gentoo-x86/eclass/selinux-policy-2.eclass

# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/eclass/selinux-policy-2.eclass,v 1.31 2015/04/04 17:11:35 perfinion Exp $

# Eclass for installing SELinux policy, and optionally
# reloading the reference-policy based modules.

# @ECLASS: selinux-policy-2.eclass
# @MAINTAINER:
# selinux@gentoo.org
# @BLURB: This eclass supports the deployment of the various SELinux modules in sec-policy
# @DESCRIPTION:
# The selinux-policy-2.eclass supports deployment of the various SELinux modules
# defined in the sec-policy category. It is responsible for extracting the
# specific bits necessary for single-module deployment (instead of full-blown
# policy rebuilds) and applying the necessary patches.
#
# Also, it supports for bundling patches to make the whole thing just a bit more
# manageable.

# @ECLASS-VARIABLE: MODS
# @DESCRIPTION:
# This variable contains the (upstream) module name for the SELinux module.
# This name is only the module name, not the category!
: ${MODS:="_illegal"}

# @ECLASS-VARIABLE: BASEPOL
# @DESCRIPTION:
# This variable contains the version string of the selinux-base-policy package
# that this module build depends on. It is used to patch with the appropriate
# patch bundle(s) that are part of selinux-base-policy.
: ${BASEPOL:=${PVR}}

# @ECLASS-VARIABLE: POLICY_PATCH
# @DESCRIPTION:
# This variable contains the additional patch(es) that need to be applied on top
# of the patchset already contained within the BASEPOL variable. The variable
# can be both a simple string (space-separated) or a bash array.
: ${POLICY_PATCH:=""}

# @ECLASS-VARIABLE: POLICY_FILES
# @DESCRIPTION:
# When defined, this contains the files (located in the ebuilds' files/
# directory) which should be copied as policy module files into the store.
# Generally, users would want to include at least a .te and .fc file, but .if
# files are supported as well. The variable can be both a simple string
# (space-separated) or a bash array.
: ${POLICY_FILES:=""}

# @ECLASS-VARIABLE: POLICY_TYPES
# @DESCRIPTION:
# This variable informs the eclass for which SELinux policies the module should
# be built. Currently, Gentoo supports targeted, strict, mcs and mls.
# This variable is the same POLICY_TYPES variable that we tell SELinux
# users to set in make.conf. Therefore, it is not the module that should
# override it, but the user.
: ${POLICY_TYPES:="targeted strict mcs mls"}

# @ECLASS-VARIABLE: SELINUX_GIT_REPO
# @DESCRIPTION:
# When defined, this variable overrides the default repository URL as used by
# this eclass. It allows end users to point to a different policy repository
# using a single variable, rather than having to set the packagename_LIVE_REPO
# variable for each and every SELinux policy module package they want to install.
# The default value is Gentoo's hardened-refpolicy repository.
: ${SELINUX_GIT_REPO:="git://anongit.gentoo.org/proj/hardened-refpolicy.git https://anongit.gentoo.org/git/proj/hardened-refpolicy.git"};

# @ECLASS-VARIABLE: SELINUX_GIT_BRANCH
# @DESCRIPTION:
# When defined, this variable sets the Git branch to use of the repository. This
# allows for users and developers to use a different branch for the entire set of
# SELinux policy packages, rather than having to override them one by one with the
# packagename_LIVE_BRANCH variable.
# The default value is the 'master' branch.
: ${SELINUX_GIT_BRANCH:="master"};

extra_eclass=""
case ${BASEPOL} in
        9999)   extra_eclass="git-r3";
                        EGIT_REPO_URI="${SELINUX_GIT_REPO}";
                        EGIT_BRANCH="${SELINUX_GIT_BRANCH}";
                        EGIT_CHECKOUT_DIR="${WORKDIR}/refpolicy";;
esac

inherit eutils ${extra_eclass}

IUSE=""

HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
if [[ -n ${BASEPOL} ]] && [[ "${BASEPOL}" != "9999" ]];
then
        SRC_URI="https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2
                http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
elif [[ "${BASEPOL}" != "9999" ]];
then
        SRC_URI="https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2"
else
        SRC_URI=""
fi

LICENSE="GPL-2"
SLOT="0"
S="${WORKDIR}/"
PATCHBUNDLE="${DISTDIR}/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"

# Modules should always depend on at least the first release of the
# selinux-base-policy for which they are generated.
if [[ -n ${BASEPOL} ]];
then
        RDEPEND=">=sys-apps/policycoreutils-2.0.82
                >=sec-policy/selinux-base-policy-${BASEPOL}"
else
        RDEPEND=">=sys-apps/policycoreutils-2.0.82
                >=sec-policy/selinux-base-policy-${PV}"
fi
DEPEND="${RDEPEND}
        sys-devel/m4
        >=sys-apps/checkpolicy-2.0.21"

case "${EAPI:-0}" in
        0|1|2|3|4) die "EAPI<5 is not supported";;
        *) : ;;
esac

EXPORT_FUNCTIONS "src_unpack src_prepare src_compile src_install pkg_postinst pkg_postrm"

# @FUNCTION: selinux-policy-2_src_unpack
# @DESCRIPTION:
# Unpack the policy sources as offered by upstream (refpolicy).
selinux-policy-2_src_unpack() {
        if [[ "${BASEPOL}" != "9999" ]];
        then
                unpack ${A}
        else
                git-r3_src_unpack
        fi
}

# @FUNCTION: selinux-policy-2_src_prepare
# @DESCRIPTION:
# Patch the reference policy sources with our set of enhancements. Start with
# the base patchbundle referred to by the ebuilds through the BASEPOL variable,
# then apply the additional patches as offered by the ebuild.
#
# Next, extract only those files needed for this particular module (i.e. the .te
# and .fc files for the given module in the MODS variable).
#
# Finally, prepare the build environments for each of the supported SELinux
# types (such as targeted or strict), depending on the POLICY_TYPES variable
# content.
selinux-policy-2_src_prepare() {
        local modfiles
        local add_interfaces=0;

        # Create 3rd_party location for user-contributed policies
        cd "${S}/refpolicy/policy/modules" && mkdir 3rd_party;

        # Patch the sources with the base patchbundle
        if [[ -n ${BASEPOL} ]] && [[ "${BASEPOL}" != "9999" ]];
        then
                cd "${S}"
                EPATCH_MULTI_MSG="Applying SELinux policy updates ... " \
                EPATCH_SUFFIX="patch" \
                EPATCH_SOURCE="${WORKDIR}" \
                EPATCH_FORCE="yes" \
                epatch
        fi

        # Call in epatch_user. We do this early on as we start moving
        # files left and right hereafter.
        epatch_user

        # Copy additional files to the 3rd_party/ location
        if [[ "$(declare -p POLICY_FILES 2>/dev/null 2>&1)" == "declare -a"* ]] ||
           [[ -n ${POLICY_FILES} ]];
        then
            add_interfaces=1;
                cd "${S}/refpolicy/policy/modules"
                for POLFILE in ${POLICY_FILES[@]};
                do
                        cp "${FILESDIR}/${POLFILE}" 3rd_party/ || die "Could not copy ${POLFILE} to 3rd_party/ location";
                done
        fi

        # Apply the additional patches refered to by the module ebuild.
        # But first some magic to differentiate between bash arrays and strings
        if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" == "declare -a"* ]] ||
           [[ -n ${POLICY_PATCH} ]];
        then
                cd "${S}/refpolicy/policy/modules"
                for POLPATCH in ${POLICY_PATCH[@]};
                do
                        epatch "${POLPATCH}"
                done
        fi

