# # spec file for package selinux-policy # # Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # #Compat macro for new _fillupdir macro introduced in Nov 2017 %if ! %{defined _fillupdir} %define _fillupdir /var/adm/fillup-templates %endif # TODO: This turns on distro-specific policies. # There are almost no SUSE specific modifications available in the policy, so we utilize the # ones used by redhat and include also the SUSE specific ones (see sed statement below) %define distro redhat %define polyinstatiate n %define monolithic n %define BUILD_DOC 1 %define BUILD_TARGETED 1 %define BUILD_MINIMUM 1 %if 0%{suse_version} == 1315 && 0%{is_opensuse} == 0 %define BUILD_MLS 0 %else %define BUILD_MLS 1 %endif %if 0%{?suse_version} >= 1330 || ( 0%{?suse_version} == 1315 && 0%{?sle_version} >= 120200 ) %else %endif %define POLICYCOREUTILSVER %(rpm -q --qf %%{version} policycoreutils) %define CHECKPOLICYVER %POLICYCOREUTILSVER %define coreutils_ge() %{lua: if (rpm.vercmp(rpm.expand("%POLICYCOREUTILSVER"), rpm.expand("%1")) >= 0) then print "1" else print "0" end } # conditional stuff depending on policycoreutils version # See https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration %if %{coreutils_ge 2.5} # Policy version, see https://selinuxproject.org/page/NB_PolicyType#Policy_Versions # It depends on the kernel, but apparently more so on the libsemanage version. %define POLICYVER 30 # macros calling module_store have to be defined using global, not define, and # "lazy" evaluation %global module_store() %{_localstatedir}/lib/selinux/%%{1} %global policy_prio 100 %global module_dir active/modules/%{policy_prio} %global module_disabled() %{module_store %%{1}}/active/modules/disabled/%%{2} %global install_pp() \ (cd %{buildroot}/%{_usr}/share/selinux/%1/ \ /usr/sbin/semodule -s %%{1} -X %{policy_prio} -n -p %{buildroot} -i *.pp \ rm -f *pp*); # FixMe 170315: None of these exist any more. Are they necessary? %global files_base_pp() %nil %global touch_file_contexts() touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local %global files_file_contexts() %nil %global mkdir_other() \ %{__mkdir} -p %{buildroot}%{module_store %%1}/active/modules/disabled %global files_other() \ %dir %{module_store %%1}/active/modules \ %dir %{module_store %%1}/active/modules/disabled \ %{module_disabled %%1 sandbox} %global files_dot_bin() %nil %global rm_selinux_mod() rm -rf %%1 %else # Policy version, see https://selinuxproject.org/page/NB_PolicyType#Policy_Versions # It depends on the kernel, but apparently more so on the libsemanage version. %define POLICYVER 29 %global module_store() %{_sysconfdir}/selinux/%%{1}/modules %global module_dir active/modules %global module_disabled() %{module_store %%{1}}/active/modules/%%{2}.pp.disabled # FixMe 170315: Why is bzip2 used here rather than semodule -i? %global install_pp() \ (cd %{buildroot}/%{_usr}/share/selinux/%%1/ \ bzip2 -c base.pp > %{buildroot}/%{_sysconfdir}/selinux/%%1/modules/active/base.pp \ rm -f base.pp \ for i in *.pp; do \ bzip2 -c $i > %{buildroot}/%{_sysconfdir}/selinux/%%1/modules/active/modules/$i \ done \ rm -f *pp* ); # FixMe 170315: # Why is base.pp installed in a different path than other modules? # Requirement of policycoreutils 2.3 ?? %global files_base_pp() %verify(not md5 size mtime) %{module_store %%{1}}/active/base.pp # FixMe 170315: do we really need these? %global touch_file_contexts() \ touch %{buildroot}%{_sysconfdir}/selinux/%%1/modules/active/file_contexts.local \ touch %{buildroot}%{_sysconfdir}/selinux/%%1/modules/active/file_contexts.homedirs.bin \ touch %{buildroot}%{_sysconfdir}/selinux/%%1/modules/active/file_contexts.bin; %global mkdir_other() %nil # FixMe 170315: do we really need these? %global files_file_contexts() \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%%1/modules/active/file_contexts.homedirs \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%%1/modules/active/file_contexts.template # FixMe 170315: do we really need these? %global files_other() \ %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%%1/modules/active/seusers.final \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%%1/modules/active/netfilter_contexts %global files_dot_bin() %ghost %{module_store %%{1}}/active/*.bin %global rm_selinux_mod() rm -f %%{1}.pp %endif Summary: SELinux policy configuration License: GPL-2.0-or-later Group: System/Management Name: selinux-policy Version: 20140730 Release: 0 Source: serefpolicy-%{version}.tgz Source1: serefpolicy-contrib-%{version}.tgz Source10: modules-targeted-base.conf Source11: modules-targeted-contrib.conf Source12: modules-mls-base.conf Source13: modules-mls-contrib.conf #Source14: modules-minimum.conf Source20: booleans-targeted.conf Source21: booleans-mls.conf Source22: booleans-minimum.conf Source23: booleans.subs_dist Source30: setrans-targeted.conf Source31: setrans-mls.conf Source32: setrans-minimum.conf Source40: securetty_types-targeted Source41: securetty_types-mls Source42: securetty_types-minimum Source50: users-targeted Source51: users-mls Source52: users-minimum Source60: selinux-policy.conf Source61: selinux-policy.sysconfig Source90: selinux-policy-rpmlintrc Source91: Makefile.devel Source92: customizable_types Source93: config.tgz Source94: file_contexts.subs_dist # base policy patches Patch0001: policy-rawhide-base.patch # The following two patches are a workaround for 812055 Patch0002: type_transition_file_class.patch Patch0003: label_sysconfig.selinux-policy.patch Patch0004: sysconfig_network_scripts.patch Patch0005: allow-local_login_t-read-shadow.patch Patch0006: xconsole.patch Patch0007: useradd-netlink_selinux_socket.patch Patch0008: systemd-tmpfiles.patch Patch0009: label_var_run_rsyslog.patch Patch0010: suse_modifications_unconfined.patch Patch0011: suse_modifications_systemd.patch Patch0012: suse_modifications_unconfineduser.patch Patch0013: suse_modifications_selinuxutil.patch Patch0014: suse_modifications_logging.patch Patch0015: suse_modifications_getty.patch Patch0016: suse_modifications_authlogin.patch Patch0017: suse_modifications_xserver.patch Patch0018: suse_modifications_ssh.patch Patch0019: suse_modifications_usermanage.patch Patch0020: suse_modifications_unprivuser.patch Patch0021: dont_use_xmllint_in_make_conf.patch Patch0022: suse_modifications_staff.patch Patch0023: suse_modifications_ipsec.patch Patch0024: add-overlayfs-as-xattr-capable.patch # contrib patches Patch1000: policy-rawhide-contrib.patch Patch1001: type_transition_contrib.patch Patch1002: suse_modifications_virt.patch Patch1003: suse_modifications_dbus.patch Patch1004: suse_modifications_policykit.patch Patch1005: suse_modifications_postfix.patch Patch1006: suse_modifications_rtkit.patch Patch1007: suse_modifications_apache.patch Patch1008: suse_modifications_ntp.patch Patch1009: suse_modifications_cron.patch Patch1010: suse_additions_sslh.patch Patch1011: suse_additions_obs.patch Patch1012: suse_modifications_glusterfs.patch Patch1013: suse_modifications_passenger.patch Patch1014: suse_modifications_stapserver.patch Url: http://oss.tresys.com/repos/refpolicy/ BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch BuildRequires: %fillup_prereq BuildRequires: %insserv_prereq BuildRequires: bzip2 BuildRequires: checkpolicy BuildRequires: gawk BuildRequires: libxml2-tools BuildRequires: m4 BuildRequires: policycoreutils BuildRequires: policycoreutils-python BuildRequires: python BuildRequires: python-xml #BuildRequires: selinux-policy-devel # we need selinuxenabled Requires(post): selinux-tools Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} Requires(post): /bin/awk /usr/bin/sha512sum Recommends: audit Recommends: selinux-tools # for audit2allow Recommends: policycoreutils-python %global makeCmds() \ make SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \ make SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 conf \ cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \ cp -f selinux_config/users-%1 ./policy/users \ #cp -f selinux_config/modules-%1-base.conf ./policy/modules.conf \ %global makeModulesConf() \ cp -f selinux_config/modules-%1-%2.conf ./policy/modules-base.conf \ cp -f selinux_config/modules-%1-%2.conf ./policy/modules.conf \ if [ "%3" = "contrib" ];then \ cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \ cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \ fi; \ %global installCmds() \ make SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" base.pp \ make validate SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" modules \ make SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \ make SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install-appconfig \ %{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/logins \ %{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/policy \ %{__mkdir} -p %{buildroot}/%{module_store %%{1}}/%{module_dir} \ %{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/contexts/files \ %{mkdir_other %%1} \ touch %{buildroot}/%{module_store %%{1}}/semanage.read.LOCK \ touch %{buildroot}/%{module_store %%{1}}/semanage.trans.LOCK \ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/booleans \ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ %{touch_file_contexts %%1} \ install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \ install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \ install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \ install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \ touch %{buildroot}%{module_store %%{1}}/active/seusers \ touch %{buildroot}%{module_store %%{1}}/active/nodes.local \ touch %{buildroot}%{module_store %%{1}}/active/users_extra.local \ touch %{buildroot}%{module_store %%{1}}/active/users.local \ cp %{SOURCE23} %{buildroot}%{_sysconfdir}/selinux/%1 \ %install_pp %%1 \ touch %{buildroot}%{module_disabled %%1 sandbox} \ /usr/sbin/semodule -s %%1 -n -B -p %{buildroot}; \ /usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \ rm -f %{buildroot}/%{_sysconfigdir}/selinux/%1/modules/active/policy.kern \ ln -sf %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} %{buildroot}%{module_store %%{1}}/active/policy.kern \ %nil %global fileList() \ %defattr(-,root,root) \ %dir %{_usr}/share/selinux/%1 \ %dir %{_sysconfdir}/selinux/%1 \ %config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \ %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \ %dir %{_sysconfdir}/selinux/%1/logins \ %dir %{module_store %%{1}} \ %verify(not md5 size mtime) %{module_store %%{1}}/semanage.read.LOCK \ %verify(not md5 size mtime) %{module_store %%{1}}/semanage.trans.LOCK \ %dir %attr(700,root,root) %dir %{module_store %%{1}}/active \ %dir %{module_store %%{1}}/%{module_dir} \ %verify(not md5 size mtime) %{module_store %%{1}}/active/policy.kern \ %verify(not md5 size mtime) %{module_store %%{1}}/active/commit_num \ %{files_base_pp %%1} \ %verify(not md5 size mtime) %{module_store %%{1}}/active/file_contexts \ %{files_file_contexts %%1} \ %{files_other %%1} \ %config(noreplace) %verify(not md5 size mtime) %{module_store %%{1}}/active/users_extra \ %verify(not md5 size mtime) %{module_store %%{1}}/active/homedir_template \ %{module_store %%{1}}/%{module_dir}/* \ %ghost %{module_store %%{1}}/active/*.local \ %{files_dot_bin %%1} \ %ghost %{module_store %%{1}}/active/seusers \ %dir %{_sysconfdir}/selinux/%1/policy/ \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \ %{_sysconfdir}/selinux/%1/.policy.sha512 \ %dir %{_sysconfdir}/selinux/%1/contexts \ %config %{_sysconfdir}/selinux/%1/contexts/customizable_types \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/x_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/default_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \ %config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \ %config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \ %dir %{_sysconfdir}/selinux/%1/contexts/files \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \ %ghost %{_sysconfdir}/selinux/%1/contexts/files/*.bin \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \ %{_sysconfdir}/selinux/%1/booleans.subs_dist \ %config %{_sysconfdir}/selinux/%1/contexts/files/media \ %dir %{_sysconfdir}/selinux/%1/contexts/users \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/* %define relabel() \ . %{_sysconfdir}/sysconfig/selinux-policy; \ FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ if selinuxenabled; then \ if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \ /sbin/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; \ rm -f ${FILE_CONTEXT}.pre; \ fi; \ /sbin/restorecon -e /run/media -R /root /var/log /var/run %{_sysconfdir}/passwd* %{_sysconfdir}/group* %{_sysconfdir}/*shadow* 2> /dev/null; \ /sbin/restorecon -R /home/*/.cache /home/*/.config 2> /dev/null || true; \ fi; %global preInstall() \ if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \ . %{_sysconfdir}/selinux/config; \ FILE_CONTEXT=%{_sysconfdir}/selinux/%%1/contexts/files/file_contexts; \ if [ "${SELINUXTYPE}" = %%1 -a -f ${FILE_CONTEXT} ]; then \ [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \ fi; \ touch %{_sysconfdir}/selinux/%%1/.rebuild; \ if [ -e %{_sysconfdir}/selinux/%%1/.policy.sha512 ]; then \ sha512=`sha512sum %{module_store %%{1}}/active/policy.kern | cut -d ' ' -f 1`; \ checksha512=`cat %{_sysconfdir}/selinux/%%1/.policy.sha512`; \ if [ "$sha512" = "$checksha512" ] ; then \ rm %{_sysconfdir}/selinux/%%1/.rebuild; \ fi; \ fi; \ fi; %global postInstall() \ . %{_sysconfdir}/selinux/config; \ if [ -e %{_sysconfdir}/selinux/%%2/.rebuild ]; then \ rm %{_sysconfdir}/selinux/%%2/.rebuild; \ (cd %{module_store %%2}/%{module_dir}; for _mod in shutdown amavis clamav gnomeclock matahari xfs kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd pyzor razor pki-selinux phpfpm consoletype ctdbd fcoemon isnsd l2tp rgmanager corosync aisexec pacemaker; do %{rm_selinux_mod ${_mod}}; done ) \ /usr/sbin/semodule -B -n -s %%2; \ else \ touch %{module_disabled %%2 sandbox} \ fi; \ if [ "${SELINUXTYPE}" = "%2" ]; then \ if selinuxenabled; then \ load_policy; \ else \ # probably a first install of the policy \ true; \ fi; \ fi; \ if selinuxenabled; then \ if [ %1 -eq 1 ]; then \ /sbin/restorecon -R /root /var/log /var/run 2> /dev/null; \ else \ %relabel %2 \ fi; \ else \ # run fixfiles on next boot \ touch /.autorelabel \ fi; %define modulesList() \ awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst \ if [ -e ./policy/modules-contrib.conf ];then \ awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst; \ fi; %files %defattr(-,root,root,-) %doc COPYING %dir %{_usr}/share/selinux %dir %{_sysconfdir}/selinux %ghost %config(noreplace) %{_sysconfdir}/selinux/config %{_fillupdir}/sysconfig.%{name} %{_usr}/lib/tmpfiles.d/selinux-policy.conf %description SELinux Reference Policy. A complete SELinux policy that can be used as the system policy for a variety of systems and used as the basis for creating other policies. %prep # contrib modules %setup -n serefpolicy-contrib-%{version} -q -b 1 %patch1000 -p1 %patch1001 -p1 %patch1002 -p1 %patch1003 -p1 %patch1004 -p1 %patch1005 -p1 %patch1006 -p1 %patch1007 -p1 %patch1008 -p1 %patch1009 -p1 %patch1010 -p1 %patch1011 -p1 %patch1012 -p1 %patch1013 -p1 %patch1014 -p1 # base policy contrib_path=`pwd` %setup -n serefpolicy-%{version} -q cp COPYING .. %patch0001 -p1 %patch0002 -p1 %patch0003 -p1 %patch0004 -p1 %patch0005 -p1 %patch0006 -p0 %patch0007 -p1 %patch0008 -p1 %patch0009 -p1 %patch0010 -p1 %patch0011 -p1 %patch0012 -p1 %patch0013 -p1 %patch0014 -p1 %patch0015 -p1 %patch0016 -p1 %patch0017 -p1 %patch0018 -p1 %patch0019 -p1 %patch0020 -p1 %patch0021 -p1 %patch0022 -p1 %patch0023 -p1 %patch0024 -p1 refpolicy_path=`pwd` cp $contrib_path/* $refpolicy_path/policy/modules/contrib # we use distro=redhat to get all the redhat modifications but we'll still need everything that is defined for suse find "$refpolicy_path" -type f -print0 | xargs -0 sed -i -e 's/ifdef(`distro_suse/ifdef(`distro_redhat/g' %build %install mkdir selinux_config for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE30} %{SOURCE31} %{SOURCE32} %{SOURCE40} %{SOURCE41} %{SOURCE42} %{SOURCE50} %{SOURCE51} %{SOURCE52} %{SOURCE91} %{SOURCE92} %{SOURCE93} %{SOURCE94};do cp $i selinux_config done tar zxvf selinux_config/config.tgz # Build targeted policy %{__rm} -fR %{buildroot} mkdir -p %{buildroot}%{_sysconfdir}/selinux mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/ cp %{SOURCE60} %{buildroot}%{_usr}/lib/tmpfiles.d/ # Always create policy module package directories mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,mls,minimum,modules}/ make clean %if %{BUILD_TARGETED} # Build targeted policy mkdir -p %{buildroot}%{_usr}/share/selinux/targeted %makeCmds targeted mcs n allow %makeModulesConf targeted base contrib %installCmds targeted mcs n allow %modulesList targeted %endif %if %{BUILD_MINIMUM} # Build minimum policy mkdir -p %{buildroot}%{_usr}/share/selinux/minimum %makeCmds minimum mcs n allow %makeModulesConf targeted base contrib %installCmds minimum mcs n allow %modulesList minimum %endif %if %{BUILD_MLS} # Build mls policy mkdir -p %{buildroot}%{_usr}/share/selinux/mls %makeCmds mls mls n deny %makeModulesConf mls base contrib %installCmds mls mls n deny %modulesList mls %endif # Install devel mkdir -p %{buildroot}%{_mandir} cp -R man/* %{buildroot}%{_mandir} make SYSTEMD=y UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-docs make SYSTEMD=y UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-headers mkdir %{buildroot}%{_usr}/share/selinux/devel/ mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include chmod +x %{buildroot}%{_usr}/share/selinux/devel/include/support/segenxml.py install -m 644 selinux_config/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/ install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/ rm -rf selinux_config # fillup sysconfig mkdir -p %{buildroot}%{_fillupdir} cp %{SOURCE61} %{buildroot}%{_fillupdir}/sysconfig.%{name} %clean %post %{fillup_only} if [ ! -s %{_sysconfdir}/selinux/config ]; then # new install ln -sf %{_sysconfdir}/sysconfig/selinux-policy %{_sysconfdir}/selinux/config restorecon %{_sysconfdir}/selinux/config 2> /dev/null || : else . %{_sysconfdir}/sysconfig/selinux-policy # if first time update booleans.local needs to be copied to sandbox [ -f %{_sysconfdir}/selinux/${SELINUXTYPE}/booleans.local ] && mv %{_sysconfdir}/selinux/${SELINUXTYPE}/booleans.local %{module_store targeted}/active/ [ -f %{_sysconfdir}/selinux/${SELINUXTYPE}/seusers ] && cp -f %{_sysconfdir}/selinux/${SELINUXTYPE}/seusers %{module_store ${SELINUXTYPE}}/active/seusers fi exit 0 %postun if [ $1 = 0 ]; then setenforce 0 2> /dev/null if [ -s %{_sysconfdir}/selinux/config ]; then sed -i --follow-symlinks 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config fi fi exit 0 %package devel Summary: SELinux policy devel Group: System/Management Requires(pre): selinux-policy = %{version}-%{release} Requires: /usr/bin/make Requires: checkpolicy >= %{CHECKPOLICYVER} Requires: m4 %description devel SELinux policy development and man page package %files devel %defattr(-,root,root,-) %{_mandir}/ru/man8/ftpd_selinux.8.gz %{_mandir}/ru/man8/httpd_selinux.8.gz %{_mandir}/ru/man8/kerberos_selinux.8.gz %{_mandir}/ru/man8/named_selinux.8.gz %{_mandir}/ru/man8/nfs_selinux.8.gz %{_mandir}/ru/man8/rsync_selinux.8.gz %{_mandir}/ru/man8/samba_selinux.8.gz %{_mandir}/ru/man8/ypbind_selinux.8.gz %dir %{_usr}/share/selinux/devel %dir %{_usr}/share/selinux/devel/include %{_usr}/share/selinux/devel/include/* %{_usr}/share/selinux/devel/Makefile %{_usr}/share/selinux/devel/example.