/[gentoo-x86]/eclass/selinux-policy-2.eclass
Gentoo

Contents of /eclass/selinux-policy-2.eclass

Parent Directory Parent Directory | Revision Log Revision Log


Revision 1.21 - (show annotations) (download)
Sun Mar 30 09:14:56 2014 UTC (5 months, 3 weeks ago) by swift
Branch: MAIN
Changes since 1.20: +9 -2 lines
Add support for USE triggered policy decisions in SELinux eclass

1 # Copyright 1999-2014 Gentoo Foundation
2 # Distributed under the terms of the GNU General Public License v2
3 # $Header: /var/cvsroot/gentoo-x86/eclass/selinux-policy-2.eclass,v 1.20 2013/12/16 14:31:04 swift Exp $
4
5 # Eclass for installing SELinux policy, and optionally
6 # reloading the reference-policy based modules.
7
8 # @ECLASS: selinux-policy-2.eclass
9 # @MAINTAINER:
10 # selinux@gentoo.org
11 # @BLURB: This eclass supports the deployment of the various SELinux modules in sec-policy
12 # @DESCRIPTION:
13 # The selinux-policy-2.eclass supports deployment of the various SELinux modules
14 # defined in the sec-policy category. It is responsible for extracting the
15 # specific bits necessary for single-module deployment (instead of full-blown
16 # policy rebuilds) and applying the necessary patches.
17 #
18 # Also, it supports for bundling patches to make the whole thing just a bit more
19 # manageable.
20
21 # @ECLASS-VARIABLE: MODS
22 # @DESCRIPTION:
23 # This variable contains the (upstream) module name for the SELinux module.
24 # This name is only the module name, not the category!
25 : ${MODS:="_illegal"}
26
27 # @ECLASS-VARIABLE: BASEPOL
28 # @DESCRIPTION:
29 # This variable contains the version string of the selinux-base-policy package
30 # that this module build depends on. It is used to patch with the appropriate
31 # patch bundle(s) that are part of selinux-base-policy.
32 : ${BASEPOL:=""}
33
34 # @ECLASS-VARIABLE: POLICY_PATCH
35 # @DESCRIPTION:
36 # This variable contains the additional patch(es) that need to be applied on top
37 # of the patchset already contained within the BASEPOL variable. The variable
38 # can be both a simple string (space-separated) or a bash array.
39 : ${POLICY_PATCH:=""}
40
41 # @ECLASS-VARIABLE: POLICY_FILES
42 # @DESCRIPTION:
43 # When defined, this contains the files (located in the ebuilds' files/
44 # directory) which should be copied as policy module files into the store.
45 # Generally, users would want to include at least a .te and .fc file, but .if
46 # files are supported as well. The variable can be both a simple string
47 # (space-separated) or a bash array.
48 : ${POLICY_FILES:=""}
49
50 # @ECLASS-VARIABLE: POLICY_TYPES
51 # @DESCRIPTION:
52 # This variable informs the eclass for which SELinux policies the module should
53 # be built. Currently, Gentoo supports targeted, strict, mcs and mls.
54 # This variable is the same POLICY_TYPES variable that we tell SELinux
55 # users to set in make.conf. Therefore, it is not the module that should
56 # override it, but the user.
57 : ${POLICY_TYPES:="targeted strict mcs mls"}
58
59 extra_eclass=""
60 case ${BASEPOL} in
61 9999) extra_eclass="git-2";
62 EGIT_REPO_URI="git://git.overlays.gentoo.org/proj/hardened-refpolicy.git https://git.overlays.gentoo.org/gitroot/proj/hardened-refpolicy.git";
63 EGIT_SOURCEDIR="${WORKDIR}/refpolicy";;
64 esac
65
66 inherit eutils ${extra_eclass}
67
68 IUSE=""
69
70 HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
71 if [[ -n ${BASEPOL} ]] && [[ "${BASEPOL}" != "9999" ]];
72 then
73 SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2
74 http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
75 elif [[ "${BASEPOL}" != "9999" ]];
76 then
77 SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2"
78 else
79 SRC_URI=""
80 fi
81
82 LICENSE="GPL-2"
83 SLOT="0"
84 S="${WORKDIR}/"
85 PATCHBUNDLE="${DISTDIR}/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
86
87 # Modules should always depend on at least the first release of the
88 # selinux-base-policy for which they are generated.