        # Collect only those files needed for this particular module
        for i in ${MODS}; do
                modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
                modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
                if [ ${add_interfaces} -eq 1 ];
                then
                        modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.if) $modfiles"
                fi
        done

        for i in ${POLICY_TYPES}; do
                mkdir "${S}"/${i} || die "Failed to create directory ${S}/${i}"
                cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \
                        || die "Failed to copy Makefile.example to ${S}/${i}/Makefile"

                cp ${modfiles} "${S}"/${i} \
                        || die "Failed to copy the module files to ${S}/${i}"
        done
}

# @FUNCTION: selinux-policy-2_src_compile
# @DESCRIPTION:
# Build the SELinux policy module (.pp file) for just the selected module, and
# this for each SELinux policy mentioned in POLICY_TYPES
selinux-policy-2_src_compile() {
        local makeuse=""
        for useflag in ${IUSE};
        do
                use ${useflag} && makeuse="${makeuse} -D use_${useflag}"
        done

        for i in ${POLICY_TYPES}; do
                # Support USE flags in builds
                export M4PARAM="${makeuse}"
                if [[ ${BASEPOL} == 2.20140311* ]]; then
                        # Parallel builds are broken in 2.20140311-r7 and earlier, bug 530178
                        emake -j1 NAME=$i -C "${S}"/${i} || die "${i} compile failed"
                else
                        emake NAME=$i -C "${S}"/${i} || die "${i} compile failed"
                fi
        done
}

# @FUNCTION: selinux-policy-2_src_install
# @DESCRIPTION:
# Install the built .pp files in the correct subdirectory within
# /usr/share/selinux.
selinux-policy-2_src_install() {
        local BASEDIR="/usr/share/selinux"

        for i in ${POLICY_TYPES}; do
                for j in ${MODS}; do
                        einfo "Installing ${i} ${j} policy package"
                        insinto ${BASEDIR}/${i}
                        doins "${S}"/${i}/${j}.pp || die "Failed to add ${j}.pp to ${i}"

                        if [[ "${POLICY_FILES[@]}" == *"${j}.if"* ]];
                        then
                                insinto ${BASEDIR}/${i}/include/3rd_party
                                doins "${S}"/${i}/${j}.if || die "Failed to add ${j}.if to ${i}"
                        fi
                done
        done
}

# @FUNCTION: selinux-policy-2_pkg_postinst
# @DESCRIPTION:
# Install the built .pp files in the SELinux policy stores, effectively
# activating the policy on the system.
selinux-policy-2_pkg_postinst() {
        # build up the command in the case of multiple modules
        local COMMAND
        for i in ${MODS}; do
                COMMAND="-i ${i}.pp ${COMMAND}"
        done

        for i in ${POLICY_TYPES}; do
                if [ "${i}" == "strict" ] && [ "${MODS}" = "unconfined" ];
                then
                        einfo "Ignoring loading of unconfined module in strict module store.";
                        continue;
                fi
                einfo "Inserting the following modules into the $i module store: ${MODS}"

                cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/${i}"
                semodule -s ${i} ${COMMAND}
                if [ $? -ne 0 ];
                then
                        ewarn "SELinux module load failed. Trying full reload...";
                        if [ "${i}" == "targeted" ];
                        then
                                semodule -s ${i} -b base.pp -i $(ls *.pp | grep -v base.pp);
                        else
                                semodule -s ${i} -b base.pp -i $(ls *.pp | grep -v base.pp | grep -v unconfined.pp);
                        fi
                        if [ $? -ne 0 ];
                        then
                                ewarn "Failed to reload SELinux policies."
                                ewarn ""
                                ewarn "If this is *not* the last SELinux module package being installed,"
                                ewarn "then you can safely ignore this as the reloads will be retried"
                                ewarn "with other, recent modules."
                                ewarn ""
                                ewarn "If it is the last SELinux module package being installed however,"
                                ewarn "then it is advised to look at the error above and take appropriate"
                                ewarn "action since the new SELinux policies are not loaded until the"
                                ewarn "command finished succesfully."
                                ewarn ""
                                ewarn "To reload, run the following command from within /usr/share/selinux/${i}:"
                                ewarn "  semodule -b base.pp -i \$(ls *.pp | grep -v base.pp)"
                                ewarn "or"
                                ewarn "  semodule -b base.pp -i \$(ls *.pp | grep -v base.pp | grep -v unconfined.pp)"
                                ewarn "depending on if you need the unconfined domain loaded as well or not."
                        else
                                einfo "SELinux modules reloaded succesfully."
                        fi
                else
                        einfo "SELinux modules loaded succesfully."
                fi
        done