* %package doc Summary: SELinux policy documentation Group: System/Management Requires(pre): selinux-policy = %{version}-%{release} Requires: /usr/bin/xdg-open %description doc SELinux policy documentation package %files doc %defattr(-,root,root,-) %doc %{_usr}/share/doc/%{name}-%{version} %{_usr}/share/selinux/devel/policy.* %if %{BUILD_TARGETED} %package targeted Summary: SELinux targeted base policy Group: System/Management Provides: selinux-policy-base = %{version}-%{release} Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} Requires(pre): coreutils Requires(pre): selinux-policy = %{version}-%{release} Requires: selinux-policy = %{version}-%{release} %description targeted SELinux Reference policy targeted base module. %pre targeted %preInstall targeted %post targeted %postInstall $1 targeted exit 0 %files targeted %defattr(-,root,root,-) %fileList targeted %{_usr}/share/selinux/targeted/modules-base.lst %{_usr}/share/selinux/targeted/modules-contrib.lst %endif %if %{BUILD_MINIMUM} %package minimum Summary: SELinux minimum base policy Group: System/Management Provides: selinux-policy-base = %{version}-%{release} Requires(post): policycoreutils-python = %{POLICYCOREUTILSVER} Requires(pre): coreutils Requires(pre): selinux-policy = %{version}-%{release} Requires: selinux-policy = %{version}-%{release} Conflicts: seedit %description minimum SELinux Reference policy minimum base module. %pre minimum %preInstall minimum if [ $1 -ne 1 ]; then /usr/sbin/semodule -s minimum -l 2>/dev/null | awk '{ if ($3 != "Disabled") print $1; }' > /usr/share/selinux/minimum/instmodules.lst fi %post minimum contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst` basepackages=`cat /usr/share/selinux/minimum/modules-base.lst` if [ $1 -eq 1 ]; then for p in $contribpackages; do touch %{module_disabled minimum $p} done # this is temporarily needed to make minimum policy work without errors. Will be included # into the proper places later on for p in $basepackages plymouthd postfix apache dbus inetd kerberos mta nis nscd cron; do rm -f %{module_disabled minimum $p} done # those are default anyway # /usr/sbin/semanage -S minimum -i - << __eof # login -m -s unconfined_u -r s0-s0:c0.c1023 __default__ # login -m -s unconfined_u -r s0-s0:c0.c1023 root # __eof /sbin/restorecon -R /root /var/log /var/run 2> /dev/null /usr/sbin/semodule -B -s minimum else instpackages=`cat /usr/share/selinux/minimum/instmodules.lst` for p in $contribpackages; do touch %{module_disabled minimum $p} done for p in $instpackages apache dbus inetd kerberos mta nis; do rm -f %{module_disabled minimum $p} done /usr/sbin/semodule -B -s minimum %relabel minimum fi exit 0 %files minimum %defattr(-,root,root,-) %fileList minimum %{_usr}/share/selinux/minimum/modules-base.lst %{_usr}/share/selinux/minimum/modules-contrib.lst %endif %if %{BUILD_MLS} %package mls Summary: SELinux mls base policy Group: System/Management Provides: selinux-policy-base = %{version}-%{release} Obsoletes: selinux-policy-mls-sources < 2 Requires: policycoreutils-newrole = %{POLICYCOREUTILSVER} Requires: setransd Requires(pre): policycoreutils = %{POLICYCOREUTILSVER} Requires(pre): coreutils Requires(pre): selinux-policy = %{version}-%{release} Requires: selinux-policy = %{version}-%{release} Conflicts: seedit %description mls SELinux Reference policy mls base module. %pre mls %preInstall mls %post mls %postInstall $1 mls %files mls %defattr(-,root,root,-) %config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u %fileList mls %{_usr}/share/selinux/mls/modules-base.lst %{_usr}/share/selinux/mls/modules-contrib.lst %endif %changelog