mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-20 05:51:18 +02:00
Code Issues Packages Projects Releases Wiki Activity

sec-policy/selinux-base: sync with the upstream

Browse Source 
Signed-off-by: Mathieu Tortuyaux <mathieu@kinvolk.io>
This commit is contained in:
Mathieu Tortuyaux 2021-06-02 15:13:11 +02:00
parent b7419c3548
commit 1219a8ff35
14 changed files with 370 additions and 666 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

352
sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/ChangeLog vendored
View File

@ -1,352 +0,0 @@
# ChangeLog for sec-policy/selinux-base
# Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2
# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-base/ChangeLog,v 1.73 2015/06/05 16:10:26 perfinion Exp $
05 Jun 2015; Jason Zaman <perfinion@gentoo.org>
selinux-base-2.20141203-r5.ebuild:
Stabilize policy 2.20141203-r5
*selinux-base-2.20141203-r6 (05 Jun 2015)
05 Jun 2015; Jason Zaman <perfinion@gentoo.org>
+selinux-base-2.20141203-r6.ebuild:
Release of 2.20141203-r6
25 Apr 2015; Mike Gilbert <floppym@gentoo.org>
selinux-base-2.20140311-r5.ebuild, selinux-base-2.20140311-r6.ebuild,
selinux-base-2.20140311-r7.ebuild, selinux-base-2.20141203-r1.ebuild,
selinux-base-2.20141203-r2.ebuild, selinux-base-2.20141203-r3.ebuild,
selinux-base-2.20141203-r4.ebuild, selinux-base-2.20141203-r5.ebuild:
Replace links pointing at git.overlays.gentoo.org.
21 Apr 2015; Jason Zaman <perfinion@gentoo.org> selinux-base-9999.ebuild:
update git urls and migrate git-2 -> git-r3
15 Apr 2015; Jason Zaman <perfinion@gentoo.org>
selinux-base-2.20141203-r4.ebuild:
Stabilize policy 2.20141203-r4
*selinux-base-2.20141203-r5 (15 Apr 2015)
15 Apr 2015; Jason Zaman <perfinion@gentoo.org>
+selinux-base-2.20141203-r5.ebuild:
Release of 2.20141203-r5
22 Mar 2015; Sven Vermeulen <swift@gentoo.org>
selinux-base-2.20141203-r3.ebuild:
Stabilize 2.20141203-r3 policies
*selinux-base-2.20141203-r4 (22 Mar 2015)
22 Mar 2015; Sven Vermeulen <swift@gentoo.org>
+selinux-base-2.20141203-r4.ebuild, selinux-base-9999.ebuild:
Release of 2.20141203-r4
*selinux-base-2.20141203-r3 (29 Jan 2015)
29 Jan 2015; Jason Zaman <perfinion@gentoo.org>
+selinux-base-2.20141203-r3.ebuild, selinux-base-2.20141203-r2.ebuild:
Release of 2.20141203-r3, stable 2.20141203-r2
21 Dec 2014; Sven Vermeulen <swift@gentoo.org>
-selinux-base-2.20140311-r1.ebuild, -selinux-base-2.20140311-r2.ebuild,
-selinux-base-2.20140311-r3.ebuild, -selinux-base-2.20140311-r4.ebuild:
Remove old ebuilds
21 Dec 2014; Sven Vermeulen <swift@gentoo.org>
selinux-base-2.20141203-r1.ebuild:
Stabilize 2.20141203-r1
*selinux-base-2.20141203-r2 (21 Dec 2014)
21 Dec 2014; Sven Vermeulen <swift@gentoo.org>
+selinux-base-2.20141203-r2.ebuild:
Release of 2.20141203-r2
07 Dec 2014; Jason Zaman <perfinion@gentoo.org>
selinux-base-2.20140311-r7.ebuild, selinux-base-9999.ebuild:
Stabilize 2.20140311-r7
*selinux-base-2.20141203-r1 (07 Dec 2014)
07 Dec 2014; Jason Zaman <perfinion@gentoo.org>
+selinux-base-2.20141203-r1.ebuild:
Release of 2.20141203-r1
07 Dec 2014; Jason Zaman <perfinion@gentoo.org> selinux-base-9999.ebuild:
update SRC_URI
07 Dec 2014; Sven Vermeulen <swift@gentoo.org> selinux-base-9999.ebuild:
Clean up sed commands that are no longer needed (bug 257111 is fixed upstream)
05 Dec 2014; Jason Zaman <perfinion@gentoo.org> selinux-base-9999.ebuild:
enable parallel build, bug 530178
01 Nov 2014; Sven Vermeulen <swift@gentoo.org>
selinux-base-2.20140311-r6.ebuild:
Stabilize rev 6
*selinux-base-2.20140311-r7 (01 Nov 2014)
01 Nov 2014; Sven Vermeulen <swift@gentoo.org>
+selinux-base-2.20140311-r7.ebuild:
Bump revision r7 of SELinux policies
01 Nov 2014; Sven Vermeulen <swift@gentoo.org> selinux-base-9999.ebuild:
Add KEYWORDS logic in -9999 ebuilds for ease of copying
24 Aug 2014; Sven Vermeulen <swift@gentoo.org> selinux-base-9999.ebuild:
Back to gogo infrastructure
23 Aug 2014; Sven Vermeulen <swift@gentoo.org> selinux-base-9999.ebuild:
Temporarily use github until gogo is back on track
22 Aug 2014; Sven Vermeulen <swift@gentoo.org>
