diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/ChangeLog b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/ChangeLog deleted file mode 100644 index 227af8757c..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/ChangeLog +++ /dev/null 
@@ -1,352 +0,0 @@ -# ChangeLog for sec-policy/selinux-base -# Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-base/ChangeLog,v 1.73 2015/06/05 16:10:26 perfinion Exp $ - - 05 Jun 2015; Jason Zaman - selinux-base-2.20141203-r5.ebuild: - Stabilize policy 2.20141203-r5 - -*selinux-base-2.20141203-r6 (05 Jun 2015) - - 05 Jun 2015; Jason Zaman - +selinux-base-2.20141203-r6.ebuild: - Release of 2.20141203-r6 - - 25 Apr 2015; Mike Gilbert - selinux-base-2.20140311-r5.ebuild, selinux-base-2.20140311-r6.ebuild, - selinux-base-2.20140311-r7.ebuild, selinux-base-2.20141203-r1.ebuild, - selinux-base-2.20141203-r2.ebuild, selinux-base-2.20141203-r3.ebuild, - selinux-base-2.20141203-r4.ebuild, selinux-base-2.20141203-r5.ebuild: - Replace links pointing at git.overlays.gentoo.org. - - 21 Apr 2015; Jason Zaman selinux-base-9999.ebuild: - update git urls and migrate git-2 -> git-r3 - - 15 Apr 2015; Jason Zaman - selinux-base-2.20141203-r4.ebuild: - Stabilize policy 2.20141203-r4 - -*selinux-base-2.20141203-r5 (15 Apr 2015) - - 15 Apr 2015; Jason Zaman - +selinux-base-2.20141203-r5.ebuild: - Release of 2.20141203-r5 - - 22 Mar 2015; Sven Vermeulen - selinux-base-2.20141203-r3.ebuild: - Stabilize 2.20141203-r3 policies - -*selinux-base-2.20141203-r4 (22 Mar 2015) - - 22 Mar 2015; Sven Vermeulen - +selinux-base-2.20141203-r4.ebuild, selinux-base-9999.ebuild: - Release of 2.20141203-r4 - -*selinux-base-2.20141203-r3 (29 Jan 2015) - - 29 Jan 2015; Jason Zaman - +selinux-base-2.20141203-r3.ebuild, selinux-base-2.20141203-r2.ebuild: - Release of 2.20141203-r3, stable 2.20141203-r2 - - 21 Dec 2014; Sven Vermeulen - -selinux-base-2.20140311-r1.ebuild, -selinux-base-2.20140311-r2.ebuild, - -selinux-base-2.20140311-r3.ebuild, -selinux-base-2.20140311-r4.ebuild: - Remove old ebuilds - - 21 Dec 2014; Sven Vermeulen - selinux-base-2.20141203-r1.ebuild: - Stabilize 2.20141203-r1 - -*selinux-base-2.20141203-r2 (21 Dec 2014) 
- - 21 Dec 2014; Sven Vermeulen - +selinux-base-2.20141203-r2.ebuild: - Release of 2.20141203-r2 - - 07 Dec 2014; Jason Zaman - selinux-base-2.20140311-r7.ebuild, selinux-base-9999.ebuild: - Stabilize 2.20140311-r7 - -*selinux-base-2.20141203-r1 (07 Dec 2014) - - 07 Dec 2014; Jason Zaman - +selinux-base-2.20141203-r1.ebuild: - Release of 2.20141203-r1 - - 07 Dec 2014; Jason Zaman selinux-base-9999.ebuild: - update SRC_URI - - 07 Dec 2014; Sven Vermeulen selinux-base-9999.ebuild: - Clean up sed commands that are no longer needed (bug 257111 is fixed upstream) - - 05 Dec 2014; Jason Zaman selinux-base-9999.ebuild: - enable parallel build, bug 530178 - - 01 Nov 2014; Sven Vermeulen - selinux-base-2.20140311-r6.ebuild: - Stabilize rev 6 - -*selinux-base-2.20140311-r7 (01 Nov 2014) - - 01 Nov 2014; Sven Vermeulen - +selinux-base-2.20140311-r7.ebuild: - Bump revision r7 of SELinux policies - - 01 Nov 2014; Sven Vermeulen selinux-base-9999.ebuild: - Add KEYWORDS logic in -9999 ebuilds for ease of copying - - 24 Aug 2014; Sven Vermeulen selinux-base-9999.ebuild: - Back to gogo infrastructure - - 23 Aug 2014; Sven Vermeulen selinux-base-9999.ebuild: - Temporarily use github until gogo is back on track - - 22 Aug 2014; Sven Vermeulen - selinux-base-2.20140311-r5.ebuild: - Stabilize r5 policies - -*selinux-base-2.20140311-r6 (21 Aug 2014) - - 21 Aug 2014; Sven Vermeulen - +selinux-base-2.20140311-r6.ebuild: - Release of 2.20140311-r6 - -*selinux-base-2.20140311-r5 (09 Aug 2014) - - 09 Aug 2014; Sven Vermeulen - +selinux-base-2.20140311-r5.ebuild: - Bump towards r5 (fixes duplicate context for hiawatha) - - 08 Aug 2014; Sven Vermeulen selinux-base-9999.ebuild: - Make 9999 ebuilds EAPI=5 and transform to make master for version bumps - - 06 Aug 2014; Sven Vermeulen selinux-base-9999.ebuild: - Supporting the SELINUX_GIT_* variables - - 05 Aug 2014; Sven Vermeulen - -selinux-base-2.20130424-r1.ebuild, -selinux-base-2.20130424-r2.ebuild, - -selinux-base-2.20130424-r3.ebuild, 
-selinux-base-2.20130424-r4.ebuild: - Remove obsolete ebuilds - -*selinux-base-2.20140311-r4 (01 Aug 2014) - - 01 Aug 2014; Sven Vermeulen - +selinux-base-2.20140311-r4.ebuild, selinux-base-2.20140311-r3.ebuild: - Stabilization of r3, and make r4 available for testing - - 29 May 2014; Sven Vermeulen - selinux-base-2.20140311-r2.ebuild: - Stabilize 2.20140311-r2 - -*selinux-base-2.20140311-r3 (29 May 2014) - - 29 May 2014; Sven Vermeulen - +selinux-base-2.20140311-r3.ebuild: - Bump to 2.20140311-r3 - - 19 Apr 2014; Sven Vermeulen - selinux-base-2.20140311-r1.ebuild: - Stabilize r1 policies - -*selinux-base-2.20140311-r2 (19 Apr 2014) - - 19 Apr 2014; Sven Vermeulen - +selinux-base-2.20140311-r2.ebuild: - Release of 2.20140311-r2 - - 24 Mar 2014; Sven Vermeulen - -selinux-base-2.20120725-r5.ebuild, -selinux-base-2.20120725-r7.ebuild, - -selinux-base-2.20120725-r8.ebuild, -selinux-base-2.20120725-r9.ebuild, - -selinux-base-2.20120725-r10.ebuild, -selinux-base-2.20120725-r11.ebuild, - -selinux-base-2.20120725-r12.ebuild: - Removing older SELinux policies - -*selinux-base-2.20140311-r1 (21 Mar 2014) - - 21 Mar 2014; Sven Vermeulen - +selinux-base-2.20140311-r1.ebuild: - New upstream refpolicy release - - 12 Jan 2014; Sven Vermeulen - selinux-base-2.20130424-r4.ebuild: - Stabilize 2.20130424-r4 - -*selinux-base-2.20130424-r4 (11 Dec 2013) - - 11 Dec 2013; Sven Vermeulen - +selinux-base-2.20130424-r4.ebuild: - Release of 2.20130424-r4 - -*selinux-base-2.20130424-r3 (26 Sep 2013) - - 26 Sep 2013; Sven Vermeulen - +selinux-base-2.20130424-r3.ebuild: - Release 2.20130424-r3, fixing bugs #480628, #482196, #475432, #485304, #480870 - and #428322 - - 15 Aug 2013; Sven Vermeulen selinux-base-9999.ebuild: - Clean up generated cruft before building base policy - see bug 480628 - - 15 Aug 2013; Sven Vermeulen - selinux-base-2.20130424-r2.ebuild: - Stabilize r2 of policies - -*selinux-base-2.20130424-r2 (20 Jul 2013) - - 20 Jul 2013; Sven Vermeulen - 
+selinux-base-2.20130424-r2.ebuild: - Pushing out rev 2 - - 16 Jun 2013; Sven Vermeulen - selinux-base-2.20130424-r1.ebuild: - Stabilize 20130424 policies - - 07 May 2013; Sven Vermeulen - selinux-base-2.20130424-r1.ebuild, selinux-base-9999.ebuild: - Add in support for epatch_user (to support interface patching) - -*selinux-base-2.20130424-r1 (06 May 2013) - - 06 May 2013; Sven Vermeulen - +selinux-base-2.20130424-r1.ebuild: - Adding 20130424 release - - 11 Apr 2013; Sven Vermeulen - selinux-base-2.20120725-r12.ebuild, selinux-base-9999.ebuild: - Add in support for manual pages - - 29 Mar 2013; Sven Vermeulen - selinux-base-2.20120725-r12.ebuild: - Stabilize r12, fixes 455080, 453724, 461880, 453722, 452166, 458876, 457618, - 456910, 456194, 453990 and 460152 - -*selinux-base-2.20120725-r12 (09 Mar 2013) - - 09 Mar 2013; Sven Vermeulen - +selinux-base-2.20120725-r12.ebuild, selinux-base-9999.ebuild: - Pushing out rev 12 - - 23 Feb 2013; Sven Vermeulen - selinux-base-2.20120725-r11.ebuild: - Stabilization - -*selinux-base-2.20120725-r11 (26 Jan 2013) - - 26 Jan 2013; Sven Vermeulen - +selinux-base-2.20120725-r11.ebuild: - Bumping selinux-base to revision 11 - - 16 Jan 2013; Sven Vermeulen - selinux-base-2.20120725-r10.ebuild: - Stabilizing - -*selinux-base-2.20120725-r10 (16 Jan 2013) - - 16 Jan 2013; Sven Vermeulen - +selinux-base-2.20120725-r10.ebuild: - Bumping with fix for #451128 - - 13 Jan 2013; Sven Vermeulen - selinux-base-2.20120725-r9.ebuild: - Stabilizing r9 - - 30 Dec 2012; Samuli Suominen - selinux-base-2.20120725-r9.ebuild: - Use virtual/udev instead of sys-fs/udev; regression introduced by swift@g.o - 21 Dec 2012 by not using up-to-date ebuild from gentoo-x86 for revision - bumping. 
- -*selinux-base-2.20120725-r9 (21 Dec 2012) - - 21 Dec 2012; Sven Vermeulen +selinux-base-2.20120725-r9.ebuild: - Bumping to revision 9 - - 17 Dec 2012; Sven Vermeulen -selinux-base-2.20120215-r13.ebuild, - -selinux-base-2.20120215-r14.ebuild, -selinux-base-2.20120215-r15.ebuild, - -selinux-base-2.20120215-r6.ebuild, -selinux-base-2.20120215-r7.ebuild, - -selinux-base-2.20120215-r8.ebuild, -selinux-base-2.20120215-r9.ebuild: - Removing older ebuilds - - 13 Dec 2012; Sven Vermeulen selinux-base-2.20120725-r8.ebuild: - Stabilization - - 11 Dec 2012; Samuli Suominen - selinux-base-2.20120215-r6.ebuild, selinux-base-2.20120215-r7.ebuild, - selinux-base-2.20120215-r8.ebuild, selinux-base-2.20120215-r9.ebuild, - selinux-base-2.20120215-r13.ebuild, selinux-base-2.20120215-r14.ebuild, - selinux-base-2.20120215-r15.ebuild, selinux-base-2.20120725-r5.ebuild, - selinux-base-2.20120725-r7.ebuild, selinux-base-2.20120725-r8.ebuild, - selinux-base-9999.ebuild: - Use virtual/udev instead of sys-fs/udev. 
- - 04 Dec 2012; Sven Vermeulen selinux-base-9999.ebuild, metadata.xml: - Add in support for unconfined USE flag and fix #445978 - -*selinux-base-2.20120725-r8 (03 Dec 2012) - - 03 Dec 2012; Sven Vermeulen +selinux-base-2.20120725-r8.ebuild: - Bumping to revision 8 - -*selinux-base-2.20120725-r7 (18 Nov 2012) - - 18 Nov 2012; Sven Vermeulen +selinux-base-2.20120725-r7.ebuild: - Pushing out rev 7 - -*selinux-base-9999 (13 Oct 2012) - - 13 Oct 2012; Sven Vermeulen +selinux-base-9999.ebuild: - Adding live ebuild - - 04 Oct 2012; Sven Vermeulen selinux-base-2.20120725-r5.ebuild: - Stabilization - -*selinux-base-2.20120725-r5 (21 Sep 2012) - - 21 Sep 2012; Sven Vermeulen +selinux-base-2.20120725-r5.ebuild: - Introducing policy for 2.20120725, rev5 - - 30 Jul 2012; Sven Vermeulen selinux-base-2.20120215-r14.ebuild: - Stabilization of revision 14 of the SELinux policy modules - -*selinux-base-2.20120215-r15 (26 Jul 2012) - - 26 Jul 2012; Sven Vermeulen +selinux-base-2.20120215-r15.ebuild: - Bump to rev15 - -*selinux-base-2.20120215-r14 (16 Jul 2012) - - 16 Jul 2012; Sven Vermeulen +selinux-base-2.20120215-r14.ebuild: - Bumping to rev14 - -*selinux-base-2.20120215-r13 (27 Jun 2012) - - 27 Jun 2012; Sven Vermeulen +selinux-base-2.20120215-r13.ebuild: - Bump to revision 13 - -*selinux-base-2.20120215-r9 (20 May 2012) - - 20 May 2012; Sven Vermeulen +selinux-base-2.20120215-r9.ebuild: - Bumping to rev 9 - - 29 Apr 2012; Sven Vermeulen selinux-base-2.20120215-r7.ebuild: - Stabilizing rev7 - -*selinux-base-2.20120215-r8 (26 Apr 2012) - - 26 Apr 2012; Sven Vermeulen +selinux-base-2.20120215-r8.ebuild: - Bump to rev8, fix #411719, #411149 and #411943 - -*selinux-base-2.20120215-r7 (22 Apr 2012) - - 22 Apr 2012; Sven Vermeulen +selinux-base-2.20120215-r7.ebuild: - Bumping to rev 7, fixing bugs #401595, #411193 and #403293 - - 31 Mar 2012; Sven Vermeulen +selinux-base-2.20120215-r6.ebuild, - +files/config, +metadata.xml: - Bumping to 2.20120215 policies - 
-*selinux-base-2.20120215-r6 (31 Mar 2012) - - 31 Mar 2012; Sven Vermeulen +selinux-base-2.20120215-r6.ebuild, - +files/config, +metadata.xml: - Initial base policy package (without additional modules) diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/Manifest b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/Manifest index 8c79c9abb3..531f9303e2 100644 --- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/Manifest 
@@ -1,2 +1,4 @@
-DIST patchbundle-selinux-base-policy-2.20141203-r9.tar.bz2 299602 SHA256 e8518004942a6c57170a609683e22b1410c93a2a195829c41dc8fbc703d941b5 SHA512 ce6484fbca1d2d074e50d1a3953392bd3ce0a4617df98fbac37747b469b4f160a9331586dfe1c3ddccb1ccbee24876a2f05ab49e37c8492a48baf83c2d01d140 WHIRLPOOL 1fd7b956e98e95a64c3a713a944d4531259bd156a7feabf6a89c4b5f33ac846377730eede97889e85183be086f282ebd18e860214f6ca3f01b40f2323470ee04
-DIST refpolicy-2.20141203.tar.bz2 680243 SHA256 f438209c430d8a2d4ddcbe4bdd3edb46f6af7dc4913637af0b73c635e40c1522 SHA512 682e4280c5799e4c12ec7594afc1389f67be35055748d2e0dbdc3419159a16c96d4946ca6178daee8370515951f8653b2e452efe8c962b8d7f9bc192f0b15a0c WHIRLPOOL 74bca232534e7af9051bb1ab9f77c1ff6c425781cf4561f781d6e9a40cc5ca0d9add540249ea5493e8782a9372aea296ead6c165c6c440ae1509eb319d151ee5
+DIST patchbundle-selinux-base-policy-2.20200818-r2.tar.bz2 433623 BLAKE2B f0655c45c50347faf1217e5861298dce822e4b726c0b4489d4c70c4815842f7c17ac1b0a302ae5482a3ad25d1d5b6c4c3b6395194e79005f31560d103ad0fce6 SHA512 9fd22683ecd602a429b2d489f7b8c2936409fa060046255b72a4b95c9fdefa2455ba7655945278dc972c22f3ade6617898ed169e22001aaaaded4b47ca51b0c3
+DIST patchbundle-selinux-base-policy-2.20210203-r1.tar.bz2 298116 BLAKE2B 50c5523a8b758652af6aa59d548e9499b899898b58f52f74f1667a0c552f2b2d0ed5a44352e59245c7f0ebd199e2391400168d6ab27b4160d726fccded0c56f2 SHA512 ddb877ec3e2883f57e54e7380dd449d4d89a0769a1fb87141786e5de741ac21b2ead60362fd17c25888eb1334c68f71da561f4f29f406f0d4b5d13d378f6baff
+DIST refpolicy-2.20200818.tar.bz2 570896 BLAKE2B 502c00fec39e1b81e42de3f7f942623f8b3fbdeac19f9f01126722a368b7d4f70427d6e4a574754c4f2fa551e4bc75c912dbc515c004f0dcd5eb28ab416498f6 SHA512 e4b527bb7a87b9359fc42eb111d5008103f57c37128998ea0e21ec7b0b8607ffe3f67697450e4c51a0db172ece69083335b279bacef4b1bd0b7748b58caa99a7
+DIST refpolicy-2.20210203.tar.bz2 564099 BLAKE2B a94a11ebb78890ba2c98714be2fe9054fdb8ccaf5154f47b881a9575a4a6865e8df475805550d7bba8039b4230c6a0c9f5c6130bf8c35a26bc7c473d550fb40d SHA512
a6ffe718626dd6121023b4cbc424c933d44ca8b662bd708baad307cf6284be0d80fef40cdc8b37f6f17ecb3636fd8d6c1d5d4072c17d835b7f500e17a3acd9fc
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config
index 7b66367667..55933ea0e5 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config
@@ -12,4 +12,4 @@ SELINUX=permissive
 # mls - Full SELinux protection with Multi-Level Security
 # mcs - Full SELinux protection with Multi-Category Security
 # (mls, but only one sensitivity level)
-SELINUXTYPE=mcs
+SELINUXTYPE=strict
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/kernel_mcs.diff b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/kernel_mcs.diff
deleted file mode 100644
index 8f9cfd7e01..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/kernel_mcs.diff
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -ur refpolicy.orig/policy/modules/kernel/kernel.te refpolicy/policy/modules/kernel/kernel.te
---- refpolicy.orig/policy/modules/kernel/kernel.te 2015-06-24 14:05:01.160318849 -0700
-+++ refpolicy/policy/modules/kernel/kernel.te 2015-06-24 14:06:23.468516424 -0700
-@@ -442,3 +442,9 @@
- #dev_manage_all_dev_nodes(kernel_t)
- dev_setattr_generic_chr_files(kernel_t)
- ')
-+mcs_killall(kernel_t)
-+mcs_file_read_all(kernel_t)
-+mcs_file_write_all(kernel_t)
-+mcs_process_set_categories(kernel_t)
-+mcs_ptrace_all(kernel_t)
-+allow kernel_t self:capability2 wake_alarm;
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts
deleted file mode 100644
index 923a158e28..0000000000
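Review bot: The default type now selects the strict policy while the context line above still ships `SELINUX=permissive`, and the hunk gives no reason for leaving mcs, even though this same commit deletes the lxc_contexts file and the kernel_mcs/mcs_create/mcs_range_target patches that, as far as the deleted content shows, were what made the mcs type usable on this distribution. The strict type as built by the new ebuilds carries no MCS category component, so anything that relied on per-container category labels presumably loses that separation silently, and `/etc/selinux/mcs` no longer exists since the tmpfiles symlink is removed as well. I would record the decision next to the value, e.g. `# strict: the MCS-specific refpolicy patches and container contexts were dropped with the refpolicy bump; switch back to mcs only once they are re-added`, and double-check that whatever reads this file at boot is pointed at a policy type that is actually installed.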
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts
+++ /dev/null
@@ -1,4 +0,0 @@
-process = "system_u:system_r:svirt_lxc_net_t:s0"
-content = "system_u:object_r:virt_var_lib_t:s0"
-file = "system_u:object_r:svirt_lxc_file_t:s0"
-
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/mcs_create.diff b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/mcs_create.diff
deleted file mode 100644
index 64b823577d..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/mcs_create.diff
+++ /dev/null
@@ -1,21 +0,0 @@
-diff -ur work.orig/refpolicy/policy/mcs work/refpolicy/policy/mcs
---- refpolicy/policy/mcs 2015-12-18 13:41:18.655947448 +0000
-+++ refpolicy/policy/mcs 2015-12-18 13:42:40.364890957 +0000
-@@ -100,14 +100,14 @@
- # New filesystem object labels must be dominated by the relabeling subject
- # clearance, also the objects are single-level.
- mlsconstrain file { create relabelto }
-- (( h1 dom h2 ) and ( l2 eq h2 ));
-+ ((( h1 dom h2 ) and ( l2 eq h2 )) or (t1 == mcswriteall));
- 
- # new file labels must be dominated by the relabeling subject clearance
- mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
-- ( h1 dom h2 );
-+ (( h1 dom h2 ) or (t1 == mcswriteall));
- 
- mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
-- (( h1 dom h2 ) and ( l2 eq h2 ));
-+ ((( h1 dom h2 ) and ( l2 eq h2 )) or (t1 == mcswriteall));
- 
- mlsconstrain process { transition dyntransition }
- (( h1 dom h2 ) or ( t1 == mcssetcats ));
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/mcs_range_target.diff b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/mcs_range_target.diff
deleted file mode 100644
index 1c16ab7fdb..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/mcs_range_target.diff
+++ /dev/null
@@ -1,9 +0,0 @@
-diff -ur mcs.orig/policy/mcs mcs/policy/mcs
---- refpolicy.orig/policy/mcs 2015-09-14 11:32:38.155721902 -0700
-+++ refpolicy/policy/mcs 2015-09-14 11:36:08.055490569 -0700
-@@ -1,4 +1,5 @@
- ifdef(`enable_mcs',`
-+default_range dir_file_class_set target low-high;
- #
- # Define sensitivities
- #
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/selinux.conf b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/selinux.conf
new file mode 100644
index 0000000000..77d379e812
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/selinux.conf
@@ -0,0 +1,4 @@
+# Rebuild all selinux policy modules
+[selinux-rebuild]
+class = portage.sets.dbapi.OwnerSet
+files = /usr/share/selinux/
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf
deleted file mode 100644
index d5023d851b..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-d /etc/selinux/ - - - - -
-L /etc/selinux/config - - - - ../../usr/lib/selinux/config
-L /etc/selinux/mcs - - - - ../../usr/lib/selinux/mcs
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/metadata.xml b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/metadata.xml
index 39f2415871..e59a87405f 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/metadata.xml
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/metadata.xml
@@ -1,15 +1,17 @@ - selinux + + selinux@gentoo.org + SELinux Team + Gentoo SELinux base policy. This contains policy for a system at the end of system installation. There is no extra policy in this package. - Enable the labeled networking peer permissions (SELinux policy capability). - Enable the open permissions for file object classes (SELinux policy capability). - Enable User Based Access Control (UBAC) in the SELinux policy - Enable support for the unconfined SELinux module + Enable User Based Access Control (UBAC) in the SELinux policy + Enable support for the unconfined SELinux module + Default allow unknown classes in kernels newer than the policy (SELinux policy capability). diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r14.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r14.ebuild deleted file mode 100644 index 3661151504..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r14.ebuild +++ /dev/null 
@@ -1,188 +0,0 @@ -# Copyright 1999-2015 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-base/selinux-base-2.20141203-r5.ebuild,v 1.3 2015/06/05 16:10:26 perfinion Exp $ -EAPI="5" - -inherit eutils systemd - -if [[ ${PV} == 9999* ]]; then - EGIT_REPO_URI="${SELINUX_GIT_REPO:-git://anongit.gentoo.org/proj/hardened-refpolicy.git https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}" - EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}" - EGIT_SOURCEDIR="${WORKDIR}/refpolicy" - - inherit git-2 - - KEYWORDS="" -else - SRC_URI="https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2 - http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-2.20141203-r9.tar.bz2" - - KEYWORDS="amd64 x86" -fi - -IUSE="+peer_perms +open_perms +ubac +unconfined doc" - -DESCRIPTION="Gentoo base policy for SELinux" -HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/" -LICENSE="GPL-2" -SLOT="0" - -RDEPEND=">=sys-apps/policycoreutils-2.3 - virtual/udev - !<=sec-policy/selinux-base-policy-2.20120725" -DEPEND="${RDEPEND} - sys-devel/m4 - >=sys-apps/checkpolicy-2.3" - -S=${WORKDIR}/ - -#src_unpack() { -# git-2_src_unpack -#} - -src_prepare() { - if [[ ${PV} != 9999* ]]; then - # Apply the gentoo patches to the policy. These patches are only necessary - # for base policies, or for interface changes on modules. - EPATCH_MULTI_MSG="Applying SELinux policy updates ... " \ - EPATCH_SUFFIX="patch" \ - EPATCH_SOURCE="${WORKDIR}" \ - EPATCH_FORCE="yes" \ - epatch - fi - - epatch "${FILESDIR}/kernel_mcs.diff" - epatch "${FILESDIR}/mcs_create.diff" - epatch "${FILESDIR}/mcs_range_target.diff" - - cd "${S}/refpolicy" - make bare - - epatch_user -} - -src_configure() { - [ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs" - - # Update the SELinux refpolicy capabilities based on the users' USE flags. - - if ! 
use peer_perms; then - sed -i -e '/network_peer_controls/d' \ - "${S}/refpolicy/policy/policy_capabilities" - fi - - if ! use open_perms; then - sed -i -e '/open_perms/d' \ - "${S}/refpolicy/policy/policy_capabilities" - fi - - if ! use ubac; then - sed -i -e '/^UBAC/s/y/n/' "${S}/refpolicy/build.conf" \ - || die "Failed to disable User Based Access Control" - fi - - echo "DISTRO = gentoo" >> "${S}/refpolicy/build.conf" - - # Prepare initial configuration - cd "${S}/refpolicy"; - make conf || die "Make conf failed" - - # Setup the policies based on the types delivered by the end user. - # These types can be "targeted", "strict", "mcs" and "mls". - for i in ${POLICY_TYPES}; do - cp -a "${S}/refpolicy" "${S}/${i}" - cd "${S}/${i}"; - - #cp "${FILESDIR}/modules-2.20120215.conf" "${S}/${i}/policy/modules.conf" - sed -i -e "/= module/d" "${S}/${i}/policy/modules.conf" - - sed -i -e '/^QUIET/s/n/y/' -e "/^NAME/s/refpolicy/$i/" \ - "${S}/${i}/build.conf" || die "build.conf setup failed." - - if [[ "${i}" == "mls" ]] || [[ "${i}" == "mcs" ]]; - then - # MCS/MLS require additional settings - sed -i -e "/^TYPE/s/standard/${i}/" "${S}/${i}/build.conf" \ - || die "failed to set type to mls" - fi - - if [ "${i}" == "targeted" ]; then - sed -i -e '/root/d' -e 's/user_u/unconfined_u/' \ - "${S}/${i}/config/appconfig-standard/seusers" \ - || die "targeted seusers setup failed." - fi - - if [ "${i}" != "targeted" ] && [ "${i}" != "strict" ] && use unconfined; then - sed -i -e '/root/d' -e 's/user_u/unconfined_u/' \ - "${S}/${i}/config/appconfig-${i}/seusers" \ - || die "policy seusers setup failed." 
- fi - done -} - -src_compile() { - [ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs" - - for i in ${POLICY_TYPES}; do - cd "${S}/${i}" - emake base UNK_PERMS=allow BINDIR="${ROOT}/usr/bin" || die "${i} compile failed" - if use doc; then - make html || die - fi - done -} - -src_install() { - [ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs" - - for i in ${POLICY_TYPES}; do - cd "${S}/${i}" - - - make DESTDIR="${D}" install \ - || die "${i} install failed." - - make DESTDIR="${D}" install-headers \ - || die "${i} headers install failed." - - echo "run_init_t" > "${D}/etc/selinux/${i}/contexts/run_init_type" - - echo "textrel_shlib_t" >> "${D}/etc/selinux/${i}/contexts/customizable_types" - cp "${FILESDIR}/booleans" "${D}/etc/selinux/${i}/booleans" - - # libsemanage won't make this on its own - keepdir "/etc/selinux/${i}/policy" - - if use doc; then - dohtml doc/html/*; - fi - - insinto /usr/share/selinux/devel; - doins doc/policy.xml; - - done - - systemd_dotmpfilesd "${FILESDIR}/tmpfiles.d/selinux-base.conf" - systemd-tmpfiles --root="${D}" --create selinux-base.conf - - dodoc doc/Makefile.example doc/example.{te,fc,if} - - doman man/man8/*.8; - - insinto /usr/lib/selinux - doins "${FILESDIR}/config" - - insinto /etc/selinux/mcs/contexts - doins "${FILESDIR}/lxc_contexts" - - mkdir -p "${D}/usr/lib/selinux" - for i in ${POLICY_TYPES}; do - mv "${D}/etc/selinux/${i}" "${D}/usr/lib/selinux" - dosym "../../usr/lib/selinux/${i}" "/etc/selinux/${i}" - done -} - -pkg_preinst() { - has_version "<${CATEGORY}/${PN}-2.20101213-r13" - previous_less_than_r13=$? -} diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r2.ebuild new file mode 100644 index 0000000000..9eaddb863d --- /dev/null 
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r2.ebuild 
@@ -0,0 +1,153 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+if [[ ${PV} == 9999* ]]; then
+ EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}"
+ EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}"
+ EGIT_CHECKOUT_DIR="${WORKDIR}/refpolicy"
+
+ inherit git-r3
+else
+ SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2
+ https://dev.gentoo.org/~perfinion/patches/selinux-base-policy/patchbundle-selinux-base-policy-${PVR}.tar.bz2"
+
+ KEYWORDS="amd64 -arm ~arm64 ~mips x86"
+fi
+
+IUSE="doc +unknown-perms systemd +ubac +unconfined"
+
+DESCRIPTION="Gentoo base policy for SELinux"
+HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
+LICENSE="GPL-2"
+SLOT="0"
+
+RDEPEND=">=sys-apps/policycoreutils-2.8"
+DEPEND="${RDEPEND}"
+BDEPEND="
+ >=sys-apps/checkpolicy-2.8
+ sys-devel/m4"
+
+S=${WORKDIR}/
+
+src_prepare() {
+ if [[ ${PV} != 9999* ]]; then
+ einfo "Applying SELinux policy updates ... "
+ eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch"
+ fi
+
+ eapply_user
+
+ cd "${S}/refpolicy" || die
+ emake bare
+}
+
+src_configure() {
+ [ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs"
+
+ # Update the SELinux refpolicy capabilities based on the users' USE flags.
+ if use unknown-perms; then
+ sed -i -e '/^UNK_PERMS/s/deny/allow/' "${S}/refpolicy/build.conf" \
+ || die "Failed to allow Unknown Permissions Handling"
+ sed -i -e '/^UNK_PERMS/s/deny/allow/' "${S}/refpolicy/Makefile" \
+ || die "Failed to allow Unknown Permissions Handling"
+ fi
+
+ if !
use ubac; then
+ sed -i -e '/^UBAC/s/y/n/' "${S}/refpolicy/build.conf" \
+ || die "Failed to disable User Based Access Control"
+ fi
+
+ if use systemd; then
+ sed -i -e '/^SYSTEMD/s/n/y/' "${S}/refpolicy/build.conf" \
+ || die "Failed to enable SystemD"
+ fi
+
+ echo "DISTRO = gentoo" >> "${S}/refpolicy/build.conf" || die
+
+ # Prepare initial configuration
+ cd "${S}/refpolicy" || die
+ emake conf
+
+ # Setup the policies based on the types delivered by the end user.
+ # These types can be "targeted", "strict", "mcs" and "mls".
+ for i in ${POLICY_TYPES}; do
+ cp -a "${S}/refpolicy" "${S}/${i}" || die
+ cd "${S}/${i}" || die
+
+ sed -i -e "/= module/d" "${S}/${i}/policy/modules.conf" || die
+
+ sed -i -e '/^QUIET/s/n/y/' -e "/^NAME/s/refpolicy/$i/" \
+ "${S}/${i}/build.conf" || die "build.conf setup failed."
+
+ if [[ "${i}" == "mls" ]] || [[ "${i}" == "mcs" ]];
+ then
+ # MCS/MLS require additional settings
+ sed -i -e "/^TYPE/s/standard/${i}/" "${S}/${i}/build.conf" \
+ || die "failed to set type to mls"
+ fi
+
+ if [ "${i}" == "targeted" ]; then
+ sed -i -e '/root/d' -e 's/user_u/unconfined_u/' \
+ "${S}/${i}/config/appconfig-standard/seusers" \
+ || die "targeted seusers setup failed."
+ fi
+
+ if [ "${i}" != "targeted" ] && [ "${i}" != "strict" ] && use unconfined; then
+ sed -i -e '/root/d' -e 's/user_u/unconfined_u/' \
+ "${S}/${i}/config/appconfig-${i}/seusers" \
+ || die "policy seusers setup failed."
+ fi
+ done
+}
+
+src_compile() {
+ [ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs"
+
+ for i in ${POLICY_TYPES}; do
+ cd "${S}/${i}" || die
+ emake base
+ if use doc; then
+ emake html
+ fi
+ done
+}
+
+src_install() {
+ [ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs"
+
+ for i in ${POLICY_TYPES}; do
+ cd "${S}/${i}" || die
+
+ emake DESTDIR="${D}" install
+ emake DESTDIR="${D}" install-headers
+
+ echo "run_init_t" > "${D}/etc/selinux/${i}/contexts/run_init_type" || die
+
+ echo "textrel_shlib_t" >> "${D}/etc/selinux/${i}/contexts/customizable_types" || die
+
+ # libsemanage won't make this on its own
+ keepdir "/etc/selinux/${i}/policy"
+
+ if use doc; then
+ docinto ${i}/html
+ dodoc -r doc/html/*;
+ fi
+
+ insinto /usr/share/selinux/devel;
+ doins doc/policy.xml;
+
+ done
+
+ docinto /
+ dodoc doc/Makefile.example doc/example.{te,fc,if}
+
+ doman man/man8/*.8;
+
+ insinto /etc/selinux
+ doins "${FILESDIR}/config"
+
+ insinto /usr/share/portage/config/sets
+ doins "${FILESDIR}/selinux.conf"
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20210203-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20210203-r1.ebuild
new file mode 100644
index 0000000000..3ea875afca
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20210203-r1.ebuild
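Review bot: The `+unknown-perms` default rewrites `UNK_PERMS` from `deny` to `allow` in both build.conf and the Makefile in src_configure, and that is a security-relevant default that deserves a comment: with refpolicy's handling of unknown classes/permissions set to allow, accesses the running kernel knows about but this policy does not define are permitted rather than denied, as I understand the setting. The deleted ebuild did the same unconditionally via `emake base UNK_PERMS=allow`, so this is not a regression, but I would put `# UNK_PERMS=allow: classes/permissions this policy does not know (e.g. from a newer kernel) are permitted, not denied -- availability over confinement` above the first sed. Note also that `|| die` only catches a failing sed, not a missed substitution, so if build.conf ever ships a value other than `deny` the flag is silently ignored; a `grep -q '^UNK_PERMS.*allow' "${S}/refpolicy/build.conf" || die` after the edit would make that loud. Finally, the `die "failed to set type to mls"` message in the mls/mcs branch fires for mcs as well; `|| die "failed to set type to ${i}"` names the right type.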
@@ -0,0 +1,153 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+if [[ ${PV} == 9999* ]]; then
+ EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}"
+ EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}"
+ EGIT_CHECKOUT_DIR="${WORKDIR}/refpolicy"
+
+ inherit git-r3
+else
+ SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2
+ https://dev.gentoo.org/~perfinion/patches/selinux-base-policy/patchbundle-selinux-base-policy-${PVR}.tar.bz2"
+
+ KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
+fi
+
+IUSE="doc +unknown-perms systemd +ubac +unconfined"
+
+DESCRIPTION="Gentoo base policy for SELinux"
+HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
+LICENSE="GPL-2"
+SLOT="0"
+
+RDEPEND=">=sys-apps/policycoreutils-2.8"
+DEPEND="${RDEPEND}"
+BDEPEND="
+ >=sys-apps/checkpolicy-2.8
+ sys-devel/m4"
+
+S=${WORKDIR}/
+
+src_prepare() {
+ if [[ ${PV} != 9999* ]]; then
+ einfo "Applying SELinux policy updates ... "
+ eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch"
+ fi
+
+ eapply_user
+
+ cd "${S}/refpolicy" || die
+ emake bare
+}
+
+src_configure() {
+ [ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs"
+
+ # Update the SELinux refpolicy capabilities based on the users' USE flags.
+ if use unknown-perms; then
+ sed -i -e '/^UNK_PERMS/s/deny/allow/' "${S}/refpolicy/build.conf" \
+ || die "Failed to allow Unknown Permissions Handling"
+ sed -i -e '/^UNK_PERMS/s/deny/allow/' "${S}/refpolicy/Makefile" \
+ || die "Failed to allow Unknown Permissions Handling"
+ fi
+
+ if !
use ubac; then + sed -i -e '/^UBAC/s/y/n/' "${S}/refpolicy/build.conf" \ + || die "Failed to disable User Based Access Control" + fi + + if use systemd; then + sed -i -e '/^SYSTEMD/s/n/y/' "${S}/refpolicy/build.conf" \ + || die "Failed to enable SystemD" + fi + + echo "DISTRO = gentoo" >> "${S}/refpolicy/build.conf" || die + + # Prepare initial configuration + cd "${S}/refpolicy" || die + emake conf + + # Setup the policies based on the types delivered by the end user. + # These types can be "targeted", "strict", "mcs" and "mls". + for i in ${POLICY_TYPES}; do + cp -a "${S}/refpolicy" "${S}/${i}" || die + cd "${S}/${i}" || die + + sed -i -e "/= module/d" "${S}/${i}/policy/modules.conf" || die + + sed -i -e '/^QUIET/s/n/y/' -e "/^NAME/s/refpolicy/$i/" \ + "${S}/${i}/build.conf" || die "build.conf setup failed." + + if [[ "${i}" == "mls" ]] || [[ "${i}" == "mcs" ]]; + then + # MCS/MLS require additional settings + sed -i -e "/^TYPE/s/standard/${i}/" "${S}/${i}/build.conf" \ + || die "failed to set type to mls" + fi + + if [ "${i}" == "targeted" ]; then + sed -i -e '/root/d' -e 's/user_u/unconfined_u/' \ + "${S}/${i}/config/appconfig-standard/seusers" \ + || die "targeted seusers setup failed." + fi + + if [ "${i}" != "targeted" ] && [ "${i}" != "strict" ] && use unconfined; then + sed -i -e '/root/d' -e 's/user_u/unconfined_u/' \ + "${S}/${i}/config/appconfig-${i}/seusers" \ + || die "policy seusers setup failed." 
+ fi + done +} + +src_compile() { + [ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs" + + for i in ${POLICY_TYPES}; do + cd "${S}/${i}" || die + emake base + if use doc; then + emake html + fi + done +} + +src_install() { + [ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs" + + for i in ${POLICY_TYPES}; do + cd "${S}/${i}" || die + + emake DESTDIR="${D}" install + emake DESTDIR="${D}" install-headers + + echo "run_init_t" > "${D}/etc/selinux/${i}/contexts/run_init_type" || die + + echo "textrel_shlib_t" >> "${D}/etc/selinux/${i}/contexts/customizable_types" || die + + # libsemanage won't make this on its own + keepdir "/etc/selinux/${i}/policy" + + if use doc; then + docinto ${i}/html + dodoc -r doc/html/*; + fi + + insinto /usr/share/selinux/devel; + doins doc/policy.xml; + + done + + docinto / + dodoc doc/Makefile.example doc/example.{te,fc,if} + + doman man/man8/*.8; + + insinto /etc/selinux + doins "${FILESDIR}/config" + + insinto /usr/share/portage/config/sets + doins "${FILESDIR}/selinux.conf" +} diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-9999.ebuild index 12f53be9eb..3be921e88d 100644 --- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-9999.ebuild 
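Review bot: `IUSE="doc +unknown-perms systemd +ubac +unconfined"` turns unknown-perms on by default, and `src_configure` then rewrites `^UNK_PERMS` from `deny` to `allow` in both `build.conf` and the refpolicy `Makefile`; as I read that refpolicy build knob, the resulting policy tells the kernel to permit object classes and permissions the policy does not define, which is a fail-open default for anything newer than the policy. That can be a reasonable choice for tracking new kernels, but nothing in the new ebuild records the trade-off, and a hardened overlay is exactly where a reader will want it spelled out before flipping or keeping the flag. I would add above the `IUSE=` line: `# +unknown-perms builds with UNK_PERMS=allow: classes/permissions the policy does not know are permitted rather than denied (fail-open; needed for kernels newer than the policy). Unset the flag for a strict deny-by-default build.`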
@@ -1,75 +1,57 @@ -# Copyright 1999-2015 Gentoo Foundation +# Copyright 1999-2020 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-base/selinux-base-9999.ebuild,v 1.18 2015/04/21 10:34:30 perfinion Exp $ -EAPI="5" -inherit eutils +EAPI="7" if [[ ${PV} == 9999* ]]; then - EGIT_REPO_URI="${SELINUX_GIT_REPO:-git://anongit.gentoo.org/proj/hardened-refpolicy.git https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}" + EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}" EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}" EGIT_CHECKOUT_DIR="${WORKDIR}/refpolicy" inherit git-r3 - - KEYWORDS="" else - SRC_URI="https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2 - http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-${PVR}.tar.bz2" + SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2 + https://dev.gentoo.org/~perfinion/patches/selinux-base-policy/patchbundle-selinux-base-policy-${PVR}.tar.bz2" - KEYWORDS="~amd64 ~x86" + KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86" fi -IUSE="+peer_perms +open_perms +ubac +unconfined doc" +IUSE="doc +unknown-perms systemd +ubac +unconfined" DESCRIPTION="Gentoo base policy for SELinux" -HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/" +HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux" LICENSE="GPL-2" SLOT="0" -RDEPEND=">=sys-apps/policycoreutils-2.3 - virtual/udev - !<=sec-policy/selinux-base-policy-2.20120725" -DEPEND="${RDEPEND} - sys-devel/m4 - >=sys-apps/checkpolicy-2.3" +RDEPEND=">=sys-apps/policycoreutils-2.8" +DEPEND="${RDEPEND}" +BDEPEND=" + >=sys-apps/checkpolicy-2.8 + sys-devel/m4" S=${WORKDIR}/ -#src_unpack() { -# git-2_src_unpack -#} - src_prepare() { if [[ ${PV} != 9999* ]]; then - # Apply the gentoo patches to the policy. 
These patches are only necessary - # for base policies, or for interface changes on modules. - EPATCH_MULTI_MSG="Applying SELinux policy updates ... " \ - EPATCH_SUFFIX="patch" \ - EPATCH_SOURCE="${WORKDIR}" \ - EPATCH_FORCE="yes" \ - epatch + einfo "Applying SELinux policy updates ... " + eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch" fi - cd "${S}/refpolicy" - make bare + eapply_user - epatch_user + cd "${S}/refpolicy" || die + emake bare } src_configure() { [ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs" # Update the SELinux refpolicy capabilities based on the users' USE flags. - - if ! use peer_perms; then - sed -i -e '/network_peer_controls/d' \ - "${S}/refpolicy/policy/policy_capabilities" - fi - - if ! use open_perms; then - sed -i -e '/open_perms/d' \ - "${S}/refpolicy/policy/policy_capabilities" + if use unknown-perms; then + sed -i -e '/^UNK_PERMS/s/deny/allow/' "${S}/refpolicy/build.conf" \ + || die "Failed to allow Unknown Permissions Handling" + sed -i -e '/^UNK_PERMS/s/deny/allow/' "${S}/refpolicy/Makefile" \ + || die "Failed to allow Unknown Permissions Handling" fi if ! use ubac; then 
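Review bot: The new `sed -i -e '/^UNK_PERMS/s/deny/allow/' ... || die` pair only dies when sed itself fails; sed exits 0 when no line matches `^UNK_PERMS` or the value is not literally `deny`, so a refpolicy checkout that renames or moves the knob leaves the policy building with its own default handling of unknown permissions while the ebuild reports success. For a live ebuild that follows `master` with no commit pin this is the likely way the setting drifts, and since it decides how the kernel treats classes and permissions the policy does not define, it deserves a positive check rather than an exit-status check. I would follow the `build.conf` sed with `grep -Eq '^UNK_PERMS[[:space:]]*=[[:space:]]*allow' "${S}/refpolicy/build.conf" || die "UNK_PERMS was not switched to allow in build.conf"` and do the same for the `Makefile`. The `src_configure` function continues past the end of this hunk.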
@@ -77,20 +59,24 @@ src_configure() { || die "Failed to disable User Based Access Control" fi - echo "DISTRO = gentoo" >> "${S}/refpolicy/build.conf" + if use systemd; then + sed -i -e '/^SYSTEMD/s/n/y/' "${S}/refpolicy/build.conf" \ + || die "Failed to enable SystemD" + fi + + echo "DISTRO = gentoo" >> "${S}/refpolicy/build.conf" || die # Prepare initial configuration - cd "${S}/refpolicy"; - make conf || die "Make conf failed" + cd "${S}/refpolicy" || die + emake conf # Setup the policies based on the types delivered by the end user. # These types can be "targeted", "strict", "mcs" and "mls". for i in ${POLICY_TYPES}; do - cp -a "${S}/refpolicy" "${S}/${i}" - cd "${S}/${i}"; + cp -a "${S}/refpolicy" "${S}/${i}" || die + cd "${S}/${i}" || die - #cp "${FILESDIR}/modules-2.20120215.conf" "${S}/${i}/policy/modules.conf" - sed -i -e "/= module/d" "${S}/${i}/policy/modules.conf" + sed -i -e "/= module/d" "${S}/${i}/policy/modules.conf" || die sed -i -e '/^QUIET/s/n/y/' -e "/^NAME/s/refpolicy/$i/" \ "${S}/${i}/build.conf" || die "build.conf setup failed." @@ -120,10 +106,10 @@ src_compile() { [ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs" for i in ${POLICY_TYPES}; do - cd "${S}/${i}" - emake base || die "${i} compile failed" + cd "${S}/${i}" || die + emake base if use doc; then - make html || die + emake html fi done } 
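Review bot: `if use systemd; then sed -i -e '/^SYSTEMD/s/n/y/' ...` is the only place systemd support reaches the build, and the `IUSE` line set earlier in the file lists `systemd` without a leading `+`, so unless the overlay's profile enables the flag the policy is configured with `SYSTEMD = n`. This overlay's images presumably boot with systemd, in which case a base policy built without the systemd option is probably not what is wanted; I cannot see the profile's package.use from this diff, so it may already be forced there. If it is not, either default the flag on (`+systemd` in `IUSE`) or record the expectation next to this block: `# systemd must be enabled (profile or +systemd) for systemd-based images; with SYSTEMD=n refpolicy is built without its systemd support`. Separately, `s/n/y/` rewrites the first `n` on the line and works only because the key `SYSTEMD` contains no `n`; if the line is formatted `SYSTEMD = n`, an anchored `s/= n$/= y/` would be less fragile.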
@@ -132,23 +118,21 @@ src_install() { [ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs" for i in ${POLICY_TYPES}; do - cd "${S}/${i}" + cd "${S}/${i}" || die - make DESTDIR="${D}" install \ - || die "${i} install failed." + emake DESTDIR="${D}" install + emake DESTDIR="${D}" install-headers - make DESTDIR="${D}" install-headers \ - || die "${i} headers install failed." + echo "run_init_t" > "${D}/etc/selinux/${i}/contexts/run_init_type" || die - echo "run_init_t" > "${D}/etc/selinux/${i}/contexts/run_init_type" - - echo "textrel_shlib_t" >> "${D}/etc/selinux/${i}/contexts/customizable_types" + echo "textrel_shlib_t" >> "${D}/etc/selinux/${i}/contexts/customizable_types" || die # libsemanage won't make this on its own keepdir "/etc/selinux/${i}/policy" if use doc; then - dohtml doc/html/*; + docinto ${i}/html + dodoc -r doc/html/*; fi insinto /usr/share/selinux/devel; @@ -156,18 +140,14 @@ src_install() { done - systemd_dotmpfilesd "${FILESDIR}/tmpfiles.d/selinux-base.conf" - systemd-tmpfiles --root="${D}" --create selinux-base.conf - + docinto / dodoc doc/Makefile.example doc/example.{te,fc,if} doman man/man8/*.8; - insinto /usr/lib/selinux + insinto /etc/selinux doins "${FILESDIR}/config" -} -pkg_preinst() { - has_version "<${CATEGORY}/${PN}-2.20101213-r13" - previous_less_than_r13=$? + insinto /usr/share/portage/config/sets + doins "${FILESDIR}/selinux.conf" }
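Review bot: `insinto /etc/selinux` followed by `doins "${FILESDIR}/config"` now installs the file that, presumably as the standard libselinux `/etc/selinux/config`, picks the enforcing/permissive mode and the `SELINUXTYPE` loaded at boot, but `${FILESDIR}/config` is not part of this diff, and the old `/usr/lib/selinux` location together with the `systemd_dotmpfilesd`/`systemd-tmpfiles --create` lines are removed in the same hunk, so the effective boot-time mode and type cannot be reviewed from here. Whoever merges this should confirm that `files/config` names one of the types produced from `POLICY_TYPES` (default `targeted strict mls mcs`) and that the intended mode is stated explicitly rather than inherited from the old layout. I would add above the `insinto /etc/selinux` line: `# /etc/selinux/config selects SELINUX= (enforcing/permissive/disabled) and SELINUXTYPE=; keep files/config in sync with the POLICY_TYPES built above`. The `src_install` function starts before this hunk.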