From 44bfe0775626f78c5a6667d29009759cc2f2a2e7104ba5a4d715c9e09311d378 Mon Sep 17 00:00:00 2001 From: Johannes Segitz Date: Mon, 10 Aug 2020 12:35:50 +0000 Subject: [PATCH] Accepting request 824841 from home:kukuk:selinux - Cleanup spec file and follow more closely Fedora - Label /sys/kernel/uevent_helper with tmpfiles.d/selinux-policy.conf - Move config to /etc/selinux/config and create during %post install to be compatible with upstream and documentation. - Add RPM macros for SELinux (macros.selinux-policy) - Install booleans.subs_dist - Remove unused macros - Sync make/install macros with Fedora spec file - Introduce sandbox sub-package OBS-URL: https://build.opensuse.org/request/show/824841 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=79 --- macros.selinux-policy | 182 +++++++++++++ selinux-policy.changes | 13 + selinux-policy.conf | 1 + selinux-policy.spec | 540 ++++++++++++++++++++++----------------- selinux-policy.sysconfig | 11 - 5 files changed, 502 insertions(+), 245 deletions(-) create mode 100644 macros.selinux-policy delete mode 100644 selinux-policy.sysconfig diff --git a/macros.selinux-policy b/macros.selinux-policy new file mode 100644 index 0000000..4a21d1e --- /dev/null +++ b/macros.selinux-policy 
@@ -0,0 +1,182 @@
+# Copyright (C) 2017 Red Hat, Inc. All rights reserved.
+#
+# Author: Petr Lautrbach
+# Author: Lukáš Vrabec
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# RPM macros for packages installing SELinux modules
+
+%_selinux_policy_version SELINUXPOLICYVERSION
+
+%_selinux_store_path SELINUXSTOREPATH
+%_selinux_store_policy_path %{_selinux_store_path}/${_policytype}
+
+%_file_context_file %{_sysconfdir}/selinux/${SELINUXTYPE}/contexts/files/file_contexts
+%_file_context_file_pre %{_localstatedir}/lib/rpm-state/file_contexts.pre
+
+%_file_custom_defined_booleans %{_selinux_store_policy_path}/rpmbooleans.custom
+%_file_custom_defined_booleans_tmp %{_selinux_store_policy_path}/rpmbooleans.custom.tmp
+
+# %selinux_requires
+%selinux_requires \
+Requires: selinux-policy >= %{_selinux_policy_version} \
+BuildRequires: pkgconfig(systemd) \
+BuildRequires: selinux-policy \
+BuildRequires: selinux-policy-devel \
+Requires(post): selinux-policy-base >= %{_selinux_policy_version} \
+Requires(post): libselinux-utils \
+Requires(post): policycoreutils \
+%if 0%{?fedora} || 0%{?rhel} > 7 || 0%{suse_version} > 1500\
+Requires(post): policycoreutils-python-utils \
+%else \
+Requires(post): policycoreutils-python \
+%endif \
+%{nil}
+
+# %selinux_modules_install [-s ] [-p ] module [module]...
+%selinux_modules_install("s:p:") \
+if [ -e /etc/selinux/config ]; then \
+ . 
/etc/selinux/config \
+fi \
+_policytype=%{-s*} \
+if [ -z "${_policytype}" ]; then \
+ _policytype="targeted" \
+fi \
+if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+ %{_sbindir}/semodule -n -s ${_policytype} -X %{!-p:200}%{-p*} -i %* || : \
+ %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
+fi \
+%{nil}
+
+# %selinux_modules_uninstall [-s ] [-p ] module [module]...
+%selinux_modules_uninstall("s:p:") \
+if [ -e /etc/selinux/config ]; then \
+ . /etc/selinux/config \
+fi \
+_policytype=%{-s*} \
+if [ -z "${_policytype}" ]; then \
+ _policytype="targeted" \
+fi \
+if [ $1 -eq 0 ]; then \
+ if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+ %{_sbindir}/semodule -n -X %{!-p:200}%{-p*} -s ${_policytype} -r %* &> /dev/null || : \
+ %{_sbindir}/selinuxenabled && %{_sbindir}/load_policy || : \
+ fi \
+fi \
+%{nil}
+
+# %selinux_relabel_pre [-s ]
+%selinux_relabel_pre("s:") \
+if %{_sbindir}/selinuxenabled; then \
+ if [ -e /etc/selinux/config ]; then \
+ . /etc/selinux/config \
+ fi \
+ _policytype=%{-s*} \
+ if [ -z "${_policytype}" ]; then \
+ _policytype="targeted" \
+ fi \
+ if [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+ [ -f %{_file_context_file_pre} ] || cp -f %{_file_context_file} %{_file_context_file_pre} \
+ fi \
+fi \
+%{nil}
+
+
+# %selinux_relabel_post [-s ]
+%selinux_relabel_post("s:") \
+if [ -e /etc/selinux/config ]; then \
+ . /etc/selinux/config \
+fi \
+_policytype=%{-s*} \
+if [ -z "${_policytype}" ]; then \
+ _policytype="targeted" \
+fi \
+if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+ if [ -f %{_file_context_file_pre} ]; then \
+ %{_sbindir}/fixfiles -C %{_file_context_file_pre} restore &> /dev/null \
+ rm -f %{_file_context_file_pre} \
+ fi \
+fi \
+%{nil}
+
+# %selinux_set_booleans [-s ] boolean [boolean]...
+%selinux_set_booleans("s:") \
+if [ -e /etc/selinux/config ]; then \
+ . 
/etc/selinux/config \
+fi \
+_policytype=%{-s*} \
+if [ -z "${_policytype}" ]; then \
+ _policytype="targeted" \
+fi \
+if [ -d "%{_selinux_store_policy_path}" ]; then \
+ LOCAL_MODIFICATIONS=$(%{_sbindir}/semanage boolean -E) \
+ if [ ! -f %_file_custom_defined_booleans ]; then \
+ /bin/echo "# This file is managed by macros.selinux-policy. Do not edit it manually" > %_file_custom_defined_booleans \
+ fi \
+ semanage_import='' \
+ for boolean in %*; do \
+ boolean_name=${boolean%=*} \
+ boolean_value=${boolean#*=} \
+ boolean_local_string=$(grep "$boolean_name\$" <<<$LOCAL_MODIFICATIONS) \
+ if [ -n "$boolean_local_string" ]; then \
+ semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
+ boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
+ if [ -n "$boolean_customized_string" ]; then \
+ /bin/echo $boolean_customized_string >> %_file_custom_defined_booleans \
+ else \
+ /bin/echo $boolean_local_string >> %_file_custom_defined_booleans \
+ fi \
+ else \
+ semanage_import="${semanage_import}\\nboolean -m -$boolean_value $boolean_name" \
+ boolean_default_value=$(LC_ALL=C %{_sbindir}/semanage boolean -l | grep "^$boolean_name " | sed 's/[^(]*([^,]*, *\\(on\\|off\\).*/\\1/') \
+ /bin/echo "boolean -m --$boolean_default_value $boolean_name" >> %_file_custom_defined_booleans \
+ fi \
+ done; \
+ if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+ /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
+ elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \
+ /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \
+ fi \
+fi \
+%{nil}
+
+# %selinux_unset_booleans [-s ] boolean [boolean]...
+%selinux_unset_booleans("s:") \
+if [ -e /etc/selinux/config ]; then \
+ . 
/etc/selinux/config \
+fi \
+_policytype=%{-s*} \
+if [ -z "${_policytype}" ]; then \
+ _policytype="targeted" \
+fi \
+if [ -d "%{_selinux_store_policy_path}" ]; then \
+ semanage_import='' \
+ for boolean in %*; do \
+ boolean_name=${boolean%=*} \
+ boolean_customized_string=$(grep "$boolean_name\$" %_file_custom_defined_booleans | tail -n 1) \
+ if [ -n "$boolean_customized_string" ]; then \
+ awk "/$boolean_customized_string/ && !f{f=1; next} 1" %_file_custom_defined_booleans > %_file_custom_defined_booleans_tmp && mv %_file_custom_defined_booleans_tmp %_file_custom_defined_booleans \
+ if ! grep -q "$boolean_name\$" %_file_custom_defined_booleans; then \
+ semanage_import="${semanage_import}\\n${boolean_customized_string}" \
+ fi \
+ fi \
+ done; \
+ if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then \
+ /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" \
+ elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \
+ /bin/echo -e "$semanage_import" | %{_sbindir}/semanage import -S "${_policytype}" -N \
+ fi \
+fi \
+%{nil}
diff --git a/selinux-policy.changes b/selinux-policy.changes
index d94dbec..5764214 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Wed Aug 5 11:29:05 UTC 2020 - Thorsten Kukuk
+
+- Cleanup spec file and follow more closely Fedora
+- Label /sys/kernel/uevent_helper with tmpfiles.d/selinux-policy.conf
+- Move config to /etc/selinux/config and create during %post install
+ to be compatible with upstream and documentation.
+- Add RPM macros for SELinux (macros.selinux-policy)
+- Install booleans.subs_dist
+- Remove unused macros
+- Sync make/install macros with Fedora spec file
+- Introduce sandbox sub-package
+
 -------------------------------------------------------------------
 Wed Jul 29 13:47:57 UTC 2020 - Thorsten Kukuk
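Review bot: In `%selinux_set_booleans` and `%selinux_unset_booleans` the fallback branch reads `elif test -d /usr/share/selinux/"${_policytype}"/base.lst; then \`, but base.lst is installed as a regular file (`%{_datadir}/selinux/%1/base.lst` in this patch's fileList), so `-d` is never true and the `semanage import ... -N` path for a disabled SELinux or a non-active policy type can never run; it should be `elif test -f /usr/share/selinux/"${_policytype}"/base.lst; then \`. The `grep "$boolean_name\$"` lookups in the same two macros anchor only the end of the line, so a boolean whose name is a suffix of another boolean's name also matches the other entry; presumably each record ends with a space and the name, so `grep " $boolean_name\$"` would disambiguate, but that depends on the `semanage boolean -E` output format, which is not shown here. In `%selinux_modules_install`, `semodule ... -i %* || :` and `load_policy || :` swallow every failure, so a module that did not install or a policy that did not load leaves no trace in the transaction output; at least `|| echo "selinux: semodule -i %* failed" >&2` would make the condition visible in the install log without changing the scriptlet's exit status.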
diff --git a/selinux-policy.conf b/selinux-policy.conf
index 0aaca6b..9c7256f 100644
--- a/selinux-policy.conf
+++ b/selinux-policy.conf
@@ -1,2 +1,3 @@
 z /sys/devices/system/cpu/online - - -
 Z /sys/class/net - - -
+z /sys/kernel/uevent_helper - - -
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 830e92c..36dad51 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -15,12 +15,6 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #

-
-#Compat macro for new _fillupdir macro introduced in Nov 2017
-%if ! %{defined _fillupdir}
- %define _fillupdir /var/adm/fillup-templates
-%endif
-
 # TODO: This turns on distro-specific policies.
 # There are almost no SUSE specific modifications available in the policy, so we utilize the
 # ones used by redhat and include also the SUSE specific ones (see sed statement below)
@@ -28,7 +22,6 @@
 %define ubac n
 %define polyinstatiate n
 %define monolithic n
-%define BUILD_DOC 1
 %define BUILD_TARGETED 1
 %define BUILD_MINIMUM 1
 %define BUILD_MLS 1
@@ -36,32 +29,6 @@
 %define POLICYCOREUTILSVER %(rpm -q --qf %%{version} policycoreutils)
 %define CHECKPOLICYVER %POLICYCOREUTILSVER

-%define coreutils_ge() %{lua: if (rpm.vercmp(rpm.expand("%POLICYCOREUTILSVER"), rpm.expand("%1")) >= 0) then print "1" else print "0" end }
-
-# macros calling module_store have to be defined using global, not define, and
-# "lazy" evaluation
-%global module_store() %{_localstatedir}/lib/selinux/%%{1}
-%global policy_prio 100
-%global module_dir active/modules/%{policy_prio}
-%global module_disabled() %{module_store %%{1}}/active/modules/disabled/%%{2}
-
-%global install_pp() \
- (cd %{buildroot}/%{_usr}/share/selinux/%1/ \
- /usr/sbin/semodule -s %%{1} -X %{policy_prio} -n -p %{buildroot} -i *.pp \
- rm -f *pp*);
-
-# FixMe 170315: None of these exist any more. Are they necessary?
-%global files_base_pp() %nil
-%global touch_file_contexts() touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local
-%global files_file_contexts() %nil
-%global mkdir_other() \
- %{__mkdir} -p %{buildroot}%{module_store %%1}/active/modules/disabled
-%global files_other() \
- %dir %{module_store %%1}/active/modules \
- %dir %{module_store %%1}/active/modules/disabled \
- %{module_disabled %%1 sandbox}
-%global files_dot_bin() %nil
-
 Summary: SELinux policy configuration
 License: GPL-2.0-or-later
 Group: System/Management
@@ -69,6 +36,7 @@
 Name: selinux-policy
 Version: 20200717
 Release: 0
 Source: fedora-policy.%{version}.tar.bz2
+Source1: selinux-policy-rpmlintrc
 Source10: modules-targeted-base.conf
 Source11: modules-targeted-contrib.conf
@@ -81,6 +49,7 @@
 Source18: modules-minimum-disable.lst
 Source20: booleans-targeted.conf
 Source21: booleans-mls.conf
 Source22: booleans-minimum.conf
+Source23: booleans.subs_dist
 Source30: setrans-targeted.conf
 Source31: setrans-mls.conf
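Review bot: `Source1: selinux-policy-rpmlintrc` registers a file that is already listed as `Source90: selinux-policy-rpmlintrc` (left unchanged in the following hunk), so the same rpmlintrc appears under two source numbers. Keep exactly one; if Source1 is the slot kept for alignment with Fedora, remove `Source90: selinux-policy-rpmlintrc` in the same change so the source list stays unambiguous.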
@@ -95,13 +64,13 @@ Source51: users-mls Source52: users-minimum Source60: selinux-policy.conf -Source61: selinux-policy.sysconfig Source90: selinux-policy-rpmlintrc Source91: Makefile.devel Source92: customizable_types #Source93: config.tgz Source94: file_contexts.subs_dist +Source95: https://raw.githubusercontent.com/fedora-selinux/selinux-policy-macros/master/macros.selinux-policy Source120: packagekit.te Source121: packagekit.if @@ -166,9 +135,6 @@ Patch100: sedoctool.patch Url: https://github.com/fedora-selinux/selinux-policy.git BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch -BuildRequires: %fillup_prereq -BuildRequires: %insserv_prereq -BuildRequires: bzip2 BuildRequires: checkpolicy BuildRequires: gawk BuildRequires: libxml2-tools 
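Review bot: `Source95:` points at `.../selinux-policy-macros/master/macros.selinux-policy`, a moving branch head, so the URL does not say which upstream revision the packaged macros.selinux-policy corresponds to and cannot be used later to re-verify the file. Pin it to a tag or commit, `Source95: https://raw.githubusercontent.com/fedora-selinux/selinux-policy-macros/<UPSTREAM_COMMIT>/macros.selinux-policy` (placeholder for the real revision), and add a comment noting that %install rewrites SELINUXPOLICYVERSION and SELINUXSTOREPATH in the installed copy, so any byte comparison with upstream has to be made against the source file rather than the installed one.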
@@ -184,86 +150,70 @@ Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} Requires(pre): pam-config Requires(post): pam-config Requires(post): selinux-tools -Requires(post): /bin/awk /usr/bin/sha512sum +Requires(post): /usr/bin/sha512sum Recommends: audit Recommends: selinux-tools # for audit2allow Recommends: python3-policycoreutils Recommends: policycoreutils-python-utils -%global makeConfig() \ -make %{?_smp_mflags} UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \ -make %{?_smp_mflags} UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 conf \ +%define common_params DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 + +%define makeCmds() \ +%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare \ +%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf \ cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \ cp -f selinux_config/users-%1 ./policy/users \ -cp -f selinux_config/modules-%1-base.conf ./policy/modules-base.conf \ -cp -f selinux_config/modules-%1-base.conf ./policy/modules.conf \ -if [ "%5" = "contrib" ];then \ - cp selinux_config/modules-%1-%5.conf ./policy/modules-contrib.conf; \ - cat selinux_config/modules-%1-%5.conf >> ./policy/modules.conf; \ +#cp -f selinux_config/modules-%1-base.conf ./policy/modules.conf \ + +%define makeModulesConf() \ +cp -f selinux_config/modules-%1-%2.conf ./policy/modules-base.conf \ +cp -f selinux_config/modules-%1-%2.conf ./policy/modules.conf \ +if [ %3 == "contrib" ];then \ + cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \ + cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \ fi; \ -%global installCmds() \ -make %{?_smp_mflags} UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 
MCS_CATS=1024 base.pp \ -make %{?_smp_mflags} validate UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 modules \ -make %{?_smp_mflags} UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \ -mkdir -p %{buildroot}/var/lib/selinux/%1 \ -/usr/sbin/semodule -s %%1 -n -B -p %{buildroot}; \ -%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/logins \ -%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/policy \ -%{__mkdir} -p %{buildroot}/%{module_store %%{1}}/%{module_dir} \ -%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/contexts/files \ -%{mkdir_other %%1} \ -touch %{buildroot}/%{module_store %%{1}}/semanage.read.LOCK \ -touch %{buildroot}/%{module_store %%{1}}/semanage.trans.LOCK \ -rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/booleans \ +%define installCmds() \ +%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \ +%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 validate modules \ +make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install \ +make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install-appconfig \ +make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="%{_sbindir}/semodule -p %{buildroot} -X 100 " load \ +%{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ -%{touch_file_contexts %%1} \ install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \ install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \ install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \ install -m0644 selinux_config/customizable_types 
%{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \ -touch %{buildroot}%{module_store %%{1}}/active/seusers \ -touch %{buildroot}%{module_store %%{1}}/active/nodes.local \ -touch %{buildroot}%{module_store %%{1}}/active/users_extra.local \ -touch %{buildroot}%{module_store %%{1}}/active/users.local \ -%install_pp %%1 \ -touch %{buildroot}%{module_disabled %%1 sandbox} \ -/usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.* | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \ +touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \ +touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \ +touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \ +cp %{SOURCE23} %{buildroot}%{_sysconfdir}/selinux/%1 \ +rm -f %{buildroot}%{_datadir}/selinux/%1/*pp* \ +%{_bindir}/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.* | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \ +rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \ +rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \ %nil -%global fileList() \ +%define fileList() \ %defattr(-,root,root) \ -%dir %{_usr}/share/selinux/%1 \ -%{_usr}/share/selinux/%1/* \ %dir %{_sysconfdir}/selinux/%1 \ %config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \ %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \ %dir %{_sysconfdir}/selinux/%1/logins \ -%dir %{module_store %%{1}} \ -%verify(not md5 size mtime) %{module_store %%{1}}/semanage.read.LOCK \ -%verify(not md5 size mtime) %{module_store %%{1}}/semanage.trans.LOCK \ -%dir %attr(700,root,root) %dir %{module_store %%{1}}/active \ -%dir %{module_store %%{1}}/%{module_dir} \ -%verify(not md5 size mtime) %{module_store %%{1}}/active/policy.kern \ -%verify(not md5 size mtime) 
%{module_store %%{1}}/active/commit_num \ -%{files_base_pp %%1} \ -%verify(not md5 size mtime) %{module_store %%{1}}/active/file_contexts \ -%{files_file_contexts %%1} \ -%{files_other %%1} \ -%config(noreplace) %verify(not md5 size mtime) %{module_store %%{1}}/active/users_extra \ -%verify(not md5 size mtime) %{module_store %%{1}}/active/homedir_template \ -%{module_store %%{1}}/%{module_dir}/* \ -%ghost %{module_store %%{1}}/active/*.local \ -%{module_store %%{1}}/active/*.linked \ -%{module_store %%{1}}/active/*.homedirs \ -%{files_dot_bin %%1} \ -%ghost %{module_store %%{1}}/active/seusers \ +%dir %{_sharedstatedir}/selinux/%1/active \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.read.LOCK \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \ +%dir %attr(700,root,root) %{_sharedstatedir}/selinux/%1/active/modules \ +%dir %{_sharedstatedir}/selinux/%1/active/modules/100 \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \ %dir %{_sysconfdir}/selinux/%1/policy/ \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.* \ %{_sysconfdir}/selinux/%1/.policy.sha512 \ %dir %{_sysconfdir}/selinux/%1/contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/x_contexts \ 
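Review bot: In the new `%makeModulesConf`, `if [ %3 == "contrib" ];then \` drops the quotes the removed `%makeConfig` kept around its argument and uses `==`, which is a bash extension to `[`; if the macro is ever expanded with fewer than three arguments the test emits an error instead of evaluating to false. Write it as `if [ "%3" = "contrib" ]; then \`. In `%fileList`, `customizable_types` moves from `%config(noreplace)` to `%config`, so an administrator's edited list is replaced on upgrade (the old copy survives only as .rpmsave); if that is deliberate to follow Fedora, a one-line comment beside the entry would stop the next reader from treating it as a regression. `%fileList` continues past the end of this hunk.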
@@ -271,101 +221,169 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \ %config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \ %config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/openssh_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/snapperd_contexts \ -%config %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/customizable_types \ %dir %{_sysconfdir}/selinux/%1/contexts/files \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \ +%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \ -%ghost %{_sysconfdir}/selinux/%1/contexts/files/*.bin \ +%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs.bin \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \ +%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \ +%{_sysconfdir}/selinux/%1/booleans.subs_dist \ %config %{_sysconfdir}/selinux/%1/contexts/files/media \ %dir %{_sysconfdir}/selinux/%1/contexts/users \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/* 
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/root \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \ +%dir %{_datadir}/selinux/%1 \ +%{_datadir}/selinux/%1/base.lst \ +%{_datadir}/selinux/%1/modules-base.lst \ +%{_datadir}/selinux/%1/modules-contrib.lst \ +%{_datadir}/selinux/%1/nonbasemodules.lst \ +%dir %{_sharedstatedir}/selinux/%1 \ +%{_sharedstatedir}/selinux/%1/active/commit_num \ +%{_sharedstatedir}/selinux/%1/active/users_extra \ +%{_sharedstatedir}/selinux/%1/active/homedir_template \ +%{_sharedstatedir}/selinux/%1/active/seusers \ +%{_sharedstatedir}/selinux/%1/active/file_contexts \ +%{_sharedstatedir}/selinux/%1/active/policy.kern \ +%ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \ +%ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \ +%ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \ +%nil %define relabel() \ . %{_sysconfdir}/selinux/config; \ FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ if selinuxenabled; then \ if [ $? 
= 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \ - /sbin/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; \ + %{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; \ rm -f ${FILE_CONTEXT}.pre; \ fi; \ - /sbin/restorecon -e /run/media -R /root /var/log /var/run %{_sysconfdir}/passwd* %{_sysconfdir}/group* %{_sysconfdir}/*shadow* 2> /dev/null; \ - /sbin/restorecon -R /home/*/.cache /home/*/.config 2> /dev/null || true; \ + if /sbin/restorecon -e /run/media -R /root /var/log /var/run %{_sysconfdir}/passwd* %{_sysconfdir}/group* %{_sysconfdir}/*shadow* 2> /dev/null;then \ + continue; \ + fi; \ fi; -%global preInstall() \ +%define preInstall() \ if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \ - . %{_sysconfdir}/selinux/config; \ - FILE_CONTEXT=%{_sysconfdir}/selinux/%%1/contexts/files/file_contexts; \ - if [ "${SELINUXTYPE}" = %%1 -a -f ${FILE_CONTEXT} ]; then \ - [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \ - fi; \ - touch %{_sysconfdir}/selinux/%%1/.rebuild; \ - if [ -e %{_sysconfdir}/selinux/%%1/.policy.sha512 ]; then \ - sha512=`sha512sum %{module_store %%{1}}/active/policy.kern | cut -d ' ' -f 1`; \ - checksha512=`cat %{_sysconfdir}/selinux/%%1/.policy.sha512`; \ - if [ "$sha512" = "$checksha512" ] ; then \ - rm %{_sysconfdir}/selinux/%%1/.rebuild; \ - fi; \ - fi; \ + . 
%{_sysconfdir}/selinux/config; \ + FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ + if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \ + [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \ + fi; \ + touch %{_sysconfdir}/selinux/%1/.rebuild; \ + if [ -e %{_sysconfdir}/selinux/%1/.policy.sha512 ]; then \ + POLICY_FILE=`ls %{_sysconfdir}/selinux/%1/policy/policy.* | sort | head -1` \ + sha512=`sha512sum $POLICY_FILE | cut -d ' ' -f 1`; \ + checksha512=`cat %{_sysconfdir}/selinux/%1/.policy.sha512`; \ + if [ "$sha512" == "$checksha512" ] ; then \ + rm %{_sysconfdir}/selinux/%1/.rebuild; \ + fi; \ + fi; \ fi; -%global postInstall() \ +%define postInstall() \ . %{_sysconfdir}/selinux/config; \ if [ -e %{_sysconfdir}/selinux/%%2/.rebuild ]; then \ rm %{_sysconfdir}/selinux/%%2/.rebuild; \ /usr/sbin/semodule -B -n -s %%2; \ -else \ - touch %{module_disabled %%2 sandbox} \ fi; \ -if [ "${SELINUXTYPE}" = "%2" ]; then \ +if [ -n "${TRANSACTIONAL_UPDATE}" ]; then \ + touch /etc/selinux/.autorelabel \ +else \ + if [ "${SELINUXTYPE}" = "%2" ]; then \ + if selinuxenabled; then \ + load_policy; \ + else \ + # probably a first install of the policy \ + true; \ + fi; \ + fi; \ if selinuxenabled; then \ - load_policy; \ + if [ %1 -eq 1 ]; then \ + /sbin/restorecon -R /root /var/log /run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \ + else \ + %relabel %2 \ + fi; \ else \ - # probably a first install of the policy \ - true; \ + # run fixfiles on next boot \ + touch /.autorelabel \ fi; \ -fi; \ -if selinuxenabled; then \ - if [ %1 -eq 1 ]; then \ - /sbin/restorecon -R /root /var/log /var/run 2> /dev/null; \ - else \ - %relabel %2 \ - fi; \ -else \ - # run fixfiles on next boot \ - touch /.autorelabel \ fi; %define modulesList() \ -awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst \ +awk '$1 !~ "/^#/" && $2 == "=" && $3 
== "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/modules-base.lst \ +awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \ if [ -e ./policy/modules-contrib.conf ];then \ -awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst; \ + awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst; \ fi; +%define nonBaseModulesList() \ +contrib_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst` \ +base_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-base.lst` \ +for i in $contrib_modules $base_modules; do \ + if [ $i != "sandbox" ];then \ + echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst \ + fi; \ +done; + +%description +SELinux Reference Policy. A complete SELinux policy that can be used +as the system policy for a variety of systems and used as the basis for +creating other policies. + %files %defattr(-,root,root,-) %doc COPYING -%dir %{_usr}/share/selinux +%dir %{_datadir}/selinux +%dir %{_datadir}/selinux/packages %dir %{_sysconfdir}/selinux %ghost %config(noreplace) %{_sysconfdir}/selinux/config -%{_fillupdir}/sysconfig.%{name} -%{_usr}/lib/tmpfiles.d/selinux-policy.conf +#%ghost %{_sysconfdir}/sysconfig/selinux-policy +%{_tmpfilesdir}/selinux-policy.conf +%{_rpmconfigdir}/macros.d/macros.selinux-policy -%description -SELinux Reference Policy. A complete SELinux policy that can be used as the system policy for a variety of -systems and used as the basis for creating other policies. 
+%package sandbox +Summary: SELinux policy sandbox +Requires(pre): selinux-policy-targeted = %{version}-%{release} + +%description sandbox +SELinux sandbox policy used for the policycoreutils-sandbox package + +%files sandbox +%verify(not md5 size mtime) %{_datadir}/selinux/packages/sandbox.pp + +%post sandbox +rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null +rm -f %{_sharedstatedir}/selinux/*/active/modules/disabled/sandbox 2>/dev/null +%{_sbindir}/semodule -n -X 100 -i %{_datadir}/selinux/packages/sandbox.pp +if %{_sbindir}/selinuxenabled ; then + %{_sbindir}/load_policy +fi; +exit 0 + +%preun sandbox +if [ $1 -eq 0 ] ; then + %{_sbindir}/semodule -n -d sandbox 2>/dev/null + if %{_sbindir}/selinuxenabled ; then + %{_sbindir}/load_policy + fi; +fi; +exit 0 %prep %setup -n fedora-policy 
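Review bot: In `%relabel`, the new `if /sbin/restorecon ... 2> /dev/null;then continue; fi;` is a no-op wrapper: `continue` is not inside a loop, so the shell only reports that it is meaningful in a loop, and the restorecon exit status is discarded exactly as before. Replace the three lines with a single call, `%{_sbindir}/restorecon -e /run/media -R /root /var/log /var/run %{_sysconfdir}/passwd* %{_sysconfdir}/group* %{_sysconfdir}/*shadow* 2> /dev/null || :; \`, which also matches the `%{_sbindir}/fixfiles` path used two lines above. The new `%post sandbox` ends with `exit 0`, so a failing `%{_sbindir}/semodule -n -X 100 -i %{_datadir}/selinux/packages/sandbox.pp` leaves the package installed with no sandbox module and nothing in the transaction output; appending `|| echo "sandbox: semodule -i failed" >&2` keeps the exit status but makes the condition visible. The new `POLICY_FILE=` line in `%preInstall` parses `ls` output to pick a policy file; `set -- %{_sysconfdir}/selinux/%1/policy/policy.*` followed by `POLICY_FILE=$1` avoids that without changing which file is chosen when only one exists.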
@@ -424,18 +442,30 @@ find . -type f -exec sed -i -e "s/distro_suse/distro_redhat/" \{\} \; %build %install +mkdir -p %{buildroot}%{_sysconfdir}/selinux +touch %{buildroot}%{_sysconfdir}/selinux/config +#mkdir -p %{buildroot}%{_sysconfdir}/sysconfig +#touch %{buildroot}%{_sysconfdir}/sysconfig/selinux-policy +mkdir -p %{buildroot}%{_tmpfilesdir} +cp %{SOURCE60} %{buildroot}%{_tmpfilesdir} + +# Adjust and install RPM macro file +mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d +install -m 644 %{SOURCE95} %{buildroot}%{_rpmconfigdir}/macros.d/ +sed -i 's|SELINUXPOLICYVERSION|%{version}-%{release}|' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy +sed -i 's|SELINUXSTOREPATH|%{_sharedstatedir}/selinux|' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy + +# Always create policy module package directories +mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/ +mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/ + +mkdir -p %{buildroot}%{_datadir}/selinux/packages + + mkdir selinux_config for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE50} %{SOURCE51} %{SOURCE52} %{SOURCE91} %{SOURCE92} %{SOURCE94};do cp $i selinux_config done -#tar zxvf selinux_config/config.tgz -%{__rm} -fR %{buildroot} -mkdir -p %{buildroot}%{_sysconfdir}/selinux -mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/ -cp %{SOURCE60} %{buildroot}%{_usr}/lib/tmpfiles.d/ - -# Always create policy module package directories -mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,mls,minimum,modules}/ for i in %{SOURCE120} %{SOURCE121} %{SOURCE122} %{SOURCE123} %{SOURCE124} %{SOURCE125} %{SOURCE126} %{SOURCE127} %{SOURCE128}; do cp $i policy/modules/contrib 
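Review bot: Two commented-out lines, `#mkdir -p %{buildroot}%{_sysconfdir}/sysconfig` and `#touch %{buildroot}%{_sysconfdir}/sysconfig/selinux-policy`, are left in %install (with a matching `#%ghost %{_sysconfdir}/sysconfig/selinux-policy` in %files); since the configuration moved to /etc/selinux/config in this commit, drop them or add a comment saying why they are kept. The `touch %{buildroot}%{_sysconfdir}/selinux/config` line creates an empty file that %files marks `%ghost %config(noreplace)`; a comment such as `# placeholder only: the real file is written by %post` would record that intent — assuming %post does write it, which the commit message states but this hunk does not show. `cp %{SOURCE60} %{buildroot}%{_tmpfilesdir}` could use `install -m 644` like the macro file a few lines below, so the tmpfiles.d fragment's mode does not depend on the permissions of the source checkout.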
@@ -443,75 +473,114 @@ done make clean %if %{BUILD_TARGETED} -%makeConfig targeted mcs n deny contrib -%installCmds targeted mcs n allow +%makeCmds targeted mcs allow +%makeModulesConf targeted base contrib +%installCmds targeted mcs allow +# recreate sandbox.pp +rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox +%make_build %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs sandbox.pp +mv sandbox.pp %{buildroot}%{_datadir}/selinux/packages/sandbox.pp %modulesList targeted -%endif - -%if %{BUILD_MLS} -%makeConfig mls mls n deny contrib -%installCmds mls mls n deny -%modulesList mls +%nonBaseModulesList targeted %endif %if %{BUILD_MINIMUM} -%makeConfig minimum mcs n deny contrib -%installCmds minimum mcs n allow -install -m0644 %{SOURCE18} %{buildroot}/usr/share/selinux/minimum/modules-minimum-disable.lst \ +%makeCmds minimum mcs allow +%makeModulesConf targeted base contrib +%installCmds minimum mcs allow +install -m0644 %{SOURCE18} %{buildroot}%{_datadir}/selinux/minimum/modules-minimum-disable.lst +# Sandbox is only targeted +rm -f %{buildroot}%{_sysconfdir}/selinux/minimum/modules/active/modules/sandbox.pp +rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox %modulesList minimum +%nonBaseModulesList minimum %endif +%if %{BUILD_MLS} +%makeCmds mls mls deny +%makeModulesConf mls base contrib +%installCmds mls mls deny +%modulesList mls +%nonBaseModulesList mls +%endif # Install devel mkdir -p %{buildroot}%{_mandir} cp -R man/* %{buildroot}%{_mandir} -make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-docs -make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=%{ubac} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-headers -mkdir %{buildroot}%{_usr}/share/selinux/devel/ 
-mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include -chmod +x %{buildroot}%{_usr}/share/selinux/devel/include/support/segenxml.py -install -m 644 selinux_config/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile -install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/ -install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/ - -rm -rf selinux_config -# fillup sysconfig -mkdir -p %{buildroot}%{_fillupdir} -cp %{SOURCE61} %{buildroot}%{_fillupdir}/sysconfig.%{name} - -%clean +make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-docs +make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-headers +mkdir %{buildroot}%{_datadir}/selinux/devel/ +mv %{buildroot}%{_datadir}/selinux/targeted/include %{buildroot}%{_datadir}/selinux/devel/include +install -m 644 selinux_config/Makefile.devel %{buildroot}%{_datadir}/selinux/devel/Makefile +install -m 644 doc/example.* %{buildroot}%{_datadir}/selinux/devel/ +install -m 644 doc/policy.* %{buildroot}%{_datadir}/selinux/devel/ +#XXX what's missing for html? +#%{_bindir}/sepolicy manpage -a -p %{buildroot}%{_datadir}/man/man8/ -w -r %{buildroot} +#mkdir %{buildroot}%{_datadir}/selinux/devel/html +#mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel/html +#mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html %post -%{fillup_only} if [ ! -s %{_sysconfdir}/selinux/config ]; then - # new install - ln -sf %{_sysconfdir}/sysconfig/selinux-policy %{_sysconfdir}/selinux/config - restorecon %{_sysconfdir}/selinux/config 2> /dev/null || : -else - . 
%{_sysconfdir}/sysconfig/selinux-policy - # if first time update booleans.local needs to be copied to sandbox - [ -f %{_sysconfdir}/selinux/${SELINUXTYPE}/booleans.local ] && mv %{_sysconfdir}/selinux/${SELINUXTYPE}/booleans.local %{module_store targeted}/active/ - [ -f %{_sysconfdir}/selinux/${SELINUXTYPE}/seusers ] && cp -f %{_sysconfdir}/selinux/${SELINUXTYPE}/seusers %{module_store ${SELINUXTYPE}}/active/seusers + # new install, use old sysconfig file if that exists, + # else create new one. + if [ -f %{_sysconfdir}/sysconfig/selinux-policy ]; then + mv %{_sysconfdir}/sysconfig/selinux-policy %{_sysconfdir}/selinux/config + else + # XXX right default for SELINUXTYPE? + echo " +# This file controls the state of SELinux on the system. +# SELINUX= can take one of these three values: +# enforcing - SELinux security policy is enforced. +# permissive - SELinux prints warnings instead of enforcing. +# disabled - No SELinux policy is loaded. +SELINUX=disabled +# SELINUXTYPE= can take one of these three values: +# targeted - Targeted processes are protected, +# minimum - Modification of targeted policy. Only selected processes are protected. +# mls - Multi Level Security protection. 
+SELINUXTYPE=targeted + +" > %{_sysconfdir}/selinux/config + fi + ln -sf ../selinux/config %{_sysconfdir}/sysconfig/selinux-policy + %{_sbindir}/restorecon %{_sysconfdir}/selinux/config 2> /dev/null || : fi %tmpfiles_create %_tmpfilesdir/selinux-policy.conf -if [ $1 -eq 1 ]; then +if [ $1 -eq 1 ]; then pam-config -a --selinux fi exit 0 -%global post_un() \ -# disable selinux if we uninstall a policy \ +%define post_un() \ +# disable selinux if we uninstall a policy and it's the used one \ if [ $1 -eq 0 ]; then \ - setenforce 0 2> /dev/null \ if [ -s %{_sysconfdir}/selinux/config ]; then \ - sed -i --follow-symlinks 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config \ + source %{_sysconfdir}/selinux/config &> /dev/null || true \ + fi \ + if [ "$SELINUXTYPE" = "$2" ]; then \ + %{_sbindir}/setenforce 0 2> /dev/null \ + if [ -s %{_sysconfdir}/selinux/config ]; then \ + sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config \ + else \ + echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config \ + fi \ fi \ pam-config -d --selinux \ fi \ exit 0 %postun -%post_un $1 +if [ $1 = 0 ]; then + %{_sbindir}/setenforce 0 2> /dev/null + if [ ! -s %{_sysconfdir}/selinux/config ]; then + echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config + else + sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config + fi +fi +exit 0 + %package devel Summary: SELinux policy devel 
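Review bot: In the `%if %{BUILD_MINIMUM}` block the new `%makeModulesConf targeted base contrib` names the targeted policy while the surrounding `%makeCmds minimum mcs allow` / `%installCmds minimum mcs allow` and the mls block each pass their own type, so the minimum modules.conf is apparently generated for the wrong store; it should read `%makeModulesConf minimum base contrib`. The new `%post` does not handle `%{_sysconfdir}/selinux/config` still being the symlink to `%{_sysconfdir}/sysconfig/selinux-policy` that the removed code created: a dangling one passes `! -s`, the `echo … >` writes through it and the following `ln -sf` turns the pair into a symlink loop, while an intact one is skipped and later replaced by a regular file by the `sed -i` in `%post_un` (which lost `--follow-symlinks`), leaving the two files to diverge; materialising it first, e.g. `if [ -L %{_sysconfdir}/selinux/config ]; then cat %{_sysconfdir}/selinux/config > %{_sysconfdir}/selinux/config.new 2>/dev/null; mv -f %{_sysconfdir}/selinux/config.new %{_sysconfdir}/selinux/config; fi`, avoids both cases. In `%define post_un()`, `source %{_sysconfdir}/selinux/config &> /dev/null || true` executes the configuration file as shell just to read one key, and `source`/`&>` are bash-only in a scriptlet that rpm runs with /bin/sh; `SELINUXTYPE=$(sed -n 's/^SELINUXTYPE=//p' %{_sysconfdir}/selinux/config 2>/dev/null)` reads the value without executing the file.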
@@ -526,12 +595,12 @@ SELinux policy development and man page package %files devel %defattr(-,root,root,-) -%doc /usr/share/man/ru/man8/* -%dir %{_usr}/share/selinux/devel -%dir %{_usr}/share/selinux/devel/include -%{_usr}/share/selinux/devel/include/* -%{_usr}/share/selinux/devel/Makefile -%{_usr}/share/selinux/devel/example.* +%doc %{_datadir}/man/ru/man8/* +%dir %{_datadir}/selinux/devel +%dir %{_datadir}/selinux/devel/include +%{_datadir}/selinux/devel/include/* +%{_datadir}/selinux/devel/Makefile +%{_datadir}/selinux/devel/example.* %package doc Summary: SELinux policy documentation @@ -544,15 +613,14 @@ SELinux policy documentation package %files doc %defattr(-,root,root,-) -%doc %{_usr}/share/doc/%{name}-%{version} -%{_usr}/share/selinux/devel/policy.* +%doc %{_datadir}/doc/%{name} +%{_datadir}/selinux/devel/policy.* %if %{BUILD_TARGETED} %package targeted Summary: SELinux targeted base policy Group: System/Management Provides: selinux-policy-base = %{version}-%{release} -Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} Requires(pre): coreutils Requires(pre): selinux-policy = %{version}-%{release} Requires: selinux-policy = %{version}-%{release} @@ -567,12 +635,13 @@ SELinux Reference policy targeted base module. %postInstall $1 targeted exit 0 -%files targeted -%defattr(-,root,root,-) -%fileList targeted - %postun targeted -%post_un $1 +%post_un $1 targeted + +%files targeted -f %{buildroot}%{_datadir}/selinux/targeted/nonbasemodules.lst +%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u +%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u +%fileList targeted %endif %if %{BUILD_MINIMUM} 
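Review bot: The removal of `Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}` from the targeted subpackage (second hunk on this line) leaves it with no dependency on the package providing `semodule`, while the same commit gives the minimum subpackage `Requires(post): policycoreutils >= %{POLICYCOREUTILSVER}` and the new `%post_un $1 targeted` (third hunk) calls `%{_sbindir}/setenforce`; unless `%postInstall` (outside the hunk) no longer invokes those tools, targeted should carry `Requires(post): policycoreutils >= %{POLICYCOREUTILSVER}` for consistency with minimum, and `setenforce` may come from a separate package on some distributions. The first hunk and the devel/doc path changes are macro renames and need nothing further.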
@@ -580,11 +649,13 @@ exit 0 Summary: SELinux minimum base policy Group: System/Management Provides: selinux-policy-base = %{version}-%{release} -Requires(post): python3-policycoreutils >= %{POLICYCOREUTILSVER} +Requires(post): policycoreutils >= %{POLICYCOREUTILSVER} +Requires(post): policycoreutils-python-utils >= %{POLICYCOREUTILSVER} Requires(pre): coreutils +Requires(pre): /usr/bin/awk Requires(pre): selinux-policy = %{version}-%{release} Requires: selinux-policy = %{version}-%{release} -Conflicts: seedit + %description minimum SELinux Reference policy minimum base module. 
@@ -592,45 +663,47 @@ SELinux Reference policy minimum base module. %pre minimum %preInstall minimum if [ $1 -ne 1 ]; then - /usr/sbin/semodule -s minimum -l 2>/dev/null | awk '{ if ($3 != "Disabled") print $1; }' > /usr/share/selinux/minimum/instmodules.lst + %{_sbindir}/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > %{_datadir}/selinux/minimum/instmodules.lst fi %post minimum -contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst` -basepackages=`cat /usr/share/selinux/minimum/modules-base.lst` -mkdir -p /var/lib/selinux/minimum/active/modules/disabled 2>/dev/null +contribpackages=`cat %{_datadir}/selinux/minimum/modules-contrib.lst` +basepackages=`cat %{_datadir}/selinux/minimum/modules-base.lst` +mkdir -p %{_sharedstatedir}/selinux/minimum/active/modules/disabled 2>/dev/null if [ $1 -eq 1 ]; then -for p in $contribpackages; do - touch /var/lib/selinux/minimum/active/modules/disabled/$p -done -for p in $basepackages snapper dbus kerberos nscd rpm rtkit; do - rm -f /var/lib/selinux/minimum/active/modules/disabled/$p -done -/usr/sbin/semanage import -S minimum -f - << __eof + for p in $contribpackages; do + touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p + done + for p in $basepackages snapper dbus kerberos nscd rpm rtkit; do + rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p + done + %{_sbindir}/semanage import -S minimum -f - << __eof login -m -s unconfined_u -r s0-s0:c0.c1023 __default__ login -m -s unconfined_u -r s0-s0:c0.c1023 root __eof -/sbin/restorecon -R /root /var/log /var/run 2> /dev/null -/usr/sbin/semodule -B -s minimum + /sbin/restorecon -R /root /var/log /var/run 2> /dev/null + %{_sbindir}/semodule -B -s minimum else -instpackages=`cat /usr/share/selinux/minimum/instmodules.lst` -for p in $contribpackages; do - touch /var/lib/selinux/minimum/active/modules/disabled/$p -done -for p in $instpackages snapper dbus kerberos nscd rtkit; do - rm -f 
/var/lib/selinux/minimum/active/modules/disabled/$p -done -/usr/sbin/semodule -B -s minimum -%relabel minimum + instpackages=`cat %{_datadir}/selinux/minimum/instmodules.lst` + for p in $contribpackages; do + touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p + done + for p in $instpackages snapper dbus kerberos nscd rtkit; do + rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p + done + %{_sbindir}/semodule -B -s minimum + %relabel minimum fi exit 0 -%files minimum -%defattr(-,root,root,-) -%fileList minimum - %postun minimum -%post_un $1 +%post_un $1 minimum + +%files minimum -f %{buildroot}%{_datadir}/selinux/minimum/nonbasemodules.lst +%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u +%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u +%{_datadir}/selinux/minimum/modules-minimum-disable.lst +%fileList minimum %endif %if %{BUILD_MLS} @@ -644,7 +717,6 @@ Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} Requires(pre): coreutils Requires(pre): selinux-policy = %{version}-%{release} Requires: selinux-policy = %{version}-%{release} -Conflicts: seedit %description mls SELinux Reference policy mls base module. @@ -655,12 +727,12 @@ SELinux Reference policy mls base module. %post mls %postInstall $1 mls -%files mls -%defattr(-,root,root,-) -%fileList mls - %postun mls -%post_un $1 +%post_un $1 mls + +%files mls -f %{buildroot}%{_datadir}/selinux/mls/nonbasemodules.lst +%config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u +%fileList mls %endif %changelog diff --git a/selinux-policy.sysconfig b/selinux-policy.sysconfig deleted file mode 100644 index 92a2945..0000000 --- a/selinux-policy.sysconfig +++ /dev/null 
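Review bot: `/sbin/restorecon -R /root /var/log /var/run 2> /dev/null` in `%post minimum` keeps a hard-coded path although the neighbouring `semodule`/`semanage` calls in this hunk were switched to `%{_sbindir}/…` and the main `%post` uses `%{_sbindir}/restorecon`; it should become `%{_sbindir}/restorecon -R /root /var/log /var/run 2> /dev/null`. The backtick reads of the module lists could be written as `contribpackages=$(cat %{_datadir}/selinux/minimum/modules-contrib.lst)` and likewise for the other two, which is easier to read in an already indented scriptlet. The `%pre minimum` pipeline dropped the old `2>/dev/null`, so a failing `semodule --list-modules=full` now surfaces its error, but it still produces an empty instmodules.lst, after which the upgrade branch of `%post minimum` re-enables only the hard-coded `snapper dbus kerberos nscd rtkit` modules; a guard such as `[ -s %{_datadir}/selinux/minimum/instmodules.lst ] || echo "warning: could not list installed modules" >&2` would make that outcome visible. This hunk begins on the previous line; the `@@ -644` and `@@ -655` hunks that follow are dependency and file-list adjustments that need nothing further.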
@@ -1,11 +0,0 @@ -# This file controls the state of SELinux on the system. -# SELINUX= can take one of these three values: -# enforcing - SELinux security policy is enforced. -# permissive - SELinux prints warnings instead of enforcing. -# disabled - No SELinux policy is loaded. -SELINUX=disabled -# SELINUXTYPE= can take one of these two values: -# targeted - Targeted processes are protected, -# mls - Multi Level Security protection. -# minimum - Modification of targeted policy. Only selected processes are protected. -SELINUXTYPE=minimum