diff --git a/macro-expander.sh b/macro-expander.sh new file mode 100755 index 0000000..61bd347 --- /dev/null +++ b/macro-expander.sh @@ -0,0 +1,81 @@ +#!/bin/bash + +function usage { + echo "Usage: $0 [ -c | -t [ -M ] ] " + echo "Options: + -c generate CIL output + -t generate standard policy source format (.te) allow rules - this is default + -M generate complete module .te output +" +} + +function cleanup { + rm -rf $TEMP_STORE +} + +while getopts "chMt" opt; do + case $opt in + c) GENCIL=1 + ;; + t) GENTE=1 + ;; + M) GENTEMODULE=1 + ;; + h) usage + exit 0 + ;; + \?) usage + exit 1 + ;; + esac +done + +shift $((OPTIND-1)) + +SELINUX_MACRO=$1 + +if [ -z "$SELINUX_MACRO" ] +then + exit 1 +fi + +TEMP_STORE="$(mktemp -d)" +cd $TEMP_STORE + +IFS="(" +set $1 +SELINUX_DOMAIN="${2::-1}" + +echo -e "policy_module(expander, 1.0.0) \n" \ + "gen_require(\`\n" \ + "type $SELINUX_DOMAIN ; \n" \ + "')" > expander.te + +echo "$SELINUX_MACRO" >> expander.te + +make -f /usr/share/selinux/devel/Makefile tmp/all_interfaces.conf &> /dev/null + +if [ "x$GENCIL" = "x1" ]; then + + make -f /usr/share/selinux/devel/Makefile expander.pp &> /dev/null + MAKE_RESULT=$? + + if [ $MAKE_RESULT -ne 2 ] + then + /usr/libexec/selinux/hll/pp < $TEMP_STORE/expander.pp > $TEMP_STORE/expander.cil 2> /dev/null + grep -v "cil_gen_require" $TEMP_STORE/expander.cil | sort -u + fi +fi + +if [ "$GENTE" = "1" -o "x$GENCIL" != "x1" ]; then + m4 -D enable_mcs -D distro_redhat -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024 -s /usr/share/selinux/devel/include/support/file_patterns.spt /usr/share/selinux/devel/include/support/ipc_patterns.spt /usr/share/selinux/devel/include/support/obj_perm_sets.spt /usr/share/selinux/devel/include/support/misc_patterns.spt /usr/share/selinux/devel/include/support/misc_macros.spt /usr/share/selinux/devel/include/support/all_perms.spt /usr/share/selinux/devel/include/support/mls_mcs_macros.spt /usr/share/selinux/devel/include/support/loadable_module.spt tmp/all_interfaces.conf expander.te > expander.tmp 2> /dev/null + if [ "x$GENTEMODULE" = "x1" ]; then + # sed '/^#.*$/d;/^\s*$/d;/^\s*class .*/d;/^\s*category .*/d;s/^\s*//' expander.tmp + sed '/^#.*$/d;/^\s*$/d;/^\s*category .*/d;s/^\s*//' expander.tmp + else + grep '^\s*allow' expander.tmp | sed 's/^\s*//' + fi +fi + +cd - > /dev/null +cleanup diff --git a/selinux-policy.spec b/selinux-policy.spec index 138d794..02c2d63 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -57,6 +57,7 @@ Source26: file_contexts.subs_dist Source27: selinux-policy.conf Source28: permissivedomains.cil Source30: booleans.subs_dist +Source33: macro-expander Source35: container-selinux.tgz @@ -134,6 +135,7 @@ Requires(post): policycoreutils-devel >= %{POLICYCOREUTILSVER} SELinux policy development and man page package %files devel +%{_bindir}/macro-expander %dir %{_usr}/share/selinux/devel %dir %{_usr}/share/selinux/devel/include %{_usr}/share/selinux/devel/include/* @@ -363,6 +365,8 @@ touch %{buildroot}%{_sysconfdir}/selinux/config touch %{buildroot}%{_sysconfdir}/sysconfig/selinux mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/ cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/ +mkdir -p %{buildroot}%{_bindir} +cp %{SOURCE33} %{buildroot}%{_bindir}/ # Always create policy module package directories mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,mls,minimum,modules}/