blob: 0c870e9f5bb417a5ccc8afd1f3ce98b5513fe2a2 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
|
# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
PYTHON_COMPAT=( python3_{10..12} )
PYTHON_REQ_USE="xml(+)"
inherit python-any-r1
if [[ ${PV} == 9999* ]]; then
EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}"
EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}"
EGIT_CHECKOUT_DIR="${WORKDIR}/refpolicy"
inherit git-r3
else
SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2
https://dev.gentoo.org/~perfinion/patches/selinux-base-policy/patchbundle-selinux-base-policy-${PVR}.tar.bz2"
KEYWORDS="amd64 arm arm64 ~riscv x86"
fi
IUSE="doc +unknown-perms systemd +ubac +unconfined"
DESCRIPTION="Gentoo base policy for SELinux"
HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
LICENSE="GPL-2"
SLOT="0"
RDEPEND=">=sys-apps/policycoreutils-2.8"
DEPEND="${RDEPEND}"
BDEPEND="
${PYTHON_DEPS}
>=sys-apps/checkpolicy-2.8
sys-devel/m4"
S=${WORKDIR}/
src_prepare() {
if [[ ${PV} != 9999* ]]; then
einfo "Applying SELinux policy updates ... "
eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch"
fi
eapply_user
cd "${S}/refpolicy" || die
emake bare
}
src_configure() {
[ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs"
# Update the SELinux refpolicy capabilities based on the users' USE flags.
if use unknown-perms; then
sed -i -e '/^UNK_PERMS/s/deny/allow/' "${S}/refpolicy/build.conf" \
|| die "Failed to allow Unknown Permissions Handling"
sed -i -e '/^UNK_PERMS/s/deny/allow/' "${S}/refpolicy/Makefile" \
|| die "Failed to allow Unknown Permissions Handling"
fi
if ! use ubac; then
sed -i -e '/^UBAC/s/y/n/' "${S}/refpolicy/build.conf" \
|| die "Failed to disable User Based Access Control"
fi
if use systemd; then
sed -i -e '/^SYSTEMD/s/n/y/' "${S}/refpolicy/build.conf" \
|| die "Failed to enable SystemD"
fi
echo "DISTRO = gentoo" >> "${S}/refpolicy/build.conf" || die
# Prepare initial configuration
cd "${S}/refpolicy" || die
emake conf
# Setup the policies based on the types delivered by the end user.
# These types can be "targeted", "strict", "mcs" and "mls".
for i in ${POLICY_TYPES}; do
cp -a "${S}/refpolicy" "${S}/${i}" || die
cd "${S}/${i}" || die
sed -i -e "/= module/d" "${S}/${i}/policy/modules.conf" || die
sed -i -e '/^QUIET/s/n/y/' -e "/^NAME/s/refpolicy/$i/" \
"${S}/${i}/build.conf" || die "build.conf setup failed."
if [[ "${i}" == "mls" ]] || [[ "${i}" == "mcs" ]];
then
# MCS/MLS require additional settings
sed -i -e "/^TYPE/s/standard/${i}/" "${S}/${i}/build.conf" \
|| die "failed to set type to mls"
fi
if [ "${i}" == "targeted" ]; then
sed -i -e '/root/d' -e 's/user_u/unconfined_u/' \
"${S}/${i}/config/appconfig-standard/seusers" \
|| die "targeted seusers setup failed."
fi
if [ "${i}" != "targeted" ] && [ "${i}" != "strict" ] && use unconfined; then
sed -i -e '/root/d' -e 's/user_u/unconfined_u/' \
"${S}/${i}/config/appconfig-${i}/seusers" \
|| die "policy seusers setup failed."
fi
done
}
src_compile() {
[ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs"
for i in ${POLICY_TYPES}; do
cd "${S}/${i}" || die
emake base
if use doc; then
emake html
fi
done
}
src_install() {
[ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs"
for i in ${POLICY_TYPES}; do
cd "${S}/${i}" || die
emake DESTDIR="${D}" install
emake DESTDIR="${D}" install-headers
echo "run_init_t" > "${D}/etc/selinux/${i}/contexts/run_init_type" || die
echo "textrel_shlib_t" >> "${D}/etc/selinux/${i}/contexts/customizable_types" || die
# libsemanage won't make this on its own
keepdir "/etc/selinux/${i}/policy"
if use doc; then
docinto ${i}/html
dodoc -r doc/html/*;
fi
insinto /usr/share/selinux/devel;
doins doc/policy.xml;
done
docinto /
dodoc doc/Makefile.example doc/example.{te,fc,if}
doman man/man8/*.8;
insinto /etc/selinux
doins "${FILESDIR}/config"
insinto /usr/share/portage/config/sets
doins "${FILESDIR}/selinux.conf"
}
|