selinux-base-2.20140311-r5.ebuild:
Stabilize r5 policies
*selinux-base-2.20140311-r6 (21 Aug 2014)
21 Aug 2014; Sven Vermeulen <swift@gentoo.org>
+selinux-base-2.20140311-r6.ebuild:
Release of 2.20140311-r6
*selinux-base-2.20140311-r5 (09 Aug 2014)
09 Aug 2014; Sven Vermeulen <swift@gentoo.org>
+selinux-base-2.20140311-r5.ebuild:
Bump towards r5 (fixes duplicate context for hiawatha)
08 Aug 2014; Sven Vermeulen <swift@gentoo.org> selinux-base-9999.ebuild:
Make 9999 ebuilds EAPI=5 and transform to make master for version bumps
06 Aug 2014; Sven Vermeulen <swift@gentoo.org> selinux-base-9999.ebuild:
Supporting the SELINUX_GIT_* variables
05 Aug 2014; Sven Vermeulen <swift@gentoo.org>
-selinux-base-2.20130424-r1.ebuild, -selinux-base-2.20130424-r2.ebuild,
-selinux-base-2.20130424-r3.ebuild, -selinux-base-2.20130424-r4.ebuild:
Remove obsolete ebuilds
*selinux-base-2.20140311-r4 (01 Aug 2014)
01 Aug 2014; Sven Vermeulen <swift@gentoo.org>
+selinux-base-2.20140311-r4.ebuild, selinux-base-2.20140311-r3.ebuild:
Stabilization of r3, and make r4 available for testing
29 May 2014; Sven Vermeulen <swift@gentoo.org>
selinux-base-2.20140311-r2.ebuild:
Stabilize 2.20140311-r2
*selinux-base-2.20140311-r3 (29 May 2014)
29 May 2014; Sven Vermeulen <swift@gentoo.org>
+selinux-base-2.20140311-r3.ebuild:
Bump to 2.20140311-r3
19 Apr 2014; Sven Vermeulen <swift@gentoo.org>
selinux-base-2.20140311-r1.ebuild:
Stabilize r1 policies
*selinux-base-2.20140311-r2 (19 Apr 2014)
19 Apr 2014; Sven Vermeulen <swift@gentoo.org>
+selinux-base-2.20140311-r2.ebuild:
Release of 2.20140311-r2
24 Mar 2014; Sven Vermeulen <swift@gentoo.org>
-selinux-base-2.20120725-r5.ebuild, -selinux-base-2.20120725-r7.ebuild,
-selinux-base-2.20120725-r8.ebuild, -selinux-base-2.20120725-r9.ebuild,
-selinux-base-2.20120725-r10.ebuild, -selinux-base-2.20120725-r11.ebuild,
-selinux-base-2.20120725-r12.ebuild:
Removing older SELinux policies
*selinux-base-2.20140311-r1 (21 Mar 2014)
21 Mar 2014; Sven Vermeulen <swift@gentoo.org>
+selinux-base-2.20140311-r1.ebuild:
New upstream refpolicy release
12 Jan 2014; Sven Vermeulen <swift@gentoo.org>
selinux-base-2.20130424-r4.ebuild:
Stabilize 2.20130424-r4
*selinux-base-2.20130424-r4 (11 Dec 2013)
11 Dec 2013; Sven Vermeulen <swift@gentoo.org>
+selinux-base-2.20130424-r4.ebuild:
Release of 2.20130424-r4
*selinux-base-2.20130424-r3 (26 Sep 2013)
26 Sep 2013; Sven Vermeulen <swift@gentoo.org>
+selinux-base-2.20130424-r3.ebuild:
Release 2.20130424-r3, fixing bugs #480628, #482196, #475432, #485304, #480870
and #428322
15 Aug 2013; Sven Vermeulen <swift@gentoo.org> selinux-base-9999.ebuild:
Clean up generated cruft before building base policy - see bug 480628
15 Aug 2013; Sven Vermeulen <swift@gentoo.org>
selinux-base-2.20130424-r2.ebuild:
Stabilize r2 of policies
*selinux-base-2.20130424-r2 (20 Jul 2013)
20 Jul 2013; Sven Vermeulen <swift@gentoo.org>
+selinux-base-2.20130424-r2.ebuild:
Pushing out rev 2
16 Jun 2013; Sven Vermeulen <swift@gentoo.org>
selinux-base-2.20130424-r1.ebuild:
Stabilize 20130424 policies
07 May 2013; Sven Vermeulen <swift@gentoo.org>
selinux-base-2.20130424-r1.ebuild, selinux-base-9999.ebuild:
Add in support for epatch_user (to support interface patching)
*selinux-base-2.20130424-r1 (06 May 2013)
06 May 2013; Sven Vermeulen <swift@gentoo.org>
+selinux-base-2.20130424-r1.ebuild:
Adding 20130424 release
11 Apr 2013; Sven Vermeulen <swift@gentoo.org>
selinux-base-2.20120725-r12.ebuild, selinux-base-9999.ebuild:
Add in support for manual pages
29 Mar 2013; Sven Vermeulen <swift@gentoo.org>
selinux-base-2.20120725-r12.ebuild:
Stabilize r12, fixes 455080, 453724, 461880, 453722, 452166, 458876, 457618,
456910, 456194, 453990 and 460152
*selinux-base-2.20120725-r12 (09 Mar 2013)
09 Mar 2013; Sven Vermeulen <swift@gentoo.org>
+selinux-base-2.20120725-r12.ebuild, selinux-base-9999.ebuild:
Pushing out rev 12
23 Feb 2013; Sven Vermeulen <swift@gentoo.org>
selinux-base-2.20120725-r11.ebuild:
Stabilization
*selinux-base-2.20120725-r11 (26 Jan 2013)
26 Jan 2013; Sven Vermeulen <swift@gentoo.org>
