Daniel J Walsh 1580c8
%define distro redhat
Daniel J Walsh 1580c8
%define direct_initrc y
Daniel J Walsh 1580c8
%define monolithic n
Daniel J Walsh 1580c8
%define polname1 targeted
Daniel J Walsh d77f56
%define polname2 mls
Daniel J Walsh d77f56
%define polname3 strict
Daniel J Walsh 1580c8
%define POLICYVER 20
Daniel J Walsh 765f81
%define POLICYCOREUTILSVER 1.27.28-3
Daniel J Walsh 765f81
%define CHECKPOLICYVER 1.27.17-7
Daniel J Walsh 1580c8
Summary: SELinux policy configuration
Daniel J Walsh 1580c8
Name: selinux-policy
Daniel J Walsh a03362
Version: 2.0.6
Daniel J Walsh a03362
Release: 1
Daniel J Walsh 1580c8
License: GPL
Daniel J Walsh 1580c8
Group: System Environment/Base
Daniel J Walsh 1580c8
Source: serefpolicy-%{version}.tgz
Daniel J Walsh 1580c8
patch: policy-20051114.patch
Daniel J Walsh d77f56
Source1: modules-%{polname1}.conf
Daniel J Walsh d77f56
Source2: booleans-%{polname1}.conf
Daniel J Walsh d77f56
Source3: seusers-%{polname1}
Daniel J Walsh d77f56
Source4: setrans-%{polname1}.conf
Daniel J Walsh d77f56
Source5: modules-%{polname2}.conf
Daniel J Walsh d77f56
Source6: booleans-%{polname2}.conf
Daniel J Walsh d77f56
Source7: seusers-%{polname2}
Daniel J Walsh d77f56
Source8: setrans-%{polname2}.conf
Daniel J Walsh 3e930b
Daniel J Walsh 1580c8
Url: http://serefpolicy.sourceforge.net
Daniel J Walsh 1580c8
BuildRoot: %{_tmppath}/serefpolicy-buildroot
Daniel J Walsh 1580c8
BuildArch: noarch
Daniel J Walsh 1580c8
BuildRequires: checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils >= %{POLICYCOREUTILSVER}
Daniel J Walsh 1580c8
Requires: policycoreutils >= %{POLICYCOREUTILSVER}
Daniel J Walsh 1580c8
Obsoletes: policy 
Daniel J Walsh 1580c8
Nalin Dahyabhai 46e726
%package %{polname1}
Nalin Dahyabhai 46e726
Summary: SELinux %{polname1} base policy
Nalin Dahyabhai 46e726
Group: System Environment/Base
Nalin Dahyabhai 46e726
Provides: selinux-policy-base
Nalin Dahyabhai 46e726
Obsoletes: selinux-policy-%{polname1}-sources
Nalin Dahyabhai 46e726
Nalin Dahyabhai 46e726
%description %{polname1}
Nalin Dahyabhai 46e726
SELinux Reference policy targeted base module.
