diff --git a/Rules.modular b/Rules.modular
deleted file mode 100644
index 168a14f..0000000
--- a/Rules.modular
+++ /dev/null
@@ -1,223 +0,0 @@
-########################################
-#
-# Rules and Targets for building modular policies
-#
-
-all_modules := $(base_mods) $(mod_mods) $(off_mods)
-all_interfaces := $(all_modules:.te=.if)
-
-base_pkg := $(builddir)base.pp
-base_fc := $(builddir)base.fc
-base_conf := $(builddir)base.conf
-base_mod := $(tmpdir)/base.mod
-
-users_extra := $(tmpdir)/users_extra
-
-base_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
-
-base_pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps)
-base_te_files := $(base_mods)
-base_post_te_files := $(user_files) $(poldir)/constraints
-base_fc_files := $(base_mods:.te=.fc)
-
-mod_pkgs := $(addprefix $(builddir),$(notdir $(mod_mods:.te=.pp)))
-
-# policy packages to install
-instpkg := $(addprefix $(modpkgdir)/,$(notdir $(base_pkg)) $(mod_pkgs))
-
-# search layer dirs for source files
-vpath %.te $(all_layers)
-vpath %.if $(all_layers)
-vpath %.fc $(all_layers)
-
-.SECONDARY: $(addprefix $(tmpdir)/,$(mod_pkgs:.pp=.mod)) $(addprefix $(tmpdir)/,$(mod_pkgs:.pp=.mod.fc))
-
-########################################
-#
-# default action: create all module packages
-#
-default: policy
-
-all policy: base modules
-
-base: $(base_pkg)
-
-modules: $(mod_pkgs)
-
-install: $(instpkg) $(appfiles)
-
-########################################
-#
-# Load all configured modules
-#
-load: $(instpkg) $(appfiles)
-# make sure two directories exist since they are not
-# created by semanage
- @mkdir -p $(policypath) $(dir $(fcpath))
- @echo "Loading configured modules."
- $(verbose) $(SEMODULE) -s $(NAME) -b $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
-
-########################################
-#
-# Install policy packages
-#
-$(modpkgdir)/%.pp: $(builddir)%.pp
- @mkdir -p $(modpkgdir)
- @echo "Installing $(NAME) $(@F) policy package."
- $(verbose) $(INSTALL) -m 0644 $^ $(modpkgdir)
-
-########################################
-#
-# Build module packages
-#
-$(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
- @echo "Compliling $(NAME) $(@F) module"
- @test -d $(tmpdir) || mkdir -p $(tmpdir)
- $(call perrole-expansion,$(basename $(@F)),$@.role)
- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
- $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
-
-$(tmpdir)/%.mod.fc: $(m4support) %.fc
- @test -d $(tmpdir) || mkdir -p $(tmpdir)
- $(verbose) $(M4) $(M4PARAM) $(m4support) $^ > $@
-
-$(builddir)%.pp: $(tmpdir)/%.mod $(tmpdir)/%.mod.fc
- @echo "Creating $(NAME) $(@F) policy package"
- @test -d $(builddir) || mkdir -p $(builddir)
- $(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
-
-########################################
-#
-# Create a base module package
-#
-$(base_pkg): $(base_mod) $(base_fc) $(users_extra) $(tmpdir)/seusers
- @echo "Creating $(NAME) base module package"
- @test -d $(builddir) || mkdir -p $(builddir)
- $(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers
-
-ifneq "$(UNK_PERMS)" ""
-$(base_mod): CHECKMODULE += -U $(UNK_PERMS)
-endif
-$(base_mod): $(base_conf)
- @echo "Compiling $(NAME) base module"
- $(verbose) $(CHECKMODULE) $^ -o $@
-
-$(tmpdir)/seusers: $(seusers)
- @mkdir -p $(tmpdir)
- $(verbose) $(M4) $(M4PARAM) $(m4support) $^ | $(GREP) '^[a-z_]' > $@
-
-$(users_extra): $(m4support) $(user_files)
- @test -d $(tmpdir) || mkdir -p $(tmpdir)
- $(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \
- $(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' > $@
-
-########################################
-#