89 if [[ -n ${BASEPOL} ]];
90 then
91 RDEPEND=">=sys-apps/policycoreutils-2.0.82
92 >=sec-policy/selinux-base-policy-${BASEPOL}"
93 else
94 RDEPEND=">=sys-apps/policycoreutils-2.0.82
95 >=sec-policy/selinux-base-policy-${PV}"
96 fi
97 DEPEND="${RDEPEND}
98 sys-devel/m4
99 >=sys-apps/checkpolicy-2.0.21"
100
101 SELINUX_EXPF="src_unpack src_compile src_install pkg_postinst pkg_postrm"
102 case "${EAPI:-0}" in
103 2|3|4|5) SELINUX_EXPF+=" src_prepare" ;;
104 *) ;;
105 esac
106
107 EXPORT_FUNCTIONS ${SELINUX_EXPF}
108
109 # @FUNCTION: selinux-policy-2_src_unpack
110 # @DESCRIPTION:
111 # Unpack the policy sources as offered by upstream (refpolicy). In case of EAPI
112 # older than 2, call src_prepare too.
113 selinux-policy-2_src_unpack() {
114 if [[ "${BASEPOL}" != "9999" ]];
115 then
116 unpack ${A}
117 else
118 git-2_src_unpack
119 fi
120
121 # Call src_prepare explicitly for EAPI 0 or 1
122 has "${EAPI:-0}" 0 1 && selinux-policy-2_src_prepare
123 }
124
125 # @FUNCTION: selinux-policy-2_src_prepare
126 # @DESCRIPTION:
127 # Patch the reference policy sources with our set of enhancements. Start with
128 # the base patchbundle referred to by the ebuilds through the BASEPOL variable,
129 # then apply the additional patches as offered by the ebuild.
130 #
131 # Next, extract only those files needed for this particular module (i.e. the .te
132 # and .fc files for the given module in the MODS variable).
133 #
134 # Finally, prepare the build environments for each of the supported SELinux
135 # types (such as targeted or strict), depending on the POLICY_TYPES variable
136 # content.
137 selinux-policy-2_src_prepare() {
138 local modfiles
139 local add_interfaces=0;
140
141 # Create 3rd_party location for user-contributed policies
142 cd "${S}/refpolicy/policy/modules" && mkdir 3rd_party;
143
144 # Patch the sources with the base patchbundle
145 if [[ -n ${BASEPOL} ]] && [[ "${BASEPOL}" != "9999" ]];
146 then
147 cd "${S}"
148 EPATCH_MULTI_MSG="Applying SELinux policy updates ... " \
149 EPATCH_SUFFIX="patch" \
150 EPATCH_SOURCE="${WORKDIR}" \
151 EPATCH_FORCE="yes" \
152 epatch
153 fi
154
155 # Call in epatch_user. We do this early on as we start moving
156 # files left and right hereafter.
157 epatch_user
158
159 # Copy additional files to the 3rd_party/ location
160 if [[ "$(declare -p POLICY_FILES 2>/dev/null 2>&1)" == "declare -a"* ]] ||
161 [[ -n ${POLICY_FILES} ]];
162 then
163 add_interfaces=1;
164 cd "${S}/refpolicy/policy/modules"
165 for POLFILE in ${POLICY_FILES[@]};
166 do
167 cp "${FILESDIR}/${POLFILE}" 3rd_party/ || die "Could not copy ${POLFILE} to 3rd_party/ location";
168 done
169 fi
170
171 # Apply the additional patches refered to by the module ebuild.
172 # But first some magic to differentiate between bash arrays and strings
173 if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" == "declare -a"* ]] ||
174 [[ -n ${POLICY_PATCH} ]];
175 then
176 cd "${S}/refpolicy/policy/modules"
177 for POLPATCH in ${POLICY_PATCH[@]};
178 do
179 epatch "${POLPATCH}"
180 done
181 fi
182
183 # Collect only those files needed for this particular module
184 for i in ${MODS}; do
185 modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
186 modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
187 if [ ${add_interfaces} -eq 1 ];
188 then
189 modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.if) $modfiles"
190 fi
191 done
192
193 for i in ${POLICY_TYPES}; do
194 mkdir "${S}"/${i} || die "Failed to create directory ${S}/${i}"
195 cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \
196 || die "Failed to copy Makefile.example to ${S}/${i}/Makefile"
197
198 cp ${modfiles} "${S}"/${i} \
199 || die "Failed to copy the module files to ${S}/${i}"
200 done
201 }
202
203 # @FUNCTION: selinux-policy-2_src_compile
204 # @DESCRIPTION:
205 # Build the SELinux policy module (.pp file) for just the selected module, and
206 # this for each SELinux policy mentioned in POLICY_TYPES
207 selinux-policy-2_src_compile() {
