Tue May 7 09:25:17 2013 UTC (14 months ago) by swift
Branch: MAIN
Changes since 1.18: +5 -1 lines
Call epatch_user in selinux policy ebuilds

# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/eclass/selinux-policy-2.eclass,v 1.18 2013/04/28 16:15:33 zmedico Exp $

# Eclass for installing SELinux policy, and optionally
# reloading the reference-policy based modules.

# @ECLASS: selinux-policy-2.eclass
# @MAINTAINER:
# selinux@gentoo.org
# @BLURB: This eclass supports the deployment of the various SELinux modules in sec-policy
# @DESCRIPTION:
# The selinux-policy-2.eclass supports deployment of the various SELinux modules
# defined in the sec-policy category. It extracts only the bits needed to build
# a single module (instead of rebuilding the whole policy) and applies the
# necessary patches on top of the upstream reference policy sources.
#
# It also supports bundling patches, which keeps the individual module ebuilds
# small and manageable.

# @ECLASS-VARIABLE: MODS
# @DESCRIPTION:
# The (upstream) module name of the SELinux module. This is only the module
# name, not the category. The "_illegal" default marks an ebuild that forgot to
# set it.
: "${MODS:=_illegal}"

# @ECLASS-VARIABLE: BASEPOL
# @DESCRIPTION:
# The version string of the selinux-base-policy package this module build
# depends on. It selects the patch bundle(s) shipped with selinux-base-policy
# that are applied to the reference policy sources.
: "${BASEPOL:=}"

# @ECLASS-VARIABLE: POLICY_PATCH
# @DESCRIPTION:
# Additional patch(es) applied on top of the patch set selected through
# BASEPOL. Either a whitespace-separated string or a bash array.
: "${POLICY_PATCH:=}"

# @ECLASS-VARIABLE: POLICY_FILES
# @DESCRIPTION:
# When set, the files (relative to the ebuild's files/ directory) that are
# copied into the policy store as module files. Usually at least a .te and a
# .fc file; .if files are supported as well. Either a whitespace-separated
# string or a bash array.
: "${POLICY_FILES:=}"

# @ECLASS-VARIABLE: POLICY_TYPES
# @DESCRIPTION:
# The SELinux policy types the module is built for. Gentoo currently supports
# targeted, strict, mcs and mls. This is the same POLICY_TYPES variable users
# set in make.conf, so it is the user, not the module ebuild, who overrides it.
: "${POLICY_TYPES:=targeted strict mcs mls}"

# A BASEPOL of 9999 means a live checkout of the hardened refpolicy tree
# instead of the upstream tarball plus patch bundle.
extra_eclass=""
case ${BASEPOL} in
	9999)
		extra_eclass="git-2"
		# NOTE: git:// is an unauthenticated transport, so the live
		# checkout is not integrity-checked the way SRC_URI distfiles are
		# verified against their Manifest digests.
		EGIT_REPO_URI="git://git.overlays.gentoo.org/proj/hardened-refpolicy.git"
		EGIT_SOURCEDIR="${WORKDIR}/refpolicy"
		;;
esac

inherit eutils ${extra_eclass}

IUSE=""

HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
if [[ -n ${BASEPOL} && ${BASEPOL} != 9999 ]]; then
	# Upstream refpolicy release plus the Gentoo patch bundle for BASEPOL.
	SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2
		http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
elif [[ -z ${BASEPOL} ]]; then
	# No BASEPOL: the unpatched upstream refpolicy release only.
	SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2"
else
	# Live (9999) build: sources come from git, nothing to fetch here.
	SRC_URI=""
fi

LICENSE="GPL-2"
SLOT="0"
S="${WORKDIR}/"
PATCHBUNDLE="${DISTDIR}/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"

# Modules should always depend on at least the first release of the
# selinux-base-policy for which they are generated; without a BASEPOL that
# is the module's own version.
RDEPEND=">=sys-apps/policycoreutils-2.0.82
	>=sec-policy/selinux-base-policy-${BASEPOL:-${PV}}"
DEPEND="${RDEPEND}
	sys-devel/m4
	>=sys-apps/checkpolicy-2.0.21"

# src_prepare is a separate phase only from EAPI 2 on; for EAPI 0 and 1 it
# is called from src_unpack instead.
SELINUX_EXPF="src_unpack src_compile src_install pkg_postinst pkg_postrm"
if has "${EAPI:-0}" 2 3 4 5; then
	SELINUX_EXPF+=" src_prepare"
fi

EXPORT_FUNCTIONS ${SELINUX_EXPF}

# @FUNCTION: selinux-policy-2_src_unpack
# @DESCRIPTION:
# Unpack the policy sources as offered by upstream (refpolicy), or check out
# the live tree when BASEPOL is 9999. For EAPI 0 and 1, which have no
# src_prepare phase, src_prepare is run from here as well.
selinux-policy-2_src_unpack() {
	if [[ ${BASEPOL} == 9999 ]]; then
		git-2_src_unpack
	else
		unpack ${A}
	fi

	# EAPI 0 and 1 only: no separate src_prepare phase exists.
	has "${EAPI:-0}" 0 1 && selinux-policy-2_src_prepare
}

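# @FUNCTION: selinux-policy-2_src_prepare
# @DESCRIPTION:
# Patch the reference policy sources with our set of enhancements. Start with
# the base patchbundle referred to by the ebuilds through the BASEPOL variable,
# then the user's patches (epatch_user), then the additional patches offered
# by the ebuild (POLICY_PATCH).
#
# Next, extract only those files needed for this particular module (the .te
# and .fc files for each name in MODS, plus the .if file when the ebuild ships
# its own interface through POLICY_FILES).
#
# Finally, prepare one build directory per supported SELinux type (such as
# targeted or strict), depending on the POLICY_TYPES variable content.
#
# Every directory change is checked: an unchecked cd would otherwise let the
# patches or the copied files land in the wrong tree without any error.
selinux-policy-2_src_prepare() {
	local modfiles
	local add_interfaces=0
	local moddir="${S}/refpolicy/policy/modules"
	local i tefile

	# Create 3rd_party location for user-contributed policies
	cd "${moddir}" || die "Could not enter ${moddir}"
	mkdir -p 3rd_party || die "Could not create ${moddir}/3rd_party"

	# Patch the sources with the base patchbundle
	if [[ -n ${BASEPOL} && ${BASEPOL} != 9999 ]]; then
		cd "${S}" || die "Could not enter ${S}"
		EPATCH_MULTI_MSG="Applying SELinux policy updates ... " \
		EPATCH_SUFFIX="patch" \
		EPATCH_SOURCE="${WORKDIR}" \
		EPATCH_FORCE="yes" \
		epatch
	fi

	# Call in epatch_user. We do this early on as we start moving
	# files left and right hereafter.
	epatch_user

	# Copy additional files to the 3rd_party/ location.
	# POLICY_FILES may be a bash array or a whitespace-separated string;
	# `declare -p` tells the two apart.
	if [[ "$(declare -p POLICY_FILES 2>/dev/null)" == "declare -a"* ]] ||
	   [[ -n ${POLICY_FILES} ]]; then
		add_interfaces=1
		cd "${moddir}" || die "Could not enter ${moddir}"
		for POLFILE in ${POLICY_FILES[@]}; do
			cp "${FILESDIR}/${POLFILE}" 3rd_party/ || die "Could not copy ${POLFILE} to 3rd_party/ location"
		done
	fi

	# Apply the additional patches referred to by the module ebuild.
	# Same array-or-string handling as for POLICY_FILES above.
	if [[ "$(declare -p POLICY_PATCH 2>/dev/null)" == "declare -a"* ]] ||
	   [[ -n ${POLICY_PATCH} ]]; then
		cd "${moddir}" || die "Could not enter ${moddir}"
		for POLPATCH in ${POLICY_PATCH[@]}; do
			epatch "${POLPATCH}"
		done
	fi

	# Collect only those files needed for this particular module. A module
	# without a .te file cannot be built, so fail here with a clear message
	# instead of at compile time.
	for i in ${MODS}; do
		tefile="$(find "${moddir}" -iname "${i}.te")"
		[[ -n ${tefile} ]] || die "No ${i}.te found for module ${i} below ${moddir}"
		modfiles="${tefile} ${modfiles}"
		modfiles="$(find "${moddir}" -iname "${i}.fc") ${modfiles}"
		if [[ ${add_interfaces} -eq 1 ]]; then
			modfiles="$(find "${moddir}" -iname "${i}.if") ${modfiles}"
		fi
	done

	# One build directory per policy type, each with its own Makefile copy.
	for i in ${POLICY_TYPES}; do
		mkdir "${S}/${i}" || die "Failed to create directory ${S}/${i}"
		cp "${S}/refpolicy/doc/Makefile.example" "${S}/${i}/Makefile" \
			|| die "Failed to copy Makefile.example to ${S}/${i}/Makefile"

		# modfiles is deliberately unquoted: it is a space-separated list.
		cp ${modfiles} "${S}/${i}" \
			|| die "Failed to copy the module files to ${S}/${i}"
	done
}
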
# @FUNCTION: selinux-policy-2_src_compile
# @DESCRIPTION:
# Build the SELinux policy module (.pp file) for just the selected module, once
# for each SELinux policy type listed in POLICY_TYPES.
selinux-policy-2_src_compile() {
	for i in ${POLICY_TYPES}; do
		# Parallel builds are broken, so -j1 is forced here.
		emake -j1 NAME="${i}" -C "${S}/${i}" || die "${i} compile failed"
	done
}

# @FUNCTION: selinux-policy-2_src_install
# @DESCRIPTION:
# Install the built .pp files in the correct per-type subdirectory within
# /usr/share/selinux. When the ebuild shipped its own interface file through
# POLICY_FILES, that .if file is installed under include/3rd_party as well.
selinux-policy-2_src_install() {
	local BASEDIR="/usr/share/selinux"

	for i in ${POLICY_TYPES}; do
		for j in ${MODS}; do
			einfo "Installing ${i} ${j} policy package"
			insinto "${BASEDIR}/${i}"
			doins "${S}/${i}/${j}.pp" || die "Failed to add ${j}.pp to ${i}"

			# Substring match on the POLICY_FILES contents: the .if is
			# only shipped when the ebuild supplied one.
			if [[ "${POLICY_FILES[@]}" == *"${j}.if"* ]]; then
				insinto "${BASEDIR}/${i}/include/3rd_party"
				doins "${S}/${i}/${j}.if" || die "Failed to add ${j}.if to ${i}"
			fi
		done
	done
}

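# @FUNCTION: selinux-policy-2_pkg_postinst
# @DESCRIPTION:
# Insert the installed .pp files into the SELinux policy stores, effectively
# activating the policy on the system. When the plain insert fails, a full
# reload of the store (base.pp plus every module package present) is tried;
# if that fails too the user is told how to redo it by hand. Exit statuses are
# tested directly instead of through $?, and the module list for the reload
# is collected with a glob rather than by parsing ls output.
selinux-policy-2_pkg_postinst() {
	local COMMAND i pp
	local -a modules

	# build up the command in the case of multiple modules
	for i in ${MODS}; do
		COMMAND="-i ${i}.pp ${COMMAND}"
	done

	for i in ${POLICY_TYPES}; do
		# The strict store never loads the unconfined domain.
		if [[ ${i} == strict && ${MODS} == unconfined ]]; then
			einfo "Ignoring loading of unconfined module in strict module store."
			continue
		fi
		einfo "Inserting the following modules into the ${i} module store: ${MODS}"

		cd "/usr/share/selinux/${i}" || die "Could not enter /usr/share/selinux/${i}"
		if semodule -s "${i}" ${COMMAND}; then
			einfo "SELinux modules loaded succesfully."
			continue
		fi

		ewarn "SELinux module load failed. Trying full reload..."
		# Rebuild the store from base.pp plus all other module packages in
		# this directory. Only the targeted store gets unconfined.pp.
		modules=()
		for pp in *.pp; do
			[[ -e ${pp} ]] || continue
			[[ ${pp} == base.pp ]] && continue
			[[ ${i} != targeted && ${pp} == unconfined.pp ]] && continue
			modules+=( "${pp}" )
		done
		if semodule -s "${i}" -b base.pp -i "${modules[@]}"; then
			einfo "SELinux modules reloaded succesfully."
		else
			ewarn "Failed to reload SELinux policies."
			ewarn ""
			ewarn "If this is *not* the last SELinux module package being installed,"
			ewarn "then you can safely ignore this as the reloads will be retried"
			ewarn "with other, recent modules."
			ewarn ""
			ewarn "If it is the last SELinux module package being installed however,"
			ewarn "then it is advised to look at the error above and take appropriate"
			ewarn "action since the new SELinux policies are not loaded until the"
			ewarn "command finished succesfully."
			ewarn ""
			ewarn "To reload, run the following command from within /usr/share/selinux/${i}:"
			ewarn " semodule -b base.pp -i \$(ls *.pp | grep -v base.pp)"
			ewarn "or"
			ewarn " semodule -b base.pp -i \$(ls *.pp | grep -v base.pp | grep -v unconfined.pp)"
			ewarn "depending on if you need the unconfined domain loaded as well or not."
		fi
	done
}
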
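# @FUNCTION: selinux-policy-2_pkg_postrm
# @DESCRIPTION:
# Remove the module(s) from the SELinux policy stores, effectively
# deactivating the policy on the system. Nothing is unloaded during an
# upgrade (REPLACED_BY_VERSION set), so the replacement module stays active.
# REPLACED_BY_VERSION only exists from EAPI 4 on; older EAPIs always unload.
# EAPI defaults to 0 when unset, as everywhere else in this eclass.
selinux-policy-2_pkg_postrm() {
	# Only if we are not upgrading
	if [[ ${EAPI:-0} -lt 4 || -z ${REPLACED_BY_VERSION} ]]; then
		local COMMAND i

		# build up the command in the case of multiple modules
		for i in ${MODS}; do
			COMMAND="-r ${i} ${COMMAND}"
		done

		for i in ${POLICY_TYPES}; do
			einfo "Removing the following modules from the ${i} module store: ${MODS}"

			if semodule -s "${i}" ${COMMAND}; then
				einfo "SELinux modules unloaded succesfully."
			else
				ewarn "SELinux module unload failed."
			fi
		done
	fi
}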
