gentoo-x86/eclass/selinux-policy-2.eclass

# Copyright 1999-2012 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/eclass/selinux-policy-2.eclass,v 1.13 2012/07/26 12:53:01 swift Exp $

# Eclass for installing SELinux policy, and optionally
# reloading the reference-policy based modules.

# @ECLASS: selinux-policy-2.eclass
# @MAINTAINER:
# selinux@gentoo.org
# @BLURB: This eclass supports the deployment of the various SELinux modules in sec-policy
# @DESCRIPTION:
# The selinux-policy-2.eclass supports deployment of the various SELinux modules
# defined in the sec-policy category. It is responsible for extracting the
# specific bits necessary for single-module deployment (instead of full-blown
# policy rebuilds) and applying the necessary patches.
#
# Also, it supports for bundling patches to make the whole thing just a bit more
# manageable.

# @ECLASS-VARIABLE: MODS
# @DESCRIPTION:
# This variable contains the (upstream) module name for the SELinux module.
# This name is only the module name, not the category!
: ${MODS:="_illegal"}

# @ECLASS-VARIABLE: BASEPOL
# @DESCRIPTION:
# This variable contains the version string of the selinux-base-policy package
# that this module build depends on. It is used to patch with the appropriate
# patch bundle(s) that are part of selinux-base-policy.
: ${BASEPOL:=""}

# @ECLASS-VARIABLE: POLICY_PATCH
# @DESCRIPTION:
# This variable contains the additional patch(es) that need to be applied on top
# of the patchset already contained within the BASEPOL variable. The variable
# can be both a simple string (space-separated) or a bash array.
: ${POLICY_PATCH:=""}

# @ECLASS-VARIABLE: POLICY_FILES
# @DESCRIPTION:
# When defined, this contains the files (located in the ebuilds' files/
# directory) which should be copied as policy module files into the store.
# Generally, users would want to include at least a .te and .fc file, but .if
# files are supported as well. The variable can be both a simple string
# (space-separated) or a bash array.
: ${POLICY_FILES:=""}

# @ECLASS-VARIABLE: POLICY_TYPES
# @DESCRIPTION:
# This variable informs the eclass for which SELinux policies the module should
# be built. Currently, Gentoo supports targeted, strict, mcs and mls.
# This variable is the same POLICY_TYPES variable that we tell SELinux
# users to set in /etc/make.conf. Therefor, it is not the module that should
# override it, but the user.
: ${POLICY_TYPES:="targeted strict mcs mls"}

extra_eclass=""
case ${BASEPOL} in
        9999)   extra_eclass="git-2";
                        EGIT_REPO_URI="git://git.overlays.gentoo.org/proj/hardened-refpolicy.git";
                        EGIT_SOURCEDIR="${WORKDIR}/refpolicy";;
esac

inherit eutils ${extra_eclass}

IUSE=""

HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
if [[ -n ${BASEPOL} ]] && [[ "${BASEPOL}" != "9999" ]];
then
        SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2
                http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
elif [[ "${BASEPOL}" != "9999" ]];
then
        SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2"
else
        SRC_URI=""
fi

LICENSE="GPL-2"
SLOT="0"
S="${WORKDIR}/"
PATCHBUNDLE="${DISTDIR}/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"

# Modules should always depend on at least the first release of the
# selinux-base-policy for which they are generated.
if [[ -n ${BASEPOL} ]];
then
        RDEPEND=">=sys-apps/policycoreutils-2.0.82
                >=sec-policy/selinux-base-policy-${BASEPOL}"
else
        RDEPEND=">=sys-apps/policycoreutils-2.0.82
                >=sec-policy/selinux-base-policy-${PV}"
fi
DEPEND="${RDEPEND}
        sys-devel/m4
        >=sys-apps/checkpolicy-2.0.21"

SELINUX_EXPF="src_unpack src_compile src_install pkg_postinst"
case "${EAPI:-0}" in
        2|3|4) SELINUX_EXPF+=" src_prepare" ;;
        *) ;;
esac

EXPORT_FUNCTIONS ${SELINUX_EXPF}

# @FUNCTION: selinux-policy-2_src_unpack
# @DESCRIPTION:
# Unpack the policy sources as offered by upstream (refpolicy). In case of EAPI
# older than 2, call src_prepare too.
selinux-policy-2_src_unpack() {
        if [[ "${BASEPOL}" != "9999" ]];
        then
                unpack ${A}
        else
                git-2_src_unpack
        fi

