Hi *

To allow for more manageable patching on our selinux policies (since Matthew
will bombard me anyhow with things to fix ;-) and not to clutter the files/
directory in the Portage tree, I've been meaning to update the
selinux-policy-2 eclass to support reusing the patchbundles offered by the
selinux-base-policy releases. The result can currently be seen at
http://bit.ly/owGhAs but, unless people object, I'll be pushing this eclass
to the hardened-dev overlay tomorrow (in an eclass/ directory) without
changing the eclass name ("bumping") since it doesn't change anything for
existing ebuilds.

The changes made to the eclass are:
- support for the BASEPOL version (reuse of patch bundles)
- (fix) apply patches before copying sources
- add the necessary eclass documentation comments
- define the eclass variables (including POLICY_TYPES)
- support higher-level EAPIs (0 - 4 currently)

Below is more information about these changes for those interested.

This change is part of a larger change coming up, namely to update the
SELinux policy packages to 2.20110726. Since I'll make these be EAPI=4, this
eclass update is a prerequisite.

Wkr,
Sven Vermeulen

Support for the BASEPOL version (reuse of patch bundles)
========================================================

We introduce a new eclass variable called BASEPOL which can be used by an
ebuild to declare that the module depends on a particular
selinux-base-policy as well as needs to be patched with the patches in the
patchbundle (that is available with the selinux-base-policy).

If BASEPOL isn't set, the old behaviour is kept (i.e. not applying the
patchbundle). Also, the POLICY_PATCH variable is still used, so no changes
there. The main difference is that, if BASEPOL is used, then the
POLICY_PATCH provided patches need to be relative to this BASEPOL version
(and not the main upstream version).

An example:
  MODS="gpg"
  BASEPOL="2.20110726-r1"

  inherit selinux-policy-2

Previously, we had to do something like this:
  MODS="gpg"
  DEPEND=">=sec-policy/selinux-base-policy-2.20110726-r1"
  POLICY_PATCH="${FILESDIR}/fix-apps-gpg-r1.patch"

  inherit selinux-policy-2

where the fix in POLICY_PATCH was still available in the patchbundle as
well. This led to duplicate patch management efforts and increased the
number of files we had in our various "files/" locations.


(Fix) Apply patches before copying sources
==========================================

In our current selinux-policy-2 eclass, we copy the reference policy sources
to several source directories, labeled after their target policy (targeted,
strict, mcs, mls), after which we apply the (same) patches to each source
directory. This we can of course optimize, so the new eclass patches the
sources before copying them to the respective source directories.

Add the necessary eclass documentation comments
===============================================

Gentoo requires that the eclasses are properly documented using specific
tags in the eclass comments, allowing for automated eclass documentation
generation. An example of such an automatically generated document can be
found at http://devmanual.gentoo.org/eclass-reference/mysql.eclass/index.html

For the selinux-policy-2 eclass, no such document exists yet since our
eclass wasn't properly documented. The new eclass contains the proper
documentation tags.


Define the eclass variables (including POLICY_TYPES)
====================================================

Part of the eclass documentation effort is to streamline the variable
declarations. One variable that we currently use is POLICY_TYPES, where we
did many of the following calls:
  [ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="strict targeted mls mcs"

By declaring the variables with a default fallback value, all these calls
aren't necessary anymore.


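As an added illustration of the BASEPOL handling, the patch-then-copy fix and the POLICY_TYPES default described above (constructed example, not the eclass's own code; the function names are hypothetical), it assumes an exact-version dependency atom is derived from BASEPOL and that the patchbundle is a directory of *.patch files:

```shell
#!/bin/sh
# Constructed example: POLICY_TYPES default, DEPEND derived from BASEPOL,
# and patching the sources once before copying them per policy type.
# The function names are hypothetical, not the selinux-policy-2 eclass's own.

# Default fallback, so ebuilds no longer need the
# '[ -z "${POLICY_TYPES}" ] && local POLICY_TYPES=...' idiom.
: "${POLICY_TYPES:=strict targeted mls mcs}"

# Assumption: an exact-version atom, since POLICY_PATCH is relative to BASEPOL.
# Prints nothing when BASEPOL is unset (old behaviour: the ebuild sets DEPEND).
basepol_depend() {
    [ -n "${BASEPOL}" ] || return 0
    echo "=sec-policy/selinux-base-policy-${BASEPOL}"
}

# Ordered patch list: the patchbundle (directory of *.patch files, only when
# BASEPOL is set) comes first, then the ebuild's own POLICY_PATCH.
policy_patch_list() {
    if [ -n "${BASEPOL}" ] && [ -d "$1" ]; then
        for p in "$1"/*.patch; do
            [ -f "${p}" ] && echo "${p}"
        done
    fi
    [ -z "${POLICY_PATCH}" ] || echo "${POLICY_PATCH}"
}

# Applies one patch to a source tree; redefine it for a dry run.
apply_patch() { patch -d "$1" -p1 < "$2" > /dev/null; }

# Patch the reference policy once, then copy it into one directory per
# policy type (the old eclass copied first and patched every copy).
prepare_policy_sources() {
    src="$1" bundle="$2" out="$3"
    policy_patch_list "${bundle}" | while read -r p; do
        apply_patch "${src}" "${p}"
    done
    for ptype in ${POLICY_TYPES}; do
        rm -rf "${out}/${ptype}" && cp -r "${src}" "${out}/${ptype}"
    done
}
```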
Support higher-level EAPIs (0 - 4 currently)
============================================

Higher level EAPIs (more than 1 ;-) introduce specific phase functions to
streamline the build process (src_prepare & src_configure). The new eclass
update supports these, but if the EAPI isn't sufficiently high, the old
behaviour is retained (for instance, src_unpack then calls src_prepare
itself).

This also allows for sec-policy/* to be fully EAPI=4 defined, which will be
the case for the 2.20110726 version(s) of the policies.