Nalin Dahyabhai 46e726
Daniel J Walsh 1580c8
%define installCmds() \
Daniel J Walsh 3e930b
cp -f ${RPM_SOURCE_DIR}/modules-%1.conf  ./policy/modules.conf \
Daniel J Walsh 3e930b
cp -f ${RPM_SOURCE_DIR}/booleans-%1.conf ./policy/booleans.conf \
Daniel J Walsh 3e930b
make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} base.pp \
Daniel J Walsh 3e930b
make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} modules \
Daniel J Walsh 1580c8
%{__mkdir} -p $RPM_BUILD_ROOT/%{_usr}/share/selinux/%1/ \
Daniel J Walsh 1580c8
%{__cp} *.pp $RPM_BUILD_ROOT/%{_usr}/share/selinux/%1/ \
Daniel J Walsh 1580c8
%{__mkdir} -p $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%1/policy \
Daniel J Walsh 1580c8
%{__mkdir} -p $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%1/modules/active \
Daniel J Walsh 1580c8
%{__mkdir} -p $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%1/contexts/files \
Daniel J Walsh d77f56
make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=y DESTDIR=$RPM_BUILD_ROOT install-appconfig \
Daniel J Walsh 598be1
semodule_expand $RPM_BUILD_ROOT/usr/share/selinux/%1/base.pp $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
Daniel J Walsh 1580c8
rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%1/booleans \
Daniel J Walsh 1580c8
touch $RPM_BUILD_ROOT%{_sysconfdir}/selinux/config \
Daniel J Walsh 1580c8
touch $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%1/seusers \
Daniel J Walsh 1580c8
touch $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
Daniel J Walsh 1580c8
touch $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%1/contexts/files/homedir_template \
Daniel J Walsh 3e930b
touch $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
Daniel J Walsh 3e930b
install -m0644 ${RPM_SOURCE_DIR}/seusers-%1 ${RPM_BUILD_ROOT}%{_sysconfdir}/selinux/%1/modules/active/seusers \
Daniel J Walsh 3e930b
install -m0644 ${RPM_SOURCE_DIR}/setrans-%1.conf ${RPM_BUILD_ROOT}%{_sysconfdir}/selinux/%1/setrans.conf \
Daniel J Walsh 3e930b
%nil
Daniel J Walsh 1580c8
Daniel J Walsh 1580c8
%define fileList() \
Daniel J Walsh 1580c8
%defattr(-,root,root) \
Daniel J Walsh 1580c8
%dir %{_usr}/share/selinux \
Daniel J Walsh 1580c8
%dir %{_usr}/share/selinux/%1 \
Daniel J Walsh 1580c8
%config %{_usr}/share/selinux/%1/base.pp \
Daniel J Walsh 1580c8
%dir %{_sysconfdir}/selinux \
Daniel J Walsh 1580c8
%ghost %config(noreplace) %{_sysconfdir}/selinux/config \
Daniel J Walsh 1580c8
%dir %{_sysconfdir}/selinux/%1 \
Daniel J Walsh 1580c8
%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
Daniel J Walsh 1580c8
%ghost %{_sysconfdir}/selinux/%1/seusers \
Daniel J Walsh 1580c8
%dir %{_sysconfdir}/selinux/%1/modules \
Daniel J Walsh 21dea1
%attr(700,root,root) %dir %{_sysconfdir}/selinux/%1/modules/active \
Daniel J Walsh 21dea1
%verify(not md5 size mtime) %attr(600,root,root) %config(noreplace) %{_sysconfdir}/selinux/%1/modules/active/seusers \
Daniel J Walsh 1580c8
%dir %{_sysconfdir}/selinux/%1/policy/ \
Daniel J Walsh 21dea1
%verify(not md5 size mtime) %attr(600,root,root) %config(noreplace) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
Daniel J Walsh 1580c8
%dir %{_sysconfdir}/selinux/%1/contexts \
Daniel J Walsh 1580c8
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/customizable_types \
Daniel J Walsh 1580c8
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \
Daniel J Walsh 1580c8
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_contexts \
Daniel J Walsh 1580c8
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
Daniel J Walsh 1580c8
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