-# Construct a base.conf
-#
-$(base_conf): $(base_sections)
- @echo "Creating $(NAME) base module $(@F)"
- @test -d $(@D) || mkdir -p $(@D)
- $(verbose) cat $^ > $@
-
-$(tmpdir)/pre_te_files.conf: M4PARAM += -D self_contained_policy
-$(tmpdir)/pre_te_files.conf: $(base_pre_te_files)
- @test -d $(tmpdir) || mkdir -p $(tmpdir)
- $(verbose) $(M4) $(M4PARAM) $^ > $@
-
-$(tmpdir)/generated_definitions.conf:
- @test -d $(tmpdir) || mkdir -p $(tmpdir)
-# define all available object classes
- $(verbose) $(genperm) $(avs) $(secclass) > $@
- $(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
- $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
-
-$(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
-$(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun)
- $(verbose) $(M4) $(M4PARAM) $^ > $@
-
-$(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror)
- @test -d $(tmpdir) || mkdir -p $(tmpdir)
- @echo "divert(-1)" > $@
- $(verbose) $(M4) $^ >> $(tmpdir)/$(@F).tmp
- $(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@
- @echo "divert" >> $@
-
-$(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
-$(tmpdir)/rolemap.conf: $(rolemap)
- $(verbose) echo "" > $@
- $(call parse-rolemap,base,$@)
-
-$(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
-$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
-ifeq "$(strip $(base_te_files))" ""
- $(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
-endif
- @test -d $(tmpdir) || mkdir -p $(tmpdir)
- $(verbose) $(M4) $(M4PARAM) -s $^ > $@
-
-$(tmpdir)/post_te_files.conf: M4PARAM += -D self_contained_policy
-$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(base_post_te_files)
- @test -d $(tmpdir) || mkdir -p $(tmpdir)
- $(verbose) $(M4) $(M4PARAM) $^ > $@
-
-# extract attributes and put them first. extract post te stuff
-# like genfscon and put last.
-$(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
- $(verbose) $(get_type_attr_decl) $(tmpdir)/all_te_files.conf | $(SORT) > $(tmpdir)/all_attrs_types.conf
- $(verbose) cat $(tmpdir)/post_te_files.conf > $(tmpdir)/all_post.conf
-# these have to run individually because order matters:
- $(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
- $(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
- $(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
- $(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
- $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
- $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
- $(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf
-
-########################################
-#
-# Construct a base.fc
-#
-$(base_fc): $(tmpdir)/$(notdir $(base_fc)).tmp $(fcsort)
- $(verbose) $(fcsort) $< $@
-
-$(tmpdir)/$(notdir $(base_fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(base_fc_files)
-ifeq ($(base_fc_files),)
- $(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
-endif
- @echo "Creating $(NAME) base module file contexts."
- @test -d $(tmpdir) || mkdir -p $(tmpdir)
- $(verbose) $(M4) $(M4PARAM) $^ > $@
-
-########################################
-#
-# Appconfig files
-#
-$(appdir)/customizable_types: $(base_conf)
- @mkdir -p $(appdir)
- $(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(tmpdir)/customizable_types
- $(verbose) $(INSTALL) -m 644 $(tmpdir)/customizable_types $@
-
-########################################
-#
-# Validate linking and expanding of modules
-#
-validate: $(base_pkg) $(mod_pkgs)
- @echo "Validating policy linking."
- $(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^
- $(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin
- @echo "Success."
