From 36c356d432cbfba95a864a5187bb866ab02b413b Mon Sep 17 00:00:00 2001 From: Davide Cavalca Date: Apr 01 2021 01:09:16 +0000 Subject: Add selinux subpackage --- diff --git a/SOURCES/Makefile.selinux b/SOURCES/Makefile.selinux new file mode 100644 index 0000000..bc159a5 --- /dev/null +++ b/SOURCES/Makefile.selinux @@ -0,0 +1,16 @@ +TARGETS ?= systemd_hs +SHARE ?= /usr/share +MODULES ?= ${TARGETS:=.pp.bz2} + +all: ${TARGETS:=.pp.bz2} + +%.pp.bz2: %.pp + @echo Compressing $^ -\ $@ + bzip2 -9 $^ + +%.pp: %.te + make -f ${SHARE}/selinux/devel/Makefile $@ + +clean: + rm -f *~ *.tc *.pp *.pp.bz2 + rm -rf tmp diff --git a/SOURCES/systemd_hs.te b/SOURCES/systemd_hs.te new file mode 100644 index 0000000..5498233 --- /dev/null +++ b/SOURCES/systemd_hs.te @@ -0,0 +1,39 @@ +policy_module(systemd_hs,0.0.1) + +# systemd overrides for 247 +gen_require(` + type avahi_t; + type init_t; + type init_var_run_t; + type kmsg_device_t; + type policykit_auth_t; + type policykit_t; + type proc_kmsg_t; + type system_dbusd_t; + type systemd_hostnamed_t; + type systemd_localed_t; + type systemd_logind_t; + type systemd_machined_t; + type security_t; + type syslogd_t; + type user_tmp_t; + type xdm_t; +') + +allow avahi_t init_var_run_t:dir read; +allow init_t kmsg_device_t:chr_file mounton; +allow init_t proc_kmsg_t:file { getattr mounton }; +allow init_t systemd_machined_t:unix_stream_socket connectto; +allow policykit_auth_t init_var_run_t:dir read; +allow policykit_auth_t systemd_machined_t:unix_stream_socket connectto; +allow policykit_t systemd_machined_t:unix_stream_socket connectto; +allow syslogd_t user_tmp_t:lnk_file read; +allow system_dbusd_t systemd_machined_t:unix_stream_socket connectto; +allow systemd_hostnamed_t security_t:file map; +allow systemd_localed_t security_t:file map; +allow systemd_logind_t self:netlink_selinux_socket create; +allow systemd_logind_t self:netlink_selinux_socket bind; +allow systemd_logind_t security_t:file map; +allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto; +allow systemd_machined_t init_var_run_t:sock_file create; +allow xdm_t systemd_machined_t:unix_stream_socket connectto; diff --git a/SPECS/systemd.spec b/SPECS/systemd.spec index 859e47d..b45e60c 100644 --- a/SPECS/systemd.spec +++ b/SPECS/systemd.spec @@ -17,11 +17,16 @@ %bcond_with bootstrap %bcond_without tests %bcond_with lto +%if 0%{?facebook} +%bcond_with selinux +%else +%bcond_without selinux +%endif Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd Version: 247.3 -Release: 4%{?dist} +Release: 5%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -57,6 +62,10 @@ Source22: sysusers.attr Source23: sysusers.prov Source24: sysusers.generate-pre.sh +# Needed for selinux subpackage +Source100: Makefile.selinux +Source101: systemd_hs.te + %if 0 GIT_DIR=../../src/systemd/.git git format-patch-ab --no-signature -M -N v235..v235-stable i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done|xclip @@ -195,6 +204,11 @@ Recommends: libpwquality.so.1()(64bit) Recommends: libpwquality.so.1(LIBPWQUALITY_1.0)(64bit) Recommends: libqrencode.so.4()(64bit) +%if %{with selinux} +# Force the SELinux module to be installed +Requires: %{name}-selinux = %{version}-%{release} +%endif + %description systemd is a system and service manager that runs as PID 1 and starts the rest of the system. It provides aggressive parallelization @@ -345,9 +359,33 @@ License: LGPLv2+ "Installed tests" that are usually run as part of the build system. They can be useful to test systemd internals. +%if %{with selinux} +%package selinux +Summary: SELinux module for systemd +BuildArch: noarch +BuildRequires: bzip2 +BuildRequires: make +BuildRequires: selinux-policy +BuildRequires: selinux-policy-devel +Requires(post): selinux-policy-base >= %{_selinux_policy_version} +Requires(post): policycoreutils +Requires(post): policycoreutils-python-utils +Requires(pre): libselinux-utils +Requires(post): libselinux-utils + +%description selinux +This package provides the SELinux policy module to ensure systemd +runs properly under an environment with SELinux enabled. +%endif + %prep %autosetup -n %{?commit:%{name}%{?stable:-stable}-%{commit}}%{!?commit:%{name}%{?stable:-stable}-%{github_version}} -p1 +%if %{with selinux} +mkdir selinux +cp %SOURCE100 %SOURCE101 selinux +%endif + %build %define ntpvendor %(source /etc/os-release; echo ${ID}) %{!?ntpvendor: echo 'NTP vendor zone is not set!'; exit 1} @@ -457,6 +495,11 @@ export LC_ALL=en_US.UTF-8 %meson "${CONFIGURE_OPTS[@]}" %meson_build +%if %{with selinux} +cd selinux +%{__make} -f Makefile.selinux SHARE="%{_datadir}" TARGETS="systemd_hs" +%endif + %install export LANG=en_US.UTF-8 export LC_ALL=en_US.UTF-8 @@ -592,6 +635,13 @@ python3 %{SOURCE2} %buildroot < - 247.3-5 +- Add selinux subpackage + * Wed Mar 17 2021 Anita Zhang - 247.3-4 - Backport PR #18955 (Fixes fstab parsing) - FB only backport PR #18886 (systemd-shutdown logs to /dev/console not stderr)