        # Call src_prepare explicitly for EAPI 0 or 1
        has "${EAPI:-0}" 0 1 && selinux-policy-2_src_prepare
}

# @FUNCTION: selinux-policy-2_src_prepare
# @DESCRIPTION:
# Patch the reference policy sources with our set of enhancements. Start with
# the base patchbundle referred to by the ebuilds through the BASEPOL variable,
# then apply the additional patches as offered by the ebuild.
#
# Next, extract only those files needed for this particular module (i.e. the .te
# and .fc files for the given module in the MODS variable).
#
# Finally, prepare the build environments for each of the supported SELinux
# types (such as targeted or strict), depending on the POLICY_TYPES variable
# content.
selinux-policy-2_src_prepare() {
        local modfiles
        local add_interfaces=0;

        # Create 3rd_party location for user-contributed policies
        cd "${S}/refpolicy/policy/modules" && mkdir 3rd_party;

        # Patch the sources with the base patchbundle
        if [[ -n ${BASEPOL} ]] && [[ "${BASEPOL}" != "9999" ]];
        then
                cd "${S}"
                EPATCH_MULTI_MSG="Applying SELinux policy updates ... " \
                EPATCH_SUFFIX="patch" \
                EPATCH_SOURCE="${WORKDIR}" \
                EPATCH_FORCE="yes" \
                epatch
        fi

        # Copy additional files to the 3rd_party/ location
        if [[ "$(declare -p POLICY_FILES 2>/dev/null 2>&1)" == "declare -a"* ]] ||
           [[ -n ${POLICY_FILES} ]];
        then
            add_interfaces=1;
                cd "${S}/refpolicy/policy/modules"
                for POLFILE in ${POLICY_FILES[@]};
                do
                        cp "${FILESDIR}/${POLFILE}" 3rd_party/ || die "Could not copy ${POLFILE} to 3rd_party/ location";
                done
        fi

        # Apply the additional patches refered to by the module ebuild.
        # But first some magic to differentiate between bash arrays and strings
        if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" == "declare -a"* ]] ||
           [[ -n ${POLICY_PATCH} ]];
        then
                cd "${S}/refpolicy/policy/modules"
                for POLPATCH in ${POLICY_PATCH[@]};
                do
                        epatch "${POLPATCH}"
                done
        fi

        # Collect only those files needed for this particular module
        for i in ${MODS}; do
                modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
                modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
                if [ ${add_interfaces} -eq 1 ];
                then
                        modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.if) $modfiles"
                fi
        done

        for i in ${POLICY_TYPES}; do
                mkdir "${S}"/${i} || die "Failed to create directory ${S}/${i}"
                cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \
                        || die "Failed to copy Makefile.example to ${S}/${i}/Makefile"

                cp ${modfiles} "${S}"/${i} \
                        || die "Failed to copy the module files to ${S}/${i}"
        done
}

# @FUNCTION: selinux-policy-2_src_compile
# @DESCRIPTION:
# Build the SELinux policy module (.pp file) for just the selected module, and
# this for each SELinux policy mentioned in POLICY_TYPES
selinux-policy-2_src_compile() {
        for i in ${POLICY_TYPES}; do
                # Parallel builds are broken, so we need to force -j1 here
                emake -j1 NAME=$i -C "${S}"/${i} || die "${i} compile failed"
        done
}

# @FUNCTION: selinux-policy-2_src_install
# @DESCRIPTION:
# Install the built .pp files in the correct subdirectory within
# /usr/share/selinux.
selinux-policy-2_src_install() {
        local BASEDIR="/usr/share/selinux"

        for i in ${POLICY_TYPES}; do
                for j in ${MODS}; do
                        einfo "Installing ${i} ${j} policy package"
                        insinto ${BASEDIR}/${i}
                        doins "${S}"/${i}/${j}.pp || die "Failed to add ${j}.pp to ${i}"

                        if [[ "${POLICY_FILES[@]}" == *"${j}.if"* ]];
                        then
                                insinto ${BASEDIR}/${i}/include/3rd_party
                                doins "${S}"/${i}/${j}.if || die "Failed to add ${j}.if to ${i}"
                        fi
                done
        done
}