208 local makeuse=""
209 for useflag in ${IUSE};
210 do
211 use ${useflag} && makeuse="${makeuse} -D use_${useflag}"
212 done
213 for i in ${POLICY_TYPES}; do
214 # Support USE flags in builds
215 export M4PARAM="${makeuse}"
216 # Parallel builds are broken, so we need to force -j1 here
217 emake -j1 NAME=$i -C "${S}"/${i} || die "${i} compile failed"
218 done
219 }
220
221 # @FUNCTION: selinux-policy-2_src_install
222 # @DESCRIPTION:
223 # Install the built .pp files in the correct subdirectory within
224 # /usr/share/selinux.
225 selinux-policy-2_src_install() {
226 local BASEDIR="/usr/share/selinux"
227
228 for i in ${POLICY_TYPES}; do
229 for j in ${MODS}; do
230 einfo "Installing ${i} ${j} policy package"
231 insinto ${BASEDIR}/${i}
232 doins "${S}"/${i}/${j}.pp || die "Failed to add ${j}.pp to ${i}"
233
234 if [[ "${POLICY_FILES[@]}" == *"${j}.if"* ]];
235 then
236 insinto ${BASEDIR}/${i}/include/3rd_party
237 doins "${S}"/${i}/${j}.if || die "Failed to add ${j}.if to ${i}"
238 fi
239 done
240 done
241 }
242
243 # @FUNCTION: selinux-policy-2_pkg_postinst
244 # @DESCRIPTION:
245 # Install the built .pp files in the SELinux policy stores, effectively
246 # activating the policy on the system.
247 selinux-policy-2_pkg_postinst() {
248 # build up the command in the case of multiple modules
249 local COMMAND
250 for i in ${MODS}; do
251 COMMAND="-i ${i}.pp ${COMMAND}"
252 done
253
254 for i in ${POLICY_TYPES}; do
255 if [ "${i}" == "strict" ] && [ "${MODS}" = "unconfined" ];
256 then
257 einfo "Ignoring loading of unconfined module in strict module store.";
258 continue;
259 fi
260 einfo "Inserting the following modules into the $i module store: ${MODS}"
261
262 cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/${i}"
263 semodule -s ${i} ${COMMAND}
264 if [ $? -ne 0 ];
265 then
266 ewarn "SELinux module load failed. Trying full reload...";
267 if [ "${i}" == "targeted" ];
268 then
269 semodule -s ${i} -b base.pp -i $(ls *.pp | grep -v base.pp);
270 else
271 semodule -s ${i} -b base.pp -i $(ls *.pp | grep -v base.pp | grep -v unconfined.pp);
272 fi
273 if [ $? -ne 0 ];
274 then
275 ewarn "Failed to reload SELinux policies."
276 ewarn ""
277 ewarn "If this is *not* the last SELinux module package being installed,"
278 ewarn "then you can safely ignore this as the reloads will be retried"
279 ewarn "with other, recent modules."
280 ewarn ""
281 ewarn "If it is the last SELinux module package being installed however,"
282 ewarn "then it is advised to look at the error above and take appropriate"
283 ewarn "action since the new SELinux policies are not loaded until the"
284 ewarn "command finished succesfully."
285 ewarn ""
286 ewarn "To reload, run the following command from within /usr/share/selinux/${i}:"
287 ewarn " semodule -b base.pp -i \$(ls *.pp | grep -v base.pp)"
288 ewarn "or"
289 ewarn " semodule -b base.pp -i \$(ls *.pp | grep -v base.pp | grep -v unconfined.pp)"
290 ewarn "depending on if you need the unconfined domain loaded as well or not."
291 else
292 einfo "SELinux modules reloaded succesfully."
293 fi
294 else
295 einfo "SELinux modules loaded succesfully."
296 fi
297 done
298 }
299
300 # @FUNCTION: selinux-policy-2_pkg_postrm
301 # @DESCRIPTION:
302 # Uninstall the module(s) from the SELinux policy stores, effectively
303 # deactivating the policy on the system.
304 selinux-policy-2_pkg_postrm() {
305 # Only if we are not upgrading
306 if [[ "${EAPI}" -lt 4 || -z "${REPLACED_BY_VERSION}" ]];
307 then
308 # build up the command in the case of multiple modules
309 local COMMAND
310 for i in ${MODS}; do
311 COMMAND="-r ${i} ${COMMAND}"
312 done
313
314 for i in ${POLICY_TYPES}; do
315 einfo "Removing the following modules from the $i module store: ${MODS}"
316
317 semodule -s ${i} ${COMMAND}
318 if [ $? -ne 0 ];
319 then
320 ewarn "SELinux module unload failed.";
321 else
322 einfo "SELinux modules unloaded succesfully."
323 fi
324 done
325 fi
326 }

  ViewVC Help
Powered by ViewVC 1.1.20