# Copyright 1999-2015 Gentoo Foundation |
# Distributed under the terms of the GNU General Public License v2 |
# $Header: /var/cvsroot/gentoo-x86/eclass/selinux-policy-2.eclass,v 1.31 2015/04/04 17:11:35 perfinion Exp $ |
|
# Eclass for installing SELinux policy, and optionally |
# reloading the reference-policy based modules. |
|
# @ECLASS: selinux-policy-2.eclass |
# @MAINTAINER: |
# selinux@gentoo.org |
# @BLURB: This eclass supports the deployment of the various SELinux modules in sec-policy |
# @DESCRIPTION: |
# The selinux-policy-2.eclass supports deployment of the various SELinux modules |
# defined in the sec-policy category. It is responsible for extracting the |
# specific bits necessary for single-module deployment (instead of full-blown |
# policy rebuilds) and applying the necessary patches. |
# |
# Also, it supports bundling patches to make the whole thing just a bit more
# manageable. |
|
# @ECLASS-VARIABLE: MODS
# @DESCRIPTION:
# This variable contains the (upstream) module name for the SELinux module.
# This name is only the module name, not the category!
: ${MODS:="_illegal"}

# @ECLASS-VARIABLE: BASEPOL
# @DESCRIPTION:
# This variable contains the version string of the selinux-base-policy package
# that this module build depends on. It is used to patch with the appropriate
# patch bundle(s) that are part of selinux-base-policy.
: ${BASEPOL:=${PVR}}

# @ECLASS-VARIABLE: POLICY_PATCH
# @DESCRIPTION:
# This variable contains the additional patch(es) that need to be applied on top
# of the patchset already contained within the BASEPOL variable. The variable
# can be both a simple string (space-separated) or a bash array.
: ${POLICY_PATCH:=""}

# @ECLASS-VARIABLE: POLICY_FILES
# @DESCRIPTION:
# When defined, this contains the files (located in the ebuilds' files/
# directory) which should be copied as policy module files into the store.
# Generally, users would want to include at least a .te and .fc file, but .if
# files are supported as well. The variable can be both a simple string
# (space-separated) or a bash array.
: ${POLICY_FILES:=""}

# @ECLASS-VARIABLE: POLICY_TYPES
# @DESCRIPTION:
# This variable informs the eclass for which SELinux policies the module should
# be built. Currently, Gentoo supports targeted, strict, mcs and mls.
# This variable is the same POLICY_TYPES variable that we tell SELinux
# users to set in make.conf. Therefore, it is not the module that should
# override it, but the user.
: ${POLICY_TYPES:="targeted strict mcs mls"}

# @ECLASS-VARIABLE: SELINUX_GIT_REPO
# @DESCRIPTION:
# When defined, this variable overrides the default repository URL as used by
# this eclass. It allows end users to point to a different policy repository
# using a single variable, rather than having to set the packagename_LIVE_REPO
# variable for each and every SELinux policy module package they want to install.
# The default value is Gentoo's hardened-refpolicy repository.
# Note that the first URI uses the git:// transport, which authenticates
# neither the server nor the data in transit; git-r3 only falls back to the
# https:// URI listed after it when the first one fails. Set this variable
# to the https:// URI alone if an authenticated fetch is wanted for live
# (9999) builds.
: ${SELINUX_GIT_REPO:="git://anongit.gentoo.org/proj/hardened-refpolicy.git https://anongit.gentoo.org/git/proj/hardened-refpolicy.git"}

# @ECLASS-VARIABLE: SELINUX_GIT_BRANCH
# @DESCRIPTION:
# When defined, this variable sets the Git branch to use of the repository. This
# allows for users and developers to use a different branch for the entire set of
# SELinux policy packages, rather than having to override them one by one with the
# packagename_LIVE_BRANCH variable.
# The default value is the 'master' branch.
: ${SELINUX_GIT_BRANCH:="master"}

# Live builds (BASEPOL=9999) fetch the policy sources through git-r3 instead
# of SRC_URI; the git-r3 configuration is derived from the variables above.
extra_eclass=""
case ${BASEPOL} in
	9999)
		extra_eclass="git-r3"
		EGIT_REPO_URI="${SELINUX_GIT_REPO}"
		EGIT_BRANCH="${SELINUX_GIT_BRANCH}"
		EGIT_CHECKOUT_DIR="${WORKDIR}/refpolicy"
		;;
esac

inherit eutils ${extra_eclass}

IUSE=""

HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"

# Release builds fetch the upstream refpolicy tarball and, when a base policy
# version is known, the matching Gentoo patchbundle. The patchbundle mirror is
# plain http; distfile integrity rests on Portage's Manifest verification.
if [[ ${BASEPOL} == "9999" ]]; then
	SRC_URI=""
elif [[ -n ${BASEPOL} ]]; then
	SRC_URI="https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2
		http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
else
	SRC_URI="https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2"
fi

LICENSE="GPL-2"
SLOT="0"
S="${WORKDIR}/"
PATCHBUNDLE="${DISTDIR}/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"

# Modules should always depend on at least the first release of the
# selinux-base-policy for which they are generated.
if [[ -n ${BASEPOL} ]]; then
	RDEPEND=">=sys-apps/policycoreutils-2.0.82
		>=sec-policy/selinux-base-policy-${BASEPOL}"
else
	RDEPEND=">=sys-apps/policycoreutils-2.0.82
		>=sec-policy/selinux-base-policy-${PV}"
fi
DEPEND="${RDEPEND}
	sys-devel/m4
	>=sys-apps/checkpolicy-2.0.21"

# Only EAPI 5 and newer are supported by this eclass.
if [[ ${EAPI:-0} == [0-4] ]]; then
	die "EAPI<5 is not supported"
fi

EXPORT_FUNCTIONS "src_unpack src_prepare src_compile src_install pkg_postinst pkg_postrm"
|
# @FUNCTION: selinux-policy-2_src_unpack
# @DESCRIPTION:
# Unpack the policy sources as offered by upstream (refpolicy).
# A live build (BASEPOL=9999) takes its sources from the git-r3 checkout
# configured at eclass load time; any other BASEPOL value extracts the
# distfiles listed in ${A}.
selinux-policy-2_src_unpack() {
	case ${BASEPOL} in
		9999) git-r3_src_unpack ;;
		*) unpack ${A} ;;
	esac
}
|
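# @FUNCTION: selinux-policy-2_src_prepare
# @DESCRIPTION:
# Patch the reference policy sources with our set of enhancements. Start with
# the base patchbundle referred to by the ebuilds through the BASEPOL variable,
# then apply the additional patches as offered by the ebuild.
#
# Next, extract only those files needed for this particular module (i.e. the .te
# and .fc files for the given module in the MODS variable).
#
# Finally, prepare the build environments for each of the supported SELinux
# types (such as targeted or strict), depending on the POLICY_TYPES variable
# content.
#
# Every cd/mkdir/cp step dies on failure so a broken tree is never silently
# carried into src_compile.
selinux-policy-2_src_prepare() {
	local modfiles
	local add_interfaces=0
	local modules_dir="${S}/refpolicy/policy/modules"
	local polfile polpatch i

	# Create 3rd_party location for user-contributed policies
	cd "${modules_dir}" || die "Could not enter ${modules_dir}"
	mkdir -p 3rd_party || die "Could not create ${modules_dir}/3rd_party"

	# Patch the sources with the base patchbundle
	if [[ -n ${BASEPOL} && ${BASEPOL} != "9999" ]]; then
		cd "${S}" || die "Could not enter ${S}"
		EPATCH_MULTI_MSG="Applying SELinux policy updates ... " \
		EPATCH_SUFFIX="patch" \
		EPATCH_SOURCE="${WORKDIR}" \
		EPATCH_FORCE="yes" \
		epatch
	fi

	# Call in epatch_user. We do this early on as we start moving
	# files left and right hereafter. Always run it from ${S} so that user
	# patches apply against the same tree for live (9999) and release builds
	# alike, rather than from whichever directory the previous step left us in.
	cd "${S}" || die "Could not enter ${S}"
	epatch_user

	# Copy additional files to the 3rd_party/ location. POLICY_FILES may be a
	# bash array or a plain string; the declare -p test catches the array form
	# (where ${POLICY_FILES} alone would only look at the first element).
	if [[ "$(declare -p POLICY_FILES 2>/dev/null)" == "declare -a"* ]] ||
	   [[ -n ${POLICY_FILES} ]]; then
		add_interfaces=1
		cd "${modules_dir}" || die "Could not enter ${modules_dir}"
		for polfile in ${POLICY_FILES[@]}; do
			cp "${FILESDIR}/${polfile}" 3rd_party/ || die "Could not copy ${polfile} to 3rd_party/ location"
		done
	fi

	# Apply the additional patches referred to by the module ebuild, with the
	# same array-or-string handling as for POLICY_FILES above.
	if [[ "$(declare -p POLICY_PATCH 2>/dev/null)" == "declare -a"* ]] ||
	   [[ -n ${POLICY_PATCH} ]]; then
		cd "${modules_dir}" || die "Could not enter ${modules_dir}"
		for polpatch in ${POLICY_PATCH[@]}; do
			epatch "${polpatch}"
		done
	fi

	# Collect only those files needed for this particular module. Interface
	# (.if) files are only picked up when the ebuild supplied policy files,
	# matching what selinux-policy-2_src_install ships.
	for i in ${MODS}; do
		modfiles="$(find "${modules_dir}" -iname "${i}.te") ${modfiles}"
		modfiles="$(find "${modules_dir}" -iname "${i}.fc") ${modfiles}"
		if [[ ${add_interfaces} -eq 1 ]]; then
			modfiles="$(find "${modules_dir}" -iname "${i}.if") ${modfiles}"
		fi
	done

	# Prepare one build tree per policy type, each with its own Makefile.
	for i in ${POLICY_TYPES}; do
		mkdir "${S}"/${i} || die "Failed to create directory ${S}/${i}"
		cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \
			|| die "Failed to copy Makefile.example to ${S}/${i}/Makefile"

		# An empty file list would make cp fail with an unhelpful message.
		[[ -n ${modfiles// /} ]] || die "No policy sources found for module(s) ${MODS} under ${modules_dir}"
		cp ${modfiles} "${S}"/${i} \
			|| die "Failed to copy the module files to ${S}/${i}"
	done
}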
|
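# @FUNCTION: selinux-policy-2_src_compile
# @DESCRIPTION:
# Build the SELinux policy module (.pp file) for just the selected module, and
# this for each SELinux policy mentioned in POLICY_TYPES.
# Enabled USE flags are passed to the build as m4 definitions (-D use_<flag>)
# through M4PARAM.
selinux-policy-2_src_compile() {
	local makeuse="" useflag i

	# IUSE entries may carry a leading '+' or '-' default marker; that marker
	# is not part of the flag name and must be stripped before calling use().
	for useflag in ${IUSE}; do
		useflag=${useflag#[+-]}
		use ${useflag} && makeuse="${makeuse} -D use_${useflag}"
	done

	# Support USE flags in builds; the value is the same for every policy
	# type, so export it once rather than per iteration.
	export M4PARAM="${makeuse}"

	for i in ${POLICY_TYPES}; do
		if [[ ${BASEPOL} == 2.20140311* ]]; then
			# Parallel builds are broken in 2.20140311-r7 and earlier, bug 530178
			emake -j1 NAME=${i} -C "${S}/${i}" || die "${i} compile failed"
		else
			emake NAME=${i} -C "${S}/${i}" || die "${i} compile failed"
		fi
	done
}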
|
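# @FUNCTION: selinux-policy-2_src_install
# @DESCRIPTION:
# Install the built .pp files in the correct subdirectory within
# /usr/share/selinux. A module's interface (.if) file is installed under
# include/3rd_party as well, but only when the ebuild shipped it via
# POLICY_FILES.
selinux-policy-2_src_install() {
	local BASEDIR="/usr/share/selinux"
	local i j polfile has_interface

	for i in ${POLICY_TYPES}; do
		for j in ${MODS}; do
			einfo "Installing ${i} ${j} policy package"
			insinto ${BASEDIR}/${i}
			doins "${S}"/${i}/${j}.pp || die "Failed to add ${j}.pp to ${i}"

			# Match POLICY_FILES entries on their basename so that an
			# unrelated file such as "xfoo.if" is not taken for "foo.if".
			has_interface=0
			for polfile in ${POLICY_FILES[@]}; do
				[[ ${polfile##*/} == "${j}.if" ]] && has_interface=1
			done
			if [[ ${has_interface} -eq 1 ]]; then
				insinto ${BASEDIR}/${i}/include/3rd_party
				doins "${S}"/${i}/${j}.if || die "Failed to add ${j}.if to ${i}"
			fi
		done
	done
}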
|
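# @FUNCTION: selinux-policy-2_pkg_postinst
# @DESCRIPTION:
# Install the built .pp files in the SELinux policy stores, effectively
# activating the policy on the system.
# This runs against the live host: it loads the module(s) into every store in
# POLICY_TYPES with semodule, falls back to a full store rebuild if the
# incremental load fails, and finally relabels the files of packages that
# depend on this module (via rlpkg) when a dependency query tool is present.
selinux-policy-2_pkg_postinst() {
	local COMMAND PKGSET i reload_mods

	# build up the command in the case of multiple modules
	for i in ${MODS}; do
		COMMAND="-i ${i}.pp ${COMMAND}"
	done

	for i in ${POLICY_TYPES}; do
		if [[ ${i} == "strict" && ${MODS} == "unconfined" ]]; then
			einfo "Ignoring loading of unconfined module in strict module store."
			continue
		fi
		einfo "Inserting the following modules into the $i module store: ${MODS}"

		# The store directory is addressed on the host filesystem; this path
		# is not ${ROOT}-aware.
		cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/${i}"
		if semodule -s ${i} ${COMMAND}; then
			einfo "SELinux modules loaded succesfully."
			continue
		fi

		ewarn "SELinux module load failed. Trying full reload..."
		# Rebuild the store from every .pp in this directory, base.pp as the
		# base module. Only the targeted store takes unconfined.pp along.
		if [[ ${i} == "targeted" ]]; then
			reload_mods=$(ls *.pp | grep -v base.pp)
		else
			reload_mods=$(ls *.pp | grep -v base.pp | grep -v unconfined.pp)
		fi
		if semodule -s ${i} -b base.pp -i ${reload_mods}; then
			einfo "SELinux modules reloaded succesfully."
		else
			ewarn "Failed to reload SELinux policies."
			ewarn ""
			ewarn "If this is *not* the last SELinux module package being installed,"
			ewarn "then you can safely ignore this as the reloads will be retried"
			ewarn "with other, recent modules."
			ewarn ""
			ewarn "If it is the last SELinux module package being installed however,"
			ewarn "then it is advised to look at the error above and take appropriate"
			ewarn "action since the new SELinux policies are not loaded until the"
			ewarn "command finished succesfully."
			ewarn ""
			ewarn "To reload, run the following command from within /usr/share/selinux/${i}:"
			ewarn "  semodule -b base.pp -i \$(ls *.pp | grep -v base.pp)"
			ewarn "or"
			ewarn "  semodule -b base.pp -i \$(ls *.pp | grep -v base.pp | grep -v unconfined.pp)"
			ewarn "depending on if you need the unconfined domain loaded as well or not."
		fi
	done

	# Relabel depending packages: the reverse dependencies reported by
	# qdepends or equery, minus the sec-policy modules themselves. PKGSET is
	# local so the package list does not leak into the ebuild environment.
	PKGSET=""
	if [[ -x /usr/bin/qdepends ]]; then
		PKGSET=$(/usr/bin/qdepends -Cq -r -Q ${CATEGORY}/${PN} | grep -v "sec-policy/selinux-")
	elif [[ -x /usr/bin/equery ]]; then
		PKGSET=$(/usr/bin/equery -Cq depends ${CATEGORY}/${PN} | grep -v "sec-policy/selinux-")
	fi
	if [[ -n ${PKGSET} ]]; then
		rlpkg ${PKGSET}
	fi
}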
|
# @FUNCTION: selinux-policy-2_pkg_postrm
# @DESCRIPTION:
# Uninstall the module(s) from the SELinux policy stores, effectively
# deactivating the policy on the system.
# Nothing is removed when the package is being replaced by another version
# (REPLACED_BY_VERSION set), since the new version re-inserts the modules.
selinux-policy-2_pkg_postrm() {
	# Only if we are not upgrading
	[[ -n ${REPLACED_BY_VERSION} ]] && return 0

	# build up the command in the case of multiple modules
	local COMMAND
	for i in ${MODS}; do
		COMMAND="-r ${i} ${COMMAND}"
	done

	for i in ${POLICY_TYPES}; do
		einfo "Removing the following modules from the $i module store: ${MODS}"

		if semodule -s ${i} ${COMMAND}; then
			einfo "SELinux modules unloaded succesfully."
		else
			ewarn "SELinux module unload failed."
		fi
	done
}
|