mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-22 06:51:26 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1331 from mjg59/selinux

Browse Source 
Remove calls to host tools during selinux policy build
This commit is contained in:
mjg59 2015-07-01 13:41:07 -07:00
commit f29fae2428
3 changed files with 4 additions and 98 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

72
sdk_container/src/third_party/coreos-overlay/eclass/selinux-policy-2.eclass vendored
View File

@ -122,7 +122,7 @@ case "${EAPI:-0}" in
*) : ;; *) : ;;
esac esac
EXPORT_FUNCTIONS "src_unpack src_prepare src_compile src_install pkg_postinst pkg_postrm" EXPORT_FUNCTIONS "src_unpack src_prepare src_compile src_install pkg_postrm"
# @FUNCTION: selinux-policy-2_src_unpack # @FUNCTION: selinux-policy-2_src_unpack
# @DESCRIPTION: # @DESCRIPTION:
@ -232,7 +232,7 @@ selinux-policy-2_src_compile() {
# Parallel builds are broken in 2.20140311-r7 and earlier, bug 530178 # Parallel builds are broken in 2.20140311-r7 and earlier, bug 530178
emake -j1 NAME=$i SHAREDIR="${ROOT}/usr/share/selinux" -C "${S}"/${i} || die "${i} compile failed" emake -j1 NAME=$i SHAREDIR="${ROOT}/usr/share/selinux" -C "${S}"/${i} || die "${i} compile failed"
else else
emake NAME=$i SHAREDIR="${ROOT}/usr/share/selinux" -C "${S}"/${i} || die "${i} compile failed" emake NAME=$i BINDIR="${ROOT}/usr/bin" SHAREDIR="${ROOT}/usr/share/selinux" -C "${S}"/${i} || die "${i} compile failed"
fi fi
done done
} }
@ -259,74 +259,6 @@ selinux-policy-2_src_install() {
done done
} }
# @FUNCTION: selinux-policy-2_pkg_postinst
# @DESCRIPTION:
# Install the built .pp files in the SELinux policy stores, effectively
# activating the policy on the system.
selinux-policy-2_pkg_postinst() {
# build up the command in the case of multiple modules
local COMMAND
for i in ${MODS}; do
COMMAND="-i ${i}.pp ${COMMAND}"
done
for i in ${POLICY_TYPES}; do
if [ "${i}" == "strict" ] && [ "${MODS}" = "unconfined" ];
then
einfo "Ignoring loading of unconfined module in strict module store.";
continue;
fi
einfo "Inserting the following modules into the $i module store: ${MODS}"
cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/${i}"
semodule -s ${i} ${COMMAND}
if [ $? -ne 0 ];
then
ewarn "SELinux module load failed. Trying full reload...";
if [ "${i}" == "targeted" ];
then
semodule -s ${i} -b base.pp -i $(ls *.pp | grep -v base.pp);
else
semodule -s ${i} -b base.pp -i $(ls *.pp | grep -v base.pp | grep -v unconfined.pp);
fi
if [ $? -ne 0 ];
then
ewarn "Failed to reload SELinux policies."
ewarn ""
ewarn "If this is *not* the last SELinux module package being installed,"
ewarn "then you can safely ignore this as the reloads will be retried"
ewarn "with other, recent modules."
ewarn ""
ewarn "If it is the last SELinux module package being installed however,"
ewarn "then it is advised to look at the error above and take appropriate"
ewarn "action since the new SELinux policies are not loaded until the"
ewarn "command finished succesfully."
ewarn ""
ewarn "To reload, run the following command from within /usr/share/selinux/${i}:"
ewarn " semodule -b base.pp -i \$(ls *.pp | grep -v base.pp)"
ewarn "or"
ewarn " semodule -b base.pp -i \$(ls *.pp | grep -v base.pp | grep -v unconfined.pp)"
ewarn "depending on if you need the unconfined domain loaded as well or not."
else
einfo "SELinux modules reloaded succesfully."
fi
else
einfo "SELinux modules loaded succesfully."
fi
done
# Relabel depending packages
PKGSET="";
if [ -x /usr/bin/qdepends ] ; then
PKGSET=$(/usr/bin/qdepends -Cq -r -Q ${CATEGORY}/${PN} | grep -v "sec-policy/selinux-");
elif [ -x /usr/bin/equery ] ; then
PKGSET=$(/usr/bin/equery -Cq depends ${CATEGORY}/${PN} | grep -v "sec-policy/selinux-");
fi
if [ -n "${PKGSET}" ] ; then
rlpkg ${PKGSET};
fi
}
# @FUNCTION: selinux-policy-2_pkg_postrm # @FUNCTION: selinux-policy-2_pkg_postrm
# @DESCRIPTION: # @DESCRIPTION:
# Uninstall the module(s) from the SELinux policy stores, effectively # Uninstall the module(s) from the SELinux policy stores, effectively

28
sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base-policy/selinux-base-policy-2.20141203-r5.ebuild vendored
View File

@ -99,7 +99,7 @@ src_prepare() {
src_compile() { src_compile() {
for i in ${POLICY_TYPES}; do for i in ${POLICY_TYPES}; do
emake SHAREDIR="${ROOT}/usr/share/selinux" NAME=$i -C "${S}"/${i} || die "${i} compile failed" emake BINDIR="${ROOT}/usr/bin" SHAREDIR="${ROOT}/usr/share/selinux" NAME=$i -C "${S}"/${i} || die "${i} compile failed"
done done
} }
@ -115,29 +115,3 @@ src_install() {
done done
} }
pkg_postinst() {
# Override the command from the eclass, we need to load in base as well here
local COMMAND
for i in ${MODS}; do
COMMAND="-i ${i}.pp ${COMMAND}"
done
for i in ${POLICY_TYPES}; do
einfo "Inserting the following modules, with base, into the $i module store: ${MODS}"
cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/${i}"
semodule -s ${i} -b base.pp ${COMMAND} || die "Failed to load in base and modules ${MODS} in the $i policy store"
done
# Relabel depending packages
local PKGSET="";
if [ -x /usr/bin/qdepends ] ; then
PKGSET=$(/usr/bin/qdepends -Cq -r -Q ${CATEGORY}/${PN} | grep -v 'sec-policy/selinux-');
elif [ -x /usr/bin/equery ] ; then
PKGSET=$(/usr/bin/equery -Cq depends ${CATEGORY}/${PN} | grep -v 'sec-policy/selinux-');
fi
if [ -n "${PKGSET}" ] ; then
rlpkg ${PKGSET};
fi
}

2
sdk_container/src/third_party/coreos-overlay/sec-policy/selinux-base/selinux-base-2.20141203-r5.ebuild vendored
View File

@ -123,7 +123,7 @@ src_compile() {
for i in ${POLICY_TYPES}; do for i in ${POLICY_TYPES}; do
cd "${S}/${i}" cd "${S}/${i}"
emake base || die "${i} compile failed" emake base BINDIR="${ROOT}/usr/bin" || die "${i} compile failed"
if use doc; then if use doc; then
make html || die make html || die
fi fi