|
Ondrej Mosnáček |
e0bfe2 |
# Conditionals for policy types (all built by default)
|
|
Ondrej Mosnáček |
e0bfe2 |
%bcond targeted 1
|
|
Ondrej Mosnáček |
e0bfe2 |
%bcond minimum 1
|
|
Ondrej Mosnáček |
e0bfe2 |
%bcond mls 1
|
|
Ondrej Mosnáček |
e0bfe2 |
|
|
Ondrej Mosnacek |
548766 |
# github repo with selinux-policy sources
|
|
Ondrej Mosnacek |
548766 |
%global giturl https://github.com/fedora-selinux/selinux-policy
|
|
Zdenek Pytela |
814aa8 |
%global commit d36759478085a582a64e9692e92797d803e37b1a
|
|
Ondrej Mosnacek |
548766 |
%global shortcommit %(c=%{commit}; echo ${c:0:7})
|
|
Lukas Vrabec |
51dc83 |
|
|
Daniel J Walsh |
08b890 |
%define distro redhat
|
|
Daniel J Walsh |
771686 |
%define polyinstatiate n
|
|
Daniel J Walsh |
1580c8 |
%define monolithic n
|
|
Ondrej Mosnáček |
e0bfe2 |
|
|
Petr Lautrbach |
e88945 |
%define POLICYVER 33
|
|
Zdenek Pytela |
e0b2bb |
%define POLICYCOREUTILSVER 3.4-1
|
|
Petr Lautrbach |
f38b38 |
%define CHECKPOLICYVER 3.2
|
|
Daniel J Walsh |
1580c8 |
Summary: SELinux policy configuration
|
|
Daniel J Walsh |
1580c8 |
Name: selinux-policy
|
|
Zdenek Pytela |
814aa8 |
Version: 41.11
|
|
Zdenek Pytela |
6a2602 |
Release: 1%{?dist}
|
|
Petr Lautrbach |
4f5786 |
License: GPL-2.0-or-later
|
|
Ondrej Mosnacek |
548766 |
Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
|
|
Petr Lautrbach |
28bb9a |
Source1: modules-targeted.conf
|
|
Daniel J Walsh |
504da9 |
Source2: booleans-targeted.conf
|
|
Daniel J Walsh |
585f82 |
Source3: Makefile.devel
|
|
Daniel J Walsh |
504da9 |
Source4: setrans-targeted.conf
|
|
Petr Lautrbach |
28bb9a |
Source5: modules-mls.conf
|
|
Daniel J Walsh |
487de6 |
Source6: booleans-mls.conf
|
|
Daniel J Walsh |
504da9 |
Source8: setrans-mls.conf
|
|
Daniel J Walsh |
ee095f |
Source14: securetty_types-targeted
|
|
Daniel J Walsh |
ee095f |
Source15: securetty_types-mls
|
|
Petr Lautrbach |
28bb9a |
Source16: modules-minimum.lst
|
|
Daniel J Walsh |
675bba |
Source17: booleans-minimum.conf
|
|
Daniel J Walsh |
675bba |
Source18: setrans-minimum.conf
|
|
Daniel J Walsh |
675bba |
Source19: securetty_types-minimum
|
|
Daniel J Walsh |
80beee |
Source20: customizable_types
|
|
Daniel J Walsh |
fc05ac |
Source22: users-mls
|
|
Daniel J Walsh |
fc05ac |
Source23: users-targeted
|
|
Daniel J Walsh |
fc05ac |
Source25: users-minimum
|
|
Dan Walsh |
86354f |
Source26: file_contexts.subs_dist
|
|
Dan Walsh |
bce4ec |
Source27: selinux-policy.conf
|
|
Lukas Vrabec |
7c8404 |
Source28: permissivedomains.cil
|
|
Dan Walsh |
c39563 |
Source30: booleans.subs_dist
|
|
Lukas Vrabec |
8ad346 |
|
|
Lukas Vrabec |
8ad346 |
# Tool helps during policy development, to expand system m4 macros to raw allow rules
|
|
Lukas Vrabec |
8ad346 |
# Git repo: https://github.com/fedora-selinux/macro-expander.git
|
|
Lukas Vrabec |
7d7414 |
Source33: macro-expander
|
|
Lukas Vrabec |
d395cb |
|
|
Lukas Vrabec |
8ad346 |
# Include SELinux policy for container from separate container-selinux repo
|
|
Lukas Vrabec |
8ad346 |
# Git repo: https://github.com/containers/container-selinux.git
|
|
Lukas Vrabec |
ab3db2 |
Source35: container-selinux.tgz
|
|
Petr Lautrbach |
be68cc |
|
|
Ondrej Mosnacek |
fd6943 |
Source36: selinux-check-proper-disable.service
|
|
Ondrej Mosnacek |
fd6943 |
|
|
Zdenek Pytela |
6dd5c7 |
# Script to convert /var/run file context entries to /run
|
|
Zdenek Pytela |
6dd5c7 |
Source37: varrun-convert.sh
|
|
Zdenek Pytela |
0a65cc |
# Configuration files to dnf-protect targeted and/or mls subpackages
|
|
Zdenek Pytela |
0a65cc |
Source38: selinux-policy-targeted.conf
|
|
Zdenek Pytela |
0a65cc |
Source39: selinux-policy-mls.conf
|
|
Zdenek Pytela |
6dd5c7 |
|
|
Petr Lautrbach |
c49229 |
# Provide rpm macros for packages installing SELinux modules
|
|
Petr Lautrbach |
c49229 |
Source102: rpm.macros
|
|
Petr Lautrbach |
be68cc |
|
|
Ondrej Mosnacek |
548766 |
Url: %{giturl}
|
|
Daniel J Walsh |
1580c8 |
BuildArch: noarch
|
|
Petr Lautrbach |
d89076 |
BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2
|
|
Petr Lautrbach |
0f3b08 |
BuildRequires: make
|
|
Ondrej Mosnacek |
fd6943 |
BuildRequires: systemd-rpm-macros
|
|
Petr Lautrbach |
e09911 |
BuildRequires: groff
|
|
Miroslav Grepl |
a27009 |
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
|
|
Miroslav Grepl |
4a27ed |
Requires(post): /bin/awk /usr/bin/sha512sum
|
|
Colin Walters |
b26304 |
Requires(meta): (rpm-plugin-selinux if rpm-libs)
|
|
Ondrej Mosnacek |
4d9a7e |
Requires: selinux-policy-any = %{version}-%{release}
|
|
Ondrej Mosnacek |
4d9a7e |
Provides: selinux-policy-base = %{version}-%{release}
|
|
Ondrej Mosnacek |
4d9a7e |
Suggests: selinux-policy-targeted
|
|
Daniel J Walsh |
1580c8 |
|
|
|
fe2076 |
%description
|
|
Zdenek Pytela |
e99b0b |
SELinux core policy package.
|
|
Zdenek Pytela |
e99b0b |
Originally based off of reference policy,
|
|
Zdenek Pytela |
e99b0b |
the policy has been adjusted to provide support for Fedora.
|
|
Daniel J Walsh |
1335ee |
|
|
|
fe2076 |
%files
|
|
Tom Callaway |
4abfbc |
%{!?_licensedir:%global license %%doc}
|
|
Tom Callaway |
4abfbc |
%license COPYING
|
|
Ondrej Mosnacek |
2a989a |
%dir %{_datadir}/selinux
|
|
Ondrej Mosnacek |
2a989a |
%dir %{_datadir}/selinux/packages
|
|
Dan Walsh |
b59d07 |
%dir %{_sysconfdir}/selinux
|
|
Daniel J Walsh |
585f82 |
%ghost %config(noreplace) %{_sysconfdir}/selinux/config
|
|
Daniel J Walsh |
585f82 |
%ghost %{_sysconfdir}/sysconfig/selinux
|
|
Miroslav Grepl |
4a27ed |
%{_usr}/lib/tmpfiles.d/selinux-policy.conf
|
|
Dan Walsh |
26bb0a |
%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
|
Ondrej Mosnacek |
fd6943 |
%{_unitdir}/selinux-check-proper-disable.service
|
|
Zdenek Pytela |
6dd5c7 |
%{_libexecdir}/selinux/varrun-convert.sh
|
|
Dan Walsh |
1b0e09 |
|
|
Dan Walsh |
1b0e09 |
%package sandbox
|
|
Zdenek Pytela |
e99b0b |
Summary: SELinux sandbox policy
|
|
Dan Walsh |
1b0e09 |
Requires(pre): selinux-policy-base = %{version}-%{release}
|
|
Lukas Vrabec |
c862e9 |
Requires(pre): selinux-policy-targeted = %{version}-%{release}
|
|
Dan Walsh |
1b0e09 |
|
|
Dan Walsh |
1b0e09 |
%description sandbox
|
|
Zdenek Pytela |
e99b0b |
SELinux sandbox policy for use with the sandbox utility.
