gentoo-x86/eclass/selinux-policy-2.eclass

# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/eclass/selinux-policy-2.eclass,v 1.7 2011/08/07 10:47:00 blueness Exp $

# Eclass for installing SELinux policy, and optionally
# reloading the reference-policy based modules.

# @ECLASS: selinux-policy-2.eclass
# @MAINTAINER: 
# selinux@gentoo.org
# @BLURB: This eclass supports the deployment of the various SELinux modules in sec-policy
# @DESCRIPTION:
# The selinux-policy-2.eclass supports deployment of the various SELinux modules
# defined in the sec-policy category. It is responsible for extracting the
# specific bits necessary for single-module deployment (instead of full-blown
# policy rebuilds) and applying the necessary patches.
# 
# Also, it supports for bundling patches to make the whole thing just a bit more
# manageable.

# @ECLASS-VARIABLE: MODS
# @DESCRIPTION: 
# This variable contains the (upstream) module name for the SELinux module.
# This name is only the module name, not the category!
: ${MODS:="_illegal"}

# @ECLASS-VARIABLE: BASEPOL
# @DESCRIPTION:
# This variable contains the version string of the selinux-base-policy package
# that this module build depends on. It is used to patch with the appropriate
# patch bundle(s) that are part of selinux-base-policy. 
: ${BASEPOL:=""}

# @ECLASS-VARIABLE: POLICY_PATCH
# @DESCRIPTION:
# This variable contains the additional patch(es) that need to be applied on top
# of the patchset already contained within the BASEPOL variable. The variable
# can be both a simple string (space-separated) or a bash array.
: ${POLICY_PATCH:=""}

# @ECLASS-VARIABLE: POLICY_TYPES
# @DESCRIPTION:
# This variable informs the eclass for which SELinux policies the module should
# be built. Currently, Gentoo supports targeted, strict, mcs and mls.
# This variable is the same POLICY_TYPES variable that we tell SELinux
# users to set in /etc/make.conf. Therefor, it is not the module that should
# override it, but the user.
: ${POLICY_TYPES:="targeted strict mcs mls"}

inherit eutils

IUSE=""

HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
if [[ -n ${BASEPOL} ]];
then
        SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2
                http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
else
        SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2"
fi

LICENSE="GPL-2"
SLOT="0"
S="${WORKDIR}/"
PATCHBUNDLE="${DISTDIR}/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"

# Modules should always depend on at least the first release of the
# selinux-base-policy for which they are generated.
if [[ -n ${BASEPOL} ]];
then
        RDEPEND=">=sys-apps/policycoreutils-2.0.82
                >=sec-policy/selinux-base-policy-${BASEPOL}"
else
        RDEPEND=">=sys-apps/policycoreutils-2.0.82
                >=sec-policy/selinux-base-policy-${PV}"
fi
DEPEND="${RDEPEND}
        sys-devel/m4
        >=sys-apps/checkpolicy-2.0.21"

SELINUX_EXPF="src_unpack src_compile src_install pkg_postinst"
case "${EAPI:-0}" in
        2|3|4) SELINUX_EXPF+=" src_prepare" ;;
        *) ;;
esac

EXPORT_FUNCTIONS ${SELINUX_EXPF}

# @FUNCTION: selinux-policy-2_src_unpack
# @DESCRIPTION:
# Unpack the policy sources as offered by upstream (refpolicy). In case of EAPI
# older than 2, call src_prepare too.
selinux-policy-2_src_unpack() {
        unpack ${A}

        # Call src_prepare explicitly for EAPI 0 or 1
        has "${EAPI:-0}" 0 1 && selinux-policy-2_src_prepare
}

# @FUNCTION: selinux-policy-2_src_prepare
# @DESCRIPTION:
# Patch the reference policy sources with our set of enhancements. Start with
# the base patchbundle referred to by the ebuilds through the BASEPOL variable,
# then apply the additional patches as offered by the ebuild.
# 
# Next, extract only those files needed for this particular module (i.e. the .te
# and .fc files for the given module in the MODS variable).
# 
# Finally, prepare the build environments for each of the supported SELinux
# types (such as targeted or strict), depending on the POLICY_TYPES variable
# content.
selinux-policy-2_src_prepare() {
        local modfiles

