eclass: sync selinux-policy-2 with Gentoo
Commit-Ref: ea4cd1f216
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
This commit is contained in:
parent
bc8261f9c6
commit
b0810f46dd
@ -1,4 +1,4 @@
|
||||
# Copyright 1999-2020 Gentoo Authors
|
||||
# Copyright 1999-2023 Gentoo Authors
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
# Eclass for installing SELinux policy, and optionally
|
||||
@ -7,7 +7,7 @@
|
||||
# @ECLASS: selinux-policy-2.eclass
|
||||
# @MAINTAINER:
|
||||
# selinux@gentoo.org
|
||||
# @SUPPORTED_EAPIS: 6 7
|
||||
# @SUPPORTED_EAPIS: 7
|
||||
# @BLURB: This eclass supports the deployment of the various SELinux modules in sec-policy
|
||||
# @DESCRIPTION:
|
||||
# The selinux-policy-2.eclass supports deployment of the various SELinux modules
|
||||
@ -18,67 +18,69 @@
|
||||
# Also, it supports for bundling patches to make the whole thing just a bit more
|
||||
# manageable.
|
||||
|
||||
# @ECLASS-VARIABLE: MODS
|
||||
case ${EAPI} in
|
||||
7) ;;
|
||||
*) die "${ECLASS}: EAPI ${EAPI:-0} not supported" ;;
|
||||
esac
|
||||
|
||||
if [[ ! ${_SELINUX_POLICY_2_ECLASS} ]]; then
|
||||
_SELINUX_POLICY_2_ECLASS=1
|
||||
|
||||
# @ECLASS_VARIABLE: MODS
|
||||
# @DESCRIPTION:
|
||||
# This variable contains the (upstream) module name for the SELinux module.
|
||||
# This name is only the module name, not the category!
|
||||
: ${MODS:="_illegal"}
|
||||
: "${MODS:="_illegal"}"
|
||||
|
||||
# @ECLASS-VARIABLE: BASEPOL
|
||||
# @ECLASS_VARIABLE: BASEPOL
|
||||
# @DESCRIPTION:
|
||||
# This variable contains the version string of the selinux-base-policy package
|
||||
# that this module build depends on. It is used to patch with the appropriate
|
||||
# patch bundle(s) that are part of selinux-base-policy.
|
||||
: ${BASEPOL:=${PVR}}
|
||||
: "${BASEPOL:=${PVR}}"
|
||||
|
||||
# @ECLASS-VARIABLE: POLICY_PATCH
|
||||
# @ECLASS_VARIABLE: POLICY_PATCH
|
||||
# @DESCRIPTION:
|
||||
# This variable contains the additional patch(es) that need to be applied on top
|
||||
# of the patchset already contained within the BASEPOL variable. The variable
|
||||
# can be both a simple string (space-separated) or a bash array.
|
||||
: ${POLICY_PATCH:=""}
|
||||
: "${POLICY_PATCH:=""}"
|
||||
|
||||
# @ECLASS-VARIABLE: POLICY_FILES
|
||||
# @ECLASS_VARIABLE: POLICY_FILES
|
||||
# @DESCRIPTION:
|
||||
# When defined, this contains the files (located in the ebuilds' files/
|
||||
# directory) which should be copied as policy module files into the store.
|
||||
# Generally, users would want to include at least a .te and .fc file, but .if
|
||||
# files are supported as well. The variable can be both a simple string
|
||||
# (space-separated) or a bash array.
|
||||
: ${POLICY_FILES:=""}
|
||||
: "${POLICY_FILES:=""}"
|
||||
|
||||
# @ECLASS-VARIABLE: POLICY_TYPES
|
||||
# @ECLASS_VARIABLE: POLICY_TYPES
|
||||
# @DESCRIPTION:
|
||||
# This variable informs the eclass for which SELinux policies the module should
|
||||
# be built. Currently, Gentoo supports targeted, strict, mcs and mls.
|
||||
# This variable is the same POLICY_TYPES variable that we tell SELinux
|
||||
# users to set in make.conf. Therefore, it is not the module that should
|
||||
# override it, but the user.
|
||||
: ${POLICY_TYPES:="targeted strict mcs mls"}
|
||||
: "${POLICY_TYPES:="targeted strict mcs mls"}"
|
||||
|
||||
# @ECLASS-VARIABLE: SELINUX_GIT_REPO
|
||||
# @ECLASS_VARIABLE: SELINUX_GIT_REPO
|
||||
# @DESCRIPTION:
|
||||
# When defined, this variable overrides the default repository URL as used by
|
||||
# this eclass. It allows end users to point to a different policy repository
|
||||
# using a single variable, rather than having to set the packagename_LIVE_REPO
|
||||
# variable for each and every SELinux policy module package they want to install.
|
||||
# The default value is Gentoo's hardened-refpolicy repository.
|
||||
: ${SELINUX_GIT_REPO:="https://anongit.gentoo.org/git/proj/hardened-refpolicy.git"};
|
||||
: "${SELINUX_GIT_REPO:="https://anongit.gentoo.org/git/proj/hardened-refpolicy.git"}"
|
||||
|
||||
# @ECLASS-VARIABLE: SELINUX_GIT_BRANCH
|
||||
# @ECLASS_VARIABLE: SELINUX_GIT_BRANCH
|
||||
# @DESCRIPTION:
|
||||
# When defined, this variable sets the Git branch to use of the repository. This
|
||||
# allows for users and developers to use a different branch for the entire set of
|
||||
# SELinux policy packages, rather than having to override them one by one with the
|
||||
# packagename_LIVE_BRANCH variable.
|
||||
# The default value is the 'master' branch.
|
||||
: ${SELINUX_GIT_BRANCH:="master"};
|
||||
|
||||
case "${EAPI:-0}" in
|
||||
0|1|2|3|4|5) die "EAPI<6 is not supported";;
|
||||
6|7) : ;;
|
||||
*) die "unknown EAPI" ;;
|
||||
esac
|
||||
: "${SELINUX_GIT_BRANCH:="master"}"
|
||||
|
||||
case ${BASEPOL} in
|
||||
9999) inherit git-r3
|
||||
@ -113,17 +115,12 @@ else
|
||||
RDEPEND=">=sys-apps/policycoreutils-2.0.82
|
||||
>=sec-policy/selinux-base-policy-${PV}"
|
||||
fi
|
||||
if [[ ${EAPI} == 6 ]]; then
|
||||
DEPEND="${RDEPEND}
|
||||
sys-devel/m4
|
||||
>=sys-apps/checkpolicy-2.0.21"
|
||||
else
|
||||
DEPEND="${RDEPEND}"
|
||||
BDEPEND="sys-devel/m4
|
||||
>=sys-apps/checkpolicy-2.0.21"
|
||||
fi
|
||||
|
||||
EXPORT_FUNCTIONS src_unpack src_prepare src_compile src_install pkg_postinst pkg_postrm
|
||||
DEPEND="${RDEPEND}"
|
||||
BDEPEND="
|
||||
sys-devel/m4
|
||||
>=sys-apps/checkpolicy-2.0.21
|
||||
"
|
||||
|
||||
# @FUNCTION: selinux-policy-2_src_unpack
|
||||
# @DESCRIPTION:
|
||||
@ -159,7 +156,7 @@ selinux-policy-2_src_prepare() {
|
||||
if [[ -n ${BASEPOL} ]] && [[ "${BASEPOL}" != "9999" ]]; then
|
||||
cd "${S}"
|
||||
einfo "Applying SELinux policy updates ... "
|
||||
eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch"
|
||||
eapply -p0 -- "${WORKDIR}/0001-full-patch-against-stable-release.patch"
|
||||
fi
|
||||
|
||||
# Call in eapply_user. We do this early on as we start moving
|
||||
@ -169,7 +166,7 @@ selinux-policy-2_src_prepare() {
|
||||
# Copy additional files to the 3rd_party/ location
|
||||
if [[ "$(declare -p POLICY_FILES 2>/dev/null 2>&1)" == "declare -a"* ]] ||
|
||||
[[ -n ${POLICY_FILES} ]]; then
|
||||
add_interfaces=1;
|
||||
add_interfaces=1;
|
||||
cd "${S}/refpolicy/policy/modules"
|
||||
for POLFILE in ${POLICY_FILES[@]};
|
||||
do
|
||||
@ -177,22 +174,21 @@ selinux-policy-2_src_prepare() {
|
||||
done
|
||||
fi
|
||||
|
||||
# Apply the additional patches refered to by the module ebuild.
|
||||
# Apply the additional patches referred to by the module ebuild.
|
||||
# But first some magic to differentiate between bash arrays and strings
|
||||
cd "${S}/refpolicy/policy/modules"
|
||||
for POLPATCH in ${POLICY_PATCH[@]};
|
||||
do
|
||||
einfo "Installing ${POLPATCH}"
|
||||
eapply -p0 "${POLPATCH}"
|
||||
done
|
||||
if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" == "declare -a"* ]]; then
|
||||
[[ -n ${POLICY_PATCH[*]} ]] && eapply -d "${S}/refpolicy/policy/modules" -- "${POLICY_PATCH[@]}"
|
||||
else
|
||||
[[ -n ${POLICY_PATCH} ]] && eapply -d "${S}/refpolicy/policy/modules" -- ${POLICY_PATCH}
|
||||
fi
|
||||
|
||||
# Collect only those files needed for this particular module
|
||||
for i in ${MODS}; do
|
||||
modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
|
||||
modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
|
||||
modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.cil) $modfiles"
|
||||
modfiles="$(find "${S}/refpolicy/policy/modules" -iname $i.te) $modfiles"
|
||||
modfiles="$(find "${S}/refpolicy/policy/modules" -iname $i.fc) $modfiles"
|
||||
modfiles="$(find "${S}/refpolicy/policy/modules" -iname $i.cil) $modfiles"
|
||||
if [[ ${add_interfaces} -eq 1 ]]; then
|
||||
modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.if) $modfiles"
|
||||
modfiles="$(find "${S}/refpolicy/policy/modules" -iname $i.if) $modfiles"
|
||||
fi
|
||||
done
|
||||
|
||||
@ -220,7 +216,7 @@ selinux-policy-2_src_compile() {
|
||||
for i in ${POLICY_TYPES}; do
|
||||
# Support USE flags in builds
|
||||
export M4PARAM="${makeuse}"
|
||||
emake NAME=$i SHAREDIR="${ROOT%/}"/usr/share/selinux -C "${S}"/${i} || die "${i} compile failed"
|
||||
emake NAME=$i SHAREDIR="${EPREFIX}"/usr/share/selinux -C "${S}"/${i}
|
||||
done
|
||||
}
|
||||
|
||||
@ -256,21 +252,26 @@ selinux-policy-2_src_install() {
|
||||
selinux-policy-2_pkg_postinst() {
|
||||
# Set root path and don't load policy into the kernel when cross compiling
|
||||
local root_opts=""
|
||||
if [[ "${ROOT%/}" != "" ]]; then
|
||||
root_opts="-p ${ROOT%/} -n"
|
||||
if [[ -n ${ROOT} ]]; then
|
||||
root_opts="-p ${ROOT} -n"
|
||||
fi
|
||||
|
||||
# build up the command in the case of multiple modules
|
||||
local COMMAND
|
||||
|
||||
for i in ${POLICY_TYPES}; do
|
||||
if [[ "${i}" == "strict" ]] && [[ "${MODS}" = "unconfined" ]]; then
|
||||
einfo "Ignoring loading of unconfined module in strict module store.";
|
||||
continue;
|
||||
if [[ "${MODS}" = "unconfined" ]]; then
|
||||
case ${i} in
|
||||
strict|mcs|mls)
|
||||
einfo "Ignoring loading of unconfined module in ${i} module store.";
|
||||
continue
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
einfo "Inserting the following modules into the $i module store: ${MODS}"
|
||||
|
||||
cd "${ROOT%/}/usr/share/selinux/${i}" || die "Could not enter /usr/share/selinux/${i}"
|
||||
cd "${ROOT}/usr/share/selinux/${i}" || die "Could not enter /usr/share/selinux/${i}"
|
||||
for j in ${MODS} ; do
|
||||
if [[ -f "${j}.pp" ]] ; then
|
||||
COMMAND="${j}.pp ${COMMAND}"
|
||||
@ -302,7 +303,7 @@ selinux-policy-2_pkg_postinst() {
|
||||
ewarn "If it is the last SELinux module package being installed however,"
|
||||
ewarn "then it is advised to look at the error above and take appropriate"
|
||||
ewarn "action since the new SELinux policies are not loaded until the"
|
||||
ewarn "command finished succesfully."
|
||||
ewarn "command finished successfully."
|
||||
ewarn ""
|
||||
ewarn "To reload, run the following command from within /usr/share/selinux/${i}:"
|
||||
ewarn " semodule ${COMMAND_base} -i \$(ls *.pp | grep -v base.pp)"
|
||||
@ -310,16 +311,16 @@ selinux-policy-2_pkg_postinst() {
|
||||
ewarn " semodule ${COMMAND_base} -i \$(ls *.pp | grep -v base.pp | grep -v unconfined.pp)"
|
||||
ewarn "depending on if you need the unconfined domain loaded as well or not."
|
||||
else
|
||||
einfo "SELinux modules reloaded succesfully."
|
||||
einfo "SELinux modules reloaded successfully."
|
||||
fi
|
||||
else
|
||||
einfo "SELinux modules loaded succesfully."
|
||||
einfo "SELinux modules loaded successfully."
|
||||
fi
|
||||
COMMAND="";
|
||||
done
|
||||
|
||||
# Don't relabel when cross compiling
|
||||
if [[ "${ROOT%/}" == "" ]]; then
|
||||
if [[ -z ${ROOT} ]]; then
|
||||
# Relabel depending packages
|
||||
local PKGSET="";
|
||||
if [[ -x /usr/bin/qdepends ]] ; then
|
||||
@ -342,8 +343,8 @@ selinux-policy-2_pkg_postrm() {
|
||||
if [[ -z "${REPLACED_BY_VERSION}" ]]; then
|
||||
# Set root path and don't load policy into the kernel when cross compiling
|
||||
local root_opts=""
|
||||
if [[ "${ROOT%/}" != "" ]]; then
|
||||
root_opts="-p ${ROOT%/} -n"
|
||||
if [[ -n ${ROOT} ]]; then
|
||||
root_opts="-p ${ROOT} -n"
|
||||
fi
|
||||
|
||||
# build up the command in the case of multiple modules
|
||||
@ -359,9 +360,12 @@ selinux-policy-2_pkg_postrm() {
|
||||
if [[ $? -ne 0 ]]; then
|
||||
ewarn "SELinux module unload failed.";
|
||||
else
|
||||
einfo "SELinux modules unloaded succesfully."
|
||||
einfo "SELinux modules unloaded successfully."
|
||||
fi
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
fi
|
||||
|
||||
EXPORT_FUNCTIONS src_unpack src_prepare src_compile src_install pkg_postinst pkg_postrm
|
||||
|
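Review bot: The rewritten POLICY_PATCH block in the src_prepare hunk (`eapply -d "${S}/refpolicy/policy/modules" -- "${POLICY_PATCH[@]}"`) silently changes the patch strip level: the removed loop passed `-p0`, while `eapply` without a `-p` option uses the PMS default of `-p1`, so any sec-policy ebuild in this overlay whose POLICY_PATCH files were written for `-p0` will now fail to apply, or apply to the wrong path if a stripped prefix happens to match. This matches Gentoo's current eclass, so the fix belongs in the module ebuilds rather than here, but the commit message says only "sync with Gentoo" and should state that the overlay's POLICY_PATCH files were checked or converted. If an unconverted patch must stay for now, the old level can be kept explicitly with `eapply -p0 -d "${S}/refpolicy/policy/modules" -- "${POLICY_PATCH[@]}"` in both branches. The `cd "${S}/refpolicy/policy/modules"` that preceded the old loop is also dropped, so anything later in src_prepare (outside this hunk) that relied on that working directory should be re-checked.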