# Build-time knobs for the reference policy build.  distro and monolithic
# are handed to the refpolicy Makefile as DISTRO and MONOLITHIC by the
# makeCmds and installCmds macros further down.
%define distro redhat
# Not referenced anywhere in this spec and misspelled - polyinstantiate.
# Kept as-is; safe to drop once confirmed unused by the packaging around it.
%define polyinstatiate n
%define monolithic n
# Each BUILD_ flag may be preset on the rpmbuild command line, for example
# --define 'BUILD_MLS 0'.  When a flag is undefined the conditional below
# defaults it to 1.  BUILD_DOC is defaulted here but not consulted in this file.
%if %{?BUILD_DOC:0}%{!?BUILD_DOC:1}
%define BUILD_DOC 1
%endif
%if %{?BUILD_TARGETED:0}%{!?BUILD_TARGETED:1}
%define BUILD_TARGETED 1
%endif
%if %{?BUILD_MINIMUM:0}%{!?BUILD_MINIMUM:1}
%define BUILD_MINIMUM 1
%endif
%if %{?BUILD_MLS:0}%{!?BUILD_MLS:1}
%define BUILD_MLS 1
%endif
# SELinux binary policy format version; it names the compiled policy file
# written into each store by installCmds and packaged by fileList.
%define POLICYVER 29
# Minimum userspace versions the build and the scriptlets rely on.
%define POLICYCOREUTILSVER 2.1.14
%define CHECKPOLICYVER 2.1.12
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
Release: %mkrel 1
License: GPLv2+
Group: System/Base
Url: http://oss.tresys.com/repos/refpolicy/
Source: serefpolicy-%{version}.tgz
Patch0: policy-cauldron-base.patch
Patch1: policy-cauldron-contrib.patch
#Patch2: policy_contrib-rawhide-roleattribute.patch
# Per-store configuration shipped next to the refpolicy tarball.  The
# install section copies these into a selinux_config staging directory and
# makeCmds/installCmds pick them up by store name.
Source1: modules-targeted-base.conf
Source2: booleans-targeted.conf
Source3: Makefile.devel
Source4: setrans-targeted.conf
Source5: modules-mls-base.conf
Source6: booleans-mls.conf
Source8: setrans-mls.conf
Source14: securetty_types-targeted
Source15: securetty_types-mls
# Source16: modules-minimum.conf
# There is no minimum module list: the install section reuses the targeted one.
Source17: booleans-minimum.conf
Source18: setrans-minimum.conf
Source19: securetty_types-minimum
Source20: customizable_types
# Extracted by the install section on top of the staging directory.
Source21: config.tgz
Source22: users-mls
Source23: users-targeted
Source25: users-minimum
Source26: file_contexts.subs_dist
# tmpfiles.d snippet owned by the base package.
Source27: selinux-policy.conf
# Prebuilt module copied verbatim into the targeted and minimum stores.
Source28: permissivedomains.pp
# Contrib modules, unpacked by prep into policy/modules/contrib.
Source29: serefpolicy-contrib-%{version}.tgz
# Installed directly into each store by installCmds, not staged.
Source30: booleans.subs_dist
Source31: modules-targeted-contrib.conf
Source32: modules-mls-contrib.conf
BuildRequires: python
BuildRequires: gawk
BuildRequires: checkpolicy >= %{CHECKPOLICYVER}
BuildRequires: m4
BuildRequires: policycoreutils-devel >= %{POLICYCOREUTILSVER}
BuildRequires: bzip2
# NOTE(review): the install section also runs /usr/bin/sepolicy and
# /usr/sbin/semodule; confirm the BuildRequires above pull them in.
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
# NOTE(review): the base post scriptlet uses neither awk nor sha512sum;
# sha512sum is used by the subpackage pre scriptlets, which require
# coreutils themselves.  Bare names must resolve to package provides - confirm.
Requires(post): awk sha512sum
Requires: checkpolicy >= %{CHECKPOLICYVER}
BuildArch: noarch

%description
SELinux Base package

%files
# The base package owns the top-level policy directories and the two
# ghosted config files that its post scriptlet creates on a fresh install.
%dir %{_usr}/share/selinux
%dir %{_usr}/share/selinux/packages
%dir %{_sysconfdir}/selinux
# Written by the post scriptlet with SELINUX=enforcing and
# SELINUXTYPE=targeted; noreplace keeps upgrades from touching it.
%ghost %config(noreplace) %{_sysconfdir}/selinux/config
# Symlink to ../selinux/config, also created by the post scriptlet.
%ghost %{_sysconfdir}/sysconfig/selinux
%{_usr}/lib/tmpfiles.d/selinux-policy.conf

%package devel
Summary: SELinux policy devel
Group: System/Base
Requires(pre): selinux-policy = %{version}-%{release}
# Makefile.devel, installed below as the devel Makefile, is expected to
# drive make, m4 and checkpolicy for building local modules - confirm
# against Source3.
Requires: m4
Requires: checkpolicy >= %{CHECKPOLICYVER}
Requires: make

%description devel
SELinux policy development and man page package

%files devel
# All man pages, including the per-domain man8 pages that sepolicy
# generates in the install section.
%{_mandir}/man*/*
%{_mandir}/ru/*/*
%dir %{_usr}/share/selinux/devel
# Policy headers moved here from the targeted build by the install section.
%dir %{_usr}/share/selinux/devel/include
%{_usr}/share/selinux/devel/include/*
# HTML produced by sepolicy manpage -w, moved out of the man8 tree.
%dir %{_usr}/share/selinux/devel/html
%{_usr}/share/selinux/devel/html/*html
%{_usr}/share/selinux/devel/Makefile
%{_usr}/share/selinux/devel/example.*
%{_usr}/share/selinux/devel/policy.*

%package doc
Summary: SELinux policy documentation
Group: System/Base
Requires(pre): selinux-policy = %{version}-%{release}
# policyhelp, generated in the install section, is a one-line xdg-open call.
Requires: xdg-utils

%description doc
SELinux policy documentation package

%files doc
%doc %{_usr}/share/doc/%{name}-%{version}
# One-line helper script that opens the HTML documentation; executable.
%attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp


# makeCmds NAME TYPE DIRECT_INITRC UNK_PERMS
#   Configures the refpolicy tree for one store.  Arg 1 is the store name
#   - targeted, minimum or mls - arg 2 the policy type - mcs or mls - arg 3
#   the DIRECT_INITRC setting and arg 4 the handling of permissions
#   unknown to the kernel - allow for targeted and minimum, deny for mls.
#   The booleans and users files for the store are copied in from the
#   selinux_config staging directory created by the install section;
#   the module list is handled separately by makeModulesConf.
%define makeCmds() \
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 conf \
cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \
cp -f selinux_config/users-%1 ./policy/users \
#cp -f selinux_config/modules-%1-base.conf ./policy/modules.conf \

# makeModulesConf NAME BASE CONTRIB
#   Assembles policy/modules.conf for store arg 1 from the staged
#   modules-NAME-BASE.conf file and, when arg 3 is the literal word
#   contrib, appends modules-NAME-contrib.conf.  The base and contrib
#   lists are also kept as separate files for modulesList.
#   The == test is a bash extension; the build shell here is bash.
%define makeModulesConf() \
cp -f selinux_config/modules-%1-%2.conf ./policy/modules-base.conf \
cp -f selinux_config/modules-%1-%2.conf ./policy/modules.conf \
if [ %3 == "contrib" ];then \
cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \
cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \
fi; \

# installCmds NAME TYPE DIRECT_INITRC UNK_PERMS - same arguments as makeCmds
#   Builds base.pp and the loadable modules for store arg 1, installs them
#   and the appconfig files under the buildroot, then lays out the store
#   under the sysconfdir selinux/NAME tree: bzip2-compressed modules in
#   modules/active, the kernel policy built by semodule -B against the
#   buildroot, and a sha512 of that policy which preInstall compares at
#   upgrade time to decide whether a rebuild is needed.
%define installCmds() \
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" base.pp \
make validate UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" modules \
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \
make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install-appconfig \
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/logins \
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/policy \
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules \
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/contexts/files \
# the semanage lock files are shipped empty so the store is usable at once \
touch %{buildroot}/%{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \
touch %{buildroot}/%{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/booleans \
# placeholders so fileList can own them; the policy file is expected to be \
# rewritten by the semodule call below - confirm \
touch %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \
install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \
install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
# local customisation files are shipped empty and ghosted by fileList \
touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/seusers \
touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/file_contexts.local \
touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/nodes.local \
touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/users_extra.local \
touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/users.local \
touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/file_contexts.homedirs.bin \
touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/file_contexts.bin \
cp %{SOURCE30} %{buildroot}%{_sysconfdir}/selinux/%1 \
# move the built .pp files from the share tree into the store, compressed \
bzip2 -c %{buildroot}/%{_usr}/share/selinux/%1/base.pp > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/base.pp \
rm -f %{buildroot}/%{_usr}/share/selinux/%1/base.pp \
for i in %{buildroot}/%{_usr}/share/selinux/%1/*.pp; do bzip2 -c $i > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules/`basename $i`; done \
rm -f %{buildroot}/%{_usr}/share/selinux/%1/*pp* \
touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/modules/sandbox.disabled \
# -n: build the kernel policy into the buildroot store without loading it \
/usr/sbin/semodule -s %1 -n -B -p %{buildroot}; \
# hash of the shipped policy, read by preInstall on the next upgrade \
/usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \
# NOTE(review): _sysconfigdir is not a macro this spec defines - the rest \
# of the file uses _sysconfdir - so this rm appears to be a no-op.  Do not \
# simply rename it: fileList packages policy.kern and preInstall hashes it. \
rm -f %{buildroot}/%{_sysconfigdir}/selinux/%1/modules/active/policy.kern
%nil

# fileList NAME
#   File manifest shared by the targeted, minimum and mls subpackages for
#   the store under the sysconfdir selinux/NAME tree.  Notes:
#   - modules/active is mode 700 root, so module sources and the compiled
#     policy are not readable by unprivileged users.
#   - the policy, the modules and the generated context files carry
#     verify-not-md5-size-mtime because semodule rewrites them on the
#     installed system; rpm -V therefore does not report changes to them
#     and must not be used as an integrity check for the loaded policy.
#   - the .local, .bin and seusers entries under modules/active are
#     ghosted: shipped empty and regenerated by semanage on the system.
#   - the duplicated dir attribute on modules/active is harmless.
#   Comments are kept out of the body because it expands inside files
#   sections.
%define fileList() \
%defattr(-,root,root) \
%dir %{_usr}/share/selinux/%1 \
%dir %{_sysconfdir}/selinux/%1 \
%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \
%dir %{_sysconfdir}/selinux/%1/logins \
%dir %{_sysconfdir}/selinux/%1/modules \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \
%dir %attr(700,root,root) %dir %{_sysconfdir}/selinux/%1/modules/active \
%dir %{_sysconfdir}/selinux/%1/modules/active/modules \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/policy.kern \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/commit_num \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/base.pp \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/file_contexts \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/file_contexts.homedirs \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/file_contexts.template \
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/seusers.final \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/netfilter_contexts \
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/users_extra \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/homedir_template \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/modules/*.pp \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/modules/sandbox.disabled \
%ghost %{_sysconfdir}/selinux/%1/modules/active/*.local \
%ghost %{_sysconfdir}/selinux/%1/modules/active/*.bin \
%ghost %{_sysconfdir}/selinux/%1/modules/active/seusers \
%dir %{_sysconfdir}/selinux/%1/policy/ \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \
%{_sysconfdir}/selinux/%1/.policy.sha512 \
%dir %{_sysconfdir}/selinux/%1/contexts \
%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/x_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/default_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \
%config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \
%config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \
%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \
%dir %{_sysconfdir}/selinux/%1/contexts/files \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
%ghost %{_sysconfdir}/selinux/%1/contexts/files/*.bin \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \
%{_sysconfdir}/selinux/%1/booleans.subs_dist \
%config %{_sysconfdir}/selinux/%1/contexts/files/media \
%dir %{_sysconfdir}/selinux/%1/contexts/users \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/root \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u

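# relabel NAME
#   Relabel helper run from postInstall on upgrade and from post minimum.
#   When SELinux is enabled, NAME is the active store and preInstall left a
#   file_contexts.pre copy, fixfiles -C relabels according to the
#   difference between the old and new file_contexts and the copy is
#   removed.  The paths most likely to be mislabeled after a policy
#   change, including the credential files in /etc, are then restored
#   unconditionally.  Both restorecon calls have their exit status
#   discarded on purpose so the scriptlet never fails here; the previous
#   version tested them with continue, which is a bash error outside a
#   loop and only added noise while running both commands anyway.
%define relabel() \
. %{_sysconfdir}/selinux/config; \
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
/usr/sbin/selinuxenabled; \
if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \
/sbin/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; \
rm -f ${FILE_CONTEXT}.pre; \
fi; \
/sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null || :; \
/sbin/restorecon -R /home/*/.cache /home/*/.config 2> /dev/null || :;
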
# preInstall NAME
#   pre scriptlet body for a policy subpackage; $1 is the rpm install
#   count, so the body only runs on upgrade and only when a config exists.
#   If NAME is the active store, the current file_contexts is saved as
#   file_contexts.pre so relabel can diff against it later.  The store is
#   then flagged with .rebuild; the flag is cleared again when the sha512
#   of the policy currently in the store matches the hash the previous
#   package recorded at build time - presumably meaning nothing was added
#   to the store locally, so postInstall can load the newly shipped policy
#   without rebuilding.  policy.kern is hashed here while installCmds
#   hashed policy.POLICYVER; the two are assumed to be identical - confirm.
#   NOTE(review): this is a change-detection shortcut, not tamper
#   evidence: the policy and the recorded hash live side by side in the
#   same root-owned store.
%define preInstall() \
if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \
. %{_sysconfdir}/selinux/config; \
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \
[ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
fi; \
touch /etc/selinux/%1/.rebuild; \
if [ -e /etc/selinux/%1/.policy.sha512 ]; then \
sha512=`sha512sum /etc/selinux/%1/modules/active/policy.kern | cut -d ' ' -f 1`; \
checksha512=`cat /etc/selinux/%1/.policy.sha512`; \
if [ "$sha512" == "$checksha512" ] ; then \
rm /etc/selinux/%1/.rebuild; \
fi; \
fi; \
fi;

# postInstall COUNT NAME
#   post scriptlet body for a policy subpackage; arg 1 is the rpm install
#   count, arg 2 the store name.  If preInstall left a .rebuild flag the
#   modules that no longer exist in this policy are deleted from the store
#   - likely because stale ones would break the rebuild, confirm - and the
#   kernel policy is rebuilt with semodule -B -n, i.e. written but not
#   loaded; otherwise the shipped policy is used as-is.  The policy is then
#   loaded only if NAME is the active store and SELinux is enabled, after
#   which a fresh install gets a small restorecon and an upgrade a relabel.
%define postInstall() \
. %{_sysconfdir}/selinux/config; \
if [ -e /etc/selinux/%2/.rebuild ]; then \
rm /etc/selinux/%2/.rebuild; \
# drop modules from earlier releases before relinking the store \
(cd /etc/selinux/%2/modules/active/modules; rm -f l2tpd.pp shutdown.pp amavis.pp clamav.pp gnomeclock.pp matahari.pp xfs.pp kudzu.pp kerneloops.pp execmem.pp openoffice.pp ada.pp tzdata.pp hal.pp hotplug.pp howl.pp java.pp mono.pp moilscanner.pp gamin.pp audio_entropy.pp audioentropy.pp iscsid.pp polkit_auth.pp polkit.pp rtkit_daemon.pp ModemManager.pp telepathysofiasip.pp ethereal.pp passanger.pp qpidd.pp pyzor.pp razor.pp pki-selinux.pp phpfpm.pp consoletype.pp ctdbd.pp fcoemon.pp isnsd.pp rgmanager.pp corosync.pp aisexec.pp pacemaker.pp ) \
/usr/sbin/semodule -B -n -s %2; \
else \
touch /etc/selinux/%2/modules/active/modules/sandbox.disabled \
fi; \
# only the active store is loaded into the running kernel \
[ "${SELINUXTYPE}" == "%2" ] && selinuxenabled && load_policy; \
if [ %1 -eq 1 ]; then \
/sbin/restorecon -R /root /var/log /run 2> /dev/null; \
else \
%relabel %2 \
fi;

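# modulesList NAME
#   Records which modules are configured as loadable - lines of the form
#   name = module - in modules-base.conf and, when present,
#   modules-contrib.conf, as modules-base.lst and modules-contrib.lst in
#   the share tree of store arg 1, one name.pp entry per module.  The
#   post minimum scriptlet reads these lists to decide what to disable.
#   The comment test is an awk regex: the previous version compared
#   field 1 against the string "/^#/", which as a dynamic regex never
#   matches, so a commented-out entry written as "#name = module" leaked
#   into the list.
%define modulesList() \
awk '$1 !~ /^#/ && $2 == "=" && $3 == "module" { printf "%%s.pp ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst \
if [ -e ./policy/modules-contrib.conf ];then \
awk '$1 !~ /^#/ && $2 == "=" && $3 == "module" { printf "%%s.pp ", $1 }' ./policy/modules-contrib.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst; \
fi;
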
# NOTE(review): this is a second description stanza for the main package;
# the first one sits above the base files list.  Whether rpm keeps the
# last one or rejects the duplicate cannot be seen here - merge them.
%description
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2.20091117

%build
# Nothing is built here: the policy is configured and built once per
# store in the install section, since the same tree is reconfigured for
# each policy type.

%prep
# Unpack the contrib tarball - Source29, hence -b 29 - apply its patch,
# then unpack the base refpolicy tree, apply the base patch and copy the
# contrib modules into policy/modules/contrib so they build as part of
# the reference policy.
%setup -n serefpolicy-contrib-%{version} -q -b 29
%patch1 -p1
contrib_path=`pwd`
%setup -n serefpolicy-%{version} -q
%patch0 -p1
refpolicy_path=`pwd`
cp $contrib_path/* $refpolicy_path/policy/modules/contrib

%install
# Stage every per-store configuration file - module lists, booleans,
# users, setrans, securetty_types and so on - in selinux_config so the
# macros above can refer to them by store name.  Source21 is then
# unpacked on top; its contents are not visible in this spec.
mkdir selinux_config
for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32};do
cp $i selinux_config
done
tar zxvf selinux_config/config.tgz
# Start from a clean buildroot
%{__rm} -fR %{buildroot}
mkdir -p %{buildroot}%{_sysconfdir}/selinux
mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
# Empty placeholders: both are ghosted in the base file list and the
# real config is written by the base post scriptlet on first install.
touch %{buildroot}%{_sysconfdir}/selinux/config
touch %{buildroot}%{_sysconfdir}/sysconfig/selinux
mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/
cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/

# Always create policy module package directories
mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,mls,minimum,modules}/

# Clean the tree before the per-store builds; devel files are installed
# after them from the targeted configuration.
make clean
%if %{BUILD_TARGETED}
# Build targeted policy: MCS, no DIRECT_INITRC, unknown permissions allowed.
# permissivedomains.pp is a prebuilt module dropped into the share tree so
# installCmds packs it into the store together with the built modules.
mkdir -p %{buildroot}%{_usr}/share/selinux/targeted
cp %{SOURCE28} %{buildroot}/%{_usr}/share/selinux/targeted
%makeCmds targeted mcs n allow
%makeModulesConf targeted base contrib
%installCmds targeted mcs n allow
%modulesList targeted
%endif

%if %{BUILD_MINIMUM}
# Build minimum policy.  It is the targeted policy with its own booleans
# and users: there is no modules-minimum conf - Source16 is commented out
# above - so the targeted module configuration is reused on purpose, and
# the post minimum scriptlet disables all contrib modules at install time.
mkdir -p %{buildroot}%{_usr}/share/selinux/minimum
cp %{SOURCE28} %{buildroot}/%{_usr}/share/selinux/minimum
%makeCmds minimum mcs n allow
%makeModulesConf targeted base contrib
%installCmds minimum mcs n allow
%modulesList minimum
%endif

%if %{BUILD_MLS}
# Build mls policy: MLS type, unknown permissions denied.
%makeCmds mls mls n deny
%makeModulesConf mls base contrib
%installCmds mls mls n deny
%modulesList mls
%endif

mkdir -p %{buildroot}%{_mandir}
cp -R man/* %{buildroot}%{_mandir}
# Documentation and development headers are generated from the targeted
# configuration only.
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-docs
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-headers
mkdir %{buildroot}%{_usr}/share/selinux/devel/
mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
install -m 644 selinux_config/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile
install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/
install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/
# policyhelp is a one-line script; the path it opens is hardcoded to the
# doc subpackage location and has no shebang line.
echo "xdg-open file:///usr/share/doc/selinux-policy-%{version}/html/index.html"> %{buildroot}%{_usr}/share/selinux/devel/policyhelp
chmod +x %{buildroot}%{_usr}/share/selinux/devel/policyhelp
# Generate per-domain man pages and their HTML from the policy installed
# in the buildroot.
/usr/bin/sepolicy manpage -a -p %{buildroot}/usr/share/man/man8/ -w -r %{buildroot}
mkdir %{buildroot}%{_usr}/share/selinux/devel/html
# sepolicy writes the HTML into a subdirectory of man8; compgen -d, a bash
# builtin, finds it.  This assumes exactly one subdirectory exists there.
htmldir=`compgen -d %{buildroot}%{_usr}/share/man/man8/`
mv ${htmldir}/* %{buildroot}%{_usr}/share/selinux/devel/html
rm -rf ${htmldir}
mkdir %{buildroot}%{_usr}/share/selinux/packages/

rm -rf selinux_config
%clean
%{__rm} -fR %{buildroot}

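%post
# Base package post scriptlet.
# No usable config yet: write the default one, enforcing with the
# targeted policy.  The file is ghosted and config-noreplace in the file
# list, so later upgrades never touch an existing config.
# Config present: move the legacy booleans.local and seusers files from
# the top of the active store into its modules/active directory.
if [ ! -s /etc/selinux/config ]; then
#
# New install so we will default to targeted policy
#
echo "
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

" > /etc/selinux/config

ln -sf ../selinux/config /etc/sysconfig/selinux
restorecon /etc/selinux/config 2> /dev/null || :
else
. /etc/selinux/config
# if first time update booleans.local needs to be copied to sandbox
# Both files belong to the store named by SELINUXTYPE.  The previous
# version moved booleans.local into the targeted store regardless of the
# active type, which misplaced it on minimum and mls systems.
[ -f /etc/selinux/${SELINUXTYPE}/booleans.local ] && mv /etc/selinux/${SELINUXTYPE}/booleans.local /etc/selinux/${SELINUXTYPE}/modules/active/
[ -f /etc/selinux/${SELINUXTYPE}/seusers ] && cp -f /etc/selinux/${SELINUXTYPE}/seusers /etc/selinux/${SELINUXTYPE}/modules/active/seusers
fi
exit 0
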
%postun
# Runs on erase only - $1 is 0 - never on upgrade.  With the base
# package gone no policy is left to load, so the running kernel is
# switched to permissive and SELINUX=disabled is recorded for the next
# boot.  This turns SELinux off system-wide without further prompting;
# the policy subpackages all require this package and go with it.
if [ $1 = 0 ]; then
setenforce 0 2> /dev/null
if [ ! -s /etc/selinux/config ]; then
echo "SELINUX=disabled" > /etc/selinux/config
else
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
fi
fi
exit 0

%if %{BUILD_TARGETED}
%package targeted
Summary: SELinux targeted base policy
Provides: selinux-policy-base = %{version}-%{release}
Group: System Environment/Base
Obsoletes: selinux-policy-targeted-sources < 2
# The pre and post scriptlets need sha512sum from coreutils and semodule,
# load_policy and restorecon from policycoreutils.
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
Requires: selinux-policy = %{version}-%{release}
# Presumably packages whose separate policy modules clash with modules
# now shipped as part of this policy - confirm before pruning.
Conflicts: audispd-plugins <= 1.7.7-1
Obsoletes: mod_fcgid-selinux <= %{version}-%{release}
Obsoletes: cachefilesd-selinux <= 0.10-1
Conflicts: seedit
Conflicts: 389-ds-base < 1.2.7, 389-admin < 1.1.12
Conflicts: pki-selinux < 10-0.0-0.45.b1

%description targeted
SELinux Reference policy targeted base module.

%pre targeted
%preInstall targeted

%post targeted
%postInstall $1 targeted
exit 0

# NOTE(review): the version guard below is a Fedora release string carried
# over from the upstream spec; with mkrel-style releases it would fire on
# upgrades from earlier 3.12.1 builds as well - confirm that is intended.
%triggerpostun targeted -- selinux-policy-targeted < 3.12.1-7.fc19
restorecon -R -p /home
exit 0

%files targeted
%defattr(-,root,root,-)
# unconfined_u exists only in targeted and minimum; the shared manifest
# comes from fileList.
%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u
%fileList targeted
%{_usr}/share/selinux/targeted/modules-base.lst
%{_usr}/share/selinux/targeted/modules-contrib.lst
%endif

%if %{BUILD_MINIMUM}
%package minimum
Summary: SELinux minimum base policy
Provides: selinux-policy-base = %{version}-%{release}
Group: System Environment/Base
# The post scriptlet calls semanage.
Requires(post): policycoreutils-python >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
Requires: selinux-policy = %{version}-%{release}
Conflicts: seedit

%description minimum
SELinux Reference policy minimum base module.

%pre minimum
%preInstall minimum
# On upgrade, record which modules are currently enabled in the store so
# the post scriptlet can re-enable exactly those after the new module set
# has been installed.
if [ $1 -ne 1 ]; then
/usr/sbin/semodule -s minimum -l 2>/dev/null | awk '{ if ($3 != "Disabled") print $1; }' > /usr/share/selinux/minimum/instmodules.lst
fi

%post minimum
# minimum is the targeted policy with every contrib module disabled except
# a fixed allow list.  A .disabled marker next to a module in the store is
# the disable mechanism of the semodule version required above.
contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst`
basepackages=`cat /usr/share/selinux/minimum/modules-base.lst`
if [ $1 -eq 1 ]; then
for p in $contribpackages; do
touch /etc/selinux/minimum/modules/active/modules/$p.disabled
done
for p in $basepackages apache.pp dbus.pp inetd.pp kerberos.pp mta.pp nis.pp; do
rm -f /etc/selinux/minimum/modules/active/modules/$p.disabled
done
# Fresh install: map root and every otherwise unmapped login to
# unconfined_u, so user sessions are unconfined and only the services in
# the enabled modules are confined.  A deployment that expects confined
# users has to change these mappings afterwards.
/usr/sbin/semanage -S minimum -i - << __eof
login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
login -m -s unconfined_u -r s0-s0:c0.c1023 root
__eof
/sbin/restorecon -R /root /var/log /var/run 2> /dev/null
/usr/sbin/semodule -B -s minimum
else
# Upgrade: re-enable what the pre scriptlet recorded.  Entries from the
# modules lists carry a .pp suffix, the names from semodule -l do not,
# hence the different marker file names in the two branches.
instpackages=`cat /usr/share/selinux/minimum/instmodules.lst`
for p in $contribpackages; do
touch /etc/selinux/minimum/modules/active/modules/$p.disabled
done
for p in $instpackages apache dbus inetd kerberos mta nis; do
rm -f /etc/selinux/minimum/modules/active/modules/$p.pp.disabled
done
/usr/sbin/semodule -B -s minimum
%relabel minimum
fi
exit 0

%files minimum
%defattr(-,root,root,-)
%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u
%fileList minimum
# Read by the post scriptlet above to decide which mod
ules to disable.
%{_usr}/share/selinux/minimum/modules-base.lst
%{_usr}/share/selinux/minimum/modules-contrib.lst
%endif

%if %{BUILD_MLS}
%package mls
Summary: SELinux mls base policy
Group: System Environment/Base
Provides: selinux-policy-base = %{version}-%{release}
Obsoletes: selinux-policy-mls-sources < 2
# newrole and the setrans daemon are pulled in for MLS label handling on
# the installed system - confirm against the policy this build produces.
Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
Requires: selinux-policy = %{version}-%{release}
Conflicts: seedit

%description mls
SELinux Reference policy mls base module.

%pre mls
%preInstall mls

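%post mls
%postInstall $1 mls
# The targeted and minimum post scriptlets end with exit 0; this one did
# not, so its status was whatever the last relabel or restorecon command
# returned.  Make it explicit so a harmless relabel failure is not
# reported as a scriptlet failure.
exit 0
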
%files mls
%defattr(-,root,root,-)
# Same layout as the targeted and minimum subpackages; the shared
# manifest comes from fileList.
%config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u
%fileList mls
%{_usr}/share/selinux/mls/modules-base.lst
%{_usr}/share/selinux/mls/modules-contrib.lst
%endif