# @FUNCTION: selinux-policy-2_pkg_postinst
# @DESCRIPTION:
# Install the built .pp files in the SELinux policy stores, effectively
# activating the policy on the system.
selinux-policy-2_pkg_postinst() {
        # build up the command in the case of multiple modules
        local COMMAND
        for i in ${MODS}; do
                COMMAND="-i ${i}.pp ${COMMAND}"
        done

        for i in ${POLICY_TYPES}; do
                einfo "Inserting the following modules into the $i module store: ${MODS}"

                cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/${i}"
                semodule -s ${i} ${COMMAND}
                if [ $? -ne 0 ];
                then
                        ewarn "SELinux module load failed. Trying full reload...";
                        if [ "${i}" == "targeted" ];
                        then
                                semodule -s ${i} -b base.pp -i $(ls *.pp | grep -v base.pp);
                        else
                                semodule -s ${i} -b base.pp -i $(ls *.pp | grep -v base.pp | grep -v unconfined.pp);
                        fi
                        if [ $? -ne 0 ];
                        then
                                ewarn "Failed to reload SELinux policies."
                                ewarn ""
                                ewarn "If this is *not* the last SELinux module package being installed,"
                                ewarn "then you can safely ignore this as the reloads will be retried"
                                ewarn "with other, recent modules."
                                ewarn ""
                                ewarn "If it is the last SELinux module package being installed however,"
                                ewarn "then it is advised to look at the error above and take appropriate"
                                ewarn "action since the new SELinux policies are not loaded until the"
                                ewarn "command finished succesfully."
                                ewarn ""
                                ewarn "To reload, run the following command from within /usr/share/selinux/${i}:"
                                ewarn "  semodule -b base.pp -i \$(ls *.pp | grep -v base.pp)"
                                ewarn "or"
                                ewarn "  semodule -b base.pp -i \$(ls *.pp | grep -v base.pp | grep -v unconfined.pp)"
                                ewarn "depending on if you need the unconfined domain loaded as well or not."
                        else
                                einfo "SELinux modules reloaded succesfully."
                        fi
                else
                        einfo "SELinux modules loaded succesfully."
                fi
        done
}
1	# Copyright 1999-2012 Gentoo Foundation
2	# Distributed under the terms of the GNU General Public License v2
3	# $Header: /var/cvsroot/gentoo-x86/eclass/selinux-policy-2.eclass,v 1.13 2012/07/26 12:53:01 swift Exp $
4
5	# Eclass for installing SELinux policy, and optionally
6	# reloading the reference-policy based modules.
7
8	# @ECLASS: selinux-policy-2.eclass
9	# @MAINTAINER:
10	# selinux@gentoo.org
11	# @BLURB: This eclass supports the deployment of the various SELinux modules in sec-policy
12	# @DESCRIPTION:
13	# The selinux-policy-2.eclass supports deployment of the various SELinux modules
14	# defined in the sec-policy category. It is responsible for extracting the
15	# specific bits necessary for single-module deployment (instead of full-blown
16	# policy rebuilds) and applying the necessary patches.
17	#
18	# Also, it supports for bundling patches to make the whole thing just a bit more
19	# manageable.
20
21	# @ECLASS-VARIABLE: MODS
22	# @DESCRIPTION:
23	# This variable contains the (upstream) module name for the SELinux module.
24	# This name is only the module name, not the category!
25	: ${MODS:="_illegal"}
26
27	# @ECLASS-VARIABLE: BASEPOL
28	# @DESCRIPTION:
29	# This variable contains the version string of the selinux-base-policy package
30	# that this module build depends on. It is used to patch with the appropriate
31	# patch bundle(s) that are part of selinux-base-policy.
32	: ${BASEPOL:=""}
33
34	# @ECLASS-VARIABLE: POLICY_PATCH
35	# @DESCRIPTION:
36	# This variable contains the additional patch(es) that need to be applied on top