|
|
Dan Walsh |
1b0e09 |
|
|
Dan Walsh |
1b0e09 |
%files sandbox
|
|
Ondrej Mosnacek |
2a989a |
%verify(not md5 size mtime) %{_datadir}/selinux/packages/sandbox.pp
|
|
Dan Walsh |
1b0e09 |
|
|
Dan Walsh |
1b0e09 |
%post sandbox
|
|
Ondrej Mosnacek |
2a989a |
rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
|
|
Petr Lautrbach |
a345bb |
rm -f %{_sharedstatedir}/selinux/*/active/modules/disabled/sandbox 2>/dev/null
|
|
Ondrej Mosnacek |
2a989a |
%{_sbindir}/semodule -n -X 100 -i %{_datadir}/selinux/packages/sandbox.pp
|
|
Ondrej Mosnacek |
2a989a |
if %{_sbindir}/selinuxenabled ; then
|
|
Ondrej Mosnacek |
2a989a |
%{_sbindir}/load_policy
|
|
Dan Walsh |
1b0e09 |
fi;
|
|
Dan Walsh |
1b0e09 |
exit 0
|
|
Dan Walsh |
1b0e09 |
|
|
Dan Walsh |
1b0e09 |
%preun sandbox
|
|
Michael Scherer |
c8b7cd |
if [ $1 -eq 0 ] ; then
|
|
Ondrej Mosnacek |
2a989a |
%{_sbindir}/semodule -n -d sandbox 2>/dev/null
|
|
Ondrej Mosnacek |
2a989a |
if %{_sbindir}/selinuxenabled ; then
|
|
Ondrej Mosnacek |
2a989a |
%{_sbindir}/load_policy
|
|
Michael Scherer |
c8b7cd |
fi;
|
|
Michael Scherer |
c8b7cd |
fi;
|
|
Michael Scherer |
c8b7cd |
exit 0
|
|
Miroslav Grepl |
4a27ed |
|
|
Miroslav Grepl |
4a27ed |
%package devel
|
|
Zdenek Pytela |
e99b0b |
Summary: SELinux policy development files
|
|
Miroslav Grepl |
4a27ed |
Requires(pre): selinux-policy = %{version}-%{release}
|
|
Lukas Vrabec |
610d03 |
Requires: selinux-policy = %{version}-%{release}
|
|
Miroslav Grepl |
a27009 |
Requires: m4 checkpolicy >= %{CHECKPOLICYVER}
|
|
Miroslav Grepl |
a27009 |
Requires: /usr/bin/make
|
|
Dan Walsh |
9f52d7 |
Requires(post): policycoreutils-devel >= %{POLICYCOREUTILSVER}
|
|
Miroslav Grepl |
4a27ed |
|
|
Miroslav Grepl |
4a27ed |
%description devel
|
|
Zdenek Pytela |
e99b0b |
SELinux policy development package.
|
|
Zdenek Pytela |
e99b0b |
This package contains:
|
|
Zdenek Pytela |
e99b0b |
- interfaces, macros, and patterns for policy development
|
|
Zdenek Pytela |
e99b0b |
- a policy example
|
|
Zdenek Pytela |
e99b0b |
- the macro-expander utility
|
|
Zdenek Pytela |
e99b0b |
and some additional files.
|
|
Miroslav Grepl |
4a27ed |
|
|
Miroslav Grepl |
4a27ed |
%files devel
|
|
Lukas Vrabec |
7d7414 |
%{_bindir}/macro-expander
|
|
Ondrej Mosnacek |
2a989a |
%dir %{_datadir}/selinux/devel
|
|
Ondrej Mosnacek |
2a989a |
%dir %{_datadir}/selinux/devel/include
|
|
Ondrej Mosnacek |
2a989a |
%{_datadir}/selinux/devel/include/*
|
|
Zdenek Pytela |
17a6cf |
%exclude %{_datadir}/selinux/devel/include/contrib/container.if
|
|
Ondrej Mosnacek |
2a989a |
%dir %{_datadir}/selinux/devel/html
|
|
Ondrej Mosnacek |
2a989a |
%{_datadir}/selinux/devel/html/*html
|
|
Ondrej Mosnacek |
2a989a |
%{_datadir}/selinux/devel/html/*css
|
|
Ondrej Mosnacek |
2a989a |
%{_datadir}/selinux/devel/Makefile
|
|
Ondrej Mosnacek |
2a989a |
%{_datadir}/selinux/devel/example.*
|
|
Ondrej Mosnacek |
2a989a |
%{_datadir}/selinux/devel/policy.*
|
|
|
193d30 |
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/sepolgen/interface_info
|
|
Daniel J Walsh |
412570 |
|
|
Dan Walsh |
9f52d7 |
%post devel
|
|
Ondrej Mosnacek |
2a989a |
%{_sbindir}/selinuxenabled && %{_bindir}/sepolgen-ifgen 2>/dev/null
|
|
Dan Walsh |
859a10 |
exit 0
|
|
Dan Walsh |
9f52d7 |
|
|
Daniel J Walsh |
412570 |
%package doc
|
|
Daniel J Walsh |
412570 |
Summary: SELinux policy documentation
|
|
Daniel J Walsh |
412570 |
Requires(pre): selinux-policy = %{version}-%{release}
|
|
Lukas Vrabec |
610d03 |
Requires: selinux-policy = %{version}-%{release}
|
|
Daniel J Walsh |
412570 |
|
|
Daniel J Walsh |
412570 |
%description doc
|
|
Zdenek Pytela |
e99b0b |
SELinux policy documentation package.
|
|
Zdenek Pytela |
e99b0b |
This package contains manual pages and documentation of the policy modules.
|
|
Daniel J Walsh |
412570 |
|
|
Daniel J Walsh |
412570 |
%files doc
|
|
Lukas Vrabec |
d6fa25 |
%{_mandir}/man*/*
|
|
Lukas Vrabec |
d6fa25 |
%{_mandir}/ru/*/*
|
|
Zdenek Pytela |
995ad0 |
%exclude %{_mandir}/man8/container_selinux.8.gz
|
|
Ondrej Mosnacek |
2a989a |
%doc %{_datadir}/doc/%{name}
|
|
Daniel J Walsh |
1335ee |
|
|
Ondrej Mosnacek |
f76a9d |
%define common_params DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024
|
|
Ondrej Mosnacek |
f76a9d |
|
|
Daniel J Walsh |
487de6 |
%define makeCmds() \
|
|
Ondrej Mosnacek |
f76a9d |
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare \
|
|
Ondrej Mosnacek |
f76a9d |
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf \
|
|
Daniel J Walsh |
487de6 |
cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \
|
|
Daniel J Walsh |
487de6 |
cp -f selinux_config/users-%1 ./policy/users \
|
|
Miroslav Grepl |
a27009 |
#cp -f selinux_config/modules-%1-base.conf ./policy/modules.conf \
|
|
Miroslav Grepl |
a27009 |
|
|
Miroslav Grepl |
a27009 |
%define makeModulesConf() \
|
|
Petr Lautrbach |
28bb9a |
cp -f selinux_config/modules-%1.conf ./policy/modules.conf
|
|
Daniel J Walsh |
998737 |
|
|
Daniel J Walsh |
de82d8 |
%define installCmds() \
|
|
Ondrej Mosnacek |
f76a9d |
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \
|
|
Ondrej Mosnacek |
f76a9d |
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 validate modules \
|
|
Ondrej Mosnacek |
f76a9d |
make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install \
|
|
Ondrej Mosnacek |
f76a9d |
make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install-appconfig \
|
|
Ondrej Mosnacek |
2a989a |
make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="%{_sbindir}/semodule -p %{buildroot} -X 100 " load \
|
|
Ondrej Mosnacek |
2a989a |
%{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \
|
|
Dan Walsh |
86354f |
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
|
|
Daniel J Walsh |
487de6 |
install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
|
|
Dan Walsh |
86354f |
install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
|
|
Daniel J Walsh |
487de6 |
install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
|
|
Daniel J Walsh |
487de6 |
install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
|
|
Petr Lautrbach |
dba350 |
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
|
|
Petr Lautrbach |
a345bb |
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
|
|
Lukas Vrabec |
7c8404 |
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
|
|
Dan Walsh |
c39563 |
cp %{SOURCE30} %{buildroot}%{_sysconfdir}/selinux/%1 \
|
|
Ondrej Mosnacek |
2a989a |
rm -f %{buildroot}%{_datadir}/selinux/%1/*pp* \
|
|
Ondrej Mosnacek |
2a989a |
%{_bindir}/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
|
|
Miroslav Grepl |
4a27ed |
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \
|
|
Dan Walsh |
3fc099 |
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \
|
|
Petr Lautrbach |
3332d5 |
rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
|
|
Daniel J Walsh |
3e930b |
%nil
|
|
Daniel J Walsh |
1580c8 |
|
|
Daniel J Walsh |
1580c8 |
%define fileList() \
|
|
Daniel J Walsh |
1580c8 |
%defattr(-,root,root) \
|
|
Daniel J Walsh |
1580c8 |
%dir %{_sysconfdir}/selinux/%1 \
|
|
Daniel J Walsh |
1580c8 |
%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
|
|
Dan Walsh |
042e3a |
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \
|
|
Miroslav Grepl |
4a27ed |
%dir %{_sysconfdir}/selinux/%1/logins \
|
|
Petr Lautrbach |
a345bb |
%dir %{_sharedstatedir}/selinux/%1/active \
|
|
Petr Lautrbach |
a345bb |
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.read.LOCK \
|
|
Petr Lautrbach |
a345bb |
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \
|
|
Petr Lautrbach |
a345bb |
%dir %attr(700,root,root) %dir %{_sharedstatedir}/selinux/%1/active/modules \
|
|
Petr Lautrbach |
a345bb |
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \
|
|
Daniel J Walsh |
1580c8 |
%dir %{_sysconfdir}/selinux/%1/policy/ \
|
|
Dan Walsh |
042e3a |
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
|
|
Miroslav Grepl |
4a27ed |
%{_sysconfdir}/selinux/%1/.policy.sha512 \
|
|
Daniel J Walsh |
1580c8 |
%dir %{_sysconfdir}/selinux/%1/contexts \
|
|
Daniel J Walsh |
d2c260 |
%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \
|
|
Daniel J Walsh |
ee095f |
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \
|
|
Daniel J Walsh |
1580c8 |
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \
|
|
Daniel J Walsh |
5ca2ff |
%config %{_sysconfdir}/selinux/%1/contexts/x_contexts \
|
|
Daniel J Walsh |
7c94e8 |
%config %{_sysconfdir}/selinux/%1/contexts/default_contexts \
|
|
Daniel J Walsh |
487de6 |
%config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \
|
|
Daniel J Walsh |
487de6 |
