From a345bb5a250d7d745d1e1c9e9bd2c0b9c711d013 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Jul 15 2015 12:26:46 +0000 Subject: Prepare selinux-policy package for SELinux store migration --- diff --git a/selinux-policy.spec b/selinux-policy.spec index cfcbbbf..841af6d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -14,12 +14,12 @@ %define BUILD_MLS 1 %endif %define POLICYVER 29 -%define POLICYCOREUTILSVER 2.1.14-74 -%define CHECKPOLICYVER 2.1.12-3 +%define POLICYCOREUTILSVER 2.4-0 +%define CHECKPOLICYVER 2.4-0 Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 137%{?dist} +Release: 137%{?dist}.1 License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -95,6 +95,7 @@ SELinux sandbox policy used for the policycoreutils-sandbox package %post sandbox rm -f /etc/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null +rm -f %{_sharedstatedir}/selinux/*/active/modules/disabled/sandbox 2>/dev/null semodule -n -i /usr/share/selinux/packages/sandbox.pp if /usr/sbin/selinuxenabled ; then /usr/sbin/load_policy 
@@ -170,37 +171,21 @@ make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOL make validate UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" modules \ make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \ make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install-appconfig \ +make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 SEMODULE="semodule -p %{buildroot} -X 100 " load \ %{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/logins \ -%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/policy \ -%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules \ -%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/contexts/files \ -touch %{buildroot}/%{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \ -touch %{buildroot}/%{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \ -rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/booleans \ -touch %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \ install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \ install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \ install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \ -touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/seusers \ -touch 
%{buildroot}%{_sysconfdir}/selinux/%1/modules/active/file_contexts.local \ -touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/nodes.local \ -touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/users_extra.local \ -touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/users.local \ -touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/file_contexts.homedirs.bin \ -touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/file_contexts.bin \ +touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \ +touch %{buildroot}%{_sysconfdir}/selinux/%1/file_contexts.homedirs.bin \ +touch %{buildroot}%{_sysconfdir}/selinux/%1/file_contexts.bin \ cp %{SOURCE30} %{buildroot}%{_sysconfdir}/selinux/%1 \ -bzip2 -c %{buildroot}/%{_usr}/share/selinux/%1/base.pp > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/base.pp \ -rm -f %{buildroot}/%{_usr}/share/selinux/%1/base.pp \ -for i in %{buildroot}/%{_usr}/share/selinux/%1/*.pp; do bzip2 -c $i > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules/`basename $i`; done \ rm -f %{buildroot}/%{_usr}/share/selinux/%1/*pp* \ -mkdir -p %{buildroot}%{_usr}/share/selinux/packages \ -/usr/sbin/semodule -s %1 -n -B -p %{buildroot}; \ /usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \ -ln -sf /etc/selinux/%1/policy/policy.%{POLICYVER} %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \ %nil %define fileList() \ 
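Review bot: The module priority 100 is hard-coded in `SEMODULE="semodule -p %{buildroot} -X 100 " load` here and repeated as a path component in the `%fileList` entry `active/modules/100/base`, in `%nonBaseModulesList`, in the two `rm -rf .../active/modules/100/sandbox` lines of `%install` and in the `%triggerpostun` test; if any one of them drifts the package silently ships, or deletes, the wrong store directory. Define it once near `POLICYVER`, e.g. `%define MODULE_PRIORITY 100`, and write `-X %{MODULE_PRIORITY}` and `active/modules/%{MODULE_PRIORITY}/` everywhere. The surviving context line `rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \` is now a no-op, since nothing left in this macro creates `modules/active`, and can go with the other removed lines. The `%installCmds` macro definition starts before this hunk.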
@@ -210,24 +195,12 @@ ln -sf /etc/selinux/%1/policy/policy.%{POLICYVER} %{buildroot}%{_sysconfdir}/se %config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \ %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \ %dir %{_sysconfdir}/selinux/%1/logins \ -%dir %{_sysconfdir}/selinux/%1/modules \ -%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \ -%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \ -%dir %attr(700,root,root) %dir %{_sysconfdir}/selinux/%1/modules/active \ -%dir %{_sysconfdir}/selinux/%1/modules/active/modules \ -%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/commit_num \ -%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/base.pp \ -%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/file_contexts \ -%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/file_contexts.homedirs \ -%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/file_contexts.template \ -%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/seusers.final \ -%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/netfilter_contexts \ -%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/users_extra \ -%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/homedir_template \ -%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/policy.kern \ -%ghost %{_sysconfdir}/selinux/%1/modules/active/*.local \ -%ghost %{_sysconfdir}/selinux/%1/modules/active/*.bin \ -%ghost %{_sysconfdir}/selinux/%1/modules/active/seusers \ +%dir %{_sharedstatedir}/selinux/%1/active \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.read.LOCK \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \ +%dir %attr(700,root,root) %dir %{_sharedstatedir}/selinux/%1/active/modules \ 
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \ +%ghost %{_sysconfdir}/selinux/%1/*.bin \ %dir %{_sysconfdir}/selinux/%1/policy/ \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \ %{_sysconfdir}/selinux/%1/.policy.sha512 \ @@ -250,9 +223,10 @@ ln -sf /etc/selinux/%1/policy/policy.%{POLICYVER} %{buildroot}%{_sysconfdir}/se %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \ %dir %{_sysconfdir}/selinux/%1/contexts/files \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \ -%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \ -%ghost %{_sysconfdir}/selinux/%1/contexts/files/*.bin \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \ +%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \ +%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs* \ +%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \ +# %ghost %{_sysconfdir}/selinux/%1/contexts/files/*.bin \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \ %{_sysconfdir}/selinux/%1/booleans.subs_dist \ 
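Review bot: The `%attr(700,root,root)` that the old tree applied to `modules/active` is applied here only to `active/modules`; the new `%dir %{_sharedstatedir}/selinux/%1/active` line above it, and the `active/commit_num` files added in the later `%files` hunks, fall back to `%defattr(-,root,root,-)`, so the store's working directory becomes listable by every local user unless libsemanage tightens it at commit time. If the 700 was meant for the store as a whole, put it on the parent: `%dir %attr(700,root,root) %{_sharedstatedir}/selinux/%1/active \`. The doubled `%dir %attr(...) %dir` is redundant and can be written once. A commented-out entry inside a `\`-continued macro body (`# %ghost %{_sysconfdir}/selinux/%1/contexts/files/*.bin \`, and likewise the two `# %verify ... permissivedomains` lines in the `%files targeted` and `%files minimum` hunks) is still macro-expanded by rpm and keeps a stale path alive; delete these rather than comment them. The `%fileList` macro definition starts before this hunk.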
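Review bot: `file_contexts.local` loses `%config(noreplace)` in this hunk: the packaged copy is the empty file `touch`ed in `%installCmds`, so on upgrade rpm replaces an administrator's locally generated file_contexts.local in place with no `.rpmsave`, and `%verify(not md5 size mtime)` only silences `rpm -V`, it does not preserve content. Unless a scriptlet rebuilds the file from `%{_sharedstatedir}/selinux/%1/active` after install (none is visible in this diff), keep the previous attribute: `%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \`. The hunk also packages `contexts/files/file_contexts.bin` as a regular file while `%installCmds` only `touch`es `file_contexts.bin` one level up and that one is ghosted; which of the two the store actually writes should be confirmed so the package does not ship a compiled-at-build cache that diverges from the text file it is derived from.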
@@ -312,18 +286,18 @@ else \ fi; %define modulesList() \ -awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst \ -awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s.pp ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/base.lst \ +awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst \ +awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/base.lst \ if [ -e ./policy/modules-contrib.conf ];then \ - awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp ", $1 }' ./policy/modules-contrib.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst; \ + awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst; \ fi; %define nonBaseModulesList() \ contrib_modules=`cat %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst` \ base_modules=`cat %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst` \ for i in $contrib_modules $base_modules; do \ - if [ $i != "sandbox.pp" ];then \ - echo "%verify(not md5 size mtime) /etc/selinux/%1/modules/active/modules/$i" >> %{buildroot}/%{_usr}/share/selinux/%1/nonbasemodules.lst \ + if [ $i != "sandbox" ];then \ + echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}/%{_usr}/share/selinux/%1/nonbasemodules.lst \ fi; \ done 
@@ -339,12 +313,13 @@ contrib_path=`pwd` refpolicy_path=`pwd` cp $contrib_path/* $refpolicy_path/policy/modules/contrib -%install mkdir selinux_config for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32};do cp $i selinux_config done tar zxvf selinux_config/config.tgz + +%install # Build targeted policy %{__rm} -fR %{buildroot} mkdir -p %{buildroot}%{_sysconfdir}/selinux @@ -356,18 +331,23 @@ cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/ # Always create policy module package directories mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,mls,minimum,modules}/ +mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/ + +mkdir -p %{buildroot}%{_usr}/share/selinux/packages # Install devel make clean %if %{BUILD_TARGETED} # Build targeted policy # Commented out because only targeted ref policy currently builds -mkdir -p %{buildroot}%{_usr}/share/selinux/targeted cp %{SOURCE28} %{buildroot}/%{_usr}/share/selinux/targeted %makeCmds targeted mcs n allow %makeModulesConf targeted base contrib %installCmds targeted mcs n allow -mv %{buildroot}/%{_sysconfdir}/selinux/targeted/modules/active/modules/sandbox.pp %{buildroot}/usr/share/selinux/packages +# recreate sandbox.pp +rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox +make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 sandbox.pp +mv sandbox.pp %{buildroot}/usr/share/selinux/packages/sandbox.pp %modulesList targeted %nonBaseModulesList targeted %endif 
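Review bot: The new `make ... sandbox.pp` line sits in the top-level `%install` body, not inside a parametric macro, so `%1`–`%4` have no arguments to expand to; rpm leaves undefined macros unexpanded, so make most likely receives `UNK_PERMS=%4 NAME=%1 TYPE=%2 ... DIRECT_INITRC=%3` and builds the module for a policy literally named `%1`. Use the values `%installCmds targeted mcs n allow` is invoked with: `make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 sandbox.pp`. The `mv` target on the next line spells `/usr/share/selinux/packages` literally where the `mkdir -p` earlier in this hunk uses `%{_usr}/share/selinux/packages`; keep one form so a non-default `_usr` does not split them.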
@@ -381,6 +361,7 @@ cp %{SOURCE28} %{buildroot}/%{_usr}/share/selinux/minimum %makeModulesConf targeted base contrib %installCmds minimum mcs n allow rm -f %{buildroot}/%{_sysconfdir}/selinux/minimum/modules/active/modules/sandbox.pp +rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox %modulesList minimum %nonBaseModulesList minimum %endif @@ -413,6 +394,7 @@ mv %{buildroot}%{_usr}/share/man/man8/style.css %{buildroot}%{_usr}/share/selinu mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d echo '%%_selinux_policy_version %{version}-%{release}' > %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy + rm -rf selinux_config %clean %{__rm} -fR %{buildroot} @@ -441,9 +423,6 @@ SELINUXTYPE=targeted restorecon /etc/selinux/config 2> /dev/null || : else . /etc/selinux/config - # if first time update booleans.local needs to be copied to sandbox - [ -f /etc/selinux/${SELINUXTYPE}/booleans.local ] && mv /etc/selinux/${SELINUXTYPE}/booleans.local /etc/selinux/targeted/modules/active/ - [ -f /etc/selinux/${SELINUXTYPE}/seusers ] && cp -f /etc/selinux/${SELINUXTYPE}/seusers /etc/selinux/${SELINUXTYPE}/modules/active/seusers fi exit 0 
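Review bot: The context line directly above the new `rm -rf`, `rm -f %{buildroot}/%{_sysconfdir}/selinux/minimum/modules/active/modules/sandbox.pp`, now points at a directory `%installCmds` no longer creates, so it is dead code next to `rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox`; drop it so the remaining line documents where sandbox actually lives. The targeted branch in the earlier hunk rebuilds and ships `sandbox.pp` after the same removal while minimum does not; if that asymmetry is intended, a one-line comment such as `# sandbox.pp is shipped only from the targeted build` keeps it from being read as an oversight.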
@@ -496,16 +475,30 @@ exit 0 restorecon -R -p /home exit 0 +%triggerpostun targeted -- selinux-policy-targeted < 3.13.1-137.1 +set -x +for i in `find /etc/selinux/targeted/modules/active/modules/ -name \*disabled`; do + module=`basename $i | sed 's/.pp.disabled//'` + if [ -d /var/lib/selinux/targeted/active/modules/100/$module ]; then + semodule -d $module + fi +done +for i in `find /etc/selinux/targeted/modules/active/modules/ -name \*.pp`; do + semodule -i $i +done +exit 0 + %files targeted -f %{buildroot}/%{_usr}/share/selinux/targeted/nonbasemodules.lst %defattr(-,root,root,-) %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u %fileList targeted -%verify(not md5 size mtime) %{_sysconfdir}/selinux/targeted/modules/active/modules/permissivedomains.pp +# %verify(not md5 size mtime) %{_sharedstatedir}/selinux/targeted/active/modules/100/permissivedomains %{_usr}/share/selinux/targeted/base.lst %{_usr}/share/selinux/targeted/modules-base.lst %{_usr}/share/selinux/targeted/modules-contrib.lst %{_usr}/share/selinux/targeted/nonbasemodules.lst +%{_sharedstatedir}/selinux/targeted/active/commit_num %endif %if %{BUILD_MINIMUM} @@ -562,11 +555,12 @@ exit 0 %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u %fileList minimum -%verify(not md5 size mtime) %{_sysconfdir}/selinux/minimum/modules/active/modules/permissivedomains.pp +# %verify(not md5 size mtime) %{_sysconfdir}/selinux/minimum/modules/active/modules/permissivedomains.pp %{_usr}/share/selinux/minimum/base.lst %{_usr}/share/selinux/minimum/modules-base.lst %{_usr}/share/selinux/minimum/modules-contrib.lst %{_usr}/share/selinux/minimum/nonbasemodules.lst +%{_sharedstatedir}/selinux/minimum/active/commit_num %endif %if %{BUILD_MLS} 
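Review bot: The `%triggerpostun` migration leaves `set -x` enabled, so every `semodule` invocation and legacy file name is traced to the console on each upgrade from an older targeted package; drop it, or print one explicit line per migrated module instead. The loops word-split backticked `find` output and pass `$i`/`$module` unquoted, `sed 's/.pp.disabled//'` has unescaped dots, and `semodule -i` runs once per module, each run rebuilding and reloading the policy; a quoted glob with one batched `semodule` call does the same work in a single rebuild. `set --` is safe in the rewrite because the scriptlet never reads its `$1`/`$2` arguments. The scriptlet is complete within this hunk.
```rpmspec
%triggerpostun targeted -- selinux-policy-targeted < 3.13.1-137.1
legacy=/etc/selinux/targeted/modules/active/modules
store=/var/lib/selinux/targeted/active/modules/100
for i in "$legacy"/*.pp.disabled; do
  [ -f "$i" ] || continue
  module=$(basename "$i" .pp.disabled)
  if [ -d "$store/$module" ]; then
    semodule -d "$module"
  fi
done
set --
for i in "$legacy"/*.pp; do
  [ -f "$i" ] || continue
  set -- "$@" -i "$i"
done
if [ $# -gt 0 ]; then
  semodule "$@"
fi
exit 0
```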
@@ -599,6 +593,7 @@ SELinux Reference policy mls base module. %{_usr}/share/selinux/mls/modules-base.lst %{_usr}/share/selinux/mls/modules-contrib.lst %{_usr}/share/selinux/mls/nonbasemodules.lst +%{_sharedstatedir}/selinux/mls/active/commit_num %endif %changelog