eclass: sync selinux-policy-2 with Gentoo

Commit-Ref: ea4cd1f216
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
Mathieu Tortuyaux 2023-06-14 10:01:35 +02:00
parent bc8261f9c6
commit b0810f46dd
GPG Key ID: AC5CCFB52545D9B8


@ -1,4 +1,4 @@
# Copyright 1999-2020 Gentoo Authors # Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2 # Distributed under the terms of the GNU General Public License v2
# Eclass for installing SELinux policy, and optionally # Eclass for installing SELinux policy, and optionally
@ -7,7 +7,7 @@
# @ECLASS: selinux-policy-2.eclass # @ECLASS: selinux-policy-2.eclass
# @MAINTAINER: # @MAINTAINER:
# selinux@gentoo.org # selinux@gentoo.org
# @SUPPORTED_EAPIS: 6 7 # @SUPPORTED_EAPIS: 7
# @BLURB: This eclass supports the deployment of the various SELinux modules in sec-policy # @BLURB: This eclass supports the deployment of the various SELinux modules in sec-policy
# @DESCRIPTION: # @DESCRIPTION:
# The selinux-policy-2.eclass supports deployment of the various SELinux modules # The selinux-policy-2.eclass supports deployment of the various SELinux modules
@ -18,67 +18,69 @@
# Also, it supports for bundling patches to make the whole thing just a bit more # Also, it supports for bundling patches to make the whole thing just a bit more
# manageable. # manageable.
# @ECLASS-VARIABLE: MODS case ${EAPI} in
7) ;;
*) die "${ECLASS}: EAPI ${EAPI:-0} not supported" ;;
esac
if [[ ! ${_SELINUX_POLICY_2_ECLASS} ]]; then
_SELINUX_POLICY_2_ECLASS=1
# @ECLASS_VARIABLE: MODS
# @DESCRIPTION: # @DESCRIPTION:
# This variable contains the (upstream) module name for the SELinux module. # This variable contains the (upstream) module name for the SELinux module.
# This name is only the module name, not the category! # This name is only the module name, not the category!
: ${MODS:="_illegal"} : "${MODS:="_illegal"}"
# @ECLASS-VARIABLE: BASEPOL # @ECLASS_VARIABLE: BASEPOL
# @DESCRIPTION: # @DESCRIPTION:
# This variable contains the version string of the selinux-base-policy package # This variable contains the version string of the selinux-base-policy package
# that this module build depends on. It is used to patch with the appropriate # that this module build depends on. It is used to patch with the appropriate
# patch bundle(s) that are part of selinux-base-policy. # patch bundle(s) that are part of selinux-base-policy.
: ${BASEPOL:=${PVR}} : "${BASEPOL:=${PVR}}"
# @ECLASS-VARIABLE: POLICY_PATCH # @ECLASS_VARIABLE: POLICY_PATCH
# @DESCRIPTION: # @DESCRIPTION:
# This variable contains the additional patch(es) that need to be applied on top # This variable contains the additional patch(es) that need to be applied on top
# of the patchset already contained within the BASEPOL variable. The variable # of the patchset already contained within the BASEPOL variable. The variable
# can be both a simple string (space-separated) or a bash array. # can be both a simple string (space-separated) or a bash array.
: ${POLICY_PATCH:=""} : "${POLICY_PATCH:=""}"
# @ECLASS-VARIABLE: POLICY_FILES # @ECLASS_VARIABLE: POLICY_FILES
# @DESCRIPTION: # @DESCRIPTION:
# When defined, this contains the files (located in the ebuilds' files/ # When defined, this contains the files (located in the ebuilds' files/
# directory) which should be copied as policy module files into the store. # directory) which should be copied as policy module files into the store.
# Generally, users would want to include at least a .te and .fc file, but .if # Generally, users would want to include at least a .te and .fc file, but .if
# files are supported as well. The variable can be both a simple string # files are supported as well. The variable can be both a simple string
# (space-separated) or a bash array. # (space-separated) or a bash array.
: ${POLICY_FILES:=""} : "${POLICY_FILES:=""}"
# @ECLASS-VARIABLE: POLICY_TYPES # @ECLASS_VARIABLE: POLICY_TYPES
# @DESCRIPTION: # @DESCRIPTION:
# This variable informs the eclass for which SELinux policies the module should # This variable informs the eclass for which SELinux policies the module should
# be built. Currently, Gentoo supports targeted, strict, mcs and mls. # be built. Currently, Gentoo supports targeted, strict, mcs and mls.
# This variable is the same POLICY_TYPES variable that we tell SELinux # This variable is the same POLICY_TYPES variable that we tell SELinux
# users to set in make.conf. Therefore, it is not the module that should # users to set in make.conf. Therefore, it is not the module that should
# override it, but the user. # override it, but the user.
: ${POLICY_TYPES:="targeted strict mcs mls"} : "${POLICY_TYPES:="targeted strict mcs mls"}"
# @ECLASS-VARIABLE: SELINUX_GIT_REPO # @ECLASS_VARIABLE: SELINUX_GIT_REPO
# @DESCRIPTION: # @DESCRIPTION:
# When defined, this variable overrides the default repository URL as used by # When defined, this variable overrides the default repository URL as used by
# this eclass. It allows end users to point to a different policy repository # this eclass. It allows end users to point to a different policy repository
# using a single variable, rather than having to set the packagename_LIVE_REPO # using a single variable, rather than having to set the packagename_LIVE_REPO
# variable for each and every SELinux policy module package they want to install. # variable for each and every SELinux policy module package they want to install.
# The default value is Gentoo's hardened-refpolicy repository. # The default value is Gentoo's hardened-refpolicy repository.
: ${SELINUX_GIT_REPO:="https://anongit.gentoo.org/git/proj/hardened-refpolicy.git"}; : "${SELINUX_GIT_REPO:="https://anongit.gentoo.org/git/proj/hardened-refpolicy.git"}"
# @ECLASS-VARIABLE: SELINUX_GIT_BRANCH # @ECLASS_VARIABLE: SELINUX_GIT_BRANCH
# @DESCRIPTION: # @DESCRIPTION:
# When defined, this variable sets the Git branch to use of the repository. This # When defined, this variable sets the Git branch to use of the repository. This
# allows for users and developers to use a different branch for the entire set of # allows for users and developers to use a different branch for the entire set of
# SELinux policy packages, rather than having to override them one by one with the # SELinux policy packages, rather than having to override them one by one with the
# packagename_LIVE_BRANCH variable. # packagename_LIVE_BRANCH variable.
# The default value is the 'master' branch. # The default value is the 'master' branch.
: ${SELINUX_GIT_BRANCH:="master"}; : "${SELINUX_GIT_BRANCH:="master"}"
case "${EAPI:-0}" in
0|1|2|3|4|5) die "EAPI<6 is not supported";;
6|7) : ;;
*) die "unknown EAPI" ;;
esac
case ${BASEPOL} in case ${BASEPOL} in
9999) inherit git-r3 9999) inherit git-r3
@ -113,17 +115,12 @@ else
RDEPEND=">=sys-apps/policycoreutils-2.0.82 RDEPEND=">=sys-apps/policycoreutils-2.0.82
>=sec-policy/selinux-base-policy-${PV}" >=sec-policy/selinux-base-policy-${PV}"
fi fi
if [[ ${EAPI} == 6 ]]; then
DEPEND="${RDEPEND}
sys-devel/m4
>=sys-apps/checkpolicy-2.0.21"
else
DEPEND="${RDEPEND}"
BDEPEND="sys-devel/m4
>=sys-apps/checkpolicy-2.0.21"
fi
EXPORT_FUNCTIONS src_unpack src_prepare src_compile src_install pkg_postinst pkg_postrm DEPEND="${RDEPEND}"
BDEPEND="
sys-devel/m4
>=sys-apps/checkpolicy-2.0.21
"
# @FUNCTION: selinux-policy-2_src_unpack # @FUNCTION: selinux-policy-2_src_unpack
# @DESCRIPTION: # @DESCRIPTION:
@ -159,7 +156,7 @@ selinux-policy-2_src_prepare() {
if [[ -n ${BASEPOL} ]] && [[ "${BASEPOL}" != "9999" ]]; then if [[ -n ${BASEPOL} ]] && [[ "${BASEPOL}" != "9999" ]]; then
cd "${S}" cd "${S}"
einfo "Applying SELinux policy updates ... " einfo "Applying SELinux policy updates ... "
eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch" eapply -p0 -- "${WORKDIR}/0001-full-patch-against-stable-release.patch"
fi fi
# Call in eapply_user. We do this early on as we start moving # Call in eapply_user. We do this early on as we start moving
@ -169,7 +166,7 @@ selinux-policy-2_src_prepare() {
# Copy additional files to the 3rd_party/ location # Copy additional files to the 3rd_party/ location
if [[ "$(declare -p POLICY_FILES 2>/dev/null 2>&1)" == "declare -a"* ]] || if [[ "$(declare -p POLICY_FILES 2>/dev/null 2>&1)" == "declare -a"* ]] ||
[[ -n ${POLICY_FILES} ]]; then [[ -n ${POLICY_FILES} ]]; then
add_interfaces=1; add_interfaces=1;
cd "${S}/refpolicy/policy/modules" cd "${S}/refpolicy/policy/modules"
for POLFILE in ${POLICY_FILES[@]}; for POLFILE in ${POLICY_FILES[@]};
do do
@ -177,22 +174,21 @@ selinux-policy-2_src_prepare() {
done done
fi fi
# Apply the additional patches refered to by the module ebuild. # Apply the additional patches referred to by the module ebuild.
# But first some magic to differentiate between bash arrays and strings # But first some magic to differentiate between bash arrays and strings
cd "${S}/refpolicy/policy/modules" if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" == "declare -a"* ]]; then
for POLPATCH in ${POLICY_PATCH[@]}; [[ -n ${POLICY_PATCH[*]} ]] && eapply -d "${S}/refpolicy/policy/modules" -- "${POLICY_PATCH[@]}"
do else
einfo "Installing ${POLPATCH}" [[ -n ${POLICY_PATCH} ]] && eapply -d "${S}/refpolicy/policy/modules" -- ${POLICY_PATCH}
eapply -p0 "${POLPATCH}" fi
done
# Collect only those files needed for this particular module # Collect only those files needed for this particular module
for i in ${MODS}; do for i in ${MODS}; do
modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles" modfiles="$(find "${S}/refpolicy/policy/modules" -iname $i.te) $modfiles"
modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles" modfiles="$(find "${S}/refpolicy/policy/modules" -iname $i.fc) $modfiles"
modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.cil) $modfiles" modfiles="$(find "${S}/refpolicy/policy/modules" -iname $i.cil) $modfiles"
if [[ ${add_interfaces} -eq 1 ]]; then if [[ ${add_interfaces} -eq 1 ]]; then
modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.if) $modfiles" modfiles="$(find "${S}/refpolicy/policy/modules" -iname $i.if) $modfiles"
fi fi
done done
@ -220,7 +216,7 @@ selinux-policy-2_src_compile() {
for i in ${POLICY_TYPES}; do for i in ${POLICY_TYPES}; do
# Support USE flags in builds # Support USE flags in builds
export M4PARAM="${makeuse}" export M4PARAM="${makeuse}"
emake NAME=$i SHAREDIR="${ROOT%/}"/usr/share/selinux -C "${S}"/${i} || die "${i} compile failed" emake NAME=$i SHAREDIR="${EPREFIX}"/usr/share/selinux -C "${S}"/${i}
done done
} }
@ -256,21 +252,26 @@ selinux-policy-2_src_install() {
selinux-policy-2_pkg_postinst() { selinux-policy-2_pkg_postinst() {
# Set root path and don't load policy into the kernel when cross compiling # Set root path and don't load policy into the kernel when cross compiling
local root_opts="" local root_opts=""
if [[ "${ROOT%/}" != "" ]]; then if [[ -n ${ROOT} ]]; then
root_opts="-p ${ROOT%/} -n" root_opts="-p ${ROOT} -n"
fi fi
# build up the command in the case of multiple modules # build up the command in the case of multiple modules
local COMMAND local COMMAND
for i in ${POLICY_TYPES}; do for i in ${POLICY_TYPES}; do
if [[ "${i}" == "strict" ]] && [[ "${MODS}" = "unconfined" ]]; then if [[ "${MODS}" = "unconfined" ]]; then
einfo "Ignoring loading of unconfined module in strict module store."; case ${i} in
continue; strict|mcs|mls)
einfo "Ignoring loading of unconfined module in ${i} module store.";
continue
;;
esac
fi fi
einfo "Inserting the following modules into the $i module store: ${MODS}" einfo "Inserting the following modules into the $i module store: ${MODS}"
cd "${ROOT%/}/usr/share/selinux/${i}" || die "Could not enter /usr/share/selinux/${i}" cd "${ROOT}/usr/share/selinux/${i}" || die "Could not enter /usr/share/selinux/${i}"
for j in ${MODS} ; do for j in ${MODS} ; do
if [[ -f "${j}.pp" ]] ; then if [[ -f "${j}.pp" ]] ; then
COMMAND="${j}.pp ${COMMAND}" COMMAND="${j}.pp ${COMMAND}"
@ -302,7 +303,7 @@ selinux-policy-2_pkg_postinst() {
ewarn "If it is the last SELinux module package being installed however," ewarn "If it is the last SELinux module package being installed however,"
ewarn "then it is advised to look at the error above and take appropriate" ewarn "then it is advised to look at the error above and take appropriate"
ewarn "action since the new SELinux policies are not loaded until the" ewarn "action since the new SELinux policies are not loaded until the"
ewarn "command finished succesfully." ewarn "command finished successfully."
ewarn "" ewarn ""
ewarn "To reload, run the following command from within /usr/share/selinux/${i}:" ewarn "To reload, run the following command from within /usr/share/selinux/${i}:"
ewarn " semodule ${COMMAND_base} -i \$(ls *.pp | grep -v base.pp)" ewarn " semodule ${COMMAND_base} -i \$(ls *.pp | grep -v base.pp)"
@ -310,16 +311,16 @@ selinux-policy-2_pkg_postinst() {
ewarn " semodule ${COMMAND_base} -i \$(ls *.pp | grep -v base.pp | grep -v unconfined.pp)" ewarn " semodule ${COMMAND_base} -i \$(ls *.pp | grep -v base.pp | grep -v unconfined.pp)"
ewarn "depending on if you need the unconfined domain loaded as well or not." ewarn "depending on if you need the unconfined domain loaded as well or not."
else else
einfo "SELinux modules reloaded succesfully." einfo "SELinux modules reloaded successfully."
fi fi
else else
einfo "SELinux modules loaded succesfully." einfo "SELinux modules loaded successfully."
fi fi
COMMAND=""; COMMAND="";
done done
# Don't relabel when cross compiling # Don't relabel when cross compiling
if [[ "${ROOT%/}" == "" ]]; then if [[ -z ${ROOT} ]]; then
# Relabel depending packages # Relabel depending packages
local PKGSET=""; local PKGSET="";
if [[ -x /usr/bin/qdepends ]] ; then if [[ -x /usr/bin/qdepends ]] ; then
@ -342,8 +343,8 @@ selinux-policy-2_pkg_postrm() {
if [[ -z "${REPLACED_BY_VERSION}" ]]; then if [[ -z "${REPLACED_BY_VERSION}" ]]; then
# Set root path and don't load policy into the kernel when cross compiling # Set root path and don't load policy into the kernel when cross compiling
local root_opts="" local root_opts=""
if [[ "${ROOT%/}" != "" ]]; then if [[ -n ${ROOT} ]]; then
root_opts="-p ${ROOT%/} -n" root_opts="-p ${ROOT} -n"
fi fi
# build up the command in the case of multiple modules # build up the command in the case of multiple modules
@ -359,9 +360,12 @@ selinux-policy-2_pkg_postrm() {
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
ewarn "SELinux module unload failed."; ewarn "SELinux module unload failed.";
else else
einfo "SELinux modules unloaded succesfully." einfo "SELinux modules unloaded successfully."
fi fi
done done
fi fi
} }
fi
EXPORT_FUNCTIONS src_unpack src_prepare src_compile src_install pkg_postinst pkg_postrm
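Review bot: The POLICY_PATCH hunk in selinux-policy-2_src_prepare drops the explicit strip level: the old loop did `cd "${S}/refpolicy/policy/modules"` and `eapply -p0 "${POLPATCH}"`, while the new code calls `eapply -d "${S}/refpolicy/policy/modules" -- …` with no `-p`, so the patches are now applied with eapply's default `-p1`. Any ebuild in this tree whose POLICY_PATCH file still carries p0-style paths (`admin/foo.te` rather than `a/admin/foo.te`) will now die in src_prepare, and neither the commit message nor the `# @ECLASS_VARIABLE: POLICY_PATCH` description says which layout is expected. I would extend that description with `# Patches are applied with eapply (default -p1) from within ${S}/refpolicy/policy/modules, so paths inside the patch must be relative to that directory.` and audit the in-tree sec-policy patches before merging. The failure mode is at least loud — eapply aborts rather than silently leaving a module unpatched — so the risk is a broken build, not a policy gap. Separately, the `cd "${ROOT}/usr/share/selinux/${i}" || die "Could not enter /usr/share/selinux/${i}"` line in pkg_postinst reports a path without `${ROOT}`, which is misleading exactly in the cross-compile case it was changed for; `die "Could not enter ${ROOT}/usr/share/selinux/${i}"` would match what was attempted.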