-
-########################################
-#
-# Clean the sources
-#
-clean:
- rm -f $(base_conf)
- rm -f $(base_fc)
- rm -f $(builddir)*.pp
- rm -f $(net_contexts)
- rm -fR $(tmpdir)
-
-.PHONY: default all policy base modules install load clean validate
diff --git a/Rules.monolithic b/Rules.monolithic
deleted file mode 100644
index 5b0d534..0000000
--- a/Rules.monolithic
+++ /dev/null
@@ -1,258 +0,0 @@
-########################################
-#
-# Rules and Targets for building monolithic policies
-#
-
-# determine the policy version and current kernel version if possible
-pv := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
-kv := $(shell cat /selinux/policyvers)
-
-# dont print version warnings if we are unable to determine
-# the currently running kernel's policy version
-ifeq "$(kv)" ""
- kv := $(pv)
-endif
-
-policy_conf = $(builddir)policy.conf
-fc = $(builddir)file_contexts
-polver = $(builddir)policy.$(pv)
-homedir_template = $(builddir)homedir_template
-
-M4PARAM += -D self_contained_policy
-
-# install paths
-loadpath = $(policypath)/$(notdir $(polver))
-
-appfiles += $(installdir)/booleans $(installdir)/seusers $(userpath)/local.users
-
-# for monolithic policy use all base and module to create policy
-all_modules := $(strip $(base_mods) $(mod_mods))
-# off module interfaces included to make sure all interfaces are expanded.
-all_interfaces := $(all_modules:.te=.if) $(off_mods:.te=.if)
-all_te_files := $(all_modules)
-all_fc_files := $(all_modules:.te=.fc)
-
-pre_te_files := $(secclass) $(isids) $(avs) $(m4support) $(poldir)/mls $(poldir)/mcs $(policycaps)
-post_te_files := $(user_files) $(poldir)/constraints
-
-policy_sections := $(tmpdir)/pre_te_files.conf $(tmpdir)/all_attrs_types.conf $(tmpdir)/global_bools.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf
-
-# search layer dirs for source files
-vpath %.te $(all_layers)
-vpath %.if $(all_layers)
-vpath %.fc $(all_layers)
-
-########################################
-#
-# default action: build policy locally
-#
-default: policy
-
-policy: $(polver)
-
-install: $(loadpath) $(fcpath) $(appfiles)
-
-load: $(tmpdir)/load
-
-checklabels: $(fcpath)
-restorelabels: $(fcpath)
-relabel: $(fcpath)
-resetlabels: $(fcpath)
-
-########################################
-#
-# Build a binary policy locally
-#
-ifneq "$(UNK_PERMS)" ""
-$(polver): CHECKPOLICY += -U $(UNK_PERMS)
-endif
-$(polver): $(policy_conf)
- @echo "Compiling $(NAME) $(polver)"
-ifneq ($(pv),$(kv))
- @echo
- @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
- @echo
-endif
- $(verbose) $(CHECKPOLICY) $^ -o $@
-
-########################################
-#
-# Install a binary policy
-#
-ifneq "$(UNK_PERMS)" ""
-$(loadpath): CHECKPOLICY += -U $(UNK_PERMS)
-endif
-$(loadpath): $(policy_conf)
- @mkdir -p $(policypath)
- @echo "Compiling and installing $(NAME) $(loadpath)"
-ifneq ($(pv),$(kv))
- @echo
- @echo "WARNING: Policy version mismatch! Is your OUTPUT_POLICY set correctly?"