+selinux-base-2.20120725-r11.ebuild:
Bumping selinux-base to revision 11
16 Jan 2013; Sven Vermeulen <swift@gentoo.org>
selinux-base-2.20120725-r10.ebuild:
Stabilizing
*selinux-base-2.20120725-r10 (16 Jan 2013)
16 Jan 2013; Sven Vermeulen <swift@gentoo.org>
+selinux-base-2.20120725-r10.ebuild:
Bumping with fix for #451128
13 Jan 2013; Sven Vermeulen <swift@gentoo.org>
selinux-base-2.20120725-r9.ebuild:
Stabilizing r9
30 Dec 2012; Samuli Suominen <ssuominen@gentoo.org>
selinux-base-2.20120725-r9.ebuild:
Use virtual/udev instead of sys-fs/udev; regression introduced by swift@g.o
21 Dec 2012 by not using up-to-date ebuild from gentoo-x86 for revision
bumping.
*selinux-base-2.20120725-r9 (21 Dec 2012)
21 Dec 2012; Sven Vermeulen <swift@gentoo.org> +selinux-base-2.20120725-r9.ebuild:
Bumping to revision 9
17 Dec 2012; Sven Vermeulen <swift@gentoo.org> -selinux-base-2.20120215-r13.ebuild,
-selinux-base-2.20120215-r14.ebuild, -selinux-base-2.20120215-r15.ebuild,
-selinux-base-2.20120215-r6.ebuild, -selinux-base-2.20120215-r7.ebuild,
-selinux-base-2.20120215-r8.ebuild, -selinux-base-2.20120215-r9.ebuild:
Removing older ebuilds
13 Dec 2012; Sven Vermeulen <swift@gentoo.org> selinux-base-2.20120725-r8.ebuild:
Stabilization
11 Dec 2012; Samuli Suominen <ssuominen@gentoo.org>
selinux-base-2.20120215-r6.ebuild, selinux-base-2.20120215-r7.ebuild,
selinux-base-2.20120215-r8.ebuild, selinux-base-2.20120215-r9.ebuild,
selinux-base-2.20120215-r13.ebuild, selinux-base-2.20120215-r14.ebuild,
selinux-base-2.20120215-r15.ebuild, selinux-base-2.20120725-r5.ebuild,
selinux-base-2.20120725-r7.ebuild, selinux-base-2.20120725-r8.ebuild,
selinux-base-9999.ebuild:
Use virtual/udev instead of sys-fs/udev.
04 Dec 2012; Sven Vermeulen <swift@gentoo.org> selinux-base-9999.ebuild, metadata.xml:
Add in support for unconfined USE flag and fix #445978
*selinux-base-2.20120725-r8 (03 Dec 2012)
03 Dec 2012; Sven Vermeulen <swift@gentoo.org> +selinux-base-2.20120725-r8.ebuild:
Bumping to revision 8
*selinux-base-2.20120725-r7 (18 Nov 2012)
18 Nov 2012; Sven Vermeulen <swift@gentoo.org> +selinux-base-2.20120725-r7.ebuild:
Pushing out rev 7
*selinux-base-9999 (13 Oct 2012)
13 Oct 2012; Sven Vermeulen <swift@gentoo.org> +selinux-base-9999.ebuild:
Adding live ebuild
04 Oct 2012; Sven Vermeulen <swift@gentoo.org> selinux-base-2.20120725-r5.ebuild:
Stabilization
*selinux-base-2.20120725-r5 (21 Sep 2012)
21 Sep 2012; Sven Vermeulen <swift@gentoo.org> +selinux-base-2.20120725-r5.ebuild:
Introducing policy for 2.20120725, rev5
30 Jul 2012; Sven Vermeulen <swift@gentoo.org> selinux-base-2.20120215-r14.ebuild:
Stabilization of revision 14 of the SELinux policy modules
*selinux-base-2.20120215-r15 (26 Jul 2012)
26 Jul 2012; Sven Vermeulen <swift@gentoo.org> +selinux-base-2.20120215-r15.ebuild:
Bump to rev15
*selinux-base-2.20120215-r14 (16 Jul 2012)
16 Jul 2012; Sven Vermeulen <swift@gentoo.org> +selinux-base-2.20120215-r14.ebuild:
Bumping to rev14
*selinux-base-2.20120215-r13 (27 Jun 2012)
27 Jun 2012; Sven Vermeulen <swift@gentoo.org> +selinux-base-2.20120215-r13.ebuild:
Bump to revision 13
*selinux-base-2.20120215-r9 (20 May 2012)
20 May 2012; Sven Vermeulen <swift@gentoo.org> +selinux-base-2.20120215-r9.ebuild:
Bumping to rev 9
29 Apr 2012; Sven Vermeulen <swift@gentoo.org> selinux-base-2.20120215-r7.ebuild:
Stabilizing rev7
*selinux-base-2.20120215-r8 (26 Apr 2012)
26 Apr 2012; Sven Vermeulen <swift@gentoo.org> +selinux-base-2.20120215-r8.ebuild:
Bump to rev8, fix #411719, #411149 and #411943
*selinux-base-2.20120215-r7 (22 Apr 2012)
22 Apr 2012; Sven Vermeulen <swift@gentoo.org> +selinux-base-2.20120215-r7.ebuild:
Bumping to rev 7, fixing bugs #401595, #411193 and #403293
31 Mar 2012; Sven Vermeulen <swift@gentoo.org> +selinux-base-2.20120215-r6.ebuild,
+files/config, +metadata.xml:
Bumping to 2.20120215 policies
*selinux-base-2.20120215-r6 (31 Mar 2012)
31 Mar 2012; Sven Vermeulen <swift@gentoo.org> +selinux-base-2.20120215-r6.ebuild,
+files/config, +metadata.xml:
Initial base policy package (without additional modules)

