From bce4ec2b6e77f4d9562f40d8dab39d711a197586 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Dec 20 2011 17:20:23 +0000
Subject: Update to handle labeling on /sys using systemd-tmpfiles, also support default_range transition rules
---
diff --git a/default_trans.patch b/default_trans.patch
index 231f341..b2dfb27 100644
--- a/default_trans.patch
+++ b/default_trans.patch
@@ -8,38 +8,3 @@ diff -up serefpolicy-3.10.0/policy/mcs.trans serefpolicy-3.10.0/policy/mcs
 #
 # Define sensitivities
 #
-diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index 26c13f2..2354089 100644
---- a/policy/modules/kernel/devices.fc
-+++ b/policy/modules/kernel/devices.fc
-@@ -205,6 +205,7 @@ ifdef(`distro_redhat',`
- # /sys
- #
- /sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
-+/sys/devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
- 
- /usr/lib/udev/devices(/.*)? gen_context(system_u:object_r:device_t,s0)
- /usr/lib/udev/devices/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
-diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 112bebb..8f727be 100644
---- a/policy/modules/kernel/devices.te
-+++ b/policy/modules/kernel/devices.te
-@@ -226,8 +226,8 @@ fs_type(sysfs_t)
- genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
- 
- type cpu_online_t;
--allow cpu_online_t sysfs_t:filesystem associate;
--genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
-+files_type(cpu_online_t)
-+dev_associate_sysfs(cpu_online_t)
- 
- #
- # Type for /dev/tpm
-diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc
-index 7be4ddf..f7021a0 100644
---- a/policy/modules/kernel/kernel.fc
-+++ b/policy/modules/kernel/kernel.fc
-@@ -1 +1,2 @@
--# This module currently does not have any file contexts.
-+
-+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
diff --git a/selinux-policy.conf b/selinux-policy.conf
new file mode 100644
index 0000000..f884d05
--- /dev/null
+++ b/selinux-policy.conf
@@ -0,0 +1,2 @@
+z /sys/devices/system/cpu/online - - -
+Z /sys/class/net - - -
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6b3082c..478f7d9 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -10,10 +10,9 @@
 %if %{?BUILD_MLS:0}%{!?BUILD_MLS:1}
 %define BUILD_MLS 1
 %endif
-%define POLICYVER 26
-%define libsepolver 2.0.44-2
-%define POLICYCOREUTILSVER 2.0.86-12
-%define CHECKPOLICYVER 2.1.5-2
+%define POLICYVER 27
+%define POLICYCOREUTILSVER 2.1.9-4
+%define CHECKPOLICYVER 2.1.7-2
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
@@ -23,8 +22,6 @@ Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
 patch: policy-F16.patch
 patch1: unconfined_permissive.patch
-patch2: thumb.patch
-patch3: default_trans.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
@@ -44,6 +41,7 @@ Source22: users-mls
 Source23: users-targeted
 Source25: users-minimum
 Source26: file_contexts.subs_dist
+Source27: selinux-policy.conf
 
 Url: http://oss.tresys.com/repos/refpolicy/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -74,6 +72,7 @@ SELinux Base package
 %{_usr}/share/selinux/devel/Makefile
 %{_usr}/share/selinux/devel/example.*
 %{_usr}/share/selinux/devel/policy.*
+%{_usr}/lib/tmpfiles.d/selinux-policy.conf
 
 %package doc
 Summary: SELinux policy documentation
@@ -239,8 +238,6 @@ Based off of reference policy: Checked out revision 2.20091117
 %setup -n serefpolicy-%{version} -q
 %patch -p1
 %patch1 -p1 -b .unconfined
-%patch2 -p1 -b .thumb
-#%patch3 -p1 -b .trans
 
 %install
 mkdir selinux_config
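Review bot: The new selinux-policy.conf carries no comment, so a reader of /usr/lib/tmpfiles.d cannot tell why a policy package relabels sysfs paths at boot or what the two entries depend on. A header such as `# Relabel sysfs nodes whose context comes from file_contexts rather than genfscon; the "- - -" fields leave mode, user and group alone` and, above the second line, `# Z is recursive: everything under /sys/class/net is relabeled` would document that. The `Z` entry only has an effect where the installed file_contexts has a matching pattern; the `/sys/class/net/ib.*` → sysctl_net_t rule is visible in this commit only in the text removed from default_trans.patch, so its new home is not shown here, and naming that fc entry in the comment would let a later maintainer check the pair stays in sync.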
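Review bot: `%define libsepolver 2.0.44-2` is removed in the `@@ -10,10 +10,9 @@` hunk without any visible change to a line that consumed it; if a `BuildRequires`/`Requires` line outside this hunk still references `%{libsepolver}`, rpm presumably leaves the undefined macro unexpanded and the dependency string becomes nonsense. Either confirm no `%{libsepolver}` use remains in the spec, or bump it the way `POLICYCOREUTILSVER` and `CHECKPOLICYVER` are bumped here rather than dropping it.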
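Review bot: `patch3: default_trans.patch` is removed in the `@@ -23,8 +22,6 @@` hunk (and its already commented-out `#%patch3 -p1 -b .trans` line in the `@@ -239,8 +238,6 @@` hunk), yet this same commit still edits default_trans.patch, which leaves a patch in the tree that the build never applies. If the default_range work now lives in policy-F16.patch, delete default_trans.patch in this commit as well, and likewise thumb.patch if nothing else references it; otherwise the subject's "support default_range transition rules" does not match what the spec actually builds.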
@@ -256,6 +253,8 @@ mkdir -p %{buildroot}%{_sysconfdir}/selinux
 mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
 touch %{buildroot}%{_sysconfdir}/selinux/config
 touch %{buildroot}%{_sysconfdir}/sysconfig/selinux
+mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/
+cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/
 
 # Always create policy module package directories
 mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,mls,minimum,modules}/
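Review bot: `cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/` installs the file with whatever mode the source file happened to have in the SRPM, masked by the build umask, so the packaged permissions are not pinned by the spec. Replace the two added lines with a single `install -D -m 0644 %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/selinux-policy.conf`, which creates the directory and fixes the mode in one step; the `%files` entry added in the `@@ -74,6 +72,7 @@` hunk then matches a deterministic 0644 file.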