Daniel J Walsh 1580c8
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \
Daniel J Walsh 1580c8
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \
Daniel J Walsh 1580c8
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \
Daniel J Walsh 1580c8
%dir %{_sysconfdir}/selinux/%1/contexts/files \
Daniel J Walsh 1580c8
%ghost %config %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
Daniel J Walsh 1580c8
%ghost %config %{_sysconfdir}/selinux/%1/contexts/files/homedir_template \
Daniel J Walsh 1580c8
%ghost %config %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
Daniel J Walsh 1580c8
%config %{_sysconfdir}/selinux/%1/contexts/files/media
Daniel J Walsh 1580c8
Daniel J Walsh 1580c8
%define saveFileContext() \
Daniel J Walsh 1580c8
. %{_sysconfdir}/selinux/config; \
Daniel J Walsh 1580c8
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
Daniel J Walsh 1580c8
if [ "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT} ]; then \
Daniel J Walsh 1580c8
	cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
Daniel J Walsh 1580c8
fi 
Daniel J Walsh 1580c8
Daniel J Walsh 1580c8
%define rebuildpolicy() \
Daniel J Walsh 1580c8
semodule -b /usr/share/selinux/%1/base.pp -s %1 \
Daniel J Walsh 1580c8
for file in $(ls /usr/share/selinux/%1 | grep -v base.pp) \
Daniel J Walsh 1580c8
do \
Daniel J Walsh 1580c8
	semodule -i /usr/share/selinux/%1/$file -s %1;\
Daniel J Walsh 598be1
done; \
Daniel J Walsh 598be1
rm -f %{_sysconfdir}/selinux/%1/policy/policy.*.rpmnew
Daniel J Walsh 1580c8
Daniel J Walsh 1580c8
%define relabel() \
Daniel J Walsh 1580c8
. %{_sysconfdir}/selinux/config; \
Daniel J Walsh 1580c8
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
Daniel J Walsh 1580c8
if [ "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT}.pre ]; then \
Daniel J Walsh 1580c8
	fixfiles -C ${FILE_CONTEXT}.pre restore; \
Daniel J Walsh 1580c8
	rm -f ${FILE_CONTEXT}.pre; \
Daniel J Walsh 1580c8
fi; 
Daniel J Walsh 1580c8
Daniel J Walsh 1580c8
%description
Daniel J Walsh 1580c8
SELinux Reference Policy - modular.
Daniel J Walsh 1580c8
Daniel J Walsh 3e930b
%prep 
Daniel J Walsh 1580c8
%setup -q -n serefpolicy-%{version}
Daniel J Walsh 3e930b
%patch0 -p1 
Daniel J Walsh 3e930b
	
Daniel J Walsh 1580c8
%install
Daniel J Walsh e56873
Daniel J Walsh e56873
# Build targeted policy
Daniel J Walsh 3e930b
make conf
Daniel J Walsh 1580c8
%{__rm} -fR $RPM_BUILD_ROOT
Daniel J Walsh d77f56
%installCmds %{polname1} targeted-mcs %{direct_initrc}
Daniel J Walsh 3e930b
Daniel J Walsh e56873
# Build mls policy
Daniel J Walsh 3e930b
make clean
Daniel J Walsh 3e930b
make conf
Daniel J Walsh d77f56
%installCmds %{polname2} strict-mls n
Daniel J Walsh d77f56
Daniel J Walsh 3e930b
Daniel J Walsh d77f56
# Build strict policy
Daniel J Walsh d77f56
# Commented out because only targeted ref policy currently builds
Daniel J Walsh d77f56
# make clean
Daniel J Walsh d77f56
# make conf
Daniel J Walsh d77f56
#%#installCmds %{polname3} strict-mcs %{direct_initrc}
Daniel J Walsh 1580c8
Daniel J Walsh 1580c8
%clean
Daniel J Walsh 1580c8
%{__rm} -fR $RPM_BUILD_ROOT
Daniel J Walsh 1580c8
Nalin Dahyabhai af6090
%files %{polname1}
Nalin Dahyabhai af6090
%fileList %{polname1}
Nalin Dahyabhai af6090
Nalin Dahyabhai af6090
%pre %{polname1}
Nalin Dahyabhai af6090
%saveFileContext %{polname1}
Nalin Dahyabhai af6090
Nalin Dahyabhai af6090
%post %{polname1}
Nalin Dahyabhai af6090
if [ ! -s /etc/selinux/config ]; then
Nalin Dahyabhai af6090
	#
Nalin Dahyabhai af6090
	#	New install so we will default to targeted policy
Nalin Dahyabhai af6090
	#
Nalin Dahyabhai af6090
	echo "
