commit: 6c782ad7479b4e661a8c0616f7f3bff17d04b1b0 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Wed Aug 3 08:28:32 2011 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Wed Aug 3 08:28:32 2011 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=6c782ad7 |
|
Adding updated selinux-policy-2 eclass |
|
--- |
eclass/selinux-policy-2.eclass | 195 ++++++++++++++++++++++++++++++++++++++++ |
1 files changed, 195 insertions(+), 0 deletions(-) |
|
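diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
new file mode 100644
index 0000000..3c42633
--- /dev/null
+++ b/eclass/selinux-policy-2.eclass
@@ -0,0 +1,195 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/eclass/selinux-policy-2.eclass,v 1.6 2011/05/20 19:06:07 blueness Exp $
+
+# Eclass for installing SELinux policy, and optionally
+# reloading the reference-policy based modules.
+
+# @ECLASS: selinux-policy-2.eclass
+# @MAINTAINER:
+# selinux@g.o
+# @BLURB: This eclass supports the deployment of the various SELinux modules in sec-policy
+# @DESCRIPTION:
+# The selinux-policy-2.eclass supports deployment of the various SELinux modules
+# defined in the sec-policy category. It is responsible for extracting the
+# specific bits necessary for single-module deployment (instead of full-blown
+# policy rebuilds) and applying the necessary patches.
+#
+# Also, it supports for bundling patches to make the whole thing just a bit more
+# manageable.
+
+# @ECLASS-VARIABLE: MODS
+# @DESCRIPTION:
+# This variable contains the (upstream) module name for the SELinux module.
+# This name is only the module name, not the category!
+: ${MODS:="_illegal"}
+
+# @ECLASS-VARIABLE: BASEPOL
+# @DESCRIPTION:
+# This variable contains the version string of the selinux-base-policy package
+# that this module build depends on. It is used to patch with the appropriate
+# patch bundle(s) that are part of selinux-base-policy.
+: ${BASEPOL:="0"}
+
+# @ECLASS-VARIABLE: POLICY_PATCH
+# @DESCRIPTION:
+# This variable contains the additional patch(es) that need to be applied on top
+# of the patchset already contained within the BASEPOL variable.
+: ${POLICY_PATCH:=""}
+
+# @ECLASS-VARIABLE: POLICY_TYPES
+# @DESCRIPTION:
+# This variable informs the eclass for which SELinux policies the module should
+# be built. Currently, Gentoo supports targeted, strict, mcs and mls.
+# This variable is the same POLICY_TYPES variable that we tell SELinux
+# users to set in /etc/make.conf. Therefor, it is not the module that should
+# override it, but the user.
+: ${POLICY_TYPES:="targeted strict mcs mls"}
+
+inherit eutils
+
+IUSE=""
+
+HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
+if [[ "${BASEPOL}" == "0" ]];
+then
+ SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2"
+else
+ SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2
+ http://dev.gentoo.org/~blueness/patchbundle-selinux-base-policy/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
+fi
+
+LICENSE="GPL-2"
+SLOT="0"
+S="${WORKDIR}/"
+PATCHBUNDLE="${DISTDIR}/patchbundle-selinux-base-policy-${BASEPOL}.tar.bz2"
+
+# Modules should always depend on at least the first release of the
+# selinux-base-policy for which they are generated.
+if [[ "${BASEPOL}" == "0" ]];
+then
+ RDEPEND=">=sys-apps/policycoreutils-2.0.82
+ >=sec-policy/selinux-base-policy-${PV}"
+else
+ RDEPEND=">=sys-apps/policycoreutils-2.0.82
+ >=sec-policy/selinux-base-policy-${BASEPOL}"
+fi
+DEPEND="${RDEPEND}
+ sys-devel/m4
+ >=sys-apps/checkpolicy-2.0.21"
+
+SELINUX_EXPF="src_unpack src_compile src_install pkg_postinst"
+case "${EAPI:-0}" in
+ 2|3|4) SELINUX_EXPF+=" src_prepare" ;;
+ *) ;;
+esac
+
+EXPORT_FUNCTIONS ${SELINUX_EXPF}
+
+# @FUNCTION: selinux-policy-2_src_unpack
+# @DESCRIPTION:
+# Unpack the policy sources as offered by upstream (refpolicy). In case of EAPI
+# older than 2, call src_prepare too.
+selinux-policy-2_src_unpack() {
+ unpack ${A}
+
+ if [[ ${EAPI:-0} -le 1 ]];
+ then
+ # Call src_prepare explicitly for EAPI 0 or 1
+ selinux-policy-2_src_prepare
+ fi
+}
+
+# @FUNCTION: selinux-policy-2_src_prepare
+# @DESCRIPTION:
+# Patch the reference policy sources with our set of enhancements. Start with
+# the base patchbundle referred to by the ebuilds through the BASEPOL variable,
+# then apply the additional patches as offered by the ebuild.
+#
+# Next, extract only those files needed for this particular module (i.e. the .te
+# and .fc files for the given module in the MODS variable).
+#
+# Finally, prepare the build environments for each of the supported SELinux
+# types (such as targeted or strict), depending on the POLICY_TYPES variable
+# content.
+selinux-policy-2_src_prepare() {
+ local modfiles
+
+ # Patch the sources with the base patchbundle
+ if [[ "${BASEPOL}" != "0" ]];
+ then
+ cd "${S}"
+ epatch "${PATCHBUNDLE}"
+ fi
+
+ # Apply the additional patches refered to by the module ebuild
+ if [ -n "${POLICY_PATCH}" ];
+ then
+ for POLPATCH in "${POLICY_PATCH}";
+ do
+ cd "${S}/refpolicy/policy/modules"
+ # Although epatch dies in EAPI=4 by itself, we support other EAPIs
+ # too for the time being, so we explicitly die on it.
+ epatch "${POLPATCH}" || die "Failed to apply patch ${POLPATCH}"
+ done
+ fi
+
+ # Collect only those files needed for this particular module
+ for i in ${MODS}; do
+ modfiles="`find ${S}/refpolicy/policy/modules -iname $i.te` $modfiles"
+ modfiles="`find ${S}/refpolicy/policy/modules -iname $i.fc` $modfiles"
+ done
+
+ for i in ${POLICY_TYPES}; do
+ mkdir "${S}"/${i}
+ cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile
+
+ cp ${modfiles} "${S}"/${i}
+ done
+}
+
+# @FUNCTION: selinux-policy-2_src_compile
+# @DESCRIPTION:
+# Build the SELinux policy module (.pp file) for just the selected module, and
+# this for each SELinux policy mentioned in POLICY_TYPES
+selinux-policy-2_src_compile() {
+ for i in ${POLICY_TYPES}; do
+ make NAME=$i -C "${S}"/${i} || die "${i} compile failed"
+ done
+}
+
+# @FUNCTION: selinux-policy-2_src_install
+# @DESCRIPTION:
+# Install the built .pp files in the correct subdirectory within
+# /usr/share/selinux.
+selinux-policy-2_src_install() {
+ local BASEDIR="/usr/share/selinux"
+
+ for i in ${POLICY_TYPES}; do
+ for j in ${MODS}; do
+ echo "Installing ${i} ${j} policy package"
+ insinto ${BASEDIR}/${i}
+ doins "${S}"/${i}/${j}.pp
+ done
+ done
+}
+
+# @FUNCTION: selinux-policy-2_pkg_postinst
+# @DESCRIPTION:
+# Install the built .pp files in the SELinux policy stores, effectively
+# activating the policy on the system.
+selinux-policy-2_pkg_postinst() {
+ # build up the command in the case of multiple modules
+ local COMMAND
+ for i in ${MODS}; do
+ COMMAND="-i ${i}.pp ${COMMAND}"
+ done
+
+ for i in ${POLICY_TYPES}; do
+ einfo "Inserting the following modules into the $i module store: ${MODS}"
+
+ cd /usr/share/selinux/${i}
+ semodule -s ${i} ${COMMAND} || die "Failed to load in modules ${MODS} in the $i policy store"
+ done
+}
+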
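Review bot: `for POLPATCH in "${POLICY_PATCH}"` in selinux-policy-2_src_prepare iterates exactly once over the whole quoted string, so a POLICY_PATCH holding several space-separated patches is handed to epatch as a single path, contradicting the "patch(es)" wording of the variable's @DESCRIPTION; either drop the quotes, `for POLPATCH in ${POLICY_PATCH}; do`, or document that only one patch is supported. The `cd` calls in the same function and in pkg_postinst (`cd "${S}"`, `cd "${S}/refpolicy/policy/modules"`, `cd /usr/share/selinux/${i}`) are unchecked, and since the eclass deliberately supports EAPIs where a failing command does not abort, a failed `cd` lets epatch, find and `semodule -i ${i}.pp` resolve their relative paths against the wrong directory; `|| die` belongs on each of them, and likewise on the `mkdir`/`cp` lines in the POLICY_TYPES loop. The `find ... -iname $i.te` result is never checked, so a misspelled MODS value leaves modfiles empty and the module silently ends up with no .te/.fc before `make` fails with a less useful error; an `[[ -n "${modfiles}" ]] || die "no sources found for ${MODS}"` after the loop would report it at the right place. pkg_postinst also runs semodule regardless of `${ROOT}`, which presumably modifies the build host's policy store when installing into another root — worth guarding with a `[[ "${ROOT}" == "/" ]]` check or at least a comment stating that assumption.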