
Diff of /eclass/selinux-policy-2.eclass


Revision 1.11 Revision 1.12
1# Copyright 1999-2011 Gentoo Foundation 1# Copyright 1999-2012 Gentoo Foundation
2# Distributed under the terms of the GNU General Public License v2 2# Distributed under the terms of the GNU General Public License v2
3# $Header: /var/cvsroot/gentoo-x86/eclass/selinux-policy-2.eclass,v 1.11 2011/08/29 01:28:10 vapier Exp $ 3# $Header: /var/cvsroot/gentoo-x86/eclass/selinux-policy-2.eclass,v 1.12 2012/05/26 14:25:02 swift Exp $
4 4
5# Eclass for installing SELinux policy, and optionally 5# Eclass for installing SELinux policy, and optionally
6# reloading the reference-policy based modules. 6# reloading the reference-policy based modules.
7 7
8# @ECLASS: selinux-policy-2.eclass 8# @ECLASS: selinux-policy-2.eclass
35# @DESCRIPTION: 35# @DESCRIPTION:
36# This variable contains the additional patch(es) that need to be applied on top 36# This variable contains the additional patch(es) that need to be applied on top
37# of the patchset already contained within the BASEPOL variable. The variable 37# of the patchset already contained within the BASEPOL variable. The variable
38# can be both a simple string (space-separated) or a bash array. 38# can be both a simple string (space-separated) or a bash array.
39: ${POLICY_PATCH:=""} 39: ${POLICY_PATCH:=""}
40
41# @ECLASS-VARIABLE: POLICY_FILES
42# @DESCRIPTION:
43# When defined, this contains the files (located in the ebuilds' files/
44# directory) which should be copied as policy module files into the store.
45# Generally, users would want to include at least a .te and .fc file, but .if
46# files are supported as well. The variable can be both a simple string
47# (space-separated) or a bash array.
48: ${POLICY_FILES:=""}
40 49
41# @ECLASS-VARIABLE: POLICY_TYPES 50# @ECLASS-VARIABLE: POLICY_TYPES
42# @DESCRIPTION: 51# @DESCRIPTION:
43# This variable informs the eclass for which SELinux policies the module should 52# This variable informs the eclass for which SELinux policies the module should
44# be built. Currently, Gentoo supports targeted, strict, mcs and mls. 53# be built. Currently, Gentoo supports targeted, strict, mcs and mls.
110# Finally, prepare the build environments for each of the supported SELinux 119# Finally, prepare the build environments for each of the supported SELinux
111# types (such as targeted or strict), depending on the POLICY_TYPES variable 120# types (such as targeted or strict), depending on the POLICY_TYPES variable
112# content. 121# content.
113selinux-policy-2_src_prepare() { 122selinux-policy-2_src_prepare() {
114 local modfiles 123 local modfiles
124 local add_interfaces=0;
125
126 # Create 3rd_party location for user-contributed policies
127 cd "${S}/refpolicy/policy/modules" && mkdir 3rd_party;
115 128
116 # Patch the sources with the base patchbundle 129 # Patch the sources with the base patchbundle
117 if [[ -n ${BASEPOL} ]]; 130 if [[ -n ${BASEPOL} ]];
118 then 131 then
119 cd "${S}" 132 cd "${S}"
122 EPATCH_SOURCE="${WORKDIR}" \ 135 EPATCH_SOURCE="${WORKDIR}" \
123 EPATCH_FORCE="yes" \ 136 EPATCH_FORCE="yes" \
124 epatch 137 epatch
125 fi 138 fi
126 139
140 # Copy additional files to the 3rd_party/ location
141 if [[ "$(declare -p POLICY_FILES 2>/dev/null 2>&1)" == "declare -a"* ]] ||
142 [[ -n ${POLICY_FILES} ]];
143 then
144 add_interfaces=1;
145 cd "${S}/refpolicy/policy/modules"
146 for POLFILE in ${POLICY_FILES[@]};
147 do
148 cp "${FILESDIR}/${POLFILE}" 3rd_party/ || die "Could not copy ${POLFILE} to 3rd_party/ location";
149 done
150 fi
151
127 # Apply the additional patches refered to by the module ebuild. 152 # Apply the additional patches refered to by the module ebuild.
128 # But first some magic to differentiate between bash arrays and strings 153 # But first some magic to differentiate between bash arrays and strings
129 if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" == "declare -a"* ]]; 154 if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" == "declare -a"* ]] ||
155 [[ -n ${POLICY_PATCH} ]];
130 then 156 then
131 cd "${S}/refpolicy/policy/modules" 157 cd "${S}/refpolicy/policy/modules"
132 for POLPATCH in "${POLICY_PATCH[@]}"; 158 for POLPATCH in ${POLICY_PATCH[@]};
133 do 159 do
134 epatch "${POLPATCH}" 160 epatch "${POLPATCH}"
135 done 161 done
136 else
137 if [[ -n ${POLICY_PATCH} ]];
138 then
139 cd "${S}/refpolicy/policy/modules"
140 for POLPATCH in ${POLICY_PATCH};
141 do
142 epatch "${POLPATCH}"
143 done
144 fi
145 fi 162 fi
146 163
147 # Collect only those files needed for this particular module 164 # Collect only those files needed for this particular module
148 for i in ${MODS}; do 165 for i in ${MODS}; do
149 modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles" 166 modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
150 modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles" 167 modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
168 if [ ${add_interfaces} -eq 1 ];
169 then
170 modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.if) $modfiles"
171 fi
151 done 172 done
152 173
153 for i in ${POLICY_TYPES}; do 174 for i in ${POLICY_TYPES}; do
154 mkdir "${S}"/${i} || die "Failed to create directory ${S}/${i}" 175 mkdir "${S}"/${i} || die "Failed to create directory ${S}/${i}"
155 cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \ 176 cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \
181 for i in ${POLICY_TYPES}; do 202 for i in ${POLICY_TYPES}; do
182 for j in ${MODS}; do 203 for j in ${MODS}; do
183 einfo "Installing ${i} ${j} policy package" 204 einfo "Installing ${i} ${j} policy package"
184 insinto ${BASEDIR}/${i} 205 insinto ${BASEDIR}/${i}
185 doins "${S}"/${i}/${j}.pp || die "Failed to add ${j}.pp to ${i}" 206 doins "${S}"/${i}/${j}.pp || die "Failed to add ${j}.pp to ${i}"
207
208 if [[ "${POLICY_FILES[@]}" == *"${j}.if"* ]];
209 then
210 insinto ${BASEDIR}/${i}/include/3rd_party
211 doins "${S}"/${i}/${j}.if || die "Failed to add ${j}.if to ${i}"
212 fi
186 done 213 done
187 done 214 done
188} 215}
189 216
190# @FUNCTION: selinux-policy-2_pkg_postinst 217# @FUNCTION: selinux-policy-2_pkg_postinst
200 227
201 for i in ${POLICY_TYPES}; do 228 for i in ${POLICY_TYPES}; do
202 einfo "Inserting the following modules into the $i module store: ${MODS}" 229 einfo "Inserting the following modules into the $i module store: ${MODS}"
203 230
204 cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/${i}" 231 cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/${i}"
205 semodule -s ${i} ${COMMAND} || die "Failed to load in modules ${MODS} in the $i policy store" 232 semodule -s ${i} ${COMMAND}
233 if [ $? -ne 0 ];
234 then
235 ewarn "SELinux module load failed. Trying full reload...";
236 if [ "${i}" == "targeted" ];
237 then
238 semodule -s ${i} -b base.pp -i $(ls *.pp | grep -v base.pp);
239 else
240 semodule -s ${i} -b base.pp -i $(ls *.pp | grep -v base.pp | grep -v unconfined.pp);
241 fi
242 if [ $? -ne 0 ];
243 then
244 eerror "Failed to reload SELinux policies."
245 eerror ""
246 eerror "If this is *not* the last SELinux module package being installed,"
247 eerror "then you can safely ignore this as the reloads will be retried"
248 eerror "with other, recent modules."
249 eerror ""
250 eerror "If it is the last SELinux module package being installed however,"
251 eerror "then it is advised to look at the error above and take appropriate"
252 eerror "action since the new SELinux policies are not loaded until the"
253 eerror "command finished succesfully."
254 eerror ""
255 eerror "To reload, run the following command from within /usr/share/selinux/${i}:"
256 eerror " semodule -b base.pp -i \$(ls *.pp | grep -v base.pp)"
257 eerror "or"
258 eerror " semodule -b base.pp -i \$(ls *.pp | grep -v base.pp | grep -v unconfined.pp)"
259 eerror "depending on if you need the unconfined domain loaded as well or not."
260 else
261 einfo "SELinux modules reloaded succesfully."
262 fi
263 else
264 einfo "SELinux modules loaded succesfully."
265 fi
206 done 266 done
207} 267}
208 268
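Review bot: The membership test `[[ "${POLICY_FILES[@]}" == *"${j}.if"* ]]` in the install loop (new line 208) is a plain substring match over the joined list, so a module named `ssh` is also matched by a supplied file `openssh.if`, and the following `doins "${S}"/${i}/${j}.if` then dies for an interface file that was never provided. Anchoring the match on the separators fixes it for both the string and the array form of POLICY_FILES, and `[*]` avoids relying on how `[[` flattens a quoted `[@]` expansion: `if [[ " ${POLICY_FILES[*]} " == *" ${j}.if "* ]];`. The function containing this loop starts outside the hunk, so its header and any earlier use of POLICY_FILES are not visible here. Separately, `cd "${S}/refpolicy/policy/modules" && mkdir 3rd_party;` in src_prepare (new line 127) ignores failure of either command, so a missing or pre-existing 3rd_party/ is first reported by the later `cp ... 3rd_party/`; appending `|| die "Could not create 3rd_party/ module directory"` fails at the cause instead. In pkg_postinst the `if [ $? -ne 0 ]` after the inner if/fi (new line 242) depends on the exit status of the compound command being that of the last semodule run, which holds but is easy to break by inserting a line; capturing the status explicitly (`rv=0; semodule ... || rv=$?`) would make the intent visible.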