%config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \
|
|
Miroslav Grepl |
4a27ed |
%config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \
|
|
Miroslav Grepl |
d4e55c |
%config %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \
|
|
Miroslav Grepl |
a34c78 |
%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \
|
|
Dan Walsh |
f1ed4e |
%config %{_sysconfdir}/selinux/%1/contexts/openssh_contexts \
|
|
Lukas Vrabec |
c3183a |
%config %{_sysconfdir}/selinux/%1/contexts/snapperd_contexts \
|
|
Daniel J Walsh |
1580c8 |
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
|
|
Daniel J Walsh |
1580c8 |
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
|
|
Daniel J Walsh |
1580c8 |
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \
|
|
Daniel J Walsh |
1580c8 |
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \
|
|
Daniel J Walsh |
1580c8 |
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \
|
|
Daniel J Walsh |
1580c8 |
%dir %{_sysconfdir}/selinux/%1/contexts/files \
|
|
Dan Walsh |
042e3a |
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
|
|
Petr Lautrbach |
dba350 |
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
|
|
Lukas Vrabec |
dd88f3 |
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
|
|
Lukas Vrabec |
673096 |
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs.bin \
|
|
Lukas Vrabec |
ad3add |
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
|
|
Lukas Vrabec |
673096 |
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
|
|
Dan Walsh |
e1f17e |
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
|
|
Dan Walsh |
c39563 |
%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \
|
|
Dan Walsh |
c39563 |
%{_sysconfdir}/selinux/%1/booleans.subs_dist \
|
|
Daniel J Walsh |
d19b68 |
%config %{_sysconfdir}/selinux/%1/contexts/files/media \
|
|
Daniel J Walsh |
da0829 |
%dir %{_sysconfdir}/selinux/%1/contexts/users \
|
|
Daniel J Walsh |
a4ec9b |
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/root \
|
|
Daniel J Walsh |
a4ec9b |
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \
|
|
Daniel J Walsh |
a80e7a |
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \
|
|
Daniel J Walsh |
a4ec9b |
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
|
|
Lukas Vrabec |
2f9313 |
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \
|
|
Michael Scherer |
a56317 |
%dir %{_datadir}/selinux/%1 \
|
|
Ondrej Mosnacek |
e4f809 |
%{_datadir}/selinux/%1/base.lst \
|
|
Petr Lautrbach |
28bb9a |
%{_datadir}/selinux/%1/modules.lst \
|
|
Ondrej Mosnacek |
e4f809 |
%{_datadir}/selinux/%1/nonbasemodules.lst \
|
|
Michael Scherer |
a56317 |
%dir %{_sharedstatedir}/selinux/%1 \
|
|
Zdenek Pytela |
ce671c |
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/commit_num \
|
|
Zdenek Pytela |
ce671c |
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/users_extra \
|
|
Zdenek Pytela |
ce671c |
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/homedir_template \
|
|
Zdenek Pytela |
ce671c |
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/seusers \
|
|
Zdenek Pytela |
ce671c |
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts \
|
|
Zdenek Pytela |
ce671c |
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/policy.kern \
|
|
Petr Lautrbach |
3332d5 |
%ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \
|
|
Petr Lautrbach |
3332d5 |
%ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
|
|
Petr Lautrbach |
3332d5 |
%ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
|
|
Petr Lautrbach |
9e91a2 |
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \
|
|
Zdenek Pytela |
a3ac25 |
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules_checksum \
|
|
Zdenek Pytela |
dc43ab |
%ghost %verify(not mode md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \
|
|
Zdenek Pytela |
dc43ab |
%ghost %verify(not mode md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/cil \
|
|
Zdenek Pytela |
dc43ab |
%ghost %verify(not mode md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/lang_ext \
|
|
Lukas Vrabec |
2f9313 |
%nil
|
|
Daniel J Walsh |
1580c8 |
|
|
Daniel J Walsh |
1580c8 |
%define relabel() \
|
|
Adam Williamson |
69200e |
if [ -s %{_sysconfdir}/selinux/config ]; then \
|
|
Adam Williamson |
69200e |
. %{_sysconfdir}/selinux/config &> /dev/null || true; \
|
|
Adam Williamson |
69200e |
fi; \
|
|
Daniel J Walsh |
1580c8 |
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
|
|
Ondrej Mosnacek |
2a989a |
if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
|
|
Ondrej Mosnacek |
2a989a |
%{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \
|
|
Daniel J Walsh |
487de6 |
rm -f ${FILE_CONTEXT}.pre; \
|
|
Dan Walsh |
5eea0f |
fi; \
|
|
Zdenek Pytela |
40faa1 |
# rebuilding the rpm database still can sometimes result in an incorrect context \
|
|
Zdenek Pytela |
b10879 |
%{_sbindir}/restorecon -R /usr/lib/sysimage/rpm \
|
|
Zbigniew Jędrzejewski-Szmek |
187a2b |
# In some scenarios, /usr/bin/httpd is labelled incorrectly after sbin merge. \
|
|
Zbigniew Jędrzejewski-Szmek |
187a2b |
# Relabel all files under /usr/bin, in case they got installed before policy \
|
|
Zbigniew Jędrzejewski-Szmek |
187a2b |
# was updated and the labels were incorrect. \
|
|
Zbigniew Jędrzejewski-Szmek |
acac91 |
%{_sbindir}/restorecon -R /usr/bin /usr/sbin \
|
|
Ondrej Mosnacek |
2a989a |
if %{_sbindir}/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \
|
|
Miroslav Grepl |
d61e0b |
continue; \
|
|
|
ee6e28 |
fi;
|
|
Dan Walsh |
8a78e8 |
|
|
Dan Walsh |
8a78e8 |
%define preInstall() \
|
|
Ondrej Mosnacek |
2a989a |
if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \
|
|
Zdenek Pytela |
8bda53 |
for MOD_NAME in ganesha ipa_custodia kdbus; do \
|
|
|
53368f |
if [ -d %{_sharedstatedir}/selinux/%1/active/modules/100/$MOD_NAME ]; then \
|
|
|
53368f |
%{_sbindir}/semodule -n -d $MOD_NAME; \
|
|
|
53368f |
fi; \
|
|
|
53368f |
done; \
|
|
Dan Walsh |
8a78e8 |
. %{_sysconfdir}/selinux/config; \
|
|
Dan Walsh |
8a78e8 |
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
|
|
Dan Walsh |
8a78e8 |
if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \
|
|
Dan Walsh |
8a78e8 |
[ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
|
|
Dan Walsh |
8a78e8 |
fi; \
|
|
Ondrej Mosnacek |
2a989a |
touch %{_sysconfdir}/selinux/%1/.rebuild; \
|
|
Ondrej Mosnacek |
2a989a |
if [ -e %{_sysconfdir}/selinux/%1/.policy.sha512 ]; then \
|
|
Ondrej Mosnacek |
2a989a |
POLICY_FILE=`ls %{_sysconfdir}/selinux/%1/policy/policy.* | sort | head -1` \
|
|
Dan Walsh |
26bb0a |
sha512=`sha512sum $POLICY_FILE | cut -d ' ' -f 1`; \
|
|
Ondrej Mosnacek |
2a989a |
checksha512=`cat %{_sysconfdir}/selinux/%1/.policy.sha512`; \
|
|
Miroslav Grepl |
4a27ed |
if [ "$sha512" == "$checksha512" ] ; then \
|
|
Ondrej Mosnacek |
2a989a |
rm %{_sysconfdir}/selinux/%1/.rebuild; \
|
|
Dan Walsh |
8a78e8 |
fi; \
|
|
Dan Walsh |
8a78e8 |
fi; \
|
|
Dan Walsh |
8a78e8 |
fi;
|
|
Daniel J Walsh |
1580c8 |
|
|
Dan Walsh |
857c81 |
%define postInstall() \
|
|
Adam Williamson |
69200e |
if [ -s %{_sysconfdir}/selinux/config ]; then \
|
|
Adam Williamson |
69200e |
. %{_sysconfdir}/selinux/config &> /dev/null || true; \
|
|
Adam Williamson |
69200e |
fi; \
|
|
Ondrej Mosnacek |
2a989a |
if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \
|
|
Ondrej Mosnacek |
2a989a |
rm %{_sysconfdir}/selinux/%2/.rebuild; \
|
|
Dan Walsh |
857c81 |
fi; \
|
|
Zdenek Pytela |
cb08cc |
%{_sbindir}/semodule -B -n -s %2; \
|
|
Ondrej Mosnacek |
2a989a |
[ "${SELINUXTYPE}" == "%2" ] && %{_sbindir}/selinuxenabled && load_policy; \
|
|
Dan Walsh |
857c81 |
if [ %1 -eq 1 ]; then \
|
|
Ondrej Mosnacek |
2a989a |
%{_sbindir}/restorecon -R /root /var/log /run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \
|
|
Dan Walsh |
857c81 |
else \
|
|
Dan Walsh |
857c81 |
%relabel %2 \
|
|
Dan Walsh |
857c81 |
fi;
|
|
Dan Walsh |
857c81 |
|
|
Miroslav Grepl |
50f07b |
%define modulesList() \
|
|
Petr Lautrbach |
28bb9a |
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules.conf > %{buildroot}%{_datadir}/selinux/%1/modules.lst \
|
|
Petr Lautrbach |
28bb9a |
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \
|
|
Miroslav Grepl |
50f07b |
|
|
Miroslav Grepl |
c04c31 |
%define nonBaseModulesList() \
|
|
Petr Lautrbach |
28bb9a |
modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules.lst` \
|
|
Petr Lautrbach |
28bb9a |
for i in $modules; do \
|
|
Petr Lautrbach |
a345bb |
if [ $i != "sandbox" ];then \
|
|
Ondrej Mosnacek |
2a989a |
echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst \
|
|
Miroslav Grepl |
c04c31 |
fi; \
|
|
Petr Lautrbach |
be68cc |
done;