        # Relabel depending packages
        PKGSET="";
        if [ -x /usr/bin/qdepends ] ; then
          PKGSET=$(/usr/bin/qdepends -Cq -r -Q ${CATEGORY}/${PN} | grep -v "sec-policy/selinux-");
        elif [ -x /usr/bin/equery ] ; then
          PKGSET=$(/usr/bin/equery -Cq depends ${CATEGORY}/${PN} | grep -v "sec-policy/selinux-");
        fi
    if [ -n "${PKGSET}" ] ; then
          rlpkg ${PKGSET};
        fi
}

# @FUNCTION: selinux-policy-2_pkg_postrm
# @DESCRIPTION:
# Uninstall the module(s) from the SELinux policy stores, effectively
# deactivating the policy on the system.
selinux-policy-2_pkg_postrm() {
        # Only if we are not upgrading
        if [[ -z "${REPLACED_BY_VERSION}" ]];
        then
                # build up the command in the case of multiple modules
                local COMMAND
                for i in ${MODS}; do
                        COMMAND="-r ${i} ${COMMAND}"
                done

                for i in ${POLICY_TYPES}; do
                        einfo "Removing the following modules from the $i module store: ${MODS}"

                        semodule -s ${i} ${COMMAND}
                        if [ $? -ne 0 ];
                        then
                                ewarn "SELinux module unload failed.";
                        else
                                einfo "SELinux modules unloaded succesfully."
                        fi
                done
        fi
}

