TEMPLATETYPE_domtrans',`\n\
+	gen_requires(`\n\
+		type TEMPLATETYPE_t, TEMPLATETYPE_exec_t;\n\
+	')\n\
+\n\
+	domain_auto_trans($1,TEMPLATETYPE_exec_t,TEMPLATETYPE_t)\n\
+\n\
+	allow $1 TEMPLATETYPE_t:fd use;\n\
+	allow TEMPLATETYPE_t $1:fd use;\n\
+	allow $1 TEMPLATETYPE_t:fifo_file rw_file_perms;\n\
+	allow $1 TEMPLATETYPE_t:process sigchld;\n\
+')\n\
+"
+
+########################### Type Enforcement File #############################
+te="\n\
+policy_module(TEMPLATE,1.0.0)\n\
+\n\
+########################################\n\
+#\n\
+# Declarations\n\
+#\n\
+\n\
+type TEMPLATETYPE_t;\n\
+type TEMPLATETYPE_exec_t;\n\
+domain_type(TEMPLATETYPE_t)\n\
+init_daemon_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)\n\
+\n\
+########################################\n\
+#\n\
+# TEMPLATETYPE local policy\n\
+#\n\
+# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.\n"
+
+########################### File Context ##################################
+fc="\n\
+# TEMPLATETYPE executable will have:\n\
+# label: system_u:object_r:TEMPLATETYPE_exec_t\n\
+# MLS sensitivity: s0\n\
+# MCS categories: <none>\n\
+\n\
+EXECUTABLE		--	gen_context(system_u:object_r:TEMPLATETYPE_exec_t,s0)\n\
+"
+def errorExit(error):
+	sys.stderr.write("%s: " % sys.argv[0])
+	sys.stderr.write("%s\n" % error)
+	sys.stderr.flush()
+	sys.exit(1)
+
+
+def write_te_file(module):
+	file="%s.te" % module
+	newte=re.sub("TEMPLATETYPE", module, te)
+	if os.path.exists(file):
+		errorExit("%s already exists" % file)
+	fd = open(file, 'w')
+	fd.write(newte)
+	fd.close()
+
+def write_if_file(module):
+	file="%s.if" % module
+	newif=re.sub("TEMPLATETYPE", module, interface)
+	if os.path.exists(file):
+		errorExit("%s already exists" % file)
+	fd = open(file, 'w')
+	fd.write(newif)
+	fd.close()
+
+def write_fc_file(module, executable):
+	file="%s.fc" % module
+	newfc=re.sub("TEMPLATETYPE", module, fc)
+	newfc=re.sub("EXECUTABLE", executable, newfc)
+	if os.path.exists(file):
+		errorExit("%s already exists" % file)
+	fd = open(file, 'w')
+	fd.write(newfc)
+	fd.close()
+
+def gen_policy(module, executable):
+	write_te_file(module)
+	write_if_file(module)
+	write_fc_file(module, executable)
+	
+if __name__ == '__main__':
+	def usage(message = ""):
+		print '%s ModuleName Executable' % sys.argv[0]
+		sys.exit(1)
+		
+	if len(sys.argv) != 3:
+		usage()
+
+	gen_policy(sys.argv[1], sys.argv[2])
+
+	
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -1,12 +1,12 @@
 %define distro redhat
 %define monolithic n
 %define POLICYVER 20
-%define POLICYCOREUTILSVER 1.29.17-1
+%define POLICYCOREUTILSVER 1.29.18-1
 %define CHECKPOLICYVER 1.28-3
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 2.2.9
-Release: 2
+Version: 2.2.10
+Release: 1
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -23,6 +23,8 @@ Source9: modules-strict.conf
 Source10: booleans-strict.conf
 Source11: seusers-strict
 Source12: setrans-strict.conf
+Source13: policygentool
+Source14: Makefile.devel

 Url: http://serefpolicy.sourceforge.net
 BuildRoot: %{_tmppath}/serefpolicy-buildroot
@ -36,6 +38,7 @@ SELinux Base package

 %files 
 %{_mandir}/man8/*
+%doc /usr/share/doc/%{name}-%{version}

 %package targeted
 Summary: SELinux targeted base policy
@ -49,10 +52,12 @@ Prereq: selinux-policy = %{version}-%{release}
 %description targeted
 SELinux Reference policy targeted base module.