|
|
Petr Lautrbach |
be68cc |
|
|
Lukas Vrabec |
2e12c9 |
# Make sure the config is consistent with what packages are installed in the system
|
|
Lukas Vrabec |
2e12c9 |
# this covers cases when system is installed with selinux-policy-{mls,minimal}
|
|
Lukas Vrabec |
2e12c9 |
# or selinux-policy-{targeted,mls,minimal} where switched but the machine has not
|
|
Lukas Vrabec |
2e12c9 |
# been rebooted yet.
|
|
Lukas Vrabec |
2e12c9 |
# The macro should be called at the beginning of "post" (to make sure load_policy does not fail)
|
|
Lukas Vrabec |
2e12c9 |
# and in "posttrans" (to make sure that the store is consistent when all package transitions are done)
|
|
Lukas Vrabec |
2e12c9 |
# Parameter determines the policy type to be set in case of miss-configuration (if backup value is not usable)
|
|
Lukas Vrabec |
2e12c9 |
# Steps:
|
|
Lukas Vrabec |
2e12c9 |
# * load values from config and its backup
|
|
Lukas Vrabec |
2e12c9 |
# * check whether SELINUXTYPE from backup is usable and make sure that it's set in the config if so
|
|
Lukas Vrabec |
2e12c9 |
# * use "targeted" if it's being installed and BACKUP_SELINUXTYPE cannot be used
|
|
Lukas Vrabec |
2e12c9 |
# * check whether SELINUXTYPE in the config is usable and change it to newly installed policy if it isn't
|
|
Lukas Vrabec |
2e12c9 |
%define checkConfigConsistency() \
|
|
Lukas Vrabec |
2e12c9 |
if [ -f %{_sysconfdir}/selinux/.config_backup ]; then \
|
|
|
ee6e28 |
. %{_sysconfdir}/selinux/.config_backup; \
|
|
Lukas Vrabec |
2e12c9 |
else \
|
|
|
ee6e28 |
BACKUP_SELINUXTYPE=targeted; \
|
|
Lukas Vrabec |
2e12c9 |
fi; \
|
|
|
ee6e28 |
if [ -s %{_sysconfdir}/selinux/config ]; then \
|
|
|
ee6e28 |
. %{_sysconfdir}/selinux/config; \
|
|
|
ee6e28 |
if ls %{_sysconfdir}/selinux/$BACKUP_SELINUXTYPE/policy/policy.* &>/dev/null; then \
|
|
|
ee6e28 |
if [ "$BACKUP_SELINUXTYPE" != "$SELINUXTYPE" ]; then \
|
|
|
ee6e28 |
sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE='"$BACKUP_SELINUXTYPE"'/g' %{_sysconfdir}/selinux/config; \
|
|
|
ee6e28 |
fi; \
|
|
|
ee6e28 |
elif [ "%1" = "targeted" ]; then \
|
|
|
ee6e28 |
if [ "%1" != "$SELINUXTYPE" ]; then \
|
|
|
ee6e28 |
sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \
|
|
|
ee6e28 |
fi; \
|
|
|
ee6e28 |
elif ! ls %{_sysconfdir}/selinux/$SELINUXTYPE/policy/policy.* &>/dev/null; then \
|
|
|
ee6e28 |
if [ "%1" != "$SELINUXTYPE" ]; then \
|
|
|
ee6e28 |
sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \
|
|
|
ee6e28 |
fi; \
|
|
|
ee6e28 |
fi; \
|
|
Lukas Vrabec |
2e12c9 |
fi;
|
|
Lukas Vrabec |
2e12c9 |
|
|
Lukas Vrabec |
2e12c9 |
# Create hidden backup of /etc/selinux/config and prepend BACKUP_ to names
|
|
Lukas Vrabec |
2e12c9 |
# of variables inside so that they are easy to use later
|
|
Lukas Vrabec |
2e12c9 |
# This should be done in "pretrans" because config content can change during RPM operations
|
|
Lukas Vrabec |
2e12c9 |
# The macro has to be used in a script slot with "-p <lua>"
|
|
Lukas Vrabec |
2e12c9 |
%define backupConfigLua() \
|
|
Lukas Vrabec |
2e12c9 |
local sysconfdir = rpm.expand("%{_sysconfdir}") \
|
|
Lukas Vrabec |
2e12c9 |
local config_file = sysconfdir .. "/selinux/config" \
|
|
Lukas Vrabec |
2e12c9 |
local config_backup = sysconfdir .. "/selinux/.config_backup" \
|
|
Lukas Vrabec |
2e12c9 |
os.remove(config_backup) \
|
|
Lukas Vrabec |
2e12c9 |
if posix.stat(config_file) then \
|
|
Lukas Vrabec |
2e12c9 |
local f = assert(io.open(config_file, "r"), "Failed to read " .. config_file) \
|
|
Lukas Vrabec |
2e12c9 |
local content = f:read("*all") \
|
|
Lukas Vrabec |
2e12c9 |
f:close() \
|
|
Lukas Vrabec |
2e12c9 |
local backup = content:gsub("SELINUX", "BACKUP_SELINUX") \
|
|
Lukas Vrabec |
2e12c9 |
local bf = assert(io.open(config_backup, "w"), "Failed to open " .. config_backup) \
|
|
Lukas Vrabec |
2e12c9 |
bf:write(backup) \
|
|
Lukas Vrabec |
2e12c9 |
bf:close() \
|
|
Lukas Vrabec |
2e12c9 |
end
|
|
Lukas Vrabec |
2e12c9 |
|
|
Zdenek Pytela |
1297d6 |
# Remove the local_varrun SELinux module
|
|
Zdenek Pytela |
1297d6 |
%define removeVarrunModuleLua() \
|
|
Zdenek Pytela |
1297d6 |
if posix.access ("%{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/cil", "r") then \
|
|
Zdenek Pytela |
1297d6 |
os.execute ("%{_bindir}/rm -rf %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun") \
|
|
Zdenek Pytela |
1297d6 |
end
|
|
Zdenek Pytela |
1297d6 |
|
|
Daniel J Walsh |
d83af2 |
%build
|
|
Daniel J Walsh |
d83af2 |
|
|
|
fe2076 |
%prep
|
|
Ondrej Mosnáček |
66b983 |
%autosetup -p 1 -n %{name}-%{commit}
|
|
Ondrej Mosnacek |
548766 |
tar -C policy/modules/contrib -xf %{SOURCE35}
|
|
Daniel J Walsh |
add957 |
|
|
Daniel J Walsh |
487de6 |
mkdir selinux_config
|
|
Petr Lautrbach |
28bb9a |
for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26};do
|
|
Daniel J Walsh |
487de6 |
cp $i selinux_config
|
|
Daniel J Walsh |
487de6 |
done
|
|
Petr Lautrbach |
a345bb |
|
|
Petr Lautrbach |
a345bb |
%install
|
|
Daniel J Walsh |
e56873 |
# Build targeted policy
|
|
Daniel J Walsh |
ca8bc2 |
%{__rm} -fR %{buildroot}
|
|
Daniel J Walsh |
ca8bc2 |
mkdir -p %{buildroot}%{_sysconfdir}/selinux
|
|
Daniel J Walsh |
ca8bc2 |
mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
|
|
Daniel J Walsh |
ca8bc2 |
touch %{buildroot}%{_sysconfdir}/selinux/config
|
|
Daniel J Walsh |
ca8bc2 |
touch %{buildroot}%{_sysconfdir}/sysconfig/selinux
|
|
Dan Walsh |
bce4ec |
mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/
|
|
Dan Walsh |
bce4ec |
cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/
|
|
Lukas Vrabec |
7d7414 |
mkdir -p %{buildroot}%{_bindir}
|
|