        # Patch the sources with the base patchbundle
        if [[ -n ${BASEPOL} ]];
        then
                cd "${S}"
                epatch "${PATCHBUNDLE}"
        fi

        # Apply the additional patches refered to by the module ebuild.
        # But first some magic to differentiate between bash arrays and strings
        if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" == "declare -a"* ]];
        then
                cd "${S}/refpolicy/policy/modules"
                for POLPATCH in "${POLICY_PATCH[@]}";
                do
                        epatch "${POLPATCH}"
                done
        else
                if [[ -n ${POLICY_PATCH} ]];
                then
                        cd "${S}/refpolicy/policy/modules"
                        for POLPATCH in ${POLICY_PATCH};
                        do
                                epatch "${POLPATCH}"
                        done
                fi
        fi

        # Collect only those files needed for this particular module
        for i in ${MODS}; do
                modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
                modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
        done

        for i in ${POLICY_TYPES}; do
                mkdir "${S}"/${i} || die "Failed to create directory ${S}/${i}"
                cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \
                        || die "Failed to copy Makefile.example to ${S}/${i}/Makefile"

                cp ${modfiles} "${S}"/${i} \
                        || die "Failed to copy the module files to ${S}/${i}"
        done
}

# @FUNCTION: selinux-policy-2_src_compile
# @DESCRIPTION: 
# Build the SELinux policy module (.pp file) for just the selected module, and
# this for each SELinux policy mentioned in POLICY_TYPES
selinux-policy-2_src_compile() {
        for i in ${POLICY_TYPES}; do
                # Parallel builds are broken, so we need to force -j1 here
                emake -j1 NAME=$i -C "${S}"/${i} || die "${i} compile failed"
        done
}

# @FUNCTION: selinux-policy-2_src_install
# @DESCRIPTION:
# Install the built .pp files in the correct subdirectory within
# /usr/share/selinux.
selinux-policy-2_src_install() {
        local BASEDIR="/usr/share/selinux"

        for i in ${POLICY_TYPES}; do
                for j in ${MODS}; do
                        einfo "Installing ${i} ${j} policy package"
                        insinto ${BASEDIR}/${i}
                        doins "${S}"/${i}/${j}.pp || die "Failed to add ${j}.pp to ${i}"
                done
        done
}

# @FUNCTION: selinux-policy-2_pkg_postinst
# @DESCRIPTION:
# Install the built .pp files in the SELinux policy stores, effectively
# activating the policy on the system.
selinux-policy-2_pkg_postinst() {
        # build up the command in the case of multiple modules
        local COMMAND
        for i in ${MODS}; do
                COMMAND="-i ${i}.pp ${COMMAND}"
        done

        for i in ${POLICY_TYPES}; do
                einfo "Inserting the following modules into the $i module store: ${MODS}"

                cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/${i}"
                semodule -s ${i} ${COMMAND} || die "Failed to load in modules ${MODS} in the $i policy store"
        done
}

