From 0cdca1b86b973cdae9b8aa6d505931b349f00490 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Sep 20 2016 09:29:25 +0000 Subject: Provide rpm macros for packages installing SELinux modules There's no unified practice how to install SELinux modules from packages and how to relabel a filesystem after the change. This update provides several new macros which should help maintainers with the process. %selinux_relabel_pre [-s ] - backups the current file_contexts for later use with fixfiles %selinux_relabel_post [-s ] - relabels a filesystem based on changes in file_contexts using fixfiles %selinux_modules_install [-s ] module [module]... %selinux_modules_uninstall [-s ] module [module]... - install and uninstall modules to the priority 200
---
diff --git a/rpm.macros b/rpm.macros
new file mode 100644
index 0000000..db43dba
--- /dev/null
+++ b/rpm.macros
@@ -0,0 +1,77 @@
+# Copyright (C) 2016 Petr Lautrbach
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# RPM macros for packages installing SELinux modules
+
+%_selinux_policy_version SELINUXPOLICYVERSION
+
+%_file_context_file %{_sysconfdir}/selinux/${SELINUXTYPE}/contexts/files/file_contexts
+%_file_context_file_pre %{_localstatedir}/lib/rpm-state/file_contexts.pre
+
+# %selinux_modules_install [-s ] module [module]...
+%selinux_modules_install("s:") \
+. /etc/selinux/config \
+_policytype=%{-s*} \
+if [ -z "${_policytype}" ]; then \
+ _policytype="targeted" \
+fi \
+%{_sbindir}/semodule -n -s ${_policytype} -X 200 -i %* \
+if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+ %{_sbindir}/load_policy \
+fi \
+%{nil}
+
+# %selinux_modules_uninstall [-s ] module [module]...
+%selinux_modules_uninstall("s:") \
+. /etc/selinux/config \
+_policytype=%{-s*} \
+if [ -z "${_policytype}" ]; then \
+ _policytype="targeted" \
+fi \
+if [ $1 -eq 0 ]; then \
+ %{_sbindir}/semodule -n -X 200 -r %* &> /dev/null || : \
+ if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+ %{_sbindir}/load_policy \
+ fi \
+fi \
+%{nil}
+
+# %selinux_relabel_pre [-s ]
+%selinux_relabel_pre("s:") \
+. /etc/selinux/config \
+_policytype=%{-s*} \
+if [ -z "${_policytype}" ]; then \
+ _policytype="targeted" \
+fi \
+if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+ [ -f %{_file_context_file_pre} ] || cp -f %{_file_context_file} %{_file_context_file_pre} \
+fi \
+%{nil}
+
+
+# %selinux_relabel_post [-s ]
+%selinux_relabel_post("s:") \
+. /etc/selinux/config \
+_policytype=%{-s*} \
+if [ -z "${_policytype}" ]; then \
+ _policytype="targeted" \
+fi \
+if /usr/sbin/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+ if [ -f %{_file_context_file_pre} ]; then \
+ %{_sbindir}/fixfiles -C %{_file_context_file_pre} restore \
+ rm -f %{_file_context_file_pre} \
+ fi \
+fi \
+%{nil}
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8c20de1..6001df3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -61,6 +61,8 @@ Source35: docker-selinux.tgz
 # http://bugzilla.redhat.com/1290659
 Source100: selinux-factory-reset
 Source101: selinux-factory-reset@.service
+# Provide rpm macros for packages installing SELinux modules
+Source102: rpm.macros
 Url: http://github.com/TresysTechnology/refpolicy/wiki
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -432,7 +434,8 @@ mv %{buildroot}%{_usr}/share/man/man8/*.html %{buildroot}%{_usr}/share/selinux/d
 mv %{buildroot}%{_usr}/share/man/man8/style.css %{buildroot}%{_usr}/share/selinux/devel/html
 mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
-echo '%%_selinux_policy_version %{version}-%{release}' > %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
+install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
+sed -i 's/SELINUXPOLICYVERSION/%{version}-%{release}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
 rm -rf selinux_config
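Review bot: The `semodule -r` call in %selinux_modules_uninstall omits the `-s ${_policytype}` that %selinux_modules_install passes, so a module installed with `-s mls` is removed from semodule's default store while the following load_policy is still gated on `SELINUXTYPE` matching `mls`; the line should read `%{_sbindir}/semodule -n -s ${_policytype} -X 200 -r %* &> /dev/null || : \`. %selinux_relabel_post also tests a literal `/usr/sbin/selinuxenabled` where the other three macros use `%{_sbindir}/selinuxenabled`, so `if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \` keeps the four macros consistent. `&> /dev/null` is a bash redirection; if a scriptlet ever runs under a strict POSIX sh it backgrounds the semodule call instead of silencing it, so `> /dev/null 2>&1` is the portable spelling.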