Lukas Vrabec |
4a9509 |
install -m 755 %{SOURCE33} %{buildroot}%{_bindir}/
|
|
Zdenek Pytela |
6dd5c7 |
mkdir -p %{buildroot}%{_libexecdir}/selinux
|
|
Zdenek Pytela |
6dd5c7 |
install -m 755 %{SOURCE37} %{buildroot}%{_libexecdir}/selinux
|
|
Daniel J Walsh |
1335ee |
|
|
Daniel J Walsh |
b4cab5 |
# Always create policy module package directories
|
|
Ondrej Mosnacek |
2a989a |
mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/
|
|
Petr Lautrbach |
a345bb |
mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/
|
|
Petr Lautrbach |
a345bb |
|
|
Ondrej Mosnacek |
2a989a |
mkdir -p %{buildroot}%{_datadir}/selinux/packages
|
|
Daniel J Walsh |
b4cab5 |
|
|
Zdenek Pytela |
0a65cc |
mkdir -p %{buildroot}%{_sysconfdir}/dnf/protected.d/
|
|
Zdenek Pytela |
0a65cc |
|
|
Daniel J Walsh |
d19b68 |
# Install devel
|
|
Daniel J Walsh |
d19b68 |
make clean
|
|
Ondrej Mosnáček |
e0bfe2 |
%if %{with targeted}
|
|
Daniel J Walsh |
129ba1 |
# Build targeted policy
|
|
Ondrej Mosnacek |
f76a9d |
%makeCmds targeted mcs allow
|
|
Petr Lautrbach |
28bb9a |
%makeModulesConf targeted
|
|
Ondrej Mosnacek |
f76a9d |
%installCmds targeted mcs allow
|
|
Lukas Vrabec |
7c8404 |
# install permissivedomains.cil
|
|
Ondrej Mosnacek |
167b05 |
%{_sbindir}/semodule -p %{buildroot} -X 100 -s targeted -i %{SOURCE28}
|
|
Petr Lautrbach |
a345bb |
# recreate sandbox.pp
|
|
Petr Lautrbach |
a345bb |
rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox
|
|
Ondrej Mosnacek |
f76a9d |
%make_build %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs sandbox.pp
|
|
Ondrej Mosnacek |
2a989a |
mv sandbox.pp %{buildroot}%{_datadir}/selinux/packages/sandbox.pp
|
|
Petr Lautrbach |
be68cc |
%modulesList targeted
|
|
Miroslav Grepl |
c04c31 |
%nonBaseModulesList targeted
|
|
Petr Lautrbach |
249fe8 |
install -m 644 %{SOURCE38} %{buildroot}%{_sysconfdir}/dnf/protected.d/
|
|
Daniel J Walsh |
bd3f0e |
%endif
|
|
Daniel J Walsh |
3e930b |
|
|
Ondrej Mosnáček |
e0bfe2 |
%if %{with minimum}
|
|
Daniel J Walsh |
675bba |
# Build minimum policy
|
|
Ondrej Mosnacek |
f76a9d |
%makeCmds minimum mcs allow
|
|
Petr Lautrbach |
28bb9a |
%makeModulesConf targeted
|
|
Ondrej Mosnacek |
f76a9d |
%installCmds minimum mcs allow
|
|
Petr Lautrbach |
a345bb |
rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
|
|
Petr Lautrbach |
28bb9a |
install -m 644 %{SOURCE16} %{buildroot}%{_datadir}/selinux/minimum/modules-enabled.lst
|
|
Miroslav Grepl |
50f07b |
%modulesList minimum
|
|
Miroslav Grepl |
c04c31 |
%nonBaseModulesList minimum
|
|
Daniel J Walsh |
675bba |
%endif
|
|
Daniel J Walsh |
675bba |
|
|
Ondrej Mosnáček |
e0bfe2 |
%if %{with mls}
|
|
Daniel J Walsh |
129ba1 |
# Build mls policy
|
|
Ondrej Mosnacek |
f76a9d |
%makeCmds mls mls deny
|
|
Petr Lautrbach |
28bb9a |
%makeModulesConf mls
|
|
Ondrej Mosnacek |
f76a9d |
%installCmds mls mls deny
|
|
Miroslav Grepl |
a27009 |
%modulesList mls
|
|
Miroslav Grepl |
c04c31 |
%nonBaseModulesList mls
|
|
Petr Lautrbach |
249fe8 |
install -m 644 %{SOURCE39} %{buildroot}%{_sysconfdir}/dnf/protected.d/
|
|
Daniel J Walsh |
a4ec9b |
%endif
|
|
Daniel J Walsh |
a4ec9b |
|
|
Petr Lautrbach |
b73fcb |
# remove leftovers when save-previous=true (semanage.conf) is used
|
|
Petr Lautrbach |
b73fcb |
rm -rf %{buildroot}%{_sharedstatedir}/selinux/{minimum,targeted,mls}/previous
|
|
Petr Lautrbach |
b73fcb |
|
|
Miroslav Grepl |
4a27ed |
mkdir -p %{buildroot}%{_mandir}
|
|
Miroslav Grepl |
4a27ed |
cp -R man/* %{buildroot}%{_mandir}
|
|
Ondrej Mosnacek |
7579dc |
make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-docs
|
|
Ondrej Mosnacek |
7579dc |
make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-headers
|
|
Ondrej Mosnacek |
2a989a |
mkdir %{buildroot}%{_datadir}/selinux/devel/
|
|
Ondrej Mosnacek |
2a989a |
mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/selinux/devel/include
|
|
Ondrej Mosnacek |
2a989a |
install -m 644 selinux_config/Makefile.devel %{buildroot}%{_datadir}/selinux/devel/Makefile
|
|
Ondrej Mosnacek |
2a989a |
install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/
|
|
Ondrej Mosnacek |
2a989a |
install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/
|
|
Ondrej Mosnacek |
2a989a |
%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot}
|
|
Ondrej Mosnacek |
2a989a |
mkdir %{buildroot}%{_datadir}/selinux/devel/html
|
|
Ondrej Mosnacek |
2a989a |
mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html
|
|
Ondrej Mosnacek |
2a989a |
mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html
|
|
Dan Walsh |
1b0e09 |
|
|
Dan Walsh |
1b0e09 |
mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
|
|
Petr Lautrbach |
c49229 |
install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
|
Yaakov Selkowitz |
e46b92 |
sed -i 's/SELINUXPOLICYVERSION/%{version}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
|
Lukas Vrabec |
42d22b |
sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
|
|
Miroslav Grepl |
4a27ed |
|
|
Ondrej Mosnacek |
fd6943 |
mkdir -p %{buildroot}%{_unitdir}
|
|
Ondrej Mosnacek |
fd6943 |
install -m 644 %{SOURCE36} %{buildroot}%{_unitdir}
|
|
Petr Lautrbach |
a345bb |
|
|
Daniel J Walsh |
487de6 |
rm -rf selinux_config
|
|
Ondrej Mosnacek |
fd6943 |
|
|
Daniel J Walsh |
9c64bb |
%post
|
|
Ondrej Mosnacek |
fd6943 |
%systemd_post selinux-check-proper-disable.service
|
|
Ondrej Mosnacek |
2a989a |
if [ ! -s %{_sysconfdir}/selinux/config ]; then
|
|
Daniel J Walsh |
487de6 |
#
|
|
Daniel J Walsh |
487de6 |
# New install so we will default to targeted policy
|
|
Daniel J Walsh |
487de6 |
#
|
|
Daniel J Walsh |
487de6 |
echo "