6
sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/Manifest vendored
View File

@ -1,2 +1,4 @@
DIST patchbundle-selinux-base-policy-2.20141203-r9.tar.bz2 299602 SHA256 e8518004942a6c57170a609683e22b1410c93a2a195829c41dc8fbc703d941b5 SHA512 ce6484fbca1d2d074e50d1a3953392bd3ce0a4617df98fbac37747b469b4f160a9331586dfe1c3ddccb1ccbee24876a2f05ab49e37c8492a48baf83c2d01d140 WHIRLPOOL 1fd7b956e98e95a64c3a713a944d4531259bd156a7feabf6a89c4b5f33ac846377730eede97889e85183be086f282ebd18e860214f6ca3f01b40f2323470ee04 DIST patchbundle-selinux-base-policy-2.20200818-r2.tar.bz2 433623 BLAKE2B f0655c45c50347faf1217e5861298dce822e4b726c0b4489d4c70c4815842f7c17ac1b0a302ae5482a3ad25d1d5b6c4c3b6395194e79005f31560d103ad0fce6 SHA512 9fd22683ecd602a429b2d489f7b8c2936409fa060046255b72a4b95c9fdefa2455ba7655945278dc972c22f3ade6617898ed169e22001aaaaded4b47ca51b0c3
DIST refpolicy-2.20141203.tar.bz2 680243 SHA256 f438209c430d8a2d4ddcbe4bdd3edb46f6af7dc4913637af0b73c635e40c1522 SHA512 682e4280c5799e4c12ec7594afc1389f67be35055748d2e0dbdc3419159a16c96d4946ca6178daee8370515951f8653b2e452efe8c962b8d7f9bc192f0b15a0c WHIRLPOOL 74bca232534e7af9051bb1ab9f77c1ff6c425781cf4561f781d6e9a40cc5ca0d9add540249ea5493e8782a9372aea296ead6c165c6c440ae1509eb319d151ee5 DIST patchbundle-selinux-base-policy-2.20210203-r1.tar.bz2 298116 BLAKE2B 50c5523a8b758652af6aa59d548e9499b899898b58f52f74f1667a0c552f2b2d0ed5a44352e59245c7f0ebd199e2391400168d6ab27b4160d726fccded0c56f2 SHA512 ddb877ec3e2883f57e54e7380dd449d4d89a0769a1fb87141786e5de741ac21b2ead60362fd17c25888eb1334c68f71da561f4f29f406f0d4b5d13d378f6baff
DIST refpolicy-2.20200818.tar.bz2 570896 BLAKE2B 502c00fec39e1b81e42de3f7f942623f8b3fbdeac19f9f01126722a368b7d4f70427d6e4a574754c4f2fa551e4bc75c912dbc515c004f0dcd5eb28ab416498f6 SHA512 e4b527bb7a87b9359fc42eb111d5008103f57c37128998ea0e21ec7b0b8607ffe3f67697450e4c51a0db172ece69083335b279bacef4b1bd0b7748b58caa99a7
DIST refpolicy-2.20210203.tar.bz2 564099 BLAKE2B a94a11ebb78890ba2c98714be2fe9054fdb8ccaf5154f47b881a9575a4a6865e8df475805550d7bba8039b4230c6a0c9f5c6130bf8c35a26bc7c473d550fb40d SHA512 a6ffe718626dd6121023b4cbc424c933d44ca8b662bd708baad307cf6284be0d80fef40cdc8b37f6f17ecb3636fd8d6c1d5d4072c17d835b7f500e17a3acd9fc

2
sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/config vendored
View File

@ -12,4 +12,4 @@ SELINUX=permissive
# mls - Full SELinux protection with Multi-Level Security # mls - Full SELinux protection with Multi-Level Security
# mcs - Full SELinux protection with Multi-Category Security # mcs - Full SELinux protection with Multi-Category Security
# (mls, but only one sensitivity level) # (mls, but only one sensitivity level)
SELINUXTYPE=mcs SELINUXTYPE=strict

13
sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/kernel_mcs.diff vendored
View File

@ -1,13 +0,0 @@
diff -ur refpolicy.orig/policy/modules/kernel/kernel.te refpolicy/policy/modules/kernel/kernel.te
--- refpolicy.orig/policy/modules/kernel/kernel.te 2015-06-24 14:05:01.160318849 -0700
+++ refpolicy/policy/modules/kernel/kernel.te 2015-06-24 14:06:23.468516424 -0700
@@ -442,3 +442,9 @@
#dev_manage_all_dev_nodes(kernel_t)
dev_setattr_generic_chr_files(kernel_t)
')
+mcs_killall(kernel_t)
+mcs_file_read_all(kernel_t)
+mcs_file_write_all(kernel_t)
+mcs_process_set_categories(kernel_t)
+mcs_ptrace_all(kernel_t)
+allow kernel_t self:capability2 wake_alarm;

4
sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/lxc_contexts vendored
View File

@ -1,4 +0,0 @@
process = "system_u:system_r:svirt_lxc_net_t:s0"
content = "system_u:object_r:virt_var_lib_t:s0"
file = "system_u:object_r:svirt_lxc_file_t:s0"

21
sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/mcs_create.diff vendored
View File

@ -1,21 +0,0 @@
diff -ur work.orig/refpolicy/policy/mcs work/refpolicy/policy/mcs
--- refpolicy/policy/mcs 2015-12-18 13:41:18.655947448 +0000
+++ refpolicy/policy/mcs 2015-12-18 13:42:40.364890957 +0000
@@ -100,14 +100,14 @@
# New filesystem object labels must be dominated by the relabeling subject
# clearance, also the objects are single-level.
mlsconstrain file { create relabelto }
- (( h1 dom h2 ) and ( l2 eq h2 ));
+ ((( h1 dom h2 ) and ( l2 eq h2 )) or (t1 == mcswriteall));
# new file labels must be dominated by the relabeling subject clearance
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
- ( h1 dom h2 );
+ (( h1 dom h2 ) or (t1 == mcswriteall));
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
- (( h1 dom h2 ) and ( l2 eq h2 ));
+ ((( h1 dom h2 ) and ( l2 eq h2 )) or (t1 == mcswriteall));
mlsconstrain process { transition dyntransition }
(( h1 dom h2 ) or ( t1 == mcssetcats ));

9
sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/mcs_range_target.diff vendored
View File

@ -1,9 +0,0 @@
diff -ur mcs.orig/policy/mcs mcs/policy/mcs
--- refpolicy.orig/policy/mcs 2015-09-14 11:32:38.155721902 -0700
+++ refpolicy/policy/mcs 2015-09-14 11:36:08.055490569 -0700
@@ -1,4 +1,5 @@
ifdef(`enable_mcs',`
+default_range dir_file_class_set target low-high;
#
# Define sensitivities
#

4
sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/selinux.conf vendored Normal file
View File

@ -0,0 +1,4 @@
# Rebuild all selinux policy modules
[selinux-rebuild]
class = portage.sets.dbapi.OwnerSet
files = /usr/share/selinux/

3
sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/files/tmpfiles.d/selinux-base.conf vendored
View File

