| 1 |
Hi * |
| 2 |
|
| 3 |
To allow for more manageable patching on our selinux policies (since Matthew |
| 4 |
will bombard me anyhow with things to fix ;-) and not to clutter the files/ |
| 5 |
directory in the Portage tree, I've been meaning to update the |
| 6 |
selinux-policy-2 eclass to support reusing the patchbundles offered by the |
| 7 |
selinux-base-policy releases. The result can currently be seen at |
| 8 |
http://bit.ly/owGhAs but, unless people object, I'll be pushing this eclass |
| 9 |
to the hardened-dev overlay tomorrow (in an eclass/ directory) without |
| 10 |
changing the eclass name ("bumping") since it doesn't change anything for |
| 11 |
existing ebuilds. |
| 12 |
|
| 13 |
The changes made to the eclass are: |
| 14 |
- support for the BASEPOL version (reuse of patch bundles) |
| 15 |
- (fix) apply patches before copying sources |
| 16 |
- add the necessary eclass documentation comments |
| 17 |
- define the eclass variables (including POLICY_TYPES) |
| 18 |
- support higher-level EAPIs (0 - 4 currently) |
| 19 |
|
| 20 |
Below more information about these changes for those interested. |
| 21 |
|
| 22 |
This change is part of a larger change coming up, namely to update the |
| 23 |
SELinux policy packages to 2.20110726. Since I'll make these be EAPI=4 this |
| 24 |
eclass update is a prerequisite. |
| 25 |
|
| 26 |
Wkr, |
| 27 |
Sven Vermeulen |
| 28 |
|
| 29 |
Support for the BASEPOL version (reuse of patch bundles) |
| 30 |
======================================================== |
| 31 |
|
| 32 |
We introduce a new eclass variable called BASEPOL which can be used by an |
| 33 |
ebuild to declare that the module depends on a particular |
| 34 |
selinux-base-policy as well as needs to be patched with the patches in the |
| 35 |
patchbundle (that is available with the selinux-base-policy). |
| 36 |
|
| 37 |
If BASEPOL isn't set, the old behaviour is kept (i.e. not applying the |
| 38 |
patchbundle). Also, the POLICY_PATCH variable is still used so no changes |
| 39 |
there. The main difference is that, if BASEPOL is used, then the |
| 40 |
POLICY_PATCH provided patches need to be relative to this BASEPOL version |
| 41 |
(and not the main upstream version). |
| 42 |
|
| 43 |
An example: |
| 44 |
MODS="gpg" |
| 45 |
BASEPOL="2.20110726-r1" |
| 46 |
|
| 47 |
inherit selinux-policy-2 |
| 48 |
|
| 49 |
Previously, we had to do something like this: |
| 50 |
MODS="gpg" |
| 51 |
DEPEND=">=sec-policy/selinux-base-policy-2.20110726-r1" |
| 52 |
POLICY_PATCH="${FILESDIR}/fix-apps-gpg-r1.patch" |
| 53 |
|
| 54 |
inherit selinux-policy-2 |
| 55 |
|
| 56 |
where the fix in POLICY_PATCH was still available in the patchbundle as |
| 57 |
well. This led to duplicate patch management efforts and increased the |
| 58 |
number of files we had in our various "files/" locations. |
| 59 |
|
| 60 |
|
| 61 |
(Fix) Apply patches before copying sources |
| 62 |
========================================== |
| 63 |
|
| 64 |
In our current selinux-policy-2 eclass, we copy the reference policy sources |
| 65 |
to several source directories, labeled after their target policy (targeted, |
| 66 |
strict, mcs, mls) after which we applied the (same) patches to each source |
| 67 |
directory. This we can of course optimize, so the new eclass patches the |
| 68 |
sources before copying them to the respective source directories. |
| 69 |
|
| 70 |
Add the necessary eclass documentation comments |
| 71 |
=============================================== |
| 72 |
|
| 73 |
Gentoo requires that the eclasses are properly documented using specific |
| 74 |
tags in the eclass comments, allowing for automated eclass documentation |
| 75 |
generation. An example of such automatically generated document can be found |
| 76 |
at http://devmanual.gentoo.org/eclass-reference/mysql.eclass/index.html |
| 77 |
|
| 78 |
For the selinux-policy-2 eclass, no such document exists yet since our |
| 79 |
eclass wasn't properly documented. The new eclass contains the proper |
| 80 |
documentation tags. |
| 81 |
|
| 82 |
|
| 83 |
Define the eclass variables (including POLICY_TYPES) |
| 84 |
==================================================== |
| 85 |
|
| 86 |
Part of the eclass documentation effort is to streamline the variable |
| 87 |
declarations. One variable that we currently use is POLICY_TYPES, where we |
| 88 |
did many of the following calls: |
| 89 |
[ -z "${POLICY_TYPES} ] && local POLICY_TYPES="strict targeted mls mcs" |
| 90 |
|
| 91 |
By declaring the variables with a default fallback value, all these calls |
| 92 |
aren't necessary anymore. |
| 93 |
|
| 94 |
|
| 95 |
Support higher-level EAPIs (0 - 4 currently) |
| 96 |
============================================ |
| 97 |
|
| 98 |
Higher level EAPIs (more than 1 ;-) introduce specific phase functions to |
| 99 |
streamline the build process (src_prepare & src_configure). The new eclass |
| 100 |
update supports these, but if the EAPI isn't sufficiently high, the old |
| 101 |
behaviour is retained (for instance, src_unpack then calls src_prepare |
| 102 |
itself). |
| 103 |
|
| 104 |
This also allows for sec-policy/* to be fully EAPI=4 defined, which will be |
| 105 |
the case for the 2.20110726 version(s) of the policies. |
Archives