1	perfinion	1.31	# Copyright 1999-2015 Gentoo Foundation
2	pebenito	1.1	# Distributed under the terms of the GNU General Public License v2
3	perfinion	1.32	# $Header: /var/cvsroot/gentoo-x86/eclass/selinux-policy-2.eclass,v 1.31 2015/04/04 17:11:35 perfinion Exp $
4	pebenito	1.1
5			# Eclass for installing SELinux policy, and optionally
6	blueness	1.5	# reloading the reference-policy based modules.
7	pebenito	1.1
8	blueness	1.7	# @ECLASS: selinux-policy-2.eclass
9	vapier	1.9	# @MAINTAINER:
10	blueness	1.7	# selinux@gentoo.org
11			# @BLURB: This eclass supports the deployment of the various SELinux modules in sec-policy
12			# @DESCRIPTION:
13			# The selinux-policy-2.eclass supports deployment of the various SELinux modules
14			# defined in the sec-policy category. It is responsible for extracting the
15			# specific bits necessary for single-module deployment (instead of full-blown
16			# policy rebuilds) and applying the necessary patches.
17	vapier	1.9	#
18	blueness	1.7	# Also, it supports for bundling patches to make the whole thing just a bit more
19			# manageable.
20
21			# @ECLASS-VARIABLE: MODS
22	vapier	1.9	# @DESCRIPTION:
23	blueness	1.7	# This variable contains the (upstream) module name for the SELinux module.
24			# This name is only the module name, not the category!
25			: ${MODS:="_illegal"}
26
27			# @ECLASS-VARIABLE: BASEPOL
28			# @DESCRIPTION:
29			# This variable contains the version string of the selinux-base-policy package
30			# that this module build depends on. It is used to patch with the appropriate
31	vapier	1.9	# patch bundle(s) that are part of selinux-base-policy.
32	swift	1.23	: ${BASEPOL:=${PVR}}
33	blueness	1.7
34			# @ECLASS-VARIABLE: POLICY_PATCH
35			# @DESCRIPTION:
36			# This variable contains the additional patch(es) that need to be applied on top
37			# of the patchset already contained within the BASEPOL variable. The variable
38			# can be both a simple string (space-separated) or a bash array.
39			: ${POLICY_PATCH:=""}
40
41	swift	1.12	# @ECLASS-VARIABLE: POLICY_FILES
42			# @DESCRIPTION:
43			# When defined, this contains the files (located in the ebuilds' files/
44			# directory) which should be copied as policy module files into the store.
45			# Generally, users would want to include at least a .te and .fc file, but .if
46			# files are supported as well. The variable can be both a simple string
47			# (space-separated) or a bash array.
48			: ${POLICY_FILES:=""}
49
50	blueness	1.7	# @ECLASS-VARIABLE: POLICY_TYPES
51			# @DESCRIPTION:
52			# This variable informs the eclass for which SELinux policies the module should
53			# be built. Currently, Gentoo supports targeted, strict, mcs and mls.
54			# This variable is the same POLICY_TYPES variable that we tell SELinux
55	zmedico	1.18	# users to set in make.conf. Therefore, it is not the module that should
56	blueness	1.7	# override it, but the user.
57			: ${POLICY_TYPES:="targeted strict mcs mls"}
58
59	swift	1.22	# @ECLASS-VARIABLE: SELINUX_GIT_REPO
60			# @DESCRIPTION:
61			# When defined, this variable overrides the default repository URL as used by
62			# this eclass. It allows end users to point to a different policy repository
63			# using a single variable, rather than having to set the packagename_LIVE_REPO
64			# variable for each and every SELinux policy module package they want to install.
65			# The default value is Gentoo's hardened-refpolicy repository.
66	perfinion	1.32	: ${SELINUX_GIT_REPO:="git://anongit.gentoo.org/proj/hardened-refpolicy.git https://anongit.gentoo.org/git/proj/hardened-refpolicy.git"};
67	swift	1.22
68			# @ECLASS-VARIABLE: SELINUX_GIT_BRANCH
69			# @DESCRIPTION:
70			# When defined, this variable sets the Git branch to use of the repository. This