@ -1,3 +0,0 @@
d /etc/selinux/ - - - - -
L /etc/selinux/config - - - - ../../usr/lib/selinux/config
L /etc/selinux/mcs - - - - ../../usr/lib/selinux/mcs

12
sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/metadata.xml vendored
View File

@ -1,15 +1,17 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd"> <!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata> <pkgmetadata>
<herd>selinux</herd> <maintainer type="project">
<email>selinux@gentoo.org</email>
<name>SELinux Team</name>
</maintainer>
<longdescription> <longdescription>
Gentoo SELinux base policy. This contains policy for a system at the end of system installation. Gentoo SELinux base policy. This contains policy for a system at the end of system installation.
There is no extra policy in this package. There is no extra policy in this package.
</longdescription> </longdescription>
<use> <use>
<flag name='peer_perms'>Enable the labeled networking peer permissions (SELinux policy capability).</flag> <flag name="ubac">Enable User Based Access Control (UBAC) in the SELinux policy</flag>
<flag name='open_perms'>Enable the open permissions for file object classes (SELinux policy capability).</flag> <flag name="unconfined">Enable support for the unconfined SELinux module</flag>
<flag name='ubac'>Enable User Based Access Control (UBAC) in the SELinux policy</flag> <flag name="unknown-perms">Default allow unknown classes in kernels newer than the policy (SELinux policy capability).</flag>
<flag name='unconfined'>Enable support for the unconfined SELinux module</flag>
</use> </use>
</pkgmetadata> </pkgmetadata>

188
sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r14.ebuild vendored
View File

@ -1,188 +0,0 @@
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-base/selinux-base-2.20141203-r5.ebuild,v 1.3 2015/06/05 16:10:26 perfinion Exp $
EAPI="5"
inherit eutils systemd
if [[ ${PV} == 9999* ]]; then
EGIT_REPO_URI="${SELINUX_GIT_REPO:-git://anongit.gentoo.org/proj/hardened-refpolicy.git https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}"
EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}"
EGIT_SOURCEDIR="${WORKDIR}/refpolicy"
inherit git-2
KEYWORDS=""
else
SRC_URI="https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2
http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-2.20141203-r9.tar.bz2"
KEYWORDS="amd64 x86"
fi
IUSE="+peer_perms +open_perms +ubac +unconfined doc"
DESCRIPTION="Gentoo base policy for SELinux"
HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
LICENSE="GPL-2"
SLOT="0"
RDEPEND=">=sys-apps/policycoreutils-2.3
virtual/udev
!<=sec-policy/selinux-base-policy-2.20120725"
DEPEND="${RDEPEND}
sys-devel/m4
>=sys-apps/checkpolicy-2.3"
S=${WORKDIR}/
#src_unpack() {
# git-2_src_unpack
#}
src_prepare() {
if [[ ${PV} != 9999* ]]; then
# Apply the gentoo patches to the policy. These patches are only necessary
# for base policies, or for interface changes on modules.
EPATCH_MULTI_MSG="Applying SELinux policy updates ... " \
EPATCH_SUFFIX="patch" \
EPATCH_SOURCE="${WORKDIR}" \
EPATCH_FORCE="yes" \
epatch
fi
epatch "${FILESDIR}/kernel_mcs.diff"
epatch "${FILESDIR}/mcs_create.diff"
epatch "${FILESDIR}/mcs_range_target.diff"
cd "${S}/refpolicy"
make bare
epatch_user
}
src_configure() {
[ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs"
# Update the SELinux refpolicy capabilities based on the users' USE flags.
if ! use peer_perms; then
sed -i -e '/network_peer_controls/d' \
"${S}/refpolicy/policy/policy_capabilities"
fi
if ! use open_perms; then
sed -i -e '/open_perms/d' \
"${S}/refpolicy/policy/policy_capabilities"
fi
if ! use ubac; then
sed -i -e '/^UBAC/s/y/n/' "${S}/refpolicy/build.conf" \
|| die "Failed to disable User Based Access Control"
fi
echo "DISTRO = gentoo" >> "${S}/refpolicy/build.conf"
# Prepare initial configuration
cd "${S}/refpolicy";
make conf || die "Make conf failed"
# Setup the policies based on the types delivered by the end user.
# These types can be "targeted", "strict", "mcs" and "mls".
for i in ${POLICY_TYPES}; do
cp -a "${S}/refpolicy" "${S}/${i}"
cd "${S}/${i}";
#cp "${FILESDIR}/modules-2.20120215.conf" "${S}/${i}/policy/modules.conf"
sed -i -e "/= module/d" "${S}/${i}/policy/modules.conf"
sed -i -e '/^QUIET/s/n/y/' -e "/^NAME/s/refpolicy/$i/" \
"${S}/${i}/build.conf" || die "build.conf setup failed."
if [[ "${i}" == "mls" ]] || [[ "${i}" == "mcs" ]];
then
# MCS/MLS require additional settings
sed -i -e "/^TYPE/s/standard/${i}/" "${S}/${i}/build.conf" \
|| die "failed to set type to mls"
fi
if [ "${i}" == "targeted" ]; then
sed -i -e '/root/d' -e 's/user_u/unconfined_u/' \
"${S}/${i}/config/appconfig-standard/seusers" \
|| die "targeted seusers setup failed."
fi
if [ "${i}" != "targeted" ] && [ "${i}" != "strict" ] && use unconfined; then
sed -i -e '/root/d' -e 's/user_u/unconfined_u/' \
"${S}/${i}/config/appconfig-${i}/seusers" \
|| die "policy seusers setup failed."
fi
done
}
src_compile() {
[ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs"
for i in ${POLICY_TYPES}; do
cd "${S}/${i}"
emake base UNK_PERMS=allow BINDIR="${ROOT}/usr/bin" || die "${i} compile failed"
if use doc; then
make html || die
fi
done
}
src_install() {
[ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs"
for i in ${POLICY_TYPES}; do
cd "${S}/${i}"
make DESTDIR="${D}" install \
|| die "${i} install failed."
make DESTDIR="${D}" install-headers \
|| die "${i} headers install failed."
echo "run_init_t" > "${D}/etc/selinux/${i}/contexts/run_init_type"
echo "textrel_shlib_t" >> "${D}/etc/selinux/${i}/contexts/customizable_types"
cp "${FILESDIR}/booleans" "${D}/etc/selinux/${i}/booleans"
# libsemanage won't make this on its own
keepdir "/etc/selinux/${i}/policy"
if use doc; then
dohtml doc/html/*;
fi
insinto /usr/share/selinux/devel;
doins doc/policy.xml;
done
systemd_dotmpfilesd "${FILESDIR}/tmpfiles.d/selinux-base.conf"
systemd-tmpfiles --root="${D}" --create selinux-base.conf
dodoc doc/Makefile.example doc/example.{te,fc,if}
doman man/man8/*.8;
insinto /usr/lib/selinux
doins "${FILESDIR}/config"
insinto /etc/selinux/mcs/contexts
doins "${FILESDIR}/lxc_contexts"
mkdir -p "${D}/usr/lib/selinux"
for i in ${POLICY_TYPES}; do
mv "${D}/etc/selinux/${i}" "${D}/usr/lib/selinux"
dosym "../../usr/lib/selinux/${i}" "/etc/selinux/${i}"
done
}
pkg_preinst() {
has_version "<${CATEGORY}/${PN}-2.20101213-r13"
previous_less_than_r13=$?
}

