From de82d855b5fd198d9f6d82a1d963a72e522b53ee Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Fri, 3 Feb 2006 14:59:07 +0000
Subject: [PATCH] *** empty log message ***
---
.cvsignore | 1 +
Makefile.devel | 146 +++++++++++++++++++++++++++++++++++++++++++
modules-strict.conf | 7 +++
policygentool | 148 ++++++++++++++++++++++++++++++++++++++++++++
selinux-policy.spec | 38 ++++++++----
sources | 2 +-
6 files changed, 330 insertions(+), 12 deletions(-)
create mode 100644 Makefile.devel
create mode 100644 policygentool
diff --git a/.cvsignore b/.cvsignore
index eb023596..4fd8058f 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -34,3 +34,4 @@ serefpolicy-2.2.6.tgz
serefpolicy-2.2.7.tgz
serefpolicy-2.2.8.tgz
serefpolicy-2.2.9.tgz
+serefpolicy-2.2.10.tgz
diff --git a/Makefile.devel b/Makefile.devel
new file mode 100644
index 00000000..4f59b227
--- /dev/null
+++ b/Makefile.devel
@@ -0,0 +1,146 @@
+
+-include build.conf
+
+# executables
+PREFIX := /usr
+BINDIR := $(PREFIX)/bin
+SBINDIR := $(PREFIX)/sbin
+CHECKMODULE := $(BINDIR)/checkmodule
+SEMODULE := $(SBINDIR)/semodule
+SEMOD_PKG := $(BINDIR)/semodule_package
+
+# helper tools
+AWK ?= gawk
+INSTALL ?= install
+M4 ?= m4
+SED ?= sed
+EINFO ?= echo
+
+# set default build options
+NAME ?= $(shell . /etc/selinux/config; echo $$SELINUXTYPE)
+MLSENABLED := $(shell cat /selinux/mls)
+
+ifeq ($(MLSENABLED),1)
+MCSFLAG=-mcs
+endif
+
+TYPE ?= $(NAME)${MCSFLAG}
+DIRECT_INITRC ?= n
+POLY ?= n
+
+# installation paths
+SHAREDIR := $(PREFIX)/share/selinux
+MODPKGDIR := $(SHAREDIR)/$(NAME)
+HEADERDIR := $(SHAREDIR)/refpolicy/include
+
+# compile strict policy if requested.
+ifneq ($(findstring strict,$(TYPE)),)
+ M4PARAM += -D strict_policy
+endif
+
+# compile targeted policy if requested.
+ifneq ($(findstring targeted,$(TYPE)),)
+ M4PARAM += -D targeted_policy
+endif
+
+# enable MLS if requested.
+ifneq ($(findstring -mls,$(TYPE)),)
+ M4PARAM += -D enable_mls
+ CHECKPOLICY += -M
+ CHECKMODULE += -M
+endif
+
+# enable MLS if MCS requested.
+ifneq ($(findstring -mcs,$(TYPE)),)
+ M4PARAM += -D enable_mcs
+ CHECKPOLICY += -M
+ CHECKMODULE += -M
+endif
+
+# enable distribution-specific policy
+ifneq ($(DISTRO),)
+ M4PARAM += -D distro_$(DISTRO)
+endif
+
+# enable polyinstantiation
+ifeq ($(POLY),y)
+ M4PARAM += -D enable_polyinstantiation
+endif
+
+ifeq ($(DIRECT_INITRC),y)
+ M4PARAM += -D direct_sysadm_daemon
+endif
+
+ifneq ($(VERBOSE),y)
+ quiet := @
+endif
+
+M4PARAM += -D hide_broken_symptoms
+
+# policy headers
+m4support := $(wildcard $(HEADERDIR)/*.spt)
+all_interfaces := $(wildcard $(HEADERDIR)/*.if)
+rolemap := $(HEADERDIR)/rolemap
+
+detected_mods := $(wildcard *.te)
+detected_ifs := $(detected_mods:.te=.if)
+all_packages := $(detected_mods:.te=.pp)
+install_mods := $(MODPKGDIR)/$(all_packages)
+
+########################################
+#
+# Functions
+#
+
+# parse-rolemap modulename,outputfile
+define parse-rolemap
+ $(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+ $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+endef
+
+# peruser-expansion modulename,outputfile
+define peruser-expansion
+ $(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" > $2
+ $(call parse-rolemap,$1,$2)
+ $(verbose) echo "')" >> $2
+endef
+
+########################################
+#
+# Main targets
+#
+
+all: $(all_packages)
+
+########################################
+#
+# Build module packages
+#
+tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
+ @$(EINFO) "Compliling $(NAME) $(basename $(@F)) module"
+ @test -d tmp || mkdir -p tmp
+ $(call peruser-expansion,$(basename $(@F)),$@.role)
+ $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
+ $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
+
+tmp/%.mod.fc: $(m4support) %.fc
+ $(verbose) $(M4) $(M4PARAM) $^ > $@
+
+%.pp: tmp/%.mod tmp/%.mod.fc
+ @echo "Creating $(NAME) $(@F) policy package"
+ $(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
+
+tmp/all_interfaces.conf: $(m4support) $(all_interfaces) $(detected_ifs)
+ @test -d tmp || mkdir -p tmp
+ $(verbose) m4 $^ | sed -e s/dollarsstar/\$$\*/g > $@
+
+########################################
+#
+# Clean the environment
+#
+
+clean:
+ rm -fR tmp
+ rm -f *.pp
+
+.PHONY: clean install all default
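Review bot: Every recipe line is prefixed with `$(verbose)`, but the only switch the file defines is `quiet := @` under `ifneq ($(VERBOSE),y)`, so `$(verbose)` expands to nothing and `VERBOSE` has no effect; renaming the assignment to `verbose := @` would make it work. `install_mods := $(MODPKGDIR)/$(all_packages)` prefixes only the first package when more than one `.te` file is present; `install_mods := $(addprefix $(MODPKGDIR)/,$(all_packages))` covers all of them. `.PHONY` names `install` and `default`, for which this file has no rule. The `tmp/all_interfaces.conf` recipe also calls `m4` and `sed` directly instead of the `$(M4)` and `$(SED)` variables declared at the top.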
diff --git a/modules-strict.conf b/modules-strict.conf
index cb6ad283..5d7d2b3d 100644
--- a/modules-strict.conf
+++ b/modules-strict.conf
@@ -1127,3 +1127,10 @@ miscfiles = module
#
ipsec = module
+# Layer: admin
+# Module: mrtg
+#
+# System log analyzer and reporter
+#
+mrtg = module
+
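Review bot: The description added for the new entry, `# System log analyzer and reporter`, does not describe MRTG, which graphs network traffic, and looks as if it was copied from another module's entry. Something like `# Network traffic graphing` would match the module. This file is what a packager reads to decide which modules go into the strict policy, so the summary should say what the module actually confines.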
diff --git a/policygentool b/policygentool
new file mode 100644
index 00000000..d3f28a62
--- /dev/null
+++ b/policygentool
@@ -0,0 +1,148 @@
+#! /usr/bin/env python
+# Copyright (C) 2006 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# policygentool is a tool for the initial generation of SELinux policy
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+# 02111-1307 USA
+#
+#
+import os, sys, getopt
+import seobject
+import re
+
+########################### Interface File #############################
+interface="\n\
+## TEMPLATETYPE policy\n\
+## \n\
+## \n\
+## More descriptive text about TEMPLATETYPE. The \n\
+## tag can also use ,
, and \n\
+## html tags for formatting.\n\
+##
\n\
+## \n\
+## This policy supports the following TEMPLATETYPE features:\n\
+##
\n\
+## - Feature A
\n\
+## - Feature B
\n\
+## - Feature C
\n\
+##
\n\
+##
\n\
+## \n\
+#\n\
+\n\
+########################################\n\
+## \n\
+## Execute a domain transition to run TEMPLATETYPE.\n\
+## \n\
+## \n\
+## Domain allowed to transition.\n\
+## \n\
+#\n\
+interface(`TEMPLATETYPE_domtrans',`\n\
+ gen_requires(`\n\
+ type TEMPLATETYPE_t, TEMPLATETYPE_exec_t;\n\
+ ')\n\
+\n\
+ domain_auto_trans($1,TEMPLATETYPE_exec_t,TEMPLATETYPE_t)\n\
+\n\
+ allow $1 TEMPLATETYPE_t:fd use;\n\
+ allow TEMPLATETYPE_t $1:fd use;\n\
+ allow $1 TEMPLATETYPE_t:fifo_file rw_file_perms;\n\
+ allow $1 TEMPLATETYPE_t:process sigchld;\n\
+')\n\
+"
+
+########################### Type Enforcement File #############################
+te="\n\
+policy_module(TEMPLATE,1.0.0)\n\
+\n\
+########################################\n\
+#\n\
+# Declarations\n\
+#\n\
+\n\
+type TEMPLATETYPE_t;\n\
+type TEMPLATETYPE_exec_t;\n\
+domain_type(TEMPLATETYPE_t)\n\
+init_daemon_domain(TEMPLATETYPE_t, TEMPLATETYPE_exec_t)\n\
+\n\
+########################################\n\
+#\n\
+# TEMPLATETYPE local policy\n\
+#\n\
+# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.\n"
+
+########################### File Context ##################################
+fc="\n\
+# TEMPLATETYPE executable will have:\n\
+# label: system_u:object_r:TEMPLATETYPE_exec_t\n\
+# MLS sensitivity: s0\n\
+# MCS categories: \n\
+\n\
+EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_exec_t,s0)\n\
+"
+def errorExit(error):
+ sys.stderr.write("%s: " % sys.argv[0])
+ sys.stderr.write("%s\n" % error)
+ sys.stderr.flush()
+ sys.exit(1)
+
+
+def write_te_file(module):
+ file="%s.te" % module
+ newte=re.sub("TEMPLATETYPE", module, te)
+ if os.path.exists(file):
+ errorExit("%s already exists" % file)
+ fd = open(file, 'w')
+ fd.write(newte)
+ fd.close()
+
+def write_if_file(module):
+ file="%s.if" % module
+ newif=re.sub("TEMPLATETYPE", module, interface)
+ if os.path.exists(file):
+ errorExit("%s already exists" % file)
+ fd = open(file, 'w')
+ fd.write(newif)
+ fd.close()
+
+def write_fc_file(module, executable):
+ file="%s.fc" % module
+ newfc=re.sub("TEMPLATETYPE", module, fc)
+ newfc=re.sub("EXECUTABLE", executable, newfc)
+ if os.path.exists(file):
+ errorExit("%s already exists" % file)
+ fd = open(file, 'w')
+ fd.write(newfc)
+ fd.close()
+
+def gen_policy(module, executable):
+ write_te_file(module)
+ write_if_file(module)
+ write_fc_file(module, executable)
+
+if __name__ == '__main__':
+ def usage(message = ""):
+ print '%s ModuleName Executable' % sys.argv[0]
+ sys.exit(1)
+
+ if len(sys.argv) != 3:
+ usage()
+
+ gen_policy(sys.argv[1], sys.argv[2])
+
+
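Review bot: `module` and `executable` go straight from `sys.argv` into the output file names and the generated policy text with no validation, so a module name containing `/` writes outside the working directory and one containing m4 quote characters alters the generated policy; a guard at the top of `gen_policy` such as `if not re.match(r"^[a-z][a-z0-9_]*$", module): errorExit("invalid module name")` would bound it. The values are also passed as the replacement argument of `re.sub`, where backslashes are interpreted, so `te.replace("TEMPLATETYPE", module)` (and the same in the `.if` and `.fc` writers) is the safer call. The `te` template declares `policy_module(TEMPLATE,1.0.0)`, which the `TEMPLATETYPE` substitution does not touch, so every generated module would be named `TEMPLATE`; it should read `policy_module(TEMPLATETYPE,1.0.0)`. The interface template uses `gen_requires(` while Makefile.devel in this same commit emits `gen_require(`, so one of the two is probably a typo. `import seobject` is not used anywhere in the file.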
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 28161064..c4c7c0d0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -1,12 +1,12 @@
%define distro redhat
%define monolithic n
%define POLICYVER 20
-%define POLICYCOREUTILSVER 1.29.17-1
+%define POLICYCOREUTILSVER 1.29.18-1
%define CHECKPOLICYVER 1.28-3
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 2.2.9
-Release: 2
+Version: 2.2.10
+Release: 1
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -23,6 +23,8 @@ Source9: modules-strict.conf
Source10: booleans-strict.conf
Source11: seusers-strict
Source12: setrans-strict.conf
+Source13: policygentool
+Source14: Makefile.devel
Url: http://serefpolicy.sourceforge.net
BuildRoot: %{_tmppath}/serefpolicy-buildroot
@@ -36,6 +38,7 @@ SELinux Base package
%files
%{_mandir}/man8/*
+%doc /usr/share/doc/%{name}-%{version}
%package targeted
Summary: SELinux targeted base policy
@@ -49,10 +52,12 @@ Prereq: selinux-policy = %{version}-%{release}
%description targeted
SELinux Reference policy targeted base module.
-%define installCmds() \
+%define setupCmds() \
make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} bare \
cp -f ${RPM_SOURCE_DIR}/modules-%1.conf ./policy/modules.conf \
cp -f ${RPM_SOURCE_DIR}/booleans-%1.conf ./policy/booleans.conf \
+
+%define installCmds() \
make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} base.pp \
make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} modules \
%{__mkdir} -p $RPM_BUILD_ROOT/%{_usr}/share/selinux/%1/ \
@@ -115,11 +120,11 @@ if [ -s /etc/selinux/config ]; then \
fi
%define rebuildpolicy() \
-semodule -b /usr/share/selinux/%1/base.pp -s %1 \
-for file in $(ls /usr/share/selinux/%1 | grep -v -e base.pp -e enableaudit.pp ) \
-do \
- semodule -i /usr/share/selinux/%1/$file -s %1;\
-done; \
+( cd /usr/share/selinux/%1; \
+semodule -b base.pp -s %1; \
+x=`ls | grep -v -e base.pp -e enableaudit.pp | awk '{ print "-i " $1 }'`; \
+[ -z "$x" ] || semodule $x -s %1; \
+);\
rm -f %{_sysconfdir}/selinux/%1/policy/policy.*.rpmnew
%define relabel() \
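Review bot: In the new `rebuildpolicy` body, `cd /usr/share/selinux/%1;` is terminated with `;` and its result is never checked, so if the directory is missing the subshell continues and both `semodule -b base.pp` and the `ls` pipeline operate on whatever directory the scriptlet started in. Since this presumably runs from a package scriptlet with root privileges, the relative paths should stay tied to the policy directory: `( cd /usr/share/selinux/%1 || exit 1; \`. The `ls | grep -v` pipeline also picks up every file name in the directory rather than only `*.pp`, and `-e base.pp` is an unanchored regular expression, so any name containing that pattern is excluded as well. Using a `*.pp` glob in place of `ls` would narrow what is handed to `semodule -i`.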
@@ -150,23 +155,29 @@ install -m 644 man/man8/*.8 ${RPM_BUILD_ROOT}%{_mandir}/man8/
# Commented out because only targeted ref policy currently builds
make clean
make conf
+%setupCmds targeted targeted-mcs y
%installCmds targeted targeted-mcs y
# Build strict policy
# Commented out because only targeted ref policy currently builds
make clean
make conf
+make NAME=strict TYPE=strict-mcs DISTRO=%{distro} DIRECT_INITRC=y MONOLITHIC=%{monolithic} bare
+make NAME=strict TYPE=strict-mcs DISTRO=%{distro} DIRECT_INITRC=y MONOLITHIC=%{monolithic} conf
%installCmds strict strict-mcs y
# Build mls policy
make clean
make conf
+%setupCmds mls strict-mls n
%installCmds mls strict-mls n
-# Install sources
+# Install devel
make clean
make
-make DESTDIR=$RPM_BUILD_ROOT install-headers
+make DESTDIR=$RPM_BUILD_ROOT PKGNAME=%{name}-%{version} install-headers install-docs
+install -m 755 ${RPM_SOURCE_DIR}/policygentool ${RPM_BUILD_ROOT}/usr/share/selinux/refpolicy/
+install -m 755 ${RPM_SOURCE_DIR}/Makefile.devel ${RPM_BUILD_ROOT}/usr/share/selinux/refpolicy/Makefile
%clean
%{__rm} -fR $RPM_BUILD_ROOT
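Review bot: The strict build does not go through `%setupCmds` like the targeted and mls builds; it runs `make ... bare` and `make ... conf` directly, so the `cp -f` of `modules-strict.conf` and `booleans-strict.conf` that `setupCmds` performs appears to be skipped for strict. If that is intended, a comment saying so would help, because this same commit edits modules-strict.conf; otherwise `%setupCmds strict strict-mcs y` would match the other two policies. The comment `# Commented out because only targeted ref policy currently builds` above both builds no longer describes them. `Makefile.devel` is installed with `-m 755` although it is only read by make, so `install -m 644 ${RPM_SOURCE_DIR}/Makefile.devel ${RPM_BUILD_ROOT}/usr/share/selinux/refpolicy/Makefile` is sufficient.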
@@ -280,9 +291,14 @@ SELinux Reference policy development files
%dir %{_usr}/share/selinux/refpolicy
%dir %{_usr}/share/selinux/refpolicy/include
%{_usr}/share/selinux/refpolicy/include/*
+%{_usr}/share/selinux/refpolicy/Makefile
+%{_usr}/share/selinux/refpolicy/policygentool
%changelog
+* Wed Feb 1 2006 Dan Walsh 2.2.10-1
+- Fixes for the -devel package
+
* Wed Feb 1 2006 Dan Walsh 2.2.9-2
- Fix for spamd to use ldap
diff --git a/sources b/sources
index 53917c26..148720c1 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-a795741d83a3bc84cc508236316ff80b serefpolicy-2.2.9.tgz
+b89cd3e61692bd15973e4f74ac3f2bec serefpolicy-2.2.10.tgz