Use warnings, not errors for the load failures of SELinux - the failure is not fatal for a system

1 swift 1.12 # Copyright 1999-2012 Gentoo Foundation
2 pebenito 1.1 # Distributed under the terms of the GNU General Public License v2
3 swift 1.13 # $Header: /var/cvsroot/gentoo-x86/eclass/selinux-policy-2.eclass,v 1.12 2012/05/26 14:25:02 swift Exp $
4 pebenito 1.1
# Eclass for installing SELinux policy, and optionally
# reloading the reference-policy based modules.

# @ECLASS: selinux-policy-2.eclass
# @MAINTAINER:
# selinux@gentoo.org
# @BLURB: This eclass supports the deployment of the various SELinux modules in sec-policy
# @DESCRIPTION:
# The selinux-policy-2.eclass supports deployment of the various SELinux modules
# defined in the sec-policy category. It is responsible for extracting the
# specific bits necessary for single-module deployment (instead of full-blown
# policy rebuilds) and applying the necessary patches.
#
# It also supports bundling patches to make the whole thing just a bit more
# manageable.
#
# Exported phases: src_unpack, src_compile, src_install, pkg_postinst and, for
# EAPI 2-4, src_prepare (see SELINUX_EXPF below; EAPI 0/1 call src_prepare from
# src_unpack instead).

# @ECLASS-VARIABLE: MODS
# @DESCRIPTION:
# This variable contains the (upstream) module name for the SELinux module.
# This name is only the module name, not the category!
# Several names may be given, whitespace-separated. The "_illegal" default is
# presumably chosen so that an ebuild which forgets to set MODS matches no
# .te file in src_prepare and fails there instead of silently building nothing.
: ${MODS:="_illegal"}

# @ECLASS-VARIABLE: BASEPOL
# @DESCRIPTION:
# This variable contains the version string of the selinux-base-policy package
# that this module build depends on. It is used to patch with the appropriate
# patch bundle(s) that are part of selinux-base-policy. When left empty, no
# patch bundle is fetched or applied and the runtime dependency falls back to
# selinux-base-policy-${PV} (see SRC_URI and RDEPEND below).
: ${BASEPOL:=""}

# @ECLASS-VARIABLE: POLICY_PATCH
# @DESCRIPTION:
# This variable contains the additional patch(es) that need to be applied on top
# of the patchset already contained within the BASEPOL variable. The variable
# can be both a simple string (space-separated) or a bash array.
# The patches are applied with epatch from within refpolicy/policy/modules.
: ${POLICY_PATCH:=""}

# @ECLASS-VARIABLE: POLICY_FILES
# @DESCRIPTION:
# When defined, this contains the files (located in the ebuilds' files/
# directory) which should be copied as policy module files into the store.
# Generally, users would want to include at least a .te and .fc file, but .if
# files are supported as well. The variable can be both a simple string
# (space-separated) or a bash array.
# Setting it also makes src_prepare pick up the .if file of every module in
# MODS, and a listed <module>.if is installed under include/3rd_party of each
# policy store by src_install.
: ${POLICY_FILES:=""}

# @ECLASS-VARIABLE: POLICY_TYPES
# @DESCRIPTION:
# This variable informs the eclass for which SELinux policies the module should
# be built. Currently, Gentoo supports targeted, strict, mcs and mls.
# This variable is the same POLICY_TYPES variable that we tell SELinux
# users to set in /etc/make.conf. Therefore, it is not the module that should
# override it, but the user.
: ${POLICY_TYPES:="targeted strict mcs mls"}

inherit eutils

IUSE=""

HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
# NOTE(review): both distfiles are fetched over plain http, so the integrity of
# the policy sources and of the patch bundle rests on the package Manifest
# digests rather than on the transport — nothing in this eclass re-verifies
# them. Keep the Manifest entries current when bumping PV or BASEPOL.
if [[ -n ${BASEPOL} ]];
then
SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2
http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
else
SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2"
fi

LICENSE="GPL-2"
SLOT="0"
S="${WORKDIR}/"
# Location of the fetched patch bundle. Not referenced anywhere else in this
# eclass (src_prepare lets epatch pick up *.patch from WORKDIR); presumably
# kept for ebuilds that want the path.
PATCHBUNDLE="${DISTDIR}/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"

# Modules should always depend on at least the first release of the
# selinux-base-policy for which they are generated.
# policycoreutils is a runtime dependency because pkg_postinst calls semodule.
if [[ -n ${BASEPOL} ]];
then
RDEPEND=">=sys-apps/policycoreutils-2.0.82
>=sec-policy/selinux-base-policy-${BASEPOL}"
else
RDEPEND=">=sys-apps/policycoreutils-2.0.82
>=sec-policy/selinux-base-policy-${PV}"
fi
# m4 and checkpolicy are only needed to build the .pp files in src_compile.
DEPEND="${RDEPEND}
sys-devel/m4
>=sys-apps/checkpolicy-2.0.21"

# Phase functions exported by this eclass. src_prepare is only a phase of its
# own from EAPI 2 on; for EAPI 0/1 it is invoked explicitly from src_unpack.
SELINUX_EXPF="src_unpack src_compile src_install pkg_postinst"
case "${EAPI:-0}" in
2|3|4) SELINUX_EXPF+=" src_prepare" ;;
*) ;;
esac

EXPORT_FUNCTIONS ${SELINUX_EXPF}
98    
# @FUNCTION: selinux-policy-2_src_unpack
# @DESCRIPTION:
# Unpack the policy sources as offered by upstream (refpolicy) together with
# the patch bundle, if any. For EAPI 0 and 1, which have no src_prepare phase
# of their own, the preparation step is run from here as well.
selinux-policy-2_src_unpack() {
	unpack ${A}

	# EAPI 0/1: src_prepare is not called by the package manager.
	case "${EAPI:-0}" in
		0|1) selinux-policy-2_src_prepare ;;
	esac
}
109    
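# @FUNCTION: selinux-policy-2_src_prepare
# @DESCRIPTION:
# Patch the reference policy sources with our set of enhancements. Start with
# the base patchbundle referred to by the ebuilds through the BASEPOL variable,
# then apply the additional patches as offered by the ebuild.
#
# Next, extract only those files needed for this particular module (i.e. the .te
# and .fc files for the given module in the MODS variable, plus the .if file
# when the ebuild ships its own files through POLICY_FILES). Every module in
# MODS must have a .te file somewhere below the modules tree, otherwise this
# phase dies.
#
# Finally, prepare the build environments for each of the supported SELinux
# types (such as targeted or strict), depending on the POLICY_TYPES variable
# content.
#
# Reads S, WORKDIR, FILESDIR, BASEPOL, POLICY_FILES, POLICY_PATCH, MODS and
# POLICY_TYPES. Dies on any failed cd/mkdir/cp so that a broken tree never
# reaches src_compile.
selinux-policy-2_src_prepare() {
	local moddir="${S}/refpolicy/policy/modules"
	local add_interfaces=0
	local -a modfiles=() te_files=()
	local mod ext exts file polfile polpatch ptype

	# Create 3rd_party location for user-contributed policies. Both steps
	# must succeed: the POLICY_FILES copy and the find calls below rely on it.
	cd "${moddir}" || die "Could not enter ${moddir}"
	mkdir 3rd_party || die "Could not create ${moddir}/3rd_party"

	# Patch the sources with the base patchbundle: every *.patch unpacked
	# into WORKDIR from the patchbundle tarball is applied, forced.
	# NOTE(review): the bundle is trusted as fetched; nothing here verifies it
	# beyond what the package Manifest presumably already covers.
	if [[ -n ${BASEPOL} ]]; then
		cd "${S}" || die "Could not enter ${S}"
		EPATCH_MULTI_MSG="Applying SELinux policy updates ... " \
		EPATCH_SUFFIX="patch" \
		EPATCH_SOURCE="${WORKDIR}" \
		EPATCH_FORCE="yes" \
		epatch
	fi

	# Copy additional files to the 3rd_party/ location. POLICY_FILES is
	# either a bash array or a whitespace-separated string; the unquoted
	# expansion deliberately word-splits the string form.
	if [[ "$(declare -p POLICY_FILES 2>/dev/null)" == "declare -a"* ]] ||
	   [[ -n ${POLICY_FILES} ]]; then
		add_interfaces=1
		cd "${moddir}" || die "Could not enter ${moddir}"
		for polfile in ${POLICY_FILES[@]}; do
			cp "${FILESDIR}/${polfile}" 3rd_party/ \
				|| die "Could not copy ${polfile} to 3rd_party/ location"
		done
	fi

	# Apply the additional patches referred to by the module ebuild; same
	# string-or-array handling as for POLICY_FILES.
	if [[ "$(declare -p POLICY_PATCH 2>/dev/null)" == "declare -a"* ]] ||
	   [[ -n ${POLICY_PATCH} ]]; then
		cd "${moddir}" || die "Could not enter ${moddir}"
		for polpatch in ${POLICY_PATCH[@]}; do
			epatch "${polpatch}"
		done
	fi

	# Collect only those files needed for this particular module. Paths are
	# read NUL-delimited so the list is never re-split by the shell, and a
	# module without any .te file is a hard error: a typo in MODS (or the
	# "_illegal" default) should fail here, not as an obscure cp or compile
	# error later on.
	for mod in ${MODS}; do
		te_files=()
		while IFS= read -r -d '' file; do
			te_files+=("${file}")
		done < <(find "${moddir}" -iname "${mod}.te" -print0)
		[[ ${#te_files[@]} -gt 0 ]] \
			|| die "No ${mod}.te found below ${moddir}; is MODS set correctly?"
		if [[ ${#te_files[@]} -gt 1 ]]; then
			# All candidates land in the same build directory and the one
			# copied last silently wins, so make the ambiguity visible.
			ewarn "Multiple ${mod}.te files found (the last one copied wins): ${te_files[*]}"
		fi
		modfiles+=("${te_files[@]}")

		# .if files are only needed when the ebuild ships its own policy
		# files, which is when src_install may publish the interface.
		exts="fc"
		[[ ${add_interfaces} -eq 1 ]] && exts="fc if"
		for ext in ${exts}; do
			while IFS= read -r -d '' file; do
				modfiles+=("${file}")
			done < <(find "${moddir}" -iname "${mod}.${ext}" -print0)
		done
	done

	# One self-contained build directory per policy type, each with the
	# upstream example Makefile and the collected module sources.
	for ptype in ${POLICY_TYPES}; do
		mkdir "${S}/${ptype}" || die "Failed to create directory ${S}/${ptype}"
		cp "${S}/refpolicy/doc/Makefile.example" "${S}/${ptype}/Makefile" \
			|| die "Failed to copy Makefile.example to ${S}/${ptype}/Makefile"

		cp "${modfiles[@]}" "${S}/${ptype}" \
			|| die "Failed to copy the module files to ${S}/${ptype}"
	done
}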
183    
# @FUNCTION: selinux-policy-2_src_compile
# @DESCRIPTION:
# Build the SELinux policy module (.pp file) for just the selected module, and
# this for each SELinux policy mentioned in POLICY_TYPES. Each type is built
# from its own directory ${S}/<type> as prepared by src_prepare; the type name
# is handed to the Makefile through NAME.
selinux-policy-2_src_compile() {
	local ptype

	for ptype in ${POLICY_TYPES}; do
		# Parallel builds are broken, so -j1 is forced for every type.
		emake -j1 NAME="${ptype}" -C "${S}/${ptype}" \
			|| die "${ptype} compile failed"
	done
}
194    
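# @FUNCTION: selinux-policy-2_src_install
# @DESCRIPTION:
# Install the built .pp files in the correct subdirectory within
# /usr/share/selinux (one per policy type in POLICY_TYPES). When the ebuild
# ships its own <module>.if through POLICY_FILES, that interface file is
# installed as well, under <type>/include/3rd_party, so other modules can
# build against it. Interface files that merely came from upstream are not
# published here.
selinux-policy-2_src_install() {
	local BASEDIR="/usr/share/selinux"
	local ptype mod polfile has_if

	for ptype in ${POLICY_TYPES}; do
		for mod in ${MODS}; do
			einfo "Installing ${ptype} ${mod} policy package"
			insinto "${BASEDIR}/${ptype}"
			doins "${S}/${ptype}/${mod}.pp" || die "Failed to add ${mod}.pp to ${ptype}"

			# Match the listed file name exactly (by basename) rather than by
			# substring, so that e.g. "foobar.if" does not satisfy a module
			# named "bar". POLICY_FILES may be a string or an array; the
			# unquoted expansion handles both.
			has_if=0
			for polfile in ${POLICY_FILES[@]}; do
				if [[ ${polfile##*/} == "${mod}.if" ]]; then
					has_if=1
					break
				fi
			done
			if [[ ${has_if} -eq 1 ]]; then
				insinto "${BASEDIR}/${ptype}/include/3rd_party"
				doins "${S}/${ptype}/${mod}.if" || die "Failed to add ${mod}.if to ${ptype}"
			fi
		done
	done
}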
216    
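# @FUNCTION: selinux-policy-2_pkg_postinst
# @DESCRIPTION:
# Install the built .pp files in the SELinux policy stores, effectively
# activating the policy on the system. For every type in POLICY_TYPES the
# modules in MODS are inserted into that type's store; if that fails, the
# whole store is rebuilt from base.pp plus every other module package present
# in /usr/share/selinux/<type>. A failure of that rebuild is reported with
# ewarn only: it is not fatal for the system, and a later module package
# will retry the reload.
selinux-policy-2_pkg_postinst() {
	local ptype mod pp
	local -a insert=() reload=()

	# One "-i <module>.pp" pair per module, kept as an array so that the
	# argument list is handed to semodule unsplit.
	for mod in ${MODS}; do
		insert+=(-i "${mod}.pp")
	done

	for ptype in ${POLICY_TYPES}; do
		einfo "Inserting the following modules into the ${ptype} module store: ${MODS}"

		# NOTE(review): this always works on the host's stores below
		# /usr/share/selinux; nothing here honours ROOT, so confirm whether
		# that is intended for chroot/offline installs.
		cd "/usr/share/selinux/${ptype}" || die "Could not enter /usr/share/selinux/${ptype}"
		if semodule -s "${ptype}" "${insert[@]}"; then
			einfo "SELinux modules loaded succesfully."
			continue
		fi

		ewarn "SELinux module load failed. Trying full reload..."
		# Rebuild the store from base.pp plus every other module package in
		# this directory. The unconfined module only belongs in the targeted
		# policy, so it is left out for all other types. Names are compared
		# exactly instead of by pattern so that a module whose name merely
		# contains "base" or "unconfined" is not dropped by accident.
		reload=()
		for pp in *.pp; do
			[[ -e ${pp} ]] || continue
			[[ ${pp} == base.pp ]] && continue
			[[ ${ptype} != targeted && ${pp} == unconfined.pp ]] && continue
			reload+=("${pp}")
		done
		if semodule -s "${ptype}" -b base.pp -i "${reload[@]}"; then
			einfo "SELinux modules reloaded succesfully."
		else
			ewarn "Failed to reload SELinux policies."
			ewarn ""
			ewarn "If this is *not* the last SELinux module package being installed,"
			ewarn "then you can safely ignore this as the reloads will be retried"
			ewarn "with other, recent modules."
			ewarn ""
			ewarn "If it is the last SELinux module package being installed however,"
			ewarn "then it is advised to look at the error above and take appropriate"
			ewarn "action since the new SELinux policies are not loaded until the"
			ewarn "command finished succesfully."
			ewarn ""
			ewarn "To reload, run the following command from within /usr/share/selinux/${ptype}:"
			ewarn " semodule -b base.pp -i \$(ls *.pp | grep -v base.pp)"
			ewarn "or"
			ewarn " semodule -b base.pp -i \$(ls *.pp | grep -v base.pp | grep -v unconfined.pp)"
			ewarn "depending on if you need the unconfined domain loaded as well or not."
		fi
	done
}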
