From 7d9e123f97313b9f2b061c4b0f286b3ad5567021 Mon Sep 17 00:00:00 2001
From: Matthew Garrett
Date: Wed, 1 Jul 2015 11:56:40 -0700
Subject: [PATCH] Remove calls to host tools during selinux policy build

SELinux policies were attempting to run the host checkmodule and semodule commands. The former is easy to fix via pointing them at the build root, the latter we skip entirely because we don't want to install the policy at this point - we'll do that during image build.
---
 .../eclass/selinux-policy-2.eclass | 72 +------------------
 .../selinux-base-policy-2.20141203-r5.ebuild | 28 +-------
 .../selinux-base-2.20141203-r5.ebuild | 2 +-
 3 files changed, 4 insertions(+), 98 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/eclass/selinux-policy-2.eclass b/sdk_container/src/third_party/coreos-overlay/eclass/selinux-policy-2.eclass
index 4f7ed94795..aef0e1b419 100644
--- a/sdk_container/src/third_party/coreos-overlay/eclass/selinux-policy-2.eclass
+++ b/sdk_container/src/third_party/coreos-overlay/eclass/selinux-policy-2.eclass
@@ -122,7 +122,7 @@ case "${EAPI:-0}" in
 *) : ;;
 esac

-EXPORT_FUNCTIONS "src_unpack src_prepare src_compile src_install pkg_postinst pkg_postrm"
+EXPORT_FUNCTIONS "src_unpack src_prepare src_compile src_install pkg_postrm"

 # @FUNCTION: selinux-policy-2_src_unpack
 # @DESCRIPTION:
@@ -232,7 +232,7 @@ selinux-policy-2_src_compile() {
 # Parallel builds are broken in 2.20140311-r7 and earlier, bug 530178
 emake -j1 NAME=$i SHAREDIR="${ROOT}/usr/share/selinux" -C "${S}"/${i} || die "${i} compile failed"
 else
- emake NAME=$i SHAREDIR="${ROOT}/usr/share/selinux" -C "${S}"/${i} || die "${i} compile failed"
+ emake NAME=$i BINDIR="${ROOT}/usr/bin" SHAREDIR="${ROOT}/usr/share/selinux" -C "${S}"/${i} || die "${i} compile failed"
 fi
 done
 }
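Review bot: The new EXPORT_FUNCTIONS line drops pkg_postinst but keeps pkg_postrm, so the eclass still wires up a phase that, going by its retained description further down (`# Uninstall the module(s) from the SELinux policy stores`), presumably runs semodule against the host's module store when a policy package is unmerged; the pkg_postrm body is outside this diff, so that is inferred from the doc comment. That leaves the stated goal of not touching the policy store from the SDK build only half applied: merging a policy package no longer calls semodule, but unmerging one still would. Either drop it from the list as well, `EXPORT_FUNCTIONS "src_unpack src_prepare src_compile src_install"`, or record the asymmetry above the line, e.g. `# pkg_postinst is deliberately not exported: modules are loaded at image build time, never into the SDK host's store`.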
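Review bot: Only the second emake invocation receives `BINDIR="${ROOT}/usr/bin"`; the `-j1` invocation two lines above it (the context line for the 2.20140311-r7-and-earlier workaround) still runs without it and so will still pick up whichever checkmodule is on the host PATH, which is exactly what this commit sets out to avoid. Unless that branch is known to be dead in this overlay, it should get the same override: `emake -j1 NAME=$i BINDIR="${ROOT}/usr/bin" SHAREDIR="${ROOT}/usr/share/selinux" -C "${S}"/${i} || die "${i} compile failed"`. The enclosing selinux-policy-2_src_compile body starts outside the hunk.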
@@ -259,74 +259,6 @@ selinux-policy-2_src_install() {
 done
 }

-# @FUNCTION: selinux-policy-2_pkg_postinst
-# @DESCRIPTION:
-# Install the built .pp files in the SELinux policy stores, effectively
-# activating the policy on the system.
-selinux-policy-2_pkg_postinst() {
- # build up the command in the case of multiple modules
- local COMMAND
- for i in ${MODS}; do
- COMMAND="-i ${i}.pp ${COMMAND}"
- done
-
- for i in ${POLICY_TYPES}; do
- if [ "${i}" == "strict" ] && [ "${MODS}" = "unconfined" ];
- then
- einfo "Ignoring loading of unconfined module in strict module store.";
- continue;
- fi
- einfo "Inserting the following modules into the $i module store: ${MODS}"
-
- cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/${i}"
- semodule -s ${i} ${COMMAND}
- if [ $? -ne 0 ];
- then
- ewarn "SELinux module load failed. Trying full reload...";
- if [ "${i}" == "targeted" ];
- then
- semodule -s ${i} -b base.pp -i $(ls *.pp | grep -v base.pp);
- else
- semodule -s ${i} -b base.pp -i $(ls *.pp | grep -v base.pp | grep -v unconfined.pp);
- fi
- if [ $? -ne 0 ];
- then
- ewarn "Failed to reload SELinux policies."
- ewarn ""
- ewarn "If this is *not* the last SELinux module package being installed,"
- ewarn "then you can safely ignore this as the reloads will be retried"
- ewarn "with other, recent modules."
- ewarn ""
- ewarn "If it is the last SELinux module package being installed however,"
- ewarn "then it is advised to look at the error above and take appropriate"
- ewarn "action since the new SELinux policies are not loaded until the"
- ewarn "command finished succesfully."
- ewarn ""
- ewarn "To reload, run the following command from within /usr/share/selinux/${i}:"
- ewarn " semodule -b base.pp -i \$(ls *.pp | grep -v base.pp)"
- ewarn "or"
- ewarn " semodule -b base.pp -i \$(ls *.pp | grep -v base.pp | grep -v unconfined.pp)"
- ewarn "depending on if you need the unconfined domain loaded as well or not."
- else
- einfo "SELinux modules reloaded succesfully."
- fi
- else
- einfo "SELinux modules loaded succesfully."
- fi
- done
-
- # Relabel depending packages
- PKGSET="";
- if [ -x /usr/bin/qdepends ] ; then
- PKGSET=$(/usr/bin/qdepends -Cq -r -Q ${CATEGORY}/${PN} | grep -v "sec-policy/selinux-");
- elif [ -x /usr/bin/equery ] ; then
- PKGSET=$(/usr/bin/equery -Cq depends ${CATEGORY}/${PN} | grep -v "sec-policy/selinux-");
- fi
- if [ -n "${PKGSET}" ] ; then
- rlpkg ${PKGSET};
- fi
-}
-
 # @FUNCTION: selinux-policy-2_pkg_postrm
 # @DESCRIPTION:
 # Uninstall the module(s) from the SELinux policy stores, effectively
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r5.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r5.ebuild
index 7ea9eee154..6e0b7b78db 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r5.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r5.ebuild
@@ -99,7 +99,7 @@ src_prepare() {

 src_compile() {
 for i in ${POLICY_TYPES}; do
- emake SHAREDIR="${ROOT}/usr/share/selinux" NAME=$i -C "${S}"/${i} || die "${i} compile failed"
+ emake BINDIR="${ROOT}/usr/bin" SHAREDIR="${ROOT}/usr/share/selinux" NAME=$i -C "${S}"/${i} || die "${i} compile failed"
 done
 }

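Review bot: The reason for overriding BINDIR lives only in the commit message, so a reader of this src_compile sees a make variable pointed at `${ROOT}/usr/bin` with no hint that it exists to keep the build from invoking the SDK host's checkmodule. A why-comment above the emake line would carry that, e.g. `# BINDIR: run checkmodule from the build root rather than the host so the policy is not compiled with the SDK's tools`; the `emake base BINDIR="${ROOT}/usr/bin"` line in the selinux-base ebuild hunk below needs the same note. Since `${ROOT}` is the merge root, the override also assumes the binaries installed there can be executed on the SDK host, which is worth stating in that comment so the constraint is visible when the board and SDK architectures diverge.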
@@ -115,29 +115,3 @@ src_install() {
 done
 }

-pkg_postinst() {
- # Override the command from the eclass, we need to load in base as well here
- local COMMAND
- for i in ${MODS}; do
- COMMAND="-i ${i}.pp ${COMMAND}"
- done
-
- for i in ${POLICY_TYPES}; do
- einfo "Inserting the following modules, with base, into the $i module store: ${MODS}"
-
- cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/${i}"
-
- semodule -s ${i} -b base.pp ${COMMAND} || die "Failed to load in base and modules ${MODS} in the $i policy store"
- done
-
- # Relabel depending packages
- local PKGSET="";
- if [ -x /usr/bin/qdepends ] ; then
- PKGSET=$(/usr/bin/qdepends -Cq -r -Q ${CATEGORY}/${PN} | grep -v 'sec-policy/selinux-');
- elif [ -x /usr/bin/equery ] ; then
- PKGSET=$(/usr/bin/equery -Cq depends ${CATEGORY}/${PN} | grep -v 'sec-policy/selinux-');
- fi
- if [ -n "${PKGSET}" ] ; then
- rlpkg ${PKGSET};
- fi
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r5.ebuild b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r5.ebuild
index 4683dcd6b1..eaa64ca17a 100644
--- a/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r5.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r5.ebuild
@@ -123,7 +123,7 @@ src_compile() {
 for i in ${POLICY_TYPES}; do
 cd "${S}/${i}"
- emake base || die "${i} compile failed"
+ emake base BINDIR="${ROOT}/usr/bin" || die "${i} compile failed"
 if use doc; then
 make html || die
 fi