- @echo
-endif
- $(verbose) $(CHECKPOLICY) $^ -o $@
-
-########################################
-#
-# Load the binary policy
-#
-reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
- @echo "Loading $(NAME) $(loadpath)"
- $(verbose) $(LOADPOLICY) -q $(loadpath)
- @touch $(tmpdir)/load
-
-########################################
-#
-# Construct a monolithic policy.conf
-#
-$(policy_conf): $(policy_sections)
- @echo "Creating $(NAME) $(@F)"
- @test -d $(@D) || mkdir -p $(@D)
- $(verbose) cat $^ > $@
-
-$(tmpdir)/pre_te_files.conf: $(pre_te_files)
- @test -d $(tmpdir) || mkdir -p $(tmpdir)
- $(verbose) $(M4) $(M4PARAM) $^ > $@
-
-$(tmpdir)/generated_definitions.conf: $(all_te_files)
- @test -d $(tmpdir) || mkdir -p $(tmpdir)
-# define all available object classes
- $(verbose) $(genperm) $(avs) $(secclass) > $@
- $(verbose) $(call create-base-per-role-tmpl,$(basename $(notdir $(all_modules))),$@)
- $(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
-
-$(tmpdir)/global_bools.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(globalbool) $(globaltun)
- $(verbose) $(M4) $(M4PARAM) $^ > $@
-
-$(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror)
- @test -d $(tmpdir) || mkdir -p $(tmpdir)
- @echo "divert(-1)" > $@
- $(verbose) $(M4) $^ >> $(tmpdir)/$(@F).tmp
- $(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@
- @echo "divert" >> $@
-
-$(tmpdir)/rolemap.conf: $(rolemap)
- $(verbose) echo "" > $@
- $(call parse-rolemap,base,$@)
-
-$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files) $(tmpdir)/rolemap.conf
-ifeq "$(strip $(all_te_files))" ""
- $(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
-endif
- @test -d $(tmpdir) || mkdir -p $(tmpdir)
- $(verbose) $(M4) $(M4PARAM) -s $^ > $@
-
-$(tmpdir)/post_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(post_te_files)
- @test -d $(tmpdir) || mkdir -p $(tmpdir)
- $(verbose) $(M4) $(M4PARAM) $^ > $@
-
-# extract attributes and put them first. extract post te stuff
-# like genfscon and put last.
-$(tmpdir)/all_attrs_types.conf $(tmpdir)/only_te_rules.conf $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.conf
- $(verbose) $(get_type_attr_decl) $(tmpdir)/all_te_files.conf | $(SORT) > $(tmpdir)/all_attrs_types.conf
- $(verbose) cat $(tmpdir)/post_te_files.conf > $(tmpdir)/all_post.conf
-# these have to run individually because order matters:
- $(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
- $(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
- $(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
- $(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
- $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
- $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
- $(verbose) $(comment_move_decl) $(tmpdir)/all_te_files.conf > $(tmpdir)/only_te_rules.conf
-
-########################################
-#
-# Remove the dontaudit rules from the policy.conf
-#
-enableaudit: $(policy_conf)
- @test -d $(tmpdir) || mkdir -p $(tmpdir)
- @echo "Removing dontaudit rules from $(notdir $(policy_conf))"
- $(verbose) $(GREP) -v dontaudit $^ > $(tmpdir)/policy.audit
- $(verbose) mv $(tmpdir)/policy.audit $(policy_conf)
-
-########################################
-#
-# Construct file_contexts
-#
-$(fc): $(tmpdir)/$(notdir $(fc)).tmp $(fcsort)
- $(verbose) $(fcsort) $< $@
- $(verbose) $(GREP) -e HOME -e ROLE -e USER $@ > $(homedir_template)
- $(verbose) $(SED) -i -e /HOME/d -e /ROLE/d -e /USER/d $@
-
-$(tmpdir)/$(notdir $(fc)).tmp: $(m4support) $(tmpdir)/generated_definitions.conf $(all_fc_files)
-ifeq ($(all_fc_files),)
- $(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
-endif
- @echo "Creating $(NAME) file_contexts."
- @test -d $(tmpdir) || mkdir -p $(tmpdir)
- $(verbose) $(M4) $(M4PARAM) $^ > $@
-
-$(homedir_template): $(fc)
-
-########################################
-#
-# Install file_contexts
-#
-$(fcpath): $(fc) $(loadpath) $(userpath)/system.users
- @echo "Validating $(NAME) file_contexts."
- $(verbose) $(SETFILES) -q -c $(loadpath) $(fc)
- @echo "Installing file_contexts."
