From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1335117588.c9c0824e1e0ac98a651a991f7266d25783ab542d.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-dev:master commit in: eclass/
X-VCS-Repository: proj/hardened-dev
X-VCS-Files: eclass/selinux-policy-2.eclass
X-VCS-Directories: eclass/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: c9c0824e1e0ac98a651a991f7266d25783ab542d
X-VCS-Branch: master
Date: Sun, 22 Apr 2012 18:00:12 +0000 (UTC)

commit:     c9c0824e1e0ac98a651a991f7266d25783ab542d
Author:     Sven Vermeulen siphos be>
AuthorDate: Sun Apr 22 17:59:48 2012 +0000
Commit:     Sven Vermeulen siphos be>
CommitDate: Sun Apr 22 17:59:48 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=c9c0824e

Adding (as-is) selinux policy eclass

---
 eclass/selinux-policy-2.eclass | 208 ++++++++++++++++++++++++++++++++++= ++++
 1 files changed, 208 insertions(+), 0 deletions(-)

diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.ecl= ass
new file mode 100644
index 0000000..a20d3e9
--- /dev/null
+++ b/eclass/selinux-policy-2.eclass
@@ -0,0 +1,208 @@ +# Copyright 1999-2011 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/eclass/selinux-policy-2.eclass,v 1.11= 2011/08/29 01:28:10 vapier Exp $ + +# Eclass for installing SELinux policy, and optionally +# reloading the reference-policy based modules. + +# @ECLASS: selinux-policy-2.eclass +# @MAINTAINER: +# selinux@gentoo.org +# @BLURB: This eclass supports the deployment of the various SELinux mod= ules in sec-policy +# @DESCRIPTION: +# The selinux-policy-2.eclass supports deployment of the various SELinux= modules +# defined in the sec-policy category. It is responsible for extracting t= he +# specific bits necessary for single-module deployment (instead of full-= blown +# policy rebuilds) and applying the necessary patches. +# +# Also, it supports for bundling patches to make the whole thing just a = bit more +# manageable. + +# @ECLASS-VARIABLE: MODS +# @DESCRIPTION: +# This variable contains the (upstream) module name for the SELinux modu= le. +# This name is only the module name, not the category! +: ${MODS:=3D"_illegal"} + +# @ECLASS-VARIABLE: BASEPOL +# @DESCRIPTION: +# This variable contains the version string of the selinux-base-policy p= ackage +# that this module build depends on. It is used to patch with the approp= riate +# patch bundle(s) that are part of selinux-base-policy. +: ${BASEPOL:=3D""} + +# @ECLASS-VARIABLE: POLICY_PATCH +# @DESCRIPTION: +# This variable contains the additional patch(es) that need to be applie= d on top +# of the patchset already contained within the BASEPOL variable. The var= iable +# can be both a simple string (space-separated) or a bash array. +: ${POLICY_PATCH:=3D""} + +# @ECLASS-VARIABLE: POLICY_TYPES +# @DESCRIPTION: +# This variable informs the eclass for which SELinux policies the module= should +# be built. Currently, Gentoo supports targeted, strict, mcs and mls. 
+# This variable is the same POLICY_TYPES variable that we tell SELinux +# users to set in /etc/make.conf. Therefor, it is not the module that sh= ould +# override it, but the user. +: ${POLICY_TYPES:=3D"targeted strict mcs mls"} + +inherit eutils + +IUSE=3D"" + +HOMEPAGE=3D"http://www.gentoo.org/proj/en/hardened/selinux/" +if [[ -n ${BASEPOL} ]]; +then + SRC_URI=3D"http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz= 2 + http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-s= elinux-base-policy-${BASEPOL}.tar.bz2" +else + SRC_URI=3D"http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz= 2" +fi + +LICENSE=3D"GPL-2" +SLOT=3D"0" +S=3D"${WORKDIR}/" +PATCHBUNDLE=3D"${DISTDIR}/patchbundle-selinux-base-policy-${BASEPOL}.tar= .bz2" + +# Modules should always depend on at least the first release of the +# selinux-base-policy for which they are generated. +if [[ -n ${BASEPOL} ]]; +then + RDEPEND=3D">=3Dsys-apps/policycoreutils-2.0.82 + >=3Dsec-policy/selinux-base-policy-${BASEPOL}" +else + RDEPEND=3D">=3Dsys-apps/policycoreutils-2.0.82 + >=3Dsec-policy/selinux-base-policy-${PV}" +fi +DEPEND=3D"${RDEPEND} + sys-devel/m4 + >=3Dsys-apps/checkpolicy-2.0.21" + +SELINUX_EXPF=3D"src_unpack src_compile src_install pkg_postinst" +case "${EAPI:-0}" in + 2|3|4) SELINUX_EXPF+=3D" src_prepare" ;; + *) ;; +esac + +EXPORT_FUNCTIONS ${SELINUX_EXPF} + +# @FUNCTION: selinux-policy-2_src_unpack +# @DESCRIPTION: +# Unpack the policy sources as offered by upstream (refpolicy). In case = of EAPI +# older than 2, call src_prepare too. +selinux-policy-2_src_unpack() { + unpack ${A} + + # Call src_prepare explicitly for EAPI 0 or 1 + has "${EAPI:-0}" 0 1 && selinux-policy-2_src_prepare +} + +# @FUNCTION: selinux-policy-2_src_prepare +# @DESCRIPTION: +# Patch the reference policy sources with our set of enhancements. 
Start= with +# the base patchbundle referred to by the ebuilds through the BASEPOL va= riable, +# then apply the additional patches as offered by the ebuild. +# +# Next, extract only those files needed for this particular module (i.e.= the .te +# and .fc files for the given module in the MODS variable). +# +# Finally, prepare the build environments for each of the supported SELi= nux +# types (such as targeted or strict), depending on the POLICY_TYPES vari= able +# content. +selinux-policy-2_src_prepare() { + local modfiles + + # Patch the sources with the base patchbundle + if [[ -n ${BASEPOL} ]]; + then + cd "${S}" + EPATCH_MULTI_MSG=3D"Applying SELinux policy updates ... " \ + EPATCH_SUFFIX=3D"patch" \ + EPATCH_SOURCE=3D"${WORKDIR}" \ + EPATCH_FORCE=3D"yes" \ + epatch + fi + + # Apply the additional patches refered to by the module ebuild. + # But first some magic to differentiate between bash arrays and strings + if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" =3D=3D "declare -a"= * ]]; + then + cd "${S}/refpolicy/policy/modules" + for POLPATCH in "${POLICY_PATCH[@]}"; + do + epatch "${POLPATCH}" + done + else + if [[ -n ${POLICY_PATCH} ]]; + then + cd "${S}/refpolicy/policy/modules" + for POLPATCH in ${POLICY_PATCH}; + do + epatch "${POLPATCH}" + done + fi + fi + + # Collect only those files needed for this particular module + for i in ${MODS}; do + modfiles=3D"$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfil= es" + modfiles=3D"$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfil= es" + done + + for i in ${POLICY_TYPES}; do + mkdir "${S}"/${i} || die "Failed to create directory ${S}/${i}" + cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \ + || die "Failed to copy Makefile.example to ${S}/${i}/Makefile" + + cp ${modfiles} "${S}"/${i} \ + || die "Failed to copy the module files to ${S}/${i}" + done +} + +# @FUNCTION: selinux-policy-2_src_compile +# @DESCRIPTION: +# Build the SELinux policy module (.pp file) for just the 
selected modul= e, and +# this for each SELinux policy mentioned in POLICY_TYPES +selinux-policy-2_src_compile() { + for i in ${POLICY_TYPES}; do + # Parallel builds are broken, so we need to force -j1 here + emake -j1 NAME=3D$i -C "${S}"/${i} || die "${i} compile failed" + done +} + +# @FUNCTION: selinux-policy-2_src_install +# @DESCRIPTION: +# Install the built .pp files in the correct subdirectory within +# /usr/share/selinux. +selinux-policy-2_src_install() { + local BASEDIR=3D"/usr/share/selinux" + + for i in ${POLICY_TYPES}; do + for j in ${MODS}; do + einfo "Installing ${i} ${j} policy package" + insinto ${BASEDIR}/${i} + doins "${S}"/${i}/${j}.pp || die "Failed to add ${j}.pp to ${i}" + done + done +} + +# @FUNCTION: selinux-policy-2_pkg_postinst +# @DESCRIPTION: +# Install the built .pp files in the SELinux policy stores, effectively +# activating the policy on the system. +selinux-policy-2_pkg_postinst() { + # build up the command in the case of multiple modules + local COMMAND + for i in ${MODS}; do + COMMAND=3D"-i ${i}.pp ${COMMAND}" + done + + for i in ${POLICY_TYPES}; do + einfo "Inserting the following modules into the $i module store: ${MOD= S}" + + cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/= ${i}" + semodule -s ${i} ${COMMAND} || die "Failed to load in modules ${MODS} = in the $i policy store" + done +} +
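Review bot: `selinux-policy-2_pkg_postinst` calls `die` twice after the package has already been merged (`cd /usr/share/selinux/${i} || die ...` and `semodule -s ${i} ${COMMAND} || die ...`), and it works on the absolute path `/usr/share/selinux/${i}` rather than `"${ROOT}"/usr/share/selinux/${i}`, so a failing `semodule` aborts the merge with the .pp files installed but never loaded, and a build with ROOT set to something other than / would insert modules into the live host's policy store instead of the target's. Suggest turning both `die` calls into `eerror`/`ewarn` with a hint to rerun `semodule -s <type> -i <module>.pp` by hand, and skipping the `semodule` step when ROOT is not /. Smaller points in the same hunk: `PATCHBUNDLE=...` is assigned but never referenced (`src_prepare` points `EPATCH_SOURCE` at `${WORKDIR}` instead), so either drop it or use it; the redirection in `declare -p POLICY_PATCH 2>/dev/null 2>&1` ends up sending stderr into the captured stdout after first pointing it at /dev/null, and `2>/dev/null` alone is what was meant; and the `_illegal` default for `MODS` is never checked, so an ebuild that forgets to set `MODS` produces an empty `find` result and an opaque `cp` failure rather than a clear `die` at the start of `src_prepare`.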