37	# of the patchset already contained within the BASEPOL variable. The variable
38	# can be both a simple string (space-separated) or a bash array.
39	: ${POLICY_PATCH:=""}
40
41	# @ECLASS-VARIABLE: POLICY_FILES
42	# @DESCRIPTION:
43	# When defined, this contains the files (located in the ebuilds' files/
44	# directory) which should be copied as policy module files into the store.
45	# Generally, users would want to include at least a .te and .fc file, but .if
46	# files are supported as well. The variable can be both a simple string
47	# (space-separated) or a bash array.
48	: ${POLICY_FILES:=""}
49
50	# @ECLASS-VARIABLE: POLICY_TYPES
51	# @DESCRIPTION:
52	# This variable informs the eclass for which SELinux policies the module should
53	# be built. Currently, Gentoo supports targeted, strict, mcs and mls.
54	# This variable is the same POLICY_TYPES variable that we tell SELinux
55	# users to set in /etc/make.conf. Therefor, it is not the module that should
56	# override it, but the user.
57	: ${POLICY_TYPES:="targeted strict mcs mls"}
58
59	extra_eclass=""
60	case ${BASEPOL} in
61	9999) extra_eclass="git-2";
62	EGIT_REPO_URI="git://git.overlays.gentoo.org/proj/hardened-refpolicy.git";
63	EGIT_SOURCEDIR="${WORKDIR}/refpolicy";;
64	esac
65
66	inherit eutils ${extra_eclass}
67
68	IUSE=""
69
70	HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
71	if [[ -n ${BASEPOL} ]] && [[ "${BASEPOL}" != "9999" ]];
72	then
73	SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2
74	http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
75	elif [[ "${BASEPOL}" != "9999" ]];
76	then
77	SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2"
78	else
79	SRC_URI=""
80	fi
81
82	LICENSE="GPL-2"
83	SLOT="0"
84	S="${WORKDIR}/"
85	PATCHBUNDLE="${DISTDIR}/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
86
87	# Modules should always depend on at least the first release of the
88	# selinux-base-policy for which they are generated.
89	if [[ -n ${BASEPOL} ]];
90	then
91	RDEPEND=">=sys-apps/policycoreutils-2.0.82
92	>=sec-policy/selinux-base-policy-${BASEPOL}"
93	else
94	RDEPEND=">=sys-apps/policycoreutils-2.0.82
95	>=sec-policy/selinux-base-policy-${PV}"
96	fi
97	DEPEND="${RDEPEND}
98	sys-devel/m4
99	>=sys-apps/checkpolicy-2.0.21"
100
101	SELINUX_EXPF="src_unpack src_compile src_install pkg_postinst"
102	case "${EAPI:-0}" in
103	2\|3\|4) SELINUX_EXPF+=" src_prepare" ;;
104	*) ;;
105	esac
106
107	EXPORT_FUNCTIONS ${SELINUX_EXPF}
108
109	# @FUNCTION: selinux-policy-2_src_unpack
110	# @DESCRIPTION:
111	# Unpack the policy sources as offered by upstream (refpolicy). In case of EAPI
112	# older than 2, call src_prepare too.
113	selinux-policy-2_src_unpack() {
114	if [[ "${BASEPOL}" != "9999" ]];
115	then
116	unpack ${A}
117	else
118	git-2_src_unpack
119	fi
120
121	# Call src_prepare explicitly for EAPI 0 or 1
122	has "${EAPI:-0}" 0 1 && selinux-policy-2_src_prepare
123	}
124
125	# @FUNCTION: selinux-policy-2_src_prepare
126	# @DESCRIPTION:
127	# Patch the reference policy sources with our set of enhancements. Start with
128	# the base patchbundle referred to by the ebuilds through the BASEPOL variable,
129	# then apply the additional patches as offered by the ebuild.
130	#
131	# Next, extract only those files needed for this particular module (i.e. the .te
132	# and .fc files for the given module in the MODS variable).
133	#
134	# Finally, prepare the build environments for each of the supported SELinux
135	# types (such as targeted or strict), depending on the POLICY_TYPES variable
136	# content.
137	selinux-policy-2_src_prepare() {
138	local modfiles
139	local add_interfaces=0;
140
141	# Create 3rd_party location for user-contributed policies
142	cd "${S}/refpolicy/policy/modules" && mkdir 3rd_party;
143
144	# Patch the sources with the base patchbundle
145	if [[ -n ${BASEPOL} ]] && [[ "${BASEPOL}" != "9999" ]];
146	then
147	cd "${S}"
148	EPATCH_MULTI_MSG="Applying SELinux policy updates ... " \
149	EPATCH_SUFFIX="patch" \
150	EPATCH_SOURCE="${WORKDIR}" \
151	EPATCH_FORCE="yes" \
152	epatch
153	fi
154
155	# Copy additional files to the 3rd_party/ location
156	if [[ "$(declare -p POLICY_FILES 2>/dev/null 2>&1)" == "declare -a"* ]] \|\|
157	[[ -n ${POLICY_FILES} ]];
158	then
159	add_interfaces=1;
160	cd "${S}/refpolicy/policy/modules"