|
|
Nalin Dahyabhai |
af6090 |
# This file controls the state of SELinux on the system.
|
|
Nalin Dahyabhai |
af6090 |
# SELINUX= can take one of these three values:
|
|
Daniel J Walsh |
487de6 |
# enforcing - SELinux security policy is enforced.
|
|
Daniel J Walsh |
487de6 |
# permissive - SELinux prints warnings instead of enforcing.
|
|
Daniel J Walsh |
487de6 |
# disabled - No SELinux policy is loaded.
|
|
Ondrej Mosnacek |
4cdd6f |
# See also:
|
|
Ondrej Mosnacek |
4cdd6f |
# https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/#getting-started-with-selinux-selinux-states-and-modes
|
|
Ondrej Mosnacek |
4cdd6f |
#
|
|
Ondrej Mosnacek |
4cdd6f |
# NOTE: In earlier Fedora kernel builds, SELINUX=disabled would also
|
|
Ondrej Mosnacek |
4cdd6f |
# fully disable SELinux during boot. If you need a system with SELinux
|
|
Ondrej Mosnacek |
4cdd6f |
# fully disabled instead of SELinux running with no policy loaded, you
|
|
Ondrej Mosnacek |
4cdd6f |
# need to pass selinux=0 to the kernel command line. You can use grubby
|
|
Ondrej Mosnacek |
4cdd6f |
# to persistently set the bootloader to boot with selinux=0:
|
|
Ondrej Mosnacek |
4cdd6f |
#
|
|
Ondrej Mosnacek |
4cdd6f |
# grubby --update-kernel ALL --args selinux=0
|
|
Ondrej Mosnacek |
4cdd6f |
#
|
|
Ondrej Mosnacek |
4cdd6f |
# To revert back to SELinux enabled:
|
|
Ondrej Mosnacek |
4cdd6f |
#
|
|
Ondrej Mosnacek |
4cdd6f |
# grubby --update-kernel ALL --remove-args selinux
|
|
Ondrej Mosnacek |
4cdd6f |
#
|
|
Nalin Dahyabhai |
af6090 |
SELINUX=enforcing
|
|
Miroslav Grepl |
3dc79f |
# SELINUXTYPE= can take one of these three values:
|
|
Daniel J Walsh |
487de6 |
# targeted - Targeted processes are protected,
|
|
|
fe2076 |
# minimum - Modification of targeted policy. Only selected processes are protected.
|
|
Daniel J Walsh |
487de6 |
# mls - Multi Level Security protection.
|
|
Colin Walters |
5fdac7 |
SELINUXTYPE=targeted
|
|
Nalin Dahyabhai |
af6090 |
|
|
Ondrej Mosnacek |
2a989a |
" > %{_sysconfdir}/selinux/config
|
|
Nalin Dahyabhai |
af6090 |
|
|
|
fe2076 |
ln -sf ../selinux/config %{_sysconfdir}/sysconfig/selinux
|
|
Ondrej Mosnacek |
2a989a |
%{_sbindir}/restorecon %{_sysconfdir}/selinux/config 2> /dev/null || :
|
|
Nalin Dahyabhai |
af6090 |
else
|
|
Ondrej Mosnacek |
2a989a |
. %{_sysconfdir}/selinux/config
|
|
Nalin Dahyabhai |
af6090 |
fi
|
|
Daniel J Walsh |
081b6a |
exit 0
|
|
Daniel J Walsh |
9c64bb |
|
|
Ondrej Mosnacek |
fd6943 |
%preun
|
|
Ondrej Mosnacek |
fd6943 |
%systemd_preun selinux-check-proper-disable.service
|
|
Ondrej Mosnacek |
fd6943 |
|
|
Daniel J Walsh |
5ff36d |
%postun
|
|
Ondrej Mosnacek |
fd6943 |
%systemd_postun selinux-check-proper-disable.service
|
|
Daniel J Walsh |
bbaa1f |
if [ $1 = 0 ]; then
|
|
Ondrej Mosnacek |
2a989a |
%{_sbindir}/setenforce 0 2> /dev/null
|
|
Ondrej Mosnacek |
2a989a |
if [ ! -s %{_sysconfdir}/selinux/config ]; then
|
|
Ondrej Mosnacek |
2a989a |
echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
|
|
Daniel J Walsh |
487de6 |
else
|
|
Ondrej Mosnacek |
2a989a |
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
|
|
Daniel J Walsh |
487de6 |
fi
|
|
Daniel J Walsh |
5ff36d |
fi
|
|
Daniel J Walsh |
a4ec9b |
exit 0
|
|
Daniel J Walsh |
5ff36d |
|
|
Ondrej Mosnáček |
e0bfe2 |
%if %{with targeted}
|
|
Daniel J Walsh |
bd3f0e |
%package targeted
|
|
Zdenek Pytela |
e99b0b |
Summary: SELinux targeted policy
|
|
Zdenek Pytela |
4e04fa |
Provides: selinux-policy-any = %{version}-%{release}
|
|
Daniel J Walsh |
d83af2 |
Obsoletes: selinux-policy-targeted-sources < 2
|
|
Daniel J Walsh |
23e708 |
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
|
|
Daniel J Walsh |
d83af2 |
Requires(pre): coreutils
|
|
Daniel J Walsh |
d83af2 |
Requires(pre): selinux-policy = %{version}-%{release}
|
|
Daniel J Walsh |
3b5466 |
Requires: selinux-policy = %{version}-%{release}
|
|
Daniel J Walsh |
b4cab5 |
Conflicts: audispd-plugins <= 1.7.7-1
|
|
Daniel J Walsh |
487de6 |
Obsoletes: mod_fcgid-selinux <= %{version}-%{release}
|
|
Daniel J Walsh |
bc4089 |
Obsoletes: cachefilesd-selinux <= 0.10-1
|
|
Daniel J Walsh |
6b7b0c |
Conflicts: seedit
|
|
Dan Walsh |
fc9bf2 |
Conflicts: 389-ds-base < 1.2.7, 389-admin < 1.1.12
|
|
Lukas Vrabec |
ab3db2 |
Conflicts: container-selinux < 2:1.12.1-22
|
|
Daniel J Walsh |
bd3f0e |
|
|
Daniel J Walsh |
bd3f0e |
%description targeted
|
|
Zdenek Pytela |
e99b0b |
SELinux targeted policy package.
|
|
Daniel J Walsh |
bd3f0e |
|
|
Lukas Vrabec |
2e12c9 |
%pretrans targeted -p <lua>
|
|
Lukas Vrabec |
2e12c9 |
%backupConfigLua
|
|
Zdenek Pytela |
1297d6 |
%removeVarrunModuleLua targeted
|
|
Lukas Vrabec |
2e12c9 |
|
|
Daniel J Walsh |
bd3f0e |
%pre targeted
|
|
Dan Walsh |
8a78e8 |
%preInstall targeted
|
|
Daniel J Walsh |
bd3f0e |
|
|
Daniel J Walsh |
9c64bb |
%post targeted
|
|
Lukas Vrabec |
2e12c9 |
%checkConfigConsistency targeted
|
|
Daniel J Walsh |
e080bb |
exit 0
|
|
Daniel J Walsh |
d83af2 |
|
|
Lukas Vrabec |
2e12c9 |
%posttrans targeted
|
|
Lukas Vrabec |
2e12c9 |
%checkConfigConsistency targeted
|
|
Zdenek Pytela |
6dd5c7 |
%{_libexecdir}/selinux/varrun-convert.sh targeted
|
|
Petr Lautrbach |
563cc5 |
%postInstall $1 targeted
|
|
Zdenek Pytela |
7104f7 |
%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm
|
|
Lukas Vrabec |
2e12c9 |
|
|
Petr Lautrbach |
7f4032 |
%postun targeted
|
|
Petr Lautrbach |
7f4032 |
if [ $1 = 0 ]; then
|
|
Adam Williamson |
69200e |
if [ -s %{_sysconfdir}/selinux/config ]; then
|
|
Adam Williamson |
69200e |
source %{_sysconfdir}/selinux/config &> /dev/null || true
|
|
Adam Williamson |
69200e |
fi
|
|
Petr Lautrbach |
7f4032 |
if [ "$SELINUXTYPE" = "targeted" ]; then
|
|
Ondrej Mosnacek |
2a989a |
%{_sbindir}/setenforce 0 2> /dev/null
|
|
|
ee6e28 |
if [ ! -s %{_sysconfdir}/selinux/config ]; then
|
|
|
ee6e28 |
echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
|
|
Petr Lautrbach |
7f4032 |
else
|
|
|
ee6e28 |
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
|
|
Petr Lautrbach |
7f4032 |
fi
|
|
Petr Lautrbach |
7f4032 |
fi
|
|
Petr Lautrbach |
7f4032 |
fi
|
|
Petr Lautrbach |
7f4032 |
exit 0
|
|
Petr Lautrbach |
7f4032 |
|
|
Petr Lautrbach |
7f4032 |
|
|
Petr Lautrbach |
b15718 |
%triggerin -- pcre2
|
|
Ondrej Mosnacek |
2a989a |
%{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB
|
|
Dan Walsh |
7c810a |
exit 0
|
|
Dan Walsh |
7c810a |
|
|
Petr Lautrbach |
5e25a1 |
%triggerprein -p <lua> -- container-selinux
|
|
Petr Lautrbach |
5e25a1 |
%removeVarrunModuleLua targeted
|
|
Zdenek Pytela |
1297d6 |
|
|
Petr Lautrbach |
5e25a1 |
%triggerprein -p <lua> -- pcp-selinux
|
|
Petr Lautrbach |
5e25a1 |
%removeVarrunModuleLua targeted
|
|
Zdenek Pytela |