1	blueness	1.7	# Copyright 1999-2011 Gentoo Foundation
2	pebenito	1.1	# Distributed under the terms of the GNU General Public License v2
3	swift	1.8	# $Header: /var/cvsroot/gentoo-x86/eclass/selinux-policy-2.eclass,v 1.7 2011/08/07 10:47:00 blueness Exp $
4	pebenito	1.1
5			# Eclass for installing SELinux policy, and optionally
6	blueness	1.5	# reloading the reference-policy based modules.
7	pebenito	1.1
8	blueness	1.7	# @ECLASS: selinux-policy-2.eclass
9			# @MAINTAINER:
10			# selinux@gentoo.org
11			# @BLURB: This eclass supports the deployment of the various SELinux modules in sec-policy
12			# @DESCRIPTION:
13			# The selinux-policy-2.eclass supports deployment of the various SELinux modules
14			# defined in the sec-policy category. It is responsible for extracting the
15			# specific bits necessary for single-module deployment (instead of full-blown
16			# policy rebuilds) and applying the necessary patches.
17			#
18			# Also, it supports for bundling patches to make the whole thing just a bit more
19			# manageable.
20
21			# @ECLASS-VARIABLE: MODS
22			# @DESCRIPTION:
23			# This variable contains the (upstream) module name for the SELinux module.
24			# This name is only the module name, not the category!
25			: ${MODS:="_illegal"}
26
27			# @ECLASS-VARIABLE: BASEPOL
28			# @DESCRIPTION:
29			# This variable contains the version string of the selinux-base-policy package
30			# that this module build depends on. It is used to patch with the appropriate
31			# patch bundle(s) that are part of selinux-base-policy.
32			: ${BASEPOL:=""}
33
34			# @ECLASS-VARIABLE: POLICY_PATCH
35			# @DESCRIPTION:
36			# This variable contains the additional patch(es) that need to be applied on top
37			# of the patchset already contained within the BASEPOL variable. The variable
38			# can be both a simple string (space-separated) or a bash array.
39			: ${POLICY_PATCH:=""}
40
41			# @ECLASS-VARIABLE: POLICY_TYPES
42			# @DESCRIPTION:
43			# This variable informs the eclass for which SELinux policies the module should
44			# be built. Currently, Gentoo supports targeted, strict, mcs and mls.
45			# This variable is the same POLICY_TYPES variable that we tell SELinux
46			# users to set in /etc/make.conf. Therefor, it is not the module that should
47			# override it, but the user.
48			: ${POLICY_TYPES:="targeted strict mcs mls"}
49
50	pebenito	1.1	inherit eutils
51
52			IUSE=""
53
54			HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
55	blueness	1.7	if [[ -n ${BASEPOL} ]];
56			then
57			SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2
58	swift	1.8	http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
59	blueness	1.7	else
60			SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2"
61			fi
62	pebenito	1.1
63			LICENSE="GPL-2"
64			SLOT="0"
65			S="${WORKDIR}/"
66	blueness	1.7	PATCHBUNDLE="${DISTDIR}/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
67	pebenito	1.1
68	blueness	1.7	# Modules should always depend on at least the first release of the
69			# selinux-base-policy for which they are generated.
70			if [[ -n ${BASEPOL} ]];
71			then
72			RDEPEND=">=sys-apps/policycoreutils-2.0.82
73			>=sec-policy/selinux-base-policy-${BASEPOL}"
74			else
75			RDEPEND=">=sys-apps/policycoreutils-2.0.82
76			>=sec-policy/selinux-base-policy-${PV}"
77			fi
78	pebenito	1.1	DEPEND="${RDEPEND}
79			sys-devel/m4
80	blueness	1.7	>=sys-apps/checkpolicy-2.0.21"
81	pebenito	1.1
82	blueness	1.7	SELINUX_EXPF="src_unpack src_compile src_install pkg_postinst"
83			case "${EAPI:-0}" in
84			2\|3\|4) SELINUX_EXPF+=" src_prepare" ;;
85			*) ;;
86			esac
87
88			EXPORT_FUNCTIONS ${SELINUX_EXPF}
89
90			# @FUNCTION: selinux-policy-2_src_unpack
91			# @DESCRIPTION:
92			# Unpack the policy sources as offered by upstream (refpolicy). In case of EAPI
93			# older than 2, call src_prepare too.
94	pebenito	1.1	selinux-policy-2_src_unpack() {
95	blueness	1.7	unpack ${A}
96
97			# Call src_prepare explicitly for EAPI 0 or 1
98			has "${EAPI:-0}" 0 1 && selinux-policy-2_src_prepare
99			}
100