153
sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20200818-r2.ebuild vendored Normal file
View File

@ -0,0 +1,153 @@
# Copyright 1999-2020 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
if [[ ${PV} == 9999* ]]; then
EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}"
EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}"
EGIT_CHECKOUT_DIR="${WORKDIR}/refpolicy"
inherit git-r3
else
SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2
https://dev.gentoo.org/~perfinion/patches/selinux-base-policy/patchbundle-selinux-base-policy-${PVR}.tar.bz2"
KEYWORDS="amd64 -arm ~arm64 ~mips x86"
fi
IUSE="doc +unknown-perms systemd +ubac +unconfined"
DESCRIPTION="Gentoo base policy for SELinux"
HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
LICENSE="GPL-2"
SLOT="0"
RDEPEND=">=sys-apps/policycoreutils-2.8"
DEPEND="${RDEPEND}"
BDEPEND="
>=sys-apps/checkpolicy-2.8
sys-devel/m4"
S=${WORKDIR}/
src_prepare() {
if [[ ${PV} != 9999* ]]; then
einfo "Applying SELinux policy updates ... "
eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch"
fi
eapply_user
cd "${S}/refpolicy" || die
emake bare
}
src_configure() {
[ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs"
# Update the SELinux refpolicy capabilities based on the users' USE flags.
if use unknown-perms; then
sed -i -e '/^UNK_PERMS/s/deny/allow/' "${S}/refpolicy/build.conf" \
|| die "Failed to allow Unknown Permissions Handling"
sed -i -e '/^UNK_PERMS/s/deny/allow/' "${S}/refpolicy/Makefile" \
|| die "Failed to allow Unknown Permissions Handling"
fi
if ! use ubac; then
sed -i -e '/^UBAC/s/y/n/' "${S}/refpolicy/build.conf" \
|| die "Failed to disable User Based Access Control"
fi
if use systemd; then
sed -i -e '/^SYSTEMD/s/n/y/' "${S}/refpolicy/build.conf" \
|| die "Failed to enable SystemD"
fi
echo "DISTRO = gentoo" >> "${S}/refpolicy/build.conf" || die
# Prepare initial configuration
cd "${S}/refpolicy" || die
emake conf
# Setup the policies based on the types delivered by the end user.
# These types can be "targeted", "strict", "mcs" and "mls".
for i in ${POLICY_TYPES}; do
cp -a "${S}/refpolicy" "${S}/${i}" || die
cd "${S}/${i}" || die
sed -i -e "/= module/d" "${S}/${i}/policy/modules.conf" || die
sed -i -e '/^QUIET/s/n/y/' -e "/^NAME/s/refpolicy/$i/" \
"${S}/${i}/build.conf" || die "build.conf setup failed."
if [[ "${i}" == "mls" ]] || [[ "${i}" == "mcs" ]];
then
# MCS/MLS require additional settings
sed -i -e "/^TYPE/s/standard/${i}/" "${S}/${i}/build.conf" \
|| die "failed to set type to mls"
fi
if [ "${i}" == "targeted" ]; then
sed -i -e '/root/d' -e 's/user_u/unconfined_u/' \
"${S}/${i}/config/appconfig-standard/seusers" \
|| die "targeted seusers setup failed."
fi
if [ "${i}" != "targeted" ] && [ "${i}" != "strict" ] && use unconfined; then
sed -i -e '/root/d' -e 's/user_u/unconfined_u/' \
"${S}/${i}/config/appconfig-${i}/seusers" \
|| die "policy seusers setup failed."
fi
done
}
src_compile() {
[ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs"
for i in ${POLICY_TYPES}; do
cd "${S}/${i}" || die
emake base
if use doc; then
emake html
fi
done
}
src_install() {
[ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs"
for i in ${POLICY_TYPES}; do
cd "${S}/${i}" || die
emake DESTDIR="${D}" install
emake DESTDIR="${D}" install-headers
echo "run_init_t" > "${D}/etc/selinux/${i}/contexts/run_init_type" || die
echo "textrel_shlib_t" >> "${D}/etc/selinux/${i}/contexts/customizable_types" || die
# libsemanage won't make this on its own
keepdir "/etc/selinux/${i}/policy"
if use doc; then
docinto ${i}/html
dodoc -r doc/html/*;
fi
insinto /usr/share/selinux/devel;
doins doc/policy.xml;
done
docinto /
dodoc doc/Makefile.example doc/example.{te,fc,if}
doman man/man8/*.8;
insinto /etc/selinux
doins "${FILESDIR}/config"
insinto /usr/share/portage/config/sets
doins "${FILESDIR}/selinux.conf"
}

153
sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20210203-r1.ebuild vendored Normal file
View File