161	for POLFILE in ${POLICY_FILES[@]};
162	do
163	cp "${FILESDIR}/${POLFILE}" 3rd_party/ \|\| die "Could not copy ${POLFILE} to 3rd_party/ location";
164	done
165	fi
166
167	# Apply the additional patches refered to by the module ebuild.
168	# But first some magic to differentiate between bash arrays and strings
169	if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" == "declare -a"* ]] \|\|
170	[[ -n ${POLICY_PATCH} ]];
171	then
172	cd "${S}/refpolicy/policy/modules"
173	for POLPATCH in ${POLICY_PATCH[@]};
174	do
175	epatch "${POLPATCH}"
176	done
177	fi
178
179	# Collect only those files needed for this particular module
180	for i in ${MODS}; do
181	modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
182	modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
183	if [ ${add_interfaces} -eq 1 ];
184	then
185	modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.if) $modfiles"
186	fi
187	done
188
189	for i in ${POLICY_TYPES}; do
190	mkdir "${S}"/${i} \|\| die "Failed to create directory ${S}/${i}"
191	cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \
192	\|\| die "Failed to copy Makefile.example to ${S}/${i}/Makefile"
193
194	cp ${modfiles} "${S}"/${i} \
195	\|\| die "Failed to copy the module files to ${S}/${i}"
196	done
197	}
198
199	# @FUNCTION: selinux-policy-2_src_compile
200	# @DESCRIPTION:
201	# Build the SELinux policy module (.pp file) for just the selected module, and
202	# this for each SELinux policy mentioned in POLICY_TYPES
203	selinux-policy-2_src_compile() {
204	for i in ${POLICY_TYPES}; do
205	# Parallel builds are broken, so we need to force -j1 here
206	emake -j1 NAME=$i -C "${S}"/${i} \|\| die "${i} compile failed"
207	done
208	}
209
210	# @FUNCTION: selinux-policy-2_src_install
211	# @DESCRIPTION:
212	# Install the built .pp files in the correct subdirectory within
213	# /usr/share/selinux.
214	selinux-policy-2_src_install() {
215	local BASEDIR="/usr/share/selinux"
216
217	for i in ${POLICY_TYPES}; do
218	for j in ${MODS}; do
219	einfo "Installing ${i} ${j} policy package"
220	insinto ${BASEDIR}/${i}
221	doins "${S}"/${i}/${j}.pp \|\| die "Failed to add ${j}.pp to ${i}"
222
223	if [[ "${POLICY_FILES[@]}" == "${j}.if" ]];
224	then
225	insinto ${BASEDIR}/${i}/include/3rd_party
226	doins "${S}"/${i}/${j}.if \|\| die "Failed to add ${j}.if to ${i}"
227	fi
228	done
229	done
230	}
231
232	# @FUNCTION: selinux-policy-2_pkg_postinst
233	# @DESCRIPTION:
234	# Install the built .pp files in the SELinux policy stores, effectively
235	# activating the policy on the system.
236	selinux-policy-2_pkg_postinst() {
237	# build up the command in the case of multiple modules
238	local COMMAND
239	for i in ${MODS}; do
240	COMMAND="-i ${i}.pp ${COMMAND}"
241	done
242
243	for i in ${POLICY_TYPES}; do
244	einfo "Inserting the following modules into the $i module store: ${MODS}"
245
246	cd /usr/share/selinux/${i} \|\| die "Could not enter /usr/share/selinux/${i}"
247	semodule -s ${i} ${COMMAND}
248	if [ $? -ne 0 ];
249	then
250	ewarn "SELinux module load failed. Trying full reload...";
251	if [ "${i}" == "targeted" ];
252	then
253	semodule -s ${i} -b base.pp -i $(ls *.pp \| grep -v base.pp);
254	else
255	semodule -s ${i} -b base.pp -i $(ls *.pp \| grep -v base.pp \| grep -v unconfined.pp);
256	fi
257	if [ $? -ne 0 ];
258	then
259	ewarn "Failed to reload SELinux policies."
260	ewarn ""
261	ewarn "If this is not the last SELinux module package being installed,"
262	ewarn "then you can safely ignore this as the reloads will be retried"
263	ewarn "with other, recent modules."
264	ewarn ""
265	ewarn "If it is the last SELinux module package being installed however,"
266	ewarn "then it is advised to look at the error above and take appropriate"
267	ewarn "action since the new SELinux policies are not loaded until the"
268	ewarn "command finished succesfully."
269	ewarn ""
270	ewarn "To reload, run the following command from within /usr/share/selinux/${i}:"
271	ewarn " semodule -b base.pp -i \$(ls *.pp \| grep -v base.pp)"
272	ewarn "or"
273	ewarn " semodule -b base.pp -i \$(ls *.pp \| grep -v base.pp \| grep -v unconfined.pp)"
274	ewarn "depending on if you need the unconfined domain loaded as well or not."
275	else
276	einfo "SELinux modules reloaded succesfully."
277	fi
278	else
279	einfo "SELinux modules loaded succesfully."
280	fi
281	done
282	}