101			# @FUNCTION: selinux-policy-2_src_prepare
102			# @DESCRIPTION:
103			# Patch the reference policy sources with our set of enhancements. Start with
104			# the base patchbundle referred to by the ebuilds through the BASEPOL variable,
105			# then apply the additional patches as offered by the ebuild.
106			#
107			# Next, extract only those files needed for this particular module (i.e. the .te
108			# and .fc files for the given module in the MODS variable).
109			#
110			# Finally, prepare the build environments for each of the supported SELinux
111			# types (such as targeted or strict), depending on the POLICY_TYPES variable
112			# content.
113			selinux-policy-2_src_prepare() {
114	pebenito	1.2	local modfiles
115
116	blueness	1.7	# Patch the sources with the base patchbundle
117			if [[ -n ${BASEPOL} ]];
118			then
119			cd "${S}"
120			epatch "${PATCHBUNDLE}"
121			fi
122
123			# Apply the additional patches refered to by the module ebuild.
124			# But first some magic to differentiate between bash arrays and strings
125			if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" == "declare -a"* ]];
126			then
127			cd "${S}/refpolicy/policy/modules"
128			for POLPATCH in "${POLICY_PATCH[@]}";
129			do
130			epatch "${POLPATCH}"
131			done
132			else
133			if [[ -n ${POLICY_PATCH} ]];
134			then
135			cd "${S}/refpolicy/policy/modules"
136			for POLPATCH in ${POLICY_PATCH};
137			do
138			epatch "${POLPATCH}"
139			done
140			fi
141			fi
142	pebenito	1.1
143	blueness	1.7	# Collect only those files needed for this particular module
144	pebenito	1.1	for i in ${MODS}; do
145	blueness	1.7	modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
146			modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
147	pebenito	1.1	done
148
149			for i in ${POLICY_TYPES}; do
150	blueness	1.7	mkdir "${S}"/${i} \|\| die "Failed to create directory ${S}/${i}"
151			cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \
152			\|\| die "Failed to copy Makefile.example to ${S}/${i}/Makefile"
153	kaiowas	1.3
154	blueness	1.7	cp ${modfiles} "${S}"/${i} \
155			\|\| die "Failed to copy the module files to ${S}/${i}"
156	pebenito	1.1	done
157			}
158
159	blueness	1.7	# @FUNCTION: selinux-policy-2_src_compile
160			# @DESCRIPTION:
161			# Build the SELinux policy module (.pp file) for just the selected module, and
162			# this for each SELinux policy mentioned in POLICY_TYPES
163	pebenito	1.1	selinux-policy-2_src_compile() {
164			for i in ${POLICY_TYPES}; do
165	blueness	1.7	# Parallel builds are broken, so we need to force -j1 here
166			emake -j1 NAME=$i -C "${S}"/${i} \|\| die "${i} compile failed"
167	pebenito	1.1	done
168			}
169
170	blueness	1.7	# @FUNCTION: selinux-policy-2_src_install
171			# @DESCRIPTION:
172			# Install the built .pp files in the correct subdirectory within
173			# /usr/share/selinux.
174	pebenito	1.1	selinux-policy-2_src_install() {
175	pebenito	1.2	local BASEDIR="/usr/share/selinux"
176	pebenito	1.1
177			for i in ${POLICY_TYPES}; do
178			for j in ${MODS}; do
179	blueness	1.7	einfo "Installing ${i} ${j} policy package"
180	pebenito	1.1	insinto ${BASEDIR}/${i}
181	blueness	1.7	doins "${S}"/${i}/${j}.pp \|\| die "Failed to add ${j}.pp to ${i}"
182	pebenito	1.1	done
183			done
184			}
185
186	blueness	1.7	# @FUNCTION: selinux-policy-2_pkg_postinst
187			# @DESCRIPTION:
188			# Install the built .pp files in the SELinux policy stores, effectively
189			# activating the policy on the system.
190	pebenito	1.1	selinux-policy-2_pkg_postinst() {
191			# build up the command in the case of multiple modules
192			local COMMAND
193			for i in ${MODS}; do
194			COMMAND="-i ${i}.pp ${COMMAND}"
195			done
196
197	blueness	1.5	for i in ${POLICY_TYPES}; do
198			einfo "Inserting the following modules into the $i module store: ${MODS}"
199	pebenito	1.1
200	blueness	1.7	cd /usr/share/selinux/${i} \|\| die "Could not enter /usr/share/selinux/${i}"
201	blueness	1.6	semodule -s ${i} ${COMMAND} \|\| die "Failed to load in modules ${MODS} in the $i policy store"
202	blueness	1.5	done
203	pebenito	1.1	}
204