From 712a7f66099bd37e55815bde4600567692cb2952 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Mar 13 2017 15:27:42 +0000
Subject: Add handling booleans via selinux-policy macros in custom policy spec files.
---
diff --git a/rpm.macros b/rpm.macros
index db43dba..f3be313 100644
--- a/rpm.macros
+++ b/rpm.macros
@@ -75,3 +75,65 @@ if /usr/sbin/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
 fi \
 fi \
 %{nil}
+
+# %selinux_set_booleans [-s ] boolean [boolean]...
+%selinux_set_booleans("s:") \
+. /etc/selinux/config \
+_policytype=%{-s*} \
+if [ -z "${_policytype}" ]; then \
+ _policytype="targeted" \
+fi \
+LOCAL_MODIFICATIONS=$(semanage boolean -E) \
+if [ ! -f %_file_custom_defined_booleans ]; then \
+ echo "# This file is managed by selinux.macros. Do not edit it manually" > %_file_custom_defined_booleans \
+fi \
+semanage_import='' \
+for boolean in %*; do \
+ boolean_name=${boolean%=*} \
+ boolean_value=${boolean#*=} \
+ boolean_local_string=$(grep "$boolean_name\$" <<<$LOCAL_MODIFICATIONS) \
+ if [ -n "$boolean_local_string" ]; then \
+ semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
+ boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
+ if [ -n "$boolean_customized_string" ]; then \
+ /bin/echo $boolean_customized_string >> %_file_custom_defined_booleans \
+ else \
+ /bin/echo $boolean_local_string >> %_file_custom_defined_booleans \
+ fi \
+ else \
+ semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
+ boolean_default_value=$(semanage boolean -l | grep "^$boolean_name " | sed 's/[^(]*([^,]*, *\\(on\\|off\\).*/\\1/') \
+ /bin/echo "boolean -m --$boolean_default_value $boolean_name" >> %_file_custom_defined_booleans \
+ fi \
+done; \
+if /usr/sbin/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+ /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
+else \
+ echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype} -N" \
+fi \
+%{nil}
+
+# %selinux_unset_booleans [-s ] boolean [boolean]...
+%selinux_unset_booleans("s:") \
+. /etc/selinux/config \
+_policytype=%{-s*} \
+if [ -z "${_policytype}" ]; then \
+ _policytype="targeted" \
+fi \
+semanage_import='' \
+for boolean in %*; do \
+ boolean_name=${boolean%=*} \
+ boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
+ if [ -n "$boolean_customized_string" ]; then \
+ awk "/$boolean_customized_string/ && !f{f=1; next} 1" %_file_custom_defined_booleans > %_file_custom_defined_booleans_tmp && mv %_file_custom_defined_booleans_tmp %_file_custom_defined_booleans \
+ if ! grep -q "$boolean_name\$" %_file_custom_defined_booleans; then \
+ semanage_import="${semanage_import}\\n${boolean_customized_string}" \
+ fi \
+ fi \
+done; \
+if /usr/sbin/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+ /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
+else \
+ echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype} -N" \
+fi \
+%{nil}
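Review bot: In the `else` branch of both `%selinux_set_booleans` and `%selinux_unset_booleans`, `-N` sits inside the quotes (`-S "${_policytype} -N"`), so semanage receives the single store name `targeted -N` and no no-reload flag. On a host where SELinux is disabled or a different policy type is active, the import is then aimed at a store that presumably does not exist, and the boolean state the package expects is not recorded. The line should read `echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \`. Separately, `grep "$boolean_name\$"` is anchored only at the end of the line, so a boolean whose name is a suffix of another's can match the wrong saved entry, and in `%selinux_unset_booleans` that matched text is interpolated into the awk pattern. Requiring a leading space, `grep " $boolean_name\$"`, would tighten the match.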