1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
|
# Copyright 1999-2012 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/eclass/selinux-policy-2.eclass,v 1.14 2012/09/08 18:36:12 swift Exp $
# Eclass for installing SELinux policy, and optionally
# reloading the reference-policy based modules.
# @ECLASS: selinux-policy-2.eclass
# @MAINTAINER:
# selinux@gentoo.org
# @BLURB: This eclass supports the deployment of the various SELinux modules in sec-policy
# @DESCRIPTION:
# The selinux-policy-2.eclass supports deployment of the various SELinux modules
# defined in the sec-policy category. It is responsible for extracting the
# specific bits necessary for single-module deployment (instead of full-blown
# policy rebuilds) and applying the necessary patches.
#
# Also, it supports for bundling patches to make the whole thing just a bit more
# manageable.
# @ECLASS-VARIABLE: MODS
# @DESCRIPTION:
# This variable contains the (upstream) module name for the SELinux module.
# This name is only the module name, not the category!
: ${MODS:="_illegal"}
# @ECLASS-VARIABLE: BASEPOL
# @DESCRIPTION:
# This variable contains the version string of the selinux-base-policy package
# that this module build depends on. It is used to patch with the appropriate
# patch bundle(s) that are part of selinux-base-policy.
: ${BASEPOL:=""}
# @ECLASS-VARIABLE: POLICY_PATCH
# @DESCRIPTION:
# This variable contains the additional patch(es) that need to be applied on top
# of the patchset already contained within the BASEPOL variable. The variable
# can be both a simple string (space-separated) or a bash array.
: ${POLICY_PATCH:=""}
# @ECLASS-VARIABLE: POLICY_FILES
# @DESCRIPTION:
# When defined, this contains the files (located in the ebuilds' files/
# directory) which should be copied as policy module files into the store.
# Generally, users would want to include at least a .te and .fc file, but .if
# files are supported as well. The variable can be both a simple string
# (space-separated) or a bash array.
: ${POLICY_FILES:=""}
# @ECLASS-VARIABLE: POLICY_TYPES
# @DESCRIPTION:
# This variable informs the eclass for which SELinux policies the module should
# be built. Currently, Gentoo supports targeted, strict, mcs and mls.
# This variable is the same POLICY_TYPES variable that we tell SELinux
# users to set in /etc/make.conf. Therefor, it is not the module that should
# override it, but the user.
: ${POLICY_TYPES:="targeted strict mcs mls"}
extra_eclass=""
case ${BASEPOL} in
9999) extra_eclass="git-2";
EGIT_REPO_URI="git://git.overlays.gentoo.org/proj/hardened-refpolicy.git";
EGIT_SOURCEDIR="${WORKDIR}/refpolicy";;
esac
inherit eutils ${extra_eclass}
IUSE=""
HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
if [[ -n ${BASEPOL} ]] && [[ "${BASEPOL}" != "9999" ]];
then
SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2
http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
elif [[ "${BASEPOL}" != "9999" ]];
then
SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2"
else
SRC_URI=""
fi
LICENSE="GPL-2"
SLOT="0"
S="${WORKDIR}/"
PATCHBUNDLE="${DISTDIR}/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
# Modules should always depend on at least the first release of the
# selinux-base-policy for which they are generated.
if [[ -n ${BASEPOL} ]];
then
RDEPEND=">=sys-apps/policycoreutils-2.0.82
>=sec-policy/selinux-base-policy-${BASEPOL}"
else
RDEPEND=">=sys-apps/policycoreutils-2.0.82
>=sec-policy/selinux-base-policy-${PV}"
fi
DEPEND="${RDEPEND}
sys-devel/m4
>=sys-apps/checkpolicy-2.0.21"
SELINUX_EXPF="src_unpack src_compile src_install pkg_postinst"
case "${EAPI:-0}" in
2|3|4) SELINUX_EXPF+=" src_prepare" ;;
*) ;;
esac
EXPORT_FUNCTIONS ${SELINUX_EXPF}
# @FUNCTION: selinux-policy-2_src_unpack
# @DESCRIPTION:
# Unpack the policy sources as offered by upstream (refpolicy). In case of EAPI
# older than 2, call src_prepare too.
selinux-policy-2_src_unpack() {
if [[ "${BASEPOL}" != "9999" ]];