- @mkdir -p $(contextpath)/files
- $(verbose) $(INSTALL) -m 644 $(fc) $(fcpath)
- $(verbose) $(INSTALL) -m 644 $(homedir_template) $(homedirpath)
- $(verbose) $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD)
-ifeq "$(DISTRO)" "rhel4"
-# Setfiles in RHEL4 does not look at file_contexts.homedirs.
- $(verbose) cat $@.homedirs >> $@
-# Delete the file_contexts.homedirs in case the toolchain has
-# been updated, to prevent duplicate match errors.
- $(verbose) rm -f $@.homedirs
-endif
-
-########################################
-#
-# Intall netfilter_contexts
-#
-$(ncpath): $(net_contexts)
- @echo "Installing $(NAME) netfilter_contexts."
- $(verbose) $(INSTALL) -m 0644 $^ $@
-
-########################################
-#
-# Run policy source checks
-#
-check: $(builddir)check.res
-$(builddir)check.res: $(policy_conf) $(fc)
- $(SECHECK) -s --profile=development --policy=$(policy_conf) --fcfile=$(fc) > $@
-
-longcheck: $(builddir)longcheck.res
-$(builddir)longcheck.res: $(policy_conf) $(fc)
- $(SECHECK) -s --profile=all --policy=$(policy_conf) --fcfile=$(fc) > $@
-
-########################################
-#
-# Appconfig files
-#
-$(appdir)/customizable_types: $(policy_conf)
- @mkdir -p $(appdir)
- $(verbose) $(GREP) '^[[:blank:]]*type .*customizable' $< | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | $(SORT) -u > $(tmpdir)/customizable_types
- $(verbose) $(INSTALL) -m 644 $(tmpdir)/customizable_types $@
-
-$(installdir)/seusers: $(seusers)
- @mkdir -p $(installdir)
- $(verbose) $(INSTALL) -m 644 $^ $@
-
-########################################
-#
-# Clean the sources
-#
-clean:
- rm -f $(policy_conf)
- rm -f $(polver)
- rm -f $(fc)
- rm -f $(homedir_template)
- rm -f $(net_contexts)
- rm -f *.res
- rm -fR $(tmpdir)
-
-.PHONY: default policy install load reload enableaudit checklabels restorelabels relabel check longcheck clean
diff --git a/VERSION b/VERSION
deleted file mode 100644
index 1523d62..0000000
--- a/VERSION
+++ /dev/null
@@ -1 +0,0 @@
-2.20100524
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 38ec847..ecbffdf 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -8,20 +8,17 @@
 %if %{?BUILD_MINIMUM:0}%{!?BUILD_MINIMUM:1}
 %define BUILD_MINIMUM 1
 %endif
-%if %{?BUILD_OLPC:0}%{!?BUILD_OLPC:1}
-%define BUILD_OLPC 0
-%endif
 %if %{?BUILD_MLS:0}%{!?BUILD_MLS:1}
 %define BUILD_MLS 1
 %endif
 %define POLICYVER 26
 %define libsepolver 2.0.44-2
-%define POLICYCOREUTILSVER 2.0.85-28
+%define POLICYCOREUTILSVER 2.0.86-10
 %define CHECKPOLICYVER 2.0.26-1
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.16
-Release: 25%{?dist}
+Release: 25.1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -33,10 +30,6 @@ Source4: setrans-targeted.conf
 Source5: modules-mls.conf
 Source6: booleans-mls.conf
 Source8: setrans-mls.conf
-Source9: modules-olpc.conf
-Source10: booleans-olpc.conf
-Source11: setrans-olpc.conf
-Source12: securetty_types-olpc
 Source13: policygentool
 Source14: securetty_types-targeted
 Source15: securetty_types-mls
@@ -48,7 +41,6 @@ Source20: customizable_types
 Source21: config.tgz
 Source22: users-mls
 Source23: users-targeted
-Source24: users-olpc
 Source25: users-minimum
 Source26: file_contexts.subs_dist
 
@@ -56,8 +48,8 @@ Url: http://oss.tresys.com/repos/refpolicy/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch: noarch
 BuildRequires: python gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-python >= %{POLICYCOREUTILSVER} bzip2
-Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} libsemanage >= 2.0.14-3
