From 5ad91efc7c892b07aa3735e5be3b42b1c2e91885 Mon Sep 17 00:00:00 2001
From: Zhongling He
Date: Sat, 15 Apr 2023 11:06:32 +0800
Subject: [PATCH] refactor rpm spec

---
 selinux-policy.spec | 938 +++++++++++++++++++++----------------------
 1 file changed, 450 insertions(+), 488 deletions(-)

diff --git a/selinux-policy.spec b/selinux-policy.spec
index 75a31eb..b964141 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -1,4 +1,4 @@
-%define anolis_release 1
+%define anolis_release 2
 %define distro redhat
 %define polyinstatiate n
 %define monolithic n
@@ -14,70 +14,59 @@
 %if %{?BUILD_MLS:0}%{!?BUILD_MLS:1}
 %define BUILD_MLS 1
 %endif
-%define POLICYVER 33
-%define POLICYCOREUTILSVER 3.4
-%define CHECKPOLICYVER 3.2
-
-Summary: SELinux policy configuration
-Name: selinux-policy
-Version: 37.18
-Release: %{anolis_release}%{?dist}
-License: GPLv2+
-Url: https://github.com/fedora-selinux/selinux-policy
-
-Source0: https://github.com/fedora-selinux/selinux-policy/archive/refs/tags/v%{version}.tar.gz
-Source1: modules-targeted-base.conf
-Source2: booleans-targeted.conf
-Source3: Makefile.devel
-Source4: setrans-targeted.conf
-Source5: modules-mls-base.conf
-Source6: booleans-mls.conf
-
-Source8: setrans-mls.conf
-
-Source14: securetty_types-targeted
-Source15: securetty_types-mls
-
-#Source16: modules-minimum.conf
-Source17: booleans-minimum.conf
-Source18: setrans-minimum.conf
-Source19: securetty_types-minimum
-Source20: customizable_types
-Source22: users-mls
-Source23: users-targeted
-Source25: users-minimum
-Source26: file_contexts.subs_dist
-Source27: selinux-policy.conf
-Source28: permissivedomains.cil
-Source30: booleans.subs_dist
-Source31: modules-targeted-contrib.conf
-Source32: modules-mls-contrib.conf
-
-# Tool helps during policy development, to expand system m4 macros to raw allow rules
-# Git repo: https://github.com/fedora-selinux/macro-expander.git
-#Source33: https://github.com/fedora-selinux/macro-expander/blob/master/macro-expander.sh
-Source33: macro-expander
-
-# Include SELinux policy for container from separate container-selinux repo
-# Git repo: https://github.com/containers/container-selinux.git
-#Source35: https://github.com/containers/container-selinux/archive/refs/tags/v2.180.0.tar.gz
-Source35: container-selinux.tgz
-
-Source36: selinux-check-proper-disable.service
-
-# Provide rpm macros for packages installing SELinux modules
-Source102: rpm.macros
-
-BuildArch: noarch
-BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2
-BuildRequires: make
+%define policy_version 33
+%define policy_coreutils_version 3.4
+%define check_policy_version 3.2
+
+Summary: SELinux policy configuration
+Name: selinux-policy
+Version: 37.18
+Release: %{anolis_release}%{?dist}
+License: GPLv2+
+Url: https://github.com/fedora-selinux/%{name}
+
+Source0: https://github.com/fedora-selinux/%{name}/archive/refs/tags/v%{version}.tar.gz
+Source1: modules-targeted-base.conf
+Source2: booleans-targeted.conf
+Source3: Makefile.devel
+Source4: setrans-targeted.conf
+Source5: modules-mls-base.conf
+Source6: booleans-mls.conf
+
+Source8: setrans-mls.conf
+
+Source14: securetty_types-targeted
+Source15: securetty_types-mls
+
+#Source16: modules-minimum.conf
+Source17: booleans-minimum.conf
+Source18: setrans-minimum.conf
+Source19: securetty_types-minimum
+Source20: customizable_types
+Source22: users-mls
+Source23: users-targeted
+Source25: users-minimum
+Source26: file_contexts.subs_dist
+Source27: %{name}.conf
+Source28: permissivedomains.cil
+Source30: booleans.subs_dist
+Source31: modules-targeted-contrib.conf
+Source32: modules-mls-contrib.conf
+Source33: macro-expander
+Source35: container-selinux.tgz
+Source36: selinux-check-proper-disable.service
+Source102: rpm.macros
+
+BuildArch: noarch
+BuildRequires: python3 gawk checkpolicy >= %{check_policy_version} m4 policycoreutils-devel >= %{policy_coreutils_version} bzip2
+BuildRequires: make python3-distro
 BuildRequires: systemd-rpm-macros
-Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
+Requires(pre): policycoreutils >= %{policy_coreutils_version}
 Requires(post): /bin/awk /usr/bin/sha512sum
-Requires: rpm-plugin-selinux
-Requires: selinux-policy-any = %{version}-%{release}
-Provides: selinux-policy-base = %{version}-%{release}
-Suggests: selinux-policy-targeted
+Requires: rpm-plugin-selinux
+Requires: %{name}-any = %{version}-%{release}
+Provides: %{name}-base = %{version}-%{release}
+Suggests: %{name}-targeted
 
 %description
 SELinux core policy package.
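Review bot: The new Source list drops the provenance comments that sat above `Source33: macro-expander` and `Source35: container-selinux.tgz` — the upstream repository URLs and the `#Source35: https://github.com/containers/container-selinux/archive/refs/tags/v2.180.0.tar.gz` line that recorded which container-selinux release the bundled tarball was cut from. Without them `container-selinux.tgz` is an opaque blob with no recorded version, which makes it hard to audit what policy is actually being shipped or to notice when the tarball needs a rebase for an upstream fix. I would keep the removed `# Git repo: ...` and `#SourceNN: https://...` lines above each of these two entries, and the `# Provide rpm macros for packages installing SELinux modules` line above `Source102: rpm.macros`; they cost nothing in the built package. If the version pin is meant to live elsewhere, the spec should at least say where.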
@@ -87,19 +76,19 @@ the policy has been adjusted to provide support for Anolis. %files %{!?_licensedir:%global license %%doc} %license COPYING -%dir %{_datadir}/selinux -%dir %{_datadir}/selinux/packages -%dir %{_sysconfdir}/selinux -%ghost %config(noreplace) %{_sysconfdir}/selinux/config -%ghost %{_sysconfdir}/sysconfig/selinux -%{_usr}/lib/tmpfiles.d/selinux-policy.conf -%{_rpmconfigdir}/macros.d/macros.selinux-policy %{_unitdir}/selinux-check-proper-disable.service +%{_rpmconfigdir}/macros.d/macros.%{name} +%{_usr}/lib/tmpfiles.d/%{name}.conf +%ghost %{_sysconfdir}/sysconfig/selinux +%ghost %config(noreplace) %{_sysconfdir}/selinux/config +%dir %{_sysconfdir}/selinux +%dir %{_datadir}/selinux/packages +%dir %{_datadir}/selinux %package sandbox Summary: SELinux sandbox policy -Requires(pre): selinux-policy-base = %{version}-%{release} -Requires(pre): selinux-policy-targeted = %{version}-%{release} +Requires(pre): %{name}-base = %{version}-%{release} +Requires(pre): %{name}-targeted = %{version}-%{release} %description sandbox SELinux sandbox policy for use with the sandbox utility. 
@@ -112,26 +101,25 @@ rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev rm -f %{_sharedstatedir}/selinux/*/active/modules/disabled/sandbox 2>/dev/null %{_sbindir}/semodule -n -X 100 -i %{_datadir}/selinux/packages/sandbox.pp if %{_sbindir}/selinuxenabled ; then - %{_sbindir}/load_policy + %{_sbindir}/load_policy fi; exit 0 %preun sandbox if [ $1 -eq 0 ] ; then - %{_sbindir}/semodule -n -d sandbox 2>/dev/null - if %{_sbindir}/selinuxenabled ; then - %{_sbindir}/load_policy - fi; + %{_sbindir}/semodule -n -d sandbox 2>/dev/null + if %{_sbindir}/selinuxenabled ; then + %{_sbindir}/load_policy + fi; fi; exit 0 %package devel Summary: SELinux policy development files -Requires(pre): selinux-policy = %{version}-%{release} -Requires: selinux-policy = %{version}-%{release} -Requires: m4 checkpolicy >= %{CHECKPOLICYVER} -Requires: /usr/bin/make -Requires(post): policycoreutils-devel >= %{POLICYCOREUTILSVER} +Requires(pre): %{name} = %{version}-%{release} +Requires: %{name} = %{version}-%{release} +Requires: m4 checkpolicy >= %{check_policy_version} make +Requires(post): policycoreutils-devel >= %{policy_coreutils_version} %description devel SELinux policy development package. 
@@ -143,18 +131,18 @@ and some additional files. %files devel %dir %{abidir} -%{_bindir}/macro-expander -%{abidir}/macro-expander-option.list -%dir %{_datadir}/selinux/devel -%dir %{_datadir}/selinux/devel/include -%{_datadir}/selinux/devel/include/* -%dir %{_datadir}/selinux/devel/html -%{_datadir}/selinux/devel/html/*html -%{_datadir}/selinux/devel/html/*css -%{_datadir}/selinux/devel/Makefile -%{_datadir}/selinux/devel/example.* -%{_datadir}/selinux/devel/policy.* %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/sepolgen/interface_info +%{_datadir}/selinux/devel/policy.* +%{_datadir}/selinux/devel/example.* +%{_datadir}/selinux/devel/Makefile +%{_datadir}/selinux/devel/html/*css +%{_datadir}/selinux/devel/html/*html +%dir %{_datadir}/selinux/devel/html +%{_datadir}/selinux/devel/include/* +%dir %{_datadir}/selinux/devel/include +%dir %{_datadir}/selinux/devel +%{abidir}/macro-expander-option.list +%{_bindir}/macro-expander %post devel %{_sbindir}/selinuxenabled && %{_bindir}/sepolgen-ifgen 2>/dev/null @@ -162,8 +150,8 @@ exit 0 %package doc Summary: SELinux policy documentation -Requires(pre): selinux-policy = %{version}-%{release} -Requires: selinux-policy = %{version}-%{release} +Requires(pre): %{name} = %{version}-%{release} +Requires: %{name} = %{version}-%{release} %description doc SELinux policy documentation package. 
@@ -171,233 +159,216 @@ This package contains manual pages and documentation of the policy modules. %define common_params DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 -%define makeCmds() \ -%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare \ -%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf \ -cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \ -cp -f selinux_config/users-%1 ./policy/users \ +%define backupConfigLua() \ +local sysconfdir = rpm.expand("%{_sysconfdir}") \ +local config_file = sysconfdir .. "/selinux/config" \ +local config_backup = sysconfdir .. "/selinux/.config_backup" \ +os.remove(config_backup) \ +if posix.stat(config_file) then \ + local f = assert(io.open(config_file, "r"), "Failed to read " .. config_file) \ + local content = f:read("*all") \ + f:close() \ + local backup = content:gsub("SELINUX", "BACKUP_SELINUX") \ + local bf = assert(io.open(config_backup, "w"), "Failed to open " .. config_backup) \ + bf:write(backup) \ + bf:close() \ +end -%define makeModulesConf() \ -cp -f selinux_config/modules-%1-%2.conf ./policy/modules-base.conf \ -cp -f selinux_config/modules-%1-%2.conf ./policy/modules.conf \ -if [ %3 == "contrib" ];then \ - cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \ - cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \ +%define nonBaseModulesList() \ +contrib_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst` \ +base_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-base.lst` \ +for i in $contrib_modules $base_modules; do \ + if [ $i != "sandbox" ];then \ + echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst \ + fi; \ +done; +%define checkConfigConsistency() \ +if [ -f %{_sysconfdir}/selinux/.config_backup ]; then \ + . 
%{_sysconfdir}/selinux/.config_backup; \ +else \ + BACKUP_SELINUXTYPE=targeted; \ fi; \ +if [ -s %{_sysconfdir}/selinux/config ]; then \ + . %{_sysconfdir}/selinux/config; \ + if ls %{_sysconfdir}/selinux/$BACKUP_SELINUXTYPE/policy/policy.* &>/dev/null; then \ + if [ "$BACKUP_SELINUXTYPE" != "$SELINUXTYPE" ]; then \ + sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE='"$BACKUP_SELINUXTYPE"'/g' %{_sysconfdir}/selinux/config; \ + fi; \ + elif [ "%1" = "targeted" ]; then \ + if [ "%1" != "$SELINUXTYPE" ]; then \ + sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \ + fi; \ + elif ! ls %{_sysconfdir}/selinux/$SELINUXTYPE/policy/policy.* &>/dev/null; then \ + if [ "%1" != "$SELINUXTYPE" ]; then \ + sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \ + fi; \ + fi; \ +fi; -%define installCmds() \ -%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \ -%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 validate modules \ -make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install \ -make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install-appconfig \ -make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="%{_sbindir}/semodule -p %{buildroot} -X 100 " load \ -%{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \ -touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ -install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \ -install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \ -install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \ -install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \ -touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \ -touch 
%{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \ -touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \ -cp %{SOURCE30} %{buildroot}%{_sysconfdir}/selinux/%1 \ -rm -f %{buildroot}%{_datadir}/selinux/%1/*pp* \ -%{_bindir}/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \ -rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \ -rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \ -rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \ -%nil - -%define fileList() \ -%defattr(-,root,root) \ -%dir %{_sysconfdir}/selinux/%1 \ -%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \ -%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \ -%dir %{_sysconfdir}/selinux/%1/logins \ -%dir %{_sharedstatedir}/selinux/%1/active \ -%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.read.LOCK \ -%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \ -%dir %attr(700,root,root) %dir %{_sharedstatedir}/selinux/%1/active/modules \ -%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \ -%dir %{_sysconfdir}/selinux/%1/policy/ \ -%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \ -%{_sysconfdir}/selinux/%1/.policy.sha512 \ -%dir %{_sysconfdir}/selinux/%1/contexts \ -%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \ -%config %{_sysconfdir}/selinux/%1/contexts/x_contexts \ -%config %{_sysconfdir}/selinux/%1/contexts/default_contexts \ -%config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \ -%config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \ -%config 
%{_sysconfdir}/selinux/%1/contexts/lxc_contexts \ -%config %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \ -%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \ -%config %{_sysconfdir}/selinux/%1/contexts/openssh_contexts \ -%config %{_sysconfdir}/selinux/%1/contexts/snapperd_contexts \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \ -%dir %{_sysconfdir}/selinux/%1/contexts/files \ -%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \ -%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \ -%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \ -%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs.bin \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \ -%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ -%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \ -%{_sysconfdir}/selinux/%1/booleans.subs_dist \ -%config %{_sysconfdir}/selinux/%1/contexts/files/media \ -%dir %{_sysconfdir}/selinux/%1/contexts/users \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/root \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \ -%dir %{_datadir}/selinux/%1 \ -%{_datadir}/selinux/%1/base.lst \ -%{_datadir}/selinux/%1/modules-base.lst \ 
-%{_datadir}/selinux/%1/modules-contrib.lst \ -%{_datadir}/selinux/%1/nonbasemodules.lst \ -%dir %{_sharedstatedir}/selinux/%1 \ -%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/commit_num \ -%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/users_extra \ -%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/homedir_template \ -%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/seusers \ -%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts \ -%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/policy.kern \ -%ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \ -%ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \ -%ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \ -%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \ -%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules_checksum \ -%nil +%define modulesList() \ +awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/modules-base.lst \ +awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \ +if [ -e ./policy/modules-contrib.conf ];then \ + awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst; \ +fi; -%define relabel() \ +%define postInstall() \ if [ -s %{_sysconfdir}/selinux/config ]; then \ - . %{_sysconfdir}/selinux/config &> /dev/null || true; \ + . 
%{_sysconfdir}/selinux/config &> /dev/null || true; \ fi; \ -FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ -if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \ - %{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \ - rm -f ${FILE_CONTEXT}.pre; \ +if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \ + rm %{_sysconfdir}/selinux/%2/.rebuild; \ fi; \ -# rebuilding the rpm database still can sometimes result in an incorrect context \ -%{_sbindir}/restorecon -R /usr/lib/sysimage/rpm \ -if %{_sbindir}/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \ - continue; \ +%{_sbindir}/semodule -B -n -s %2; \ +[ "${SELINUXTYPE}" == "%2" ] && %{_sbindir}/selinuxenabled && load_policy; \ +if [ %1 -eq 1 ]; then \ + %{_sbindir}/restorecon -R /root /var/log /run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \ +else \ +%relabel %2 \ fi; %define preInstall() \ if [ $1 -ne 1 ] && [ -s %{_sysconfdir}/selinux/config ]; then \ - for MOD_NAME in ganesha ipa_custodia kdbus; do \ - if [ -d %{_sharedstatedir}/selinux/%1/active/modules/100/$MOD_NAME ]; then \ - %{_sbindir}/semodule -n -d $MOD_NAME; \ - fi; \ - done; \ - . %{_sysconfdir}/selinux/config; \ - FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ - if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \ - [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \ - fi; \ - touch %{_sysconfdir}/selinux/%1/.rebuild; \ - if [ -e %{_sysconfdir}/selinux/%1/.policy.sha512 ]; then \ - POLICY_FILE=`ls %{_sysconfdir}/selinux/%1/policy/policy.* | sort | head -1` \ - sha512=`sha512sum $POLICY_FILE | cut -d ' ' -f 1`; \ + for MOD_NAME in ganesha ipa_custodia kdbus; do \ + if [ -d %{_sharedstatedir}/selinux/%1/active/modules/100/$MOD_NAME ]; then \ + %{_sbindir}/semodule -n -d $MOD_NAME; \ + fi; \ + done; \ + . 
%{_sysconfdir}/selinux/config; \ + FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ + if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \ + [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \ + fi; \ + touch %{_sysconfdir}/selinux/%1/.rebuild; \ + if [ -e %{_sysconfdir}/selinux/%1/.policy.sha512 ]; then \ + POLICY_FILE=`ls %{_sysconfdir}/selinux/%1/policy/policy.* | sort | head -1` \ + sha512=`sha512sum $POLICY_FILE | cut -d ' ' -f 1`; \ checksha512=`cat %{_sysconfdir}/selinux/%1/.policy.sha512`; \ if [ "$sha512" == "$checksha512" ] ; then \ rm %{_sysconfdir}/selinux/%1/.rebuild; \ fi; \ - fi; \ + fi; \ fi; -%define postInstall() \ +%define relabel() \ if [ -s %{_sysconfdir}/selinux/config ]; then \ - . %{_sysconfdir}/selinux/config &> /dev/null || true; \ + . %{_sysconfdir}/selinux/config &> /dev/null || true; \ fi; \ -if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \ - rm %{_sysconfdir}/selinux/%2/.rebuild; \ +FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ +if %{_sbindir}/selinuxenabled && [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \ + %{_sbindir}/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \ + rm -f ${FILE_CONTEXT}.pre; \ fi; \ -%{_sbindir}/semodule -B -n -s %2; \ -[ "${SELINUXTYPE}" == "%2" ] && %{_sbindir}/selinuxenabled && load_policy; \ -if [ %1 -eq 1 ]; then \ - %{_sbindir}/restorecon -R /root /var/log /run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \ -else \ -%relabel %2 \ +# rebuilding the rpm database still can sometimes result in an incorrect context \ +%{_sbindir}/restorecon -R /usr/lib/sysimage/rpm \ +if %{_sbindir}/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \ + continue; \ fi; -%define modulesList() \ -awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/modules-base.lst \ -awk 
'$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}%{_datadir}/selinux/%1/base.lst \ -if [ -e ./policy/modules-contrib.conf ];then \ - awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst; \ -fi; +%define fileList() \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules_checksum \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \ +%ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \ +%ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \ +%ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/policy.kern \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/seusers \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/homedir_template \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/users_extra \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/commit_num \ +%dir %{_sharedstatedir}/selinux/%1 \ +%{_datadir}/selinux/%1/nonbasemodules.lst \ +%{_datadir}/selinux/%1/modules-contrib.lst \ +%{_datadir}/selinux/%1/modules-base.lst \ +%{_datadir}/selinux/%1/base.lst \ +%dir %{_datadir}/selinux/%1 \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/root \ +%dir %{_sysconfdir}/selinux/%1/contexts/users \ +%config %{_sysconfdir}/selinux/%1/contexts/files/media \ +%{_sysconfdir}/selinux/%1/booleans.subs_dist \ 
+%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ +%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \ +%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs.bin \ +%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \ +%ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \ +%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \ +%dir %{_sysconfdir}/selinux/%1/contexts/files \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \ +%config %{_sysconfdir}/selinux/%1/contexts/snapperd_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/openssh_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \ +%config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \ +%config %{_sysconfdir}/selinux/%1/contexts/default_contexts \ +%config %{_sysconfdir}/selinux/%1/contexts/x_contexts \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \ +%config %{_sysconfdir}/selinux/%1/contexts/customizable_types \ +%dir %{_sysconfdir}/selinux/%1/contexts \ +%{_sysconfdir}/selinux/%1/.policy.sha512 \ +%verify(not md5 size mtime) 
%{_sysconfdir}/selinux/%1/policy/policy.%{policy_version} \ +%dir %{_sysconfdir}/selinux/%1/policy/ \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \ +%dir %attr(700,root,root) %dir %{_sharedstatedir}/selinux/%1/active/modules \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \ +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.read.LOCK \ +%dir %{_sharedstatedir}/selinux/%1/active \ +%dir %{_sysconfdir}/selinux/%1/logins \ +%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \ +%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \ +%dir %{_sysconfdir}/selinux/%1 \ +%defattr(-,root,root) \ +%nil -%define nonBaseModulesList() \ -contrib_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-contrib.lst` \ -base_modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules-base.lst` \ -for i in $contrib_modules $base_modules; do \ - if [ $i != "sandbox" ];then \ - echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst \ - fi; \ -done; +%define installCmds() \ +%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 base.pp \ +%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 validate modules \ +make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install \ +make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} install-appconfig \ +make %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 DESTDIR=%{buildroot} SEMODULE="%{_sbindir}/semodule -p %{buildroot} -X 100 " load \ +%{__mkdir} -p %{buildroot}%{_sysconfdir}/selinux/%1/logins \ +touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ +touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \ +touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \ +touch 
%{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \ +install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \ +install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \ +install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \ +install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \ +cp %{SOURCE30} %{buildroot}%{_sysconfdir}/selinux/%1 \ +rm -f %{buildroot}%{_datadir}/selinux/%1/*pp* \ +%{_bindir}/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{policy_version} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \ +rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \ +rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \ +rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \ +%nil -# Make sure the config is consistent with what packages are installed in the system -# this covers cases when system is installed with selinux-policy-{mls,minimal} -# or selinux-policy-{targeted,mls,minimal} where switched but the machine has not -# been rebooted yet. 
-# The macro should be called at the beginning of "post" (to make sure load_policy does not fail) -# and in "posttrans" (to make sure that the store is consistent when all package transitions are done) -# Parameter determines the policy type to be set in case of miss-configuration (if backup value is not usable) -# Steps: -# * load values from config and its backup -# * check whether SELINUXTYPE from backup is usable and make sure that it's set in the config if so -# * use "targeted" if it's being installed and BACKUP_SELINUXTYPE cannot be used -# * check whether SELINUXTYPE in the config is usable and change it to newly installed policy if it isn't -%define checkConfigConsistency() \ -if [ -f %{_sysconfdir}/selinux/.config_backup ]; then \ - . %{_sysconfdir}/selinux/.config_backup; \ -else \ - BACKUP_SELINUXTYPE=targeted; \ +%define makeModulesConf() \ +cp -f selinux_config/modules-%1-%2.conf ./policy/modules-base.conf \ +cp -f selinux_config/modules-%1-%2.conf ./policy/modules.conf \ +if [ %3 == "contrib" ];then \ + cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \ + cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \ fi; \ -if [ -s %{_sysconfdir}/selinux/config ]; then \ - . %{_sysconfdir}/selinux/config; \ - if ls %{_sysconfdir}/selinux/$BACKUP_SELINUXTYPE/policy/policy.* &>/dev/null; then \ - if [ "$BACKUP_SELINUXTYPE" != "$SELINUXTYPE" ]; then \ - sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE='"$BACKUP_SELINUXTYPE"'/g' %{_sysconfdir}/selinux/config; \ - fi; \ - elif [ "%1" = "targeted" ]; then \ - if [ "%1" != "$SELINUXTYPE" ]; then \ - sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \ - fi; \ - elif ! 
ls %{_sysconfdir}/selinux/$SELINUXTYPE/policy/policy.* &>/dev/null; then \ - if [ "%1" != "$SELINUXTYPE" ]; then \ - sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \ - fi; \ - fi; \ -fi; -# Create hidden backup of /etc/selinux/config and prepend BACKUP_ to names -# of variables inside so that they are easy to use later -# This should be done in "pretrans" because config content can change during RPM operations -# The macro has to be used in a script slot with "-p " -%define backupConfigLua() \ -local sysconfdir = rpm.expand("%{_sysconfdir}") \ -local config_file = sysconfdir .. "/selinux/config" \ -local config_backup = sysconfdir .. "/selinux/.config_backup" \ -os.remove(config_backup) \ -if posix.stat(config_file) then \ - local f = assert(io.open(config_file, "r"), "Failed to read " .. config_file) \ - local content = f:read("*all") \ - f:close() \ - local backup = content:gsub("SELINUX", "BACKUP_SELINUX") \ - local bf = assert(io.open(config_backup, "w"), "Failed to open " .. config_backup) \ - bf:write(backup) \ - bf:close() \ -end +%define makeCmds() \ +%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 bare \ +%make_build %common_params UNK_PERMS=%3 NAME=%1 TYPE=%2 conf \ +cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \ +cp -f selinux_config/users-%1 ./policy/users \ %build @@ -411,7 +382,6 @@ for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOU done %install -# Build targeted policy %{__rm} -fR %{buildroot} mkdir -p %{buildroot}%{_sysconfdir}/selinux mkdir -p %{buildroot}%{_sysconfdir}/sysconfig 
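Review bot: The comment blocks that used to precede `%define checkConfigConsistency()` and `%define backupConfigLua()` are deleted in this hunk while the macros themselves are only moved. Those comments were the only record of why the scriptlets rewrite `SELINUXTYPE=` in `%{_sysconfdir}/selinux/config`, why the backup has to be taken in `%pretrans` from a `-p` (Lua) script slot, and why the consistency check runs both at the start of `%post` and again in `%posttrans`; since this logic decides which policy store gets loaded at the next boot, a later edit made without that rationale is a real risk. I would restore both blocks verbatim above their macros (the text is in the removed side of this hunk). Reversing the order of every entry in `%define fileList()` and of the macro definitions also turns the rename to `%{policy_version}` into a diff where nearly every line is churn; keeping the original order would let the actual change stand out.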
@@ -420,32 +390,23 @@ touch %{buildroot}%{_sysconfdir}/sysconfig/selinux mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/ cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/ mkdir -p %{buildroot}%{_bindir} -install -m 755 %{SOURCE33} %{buildroot}%{_bindir}/ +install -m 755 %{SOURCE33} %{buildroot}%{_bindir}/ -# Always create policy module package directories mkdir -p %{buildroot}%{_datadir}/selinux/{targeted,mls,minimum,modules}/ mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/ mkdir -p %{buildroot}%{_datadir}/selinux/packages -# Install devel make clean -%if %{BUILD_TARGETED} -# Build targeted policy -%makeCmds targeted mcs allow -%makeModulesConf targeted base contrib -%installCmds targeted mcs allow -# install permissivedomains.cil -%{_sbindir}/semodule -p %{buildroot} -X 100 -s targeted -i %{SOURCE28} -# recreate sandbox.pp -rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox -%make_build %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs sandbox.pp -mv sandbox.pp %{buildroot}%{_datadir}/selinux/packages/sandbox.pp -%modulesList targeted -%nonBaseModulesList targeted + +%if %{BUILD_MLS} +%makeCmds mls mls deny +%makeModulesConf mls base contrib +%installCmds mls mls deny +%modulesList mls +%nonBaseModulesList mls %endif %if %{BUILD_MINIMUM} -# Build minimum policy %makeCmds minimum mcs allow %makeModulesConf targeted base contrib %installCmds minimum mcs allow 
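Review bot: The why-comments on the non-obvious install steps are dropped along with the reorder: `# install permissivedomains.cil` and `# recreate sandbox.pp` vanish here, and `# remove leftovers when save-previous=true (semanage.conf) is used` vanishes in the next hunk (`@@ -454,20 +415,22 @@`), while the `semodule -p ... -i %{SOURCE28}` and `rm -rf .../modules/100/sandbox` lines they explained are re-added there without them. Those lines are not self-explanatory, so the comments should be restored above the corresponding `+` lines in the moved targeted block. The build order also changes from targeted/minimum/mls to mls/minimum/targeted; if that is intentional (minimum still reuses `modules-targeted-base.conf`), a one-line comment above `%if %{BUILD_MLS}` saying why would save the next reader from wondering whether the sequence matters.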
@@ -454,20 +415,22 @@ rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox %nonBaseModulesList minimum %endif -%if %{BUILD_MLS} -# Build mls policy -%makeCmds mls mls deny -%makeModulesConf mls base contrib -%installCmds mls mls deny -%modulesList mls -%nonBaseModulesList mls +%if %{BUILD_TARGETED} +%makeCmds targeted mcs allow +%makeModulesConf targeted base contrib +%installCmds targeted mcs allow +%{_sbindir}/semodule -p %{buildroot} -X 100 -s targeted -i %{SOURCE28} +rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox +%make_build %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs sandbox.pp +mv sandbox.pp %{buildroot}%{_datadir}/selinux/packages/sandbox.pp +%modulesList targeted +%nonBaseModulesList targeted %endif -# remove leftovers when save-previous=true (semanage.conf) is used rm -rf %{buildroot}%{_sharedstatedir}/selinux/{minimum,targeted,mls}/previous mkdir -p %{buildroot}%{_mandir} -cp -R man/* %{buildroot}%{_mandir} +cp -R man/* %{buildroot}%{_mandir} make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-docs make %common_params UNK_PERMS=allow NAME=targeted TYPE=mcs DESTDIR=%{buildroot} PKGNAME=%{name} install-headers mkdir %{buildroot}%{_datadir}/selinux/devel/ 
@@ -481,9 +444,9 @@ mv %{buildroot}%{_datadir}/man/man8/*.html %{buildroot}%{_datadir}/selinux/devel
 mv %{buildroot}%{_datadir}/man/man8/style.css %{buildroot}%{_datadir}/selinux/devel/html
 mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
-install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
-sed -i 's/SELINUXPOLICYVERSION/%{version}-%{release}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
-sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy
+install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.%{name}
+sed -i 's/SELINUXpolicy_versionSION/%{version}-%{release}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.%{name}
+sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.%{name}
 mkdir -p %{buildroot}%{_unitdir}
 install -m 644 %{SOURCE36} %{buildroot}%{_unitdir}
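Review bot: The placeholder in the first `sed` on the new side, `SELINUXpolicy_versionSION`, no longer matches what the old line substituted (`SELINUXPOLICYVERSION`); it looks like the spec-wide rename of `POLICYVER` to `policy_version` was applied inside this literal. Unless `%{SOURCE102}` (rpm.macros) was changed to carry the new token, the substitution is a no-op and the installed `macros.%{name}` keeps the raw placeholder where the policy version should be, so any package relying on that macro gets a bogus value. Restore the literal: `sed -i 's/SELINUXPOLICYVERSION/%{version}-%{release}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.%{name}`.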
@@ -496,40 +459,37 @@ rm -rf selinux_config %systemd_post selinux-check-proper-disable.service if [ ! -s %{_sysconfdir}/selinux/config ]; then -# -# New install so we will default to targeted policy -# echo " # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: -# enforcing - SELinux security policy is enforced. -# permissive - SELinux prints warnings instead of enforcing. -# disabled - No SELinux policy is loaded. +# enforcing - SELinux security policy is enforced. +# permissive - SELinux prints warnings instead of enforcing. +# disabled - No SELinux policy is loaded. # NOTE: If you need a system with SELinux # fully disabled instead of SELinux running with no policy loaded, you # need to pass selinux=0 to the kernel command line. You can use grubby # to persistently set the bootloader to boot with selinux=0: # -# grubby --update-kernel ALL --args selinux=0 +# grubby --update-kernel ALL --args selinux=0 # # To revert back to SELinux enabled: # -# grubby --update-kernel ALL --remove-args selinux +# grubby --update-kernel ALL --remove-args selinux # SELINUX=enforcing # SELINUXTYPE= can take one of these three values: -# targeted - Targeted processes are protected, -# minimum - Modification of targeted policy. Only selected processes are protected. -# mls - Multi Level Security protection. +# targeted - Targeted processes are protected, +# minimum - Modification of targeted policy. Only selected processes are protected. +# mls - Multi Level Security protection. SELINUXTYPE=targeted " > %{_sysconfdir}/selinux/config - ln -sf ../selinux/config %{_sysconfdir}/sysconfig/selinux - %{_sbindir}/restorecon %{_sysconfdir}/selinux/config 2> /dev/null || : + ln -sf ../selinux/config %{_sysconfdir}/sysconfig/selinux + %{_sbindir}/restorecon %{_sysconfdir}/selinux/config 2> /dev/null || : else - . %{_sysconfdir}/selinux/config + . %{_sysconfdir}/selinux/config fi exit 0 
@@ -539,111 +499,26 @@ exit 0 %postun %systemd_postun selinux-check-proper-disable.service if [ $1 = 0 ]; then - %{_sbindir}/setenforce 0 2> /dev/null - if [ ! -s %{_sysconfdir}/selinux/config ]; then - echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config - else - sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config - fi -fi -exit 0 - -%if %{BUILD_TARGETED} -%package targeted -Summary: SELinux targeted policy -Provides: selinux-policy-any = %{version}-%{release} -Obsoletes: selinux-policy-targeted-sources < 2 -Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} -Requires(pre): coreutils -Requires(pre): selinux-policy = %{version}-%{release} -Requires: selinux-policy = %{version}-%{release} -Conflicts: audispd-plugins <= 1.7.7-1 -Obsoletes: mod_fcgid-selinux <= %{version}-%{release} -Obsoletes: cachefilesd-selinux <= 0.10-1 -Conflicts: seedit -Conflicts: 389-ds-base < 1.2.7, 389-admin < 1.1.12 -Conflicts: container-selinux < 2:1.12.1-22 - -%description targeted -SELinux targeted policy package. - -%pretrans targeted -p -%backupConfigLua - -%pre targeted -%preInstall targeted - -%post targeted -%checkConfigConsistency targeted -%postInstall $1 targeted -exit 0 - -%posttrans targeted -%checkConfigConsistency targeted -%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm - -%postun targeted -if [ $1 = 0 ]; then - if [ -s %{_sysconfdir}/selinux/config ]; then - source %{_sysconfdir}/selinux/config &> /dev/null || true - fi - if [ "$SELINUXTYPE" = "targeted" ]; then - %{_sbindir}/setenforce 0 2> /dev/null - if [ ! -s %{_sysconfdir}/selinux/config ]; then - echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config - else - sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config - fi - fi + %{_sbindir}/setenforce 0 2> /dev/null + if [ ! 
-s %{_sysconfdir}/selinux/config ]; then + echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config + else + sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config + fi fi exit 0 -%triggerin -- pcre2 -%{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB -exit 0 - -%triggerpostun -- selinux-policy-targeted < 3.12.1-74 -rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null -exit 0 - -%triggerpostun targeted -- selinux-policy-targeted < 3.13.1-138 -CR=$'\n' -INPUT="" -for i in `find %{_sysconfdir}/selinux/targeted/modules/active/modules/ -name \*disabled`; do - module=`basename $i | sed 's/.pp.disabled//'` - if [ -d %{_sharedstatedir}/selinux/targeted/active/modules/100/$module ]; then - touch %{_sharedstatedir}/selinux/targeted/active/modules/disabled/$p - fi -done -for i in `find %{_sysconfdir}/selinux/targeted/modules/active/modules/ -name \*.pp`; do - INPUT="${INPUT}${CR}module -N -a $i" -done -for i in $(find %{_sysconfdir}/selinux/targeted/modules/active -name \*.local); do - cp $i %{_sharedstatedir}/selinux/targeted/active -done -echo "$INPUT" | %{_sbindir}/semanage import -S targeted -N -if %{_sbindir}/selinuxenabled ; then - %{_sbindir}/load_policy -fi -exit 0 - -%files targeted -f %{buildroot}%{_datadir}/selinux/targeted/nonbasemodules.lst -%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u -%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u -%fileList targeted -%verify(not md5 size mtime) %{_sharedstatedir}/selinux/targeted/active/modules/100/permissivedomains -%endif %if %{BUILD_MINIMUM} %package minimum Summary: SELinux minimum policy -Provides: selinux-policy-any = %{version}-%{release} -Requires(post): policycoreutils-python-utils >= %{POLICYCOREUTILSVER} +Provides: %{name}-any = %{version}-%{release} +Requires(post): policycoreutils-python-utils >= %{policy_coreutils_version} Requires(pre): coreutils -Requires(pre): selinux-policy = 
%{version}-%{release} -Requires: selinux-policy = %{version}-%{release} -Conflicts: seedit +Requires(pre): %{name} = %{version}-%{release} +Requires: %{name} = %{version}-%{release} +Conflicts: seedit Conflicts: container-selinux <= 1.9.0-9 %description minimum @@ -655,7 +530,7 @@ SELinux minimum policy package. %pre minimum %preInstall minimum if [ $1 -ne 1 ]; then - %{_sbindir}/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > %{_datadir}/selinux/minimum/instmodules.lst + %{_sbindir}/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > %{_datadir}/selinux/minimum/instmodules.lst fi %post minimum 
@@ -663,28 +538,28 @@ fi contribpackages=`cat %{_datadir}/selinux/minimum/modules-contrib.lst` basepackages=`cat %{_datadir}/selinux/minimum/modules-base.lst` if [ ! -d %{_sharedstatedir}/selinux/minimum/active/modules/disabled ]; then - mkdir %{_sharedstatedir}/selinux/minimum/active/modules/disabled + mkdir %{_sharedstatedir}/selinux/minimum/active/modules/disabled fi if [ $1 -eq 1 ]; then for p in $contribpackages; do - touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p + touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p done for p in $basepackages apache dbus inetd kerberos mta nis; do - rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p + rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p done %{_sbindir}/semanage import -S minimum -f - << __eof -login -m -s unconfined_u -r s0-s0:c0.c1023 __default__ -login -m -s unconfined_u -r s0-s0:c0.c1023 root +login -m -s unconfined_u -r s0-s0:c0.c1023 __default__ +login -m -s unconfined_u -r s0-s0:c0.c1023 root __eof %{_sbindir}/restorecon -R /root /var/log /var/run 2> /dev/null %{_sbindir}/semodule -B -s minimum else instpackages=`cat %{_datadir}/selinux/minimum/instmodules.lst` for p in $contribpackages; do - touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p + touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p done for p in $instpackages apache dbus inetd kerberos mta nis; do - rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p + rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p done %{_sbindir}/semodule -B -s minimum %relabel minimum 
@@ -697,38 +572,38 @@ exit 0 %postun minimum if [ $1 = 0 ]; then - if [ -s %{_sysconfdir}/selinux/config ]; then - source %{_sysconfdir}/selinux/config &> /dev/null || true - fi - if [ "$SELINUXTYPE" = "minimum" ]; then - %{_sbindir}/setenforce 0 2> /dev/null - if [ ! -s %{_sysconfdir}/selinux/config ]; then - echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config - else - sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config - fi - fi + if [ -s %{_sysconfdir}/selinux/config ]; then + source %{_sysconfdir}/selinux/config &> /dev/null || true + fi + if [ "$SELINUXTYPE" = "minimum" ]; then + %{_sbindir}/setenforce 0 2> /dev/null + if [ ! -s %{_sysconfdir}/selinux/config ]; then + echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config + else + sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config + fi + fi fi exit 0 -%triggerpostun minimum -- selinux-policy-minimum < 3.13.1-138 +%triggerpostun minimum -- %{name}-minimum < 3.13.1-138 if [ `ls -A %{_sharedstatedir}/selinux/minimum/active/modules/disabled/` ]; then - rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/* + rm -f %{_sharedstatedir}/selinux/minimum/active/modules/disabled/* fi CR=$'\n' INPUT="" for i in `find %{_sysconfdir}/selinux/minimum/modules/active/modules/ -name \*disabled`; do - module=`basename $i | sed 's/.pp.disabled//'` - if [ -d %{_sharedstatedir}/selinux/minimum/active/modules/100/$module ]; then - touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p - fi + module=`basename $i | sed 's/.pp.disabled//'` + if [ -d %{_sharedstatedir}/selinux/minimum/active/modules/100/$module ]; then + touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$p + fi done for i in `find %{_sysconfdir}/selinux/minimum/modules/active/modules/ -name \*.pp`; do - INPUT="${INPUT}${CR}module -N -a $i" + INPUT="${INPUT}${CR}module -N -a $i" done echo "$INPUT" | %{_sbindir}/semanage import -S minimum -N if %{_sbindir}/selinuxenabled ; then - 
%{_sbindir}/load_policy + %{_sbindir}/load_policy fi exit 0 @@ -741,14 +616,14 @@ exit 0 %if %{BUILD_MLS} %package mls Summary: SELinux MLS policy -Provides: selinux-policy-any = %{version}-%{release} -Obsoletes: selinux-policy-mls-sources < 2 -Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd -Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} +Provides: %{name}-any = %{version}-%{release} +Obsoletes: %{name}-mls-sources < 2 +Requires: policycoreutils-newrole >= %{policy_coreutils_version} setransd +Requires(pre): policycoreutils >= %{policy_coreutils_version} Requires(pre): coreutils -Requires(pre): selinux-policy = %{version}-%{release} -Requires: selinux-policy = %{version}-%{release} -Conflicts: seedit +Requires(pre): %{name} = %{version}-%{release} +Requires: %{name} = %{version}-%{release} +Conflicts: seedit Conflicts: container-selinux <= 1.9.0-9 %description mls 
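Review bot: In the `%triggerpostun minimum` loop, the re-indented `touch ... /modules/disabled/$p` line uses `$p`, which appears never to be assigned in this scriptlet, while the basename just computed is stored in `module` and is what the `-d` test on the line above checks; with `$p` empty the command touches the `disabled/` directory itself instead of creating the marker for that module. The same pattern is re-touched in the mls trigger (`@@ -771,35 +646,35 @@`) and the moved targeted trigger (`@@ -809,6 +684,90 @@`). Since the commit rewrites these lines anyway, it is the right moment to fix them: `touch %{_sharedstatedir}/selinux/minimum/active/modules/disabled/$module`, and the mls/targeted equivalents.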
@@ -771,35 +646,35 @@ exit 0 %postun mls if [ $1 = 0 ]; then - if [ -s %{_sysconfdir}/selinux/config ]; then - source %{_sysconfdir}/selinux/config &> /dev/null || true - fi - if [ "$SELINUXTYPE" = "mls" ]; then - %{_sbindir}/setenforce 0 2> /dev/null - if [ ! -s %{_sysconfdir}/selinux/config ]; then - echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config - else - sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config - fi - fi + if [ -s %{_sysconfdir}/selinux/config ]; then + source %{_sysconfdir}/selinux/config &> /dev/null || true + fi + if [ "$SELINUXTYPE" = "mls" ]; then + %{_sbindir}/setenforce 0 2> /dev/null + if [ ! -s %{_sysconfdir}/selinux/config ]; then + echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config + else + sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config + fi + fi fi exit 0 -%triggerpostun mls -- selinux-policy-mls < 3.13.1-138 +%triggerpostun mls -- %{name}-mls < 3.13.1-138 CR=$'\n' INPUT="" for i in `find %{_sysconfdir}/selinux/mls/modules/active/modules/ -name \*disabled`; do - module=`basename $i | sed 's/.pp.disabled//'` - if [ -d %{_sharedstatedir}/selinux/mls/active/modules/100/$module ]; then - touch %{_sharedstatedir}/selinux/mls/active/modules/disabled/$p - fi + module=`basename $i | sed 's/.pp.disabled//'` + if [ -d %{_sharedstatedir}/selinux/mls/active/modules/100/$module ]; then + touch %{_sharedstatedir}/selinux/mls/active/modules/disabled/$p + fi done for i in `find %{_sysconfdir}/selinux/mls/modules/active/modules/ -name \*.pp`; do - INPUT="${INPUT}${CR}module -N -a $i" + INPUT="${INPUT}${CR}module -N -a $i" done echo "$INPUT" | %{_sbindir}/semanage import -S mls -N if %{_sbindir}/selinuxenabled ; then - %{_sbindir}/load_policy + %{_sbindir}/load_policy fi exit 0 
@@ -809,6 +684,90 @@ exit 0 %fileList mls %endif +%if %{BUILD_TARGETED} +%package targeted +Conflicts: container-selinux < 2:1.12.1-22 +Conflicts: 389-ds-base < 1.2.7, 389-admin < 1.1.12 +Conflicts: seedit cachefilesd-selinux <= 0.10-1 +Obsoletes: mod_fcgid-selinux <= %{version}-%{release} +Conflicts: audispd-plugins <= 1.7.7-1 +Requires: %{name} = %{version}-%{release} +Requires(pre): %{name} = %{version}-%{release} coreutils +Requires(pre): policycoreutils >= %{policy_coreutils_version} +Obsoletes: %{name}-targeted-sources < 2 +Provides: %{name}-any = %{version}-%{release} +Summary: SELinux targeted policy + +%description targeted +SELinux targeted policy package. + +%pretrans targeted -p +%backupConfigLua + +%pre targeted +%preInstall targeted + +%post targeted +%checkConfigConsistency targeted +%postInstall $1 targeted +exit 0 + +%posttrans targeted +%checkConfigConsistency targeted +%{_sbindir}/restorecon -Ri /usr/lib/sysimage/rpm /var/lib/rpm + +%postun targeted +if [ $1 = 0 ]; then + if [ -s %{_sysconfdir}/selinux/config ]; then + source %{_sysconfdir}/selinux/config &> /dev/null || true + fi + if [ "$SELINUXTYPE" = "targeted" ]; then + %{_sbindir}/setenforce 0 2> /dev/null + if [ ! 
-s %{_sysconfdir}/selinux/config ]; then + echo "SELINUX=disabled" > %{_sysconfdir}/selinux/config + else + sed -i 's/^SELINUX=.*/SELINUX=disabled/g' %{_sysconfdir}/selinux/config + fi + fi +fi +exit 0 + +%triggerin -- pcre2 +%{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB +exit 0 + +%triggerpostun -- %{name}-targeted < 3.12.1-74 +rm -f %{_sysconfdir}/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null +exit 0 + +%triggerpostun targeted -- %{name}-targeted < 3.13.1-138 +CR=$'\n' +INPUT="" +for i in `find %{_sysconfdir}/selinux/targeted/modules/active/modules/ -name \*disabled`; do + module=`basename $i | sed 's/.pp.disabled//'` + if [ -d %{_sharedstatedir}/selinux/targeted/active/modules/100/$module ]; then + touch %{_sharedstatedir}/selinux/targeted/active/modules/disabled/$p + fi +done +for i in `find %{_sysconfdir}/selinux/targeted/modules/active/modules/ -name \*.pp`; do + INPUT="${INPUT}${CR}module -N -a $i" +done +for i in $(find %{_sysconfdir}/selinux/targeted/modules/active -name \*.local); do + cp $i %{_sharedstatedir}/selinux/targeted/active +done +echo "$INPUT" | %{_sbindir}/semanage import -S targeted -N +if %{_sbindir}/selinuxenabled ; then + %{_sbindir}/load_policy +fi +exit 0 + +%files targeted -f %{buildroot}%{_datadir}/selinux/targeted/nonbasemodules.lst +%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u +%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u +%fileList targeted +%verify(not md5 size mtime) %{_sharedstatedir}/selinux/targeted/active/modules/100/permissivedomains +%endif + %files doc %{_mandir}/man*/* %{_mandir}/ru/*/* @@ -816,6 +775,9 @@ exit 0 %changelog +* Sat Apr 15 2023 Zhongling He 37.18-2 +- refactor rpm spec + * Tue Jan 31 2023 Guyu Wang - 37.18-1 - Update to 37.18 -- Gitee
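Review bot: `cachefilesd-selinux <= 0.10-1` changes from `Obsoletes:` (removed line `-Obsoletes: cachefilesd-selinux <= 0.10-1` in `@@ -539,111 +499,26 @@`) to `Conflicts:` in the merged `+Conflicts: seedit cachefilesd-selinux <= 0.10-1`, which is a behavioural change hidden inside a move: an Obsoletes lets the upgrade replace the old package, a Conflicts makes the transaction fail on systems that still have it installed. Split it back out as `Conflicts: seedit` and `Obsoletes: cachefilesd-selinux <= 0.10-1` unless the change is intended, in which case it deserves its own changelog line. Packing unrelated relations onto one line, as `Requires(pre): %{name} = %{version}-%{release} coreutils` also does, is accepted by rpm but hides exactly this kind of edit in review; one relation per line, as the rest of the spec does, is easier to diff.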