then
unpack ${A}
else
git-2_src_unpack
fi
# Call src_prepare explicitly for EAPI 0 or 1
has "${EAPI:-0}" 0 1 && selinux-policy-2_src_prepare
}
# @FUNCTION: selinux-policy-2_src_prepare
# @DESCRIPTION:
# Patch the reference policy sources with our set of enhancements. Start with
# the base patchbundle referred to by the ebuilds through the BASEPOL variable,
# then apply the additional patches as offered by the ebuild.
#
# Next, extract only those files needed for this particular module (i.e. the .te
# and .fc files for the given module in the MODS variable).
#
# Finally, prepare the build environments for each of the supported SELinux
# types (such as targeted or strict), depending on the POLICY_TYPES variable
# content.
selinux-policy-2_src_prepare() {
local modfiles
local add_interfaces=0;
# Create 3rd_party location for user-contributed policies
cd "${S}/refpolicy/policy/modules" && mkdir 3rd_party;
# Patch the sources with the base patchbundle
if [[ -n ${BASEPOL} ]] && [[ "${BASEPOL}" != "9999" ]];
then
cd "${S}"
EPATCH_MULTI_MSG="Applying SELinux policy updates ... " \
EPATCH_SUFFIX="patch" \
EPATCH_SOURCE="${WORKDIR}" \
EPATCH_FORCE="yes" \
epatch
fi
# Copy additional files to the 3rd_party/ location
if [[ "$(declare -p POLICY_FILES 2>/dev/null 2>&1)" == "declare -a"* ]] ||
[[ -n ${POLICY_FILES} ]];
then
add_interfaces=1;
cd "${S}/refpolicy/policy/modules"
for POLFILE in ${POLICY_FILES[@]};
do
cp "${FILESDIR}/${POLFILE}" 3rd_party/ || die "Could not copy ${POLFILE} to 3rd_party/ location";
done
fi
# Apply the additional patches refered to by the module ebuild.
# But first some magic to differentiate between bash arrays and strings
if [[ "$(declare -p POLICY_PATCH 2>/dev/null 2>&1)" == "declare -a"* ]] ||
[[ -n ${POLICY_PATCH} ]];
then
cd "${S}/refpolicy/policy/modules"
for POLPATCH in ${POLICY_PATCH[@]};
do
epatch "${POLPATCH}"
done
fi
# Collect only those files needed for this particular module
for i in ${MODS}; do
modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
if [ ${add_interfaces} -eq 1 ];
then
modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.if) $modfiles"
fi
done
for i in ${POLICY_TYPES}; do
mkdir "${S}"/${i} || die "Failed to create directory ${S}/${i}"
cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \
|| die "Failed to copy Makefile.example to ${S}/${i}/Makefile"
cp ${modfiles} "${S}"/${i} \
|| die "Failed to copy the module files to ${S}/${i}"
done
}
# @FUNCTION: selinux-policy-2_src_compile
# @DESCRIPTION:
# Build the SELinux policy module (.pp file) for just the selected module, and
# this for each SELinux policy mentioned in POLICY_TYPES
selinux-policy-2_src_compile() {
for i in ${POLICY_TYPES}; do
# Parallel builds are broken, so we need to force -j1 here
emake -j1 NAME=$i -C "${S}"/${i} || die "${i} compile failed"
done
}
# @FUNCTION: selinux-policy-2_src_install
# @DESCRIPTION:
# Install the built .pp files in the correct subdirectory within
# /usr/share/selinux.
selinux-policy-2_src_install() {
local BASEDIR="/usr/share/selinux"
for i in ${POLICY_TYPES}; do
for j in ${MODS}; do
einfo "Installing ${i} ${j} policy package"
insinto ${BASEDIR}/${i}
doins "${S}"/${i}/${j}.pp || die "Failed to add ${j}.pp to ${i}"
if [[ "${POLICY_FILES[@]}" == *"${j}.if"* ]];
then
insinto ${BASEDIR}/${i}/include/3rd_party
doins "${S}"/${i}/${j}.if || die "Failed to add ${j}.if to ${i}"
fi
done
done
}
# @FUNCTION: selinux-policy-2_pkg_postinst
# @DESCRIPTION:
# Install the built .pp files in the SELinux policy stores, effectively
# activating the policy on the system.
selinux-policy-2_pkg_postinst() {
# build up the command in the case of multiple modules
local COMMAND
for i in ${MODS}; do
COMMAND="-i ${i}.pp ${COMMAND}"
done
for i in ${POLICY_TYPES}; do
einfo "Inserting the following modules into the $i module store: ${MODS}"
cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/${i}"
semodule -s ${i} ${COMMAND}
if [ $? -ne 0 ];
then
ewarn "SELinux module load failed. Trying full reload...";
if [ "${i}" == "targeted" ];
then
semodule -s ${i} -b base.pp -i $(ls *.pp | grep -v base.pp);
else
semodule -s ${i} -b base.pp -i $(ls *.pp | grep -v base.pp | grep -v unconfined.pp);
fi
if [ $? -ne 0 ];
then
ewarn "Failed to reload SELinux policies."
ewarn ""
ewarn "If this is *not* the last SELinux module package being installed,"
ewarn "then you can safely ignore this as the reloads will be retried"
ewarn "with other, recent modules."
ewarn ""
ewarn "If it is the last SELinux module package being installed however,"
ewarn "then it is advised to look at the error above and take appropriate"
ewarn "action since the new SELinux policies are not loaded until the"
ewarn "command finished succesfully."
ewarn ""
ewarn "To reload, run the following command from within /usr/share/selinux/${i}:"
ewarn " semodule -b base.pp -i \$(ls *.pp | grep -v base.pp)"
ewarn "or"
ewarn " semodule -b base.pp -i \$(ls *.pp | grep -v base.pp | grep -v unconfined.pp)"
ewarn "depending on if you need the unconfined domain loaded as well or not."
else
einfo "SELinux modules reloaded succesfully."
fi
else
einfo "SELinux modules loaded succesfully."
fi
done
}
|