-Requires(post): /usr/bin/bunzip2 /bin/mktemp /bin/awk
+Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} libsemanage >= 2.0.46-4
+Requires(post): /usr/bin/bunzip2 /bin/mktemp /bin/awk /usr/bin/md5sum
 Requires: checkpolicy >= %{CHECKPOLICYVER} m4
 Obsoletes: selinux-policy-devel <= %{version}-%{release}
 Provides: selinux-policy-devel = %{version}-%{release}
@@ -109,9 +101,8 @@ make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOL
 make validate UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CAT%1S=1024 modules \
@@ -125,14 +116,18 @@ install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/seli install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \ install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \ install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \ -bzip2 %{buildroot}/%{_usr}/share/selinux/%1/*.pp \ -awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp.bz2 ", $1 }' ./policy/modules.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules.lst +awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp.bz2 ", $1 }' ./policy/modules.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules.lst \ +bzip2 -c %{buildroot}/%{_usr}/share/selinux/%1/base.pp.bz2 > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/base.pp \ +for i in %{buildroot}/%{_usr}/share/selinux/%1/*.pp; do bzip2 -c $i > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules/$i; done \ +rm -f %{buildroot}/%{_usr}/share/selinux/%1/*pp* \ +semodule -n -B -p %{buildroot}; \ +/usr/bin/md5sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} > %{buildroot}%{_sysconfdir}/selinux/%1/policy/.policymd5 \ +rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts %nil %define fileList() \ %defattr(-,root,root) \ %dir %{_usr}/share/selinux/%1 \ -%{_usr}/share/selinux/%1/*.pp.bz2 \ %{_usr}/share/selinux/%1/modules.lst \ %dir %{_sysconfdir}/selinux/%1 \ %config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \ 
@@ -141,9 +136,12 @@ awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp.bz2 ", $1 }' . %verify(not mtime) %{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \ %verify(not mtime) %{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \ %attr(700,root,root) %dir %{_sysconfdir}/selinux/%1/modules/active \ +%config(noreplace) %dir %{_sysconfdir}/selinux/%1/modules/active/* \ +%config %dir %{_sysconfdir}/selinux/%1/modules/active/modules/* \ #%verify(not md5 size mtime) %attr(600,root,root) %config(noreplace) %{_sysconfdir}/selinux/%1/modules/active/seusers \ %dir %{_sysconfdir}/selinux/%1/policy/ \ -%ghost %{_sysconfdir}/selinux/%1/policy/policy.* \ +%config(noreplace) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \ +%{_sysconfdir}/selinux/%1/policy/.policymd5 \ %dir %{_sysconfdir}/selinux/%1/contexts \ %config %{_sysconfdir}/selinux/%1/contexts/customizable_types \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \ @@ -180,11 +178,6 @@ if [ -s /etc/selinux/config ]; then \ fi \ fi -%define loadpolicy() \ -( cd /usr/share/selinux/%1; \ -semodule -b base.pp.bz2 -i %2 -s %1; \ -); \ - %define relabel() \ . %{_sysconfdir}/selinux/config; \ FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ @@ -207,7 +200,7 @@ Based off of reference policy: Checked out revision 2.20091117 %install mkdir selinux_config -for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE9} %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE16} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26};do +for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE16} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26};do cp $i selinux_config done tar zxvf selinux_config/config.tgz 
