# Conditionals for policy types (all built by default)
# Each bcond defines with_<type>; rpmbuild --without <type> skips that build.
%bcond targeted 1
%bcond minimum  1
%bcond mls      1

# github repo with selinux-policy sources
%global giturl https://github.com/fedora-selinux/selinux-policy
# Exact upstream commit the source tarball is fetched from (see Source below)
%global commit d36759478085a582a64e9692e92797d803e37b1a
# First seven characters of the commit, used in the tarball file name
%global shortcommit %(c=%{commit}; echo ${c:0:7})

# Build settings: distro and monolithic feed common_params further down;
# polyinstatiate is not referenced in the visible part of this spec
%define distro redhat
%define polyinstatiate n
%define monolithic n

# Kernel policy format version (shipped as policy.<POLICYVER>) and the minimum
# userspace tool versions this build and its scriptlets depend on
%define POLICYVER 33
%define POLICYCOREUTILSVER 3.4-1
%define CHECKPOLICYVER 3.2
Summary: SELinux policy configuration
Name: selinux-policy
Version: 41.11
Release: 1%{?dist}
License: GPL-2.0-or-later
Source: %{giturl}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
# Distribution configuration shipped next to the upstream sources; most of
# these are copied into selinux_config/ by prep and picked up by the make
# macros (booleans, users, setrans, securetty types per policy type)
Source1: modules-targeted.conf
Source2: booleans-targeted.conf
Source3: Makefile.devel
Source4: setrans-targeted.conf
Source5: modules-mls.conf
Source6: booleans-mls.conf
Source8: setrans-mls.conf
Source14: securetty_types-targeted
Source15: securetty_types-mls
Source16: modules-minimum.lst
Source17: booleans-minimum.conf
Source18: setrans-minimum.conf
Source19: securetty_types-minimum
Source20: customizable_types
Source22: users-mls
Source23: users-targeted
Source25: users-minimum
Source26: file_contexts.subs_dist
Source27: selinux-policy.conf
Source28: permissivedomains.cil
Source30: booleans.subs_dist

# Tool that helps during policy development by expanding system m4 macros to raw allow rules
# Git repo: https://github.com/fedora-selinux/macro-expander.git
Source33: macro-expander

# Include SELinux policy for containers from the separate container-selinux repo
# Git repo: https://github.com/containers/container-selinux.git
Source35: container-selinux.tgz

Source36: selinux-check-proper-disable.service

# Script to convert /var/run file context entries to /run
Source37: varrun-convert.sh
# Configuration files to dnf-protect the targeted and/or mls subpackages
Source38: selinux-policy-targeted.conf
Source39: selinux-policy-mls.conf

# Provide rpm macros for packages installing SELinux modules
Source102: rpm.macros

Url: %{giturl}
BuildArch: noarch
BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2
BuildRequires: make
BuildRequires: systemd-rpm-macros
BuildRequires: groff
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
# sha512sum is also used by preInstall (presumably invoked from pre), which
# only the policycoreutils requirement above covers; coreutils is assumed present
Requires(post): /bin/awk /usr/bin/sha512sum
# Rich dependency: pull in the rpm selinux plugin whenever rpm-libs is installed
Requires(meta): (rpm-plugin-selinux if rpm-libs)
# selinux-policy-any is expected to be provided by the policy-type subpackages
# (defined outside this excerpt)
Requires: selinux-policy-any = %{version}-%{release}
Provides: selinux-policy-base = %{version}-%{release}
Suggests: selinux-policy-targeted
%description
SELinux core policy package.
Originally based off of reference policy,
the policy has been adjusted to provide support for Fedora.

%files
# Compatibility with rpm lacking _licensedir: treat the license entry as doc
%{!?_licensedir:%global license %%doc}
%license COPYING
%dir %{_datadir}/selinux
%dir %{_datadir}/selinux/packages
%dir %{_sysconfdir}/selinux
# Both files are created empty in install and ghosted: config is filled in on
# the target (post writes it when empty); sysconfig/selinux is presumably
# provided by the tmpfiles snippet below
%ghost %config(noreplace) %{_sysconfdir}/selinux/config
%ghost %{_sysconfdir}/sysconfig/selinux
%{_usr}/lib/tmpfiles.d/selinux-policy.conf
%{_rpmconfigdir}/macros.d/macros.selinux-policy
%{_unitdir}/selinux-check-proper-disable.service
%{_libexecdir}/selinux/varrun-convert.sh
%package sandbox
Summary: SELinux sandbox policy
Requires(pre): selinux-policy-base = %{version}-%{release}
Requires(pre): selinux-policy-targeted = %{version}-%{release}

%description sandbox
SELinux sandbox policy for use with the sandbox utility.

%files sandbox
# Only the module package is shipped; post installs it into the store with
# semodule, so the store copy itself is not owned by this package
%verify(not md5 size mtime) %{_datadir}/selinux/packages/sandbox.pp
%post sandbox
# Drop any leftover "disabled" markers for the module, both in the legacy
# store location under the sysconf dir and in the current one under the
# shared state dir, so the module comes back enabled
for marker in %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled %{_sharedstatedir}/selinux/*/active/modules/disabled/sandbox; do
    rm -f "$marker" 2>/dev/null
done
# Install the shipped module into the store at priority 100 without reloading
%{_sbindir}/semodule -n -X 100 -i %{_datadir}/selinux/packages/sandbox.pp
# Only load the rebuilt kernel policy on a system where SELinux is enabled
%{_sbindir}/selinuxenabled && %{_sbindir}/load_policy
exit 0
%preun sandbox
# $1 is the number of package instances left after this transaction;
# 0 means a real removal, so disable the module (upgrades skip this)
if [ "$1" -eq 0 ]; then
    %{_sbindir}/semodule -n -d sandbox 2>/dev/null
    # Reload the kernel policy only where SELinux is enabled
    %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy
fi
exit 0
%package devel
Summary: SELinux policy development files
Requires(pre): selinux-policy = %{version}-%{release}
Requires: selinux-policy = %{version}-%{release}
Requires: m4 checkpolicy >= %{CHECKPOLICYVER}
Requires: /usr/bin/make
Requires(post): policycoreutils-devel >= %{POLICYCOREUTILSVER}

%description devel
SELinux policy development package.
This package contains:
- interfaces, macros, and patterns for policy development
- a policy example
- the macro-expander utility
and some additional files.

%files devel
%{_bindir}/macro-expander
%dir %{_datadir}/selinux/devel
%dir %{_datadir}/selinux/devel/include
%{_datadir}/selinux/devel/include/*
# container.if comes from the container-selinux tarball unpacked in prep and
# is deliberately not part of devel
%exclude %{_datadir}/selinux/devel/include/contrib/container.if
%dir %{_datadir}/selinux/devel/html
%{_datadir}/selinux/devel/html/*html
%{_datadir}/selinux/devel/html/*css
%{_datadir}/selinux/devel/Makefile
%{_datadir}/selinux/devel/example.*
%{_datadir}/selinux/devel/policy.*
# Generated on the target by sepolgen-ifgen in the devel post scriptlet
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/sepolgen/interface_info
%post devel
# Refresh the sepolgen interface cache (the ghosted interface_info entry)
# on systems where SELinux is enabled; its errors are discarded so the
# package install never fails here
if %{_sbindir}/selinuxenabled; then
    %{_bindir}/sepolgen-ifgen 2>/dev/null
fi
exit 0
%package doc
Summary: SELinux policy documentation
Requires(pre): selinux-policy = %{version}-%{release}
Requires: selinux-policy = %{version}-%{release}

%description doc
SELinux policy documentation package.
This package contains manual pages and documentation of the policy modules.

%files doc
# Per-domain man pages are generated by sepolicy manpage in install
%{_mandir}/man*/*
%{_mandir}/ru/*/*
# The container page is left out here, presumably owned by container-selinux
%exclude %{_mandir}/man8/container_selinux.8.gz
%doc %{_datadir}/doc/%{name}
# Make variables shared by every policy build; NAME, TYPE and UNK_PERMS are
# supplied per policy type by the makeCmds / installCmds macros below
%define common_params DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024
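# makeCmds NAME TYPE UNK_PERMS: run the "bare" and "conf" make targets for
# policy NAME (TYPE is mcs or mls, UNK_PERMS is allow or deny at the call
# sites; see common_params for the fixed settings), then drop the
# distribution's booleans and users files for NAME into the tree. Module
# selection is done separately by makeModulesConf. The old commented-out
# modules.conf line that ended the body with a dangling backslash is gone, so
# the macro no longer depends on a blank line following it.
%define makeCmds() \
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare \
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf \
cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \
cp -f selinux_config/users-%1 ./policy/users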
# makeModulesConf NAME: choose which modules are built, and whether as part of
# base or as loadable modules, by installing the distribution's
# modules-NAME.conf as the tree's modules.conf. The minimum build reuses the
# targeted file (see the install section).
%define makeModulesConf() \
cp -f selinux_config/modules-%1.conf  ./policy/modules.conf
# installCmds NAME TYPE UNK_PERMS: build base.pp and the loadable modules for
# policy NAME, install them under the buildroot, build the module store there
# (semodule -p buildroot at priority 100) and add the distribution's context
# configuration. Arguments match makeCmds.
%define installCmds() \
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \
%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 validate modules \
make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install \
make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install-appconfig \
# "load" populates the module store inside the buildroot instead of the host \
make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="%{_sbindir}/semodule -p %{buildroot} -X 100 " load \
%{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
# Empty placeholders for files generated on the target; ghosted or marked \
# config(noreplace) in fileList \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
cp %{SOURCE30} %{buildroot}%{_sysconfdir}/selinux/%1 \
rm -f %{buildroot}%{_datadir}/selinux/%1/*pp*  \
# Record the checksum of the shipped kernel policy; preInstall compares it \
# against the installed file on upgrade to tell whether it was rebuilt locally \
%{_bindir}/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts  \
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \
# The *.linked files are ghosted in fileList, so drop the build-time copies \
rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
%nil
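# fileList NAME: the files list shared by the per-type policy subpackages.
# Entries the module store rewrites on the target (semodule -B in postInstall)
# carry verify(not md5 size mtime) so rpm -V does not report them as changed;
# .policy.sha512 stays fully verifiable since it is the build-time checksum
# preInstall relies on. The duplicate "dir" on the modules directory entry
# was removed; the attribute is only needed once.
%define fileList() \
%defattr(-,root,root) \
%dir %{_sysconfdir}/selinux/%1 \
%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \
%dir %{_sysconfdir}/selinux/%1/logins \
%dir %{_sharedstatedir}/selinux/%1/active \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.read.LOCK \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \
%dir %attr(700,root,root) %{_sharedstatedir}/selinux/%1/active/modules \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \
%dir %{_sysconfdir}/selinux/%1/policy/ \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
%{_sysconfdir}/selinux/%1/.policy.sha512 \
%dir %{_sysconfdir}/selinux/%1/contexts \
%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/x_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/default_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \
%config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \
%config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/openssh_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/snapperd_contexts \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \
%dir %{_sysconfdir}/selinux/%1/contexts/files \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs.bin \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \
%{_sysconfdir}/selinux/%1/booleans.subs_dist \
%config %{_sysconfdir}/selinux/%1/contexts/files/media \
%dir %{_sysconfdir}/selinux/%1/contexts/users \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/root \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \
%dir %{_datadir}/selinux/%1 \
%{_datadir}/selinux/%1/base.lst \
%{_datadir}/selinux/%1/modules.lst \
%{_datadir}/selinux/%1/nonbasemodules.lst \
%dir %{_sharedstatedir}/selinux/%1 \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/commit_num \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/users_extra \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/homedir_template \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/seusers \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/policy.kern \
%ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \
%ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
%ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules_checksum \
%ghost %verify(not mode md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \
%ghost %verify(not mode md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/cil \
%ghost %verify(not mode md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/lang_ext \
%nil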
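# relabel NAME: after a policy update, restore file contexts that may have
# changed. When NAME is the active policy type and preInstall left a copy of
# the previous file_contexts (file_contexts.pre), fixfiles -C relabels only
# the paths whose context spec differs; a few paths known to end up
# mislabeled are then restored unconditionally.
%define relabel() \
if [ -s %{_sysconfdir}/selinux/config ]; then \
    . %{_sysconfdir}/selinux/config &> /dev/null || true; \
fi; \
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "%1" ] && [ -f "${FILE_CONTEXT}.pre" ]; then \
     %{_sbindir}/fixfiles -C "${FILE_CONTEXT}.pre" restore > /dev/null 2>&1; \
     rm -f "${FILE_CONTEXT}.pre"; \
fi; \
# rebuilding the rpm database still can sometimes result in an incorrect context \
%{_sbindir}/restorecon -R /usr/lib/sysimage/rpm \
# In some scenarios, /usr/bin/httpd is labelled incorrectly after sbin merge. \
# Relabel all files under /usr/bin, in case they got installed before policy \
# was updated and the labels were incorrect. \
%{_sbindir}/restorecon -R /usr/bin /usr/sbin \
# Best effort: a restorecon failure must not fail the scriptlet. The no-op \
# ":" replaces a stray "continue", which outside a loop only printed a warning. \
%{_sbindir}/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null || :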
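# preInstall NAME: pre-scriptlet body for policy NAME, $1 being the rpm
# instance count (1 = first install, so nothing to do). On upgrade:
# - disable store copies of modules that no longer ship with the policy,
# - keep a copy of the current file_contexts (file_contexts.pre) so relabel
#   can later relabel only what changed,
# - flag the store for rebuild (.rebuild) unless the installed kernel policy
#   still matches the checksum recorded at build time, i.e. it was not
#   rebuilt locally. The flag is consumed by postInstall.
# Quoting, a guard for a missing policy file (sha512sum would otherwise read
# stdin) and consistent indentation were added; the deprecated "-a" test
# operator was replaced by two tests.
%define preInstall() \
if [ "$1" -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \
    for MOD_NAME in ganesha ipa_custodia kdbus; do \
        if [ -d %{_sharedstatedir}/selinux/%1/active/modules/100/$MOD_NAME ]; then \
            %{_sbindir}/semodule -n -d $MOD_NAME; \
        fi; \
    done; \
    . %{_sysconfdir}/selinux/config; \
    FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
    if [ "${SELINUXTYPE}" = "%1" ] && [ -f "${FILE_CONTEXT}" ]; then \
        [ -f "${FILE_CONTEXT}.pre" ] || cp -f "${FILE_CONTEXT}" "${FILE_CONTEXT}.pre"; \
    fi; \
    touch %{_sysconfdir}/selinux/%1/.rebuild; \
    if [ -e %{_sysconfdir}/selinux/%1/.policy.sha512 ]; then \
        POLICY_FILE=$(ls %{_sysconfdir}/selinux/%1/policy/policy.* 2> /dev/null | sort | head -1); \
        if [ -n "$POLICY_FILE" ]; then \
            sha512=$(sha512sum "$POLICY_FILE" | cut -d ' ' -f 1); \
            checksha512=$(cat %{_sysconfdir}/selinux/%1/.policy.sha512); \
            if [ "$sha512" = "$checksha512" ]; then \
                rm %{_sysconfdir}/selinux/%1/.rebuild; \
            fi; \
        fi; \
    fi; \
fi;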
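# postInstall COUNT NAME: post-scriptlet body for policy NAME, COUNT being the
# scriptlet's $1 (1 = fresh install, otherwise upgrade). Clears the .rebuild
# flag left by preInstall, rebuilds the module store for NAME, loads the
# result when NAME is the active policy type, then either restores the
# contexts of a few key paths (fresh install) or runs relabel (upgrade).
# load_policy is now called by full path like every other tool in this file.
%define postInstall() \
if [ -s %{_sysconfdir}/selinux/config ]; then \
    . %{_sysconfdir}/selinux/config &> /dev/null || true; \
fi; \
rm -f %{_sysconfdir}/selinux/%2/.rebuild; \
%{_sbindir}/semodule -B -n -s %2; \
[ "${SELINUXTYPE}" = "%2" ] && %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy; \
if [ %1 -eq 1 ]; then \
    %{_sbindir}/restorecon -R /root /var/log /run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \
else \
%relabel %2 \
fi;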
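# modulesList NAME: derive the list of loadable modules (modules.lst) and of
# modules linked into base (base.lst) from the "<name> = module|base" lines
# of the generated modules.conf. The comment filter used to be the string
# "/^#/", which as a dynamic awk regex can never match (a start anchor after
# a slash); it is now a real regex, so "#name = module" lines are skipped.
# The doubled percent sign is rpm macro escaping for awk's printf format.
# The trailing backslash on the last line was dropped so the macro no longer
# depends on a blank line following it.
%define modulesList() \
awk '$1 !~ /^#/ && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules.conf > %{buildroot}%{_datadir}/selinux/%1/modules.lst \
awk '$1 !~ /^#/ && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst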
# nonBaseModulesList NAME: append one verify-exempt files entry per loadable
# module in modules.lst, pointing at the store directory the module occupies
# at priority 100. sandbox is skipped because it is packaged separately and
# installed into the store by the sandbox subpackage's post scriptlet.
%define nonBaseModulesList() \
for i in $(cat %{buildroot}%{_datadir}/selinux/%1/modules.lst); do \
    case "$i" in \
        sandbox) ;; \
        *) echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst ;; \
    esac; \
done;
# Make sure the config is consistent with what packages are installed in the system.
# This covers cases when the system is installed with selinux-policy-{mls,minimum}
# or selinux-policy-{targeted,mls,minimum} were switched but the machine has not
# been rebooted yet.
# The macro should be called at the beginning of "post" (to make sure load_policy does not fail)
# and in "posttrans" (to make sure that the store is consistent when all package transitions are done).
# The parameter determines the policy type to be set in case of misconfiguration (if the backup value is not usable).
# Steps:
# * load values from the config and its backup (.config_backup, written by backupConfigLua in pretrans)
# * check whether SELINUXTYPE from the backup is usable and make sure that it's set in the config if so
# * use "targeted" if it's being installed and BACKUP_SELINUXTYPE cannot be used
# * check whether SELINUXTYPE in the config is usable and change it to the newly installed policy if it isn't
# "Usable" means a kernel policy file exists under that type's policy directory.
# Both files are shell fragments sourced with "." and root-owned, so their
# values are trusted here; note that they are spliced into the sed
# expressions and paths as-is, which assumes a plain policy-type name.
%define checkConfigConsistency() \
if [ -f %{_sysconfdir}/selinux/.config_backup ]; then \
    . %{_sysconfdir}/selinux/.config_backup; \
else \
    BACKUP_SELINUXTYPE=targeted; \
fi; \
if [ -s %{_sysconfdir}/selinux/config ]; then \
    . %{_sysconfdir}/selinux/config; \
# the backup type wins whenever a kernel policy exists for it \
    if ls %{_sysconfdir}/selinux/$BACKUP_SELINUXTYPE/policy/policy.* &>/dev/null; then \
        if [ "$BACKUP_SELINUXTYPE" != "$SELINUXTYPE" ]; then \
            sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE='"$BACKUP_SELINUXTYPE"'/g' %{_sysconfdir}/selinux/config; \
        fi; \
# otherwise prefer targeted when that is what is being installed \
    elif [ "%1" = "targeted" ]; then \
        if [ "%1" != "$SELINUXTYPE" ]; then \
            sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \
        fi; \
# otherwise only rewrite the config if the configured type has no policy \
    elif ! ls  %{_sysconfdir}/selinux/$SELINUXTYPE/policy/policy.* &>/dev/null; then \
        if [ "%1" != "$SELINUXTYPE" ]; then \
            sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \
        fi; \
    fi; \
fi;
# Create a hidden backup of /etc/selinux/config and prepend BACKUP_ to the names
# of the variables inside so that they are easy to use later
# (checkConfigConsistency sources the backup and reads BACKUP_SELINUXTYPE).
# This should be done in "pretrans" because the config content can change during RPM operations.
# The macro has to be used in a script slot with "-p <lua>".
%define backupConfigLua() \
local sysconfdir = rpm.expand("%{_sysconfdir}") \
local config_file = sysconfdir .. "/selinux/config" \
local config_backup = sysconfdir .. "/selinux/.config_backup" \
-- remove first so a stale backup never survives a run where config is missing \
os.remove(config_backup) \
if posix.stat(config_file) then \
    local f = assert(io.open(config_file, "r"), "Failed to read " .. config_file) \
    local content = f:read("*all") \
    f:close() \
    -- plain substring rename (no pattern magic); comment text containing \
    -- SELINUX is renamed too, which is harmless since only variables are read \
    local backup = content:gsub("SELINUX", "BACKUP_SELINUX") \
    local bf = assert(io.open(config_backup, "w"), "Failed to open " .. config_backup) \
    bf:write(backup) \
    bf:close() \
end
# Remove the local_varrun SELinux module, stored as extra_varrun at priority
# 400 in the NAME store (its files are ghosted in fileList). Like
# backupConfigLua this is Lua and has to be used in a "-p <lua>" script slot;
# the removed path is fixed, nothing user-controlled is interpolated.
%define removeVarrunModuleLua() \
if posix.access ("%{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun/cil", "r") then \
  os.execute ("%{_bindir}/rm -rf %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun") \
end
%build
# Intentionally empty: the policies are compiled from the install section
# through the makeCmds / installCmds macros, one policy type at a time.
%prep
%autosetup -p 1 -n %{name}-%{commit}
# The container policy comes from a separate upstream tarball (Source35);
# unpack it into the contrib module tree so it builds with the rest
tar -C policy/modules/contrib -xf %{SOURCE35}

# Collect the distribution configuration files (booleans, users, setrans,
# securetty types, ...) into one directory the make macros read from
mkdir selinux_config
for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26};do
 cp $i selinux_config
done
%install
# Lay out the buildroot pieces shared by every policy type. The two config
# files are created empty: both are ghosted in the main files list and
# populated on the target system (post fills in config when it is empty).
# The initial rm is presumably redundant with rpm's own buildroot cleanup.
%{__rm} -fR %{buildroot}
mkdir -p %{buildroot}%{_sysconfdir}/selinux
mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
touch %{buildroot}%{_sysconfdir}/selinux/config
touch %{buildroot}%{_sysconfdir}/sysconfig/selinux
# tmpfiles snippet (Source27) and the helper scripts (Source33, Source37)
mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/
cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/
mkdir -p %{buildroot}%{_bindir}
install -m 755  %{SOURCE33} %{buildroot}%{_bindir}/
mkdir -p %{buildroot}%{_libexecdir}/selinux
install -m 755  %{SOURCE37} %{buildroot}%{_libexecdir}/selinux

# Always create policy module package directories
mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/
mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/

mkdir -p %{buildroot}%{_datadir}/selinux/packages

mkdir -p %{buildroot}%{_sysconfdir}/dnf/protected.d/

# Start from a clean tree before the per-type builds below (the devel
# files are installed further down, after the policies are built)
make clean
%if %{with targeted}
# Build targeted policy (MCS type, unknown permissions allowed)
%makeCmds targeted mcs allow
%makeModulesConf targeted
%installCmds targeted mcs allow
# install permissivedomains.cil into the buildroot store at priority 100
%{_sbindir}/semodule -p %{buildroot} -X 100 -s targeted -i %{SOURCE28}
# recreate sandbox.pp: the sandbox subpackage ships it as a standalone module
# and installs it into the store in its post scriptlet, so the copy the build
# put into the store is removed here
rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox
%make_build %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs sandbox.pp
mv sandbox.pp %{buildroot}%{_datadir}/selinux/packages/sandbox.pp
%modulesList targeted
%nonBaseModulesList targeted
# dnf protection for the targeted subpackage (Source38)
install -m 644 %{SOURCE38} %{buildroot}%{_sysconfdir}/dnf/protected.d/
%endif
%if %{with minimum}
# Build minimum policy: same module set as targeted (note the targeted
# modules.conf), with the enabled subset listed in modules-enabled.lst
# (Source16), presumably applied on the target by its scriptlets
%makeCmds minimum mcs allow
%makeModulesConf targeted
%installCmds minimum mcs allow
# sandbox is provided by the sandbox subpackage, not by this store
rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox
install -m 644 %{SOURCE16} %{buildroot}%{_datadir}/selinux/minimum/modules-enabled.lst
%modulesList minimum
%nonBaseModulesList minimum
%endif
%if %{with mls}
# Build mls policy: MLS type, and unknown permissions are denied rather than
# allowed as in the other two policy types
%makeCmds mls mls deny
%makeModulesConf mls
%installCmds mls mls deny
%modulesList mls
%nonBaseModulesList mls
# dnf protection for the mls subpackage (Source39)
install -m 644 %{SOURCE39} %{buildroot}%{_sysconfdir}/dnf/protected.d/
%endif
# remove leftovers when save-previous=true (semanage.conf) is used
rm -rf %{buildroot}%{_sharedstatedir}/selinux/{minimum,targeted,mls}/previous

# Documentation and development headers are generated from the targeted
# configuration; note this runs unconditionally, even when the targeted
# bcond is turned off
mkdir -p %{buildroot}%{_mandir}
cp -R  man/* %{buildroot}%{_mandir}
make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-docs
make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-headers
mkdir %{buildroot}%{_datadir}/selinux/devel/
mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/selinux/devel/include
install -m 644 selinux_config/Makefile.devel %{buildroot}%{_datadir}/selinux/devel/Makefile
install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/
install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/
# Generate the per-domain man pages (and their html versions) from the policy
# installed in the buildroot; the html goes to the devel package
%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot}
mkdir %{buildroot}%{_datadir}/selinux/devel/html
mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html
mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html

# rpm macros for packages shipping SELinux modules; the two placeholders in
# Source102 are filled in with this package's version and the store path
mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
sed -i 's/SELINUXPOLICYVERSION/%{version}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy

mkdir -p %{buildroot}%{_unitdir}
install -m 644 %{SOURCE36} %{buildroot}%{_unitdir}

# The staging directory created in prep is no longer needed
rm -rf selinux_config
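%post
%systemd_post selinux-check-proper-disable.service
# A missing or empty config file means a fresh install: seed it with the
# defaults (enforcing, targeted) and point the legacy sysconfig path at it.
# An existing config is left untouched so the administrator's choice survives
# upgrades.  (Sourcing the existing config here, as an older version of this
# scriptlet did, is pointless: nothing reads the result, and it executes a
# file from the system as shell for no effect.)
if [ ! -s %{_sysconfdir}/selinux/config ]; then
echo "
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# See also:
# https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/#getting-started-with-selinux-selinux-states-and-modes
#
# NOTE: In earlier Fedora kernel builds, SELINUX=disabled would also
# fully disable SELinux during boot. If you need a system with SELinux
# fully disabled instead of SELinux running with no policy loaded, you
# need to pass selinux=0 to the kernel command line. You can use grubby
# to persistently set the bootloader to boot with selinux=0:
#
#    grubby --update-kernel ALL --args selinux=0
#
# To revert back to SELinux enabled:
#
#    grubby --update-kernel ALL --remove-args selinux
#
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

" > %{_sysconfdir}/selinux/config

    ln -sf ../selinux/config %{_sysconfdir}/sysconfig/selinux
    # Label the freshly written file; failures (e.g. no policy loaded yet)
    # are deliberately ignored.
    %{_sbindir}/restorecon %{_sysconfdir}/selinux/config 2> /dev/null || :
fi
exit 0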
%preun
# systemd's pre-uninstall handling for the self-check unit shipped by this
# package (counterpart of the post/postun hooks around it).
%systemd_preun selinux-check-proper-disable.service
%postun
%systemd_postun selinux-check-proper-disable.service
# Only when the last instance of the base package is erased ($1 is 0; an
# upgrade passes 1): switch the running kernel to permissive right away and
# persist SELINUX=disabled, since no policy will be left to load at the next
# boot.  Upgrades leave the configuration alone.
case "$1" in
  0)
    %{_sbindir}/setenforce 0 2> /dev/null
    if [ -s %{_sysconfdir}/selinux/config ]; then
      sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
    else
      echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
    fi
    ;;
esac
exit 0
%if %{with targeted}
%package targeted
Summary: SELinux targeted policy
Provides: selinux-policy-any = %{version}-%{release}
Obsoletes: selinux-policy-targeted-sources < 2
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
Requires: selinux-policy = %{version}-%{release}
Conflicts:  audispd-plugins <= 1.7.7-1
Obsoletes: mod_fcgid-selinux <= %{version}-%{release}
Obsoletes: cachefilesd-selinux <= 0.10-1
Conflicts:  seedit
Conflicts:  389-ds-base < 1.2.7, 389-admin < 1.1.12
Conflicts: container-selinux < 2:1.12.1-22
%description targeted
SELinux targeted policy package.
%pretrans targeted -p <lua>
%backupConfigLua
%removeVarrunModuleLua targeted
%pre targeted
# Shared pre-install steps for every policy flavour (the minimum and mls
# packages call the same macro with their own store name).
%preInstall targeted
%post targeted
# Config-vs-installed-policy consistency check only; the store conversion,
# the post-install macro and the rpmdb relabel run in posttrans, once every
# package of the transaction is on disk.
%checkConfigConsistency targeted
exit 0
%posttrans targeted
# Runs after the whole transaction, so module packages installed alongside
# this one are already in place.
%checkConfigConsistency targeted
# Helper script that presumably migrates modules from the old var/run layout;
# the pcp-selinux and container-selinux triggers below re-run it.
%{_libexecdir}/selinux/varrun-convert.sh targeted
# $1 is the rpm install count (1 on first install, higher on upgrade).
%postInstall $1 targeted
# Relabel the rpm database at its current and legacy locations (-i: ignore a
# missing path); it is modified during the transaction, so its labels may be
# stale.
%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm
%postun targeted
# Only on erase of the last instance ($1 is 0; an upgrade passes 1).  Pick up
# SELINUXTYPE from the config file and, if the targeted policy being removed is
# the active one, drop to permissive now and persist SELINUX=disabled so a
# policy that no longer exists is not requested at the next boot.
# NOTE(review): the config file is executed as shell to read SELINUXTYPE; it is
# root-owned system configuration, but a key=value parse would avoid running it.
if [ "$1" = 0 ]; then
    if [ -s %{_sysconfdir}/selinux/config ]; then
        source %{_sysconfdir}/selinux/config &> /dev/null || true
    fi
    case "$SELINUXTYPE" in
        targeted)
            %{_sbindir}/setenforce 0 2> /dev/null
            if [ -s %{_sysconfdir}/selinux/config ]; then
                sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
            else
                echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
            fi
            ;;
    esac
fi
exit 0
%triggerin -- pcre2
# Rebuild the policy store (-B) without reloading it (-n) whenever pcre2 is
# installed or updated, but only on a system where SELinux is enabled.
# Presumably the compiled file-context databases in the store depend on the
# pcre2 build; confirm before changing.
if %{_sbindir}/selinuxenabled; then
    %{_sbindir}/semodule -nB
fi
exit 0
%triggerprein -p <lua> -- container-selinux
%removeVarrunModuleLua targeted
%triggerprein -p <lua> -- pcp-selinux
%removeVarrunModuleLua targeted
%triggerpostun -- selinux-policy-targeted < 3.12.1-74
# Fires once when a targeted policy older than 3.12.1-74 is replaced: drop the
# stale "sandbox" disabled marker from the old-style module tree.  The glob
# covers every policy type's directory; a missing file is silently ignored.
rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null
exit 0
%triggerpostun -- pcp-selinux
# After pcp-selinux is removed, re-run the store conversion helper (same
# script as in posttrans).  Note it always targets the targeted store,
# whichever policy type is active.
%{_libexecdir}/selinux/varrun-convert.sh targeted
exit 0
%triggerpostun -- container-selinux
# After container-selinux is removed, re-run the store conversion helper
# (same script as in posttrans); like the pcp-selinux trigger it always works
# on the targeted store.
%{_libexecdir}/selinux/varrun-convert.sh targeted
exit 0
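%triggerpostun targeted -- selinux-policy-targeted < 3.13.1-138
# One-shot migration when upgrading from a targeted policy older than
# 3.13.1-138: the module store used to live under the sysconfdir
# (.../selinux/targeted/modules/active); it now lives under the shared state
# dir.  Carry the disabled markers over, re-import the old .pp modules, copy
# the *.local customisations and reload.
CR=$'\n'
INPUT=""
old_modules=%{_sysconfdir}/selinux/targeted/modules/active/modules
new_store=%{_sharedstatedir}/selinux/targeted/active
# A foo.pp.disabled file in the old tree becomes an empty marker named after
# the module in the new store's disabled/ directory.  The marker used to be
# "$p", a variable that is never set, so the touch hit the directory itself
# and no module was actually re-disabled.
for i in $(find "$old_modules" -name \*disabled); do
    module=$(basename "$i" | sed 's/\.pp\.disabled$//')
    if [ -d "$new_store/modules/100/$module" ]; then
        touch "$new_store/modules/disabled/$module"
    fi
done
# Re-add every old .pp module in one semanage transaction (-N: no reload).
for i in $(find "$old_modules" -name \*.pp); do
    INPUT="${INPUT}${CR}module -N -a $i"
done
# Local customisations go straight into the new store.
for i in $(find %{_sysconfdir}/selinux/targeted/modules/active -name \*.local); do
    cp "$i" "$new_store"
done
echo "$INPUT" | %{_sbindir}/semanage import -S targeted -N
if %{_sbindir}/selinuxenabled; then
    %{_sbindir}/load_policy
fi
exit 0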
%files targeted -f %{buildroot}%{_datadir}/selinux/targeted/nonbasemodules.lst
%config(noreplace) %{_sysconfdir}/dnf/protected.d/selinux-policy-targeted.conf
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u
%fileList targeted
%verify(not md5 size mtime) %{_sharedstatedir}/selinux/targeted/active/modules/100/permissivedomains
%endif
%if %{with minimum}
%package minimum
Summary: SELinux minimum policy
Provides: selinux-policy-any = %{version}-%{release}
Requires(post): policycoreutils-python-utils >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
Requires: selinux-policy = %{version}-%{release}
Conflicts:  seedit
Conflicts: container-selinux <= 1.9.0-9
%description minimum
SELinux minimum policy package.
%pretrans minimum -p <lua>
%backupConfigLua
%pre minimum
%preInstall minimum
# On upgrade only ($1 is 1 on first install): snapshot the modules currently
# enabled in the minimum store so the post scriptlet can restore that
# selection.  In the "--list-modules=full" output column 2 is the module name
# and column 4 reads "disabled" for disabled modules.
# NOTE(review): instmodules.lst is written under the datadir at install time
# and does not appear in this package's visible files section, so it is not
# owned by the package; verify it is cleaned up on erase.
if [ $1 -ne 1 ]; then
    %{_sbindir}/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > %{_datadir}/selinux/minimum/instmodules.lst
fi
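%post minimum
%checkConfigConsistency minimum
# Module lists generated at build time: every module shipped with the policy,
# the base modules, and the modules enabled by default in minimum.  Word
# splitting on the list contents is intended (one module name per word).
modules=$(cat %{_datadir}/selinux/minimum/modules.lst)
basemodules=$(cat %{_datadir}/selinux/minimum/base.lst)
enabledmodules=$(cat %{_datadir}/selinux/minimum/modules-enabled.lst)
# A module is disabled by an empty marker file named after it in the store's
# disabled/ directory; make sure that directory exists.
disabled_dir=%{_sharedstatedir}/selinux/minimum/active/modules/disabled
if [ ! -d "$disabled_dir" ]; then
    mkdir "$disabled_dir"
fi
if [ "$1" -eq 1 ]; then
    # First install: disable everything, then re-enable the base modules and
    # the default-enabled set, map the default login and root to
    # unconfined_u, and build the store.
    for p in $modules; do
        touch "$disabled_dir/$p"
    done
    for p in $basemodules $enabledmodules; do
        rm -f "$disabled_dir/$p"
    done
    %{_sbindir}/semanage import -S minimum -f - << __eof
login -m  -s unconfined_u -r s0-s0:c0.c1023 __default__
login -m  -s unconfined_u -r s0-s0:c0.c1023 root
__eof
    %{_sbindir}/restorecon -R /root /var/log /var/run 2> /dev/null
    %{_sbindir}/semodule -B -s minimum
else
    # Upgrade: instmodules.lst was written by the pre scriptlet and lists the
    # modules that were enabled before the upgrade.  Start from "everything
    # disabled" and re-enable that set plus a fixed group of modules.  The
    # first loop used to iterate "$packages", a variable that is never set, so
    # modules new to this release were left enabled instead of disabled.
    instpackages=$(cat %{_datadir}/selinux/minimum/instmodules.lst)
    for p in $modules; do
        touch "$disabled_dir/$p"
    done
    for p in $instpackages apache dbus inetd kerberos mta nis; do
        rm -f "$disabled_dir/$p"
    done
    %{_sbindir}/semodule -B -s minimum
    %relabel minimum
fi
exit 0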
%posttrans minimum
# Runs after the whole transaction; unlike the targeted and mls flavours the
# post-install macro is not invoked here (the post scriptlet above does the
# module selection and store build itself).
%checkConfigConsistency minimum
# Helper script that presumably migrates modules from the old var/run layout.
%{_libexecdir}/selinux/varrun-convert.sh minimum
# Relabel the rpm database at its current and legacy locations (-i: ignore a
# missing path); it is modified during the transaction, so its labels may be
# stale.
%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm
%postun minimum
# Only on erase of the last instance ($1 is 0; an upgrade passes 1).  Pick up
# SELINUXTYPE from the config file and, if the minimum policy being removed is
# the active one, drop to permissive now and persist SELINUX=disabled so a
# policy that no longer exists is not requested at the next boot.
# NOTE(review): the config file is executed as shell to read SELINUXTYPE; it is
# root-owned system configuration, but a key=value parse would avoid running it.
if [ "$1" = 0 ]; then
    if [ -s %{_sysconfdir}/selinux/config ]; then
        source %{_sysconfdir}/selinux/config &> /dev/null || true
    fi
    case "$SELINUXTYPE" in
        minimum)
            %{_sbindir}/setenforce 0 2> /dev/null
            if [ -s %{_sysconfdir}/selinux/config ]; then
                sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
            else
                echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
            fi
            ;;
    esac
fi
exit 0
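%triggerpostun minimum -- selinux-policy-minimum < 3.13.1-138
# One-shot migration when upgrading from a minimum policy older than
# 3.13.1-138: the module store used to live under the sysconfdir
# (.../selinux/minimum/modules/active); it now lives under the shared state
# dir.  Reset the disabled markers, carry the old ones over, re-import the old
# .pp modules and reload.
new_store=%{_sharedstatedir}/selinux/minimum/active
old_modules=%{_sysconfdir}/selinux/minimum/modules/active/modules
# Start from an empty disabled/ directory.  The previous guard tested the
# output of "ls -A" with "[ ... ]", which fails with "too many arguments" as
# soon as the directory holds more than one entry, so the cleanup only ever
# ran for a single marker; rm -f on a non-matching glob is a harmless no-op.
rm -f "$new_store"/modules/disabled/* 2> /dev/null
CR=$'\n'
INPUT=""
# A foo.pp.disabled file in the old tree becomes an empty marker named after
# the module in the new store's disabled/ directory.  The marker used to be
# "$p", a variable that is never set, so the touch hit the directory itself
# and no module was actually re-disabled.
for i in $(find "$old_modules" -name \*disabled); do
    module=$(basename "$i" | sed 's/\.pp\.disabled$//')
    if [ -d "$new_store/modules/100/$module" ]; then
        touch "$new_store/modules/disabled/$module"
    fi
done
# Re-add every old .pp module in one semanage transaction (-N: no reload).
for i in $(find "$old_modules" -name \*.pp); do
    INPUT="${INPUT}${CR}module -N -a $i"
done
echo "$INPUT" | %{_sbindir}/semanage import -S minimum -N
if %{_sbindir}/selinuxenabled; then
    %{_sbindir}/load_policy
fi
exit 0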
%files minimum -f %{buildroot}%{_datadir}/selinux/minimum/nonbasemodules.lst
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u
%fileList minimum
%{_datadir}/selinux/minimum/modules-enabled.lst
%endif
%if %{with mls}
%package mls
Summary: SELinux MLS policy
Provides: selinux-policy-any = %{version}-%{release}
Obsoletes: selinux-policy-mls-sources < 2
Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
Requires: selinux-policy = %{version}-%{release}
Conflicts:  seedit
Conflicts: container-selinux <= 1.9.0-9
%description mls
SELinux MLS (Multi Level Security) policy package.
%pretrans mls -p <lua>
%backupConfigLua
%pre mls
# Shared pre-install steps for every policy flavour (targeted and minimum
# call the same macro with their own store name).
%preInstall mls
%post mls
# Config-vs-installed-policy consistency check only; the store conversion,
# the post-install macro and the rpmdb relabel run in posttrans, once every
# package of the transaction is on disk.
%checkConfigConsistency mls
exit 0
%posttrans mls
# Runs after the whole transaction, so module packages installed alongside
# this one are already in place.
%checkConfigConsistency mls
# Helper script that presumably migrates modules from the old var/run layout.
%{_libexecdir}/selinux/varrun-convert.sh mls
# $1 is the rpm install count (1 on first install, higher on upgrade).
%postInstall $1 mls
# Relabel the rpm database at its current and legacy locations (-i: ignore a
# missing path); it is modified during the transaction, so its labels may be
# stale.
%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm
%postun mls
# Only on erase of the last instance ($1 is 0; an upgrade passes 1).  Pick up
# SELINUXTYPE from the config file and, if the mls policy being removed is the
# active one, drop to permissive now and persist SELINUX=disabled so a policy
# that no longer exists is not requested at the next boot.
# NOTE(review): the config file is executed as shell to read SELINUXTYPE; it is
# root-owned system configuration, but a key=value parse would avoid running it.
if [ "$1" = 0 ]; then
    if [ -s %{_sysconfdir}/selinux/config ]; then
        source %{_sysconfdir}/selinux/config &> /dev/null || true
    fi
    case "$SELINUXTYPE" in
        mls)
            %{_sbindir}/setenforce 0 2> /dev/null
            if [ -s %{_sysconfdir}/selinux/config ]; then
                sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config
            else
                echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config
            fi
            ;;
    esac
fi
exit 0
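%triggerpostun mls -- selinux-policy-mls < 3.13.1-138
# One-shot migration when upgrading from an mls policy older than
# 3.13.1-138: the module store used to live under the sysconfdir
# (.../selinux/mls/modules/active); it now lives under the shared state dir.
# Carry the disabled markers over, re-import the old .pp modules and reload.
CR=$'\n'
INPUT=""
old_modules=%{_sysconfdir}/selinux/mls/modules/active/modules
new_store=%{_sharedstatedir}/selinux/mls/active
# A foo.pp.disabled file in the old tree becomes an empty marker named after
# the module in the new store's disabled/ directory.  The marker used to be
# "$p", a variable that is never set, so the touch hit the directory itself
# and no module was actually re-disabled.
for i in $(find "$old_modules" -name \*disabled); do
    module=$(basename "$i" | sed 's/\.pp\.disabled$//')
    if [ -d "$new_store/modules/100/$module" ]; then
        touch "$new_store/modules/disabled/$module"
    fi
done
# Re-add every old .pp module in one semanage transaction (-N: no reload).
for i in $(find "$old_modules" -name \*.pp); do
    INPUT="${INPUT}${CR}module -N -a $i"
done
echo "$INPUT" | %{_sbindir}/semanage import -S mls -N
if %{_sbindir}/selinuxenabled; then
    %{_sbindir}/load_policy
fi
exit 0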
%files mls -f %{buildroot}%{_datadir}/selinux/mls/nonbasemodules.lst
%config(noreplace) %{_sysconfdir}/dnf/protected.d/selinux-policy-mls.conf
%config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u
%fileList mls
%endif
%changelog
%autochangelog