71			# allows for users and developers to use a different branch for the entire set of
72			# SELinux policy packages, rather than having to override them one by one with the
73			# packagename_LIVE_BRANCH variable.
74			# The default value is the 'master' branch.
75			: ${SELINUX_GIT_BRANCH:="master"};
76
77	swift	1.14	extra_eclass=""
78			case ${BASEPOL} in
79	perfinion	1.32	9999) extra_eclass="git-r3";
80	swift	1.22	EGIT_REPO_URI="${SELINUX_GIT_REPO}";
81			EGIT_BRANCH="${SELINUX_GIT_BRANCH}";
82	perfinion	1.32	EGIT_CHECKOUT_DIR="${WORKDIR}/refpolicy";;
83	swift	1.14	esac
84
85			inherit eutils ${extra_eclass}
86	pebenito	1.1
87			IUSE=""
88
89	perfinion	1.30	HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
90	swift	1.14	if [[ -n ${BASEPOL} ]] && [[ "${BASEPOL}" != "9999" ]];
91	blueness	1.7	then
92	perfinion	1.30	SRC_URI="https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2
93	swift	1.8	http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
94	swift	1.14	elif [[ "${BASEPOL}" != "9999" ]];
95			then
96	perfinion	1.30	SRC_URI="https://raw.githubusercontent.com/wiki/TresysTechnology/refpolicy/files/refpolicy-${PV}.tar.bz2"
97	blueness	1.7	else
98	swift	1.14	SRC_URI=""
99	blueness	1.7	fi
100	pebenito	1.1
101			LICENSE="GPL-2"
102			SLOT="0"
103			S="${WORKDIR}/"
104	blueness	1.7	PATCHBUNDLE="${DISTDIR}/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
105	pebenito	1.1
106	blueness	1.7	# Modules should always depend on at least the first release of the
107			# selinux-base-policy for which they are generated.
108			if [[ -n ${BASEPOL} ]];
109			then
110			RDEPEND=">=sys-apps/policycoreutils-2.0.82
111			>=sec-policy/selinux-base-policy-${BASEPOL}"
112			else
113			RDEPEND=">=sys-apps/policycoreutils-2.0.82
114			>=sec-policy/selinux-base-policy-${PV}"
115			fi
116	pebenito	1.1	DEPEND="${RDEPEND}
117			sys-devel/m4
118	blueness	1.7	>=sys-apps/checkpolicy-2.0.21"
119	pebenito	1.1
120	blueness	1.7	case "${EAPI:-0}" in
121	perfinion	1.31	0\|1\|2\|3\|4) die "EAPI<5 is not supported";;
122			*) : ;;
123	blueness	1.7	esac
124
125	perfinion	1.31	EXPORT_FUNCTIONS "src_unpack src_prepare src_compile src_install pkg_postinst pkg_postrm"
126	blueness	1.7
127			# @FUNCTION: selinux-policy-2_src_unpack
128			# @DESCRIPTION:
129	perfinion	1.31	# Unpack the policy sources as offered by upstream (refpolicy).
130	pebenito	1.1	selinux-policy-2_src_unpack() {
131	swift	1.14	if [[ "${BASEPOL}" != "9999" ]];
132			then
133			unpack ${A}
134			else
135	perfinion	1.32	git-r3_src_unpack
136	swift	1.14	fi
137	blueness	1.7	}
138
139			# @FUNCTION: selinux-policy-2_src_prepare
140			# @DESCRIPTION:
141			# Patch the reference policy sources with our set of enhancements. Start with
142			# the base patchbundle referred to by the ebuilds through the BASEPOL variable,
143			# then apply the additional patches as offered by the ebuild.
144	vapier	1.11	#
145	blueness	1.7	# Next, extract only those files needed for this particular module (i.e. the .te
146			# and .fc files for the given module in the MODS variable).
147	vapier	1.11	#
148	blueness	1.7	# Finally, prepare the build environments for each of the supported SELinux
149			# types (such as targeted or strict), depending on the POLICY_TYPES variable
150			# content.
151			selinux-policy-2_src_prepare() {
152	pebenito	1.2	local modfiles
153	swift	1.12	local add_interfaces=0;
154
155			# Create 3rd_party location for user-contributed policies
156			cd "${S}/refpolicy/policy/modules" && mkdir 3rd_party;
157	pebenito	1.2
158	blueness	1.7	# Patch the sources with the base patchbundle
159	swift	1.14	if [[ -n ${BASEPOL} ]] && [[ "${BASEPOL}" != "9999" ]];
160	blueness	1.7	then
161			cd "${S}"
162	swift	1.10	EPATCH_MULTI_MSG="Applying SELinux policy updates ... " \
