commit selinux-policy for openSUSE:Factory
Hello community, here is the log from the commit of package selinux-policy for openSUSE:Factory checked in at 2017-03-31 15:08:32 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/selinux-policy (Old) and /work/SRC/openSUSE:Factory/.selinux-policy.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "selinux-policy" Fri Mar 31 15:08:32 2017 rev:28 rq:482447 version:20140730 Changes: -------- --- /work/SRC/openSUSE:Factory/selinux-policy/selinux-policy.changes 2015-08-27 08:57:15.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.selinux-policy.new/selinux-policy.changes 2017-03-31 15:08:35.455989842 +0200 
@@ -1,0 +2,39 @@ +Wed Mar 15 21:50:32 UTC 2017 - mwilck@suse.com + +- POLCYVER depends both on the libsemanage/policycoreutils version + and the kernel. The former is more important for us, kernel seems + to have all necessary features in Leap 42.1 already. + +- Replaced = runtime dependencies on checkpolicy/policycoreutils + with "=". 2.5 policy is not supposed to work with 2.3 tools, + The runtime policy tools need to be same the policy was built with. + +------------------------------------------------------------------- +Wed Mar 15 15:16:20 UTC 2017 - mwilck@suse.com + +- Changes required by policycoreutils update to 2.5 + * lots of spec file content needs to be conditional on + policycoreutils version. + +- Specific policycoreutils 2.5 related changes: + * modules moved from /etc/selinux to /var/lib/selinux + (https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration) + * module path now includes includes priority. Users override default + policies by setting higher priority. Thus installed policy modules can be + fully verified by RPM. + * Installed modules have a different format and path. + Raw bzip2 doesn't suffice to create them any more, but we can process them + all in a single semodule -i command. + +- Policy version depends on kernel / distro version + * do not touch policy.<version>, rather fail if it's not created + +- Enabled building mls policy for Leap (not for SLES) + +- Other + * Bug: "sandbox.disabled" should be "sandbox.pp.disabled" for old policycoreutils + * Bug: (minimum) additional modules that need to be activated: postfix + (required by apache), plymouthd (required by getty) + * Cleanup: /etc -> %{sysconfdir} etc. 
+ +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ selinux-policy.spec ++++++ --- /var/tmp/diff_new_pack.MOokgA/_old 2017-03-31 15:08:38.511557851 +0200 +++ /var/tmp/diff_new_pack.MOokgA/_new 2017-03-31 15:08:38.515557285 +0200 @@ -1,7 +1,7 @@ # # spec file for package selinux-policy # -# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -25,14 +25,100 @@ %define BUILD_DOC 1 %define BUILD_TARGETED 1 %define BUILD_MINIMUM 1 -%if 0%{suse_version} == 1315 +%if 0%{suse_version} == 1315 && 0%{is_opensuse} == 0 %define BUILD_MLS 0 %else %define BUILD_MLS 1 %endif + +%if 0%{?suse_version} >= 1330 || ( 0%{?suse_version} == 1315 && 0%{?sle_version} >= 120200 ) +%else +%endif + +%define POLICYCOREUTILSVER %(rpm -q --qf %%{version} policycoreutils) +%define CHECKPOLICYVER %POLICYCOREUTILSVER + +%define coreutils_ge() %{lua: if (rpm.vercmp(rpm.expand("%POLICYCOREUTILSVER"), rpm.expand("%1")) >= 0) then print "1" else print "0" end } + +# conditional stuff depending on policycoreutils version +# See https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration +%if %{coreutils_ge 2.5} + +# Policy version, see https://selinuxproject.org/page/NB_PolicyType#Policy_Versions +# It depends on the kernel, but apparently more so on the libsemanage version. +%define POLICYVER 30 + +# macros calling module_store have to be defined using global, not define, and +# "lazy" evaluation +%global module_store() %{_localstatedir}/lib/selinux/%%{1} +%global policy_prio 100 +%global module_dir active/modules/%{policy_prio} +%global module_disabled() %{module_store %%{1}}/active/modules/disabled/%%{2} + +%global install_pp() \ + (cd %{buildroot}/%{_usr}/share/selinux/%1/ \ + /usr/sbin/semodule -s %%{1} -X %{policy_prio} -n -p %{buildroot} -i *.pp \ + rm -f *pp*); + +# FixMe 170315: None of these exist any more. Are they necessary? 
+%global files_base_pp() %nil +%global touch_file_contexts() touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local +%global files_file_contexts() %nil +%global mkdir_other() \ + %{__mkdir} -p %{buildroot}%{module_store %%1}/active/modules/disabled +%global files_other() \ + %dir %{module_store %%1}/active/modules \ + %dir %{module_store %%1}/active/modules/disabled \ + %{module_disabled %%1 sandbox} +%global files_dot_bin() %nil +%global rm_selinux_mod() rm -rf %%1 + +%else +# Policy version, see https://selinuxproject.org/page/NB_PolicyType#Policy_Versions +# It depends on the kernel, but apparently more so on the libsemanage version. %define POLICYVER 29 -%define POLICYCOREUTILSVER 2.3 -%define CHECKPOLICYVER 2.3 + +%global module_store() %{_sysconfdir}/selinux/%%{1}/modules +%global module_dir active/modules +%global module_disabled() %{module_store %%{1}}/active/modules/%%{2}.pp.disabled + +# FixMe 170315: Why is bzip2 used here rather than semodule -i? +%global install_pp() \ + (cd %{buildroot}/%{_usr}/share/selinux/%%1/ \ + bzip2 -c base.pp > %{buildroot}/%{_sysconfdir}/selinux/%%1/modules/active/base.pp \ + rm -f base.pp \ + for i in *.pp; do \ + bzip2 -c $i > %{buildroot}/%{_sysconfdir}/selinux/%%1/modules/active/modules/$i \ + done \ + rm -f *pp* ); + +# FixMe 170315: +# Why is base.pp installed in a different path than other modules? +# Requirement of policycoreutils 2.3 ?? +%global files_base_pp() %verify(not md5 size mtime) %{module_store %%{1}}/active/base.pp + +# FixMe 170315: do we really need these? +%global touch_file_contexts() \ + touch %{buildroot}%{_sysconfdir}/selinux/%%1/modules/active/file_contexts.local \ + touch %{buildroot}%{_sysconfdir}/selinux/%%1/modules/active/file_contexts.homedirs.bin \ + touch %{buildroot}%{_sysconfdir}/selinux/%%1/modules/active/file_contexts.bin; + +%global mkdir_other() %nil + +# FixMe 170315: do we really need these? 
+%global files_file_contexts() \ + %verify(not md5 size mtime) %{_sysconfdir}/selinux/%%1/modules/active/file_contexts.homedirs \ + %verify(not md5 size mtime) %{_sysconfdir}/selinux/%%1/modules/active/file_contexts.template + +# FixMe 170315: do we really need these? +%global files_other() \ + %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%%1/modules/active/seusers.final \ + %verify(not md5 size mtime) %{_sysconfdir}/selinux/%%1/modules/active/netfilter_contexts + +%global files_dot_bin() %ghost %{module_store %%{1}}/active/*.bin +%global rm_selinux_mod() rm -f %%{1}.pp + +%endif Summary: SELinux policy configuration License: GPL-2.0+ @@ -121,12 +207,12 @@ BuildRequires: %fillup_prereq BuildRequires: %insserv_prereq BuildRequires: bzip2 -BuildRequires: checkpolicy >= %{CHECKPOLICYVER} +BuildRequires: checkpolicy BuildRequires: gawk BuildRequires: libxml2-tools BuildRequires: m4 -BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER} -BuildRequires: policycoreutils-python >= %{POLICYCOREUTILSVER} +BuildRequires: policycoreutils +BuildRequires: policycoreutils-python BuildRequires: python BuildRequires: python-xml #BuildRequires: selinux-policy-devel 
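Review bot: `%define POLICYCOREUTILSVER %(rpm -q --qf %%{version} policycoreutils)` takes its value from whatever happens to be installed on the host at spec-parse time, and the `%if 0%{?suse_version} >= 1330 || ( ... ) %else %endif` a few lines above it has no body in either branch. If policycoreutils is absent when the spec is parsed (the `BuildRequires` hunk `@@ -121` in this diff drops the version constraint, and parsing happens before build dependencies are pulled in), `rpm -q` prints its "is not installed" message on stdout, and that string becomes the argument to `rpm.vercmp` in `coreutils_ge` and, through the `= %{POLICYCOREUTILSVER}` requires added in hunks `@@ -535` and `@@ -596`, a literal dependency in the built packages. A guarded form such as `%(rpm -q --qf %%{version} policycoreutils 2>/dev/null | grep -v 'not installed' || echo 0)` keeps the macro numeric, and an `%{error:policycoreutils not installed}` when it is `0` would make the situation fail loudly instead of silently selecting the pre-2.5 branch. Because it is a `%define`, the shell command is also re-run on every expansion of the macro; `%global` would evaluate it once, matching the other macros in this hunk. The empty conditional is presumably a leftover and should get its intended body or go.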
@@ -139,14 +225,14 @@ # for audit2allow Recommends: policycoreutils-python -%define makeCmds() \ -make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \ -make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 conf \ +%global makeCmds() \ +make SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \ +make SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 conf \ cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \ cp -f selinux_config/users-%1 ./policy/users \ #cp -f selinux_config/modules-%1-base.conf ./policy/modules.conf \ -%define makeModulesConf() \ +%global makeModulesConf() \ cp -f selinux_config/modules-%1-%2.conf ./policy/modules-base.conf \ cp -f selinux_config/modules-%1-%2.conf ./policy/modules.conf \ if [ "%3" = "contrib" ];then \ 
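Review bot: The `SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024` argument list is now repeated verbatim in both `make` lines of `makeCmds`, four more times in `installCmds` (hunk `@@ -154`) and twice in the devel `install-docs`/`install-headers` lines (hunk `@@ -422`); this commit had to touch all eight just to add `SYSTEMD=y`. A shared macro, `%global makeArgs() SYSTEMD=y UNK_PERMS=%%4 NAME=%%1 TYPE=%%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024`, used as `make %{makeArgs %1 %2 %3 %4} bare`, would give the invocations one place to change and follows the `%%N` deferral style the rest of the commit adopts. `makeModulesConf` continues past the end of the hunk.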
@@ -154,71 +240,63 @@ cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \ fi; \ -%define installCmds() \ -make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" base.pp \ -make validate UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" modules \ -make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \ -make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install-appconfig \ +%global installCmds() \ +make SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" base.pp \ +make validate SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 SEMOD_EXP="/usr/bin/semodule_expand -a" modules \ +make SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \ +make SYSTEMD=y UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install-appconfig \ %{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/logins \ %{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/policy \ -%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules \ +%{__mkdir} -p %{buildroot}/%{module_store %%{1}}/%{module_dir} \ %{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/contexts/files \ -touch %{buildroot}/%{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \ -touch 
%{buildroot}/%{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \ +%{mkdir_other %%1} \ +touch %{buildroot}/%{module_store %%{1}}/semanage.read.LOCK \ +touch %{buildroot}/%{module_store %%{1}}/semanage.trans.LOCK \ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/booleans \ -touch %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ +%{touch_file_contexts %%1} \ install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \ install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \ install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \ install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \ -touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/seusers \ -touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/file_contexts.local \ -touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/nodes.local \ -touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/users_extra.local \ -touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/users.local \ -touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/file_contexts.homedirs.bin \ -touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/file_contexts.bin \ +touch %{buildroot}%{module_store %%{1}}/active/seusers \ +touch %{buildroot}%{module_store %%{1}}/active/nodes.local \ +touch %{buildroot}%{module_store %%{1}}/active/users_extra.local \ +touch %{buildroot}%{module_store %%{1}}/active/users.local \ cp %{SOURCE23} %{buildroot}%{_sysconfdir}/selinux/%1 \ -bzip2 -c %{buildroot}/%{_usr}/share/selinux/%1/base.pp > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/base.pp \ -rm -f %{buildroot}/%{_usr}/share/selinux/%1/base.pp \ -for i in %{buildroot}/%{_usr}/share/selinux/%1/*.pp; do bzip2 -c $i > 
%{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules/`basename $i`; done \ -rm -f %{buildroot}/%{_usr}/share/selinux/%1/*pp* \ -touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/modules/sandbox.disabled \ -/usr/sbin/semodule -s %1 -n -B -p %{buildroot}; \ +%install_pp %%1 \ +touch %{buildroot}%{module_disabled %%1 sandbox} \ +/usr/sbin/semodule -s %%1 -n -B -p %{buildroot}; \ /usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \ rm -f %{buildroot}/%{_sysconfigdir}/selinux/%1/modules/active/policy.kern \ -ln -sf /etc/selinux/%1/policy/policy.%{POLICYVER} %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \ +ln -sf %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} %{buildroot}%{module_store %%{1}}/active/policy.kern \ %nil -%define fileList() \ +%global fileList() \ %defattr(-,root,root) \ %dir %{_usr}/share/selinux/%1 \ %dir %{_sysconfdir}/selinux/%1 \ %config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \ %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \ %dir %{_sysconfdir}/selinux/%1/logins \ -%dir %{_sysconfdir}/selinux/%1/modules \ -%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \ -%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \ -%dir %attr(700,root,root) %dir %{_sysconfdir}/selinux/%1/modules/active \ -%dir %{_sysconfdir}/selinux/%1/modules/active/modules \ -%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/policy.kern \ -%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/commit_num \ -%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/base.pp \ -%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/file_contexts \ -%verify(not md5 size mtime) 
%{_sysconfdir}/selinux/%1/modules/active/file_contexts.homedirs \ -%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/file_contexts.template \ -%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/seusers.final \ -%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/netfilter_contexts \ -%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/users_extra \ -%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/homedir_template \ -%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/modules/*.pp \ -%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/modules/sandbox.disabled \ -%ghost %{_sysconfdir}/selinux/%1/modules/active/*.local \ -%ghost %{_sysconfdir}/selinux/%1/modules/active/*.bin \ -%ghost %{_sysconfdir}/selinux/%1/modules/active/seusers \ +%dir %{module_store %%{1}} \ +%verify(not md5 size mtime) %{module_store %%{1}}/semanage.read.LOCK \ +%verify(not md5 size mtime) %{module_store %%{1}}/semanage.trans.LOCK \ +%dir %attr(700,root,root) %dir %{module_store %%{1}}/active \ +%dir %{module_store %%{1}}/%{module_dir} \ +%verify(not md5 size mtime) %{module_store %%{1}}/active/policy.kern \ +%verify(not md5 size mtime) %{module_store %%{1}}/active/commit_num \ +%{files_base_pp %%1} \ +%verify(not md5 size mtime) %{module_store %%{1}}/active/file_contexts \ +%{files_file_contexts %%1} \ +%{files_other %%1} \ +%config(noreplace) %verify(not md5 size mtime) %{module_store %%{1}}/active/users_extra \ +%verify(not md5 size mtime) %{module_store %%{1}}/active/homedir_template \ +%{module_store %%{1}}/%{module_dir}/* \ +%ghost %{module_store %%{1}}/active/*.local \ +%{files_dot_bin %%1} \ +%ghost %{module_store %%{1}}/active/seusers \ %dir %{_sysconfdir}/selinux/%1/policy/ \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \ %{_sysconfdir}/selinux/%1/.policy.sha512 \ 
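Review bot: In `installCmds` the line `rm -f %{buildroot}/%{_sysconfigdir}/selinux/%1/modules/active/policy.kern \` was left untouched while the `ln -sf` directly below it was moved to `%{module_store %%{1}}/active/policy.kern`; it still addresses the old `modules/active` path and spells the macro `_sysconfigdir`, which rpm does not define, so the removal is a silent no-op on both branches and the link is created on top of whatever the install step left there. The replacement is `rm -f %{buildroot}%{module_store %%{1}}/active/policy.kern \`. Also, with the `touch ...policy.%{POLICYVER}` removed, `/usr/bin/sha512sum ... | cut -d' ' -f 1 > .../.policy.sha512` writes an empty checksum file when the policy was not built, because the pipeline's status is `cut`'s; a `test -f %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} || exit 1 \` ahead of it surfaces the failure the changelog asks for at the point it happens rather than at `%files`. `fileList` continues past the end of the hunk.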
@@ -258,35 +336,35 @@ /sbin/fixfiles -C ${FILE_CONTEXT}.pre restore 2> /dev/null; \ rm -f ${FILE_CONTEXT}.pre; \ fi; \ - /sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \ + /sbin/restorecon -e /run/media -R /root /var/log /var/run %{_sysconfdir}/passwd* %{_sysconfdir}/group* %{_sysconfdir}/*shadow* 2> /dev/null; \ /sbin/restorecon -R /home/*/.cache /home/*/.config 2> /dev/null || true; \ fi; -%define preInstall() \ -if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \ +%global preInstall() \ +if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \ . %{_sysconfdir}/selinux/config; \ - FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ - if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \ + FILE_CONTEXT=%{_sysconfdir}/selinux/%%1/contexts/files/file_contexts; \ + if [ "${SELINUXTYPE}" = %%1 -a -f ${FILE_CONTEXT} ]; then \ [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \ fi; \ - touch /etc/selinux/%1/.rebuild; \ - if [ -e /etc/selinux/%1/.policy.sha512 ]; then \ - sha512=`sha512sum /etc/selinux/%1/modules/active/policy.kern | cut -d ' ' -f 1`; \ - checksha512=`cat /etc/selinux/%1/.policy.sha512`; \ + touch %{_sysconfdir}/selinux/%%1/.rebuild; \ + if [ -e %{_sysconfdir}/selinux/%%1/.policy.sha512 ]; then \ + sha512=`sha512sum %{module_store %%{1}}/active/policy.kern | cut -d ' ' -f 1`; \ + checksha512=`cat %{_sysconfdir}/selinux/%%1/.policy.sha512`; \ if [ "$sha512" = "$checksha512" ] ; then \ - rm /etc/selinux/%1/.rebuild; \ + rm %{_sysconfdir}/selinux/%%1/.rebuild; \ fi; \ fi; \ fi; -%define postInstall() \ +%global postInstall() \ . 
%{_sysconfdir}/selinux/config; \ -if [ -e /etc/selinux/%2/.rebuild ]; then \ - rm /etc/selinux/%2/.rebuild; \ - (cd /etc/selinux/%2/modules/active/modules; rm -f shutdown.pp amavis.pp clamav.pp gnomeclock.pp matahari.pp xfs.pp kudzu.pp kerneloops.pp execmem.pp openoffice.pp ada.pp tzdata.pp hal.pp hotplug.pp howl.pp java.pp mono.pp moilscanner.pp gamin.pp audio_entropy.pp audioentropy.pp iscsid.pp polkit_auth.pp polkit.pp rtkit_daemon.pp ModemManager.pp telepathysofiasip.pp ethereal.pp passanger.pp qpidd.pp pyzor.pp razor.pp pki-selinux.pp phpfpm.pp consoletype.pp ctdbd.pp fcoemon.pp isnsd.pp l2tp.pp rgmanager.pp corosync.pp aisexec.pp pacemaker.pp ) \ - /usr/sbin/semodule -B -n -s %2; \ +if [ -e %{_sysconfdir}/selinux/%%2/.rebuild ]; then \ + rm %{_sysconfdir}/selinux/%%2/.rebuild; \ + (cd %{module_store %%2}/%{module_dir}; for _mod in shutdown amavis clamav gnomeclock matahari xfs kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd pyzor razor pki-selinux phpfpm consoletype ctdbd fcoemon isnsd l2tp rgmanager corosync aisexec pacemaker; do %{rm_selinux_mod ${_mod}}; done ) \ + /usr/sbin/semodule -B -n -s %%2; \ else \ - touch /etc/selinux/%2/modules/active/modules/sandbox.disabled \ + touch %{module_disabled %%2 sandbox} \ fi; \ if [ "${SELINUXTYPE}" = "%2" ]; then \ if selinuxenabled; then \ 
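Review bot: In `postInstall` the cleanup `(cd %{module_store %%2}/%{module_dir}; for _mod in shutdown amavis ...; do %{rm_selinux_mod ${_mod}}; done )` does not check the `cd`, and on the 2.5 branch `rm_selinux_mod` expands to `rm -rf <name>` on bare relative names; if the store directory is missing (a not-yet-migrated store, or a wrong `module_dir`), the loop runs wherever the scriptlet is executing — `/` for rpm scriptlets, as far as I know — and removes `java`, `mono`, `xfs`, … relative to that. The previous code had the same shape but only ever did `rm -f foo.pp`, which cannot recurse; `(cd %{module_store %%2}/%{module_dir} && for _mod in ...; do %{rm_selinux_mod ${_mod}}; done )` keeps the removals inside the store. `postInstall` continues past the end of the hunk.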
@@ -308,9 +386,9 @@ fi; %define modulesList() \ -awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst \ +awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst \ if [ -e ./policy/modules-contrib.conf ];then \ - awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp ", $1 }' ./policy/modules-contrib.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst; \ + awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst; \ fi; %files @@ -422,8 +500,8 @@ # Install devel mkdir -p %{buildroot}%{_mandir} cp -R man/* %{buildroot}%{_mandir} -make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-docs -make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-headers +make SYSTEMD=y UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-docs +make SYSTEMD=y UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} MLS_CATS=1024 MCS_CATS=1024 install-headers mkdir %{buildroot}%{_usr}/share/selinux/devel/ mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include chmod +x %{buildroot}%{_usr}/share/selinux/devel/include/support/segenxml.py 
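Review bot: Both rewritten `awk` filters in `modulesList` keep `$1 !~ "/^#/"`, which matches the first field against the regular expression `/^#/` — a literal slash, then an anchor that cannot match mid-pattern — so the comment test never fires and commented-out entries are only filtered by the `$2 == "=" && $3 == "module"` test after it. Since the lines are being rewritten anyway to drop the `.pp` suffix, this is the moment to change it to `$1 !~ /^#/` (or `$1 !~ "^#"`), which rejects a first field such as `#apache`. `modulesList` is also the one macro in this diff still defined with `%define` while its siblings were switched to `%global`.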
@@ -440,23 +518,23 @@ %post %{fillup_only} -if [ ! -s /etc/selinux/config ]; then +if [ ! -s %{_sysconfdir}/selinux/config ]; then # new install - ln -sf /etc/sysconfig/selinux-policy /etc/selinux/config - restorecon /etc/selinux/config 2> /dev/null || : + ln -sf %{_sysconfdir}/sysconfig/selinux-policy %{_sysconfdir}/selinux/config + restorecon %{_sysconfdir}/selinux/config 2> /dev/null || : else - . /etc/sysconfig/selinux-policy + . %{_sysconfdir}/sysconfig/selinux-policy # if first time update booleans.local needs to be copied to sandbox - [ -f /etc/selinux/${SELINUXTYPE}/booleans.local ] && mv /etc/selinux/${SELINUXTYPE}/booleans.local /etc/selinux/targeted/modules/active/ - [ -f /etc/selinux/${SELINUXTYPE}/seusers ] && cp -f /etc/selinux/${SELINUXTYPE}/seusers /etc/selinux/${SELINUXTYPE}/modules/active/seusers + [ -f %{_sysconfdir}/selinux/${SELINUXTYPE}/booleans.local ] && mv %{_sysconfdir}/selinux/${SELINUXTYPE}/booleans.local %{module_store targeted}/active/ + [ -f %{_sysconfdir}/selinux/${SELINUXTYPE}/seusers ] && cp -f %{_sysconfdir}/selinux/${SELINUXTYPE}/seusers %{module_store ${SELINUXTYPE}}/active/seusers fi exit 0 %postun if [ $1 = 0 ]; then setenforce 0 2> /dev/null - if [ -s /etc/selinux/config ]; then - sed -i --follow-symlinks 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config + if [ -s %{_sysconfdir}/selinux/config ]; then + sed -i --follow-symlinks 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config fi fi exit 0 @@ -524,7 +602,6 @@ %files targeted %defattr(-,root,root,-) -%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u %fileList targeted %{_usr}/share/selinux/targeted/modules-base.lst %{_usr}/share/selinux/targeted/modules-contrib.lst 
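Review bot: In `%post`, `[ -f %{_sysconfdir}/selinux/${SELINUXTYPE}/booleans.local ] && mv ... %{module_store targeted}/active/` still hard-codes `targeted` as the destination although the source path and the `seusers` line directly below are keyed on `${SELINUXTYPE}`; when the configured type is `minimum` or `mls`, the user's boolean overrides end up in another policy's store and presumably stop being applied. The old line had the same literal, but this commit rewrote the destination and switched the neighbouring line to `%{module_store ${SELINUXTYPE}}`, so `%{module_store ${SELINUXTYPE}}/active/` here would make the pair consistent.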
@@ -535,7 +612,7 @@ Summary: SELinux minimum base policy Group: System/Management Provides: selinux-policy-base = %{version}-%{release} -Requires(post): policycoreutils-python >= %{POLICYCOREUTILSVER} +Requires(post): policycoreutils-python = %{POLICYCOREUTILSVER} Requires(pre): coreutils Requires(pre): selinux-policy = %{version}-%{release} Requires: selinux-policy = %{version}-%{release} @@ -555,12 +632,12 @@ basepackages=`cat /usr/share/selinux/minimum/modules-base.lst` if [ $1 -eq 1 ]; then for p in $contribpackages; do - touch /etc/selinux/minimum/modules/active/modules/$p.disabled + touch %{module_disabled minimum $p} done # this is temporarily needed to make minimum policy work without errors. Will be included # into the proper places later on -for p in $basepackages apache.pp dbus.pp inetd.pp kerberos.pp mta.pp nis.pp nscd.pp cron.pp; do - rm -f /etc/selinux/minimum/modules/active/modules/$p.disabled +for p in $basepackages plymouthd postfix apache dbus inetd kerberos mta nis nscd cron; do + rm -f %{module_disabled minimum $p} done # those are default anyway # /usr/sbin/semanage -S minimum -i - << __eof @@ -572,10 +649,10 @@ else instpackages=`cat /usr/share/selinux/minimum/instmodules.lst` for p in $contribpackages; do - touch /etc/selinux/minimum/modules/active/modules/$p.disabled + touch %{module_disabled minimum $p} done for p in $instpackages apache dbus inetd kerberos mta nis; do - rm -f /etc/selinux/minimum/modules/active/modules/$p.pp.disabled + rm -f %{module_disabled minimum $p} done /usr/sbin/semodule -B -s minimum %relabel minimum @@ -584,7 +661,6 @@ %files minimum %defattr(-,root,root,-) -%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u %fileList minimum %{_usr}/share/selinux/minimum/modules-base.lst %{_usr}/share/selinux/minimum/modules-contrib.lst 
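Review bot: The fresh-install branch of the `minimum` `%post` now re-enables `plymouthd postfix apache dbus inetd kerberos mta nis nscd cron` (hunk `@@ -555`), but the upgrade branch in hunk `@@ -572` still re-enables only `apache dbus inetd kerberos mta nis`; the changelog says `postfix` and `plymouthd` are needed by apache and getty, so a system upgrading to this package keeps them disabled unless they already appear in `instmodules.lst`, and `nscd`/`cron` differ between the branches as well. Keeping the list in one place, e.g. `%global minimum_extra_mods plymouthd postfix apache dbus inetd kerberos mta nis nscd cron` used in both `for` loops, removes the asymmetry. The `%post` scriptlet starts before and ends after the hunks shown.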
@@ -596,9 +672,9 @@ Group: System/Management Provides: selinux-policy-base = %{version}-%{release} Obsoletes: selinux-policy-mls-sources < 2 -Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} +Requires: policycoreutils-newrole = %{POLICYCOREUTILSVER} Requires: setransd -Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} +Requires(pre): policycoreutils = %{POLICYCOREUTILSVER} Requires(pre): coreutils Requires(pre): selinux-policy = %{version}-%{release} Requires: selinux-policy = %{version}-%{release}