Revision 1.12 - (show annotations) (download)
Sat May 26 14:25:02 2012 UTC (2 years, 2 months ago) by swift
Branch: MAIN
Changes since 1.11: +74 -14 lines
Update on SELinux eclass, introducing support for user-provided policies and fix loading logic of SELinux modules (bugs #414599 and #414017)

1 # Copyright 1999-2012 Gentoo Foundation
2 # Distributed under the terms of the GNU General Public License v2
3 # $Header: /var/cvsroot/gentoo-x86/eclass/selinux-policy-2.eclass,v 1.11 2011/08/29 01:28:10 vapier Exp $
4
5 # Eclass for installing SELinux policy, and optionally
6 # reloading the reference-policy based modules.
7
8 # @ECLASS: selinux-policy-2.eclass
9 # @MAINTAINER:
10 # selinux@gentoo.org
11 # @BLURB: This eclass supports the deployment of the various SELinux modules in sec-policy
12 # @DESCRIPTION:
13 # The selinux-policy-2.eclass supports deployment of the various SELinux modules
14 # defined in the sec-policy category. It is responsible for extracting the
15 # specific bits necessary for single-module deployment (instead of full-blown
16 # policy rebuilds) and applying the necessary patches.
17 #
18 # Also, it supports bundling patches to make the whole thing just a bit more
19 # manageable.
20
# @ECLASS-VARIABLE: MODS
# @DESCRIPTION:
# The (upstream) module name of the SELinux module, e.g. "apache". Only the
# module name is expected here, never the category. The default is a marker
# value that no real module uses, so a forgotten assignment shows up early.
: "${MODS:=_illegal}"

# @ECLASS-VARIABLE: BASEPOL
# @DESCRIPTION:
# Version string of the selinux-base-policy package this module build depends
# on. When set, the matching patch bundle that ships with selinux-base-policy
# is fetched and applied on top of the reference policy sources.
: "${BASEPOL:=}"

# @ECLASS-VARIABLE: POLICY_PATCH
# @DESCRIPTION:
# Additional patch(es) to apply after the BASEPOL patch bundle. Either a
# space-separated string or a bash array is accepted.
: "${POLICY_PATCH:=}"

# @ECLASS-VARIABLE: POLICY_FILES
# @DESCRIPTION:
# Files from the ebuild's files/ directory that are copied into the policy
# store as module files. A .te and .fc file are the usual minimum; .if files
# are supported as well. Either a space-separated string or a bash array is
# accepted.
: "${POLICY_FILES:=}"

# @ECLASS-VARIABLE: POLICY_TYPES
# @DESCRIPTION:
# The SELinux policy types the module is built for. Gentoo currently supports
# targeted, strict, mcs and mls. This is the same POLICY_TYPES variable that
# SELinux users are told to set in /etc/make.conf; therefore it is the user,
# not the module, who is expected to override it.
: "${POLICY_TYPES:=targeted strict mcs mls}"
58
inherit eutils

IUSE=""

HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
LICENSE="GPL-2"
SLOT="0"
S="${WORKDIR}/"

# Every module is built from the upstream reference policy release matching
# ${PV}. When the ebuild pins a selinux-base-policy release through BASEPOL,
# the matching Gentoo patch bundle is fetched as well and the runtime
# dependency is on that release instead of ${PV}: a module should always
# depend on at least the first selinux-base-policy release it was generated for.
if [[ -n ${BASEPOL} ]]; then
	SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2
		http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
	RDEPEND=">=sys-apps/policycoreutils-2.0.82
		>=sec-policy/selinux-base-policy-${BASEPOL}"
else
	SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2"
	RDEPEND=">=sys-apps/policycoreutils-2.0.82
		>=sec-policy/selinux-base-policy-${PV}"
fi
PATCHBUNDLE="${DISTDIR}/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"

DEPEND="${RDEPEND}
	sys-devel/m4
	>=sys-apps/checkpolicy-2.0.21"

# src_prepare is a phase of its own only from EAPI 2 onwards; for EAPI 0 and 1
# selinux-policy-2_src_unpack calls it explicitly instead.
SELINUX_EXPF="src_unpack src_compile src_install pkg_postinst"
if [[ ${EAPI:-0} == [234] ]]; then
	SELINUX_EXPF+=" src_prepare"
fi

# Deliberately unquoted: EXPORT_FUNCTIONS takes one phase name per word.
EXPORT_FUNCTIONS ${SELINUX_EXPF}
98
# @FUNCTION: selinux-policy-2_src_unpack
# @DESCRIPTION:
# Unpack the policy sources as offered by upstream (refpolicy). For EAPI 0 and
# 1, which have no separate src_prepare phase, call our src_prepare as well.
selinux-policy-2_src_unpack() {
	local eapi="${EAPI:-0}"

	# ${A} is deliberately unquoted: it is a space-separated list of distfiles.
	unpack ${A}

	# EAPI 0 and 1 never run src_prepare on their own, so do it from here.
	# The status of this && expression is also the function's return status.
	has "${eapi}" 0 1 && selinux-policy-2_src_prepare
}
109
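# @FUNCTION: selinux-policy-2_src_prepare
# @DESCRIPTION:
# Patch the reference policy sources with our set of enhancements. Start with
# the base patchbundle referred to by the ebuilds through the BASEPOL variable,
# then apply the additional patches as offered by the ebuild.
#
# Next, extract only those files needed for this particular module (i.e. the .te
# and .fc files for the given module in the MODS variable, plus the .if file
# when the ebuild ships its own policy files through POLICY_FILES).
#
# Finally, prepare the build environments for each of the supported SELinux
# types (such as targeted or strict), depending on the POLICY_TYPES variable
# content.
#
# Dies when a directory cannot be entered or created, when a POLICY_FILES entry
# cannot be copied, when no .te file exists for a module in MODS, or when a
# per-type build directory cannot be populated.
selinux-policy-2_src_prepare() {
	local modfiles tefile
	local add_interfaces=0
	local i polfile polpatch
	local modsdir="${S}/refpolicy/policy/modules"

	# Create 3rd_party location for user-contributed policies
	cd "${modsdir}" || die "Could not enter ${modsdir}"
	mkdir 3rd_party || die "Could not create ${modsdir}/3rd_party"

	# Patch the sources with the base patchbundle (unpacked into WORKDIR)
	if [[ -n ${BASEPOL} ]]; then
		cd "${S}" || die "Could not enter ${S}"
		EPATCH_MULTI_MSG="Applying SELinux policy updates ... " \
		EPATCH_SUFFIX="patch" \
		EPATCH_SOURCE="${WORKDIR}" \
		EPATCH_FORCE="yes" \
		epatch
	fi

	# Copy additional files to the 3rd_party/ location. POLICY_FILES may be a
	# bash array or a space-separated string, hence the declare -p check next
	# to the plain non-empty test (an empty array is still "set").
	if [[ "$(declare -p POLICY_FILES 2>/dev/null)" == "declare -a"* ]] ||
	   [[ -n ${POLICY_FILES} ]]; then
		add_interfaces=1
		cd "${modsdir}" || die "Could not enter ${modsdir}"
		# Unquoted on purpose: word-splits the string form, iterates the array form.
		for polfile in ${POLICY_FILES[@]}; do
			cp "${FILESDIR}/${polfile}" 3rd_party/ || die "Could not copy ${polfile} to 3rd_party/ location"
		done
	fi

	# Apply the additional patches referred to by the module ebuild, with the
	# same array-or-string handling as for POLICY_FILES.
	if [[ "$(declare -p POLICY_PATCH 2>/dev/null)" == "declare -a"* ]] ||
	   [[ -n ${POLICY_PATCH} ]]; then
		cd "${modsdir}" || die "Could not enter ${modsdir}"
		for polpatch in ${POLICY_PATCH[@]}; do
			epatch "${polpatch}"
		done
	fi

	# Collect only those files needed for this particular module. Every module
	# needs a .te file, so fail here with a clear message instead of letting
	# the later cp choke on an empty file list.
	for i in ${MODS}; do
		tefile="$(find "${modsdir}" -iname "${i}.te")"
		[[ -n ${tefile} ]] || die "Could not find ${i}.te below ${modsdir}"
		modfiles="${tefile} ${modfiles}"
		modfiles="$(find "${modsdir}" -iname "${i}.fc") ${modfiles}"
		if [[ ${add_interfaces} -eq 1 ]]; then
			modfiles="$(find "${modsdir}" -iname "${i}.if") ${modfiles}"
		fi
	done

	# One build directory per policy type, each with its own Makefile and a
	# copy of the module sources.
	for i in ${POLICY_TYPES}; do
		mkdir "${S}"/${i} || die "Failed to create directory ${S}/${i}"
		cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \
			|| die "Failed to copy Makefile.example to ${S}/${i}/Makefile"

		# modfiles is a space-separated list, so it must stay unquoted here.
		cp ${modfiles} "${S}"/${i} \
			|| die "Failed to copy the module files to ${S}/${i}"
	done
}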
183
# @FUNCTION: selinux-policy-2_src_compile
# @DESCRIPTION:
# Build the SELinux policy module (.pp file) for just the selected module, once
# for every SELinux policy type listed in POLICY_TYPES. Dies when a build fails.
selinux-policy-2_src_compile() {
	local ptype

	for ptype in ${POLICY_TYPES}; do
		# Parallel builds are broken, so -j1 is forced regardless of MAKEOPTS
		emake -j1 NAME="${ptype}" -C "${S}/${ptype}" \
			|| die "${ptype} compile failed"
	done
}
194
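# @FUNCTION: selinux-policy-2_src_install
# @DESCRIPTION:
# Install the built .pp files in the correct subdirectory within
# /usr/share/selinux. An interface (.if) file is installed into the
# include/3rd_party/ directory of each policy type only when the ebuild listed
# that file in POLICY_FILES. Dies when a file cannot be installed.
selinux-policy-2_src_install() {
	local BASEDIR="/usr/share/selinux"
	local i j polfile

	for i in ${POLICY_TYPES}; do
		for j in ${MODS}; do
			einfo "Installing ${i} ${j} policy package"
			insinto ${BASEDIR}/${i}
			doins "${S}"/${i}/${j}.pp || die "Failed to add ${j}.pp to ${i}"

			# Ship the interface file only when the ebuild provided one for
			# this module. Compare file names exactly rather than with a
			# substring match, so that e.g. "myfoo.if" does not trigger an
			# install of foo.if. POLICY_FILES may be a string or an array,
			# hence the unquoted expansion.
			for polfile in ${POLICY_FILES[@]}; do
				if [[ ${polfile##*/} == "${j}.if" ]]; then
					insinto ${BASEDIR}/${i}/include/3rd_party
					doins "${S}"/${i}/${j}.if || die "Failed to add ${j}.if to ${i}"
					break
				fi
			done
		done
	done
}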
216
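# @FUNCTION: selinux-policy-2_pkg_postinst
# @DESCRIPTION:
# Install the built .pp files in the SELinux policy stores, effectively
# activating the policy on the system. If inserting only the new module(s)
# fails, a full reload of base.pp together with every module package in the
# store is attempted (for non-targeted stores unconfined.pp is left out).
# A failed reload is reported with eerror but does not die, since a later
# module package may complete the reload.
selinux-policy-2_pkg_postinst() {
	local i pp
	local -a semargs=()
	local -a packages=()

	# build up the command in the case of multiple modules
	for i in ${MODS}; do
		semargs+=(-i "${i}.pp")
	done

	for i in ${POLICY_TYPES}; do
		einfo "Inserting the following modules into the $i module store: ${MODS}"

		cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/${i}"
		if semodule -s ${i} "${semargs[@]}"; then
			einfo "SELinux modules loaded succesfully."
			continue
		fi

		ewarn "SELinux module load failed. Trying full reload..."
		# Collect every module package except the base policy; outside the
		# targeted store the unconfined module is skipped as well. Names are
		# compared exactly instead of piping ls through grep -v, whose regex
		# would also drop unrelated modules such as a "database.pp".
		packages=()
		for pp in *.pp; do
			[[ -e ${pp} ]] || continue
			[[ ${pp} == base.pp ]] && continue
			[[ ${i} != targeted && ${pp} == unconfined.pp ]] && continue
			packages+=("${pp}")
		done

		if semodule -s ${i} -b base.pp -i "${packages[@]}"; then
			einfo "SELinux modules reloaded succesfully."
		else
			eerror "Failed to reload SELinux policies."
			eerror ""
			eerror "If this is *not* the last SELinux module package being installed,"
			eerror "then you can safely ignore this as the reloads will be retried"
			eerror "with other, recent modules."
			eerror ""
			eerror "If it is the last SELinux module package being installed however,"
			eerror "then it is advised to look at the error above and take appropriate"
			eerror "action since the new SELinux policies are not loaded until the"
			eerror "command finished succesfully."
			eerror ""
			eerror "To reload, run the following command from within /usr/share/selinux/${i}:"
			eerror " semodule -b base.pp -i \$(ls *.pp | grep -v base.pp)"
			eerror "or"
			eerror " semodule -b base.pp -i \$(ls *.pp | grep -v base.pp | grep -v unconfined.pp)"
			eerror "depending on if you need the unconfined domain loaded as well or not."
		fi
	done
}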