163			EPATCH_SUFFIX="patch" \
164			EPATCH_SOURCE="${WORKDIR}" \
165			EPATCH_FORCE="yes" \
166			epatch
167	blueness	1.7	fi
168
169	swift	1.19	# Call in epatch_user. We do this early on as we start moving
170			# files left and right hereafter.
171			epatch_user
172
173	swift	1.12	# Copy additional files to the 3rd_party/ location
174			if [[ "$(declare -p POLICY_FILES 2>/dev/null 2>&1)" == "declare -a"* ]] \|\|
175			[[ -n ${POLICY_FILES} ]];
176			then
177			add_interfaces=1;
178			cd "${S}/refpolicy/policy/modules"
179			for POLFILE in ${POLICY_FILES[@]};
180			do
181			cp "${FILESDIR}/${POLFILE}" 3rd_party/ \|\| die "Could not copy ${POLFILE} to 3rd_party/ location";
182			done
183			fi
184
185	blueness	1.7	# Apply the additional patches refered to by the module ebuild.
186			# But first some magic to differentiate between bash arrays and strings
187	swift	1.12	if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" == "declare -a"* ]] \|\|
188			[[ -n ${POLICY_PATCH} ]];
189	blueness	1.7	then
190			cd "${S}/refpolicy/policy/modules"
191	swift	1.12	for POLPATCH in ${POLICY_PATCH[@]};
192	blueness	1.7	do
193			epatch "${POLPATCH}"
194			done
195			fi
196	pebenito	1.1
197	blueness	1.7	# Collect only those files needed for this particular module
198	pebenito	1.1	for i in ${MODS}; do
199	blueness	1.7	modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
200			modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
201	swift	1.12	if [ ${add_interfaces} -eq 1 ];
202			then
203			modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.if) $modfiles"
204			fi
205	pebenito	1.1	done
206
207			for i in ${POLICY_TYPES}; do
208	blueness	1.7	mkdir "${S}"/${i} \|\| die "Failed to create directory ${S}/${i}"
209			cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \
210			\|\| die "Failed to copy Makefile.example to ${S}/${i}/Makefile"
211	kaiowas	1.3
212	blueness	1.7	cp ${modfiles} "${S}"/${i} \
213			\|\| die "Failed to copy the module files to ${S}/${i}"
214	pebenito	1.1	done
215			}
216
217	blueness	1.7	# @FUNCTION: selinux-policy-2_src_compile
218	vapier	1.9	# @DESCRIPTION:
219	blueness	1.7	# Build the SELinux policy module (.pp file) for just the selected module, and
220			# this for each SELinux policy mentioned in POLICY_TYPES
221	pebenito	1.1	selinux-policy-2_src_compile() {
222	swift	1.21	local makeuse=""
223			for useflag in ${IUSE};
224			do
225			use ${useflag} && makeuse="${makeuse} -D use_${useflag}"
226			done
227	perfinion	1.29
228	pebenito	1.1	for i in ${POLICY_TYPES}; do
229	swift	1.21	# Support USE flags in builds
230			export M4PARAM="${makeuse}"
231	perfinion	1.29	if [[ ${BASEPOL} == 2.20140311* ]]; then
232			# Parallel builds are broken in 2.20140311-r7 and earlier, bug 530178
233			emake -j1 NAME=$i -C "${S}"/${i} \|\| die "${i} compile failed"
234			else
235			emake NAME=$i -C "${S}"/${i} \|\| die "${i} compile failed"
236			fi
237	pebenito	1.1	done
238			}
239
240	blueness	1.7	# @FUNCTION: selinux-policy-2_src_install
241			# @DESCRIPTION:
242			# Install the built .pp files in the correct subdirectory within
243			# /usr/share/selinux.
244	pebenito	1.1	selinux-policy-2_src_install() {
245	pebenito	1.2	local BASEDIR="/usr/share/selinux"
246	pebenito	1.1
247			for i in ${POLICY_TYPES}; do
248			for j in ${MODS}; do
249	blueness	1.7	einfo "Installing ${i} ${j} policy package"
250	pebenito	1.1	insinto ${BASEDIR}/${i}
251	blueness	1.7	doins "${S}"/${i}/${j}.pp \|\| die "Failed to add ${j}.pp to ${i}"
252	swift	1.12
253			if [[ "${POLICY_FILES[@]}" == "${j}.if" ]];
254			then
255			insinto ${BASEDIR}/${i}/include/3rd_party
256			doins "${S}"/${i}/${j}.if \|\| die "Failed to add ${j}.if to ${i}"
257			fi
258	pebenito	1.1	done
259			done
