Revision 1.30 - (show annotations) (download)
Sun Dec 7 11:13:35 2014 UTC (7 weeks, 1 day ago) by perfinion
Branch: MAIN
CVS Tags: HEAD
Changes since 1.29: +4 -4 lines
update SRC_URI

# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/eclass/selinux-policy-2.eclass,v 1.29 2014/12/05 09:23:03 perfinion Exp $

# Eclass for installing SELinux policy, and optionally
# reloading the reference-policy based modules.

# @ECLASS: selinux-policy-2.eclass
# @MAINTAINER:
# selinux@gentoo.org
# @BLURB: This eclass supports the deployment of the various SELinux modules in sec-policy
# @DESCRIPTION:
# The selinux-policy-2.eclass supports deployment of the various SELinux modules
# defined in the sec-policy category. It extracts the bits needed to build a
# single module (instead of a full-blown policy rebuild) and applies the
# necessary patches.
#
# It also supports bundling patches, which keeps the whole thing a bit more
# manageable.

# @ECLASS-VARIABLE: MODS
# @DESCRIPTION:
# The (upstream) module name for the SELinux module. This is only the module
# name, not the category!
: ${MODS:="_illegal"}

# @ECLASS-VARIABLE: BASEPOL
# @DESCRIPTION:
# The version string of the selinux-base-policy package this module build
# depends on. It selects the patch bundle(s) shipped as part of
# selinux-base-policy that get applied on top of the upstream sources.
: ${BASEPOL:=${PVR}}

# @ECLASS-VARIABLE: POLICY_PATCH
# @DESCRIPTION:
# Additional patch(es) applied on top of the patchset already selected through
# BASEPOL. Either a simple (space-separated) string or a bash array.
: ${POLICY_PATCH:=""}

# @ECLASS-VARIABLE: POLICY_FILES
# @DESCRIPTION:
# When defined, the files (located in the ebuild's files/ directory) that are
# copied as policy module files into the store. Usually at least a .te and a
# .fc file; .if files are supported as well. Either a simple (space-separated)
# string or a bash array.
: ${POLICY_FILES:=""}

# @ECLASS-VARIABLE: POLICY_TYPES
# @DESCRIPTION:
# The SELinux policy types the module is built for. Gentoo currently supports
# targeted, strict, mcs and mls. This is the same POLICY_TYPES variable users
# are told to set in make.conf, so the user - not the module - overrides it.
: ${POLICY_TYPES:="targeted strict mcs mls"}

# @ECLASS-VARIABLE: SELINUX_GIT_REPO
# @DESCRIPTION:
# When defined, overrides the default repository URL used by this eclass. It
# lets end users point every SELinux policy module package at a different
# policy repository with a single variable, instead of setting
# packagename_LIVE_REPO for each of them.
# The default value is Gentoo's hardened-refpolicy repository.
# NOTE(review): the first URL uses the git:// transport, which carries no
# transport authentication; the https mirror is listed second and is
# presumably only used as a fallback by git-2 - confirm. A live (9999)
# checkout has no Manifest digest, so its integrity rests on the transport.
: ${SELINUX_GIT_REPO:="git://git.overlays.gentoo.org/proj/hardened-refpolicy.git https://git.overlays.gentoo.org/gitroot/proj/hardened-refpolicy.git"}

# @ECLASS-VARIABLE: SELINUX_GIT_BRANCH
# @DESCRIPTION:
# When defined, the Git branch to use from the repository. Lets users and
# developers switch the whole set of SELinux policy packages to another branch
# instead of overriding packagename_LIVE_BRANCH one by one.
# The default value is the 'master' branch.
: ${SELINUX_GIT_BRANCH:="master"}

# Live ebuilds (BASEPOL 9999) pull the sources from git; everything else works
# from distfiles.
extra_eclass=""
if [[ ${BASEPOL} == "9999" ]]; then
	extra_eclass="git-2"
	EGIT_REPO_URI="${SELINUX_GIT_REPO}"
	EGIT_BRANCH="${SELINUX_GIT_BRANCH}"
	EGIT_SOURCEDIR="${WORKDIR}/refpolicy"
fi

inherit eutils ${extra_eclass}

IUSE=""

HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
if [[ ${BASEPOL} == "9999" ]]; then
	# live checkout: nothing to fetch
	SRC_URI=""
elif [[ -n ${BASEPOL} ]]; then
	# upstream sources plus the Gentoo patch bundle matching BASEPOL
	SRC_URI="https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2
	http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
else
	# no BASEPOL given: upstream sources only
	SRC_URI="https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2"
fi

LICENSE="GPL-2"
SLOT="0"
S="${WORKDIR}/"
PATCHBUNDLE="${DISTDIR}/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"

# Modules should always depend on at least the first release of the
# selinux-base-policy for which they are generated (BASEPOL, falling back
# to PV when BASEPOL is empty).
RDEPEND=">=sys-apps/policycoreutils-2.0.82
	>=sec-policy/selinux-base-policy-${BASEPOL:-${PV}}"
DEPEND="${RDEPEND}
	sys-devel/m4
	>=sys-apps/checkpolicy-2.0.21"

# src_prepare only exists as a phase from EAPI 2 onwards
SELINUX_EXPF="src_unpack src_compile src_install pkg_postinst pkg_postrm"
if [[ ${EAPI:-0} == [2345] ]]; then
	SELINUX_EXPF+=" src_prepare"
fi

EXPORT_FUNCTIONS ${SELINUX_EXPF}
127
# @FUNCTION: selinux-policy-2_src_unpack
# @DESCRIPTION:
# Unpack the policy sources as offered by upstream (refpolicy). In case of EAPI
# older than 2, call src_prepare too.
selinux-policy-2_src_unpack() {
	# Live ebuilds (BASEPOL 9999) check out the repository instead of
	# unpacking the distfiles listed in A.
	if [[ ${BASEPOL} == "9999" ]]; then
		git-2_src_unpack
	else
		unpack ${A}
	fi

	# EAPI 0 and 1 have no src_prepare phase, so run it from here. Kept as
	# an && list so the function's exit status is unchanged.
	has "${EAPI:-0}" 0 1 && selinux-policy-2_src_prepare
}
143
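# @FUNCTION: selinux-policy-2_src_prepare
# @DESCRIPTION:
# Patch the reference policy sources with our set of enhancements. Start with
# the base patchbundle referred to by the ebuilds through the BASEPOL variable,
# then apply the additional patches as offered by the ebuild.
#
# Next, extract only those files needed for this particular module (i.e. the .te
# and .fc files for the given module in the MODS variable, plus the .if file
# when the ebuild ships interface files through POLICY_FILES).
#
# Finally, prepare the build environments for each of the supported SELinux
# types (such as targeted or strict), depending on the POLICY_TYPES variable
# content.
#
# Dies on any failed directory creation, copy or patch step.
selinux-policy-2_src_prepare() {
	local modfiles
	local add_interfaces=0
	local i POLFILE POLPATCH

	# Create 3rd_party location for user-contributed policies. Both steps
	# must succeed: later stages cd into and copy files into this directory.
	cd "${S}/refpolicy/policy/modules" || die "Could not enter ${S}/refpolicy/policy/modules"
	mkdir 3rd_party || die "Could not create 3rd_party/ location"

	# Patch the sources with the base patchbundle (not for live checkouts)
	if [[ -n ${BASEPOL} && ${BASEPOL} != "9999" ]]; then
		cd "${S}" || die "Could not enter ${S}"
		EPATCH_MULTI_MSG="Applying SELinux policy updates ... " \
		EPATCH_SUFFIX="patch" \
		EPATCH_SOURCE="${WORKDIR}" \
		EPATCH_FORCE="yes" \
		epatch
	fi

	# Call in epatch_user. We do this early on as we start moving
	# files left and right hereafter.
	epatch_user

	# Copy additional files to the 3rd_party/ location.
	# POLICY_FILES may be a bash array or a plain string; "declare -p" tells
	# them apart. Only stderr is silenced here (the previous
	# "2>/dev/null 2>&1" routed stderr into the substitution instead).
	if [[ "$(declare -p POLICY_FILES 2>/dev/null)" == "declare -a"* ]] ||
	   [[ -n ${POLICY_FILES} ]]; then
		add_interfaces=1
		cd "${S}/refpolicy/policy/modules" || die "Could not enter ${S}/refpolicy/policy/modules"
		# unquoted on purpose: a string value must be word-split
		for POLFILE in ${POLICY_FILES[@]}; do
			cp "${FILESDIR}/${POLFILE}" 3rd_party/ || die "Could not copy ${POLFILE} to 3rd_party/ location"
		done
	fi

	# Apply the additional patches referred to by the module ebuild.
	# Same array-or-string handling as for POLICY_FILES above.
	if [[ "$(declare -p POLICY_PATCH 2>/dev/null)" == "declare -a"* ]] ||
	   [[ -n ${POLICY_PATCH} ]]; then
		cd "${S}/refpolicy/policy/modules" || die "Could not enter ${S}/refpolicy/policy/modules"
		# unquoted on purpose: a string value must be word-split
		for POLPATCH in ${POLICY_PATCH[@]}; do
			epatch "${POLPATCH}"
		done
	fi

	# Collect only those files needed for this particular module. modfiles
	# is a whitespace-separated list of paths as printed by find; the
	# interface file is only picked up when the ebuild ships one.
	for i in ${MODS}; do
		modfiles="$(find "${S}/refpolicy/policy/modules" -iname "${i}.te") ${modfiles}"
		modfiles="$(find "${S}/refpolicy/policy/modules" -iname "${i}.fc") ${modfiles}"
		if (( add_interfaces == 1 )); then
			modfiles="$(find "${S}/refpolicy/policy/modules" -iname "${i}.if") ${modfiles}"
		fi
	done

	# One build directory per policy type, seeded with the example Makefile
	# and the module sources collected above.
	for i in ${POLICY_TYPES}; do
		mkdir "${S}/${i}" || die "Failed to create directory ${S}/${i}"
		cp "${S}/refpolicy/doc/Makefile.example" "${S}/${i}/Makefile" \
			|| die "Failed to copy Makefile.example to ${S}/${i}/Makefile"

		# modfiles is intentionally unquoted: it holds several paths
		cp ${modfiles} "${S}/${i}" \
			|| die "Failed to copy the module files to ${S}/${i}"
	done
}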
221
# @FUNCTION: selinux-policy-2_src_compile
# @DESCRIPTION:
# Build the SELinux policy module (.pp file) for just the selected module, and
# this for each SELinux policy mentioned in POLICY_TYPES
selinux-policy-2_src_compile() {
	local makeuse="" useflag i
	local -a jobs=()

	# Translate the enabled USE flags into m4 definitions (-D use_<flag>)
	for useflag in ${IUSE}; do
		if use ${useflag}; then
			makeuse+=" -D use_${useflag}"
		fi
	done

	# Parallel builds are broken in 2.20140311-r7 and earlier, bug 530178
	if [[ ${BASEPOL} == 2.20140311* ]]; then
		jobs=(-j1)
	fi

	for i in ${POLICY_TYPES}; do
		# Support USE flags in builds
		export M4PARAM="${makeuse}"
		emake "${jobs[@]}" NAME=$i -C "${S}/${i}" || die "${i} compile failed"
	done
}
244
# @FUNCTION: selinux-policy-2_src_install
# @DESCRIPTION:
# Install the built .pp files in the correct subdirectory within
# /usr/share/selinux.
selinux-policy-2_src_install() {
	local BASEDIR="/usr/share/selinux"
	local i j dest

	for i in ${POLICY_TYPES}; do
		dest="${BASEDIR}/${i}"
		for j in ${MODS}; do
			einfo "Installing ${i} ${j} policy package"
			insinto ${dest}
			doins "${S}/${i}/${j}.pp" || die "Failed to add ${j}.pp to ${i}"

			# Ship the interface file only when the ebuild listed it in
			# POLICY_FILES (string or array, matched as a substring).
			if [[ "${POLICY_FILES[@]}" == *"${j}.if"* ]]; then
				insinto ${dest}/include/3rd_party
				doins "${S}/${i}/${j}.if" || die "Failed to add ${j}.if to ${i}"
			fi
		done
	done
}
266
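# @FUNCTION: selinux-policy-2_pkg_postinst
# @DESCRIPTION:
# Install the built .pp files in the SELinux policy stores, effectively
# activating the policy on the system.
#
# For every policy type in POLICY_TYPES the module(s) in MODS are inserted
# with semodule; if that fails, a full reload of the store (base.pp plus all
# other .pp files in it) is attempted. Afterwards packages depending on this
# one are relabeled through rlpkg when qdepends or equery is available.
# The store paths are hard-coded under /usr/share/selinux, so this always
# acts on the live host's policy store.
selinux-policy-2_pkg_postinst() {
	# build up the command in the case of multiple modules
	local COMMAND
	local i pp
	local -a extra
	for i in ${MODS}; do
		COMMAND="-i ${i}.pp ${COMMAND}"
	done

	for i in ${POLICY_TYPES}; do
		if [[ ${i} == "strict" && ${MODS} == "unconfined" ]]; then
			einfo "Ignoring loading of unconfined module in strict module store."
			continue
		fi
		einfo "Inserting the following modules into the $i module store: ${MODS}"

		cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/${i}"
		# COMMAND is intentionally unquoted: it is a list of "-i mod.pp" words
		if semodule -s ${i} ${COMMAND}; then
			einfo "SELinux modules loaded succesfully."
			continue
		fi

		ewarn "SELinux module load failed. Trying full reload..."
		# Collect every module package in the store except the base module
		# and, outside the targeted store, except unconfined.pp. A glob with
		# exact name comparison replaces "ls *.pp | grep -v", which treated
		# "base.pp" as an unanchored regex and could drop other modules.
		extra=()
		for pp in *.pp; do
			[[ -e ${pp} ]] || continue
			[[ ${pp} == "base.pp" ]] && continue
			[[ ${i} != "targeted" && ${pp} == "unconfined.pp" ]] && continue
			extra+=("${pp}")
		done
		if semodule -s ${i} -b base.pp -i "${extra[@]}"; then
			einfo "SELinux modules reloaded succesfully."
		else
			ewarn "Failed to reload SELinux policies."
			ewarn ""
			ewarn "If this is *not* the last SELinux module package being installed,"
			ewarn "then you can safely ignore this as the reloads will be retried"
			ewarn "with other, recent modules."
			ewarn ""
			ewarn "If it is the last SELinux module package being installed however,"
			ewarn "then it is advised to look at the error above and take appropriate"
			ewarn "action since the new SELinux policies are not loaded until the"
			ewarn "command finished succesfully."
			ewarn ""
			ewarn "To reload, run the following command from within /usr/share/selinux/${i}:"
			ewarn " semodule -b base.pp -i \$(ls *.pp | grep -v base.pp)"
			ewarn "or"
			ewarn " semodule -b base.pp -i \$(ls *.pp | grep -v base.pp | grep -v unconfined.pp)"
			ewarn "depending on if you need the unconfined domain loaded as well or not."
		fi
	done

	# Relabel depending packages (everything that depends on this package,
	# minus the other sec-policy/selinux-* modules)
	PKGSET=""
	if [[ -x /usr/bin/qdepends ]]; then
		PKGSET=$(/usr/bin/qdepends -Cq -r -Q ${CATEGORY}/${PN} | grep -v "sec-policy/selinux-")
	elif [[ -x /usr/bin/equery ]]; then
		PKGSET=$(/usr/bin/equery -Cq depends ${CATEGORY}/${PN} | grep -v "sec-policy/selinux-")
	fi
	if [[ -n ${PKGSET} ]]; then
		# PKGSET is intentionally unquoted: one package atom per word
		rlpkg ${PKGSET}
	fi
}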
334
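# @FUNCTION: selinux-policy-2_pkg_postrm
# @DESCRIPTION:
# Uninstall the module(s) from the SELinux policy stores, effectively
# deactivating the policy on the system.
#
# Nothing is removed when the package is being upgraded (EAPI 4 and later set
# REPLACED_BY_VERSION in that case), so the modules stay loaded until the new
# version's pkg_postinst replaces them.
selinux-policy-2_pkg_postrm() {
	local COMMAND
	local i

	# Only if we are not upgrading. EAPI defaults to 0 here, consistent
	# with the other EAPI checks in this eclass.
	if [[ ${EAPI:-0} -lt 4 || -z ${REPLACED_BY_VERSION} ]]; then
		# build up the command in the case of multiple modules
		for i in ${MODS}; do
			COMMAND="-r ${i} ${COMMAND}"
		done

		for i in ${POLICY_TYPES}; do
			einfo "Removing the following modules from the $i module store: ${MODS}"

			# COMMAND is intentionally unquoted: it is a list of "-r mod" words
			if semodule -s ${i} ${COMMAND}; then
				einfo "SELinux modules unloaded succesfully."
			else
				ewarn "SELinux module unload failed."
			fi
		done
	fi
}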