-%define installCmds() \
+%define setupCmds() \
 make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} bare \
 cp -f ${RPM_SOURCE_DIR}/modules-%1.conf  ./policy/modules.conf \
 cp -f ${RPM_SOURCE_DIR}/booleans-%1.conf ./policy/booleans.conf \
+
+%define installCmds() \
 make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} base.pp \
 make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} modules \
 %{__mkdir} -p $RPM_BUILD_ROOT/%{_usr}/share/selinux/%1/ \
@ -115,11 +120,11 @@ if [ -s /etc/selinux/config ]; then \
 fi

 %define rebuildpolicy() \
-semodule -b /usr/share/selinux/%1/base.pp -s %1 \
-for file in $(ls /usr/share/selinux/%1 | grep -v -e base.pp -e enableaudit.pp ) \
-do \
-	semodule -i /usr/share/selinux/%1/$file -s %1;\
-done; \
+( cd /usr/share/selinux/%1; \
+semodule -b base.pp -s %1; \
+x=`ls | grep -v -e base.pp -e enableaudit.pp | awk '{ print "-i " $1 }'`; \
+[ -z "$x" ] || semodule $x -s %1; \
+);\
 rm -f %{_sysconfdir}/selinux/%1/policy/policy.*.rpmnew

 %define relabel() \
@ -150,23 +155,29 @@ install -m 644 man/man8/*.8 ${RPM_BUILD_ROOT}%{_mandir}/man8/
 # Commented out because only targeted ref policy currently builds
 make clean
 make conf
+%setupCmds targeted targeted-mcs y
 %installCmds targeted targeted-mcs y

 # Build strict policy
 # Commented out because only targeted ref policy currently builds
 make clean
 make conf
+make NAME=strict TYPE=strict-mcs DISTRO=%{distro} DIRECT_INITRC=y MONOLITHIC=%{monolithic} bare 
+make NAME=strict TYPE=strict-mcs DISTRO=%{distro} DIRECT_INITRC=y MONOLITHIC=%{monolithic} conf
 %installCmds strict strict-mcs y

 # Build mls policy
 make clean
 make conf
+%setupCmds mls strict-mls n
 %installCmds mls strict-mls n

-# Install sources
+# Install devel
 make clean
 make 
-make DESTDIR=$RPM_BUILD_ROOT install-headers
+make DESTDIR=$RPM_BUILD_ROOT PKGNAME=%{name}-%{version} install-headers install-docs
+install -m 755 ${RPM_SOURCE_DIR}/policygentool ${RPM_BUILD_ROOT}/usr/share/selinux/refpolicy/
+install -m 755 ${RPM_SOURCE_DIR}/Makefile.devel ${RPM_BUILD_ROOT}/usr/share/selinux/refpolicy/Makefile

 %clean
 %{__rm} -fR $RPM_BUILD_ROOT
@ -280,9 +291,14 @@ SELinux Reference policy development files
 %dir %{_usr}/share/selinux/refpolicy
 %dir %{_usr}/share/selinux/refpolicy/include
 %{_usr}/share/selinux/refpolicy/include/*
+%{_usr}/share/selinux/refpolicy/Makefile
+%{_usr}/share/selinux/refpolicy/policygentool

 %changelog

+* Wed Feb 1 2006 Dan Walsh <dwalsh@redhat.com> 2.2.10-1
+- Fixes for the -devel package
+
 * Wed Feb 1 2006 Dan Walsh <dwalsh@redhat.com> 2.2.9-2
 - Fix for spamd to use ldap

--- a/2
+++ b/2
@ -1 +1 @@
-a795741d83a3bc84cc508236316ff80b  serefpolicy-2.2.9.tgz
+b89cd3e61692bd15973e4f74ac3f2bec  serefpolicy-2.2.10.tgz