Nalin Dahyabhai af6090
# This file controls the state of SELinux on the system.
Nalin Dahyabhai af6090
# SELINUX= can take one of these three values:
Nalin Dahyabhai af6090
#	enforcing - SELinux security policy is enforced.
Nalin Dahyabhai af6090
#	permissive - SELinux prints warnings instead of enforcing.
Nalin Dahyabhai af6090
#	disabled - No SELinux policy is loaded.
Nalin Dahyabhai af6090
SELINUX=enforcing
Nalin Dahyabhai af6090
# SELINUXTYPE= can take one of these two values:
Nalin Dahyabhai af6090
#	targeted - Only targeted network daemons are protected.
Nalin Dahyabhai af6090
#	strict - Full SELinux protection.
Nalin Dahyabhai af6090
#	mls - Multi Level Security protection.
Nalin Dahyabhai af6090
SELINUXTYPE=targeted 
Nalin Dahyabhai af6090
# SETLOCALDEFS= Check local definition changes
Nalin Dahyabhai af6090
SETLOCALDEFS=0 
Nalin Dahyabhai af6090
Nalin Dahyabhai af6090
" > /etc/selinux/config
Nalin Dahyabhai af6090
Nalin Dahyabhai af6090
	ln -sf /etc/selinux/config /etc/sysconfig/selinux 
Nalin Dahyabhai af6090
	restorecon /etc/selinux/config 2> /dev/null
Nalin Dahyabhai af6090
else
Nalin Dahyabhai af6090
	# if first time update booleans.local needs to be copied to sandbox
Nalin Dahyabhai af6090
	[ -f /etc/selinux/%{polname1}/booleans.local ] && mv /etc/selinux/%{polname1}/booleans.local /etc/selinux/%{polname1}/modules/active/
Nalin Dahyabhai af6090
	[ -f /etc/selinux/%{polname1}/seusers ] && cp -f /etc/selinux/%{polname1}/seusers /etc/selinux/%{polname1}/modules/active/seusers
Nalin Dahyabhai af6090
	grep -q "^SETLOCALDEFS" /etc/selinux/config || echo -n "
Nalin Dahyabhai af6090
# SETLOCALDEFS= Check local definition changes
Nalin Dahyabhai af6090
SETLOCALDEFS=0 
Nalin Dahyabhai af6090
">> /etc/selinux/config
Nalin Dahyabhai af6090
fi
Nalin Dahyabhai af6090
%rebuildpolicy %{polname1}
Nalin Dahyabhai af6090
%relabel %{polname1}
Nalin Dahyabhai af6090
Nalin Dahyabhai af6090
%triggerpostun %{polname1} -- selinux-policy-%{polname1} <= 2.0.0
Nalin Dahyabhai af6090
%rebuildpolicy %{polname1}
Nalin Dahyabhai af6090
Daniel J Walsh 1580c8
%package %{polname2} 
Daniel J Walsh 1580c8
Summary: SELinux %{polname2} base policy
Daniel J Walsh 1580c8
Group: System Environment/Base
Daniel J Walsh 1580c8
Provides: selinux-policy-base
Daniel J Walsh be926a
Obsoletes: selinux-policy-%{polname2}-sources
Daniel J Walsh 1580c8
Daniel J Walsh 1580c8
%description %{polname2} 
Daniel J Walsh 1580c8
SELinux Reference policy %{polname2} base module.
