Revision 1.30 - (hide annotations) (download)
Sun Dec 7 11:13:35 2014 UTC (2 months, 3 weeks ago) by perfinion
Branch: MAIN
CVS Tags: HEAD
Changes since 1.29: +4 -4 lines
update SRC_URI

1 swift 1.21 # Copyright 1999-2014 Gentoo Foundation
2 pebenito 1.1 # Distributed under the terms of the GNU General Public License v2
3 perfinion 1.30 # $Header: /var/cvsroot/gentoo-x86/eclass/selinux-policy-2.eclass,v 1.29 2014/12/05 09:23:03 perfinion Exp $
4 pebenito 1.1
5     # Eclass for installing SELinux policy, and optionally
6 blueness 1.5 # reloading the reference-policy based modules.
7 pebenito 1.1
8 blueness 1.7 # @ECLASS: selinux-policy-2.eclass
9 vapier 1.9 # @MAINTAINER:
10 blueness 1.7 # selinux@gentoo.org
11     # @BLURB: This eclass supports the deployment of the various SELinux modules in sec-policy
12     # @DESCRIPTION:
13     # The selinux-policy-2.eclass supports deployment of the various SELinux modules
14     # defined in the sec-policy category. It is responsible for extracting the
15     # specific bits necessary for single-module deployment (instead of full-blown
16     # policy rebuilds) and applying the necessary patches.
17 vapier 1.9 #
# Also, it supports bundling patches to make the whole thing just a bit more
19     # manageable.
20    
# @ECLASS-VARIABLE: MODS
# @DESCRIPTION:
# This variable contains the (upstream) module name for the SELinux module.
# This name is only the module name, not the category!
# The "_illegal" placeholder is what an ebuild gets when it forgets to set
# MODS; no such module exists, so the later source lookup finds nothing.
: ${MODS:="_illegal"}

# @ECLASS-VARIABLE: BASEPOL
# @DESCRIPTION:
# This variable contains the version string of the selinux-base-policy package
# that this module build depends on. It is used to patch with the appropriate
# patch bundle(s) that are part of selinux-base-policy.
# Defaults to the module's own PVR. The special value 9999 selects a live
# checkout from SELINUX_GIT_REPO instead of the release tarball and patchbundle.
: ${BASEPOL:=${PVR}}

# @ECLASS-VARIABLE: POLICY_PATCH
# @DESCRIPTION:
# This variable contains the additional patch(es) that need to be applied on top
# of the patchset already contained within the BASEPOL variable. The variable
# can be both a simple string (space-separated) or a bash array.
# Each entry is handed to epatch as given, with the refpolicy modules
# directory as the working directory.
: ${POLICY_PATCH:=""}

# @ECLASS-VARIABLE: POLICY_FILES
# @DESCRIPTION:
# When defined, this contains the files (located in the ebuilds' files/
# directory) which should be copied as policy module files into the store.
# Generally, users would want to include at least a .te and .fc file, but .if
# files are supported as well. The variable can be both a simple string
# (space-separated) or a bash array.
# Entries are resolved relative to FILESDIR and copied into the 3rd_party/
# module directory; listing a .if file also makes it part of the install.
: ${POLICY_FILES:=""}

# @ECLASS-VARIABLE: POLICY_TYPES
# @DESCRIPTION:
# This variable informs the eclass for which SELinux policies the module should
# be built. Currently, Gentoo supports targeted, strict, mcs and mls.
# This variable is the same POLICY_TYPES variable that we tell SELinux
# users to set in make.conf. Therefore, it is not the module that should
# override it, but the user.
# Every phase below loops over this list: one build directory, one install
# location and one module store per type.
: ${POLICY_TYPES:="targeted strict mcs mls"}

# @ECLASS-VARIABLE: SELINUX_GIT_REPO
# @DESCRIPTION:
# When defined, this variable overrides the default repository URL as used by
# this eclass. It allows end users to point to a different policy repository
# using a single variable, rather than having to set the packagename_LIVE_REPO
# variable for each and every SELinux policy module package they want to install.
# The default value is Gentoo's hardened-refpolicy repository.
# NOTE(review): the first default URL uses the git:// transport, which offers
# no transport-level authentication, so the integrity of a live (9999)
# checkout depends on the network path; the https:// mirror listed after it
# is the authenticated alternative. Only live builds are affected: release
# builds fetch distfiles that Portage checks against the Manifest.
: ${SELINUX_GIT_REPO:="git://git.overlays.gentoo.org/proj/hardened-refpolicy.git https://git.overlays.gentoo.org/gitroot/proj/hardened-refpolicy.git"};

# @ECLASS-VARIABLE: SELINUX_GIT_BRANCH
# @DESCRIPTION:
# When defined, this variable sets the Git branch to use of the repository. This
# allows for users and developers to use a different branch for the entire set of
# SELinux policy packages, rather than having to override them one by one with the
# packagename_LIVE_BRANCH variable.
# The default value is the 'master' branch.
: ${SELINUX_GIT_BRANCH:="master"};
76    
# A BASEPOL of 9999 means a live checkout: pull in git-2 and point it at the
# (user-overridable) repository and branch. Any other value is a release
# tarball build and needs no extra eclass.
extra_eclass=""
if [[ ${BASEPOL} == 9999 ]]; then
	extra_eclass="git-2"
	EGIT_REPO_URI="${SELINUX_GIT_REPO}"
	EGIT_BRANCH="${SELINUX_GIT_BRANCH}"
	EGIT_SOURCEDIR="${WORKDIR}/refpolicy"
fi

inherit eutils ${extra_eclass}
86 pebenito 1.1
IUSE=""

HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"

# Distfiles are chosen by BASEPOL: a live (9999) build fetches nothing here
# (git-2 handles it), a release without BASEPOL needs only the upstream
# refpolicy tarball, and a release with BASEPOL also needs Gentoo's
# patchbundle for that base-policy version. The patchbundle is served over
# plain http; its integrity rests on Portage's Manifest digest check.
case "${BASEPOL}" in
	9999)
		SRC_URI=""
		;;
	"")
		SRC_URI="https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2"
		;;
	*)
		SRC_URI="https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2
	http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
		;;
esac
100 pebenito 1.1
LICENSE="GPL-2"
SLOT="0"
S="${WORKDIR}/"
# Location of the fetched base-policy patchbundle (only meaningful when
# BASEPOL names a release).
PATCHBUNDLE="${DISTDIR}/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"

# Modules should always depend on at least the first release of the
# selinux-base-policy for which they are generated; without an explicit
# BASEPOL that release is the module's own version (PV).
RDEPEND=">=sys-apps/policycoreutils-2.0.82
	>=sec-policy/selinux-base-policy-${BASEPOL:-${PV}}"
DEPEND="${RDEPEND}
	sys-devel/m4
	>=sys-apps/checkpolicy-2.0.21"
119 pebenito 1.1
# Phase functions this eclass provides. src_prepare only exists as a phase
# from EAPI 2 on; for EAPI 0/1 src_unpack calls it by hand instead.
SELINUX_EXPF="src_unpack src_compile src_install pkg_postinst pkg_postrm"
if [[ ${EAPI:-0} == [2345] ]]; then
	SELINUX_EXPF+=" src_prepare"
fi

EXPORT_FUNCTIONS ${SELINUX_EXPF}
127    
# @FUNCTION: selinux-policy-2_src_unpack
# @DESCRIPTION:
# Unpack the policy sources as offered by upstream (refpolicy). In case of EAPI
# older than 2, call src_prepare too. A BASEPOL of 9999 means the sources come
# from a git-2 live checkout rather than from the distfiles in ${A}.
selinux-policy-2_src_unpack() {
	case "${BASEPOL}" in
		9999) git-2_src_unpack ;;
		*)    unpack ${A} ;;
	esac

	# EAPI 0 and 1 have no src_prepare phase, so run it from here.
	has "${EAPI:-0}" 0 1 && selinux-policy-2_src_prepare
}
143    
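# @FUNCTION: selinux-policy-2_src_prepare
# @DESCRIPTION:
# Patch the reference policy sources with our set of enhancements. Start with
# the base patchbundle referred to by the ebuilds through the BASEPOL variable,
# then apply the additional patches as offered by the ebuild.
#
# Next, extract only those files needed for this particular module (i.e. the .te
# and .fc files for the given module in the MODS variable).
#
# Finally, prepare the build environments for each of the supported SELinux
# types (such as targeted or strict), depending on the POLICY_TYPES variable
# content.
#
# Every directory change and copy is checked: a silent failure here would let
# the later steps patch or copy files in the wrong tree.
selinux-policy-2_src_prepare() {
	local -a modfiles=()
	local add_interfaces=0
	local moddir="${S}/refpolicy/policy/modules"
	local exts="te fc"
	local i f ext

	# Create 3rd_party location for user-contributed policies. Everything
	# below works relative to this tree, so do not continue if it is missing.
	cd "${moddir}" || die "Could not enter ${moddir}"
	mkdir 3rd_party || die "Could not create ${moddir}/3rd_party"

	# Patch the sources with the base patchbundle (release builds only; a
	# live 9999 checkout is used as-is).
	if [[ -n ${BASEPOL} ]] && [[ "${BASEPOL}" != "9999" ]];
	then
		cd "${S}" || die "Could not enter ${S}"
		EPATCH_MULTI_MSG="Applying SELinux policy updates ... " \
		EPATCH_SUFFIX="patch" \
		EPATCH_SOURCE="${WORKDIR}" \
		EPATCH_FORCE="yes" \
		epatch
	fi

	# Call in epatch_user. We do this early on as we start moving
	# files left and right hereafter.
	epatch_user

	# Copy additional files to the 3rd_party/ location. POLICY_FILES may be
	# a bash array or a space-separated string: 'declare -p' tells the two
	# apart, and the unquoted expansion below deliberately word-splits the
	# string form.
	if [[ "$(declare -p POLICY_FILES 2>/dev/null)" == "declare -a"* ]] ||
	   [[ -n ${POLICY_FILES} ]];
	then
		add_interfaces=1
		cd "${moddir}" || die "Could not enter ${moddir}"
		for f in ${POLICY_FILES[@]};
		do
			cp "${FILESDIR}/${f}" 3rd_party/ || die "Could not copy ${f} to 3rd_party/ location"
		done
	fi

	# Apply the additional patches referred to by the module ebuild.
	# Same array-or-string handling as for POLICY_FILES.
	if [[ "$(declare -p POLICY_PATCH 2>/dev/null)" == "declare -a"* ]] ||
	   [[ -n ${POLICY_PATCH} ]];
	then
		cd "${moddir}" || die "Could not enter ${moddir}"
		for f in ${POLICY_PATCH[@]};
		do
			epatch "${f}"
		done
	fi

	# Collect only those files needed for this particular module: the .te and
	# .fc of every module in MODS, plus the .if when the ebuild shipped its own
	# interface files. NUL-delimited find output keeps the paths intact.
	if [ ${add_interfaces} -eq 1 ];
	then
		exts="te fc if"
	fi
	for i in ${MODS}; do
		for ext in ${exts}; do
			while IFS= read -r -d '' f; do
				modfiles+=("${f}")
			done < <(find "${moddir}" -iname "${i}.${ext}" -print0)
		done
	done
	# An empty list would otherwise surface as a cryptic cp usage error.
	[ ${#modfiles[@]} -gt 0 ] || die "No policy sources found for module(s) ${MODS} below ${moddir}"

	# One build directory per policy type, each with a copy of upstream's
	# example Makefile and the module sources.
	for i in ${POLICY_TYPES}; do
		mkdir "${S}"/${i} || die "Failed to create directory ${S}/${i}"
		cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \
			|| die "Failed to copy Makefile.example to ${S}/${i}/Makefile"

		cp "${modfiles[@]}" "${S}"/${i} \
			|| die "Failed to copy the module files to ${S}/${i}"
	done
}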
221    
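# @FUNCTION: selinux-policy-2_src_compile
# @DESCRIPTION:
# Build the SELinux policy module (.pp file) for just the selected module, and
# this for each SELinux policy mentioned in POLICY_TYPES. Every enabled flag in
# IUSE is passed to m4 (via M4PARAM) as -D use_<flag> so the policy sources can
# key on it.
selinux-policy-2_src_compile() {
	local makeuse=""
	local useflag i
	for useflag in ${IUSE};
	do
		# IUSE entries may carry a default prefix ('+flag' / '-flag'); strip it
		# before asking use(), otherwise such a flag would never be matched.
		useflag=${useflag#[+-]}
		use ${useflag} && makeuse="${makeuse} -D use_${useflag}"
	done

	# Support USE flags in builds. The value is the same for every policy
	# type, so export it once instead of once per iteration.
	export M4PARAM="${makeuse}"

	for i in ${POLICY_TYPES}; do
		if [[ ${BASEPOL} == 2.20140311* ]]; then
			# Parallel builds are broken in 2.20140311-r7 and earlier, bug 530178
			emake -j1 NAME=$i -C "${S}"/${i} || die "${i} compile failed"
		else
			emake NAME=$i -C "${S}"/${i} || die "${i} compile failed"
		fi
	done
}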
244    
# @FUNCTION: selinux-policy-2_src_install
# @DESCRIPTION:
# Install the built .pp files in the correct subdirectory within
# /usr/share/selinux. Interface (.if) files that the ebuild listed in
# POLICY_FILES go to the include/3rd_party subdirectory of the same store.
selinux-policy-2_src_install() {
	local BASEDIR="/usr/share/selinux"
	local ptype mod

	for ptype in ${POLICY_TYPES}; do
		for mod in ${MODS}; do
			einfo "Installing ${ptype} ${mod} policy package"
			insinto ${BASEDIR}/${ptype}
			doins "${S}"/${ptype}/${mod}.pp || die "Failed to add ${mod}.pp to ${ptype}"

			# The .if was only copied into the build tree when the ebuild
			# listed it in POLICY_FILES. Note this is a substring match on the
			# joined list, so a module whose name is a suffix of another listed
			# file (e.g. a constructed 'foo' vs 'barfoo.if') also matches.
			if [[ "${POLICY_FILES[@]}" == *"${mod}.if"* ]];
			then
				insinto ${BASEDIR}/${ptype}/include/3rd_party
				doins "${S}"/${ptype}/${mod}.if || die "Failed to add ${mod}.if to ${ptype}"
			fi
		done
	done
}
266    
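# @FUNCTION: selinux-policy-2_pkg_postinst
# @DESCRIPTION:
# Install the built .pp files in the SELinux policy stores, effectively
# activating the policy on the system. This runs on the live system at merge
# time: a failed incremental load is followed by a full rebuild of the store
# (base.pp plus every module found in it), and the packages depending on this
# module are relabelled afterwards so the new file contexts take effect.
selinux-policy-2_pkg_postinst() {
	local i pp
	local -a semargs=()
	local -a modules=()
	local pkgset=""

	# Build up the semodule arguments once, for the case of multiple modules.
	for i in ${MODS}; do
		semargs=(-i "${i}.pp" "${semargs[@]}")
	done

	for i in ${POLICY_TYPES}; do
		if [ "${i}" == "strict" ] && [ "${MODS}" = "unconfined" ];
		then
			einfo "Ignoring loading of unconfined module in strict module store.";
			continue;
		fi
		einfo "Inserting the following modules into the $i module store: ${MODS}"

		# The .pp files were installed into the store's directory by
		# src_install, so work from inside it; -s selects the store.
		cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/${i}"
		if ! semodule -s ${i} "${semargs[@]}";
		then
			ewarn "SELinux module load failed. Trying full reload...";
			# Rebuild the store from scratch: base.pp plus every other module
			# present. Outside the targeted store unconfined.pp is left out.
			# A glob replaces parsing ls output, and matching the exact file
			# name avoids the substring hit that 'grep -v base.pp' had.
			modules=()
			for pp in *.pp; do
				[[ -e ${pp} ]] || continue
				case "${pp}" in
					base.pp) continue ;;
					unconfined.pp) [ "${i}" == "targeted" ] || continue ;;
				esac
				modules+=("${pp}")
			done
			if semodule -s ${i} -b base.pp -i "${modules[@]}";
			then
				einfo "SELinux modules reloaded succesfully."
			else
				ewarn "Failed to reload SELinux policies."
				ewarn ""
				ewarn "If this is *not* the last SELinux module package being installed,"
				ewarn "then you can safely ignore this as the reloads will be retried"
				ewarn "with other, recent modules."
				ewarn ""
				ewarn "If it is the last SELinux module package being installed however,"
				ewarn "then it is advised to look at the error above and take appropriate"
				ewarn "action since the new SELinux policies are not loaded until the"
				ewarn "command finished succesfully."
				ewarn ""
				ewarn "To reload, run the following command from within /usr/share/selinux/${i}:"
				ewarn " semodule -b base.pp -i \$(ls *.pp | grep -v base.pp)"
				ewarn "or"
				ewarn " semodule -b base.pp -i \$(ls *.pp | grep -v base.pp | grep -v unconfined.pp)"
				ewarn "depending on if you need the unconfined domain loaded as well or not."
			fi
		else
			einfo "SELinux modules loaded succesfully."
		fi
	done

	# Relabel depending packages: ask whichever query tool is installed for
	# the reverse dependencies of this module, minus the policy packages
	# themselves, and hand them to rlpkg.
	if [ -x /usr/bin/qdepends ] ; then
		pkgset=$(/usr/bin/qdepends -Cq -r -Q ${CATEGORY}/${PN} | grep -v "sec-policy/selinux-");
	elif [ -x /usr/bin/equery ] ; then
		pkgset=$(/usr/bin/equery -Cq depends ${CATEGORY}/${PN} | grep -v "sec-policy/selinux-");
	fi
	if [ -n "${pkgset}" ] ; then
		# Intentionally unquoted: rlpkg takes one package per word.
		rlpkg ${pkgset};
	fi
}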
334    
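# @FUNCTION: selinux-policy-2_pkg_postrm
# @DESCRIPTION:
# Uninstall the module(s) from the SELinux policy stores, effectively
# deactivating the policy on the system. Nothing is unloaded when the package
# is merely being replaced by another version (REPLACED_BY_VERSION set, EAPI 4
# and later); older EAPIs do not provide that information and always unload.
selinux-policy-2_pkg_postrm() {
	local i
	local -a semargs=()

	# Only if we are not upgrading. 'has' is used instead of an arithmetic
	# compare so a non-numeric EAPI string cannot trip [[ -lt ]]; this is the
	# same idiom src_unpack uses for its EAPI check.
	if has "${EAPI:-0}" 0 1 2 3 || [[ -z "${REPLACED_BY_VERSION}" ]];
	then
		# build up the command in the case of multiple modules
		for i in ${MODS}; do
			semargs=(-r "${i}" "${semargs[@]}")
		done

		for i in ${POLICY_TYPES}; do
			einfo "Removing the following modules from the $i module store: ${MODS}"

			if ! semodule -s ${i} "${semargs[@]}";
			then
				ewarn "SELinux module unload failed.";
			else
				einfo "SELinux modules unloaded succesfully."
			fi
		done
	fi
}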