@ -0,0 +1,153 @@
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
if [[ ${PV} == 9999* ]]; then
EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}"
EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}"
EGIT_CHECKOUT_DIR="${WORKDIR}/refpolicy"
inherit git-r3
else
SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2
https://dev.gentoo.org/~perfinion/patches/selinux-base-policy/patchbundle-selinux-base-policy-${PVR}.tar.bz2"
KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
fi
IUSE="doc +unknown-perms systemd +ubac +unconfined"
DESCRIPTION="Gentoo base policy for SELinux"
HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
LICENSE="GPL-2"
SLOT="0"
RDEPEND=">=sys-apps/policycoreutils-2.8"
DEPEND="${RDEPEND}"
BDEPEND="
>=sys-apps/checkpolicy-2.8
sys-devel/m4"
S=${WORKDIR}/
src_prepare() {
if [[ ${PV} != 9999* ]]; then
einfo "Applying SELinux policy updates ... "
eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch"
fi
eapply_user
cd "${S}/refpolicy" || die
emake bare
}
src_configure() {
[ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs"
# Update the SELinux refpolicy capabilities based on the users' USE flags.
if use unknown-perms; then
sed -i -e '/^UNK_PERMS/s/deny/allow/' "${S}/refpolicy/build.conf" \
|| die "Failed to allow Unknown Permissions Handling"
sed -i -e '/^UNK_PERMS/s/deny/allow/' "${S}/refpolicy/Makefile" \
|| die "Failed to allow Unknown Permissions Handling"
fi
if ! use ubac; then
sed -i -e '/^UBAC/s/y/n/' "${S}/refpolicy/build.conf" \
|| die "Failed to disable User Based Access Control"
fi
if use systemd; then
sed -i -e '/^SYSTEMD/s/n/y/' "${S}/refpolicy/build.conf" \
|| die "Failed to enable SystemD"
fi
echo "DISTRO = gentoo" >> "${S}/refpolicy/build.conf" || die
# Prepare initial configuration
cd "${S}/refpolicy" || die
emake conf
# Setup the policies based on the types delivered by the end user.
# These types can be "targeted", "strict", "mcs" and "mls".
for i in ${POLICY_TYPES}; do
cp -a "${S}/refpolicy" "${S}/${i}" || die
cd "${S}/${i}" || die
sed -i -e "/= module/d" "${S}/${i}/policy/modules.conf" || die
sed -i -e '/^QUIET/s/n/y/' -e "/^NAME/s/refpolicy/$i/" \
"${S}/${i}/build.conf" || die "build.conf setup failed."
if [[ "${i}" == "mls" ]] || [[ "${i}" == "mcs" ]];
then
# MCS/MLS require additional settings
sed -i -e "/^TYPE/s/standard/${i}/" "${S}/${i}/build.conf" \
|| die "failed to set type to mls"
fi
if [ "${i}" == "targeted" ]; then
sed -i -e '/root/d' -e 's/user_u/unconfined_u/' \
"${S}/${i}/config/appconfig-standard/seusers" \
|| die "targeted seusers setup failed."
fi
if [ "${i}" != "targeted" ] && [ "${i}" != "strict" ] && use unconfined; then
sed -i -e '/root/d' -e 's/user_u/unconfined_u/' \
"${S}/${i}/config/appconfig-${i}/seusers" \
|| die "policy seusers setup failed."
fi
done
}
src_compile() {
[ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs"
for i in ${POLICY_TYPES}; do
cd "${S}/${i}" || die
emake base
if use doc; then
emake html
fi
done
}
src_install() {
[ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs"
for i in ${POLICY_TYPES}; do
cd "${S}/${i}" || die
emake DESTDIR="${D}" install
emake DESTDIR="${D}" install-headers
echo "run_init_t" > "${D}/etc/selinux/${i}/contexts/run_init_type" || die
echo "textrel_shlib_t" >> "${D}/etc/selinux/${i}/contexts/customizable_types" || die
# libsemanage won't make this on its own
keepdir "/etc/selinux/${i}/policy"
if use doc; then
docinto ${i}/html
dodoc -r doc/html/*;
fi
insinto /usr/share/selinux/devel;
doins doc/policy.xml;
done
docinto /
dodoc doc/Makefile.example doc/example.{te,fc,if}
doman man/man8/*.8;
insinto /etc/selinux
doins "${FILESDIR}/config"
insinto /usr/share/portage/config/sets
doins "${FILESDIR}/selinux.conf"
}

116
sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-9999.ebuild vendored
View File