1297d6 |
|
|
Dan Walsh |
1b0e09 |
%triggerpostun -- selinux-policy-targeted < 3.12.1-74
|
|
Ondrej Mosnacek |
2a989a |
rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
|
|
Dan Walsh |
1b0e09 |
exit 0
|
|
Dan Walsh |
1b0e09 |
|
|
Zdenek Pytela |
1297d6 |
%triggerpostun -- pcp-selinux
|
|
Zdenek Pytela |
1297d6 |
%{_libexecdir}/selinux/varrun-convert.sh targeted
|
|
Zdenek Pytela |
1297d6 |
exit 0
|
|
Zdenek Pytela |
1297d6 |
|
|
Zdenek Pytela |
1297d6 |
%triggerpostun -- container-selinux
|
|
Zdenek Pytela |
1297d6 |
%{_libexecdir}/selinux/varrun-convert.sh targeted
|
|
Zdenek Pytela |
1297d6 |
exit 0
|
|
Zdenek Pytela |
1297d6 |
|
|
Miroslav Grepl |
57b06e |
%triggerpostun targeted -- selinux-policy-targeted < 3.13.1-138
|
|
Miroslav Grepl |
57b06e |
CR=$'\n'
|
|
Miroslav Grepl |
57b06e |
INPUT=""
|
|
Ondrej Mosnacek |
2a989a |
for i in `find %{_sysconfdir}/selinux/targeted/modules/active/modules/ -name \*disabled`; do
|
|
Miroslav Grepl |
57b06e |
module=`basename $i | sed 's/.pp.disabled//'`
|
|
Ondrej Mosnacek |
2a989a |
if [ -d %{_sharedstatedir}/selinux/targeted/active/modules/100/$module ]; then
|
|
Ondrej Mosnacek |
2a989a |
touch %{_sharedstatedir}/selinux/targeted/active/modules/disabled/$p
|
|
Miroslav Grepl |
57b06e |
fi
|
|
Petr Lautrbach |
a345bb |
done
|
|
Ondrej Mosnacek |
2a989a |
for i in `find %{_sysconfdir}/selinux/targeted/modules/active/modules/ -name \*.pp`; do
|
|
Miroslav Grepl |
57b06e |
INPUT="${INPUT}${CR}module -N -a $i"
|
|
Petr Lautrbach |
a345bb |
done
|
|
Ondrej Mosnacek |
2a989a |
for i in $(find %{_sysconfdir}/selinux/targeted/modules/active -name \*.local); do
|
|
Ondrej Mosnacek |
2a989a |
cp $i %{_sharedstatedir}/selinux/targeted/active
|
|
Miroslav Grepl |
982e48 |
done
|
|
Miroslav Grepl |
57b06e |
echo "$INPUT" | %{_sbindir}/semanage import -S targeted -N
|
|
Ondrej Mosnacek |
2a989a |
if %{_sbindir}/selinuxenabled ; then
|
|
Ondrej Mosnacek |
2a989a |
%{_sbindir}/load_policy
|
|
Miroslav Grepl |
57b06e |
fi
|
|
Petr Lautrbach |
a345bb |
exit 0
|
|
Petr Lautrbach |
a345bb |
|
|
Ondrej Mosnacek |
2a989a |
%files targeted -f %{buildroot}%{_datadir}/selinux/targeted/nonbasemodules.lst
|
|
Zdenek Pytela |
0a65cc |
%config(noreplace) %{_sysconfdir}/dnf/protected.d/selinux-policy-targeted.conf
|
|
Daniel J Walsh |
4d59c2 |
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u
|
|
|
fe2076 |
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u
|
|
Daniel J Walsh |
4d59c2 |
%fileList targeted
|
|
Lukas Vrabec |
7c8404 |
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/targeted/active/modules/100/permissivedomains
|
|
Daniel J Walsh |
a4ec9b |
%endif
|
|
Daniel J Walsh |
a4ec9b |
|
|
Ondrej Mosnáček |
e0bfe2 |
%if %{with minimum}
|
|
Daniel J Walsh |
675bba |
%package minimum
|
|
Zdenek Pytela |
e99b0b |
Summary: SELinux minimum policy
|
|
Zdenek Pytela |
4e04fa |
Provides: selinux-policy-any = %{version}-%{release}
|
|
Miroslav Grepl |
2fc3e7 |
Requires(post): policycoreutils-python-utils >= %{POLICYCOREUTILSVER}
|
|
Daniel J Walsh |
675bba |
Requires(pre): coreutils
|
|
Daniel J Walsh |
675bba |
Requires(pre): selinux-policy = %{version}-%{release}
|
|
Daniel J Walsh |
3b5466 |
Requires: selinux-policy = %{version}-%{release}
|
|
Daniel J Walsh |
6b7b0c |
Conflicts: seedit
|
|
Lukas Vrabec |
ab3db2 |
Conflicts: container-selinux <= 1.9.0-9
|
|
Daniel J Walsh |
675bba |
|
|
Daniel J Walsh |
675bba |
%description minimum
|
|
Zdenek Pytela |
e99b0b |
SELinux minimum policy package.
|
|
Daniel J Walsh |
675bba |
|
|
Lukas Vrabec |
2e12c9 |
%pretrans minimum -p <lua>
|
|
Lukas Vrabec |
2e12c9 |
%backupConfigLua
|
|
Lukas Vrabec |
2e12c9 |
|
|
Daniel J Walsh |
675bba |
%pre minimum
|
|
Dan Walsh |
8a78e8 |
%preInstall minimum
|
|
Dan Walsh |
857c81 |
if [ $1 -ne 1 ]; then
|
|
Ondrej Mosnacek |
2a989a |
%{_sbindir}/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > %{_datadir}/selinux/minimum/instmodules.lst
|
|
Dan Walsh |
857c81 |
fi
|
|
Daniel J Walsh |
675bba |
|
|
Daniel J Walsh |
675bba |
%post minimum
|
|
Lukas Vrabec |
2e12c9 |
%checkConfigConsistency minimum
|
|
Petr Lautrbach |
28bb9a |
modules=`cat %{_datadir}/selinux/minimum/modules.lst`
|
|
Petr Lautrbach |
28bb9a |
basemodules=`cat %{_datadir}/selinux/minimum/base.lst`
|
|
Petr Lautrbach |
28bb9a |
enabledmodules=`cat %{_datadir}/selinux/minimum/modules-enabled.lst`
|
|
Ondrej Mosnacek |
2a989a |
if [ ! -d %{_sharedstatedir}/selinux/minimum/active/modules/disabled ]; then
|
|
Ondrej Mosnacek |
2a989a |
mkdir %{_sharedstatedir}/selinux/minimum/active/modules/disabled
|
|
Miroslav Grepl |
57b06e |
fi
|
|
Daniel J Walsh |
0e31a0 |
if [ $1 -eq 1 ]; then
|
|
Petr Lautrbach |
28bb9a |
for p in $modules; do
|
|
Ondrej Mosnacek |
2a989a |
touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
|
|
Dan Walsh |
857c81 |
done
|
|
Petr Lautrbach |
28bb9a |
for p in $basemodules $enabledmodules; do
|
|
Ondrej Mosnacek |
2a989a |
rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
|
|
Dan Walsh |
857c81 |
done
|
|
Ondrej Mosnacek |
2a989a |
%{_sbindir}/semanage import -S minimum -f - << __eof
|
|
Daniel J Walsh |
675bba |
login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
|
|
Daniel J Walsh |
675bba |
login -m -s unconfined_u -r s0-s0:c0.c1023 root
|
|
Daniel J Walsh |
675bba |
__eof
|
|
Ondrej Mosnacek |
2a989a |
%{_sbindir}/restorecon -R /root /var/log /var/run 2> /dev/null
|
|
Ondrej Mosnacek |
2a989a |
%{_sbindir}/semodule -B -s minimum
|
|
Daniel J Walsh |
675bba |
else
|
|
Ondrej Mosnacek |
2a989a |
instpackages=`cat %{_datadir}/selinux/minimum/instmodules.lst`
|
|
Petr Lautrbach |
28bb9a |
for p in $packages; do
|
|
Ondrej Mosnacek |
2a989a |
touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
|
|
Dan Walsh |
857c81 |
done
|
|
Miroslav Grepl |
a27009 |
for p in $instpackages apache dbus inetd kerberos mta nis; do
|
|
Ondrej Mosnacek |
2a989a |
rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
|
|
Dan Walsh |
857c81 |
done
|
|
Ondrej Mosnacek |
2a989a |
%{_sbindir}/semodule -B -s minimum
|
|
Daniel J Walsh |
675bba |
%relabel minimum
|
|
Daniel J Walsh |
675bba |
fi
|
|
Daniel J Walsh |
675bba |
exit 0
|
|
Daniel J Walsh |
675bba |
|
|
Lukas Vrabec |
2e12c9 |
%posttrans minimum
|
|
Lukas Vrabec |
2e12c9 |
%checkConfigConsistency minimum
|
|
Zdenek Pytela |
6dd5c7 |
%{_libexecdir}/selinux/varrun-convert.sh minimum
|
|
Zdenek Pytela |
0f27d9 |
%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm
|
|
Lukas Vrabec |
2e12c9 |
|
|
Petr Lautrbach |
7f4032 |
%postun minimum
|
|
Petr Lautrbach |
7f4032 |
if [ $1 = 0 ]; then
|
|
Adam Williamson |
69200e |
if [ -s %{_sysconfdir}/selinux/config ]; then
|
|
Adam Williamson |