Daniel J Walsh 1580c8
Daniel J Walsh 1580c8
%pre %{polname2} 
Daniel J Walsh 1580c8
%saveFileContext %{polname2}
Daniel J Walsh 1580c8
Daniel J Walsh 1580c8
%post %{polname2} 
Daniel J Walsh 1580c8
%rebuildpolicy %{polname2} 
Daniel J Walsh d77f56
%relabel %{polname2}
Daniel J Walsh 1580c8
Daniel J Walsh 1580c8
%triggerpostun %{polname2} -- %{polname2} <= 2.0.0
Daniel J Walsh 1580c8
%{rebuildpolicy} %{polname2} 
Daniel J Walsh 1580c8
Daniel J Walsh 1580c8
%files %{polname2}
Daniel J Walsh d77f56
%fileList %{polname2}
Daniel J Walsh 3e930b
Daniel J Walsh d77f56
%if 0
Daniel J Walsh 3e930b
%package %{polname3} 
Daniel J Walsh 3e930b
Summary: SELinux %{polname3} base policy
Daniel J Walsh 3e930b
Group: System Environment/Base
Daniel J Walsh 3e930b
Provides: selinux-policy-base
Daniel J Walsh 3e930b
Obsoletes: selinux-policy-%{polname3}-sources
Daniel J Walsh 3e930b
Daniel J Walsh 3e930b
%description %{polname3} 
Daniel J Walsh 3e930b
SELinux Reference policy %{polname3} base module.
Daniel J Walsh 3e930b
Daniel J Walsh 3e930b
%pre %{polname3} 
Daniel J Walsh 3e930b
%saveFileContext %{polname3}
Daniel J Walsh 3e930b
Daniel J Walsh 3e930b
%post %{polname3} 
Daniel J Walsh 3e930b
%rebuildpolicy %{polname3} 
Daniel J Walsh d77f56
%relabel %{polname3}
Daniel J Walsh 3e930b
Daniel J Walsh 3e930b
%triggerpostun %{polname3} -- %{polname3} <= 2.0.0
Daniel J Walsh 3e930b
%{rebuildpolicy} %{polname3} 
Daniel J Walsh 3e930b
Daniel J Walsh 3e930b
%files %{polname3}
Daniel J Walsh d77f56
#%#fileList %{polname3}
Daniel J Walsh d77f56
%endif
Daniel J Walsh 3e930b
Daniel J Walsh 3e930b
Daniel J Walsh 1580c8
%changelog
Daniel J Walsh c1b022
* Wed Nov 23 2003 Dan Walsh <dwalsh@redhat.com> 2.0.5-4
Daniel J Walsh 21dea1
- Cleanup pegasus and named 
Daniel J Walsh 21dea1
- Fix spec file
Daniel J Walsh c1b022
- Fix up passwd changing applications
Daniel J Walsh 21dea1
Daniel J Walsh e38dc4
* Tue Nov 21 2003 Dan Walsh <dwalsh@redhat.com> 2.0.5-1
Daniel J Walsh e38dc4
-Update to latest from upstream
Daniel J Walsh e38dc4
Daniel J Walsh b33f08
* Tue Nov 21 2003 Dan Walsh <dwalsh@redhat.com> 2.0.4-1
Daniel J Walsh 765f81
- Add rules for pegasus and avahi
Daniel J Walsh 765f81
Daniel J Walsh a32f66
* Mon Nov 21 2003 Dan Walsh <dwalsh@redhat.com> 2.0.2-2
Daniel J Walsh a32f66
- Start building MLS Policy
Daniel J Walsh a32f66
Daniel J Walsh 1a0a25
* Fri Nov 18 2003 Dan Walsh <dwalsh@redhat.com> 2.0.2-1
Daniel J Walsh 1a0a25
- Update to upstream
Daniel J Walsh 1a0a25
Daniel J Walsh 205d3f
* Wed Nov 9 2003 Dan Walsh <dwalsh@redhat.com> 2.0.1-2
Daniel J Walsh 205d3f
- Turn on bash
Daniel J Walsh 205d3f
Daniel J Walsh 205d3f
* Wed Nov 9 2003 Dan Walsh <dwalsh@redhat.com> 2.0.1-1
Daniel J Walsh 1580c8
- Initial version