@ -1,75 +1,57 @@
# Copyright 1999-2015 Gentoo Foundation # Copyright 1999-2020 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2 # Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-base/selinux-base-9999.ebuild,v 1.18 2015/04/21 10:34:30 perfinion Exp $
EAPI="5"
inherit eutils EAPI="7"
if [[ ${PV} == 9999* ]]; then if [[ ${PV} == 9999* ]]; then
EGIT_REPO_URI="${SELINUX_GIT_REPO:-git://anongit.gentoo.org/proj/hardened-refpolicy.git https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}" EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}"
EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}" EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}"
EGIT_CHECKOUT_DIR="${WORKDIR}/refpolicy" EGIT_CHECKOUT_DIR="${WORKDIR}/refpolicy"
inherit git-r3 inherit git-r3
KEYWORDS=""
else else
SRC_URI="https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2 SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2
http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-${PVR}.tar.bz2" https://dev.gentoo.org/~perfinion/patches/selinux-base-policy/patchbundle-selinux-base-policy-${PVR}.tar.bz2"
KEYWORDS="~amd64 ~x86" KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
fi fi
IUSE="+peer_perms +open_perms +ubac +unconfined doc" IUSE="doc +unknown-perms systemd +ubac +unconfined"
DESCRIPTION="Gentoo base policy for SELinux" DESCRIPTION="Gentoo base policy for SELinux"
HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/" HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
LICENSE="GPL-2" LICENSE="GPL-2"
SLOT="0" SLOT="0"
RDEPEND=">=sys-apps/policycoreutils-2.3 RDEPEND=">=sys-apps/policycoreutils-2.8"
virtual/udev DEPEND="${RDEPEND}"
!<=sec-policy/selinux-base-policy-2.20120725" BDEPEND="
DEPEND="${RDEPEND} >=sys-apps/checkpolicy-2.8
sys-devel/m4 sys-devel/m4"
>=sys-apps/checkpolicy-2.3"
S=${WORKDIR}/ S=${WORKDIR}/
#src_unpack() {
# git-2_src_unpack
#}
src_prepare() { src_prepare() {
if [[ ${PV} != 9999* ]]; then if [[ ${PV} != 9999* ]]; then
# Apply the gentoo patches to the policy. These patches are only necessary einfo "Applying SELinux policy updates ... "
# for base policies, or for interface changes on modules. eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch"
EPATCH_MULTI_MSG="Applying SELinux policy updates ... " \
EPATCH_SUFFIX="patch" \
EPATCH_SOURCE="${WORKDIR}" \
EPATCH_FORCE="yes" \
epatch
fi fi
cd "${S}/refpolicy" eapply_user
make bare
epatch_user cd "${S}/refpolicy" || die
emake bare
} }
src_configure() { src_configure() {
[ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs" [ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs"
# Update the SELinux refpolicy capabilities based on the users' USE flags. # Update the SELinux refpolicy capabilities based on the users' USE flags.
if use unknown-perms; then
if ! use peer_perms; then sed -i -e '/^UNK_PERMS/s/deny/allow/' "${S}/refpolicy/build.conf" \
sed -i -e '/network_peer_controls/d' \ || die "Failed to allow Unknown Permissions Handling"
"${S}/refpolicy/policy/policy_capabilities" sed -i -e '/^UNK_PERMS/s/deny/allow/' "${S}/refpolicy/Makefile" \
fi || die "Failed to allow Unknown Permissions Handling"
if ! use open_perms; then
sed -i -e '/open_perms/d' \
"${S}/refpolicy/policy/policy_capabilities"
fi fi
if ! use ubac; then if ! use ubac; then
@ -77,20 +59,24 @@ src_configure() {
|| die "Failed to disable User Based Access Control" || die "Failed to disable User Based Access Control"
fi fi
echo "DISTRO = gentoo" >> "${S}/refpolicy/build.conf" if use systemd; then
sed -i -e '/^SYSTEMD/s/n/y/' "${S}/refpolicy/build.conf" \
|| die "Failed to enable SystemD"
fi
echo "DISTRO = gentoo" >> "${S}/refpolicy/build.conf" || die
# Prepare initial configuration # Prepare initial configuration
cd "${S}/refpolicy"; cd "${S}/refpolicy" || die
make conf || die "Make conf failed" emake conf
# Setup the policies based on the types delivered by the end user. # Setup the policies based on the types delivered by the end user.
# These types can be "targeted", "strict", "mcs" and "mls". # These types can be "targeted", "strict", "mcs" and "mls".
for i in ${POLICY_TYPES}; do for i in ${POLICY_TYPES}; do
cp -a "${S}/refpolicy" "${S}/${i}" cp -a "${S}/refpolicy" "${S}/${i}" || die
cd "${S}/${i}"; cd "${S}/${i}" || die
#cp "${FILESDIR}/modules-2.20120215.conf" "${S}/${i}/policy/modules.conf" sed -i -e "/= module/d" "${S}/${i}/policy/modules.conf" || die
sed -i -e "/= module/d" "${S}/${i}/policy/modules.conf"
sed -i -e '/^QUIET/s/n/y/' -e "/^NAME/s/refpolicy/$i/" \ sed -i -e '/^QUIET/s/n/y/' -e "/^NAME/s/refpolicy/$i/" \
"${S}/${i}/build.conf" || die "build.conf setup failed." "${S}/${i}/build.conf" || die "build.conf setup failed."
@ -120,10 +106,10 @@ src_compile() {
[ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs" [ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs"
for i in ${POLICY_TYPES}; do for i in ${POLICY_TYPES}; do
cd "${S}/${i}" cd "${S}/${i}" || die
emake base || die "${i} compile failed" emake base
if use doc; then if use doc; then
make html || die emake html
fi fi
done done
} }
@ -132,23 +118,21 @@ src_install() {
[ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs" [ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs"
for i in ${POLICY_TYPES}; do for i in ${POLICY_TYPES}; do
cd "${S}/${i}" cd "${S}/${i}" || die
make DESTDIR="${D}" install \ emake DESTDIR="${D}" install
|| die "${i} install failed." emake DESTDIR="${D}" install-headers
make DESTDIR="${D}" install-headers \ echo "run_init_t" > "${D}/etc/selinux/${i}/contexts/run_init_type" || die
|| die "${i} headers install failed."
echo "run_init_t" > "${D}/etc/selinux/${i}/contexts/run_init_type" echo "textrel_shlib_t" >> "${D}/etc/selinux/${i}/contexts/customizable_types" || die
echo "textrel_shlib_t" >> "${D}/etc/selinux/${i}/contexts/customizable_types"
# libsemanage won't make this on its own # libsemanage won't make this on its own
keepdir "/etc/selinux/${i}/policy" keepdir "/etc/selinux/${i}/policy"
if use doc; then if use doc; then
dohtml doc/html/*; docinto ${i}/html
dodoc -r doc/html/*;
fi fi
insinto /usr/share/selinux/devel; insinto /usr/share/selinux/devel;
@ -156,18 +140,14 @@ src_install() {
done done
systemd_dotmpfilesd "${FILESDIR}/tmpfiles.d/selinux-base.conf" docinto /
systemd-tmpfiles --root="${D}" --create selinux-base.conf
dodoc doc/Makefile.example doc/example.{te,fc,if} dodoc doc/Makefile.example doc/example.{te,fc,if}
doman man/man8/*.8; doman man/man8/*.8;
insinto /usr/lib/selinux insinto /etc/selinux
doins "${FILESDIR}/config" doins "${FILESDIR}/config"
}
pkg_preinst() { insinto /usr/share/portage/config/sets
has_version "<${CATEGORY}/${PN}-2.20101213-r13" doins "${FILESDIR}/selinux.conf"
previous_less_than_r13=$?
} }