@@ -245,13 +238,6 @@ make clean %installCmds mls mls n y deny %endif -%if %{BUILD_OLPC} -# Build olpc policy -# Commented out because only olpc ref policy currently builds -%makeCmds olpc mcs n y allow -%installCmds olpc mcs n y allow -%endif - make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs mkdir %{buildroot}%{_usr}/share/selinux/devel/ mkdir %{buildroot}%{_usr}/share/selinux/packages/ @@ -329,14 +315,21 @@ SELinux Reference policy targeted base module. %saveFileContext targeted %post targeted -packages=`cat /usr/share/selinux/targeted/modules.lst` +md5=`md5sum /etc/selinux/targeted/policy/policy.%{POLICYVER}` +checkmd5=`cat /etc/selinux/targeted/policy/policy.%{POLICYVER}.md5sum` +if [ "$md5" != "$checkmd5" ] ; then + if [ $1 -ne 1 ]; then + semodule -n -s targeted -r moilscanner mailscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal 2>/dev/null + fi + semodule -B -s targeted +else + [ "${SELINUXTYPE}" == "targeted" ] && [ selinuxenabled ] && load_policy +fi + if [ $1 -eq 1 ]; then - %loadpolicy targeted $packages - restorecon -R /root /var/log /var/run 2> /dev/null + restorecon -R /root /var/log /var/run 2> /dev/null else - semodule -n -s targeted -r moilscanner mailscanner gamin audio_entropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal 2>/dev/null - %loadpolicy targeted $packages - %relabel targeted + %relabel targeted fi exit 0 
@@ -383,7 +376,7 @@ SELinux Reference policy minimum base module. %post minimum packages="execmem.pp.bz2 unconfined.pp.bz2 unconfineduser.pp.bz2 application.pp.bz2 userdomain.pp.bz2 authlogin.pp.bz2 logging.pp.bz2 selinuxutil.pp.bz2 init.pp.bz2 systemd.pp.bz2 sysnetwork.pp.bz2 miscfiles.pp.bz2 libraries.pp.bz2 modutils.pp.bz2 sysadm.pp.bz2 locallogin.pp.bz2 dbus.pp.bz2 rpm.pp.bz2 mount.pp.bz2 fstools.pp.bz2 usermanage.pp.bz2 mta.pp.bz2" -%loadpolicy minimum $packages +semodule -B -s minimum if [ $1 -eq 1 ]; then semanage -S minimum -i - << __eof login -m -s unconfined_u -r s0-s0:c0.c1023 __default__ @@ -401,38 +394,6 @@ exit 0 %fileList minimum %endif -%if %{BUILD_OLPC} -%package olpc -Summary: SELinux olpc base policy -Group: System Environment/Base -Provides: selinux-policy-base = %{version}-%{release} -Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} -Requires(pre): coreutils -Requires(pre): selinux-policy = %{version}-%{release} -Requires: selinux-policy = %{version}-%{release} -Conflicts: seedit - -%description olpc -SELinux Reference policy olpc base module. - -%pre olpc -%saveFileContext olpc - -%post olpc -packages=`cat /usr/share/selinux/olpc/modules.lst` -%loadpolicy olpc $packages - -if [ $1 -ne 1 ]; then -%relabel olpc -fi -exit 0 - -%files olpc -%defattr(-,root,root,-) -%fileList olpc - -%endif - %if %{BUILD_MLS} %package mls Summary: SELinux mls base policy @@ -454,13 +415,12 @@ SELinux Reference policy mls base module. %post mls semodule -n -s mls -r mailscanner polkit ModemManager telepathysofiasip ethereal 2>/dev/null -packages=`cat /usr/share/selinux/mls/modules.lst` -%loadpolicy mls $packages +semodule -B -s mls if [ $1 -eq 1 ]; then restorecon -R /root /var/log /var/run 2> /dev/null else -%relabel mls + %relabel mls fi exit 0 @@ -472,6 +432,9 @@ exit 0 %endif %changelog +* Thu Jun 2 2011 Dan Walsh 3.9.16-25.1 +- Add policy.26 to the payload + * Thu Jun 2 2011 Miroslav Grepl 3.9.16-25 - Fixes for sanlock policy - Fixes for colord policy