260			}
261
262	blueness	1.7	# @FUNCTION: selinux-policy-2_pkg_postinst
263			# @DESCRIPTION:
264			# Install the built .pp files in the SELinux policy stores, effectively
265			# activating the policy on the system.
266	pebenito	1.1	selinux-policy-2_pkg_postinst() {
267			# build up the command in the case of multiple modules
268			local COMMAND
269			for i in ${MODS}; do
270			COMMAND="-i ${i}.pp ${COMMAND}"
271			done
272
273	blueness	1.5	for i in ${POLICY_TYPES}; do
274	swift	1.17	if [ "${i}" == "strict" ] && [ "${MODS}" = "unconfined" ];
275			then
276			einfo "Ignoring loading of unconfined module in strict module store.";
277			continue;
278			fi
279	blueness	1.5	einfo "Inserting the following modules into the $i module store: ${MODS}"
280	pebenito	1.1
281	blueness	1.7	cd /usr/share/selinux/${i} \|\| die "Could not enter /usr/share/selinux/${i}"
282	swift	1.12	semodule -s ${i} ${COMMAND}
283			if [ $? -ne 0 ];
284			then
285			ewarn "SELinux module load failed. Trying full reload...";
286			if [ "${i}" == "targeted" ];
287			then
288			semodule -s ${i} -b base.pp -i $(ls *.pp \| grep -v base.pp);
289			else
290			semodule -s ${i} -b base.pp -i $(ls *.pp \| grep -v base.pp \| grep -v unconfined.pp);
291			fi
292			if [ $? -ne 0 ];
293			then
294	swift	1.13	ewarn "Failed to reload SELinux policies."
295			ewarn ""
296			ewarn "If this is not the last SELinux module package being installed,"
297			ewarn "then you can safely ignore this as the reloads will be retried"
298			ewarn "with other, recent modules."
299			ewarn ""
300			ewarn "If it is the last SELinux module package being installed however,"
301			ewarn "then it is advised to look at the error above and take appropriate"
302			ewarn "action since the new SELinux policies are not loaded until the"
303			ewarn "command finished succesfully."
304			ewarn ""
305			ewarn "To reload, run the following command from within /usr/share/selinux/${i}:"
306			ewarn " semodule -b base.pp -i \$(ls *.pp \| grep -v base.pp)"
307			ewarn "or"
308			ewarn " semodule -b base.pp -i \$(ls *.pp \| grep -v base.pp \| grep -v unconfined.pp)"
309			ewarn "depending on if you need the unconfined domain loaded as well or not."
310	swift	1.12	else
311			einfo "SELinux modules reloaded succesfully."
312			fi
313			else
314			einfo "SELinux modules loaded succesfully."
315			fi
316	blueness	1.5	done
317	swift	1.24
318			# Relabel depending packages
319			PKGSET="";
320			if [ -x /usr/bin/qdepends ] ; then
321	swift	1.28	PKGSET=$(/usr/bin/qdepends -Cq -r -Q ${CATEGORY}/${PN} \| grep -v "sec-policy/selinux-");
322	swift	1.24	elif [ -x /usr/bin/equery ] ; then
323	swift	1.27	PKGSET=$(/usr/bin/equery -Cq depends ${CATEGORY}/${PN} \| grep -v "sec-policy/selinux-");
324			fi
325			if [ -n "${PKGSET}" ] ; then
326			rlpkg ${PKGSET};
327	swift	1.24	fi
328	pebenito	1.1	}
329
330	swift	1.16	# @FUNCTION: selinux-policy-2_pkg_postrm
331			# @DESCRIPTION:
332			# Uninstall the module(s) from the SELinux policy stores, effectively
333			# deactivating the policy on the system.
334			selinux-policy-2_pkg_postrm() {
335			# Only if we are not upgrading
336	perfinion	1.31	if [[ -z "${REPLACED_BY_VERSION}" ]];
337	swift	1.16	then
338			# build up the command in the case of multiple modules
339			local COMMAND
340			for i in ${MODS}; do
341			COMMAND="-r ${i} ${COMMAND}"
342			done
343	perfinion	1.31
344	swift	1.16	for i in ${POLICY_TYPES}; do
345			einfo "Removing the following modules from the $i module store: ${MODS}"
346	perfinion	1.31
347	swift	1.16	semodule -s ${i} ${COMMAND}
348			if [ $? -ne 0 ];
349			then
350			ewarn "SELinux module unload failed.";
351			else
352			einfo "SELinux modules unloaded succesfully."
353			fi
354			done
355			fi
356			}
357