Revision 1.32
Tue Apr 21 11:19:10 2015 UTC (4 months, 2 weeks ago) by perfinion
Branch: MAIN
CVS Tags: HEAD
Changes since 1.31: +5 -5 lines
update git urls and migrate git-2 -> git-r3

# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/eclass/selinux-policy-2.eclass,v 1.31 2015/04/04 17:11:35 perfinion Exp $

# Eclass for installing SELinux policy, and optionally
# reloading the reference-policy based modules.

# @ECLASS: selinux-policy-2.eclass
# @MAINTAINER:
# selinux@gentoo.org
# @BLURB: This eclass supports the deployment of the various SELinux modules in sec-policy
# @DESCRIPTION:
# The selinux-policy-2.eclass supports deployment of the various SELinux modules
# defined in the sec-policy category. It is responsible for extracting the
# specific bits necessary for single-module deployment (instead of full-blown
# policy rebuilds) and applying the necessary patches.
#
# Also, it supports for bundling patches to make the whole thing just a bit more
# manageable.
#
# The module(s) built here are loaded into the live policy store by
# pkg_postinst (and unloaded again by pkg_postrm), so everything that is
# applied to the sources in src_prepare -- the base patchbundle, the ebuild's
# own patches and the user's patches -- ends up in the policy the kernel
# enforces.

# @ECLASS-VARIABLE: MODS
# @DESCRIPTION:
# This variable contains the (upstream) module name for the SELinux module.
# This name is only the module name, not the category!
# The default is a placeholder: an ebuild that does not set MODS makes
# src_prepare search for "_illegal.te"/"_illegal.fc" (presumably nonexistent).
: ${MODS:="_illegal"}

# @ECLASS-VARIABLE: BASEPOL
# @DESCRIPTION:
# This variable contains the version string of the selinux-base-policy package
# that this module build depends on. It is used to patch with the appropriate
# patch bundle(s) that are part of selinux-base-policy.
# Defaults to this package's own version (PVR). The special value 9999 selects
# a live git checkout of the policy repository instead of release tarballs
# (see the SELINUX_GIT_* variables and the SRC_URI logic below).
: ${BASEPOL:=${PVR}}

# @ECLASS-VARIABLE: POLICY_PATCH
# @DESCRIPTION:
# This variable contains the additional patch(es) that need to be applied on top
# of the patchset already contained within the BASEPOL variable. The variable
# can be both a simple string (space-separated) or a bash array.
# The patches are applied by src_prepare from within refpolicy/policy/modules.
: ${POLICY_PATCH:=""}

# @ECLASS-VARIABLE: POLICY_FILES
# @DESCRIPTION:
# When defined, this contains the files (located in the ebuilds' files/
# directory) which should be copied as policy module files into the store.
# Generally, users would want to include at least a .te and .fc file, but .if
# files are supported as well. The variable can be both a simple string
# (space-separated) or a bash array.
# Listing any file here also makes src_prepare collect the module's .if file,
# and a listed <module>.if is installed below include/3rd_party by src_install.
: ${POLICY_FILES:=""}

# @ECLASS-VARIABLE: POLICY_TYPES
# @DESCRIPTION:
# This variable informs the eclass for which SELinux policies the module should
# be built. Currently, Gentoo supports targeted, strict, mcs and mls.
# This variable is the same POLICY_TYPES variable that we tell SELinux
# users to set in make.conf. Therefore, it is not the module that should
# override it, but the user.
# Every listed type gets its own build directory under ${S} and its own module
# store in /usr/share/selinux/<type>.
: ${POLICY_TYPES:="targeted strict mcs mls"}

# @ECLASS-VARIABLE: SELINUX_GIT_REPO
# @DESCRIPTION:
# When defined, this variable overrides the default repository URL as used by
# this eclass. It allows end users to point to a different policy repository
# using a single variable, rather than having to set the packagename_LIVE_REPO
# variable for each and every SELinux policy module package they want to install.
# The default value is Gentoo's hardened-refpolicy repository.
# NOTE(review): the first URL in the default uses the git:// transport, which
# does not authenticate the server; the https URL listed second does. When
# overriding this variable, prefer an https (or ssh) URL, since the checkout
# becomes the policy loaded on the system.
: ${SELINUX_GIT_REPO:="git://anongit.gentoo.org/proj/hardened-refpolicy.git https://anongit.gentoo.org/git/proj/hardened-refpolicy.git"};

# @ECLASS-VARIABLE: SELINUX_GIT_BRANCH
# @DESCRIPTION:
# When defined, this variable sets the Git branch to use of the repository. This
# allows for users and developers to use a different branch for the entire set of
# SELinux policy packages, rather than having to override them one by one with the
# packagename_LIVE_BRANCH variable.
# The default value is the 'master' branch.
: ${SELINUX_GIT_BRANCH:="master"};

# Live builds (BASEPOL=9999) additionally inherit git-r3 and point it at the
# repository/branch configured above, checking out into ${WORKDIR}/refpolicy
# (the same location the release tarball is expected to unpack to).
# Release builds need no extra eclass.
extra_eclass=""
case ${BASEPOL} in
	9999) extra_eclass="git-r3";
		EGIT_REPO_URI="${SELINUX_GIT_REPO}";
		EGIT_BRANCH="${SELINUX_GIT_BRANCH}";
		EGIT_CHECKOUT_DIR="${WORKDIR}/refpolicy";;
esac

inherit eutils ${extra_eclass}

# Ebuilds may extend IUSE; src_compile turns every enabled flag into a
# "-D use_<flag>" m4 define for the policy sources.
IUSE=""

HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
# Release builds fetch the upstream refpolicy tarball plus, when BASEPOL is
# set, Gentoo's patchbundle for that base policy version. The elif branch is
# reached with an empty BASEPOL (refpolicy only); live builds (9999) fetch
# nothing and rely on the git checkout instead.
# NOTE(review): the patchbundle is fetched over plain http, so its integrity
# rests on the distfile digests recorded in the package Manifest rather than
# on the transport.
if [[ -n ${BASEPOL} ]] && [[ "${BASEPOL}" != "9999" ]];
then
	SRC_URI="https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2
		http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
elif [[ "${BASEPOL}" != "9999" ]];
then
	SRC_URI="https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2"
else
	SRC_URI=""
fi

LICENSE="GPL-2"
SLOT="0"
# The eclass expects the policy tree at ${S}/refpolicy (see src_prepare).
S="${WORKDIR}/"
PATCHBUNDLE="${DISTDIR}/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"

# Modules should always depend on at least the first release of the
# selinux-base-policy for which they are generated.
if [[ -n ${BASEPOL} ]];
then
	RDEPEND=">=sys-apps/policycoreutils-2.0.82
		>=sec-policy/selinux-base-policy-${BASEPOL}"
else
	RDEPEND=">=sys-apps/policycoreutils-2.0.82
		>=sec-policy/selinux-base-policy-${PV}"
fi
# m4 and checkpolicy are needed to build the .pp files in src_compile.
DEPEND="${RDEPEND}
	sys-devel/m4
	>=sys-apps/checkpolicy-2.0.21"

# Only EAPI 5 and later are supported.
case "${EAPI:-0}" in
	0|1|2|3|4) die "EAPI<5 is not supported";;
	*) : ;;
esac

# Phase functions provided by this eclass to inheriting ebuilds.
EXPORT_FUNCTIONS "src_unpack src_prepare src_compile src_install pkg_postinst pkg_postrm"

# @FUNCTION: selinux-policy-2_src_unpack
# @DESCRIPTION:
# Unpack the policy sources as offered by upstream (refpolicy).
# A live build (BASEPOL=9999) takes the sources from the git-r3 checkout
# configured through SELINUX_GIT_REPO/SELINUX_GIT_BRANCH; any other value
# unpacks the distfiles listed in SRC_URI.
selinux-policy-2_src_unpack() {
	case ${BASEPOL} in
		9999) git-r3_src_unpack ;;
		*) unpack ${A} ;;
	esac
}

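# @FUNCTION: selinux-policy-2_src_prepare
# @DESCRIPTION:
# Patch the reference policy sources with our set of enhancements. Start with
# the base patchbundle referred to by the ebuilds through the BASEPOL variable,
# then apply the additional patches as offered by the ebuild.
#
# Next, extract only those files needed for this particular module (i.e. the .te
# and .fc files for the given module in the MODS variable).
#
# Finally, prepare the build environments for each of the supported SELinux
# types (such as targeted or strict), depending on the POLICY_TYPES variable
# content.
#
# Every directory change is checked so that a missing or misplaced refpolicy
# tree aborts the build instead of patching or copying in the wrong location,
# and a module for which no source file exists in the (patched) tree dies with
# an explicit message instead of failing inside cp.
selinux-policy-2_src_prepare() {
	local modfiles
	local add_interfaces=0;
	local i POLFILE POLPATCH

	# Create 3rd_party location for user-contributed policies
	cd "${S}/refpolicy/policy/modules" || die "Could not enter ${S}/refpolicy/policy/modules"
	mkdir -p 3rd_party || die "Failed to create 3rd_party/ location"

	# Patch the sources with the base patchbundle
	if [[ -n ${BASEPOL} ]] && [[ "${BASEPOL}" != "9999" ]];
	then
		cd "${S}" || die "Could not enter ${S}"
		EPATCH_MULTI_MSG="Applying SELinux policy updates ... " \
		EPATCH_SUFFIX="patch" \
		EPATCH_SOURCE="${WORKDIR}" \
		EPATCH_FORCE="yes" \
		epatch
	fi

	# Call in epatch_user. We do this early on as we start moving
	# files left and right hereafter.
	# Patches applied here become part of the policy that pkg_postinst loads
	# into the system's policy store.
	epatch_user

	# Copy additional files to the 3rd_party/ location.
	# "declare -p" tells a bash array apart from a plain (space-separated)
	# string; ${POLICY_FILES[@]} then expands correctly for both forms.
	if [[ "$(declare -p POLICY_FILES 2>/dev/null)" == "declare -a"* ]] ||
	   [[ -n ${POLICY_FILES} ]];
	then
		add_interfaces=1;
		cd "${S}/refpolicy/policy/modules" || die "Could not enter ${S}/refpolicy/policy/modules"
		for POLFILE in ${POLICY_FILES[@]};
		do
			cp "${FILESDIR}/${POLFILE}" 3rd_party/ || die "Could not copy ${POLFILE} to 3rd_party/ location";
		done
	fi

	# Apply the additional patches refered to by the module ebuild.
	# Same string-or-array handling as for POLICY_FILES above.
	if [[ "$(declare -p POLICY_PATCH 2>/dev/null)" == "declare -a"* ]] ||
	   [[ -n ${POLICY_PATCH} ]];
	then
		cd "${S}/refpolicy/policy/modules" || die "Could not enter ${S}/refpolicy/policy/modules"
		for POLPATCH in ${POLICY_PATCH[@]};
		do
			epatch "${POLPATCH}"
		done
	fi

	# Collect only those files needed for this particular module.
	# The .if file is only taken along when the ebuild ships its own policy
	# files (add_interfaces), matching what src_install expects.
	for i in ${MODS}; do
		modfiles="$(find "${S}"/refpolicy/policy/modules -iname "${i}.te") $modfiles"
		modfiles="$(find "${S}"/refpolicy/policy/modules -iname "${i}.fc") $modfiles"
		if [[ ${add_interfaces} -eq 1 ]];
		then
			modfiles="$(find "${S}"/refpolicy/policy/modules -iname "${i}.if") $modfiles"
		fi
	done
	# An empty list would otherwise turn the cp below into "cp <dir>", which
	# fails with a misleading "missing destination" error.
	[[ -n ${modfiles//[[:space:]]/} ]] \
		|| die "No policy sources found for module(s) '${MODS}' below ${S}/refpolicy/policy/modules"

	for i in ${POLICY_TYPES}; do
		mkdir "${S}"/${i} || die "Failed to create directory ${S}/${i}"
		cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \
			|| die "Failed to copy Makefile.example to ${S}/${i}/Makefile"

		# modfiles is deliberately unquoted: it is a whitespace-separated
		# list of paths assembled from the find output above.
		cp ${modfiles} "${S}"/${i} \
			|| die "Failed to copy the module files to ${S}/${i}"
	done
}
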
# @FUNCTION: selinux-policy-2_src_compile
# @DESCRIPTION:
# Build the SELinux policy module (.pp file) for just the selected module, and
# this for each SELinux policy mentioned in POLICY_TYPES.
# Every enabled USE flag from IUSE is handed to m4 (via M4PARAM) as a
# "-D use_<flag>" define so the policy sources can conditionalise on it.
selinux-policy-2_src_compile() {
	local makeuse=""
	for useflag in ${IUSE}; do
		if use ${useflag}; then
			makeuse+=" -D use_${useflag}"
		fi
	done

	# Parallel builds are broken in 2.20140311-r7 and earlier, bug 530178
	local jobs=""
	[[ ${BASEPOL} == 2.20140311* ]] && jobs="-j1"

	for i in ${POLICY_TYPES}; do
		# Support USE flags in builds
		export M4PARAM="${makeuse}"
		emake ${jobs} NAME=$i -C "${S}"/${i} || die "${i} compile failed"
	done
}

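# @FUNCTION: _selinux-policy-2_has_interface
# @INTERNAL
# @USAGE: <module>
# @DESCRIPTION:
# Return 0 when POLICY_FILES (plain string or bash array) names a file whose
# basename is exactly <module>.if, 1 otherwise. The comparison is exact rather
# than a substring match so that, say, "openfoo.if" does not count as the
# interface file of module "foo".
_selinux-policy-2_has_interface() {
	local module=$1 polfile
	for polfile in ${POLICY_FILES[@]}; do
		[[ ${polfile##*/} == "${module}.if" ]] && return 0
	done
	return 1
}

# @FUNCTION: selinux-policy-2_src_install
# @DESCRIPTION:
# Install the built .pp files in the correct subdirectory within
# /usr/share/selinux.
#
# When the ebuild shipped an interface file (<module>.if) through
# POLICY_FILES, that file is installed below include/3rd_party of the same
# policy type directory so other modules can use its interfaces.
selinux-policy-2_src_install() {
	local BASEDIR="/usr/share/selinux"
	local i j

	for i in ${POLICY_TYPES}; do
		for j in ${MODS}; do
			einfo "Installing ${i} ${j} policy package"
			insinto ${BASEDIR}/${i}
			doins "${S}"/${i}/${j}.pp || die "Failed to add ${j}.pp to ${i}"

			if _selinux-policy-2_has_interface "${j}";
			then
				insinto ${BASEDIR}/${i}/include/3rd_party
				doins "${S}"/${i}/${j}.if || die "Failed to add ${j}.if to ${i}"
			fi
		done
	done
}
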
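# @FUNCTION: selinux-policy-2_pkg_postinst
# @DESCRIPTION:
# Install the built .pp files in the SELinux policy stores, effectively
# activating the policy on the system.
#
# For each policy type in POLICY_TYPES the module(s) in MODS are inserted into
# /usr/share/selinux/<type> with semodule. If that fails, a full rebuild of the
# store is attempted from every .pp file in that directory (base.pp is passed
# as the base module; unconfined.pp is left out of the non-targeted stores).
# Finally the packages depending on this policy package are relabelled so the
# new file contexts take effect.
selinux-policy-2_pkg_postinst() {
	local COMMAND i
	# build up the command in the case of multiple modules
	for i in ${MODS}; do
		COMMAND="-i ${i}.pp ${COMMAND}"
	done

	for i in ${POLICY_TYPES}; do
		if [[ ${i} == "strict" ]] && [[ ${MODS} == "unconfined" ]];
		then
			einfo "Ignoring loading of unconfined module in strict module store.";
			continue;
		fi
		einfo "Inserting the following modules into the $i module store: ${MODS}"

		cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/${i}"
		if semodule -s ${i} ${COMMAND};
		then
			einfo "SELinux modules loaded succesfully."
			continue
		fi

		ewarn "SELinux module load failed. Trying full reload...";
		# Collect the modules for the full reload with a glob instead of
		# parsing "ls | grep -v", which also dropped any file whose name merely
		# contained "base.pp" or "unconfined.pp".
		local -a reload=()
		local pp
		for pp in *.pp; do
			[[ -e ${pp} ]] || continue
			[[ ${pp} == "base.pp" ]] && continue
			# the unconfined domain only belongs in the targeted store
			[[ ${i} != "targeted" && ${pp} == "unconfined.pp" ]] && continue
			reload+=("${pp}")
		done
		if semodule -s ${i} -b base.pp -i "${reload[@]}";
		then
			einfo "SELinux modules reloaded succesfully."
		else
			ewarn "Failed to reload SELinux policies."
			ewarn ""
			ewarn "If this is *not* the last SELinux module package being installed,"
			ewarn "then you can safely ignore this as the reloads will be retried"
			ewarn "with other, recent modules."
			ewarn ""
			ewarn "If it is the last SELinux module package being installed however,"
			ewarn "then it is advised to look at the error above and take appropriate"
			ewarn "action since the new SELinux policies are not loaded until the"
			ewarn "command finished succesfully."
			ewarn ""
			ewarn "To reload, run the following command from within /usr/share/selinux/${i}:"
			ewarn " semodule -b base.pp -i \$(ls *.pp | grep -v base.pp)"
			ewarn "or"
			ewarn " semodule -b base.pp -i \$(ls *.pp | grep -v base.pp | grep -v unconfined.pp)"
			ewarn "depending on if you need the unconfined domain loaded as well or not."
		fi
	done

	# Relabel depending packages so files they own get the contexts the new
	# policy defines. The package list comes from qdepends or equery, minus
	# the other policy module packages.
	local PKGSET="";
	if [ -x /usr/bin/qdepends ] ; then
		PKGSET=$(/usr/bin/qdepends -Cq -r -Q ${CATEGORY}/${PN} | grep -v "sec-policy/selinux-");
	elif [ -x /usr/bin/equery ] ; then
		PKGSET=$(/usr/bin/equery -Cq depends ${CATEGORY}/${PN} | grep -v "sec-policy/selinux-");
	fi
	if [ -n "${PKGSET}" ] ; then
		# intentionally unquoted: one package atom per word
		rlpkg ${PKGSET};
	fi
}
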
# @FUNCTION: selinux-policy-2_pkg_postrm
# @DESCRIPTION:
# Uninstall the module(s) from the SELinux policy stores, effectively
# deactivating the policy on the system.
# Nothing is done on an upgrade (REPLACED_BY_VERSION set): the module(s)
# stay in the stores for the replacing version's pkg_postinst to refresh.
selinux-policy-2_pkg_postrm() {
	# Only if we are not upgrading
	[[ -n ${REPLACED_BY_VERSION} ]] && return

	# build up the command in the case of multiple modules
	local COMMAND
	for i in ${MODS}; do
		COMMAND="-r ${i} ${COMMAND}"
	done

	for i in ${POLICY_TYPES}; do
		einfo "Removing the following modules from the $i module store: ${MODS}"

		if semodule -s ${i} ${COMMAND}; then
			einfo "SELinux modules unloaded succesfully."
		else
			ewarn "SELinux module unload failed.";
		fi
	done
}