69200e |
source %{_sysconfdir}/selinux/config &> /dev/null || true
|
|
Adam Williamson |
69200e |
fi
|
|
Petr Lautrbach |
7f4032 |
if [ "$SELINUXTYPE" = "minimum" ]; then
|
|
Ondrej Mosnacek |
2a989a |
%{_sbindir}/setenforce 0 2> /dev/null
|
|
|
ee6e28 |
if [ ! -s %{_sysconfdir}/selinux/config ]; then
|
|
|
ee6e28 |
echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
|
|
Petr Lautrbach |
7f4032 |
else
|
|
|
ee6e28 |
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
|
|
Petr Lautrbach |
7f4032 |
fi
|
|
Petr Lautrbach |
7f4032 |
fi
|
|
Petr Lautrbach |
7f4032 |
fi
|
|
Petr Lautrbach |
7f4032 |
exit 0
|
|
Petr Lautrbach |
7f4032 |
|
|
Miroslav Grepl |
57b06e |
%triggerpostun minimum -- selinux-policy-minimum < 3.13.1-138
|
|
Ondrej Mosnacek |
2a989a |
if [ `ls -A %{_sharedstatedir}/selinux/minimum/active/modules/disabled/` ]; then
|
|
Ondrej Mosnacek |
2a989a |
rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/*
|
|
Miroslav Grepl |
57b06e |
fi
|
|
Miroslav Grepl |
57b06e |
CR=$'\n'
|
|
Miroslav Grepl |
57b06e |
INPUT=""
|
|
Ondrej Mosnacek |
2a989a |
for i in `find %{_sysconfdir}/selinux/minimum/modules/active/modules/ -name \*disabled`; do
|
|
Miroslav Grepl |
57b06e |
module=`basename $i | sed 's/.pp.disabled//'`
|
|
Ondrej Mosnacek |
2a989a |
if [ -d %{_sharedstatedir}/selinux/minimum/active/modules/100/$module ]; then
|
|
Ondrej Mosnacek |
2a989a |
touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p
|
|
Miroslav Grepl |
57b06e |
fi
|
|
Miroslav Grepl |
57b06e |
done
|
|
Ondrej Mosnacek |
2a989a |
for i in `find %{_sysconfdir}/selinux/minimum/modules/active/modules/ -name \*.pp`; do
|
|
Miroslav Grepl |
57b06e |
INPUT="${INPUT}${CR}module -N -a $i"
|
|
Miroslav Grepl |
57b06e |
done
|
|
Miroslav Grepl |
57b06e |
echo "$INPUT" | %{_sbindir}/semanage import -S minimum -N
|
|
Ondrej Mosnacek |
2a989a |
if %{_sbindir}/selinuxenabled ; then
|
|
Ondrej Mosnacek |
2a989a |
%{_sbindir}/load_policy
|
|
Miroslav Grepl |
57b06e |
fi
|
|
Miroslav Grepl |
57b06e |
exit 0
|
|
Miroslav Grepl |
57b06e |
|
|
Ondrej Mosnacek |
2a989a |
%files minimum -f %{buildroot}%{_datadir}/selinux/minimum/nonbasemodules.lst
|
|
Daniel J Walsh |
675bba |
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
|
|
|
fe2076 |
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u
|
|
Daniel J Walsh |
675bba |
%fileList minimum
|
|
Petr Lautrbach |
28bb9a |
%{_datadir}/selinux/minimum/modules-enabled.lst
|
|
Daniel J Walsh |
675bba |
%endif
|
|
Daniel J Walsh |
675bba |
|
|
Ondrej Mosnáček |
e0bfe2 |
%if %{with mls}
|
|
|
fe2076 |
%package mls
|
|
Zdenek Pytela |
e99b0b |
Summary: SELinux MLS policy
|
|
Zdenek Pytela |
4e04fa |
Provides: selinux-policy-any = %{version}-%{release}
|
|
Daniel J Walsh |
d83af2 |
Obsoletes: selinux-policy-mls-sources < 2
|
|
Daniel J Walsh |
c77aca |
Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd
|
|
Daniel J Walsh |
23e708 |
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
|
|
Daniel J Walsh |
d83af2 |
Requires(pre): coreutils
|
|
Daniel J Walsh |
d83af2 |
Requires(pre): selinux-policy = %{version}-%{release}
|
|
Daniel J Walsh |
3b5466 |
Requires: selinux-policy = %{version}-%{release}
|
|
Daniel J Walsh |
6b7b0c |
Conflicts: seedit
|
|
Lukas Vrabec |
ab3db2 |
Conflicts: container-selinux <= 1.9.0-9
|
|
Daniel J Walsh |
1580c8 |
|
|
|
fe2076 |
%description mls
|
|
Zdenek Pytela |
e99b0b |
SELinux MLS (Multi Level Security) policy package.
|
|
Daniel J Walsh |
1580c8 |
|
|
Lukas Vrabec |
2e12c9 |
%pretrans mls -p <lua>
|
|
Lukas Vrabec |
2e12c9 |
%backupConfigLua
|
|
Lukas Vrabec |
2e12c9 |
|
|
|
fe2076 |
%pre mls
|
|
Dan Walsh |
8a78e8 |
%preInstall mls
|
|
Daniel J Walsh |
1580c8 |
|
|
|
fe2076 |
%post mls
|
|
Lukas Vrabec |
2e12c9 |
%checkConfigConsistency mls
|
|
Lukas Vrabec |
6a9935 |
exit 0
|
|
Miroslav Grepl |
57b06e |
|
|
Lukas Vrabec |
2e12c9 |
%posttrans mls
|
|
Lukas Vrabec |
2e12c9 |
%checkConfigConsistency mls
|
|
Zdenek Pytela |
6dd5c7 |
%{_libexecdir}/selinux/varrun-convert.sh mls
|
|
Petr Lautrbach |
563cc5 |
%postInstall $1 mls
|
|
Zdenek Pytela |
0f27d9 |
%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm
|
|
Lukas Vrabec |
2e12c9 |
|
|
Petr Lautrbach |
7f4032 |
%postun mls
|
|
Petr Lautrbach |
7f4032 |
if [ $1 = 0 ]; then
|
|
Adam Williamson |
69200e |
if [ -s %{_sysconfdir}/selinux/config ]; then
|
|
Adam Williamson |
69200e |
source %{_sysconfdir}/selinux/config &> /dev/null || true
|
|
Adam Williamson |
69200e |
fi
|
|
Petr Lautrbach |
7f4032 |
if [ "$SELINUXTYPE" = "mls" ]; then
|
|
Ondrej Mosnacek |
2a989a |
%{_sbindir}/setenforce 0 2> /dev/null
|
|
|
ee6e28 |
if [ ! -s %{_sysconfdir}/selinux/config ]; then
|
|
|
ee6e28 |
echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
|
|
Petr Lautrbach |
7f4032 |
else
|
|
|
ee6e28 |
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
|
|
Petr Lautrbach |
7f4032 |
fi
|
|
Petr Lautrbach |
7f4032 |
fi
|
|
Petr Lautrbach |
7f4032 |
fi
|
|
Petr Lautrbach |
7f4032 |
exit 0
|
|
Petr Lautrbach |
7f4032 |
|
|
Miroslav Grepl |
57b06e |
%triggerpostun mls -- selinux-policy-mls < 3.13.1-138
|
|
Miroslav Grepl |
57b06e |
CR=$'\n'
|
|
Miroslav Grepl |
57b06e |
INPUT=""
|
|
Ondrej Mosnacek |
2a989a |
for i in `find %{_sysconfdir}/selinux/mls/modules/active/modules/ -name \*disabled`; do
|
|
Miroslav Grepl |
57b06e |
module=`basename $i | sed 's/.pp.disabled//'`
|
|
Ondrej Mosnacek |
2a989a |
if [ -d %{_sharedstatedir}/selinux/mls/active/modules/100/$module ]; then
|
|
Ondrej Mosnacek |
2a989a |
touch %{_sharedstatedir}/selinux/mls/active/modules/disabled/$p
|
|
Miroslav Grepl |
57b06e |
fi
|
|
Miroslav Grepl |
57b06e |
done
|
|
Ondrej Mosnacek |
2a989a |
for i in `find %{_sysconfdir}/selinux/mls/modules/active/modules/ -name \*.pp`; do
|
|
Miroslav Grepl |
57b06e |
INPUT="${INPUT}${CR}module -N -a $i"
|
|
Miroslav Grepl |
57b06e |
done
|
|
Miroslav Grepl |
57b06e |
echo "$INPUT" | %{_sbindir}/semanage import -S mls -N
|
|
Ondrej Mosnacek |
2a989a |
if %{_sbindir}/selinuxenabled ; then
|
|
Ondrej Mosnacek |
2a989a |
%{_sbindir}/load_policy
|
|
Miroslav Grepl |
57b06e |
fi
|
|
Miroslav Grepl |
57b06e |
exit 0
|
|
Miroslav Grepl |
57b06e |
|
|
Miroslav Grepl |
57b06e |
|
|
Ondrej Mosnacek |
2a989a |
%files mls -f %{buildroot}%{_datadir}/selinux/mls/nonbasemodules.lst
|
|
Zdenek Pytela |
0a65cc |
%config(noreplace) %{_sysconfdir}/dnf/protected.d/selinux-policy-mls.conf
|
|
Daniel J Walsh |
57ae10 |
%config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u
|
|
Daniel J Walsh |
504da9 |
%fileList mls
|
|
Daniel J Walsh |
bd3f0e |
%endif
|
|
Daniel J Walsh |
bd3f0e |
|
|
Daniel J Walsh |
56187c |
%changelog
|
|
Petr Lautrbach |
cd2c1d |
%autochangelog
|