From c8603f841142ee4214e085d7f81f61a0aa4efccd Mon Sep 17 00:00:00 2001 From: Sven Vermeulen Date: Sat, 31 Mar 2012 12:29:43 +0000 Subject: Pushing out 2.20120215 SELinux policies (Portage version: 2.1.10.49/cvs/Linux x86_64) --- sec-policy/selinux-base/ChangeLog | 14 ++ sec-policy/selinux-base/files/config | 15 +++ sec-policy/selinux-base/metadata.xml | 14 ++ .../selinux-base/selinux-base-2.20120215-r6.ebuild | 144 +++++++++++++++++++++ 4 files changed, 187 insertions(+) create mode 100644 sec-policy/selinux-base/ChangeLog create mode 100644 sec-policy/selinux-base/files/config create mode 100644 sec-policy/selinux-base/metadata.xml create mode 100644 sec-policy/selinux-base/selinux-base-2.20120215-r6.ebuild (limited to 'sec-policy/selinux-base') diff --git a/sec-policy/selinux-base/ChangeLog b/sec-policy/selinux-base/ChangeLog new file mode 100644 index 000000000000..5c31c5a70747 --- /dev/null +++ b/sec-policy/selinux-base/ChangeLog @@ -0,0 +1,14 @@ +# ChangeLog for sec-policy/selinux-base +# Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2 +# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-base/ChangeLog,v 1.1 2012/03/31 12:29:14 swift Exp $ + + 31 Mar 2012; +selinux-base-2.20120215-r6.ebuild, + +files/config, +metadata.xml: + Bumping to 2.20120215 policies + +*selinux-base-2.20120215-r6 (31 Mar 2012) + + 31 Mar 2012; +selinux-base-2.20120215-r6.ebuild, + +files/config, +metadata.xml: + Initial base policy package (without additional modules) + diff --git a/sec-policy/selinux-base/files/config b/sec-policy/selinux-base/files/config new file mode 100644 index 000000000000..55933ea0e534 --- /dev/null +++ b/sec-policy/selinux-base/files/config @@ -0,0 +1,15 @@ +# This file controls the state of SELinux on the system on boot. + +# SELINUX can take one of these three values: +# enforcing - SELinux security policy is enforced. +# permissive - SELinux prints warnings instead of enforcing. +# disabled - No SELinux policy is loaded. +SELINUX=permissive + +# SELINUXTYPE can take one of these four values: +# targeted - Only targeted network daemons are protected. +# strict - Full SELinux protection. +# mls - Full SELinux protection with Multi-Level Security +# mcs - Full SELinux protection with Multi-Category Security +# (mls, but only one sensitivity level) +SELINUXTYPE=strict diff --git a/sec-policy/selinux-base/metadata.xml b/sec-policy/selinux-base/metadata.xml new file mode 100644 index 000000000000..393f3bb02965 --- /dev/null +++ b/sec-policy/selinux-base/metadata.xml @@ -0,0 +1,14 @@ + + + + selinux + + Gentoo SELinux base policy. This contains policy for a system at the end of system installation. + There is no extra policy in this package. + + + Enable the labeled networking peer permissions (SELinux policy capability). + Enable the open permissions for file object classes (SELinux policy capability). + Enable User Based Access Control (UBAC) in the SELinux policy + + diff --git a/sec-policy/selinux-base/selinux-base-2.20120215-r6.ebuild b/sec-policy/selinux-base/selinux-base-2.20120215-r6.ebuild new file mode 100644 index 000000000000..cd81e09767db --- /dev/null +++ b/sec-policy/selinux-base/selinux-base-2.20120215-r6.ebuild @@ -0,0 +1,144 @@ +# Copyright 1999-2012 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-base/selinux-base-2.20120215-r6.ebuild,v 1.1 2012/03/31 12:29:14 swift Exp $ + +EAPI="4" +IUSE="+peer_perms +open_perms +ubac doc" + +inherit eutils + +DESCRIPTION="Gentoo base policy for SELinux" +HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/" +SRC_URI="http://oss.tresys.com/files/refpolicy/refpolicy-${PV}.tar.bz2 + http://dev.gentoo.org/~swift/patches/selinux-base-policy/patchbundle-selinux-base-policy-${PVR}.tar.bz2" +LICENSE="GPL-2" +SLOT="0" + +KEYWORDS="~amd64 ~x86" + +RDEPEND=">=sys-apps/policycoreutils-2.1.10 + >=sys-fs/udev-151 + !<=sec-policy/selinux-base-policy-2.20120215" +DEPEND="${RDEPEND} + sys-devel/m4 + >=sys-apps/checkpolicy-2.1.8" + +S=${WORKDIR}/ + +src_prepare() { + # Apply the gentoo patches to the policy. These patches are only necessary + # for base policies, or for interface changes on modules. + EPATCH_MULTI_MSG="Applying SELinux policy updates ... " \ + EPATCH_SUFFIX="patch" \ + EPATCH_SOURCE="${WORKDIR}" \ + EPATCH_FORCE="yes" \ + epatch + + cd "${S}/refpolicy" + # Fix bug 257111 - Correct the initial sid for cron-started jobs in the + # system_r role + sed -i -e 's:system_crond_t:system_cronjob_t:g' \ + "${S}/refpolicy/config/appconfig-standard/default_contexts" + sed -i -e 's|system_r:cronjob_t|system_r:system_cronjob_t|g' \ + "${S}/refpolicy/config/appconfig-mls/default_contexts" + sed -i -e 's|system_r:cronjob_t|system_r:system_cronjob_t|g' \ + "${S}/refpolicy/config/appconfig-mcs/default_contexts" +} + +src_configure() { + [ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs" + + # Update the SELinux refpolicy capabilities based on the users' USE flags. + + if ! use peer_perms; then + sed -i -e '/network_peer_controls/d' \ + "${S}/refpolicy/policy/policy_capabilities" + fi + + if ! use open_perms; then + sed -i -e '/open_perms/d' \ + "${S}/refpolicy/policy/policy_capabilities" + fi + + if ! use ubac; then + sed -i -e '/^UBAC/s/y/n/' "${S}/refpolicy/build.conf" \ + || die "Failed to disable User Based Access Control" + fi + + echo "DISTRO = gentoo" >> "${S}/refpolicy/build.conf" + + # Setup the policies based on the types delivered by the end user. + # These types can be "targeted", "strict", "mcs" and "mls". + for i in ${POLICY_TYPES}; do + cp -a "${S}/refpolicy" "${S}/${i}" + + cd "${S}/${i}"; + make conf || die "Make conf in ${i} failed" + + #cp "${FILESDIR}/modules-2.20120215.conf" "${S}/${i}/policy/modules.conf" + sed -i -e "/= module/d" "${S}/${i}/policy/modules.conf" + + sed -i -e '/^QUIET/s/n/y/' -e "/^NAME/s/refpolicy/$i/" \ + "${S}/${i}/build.conf" || die "build.conf setup failed." + + if [[ "${i}" == "mls" ]] || [[ "${i}" == "mcs" ]]; + then + # MCS/MLS require additional settings + sed -i -e "/^TYPE/s/standard/${i}/" "${S}/${i}/build.conf" \ + || die "failed to set type to mls" + fi + + if [ "${i}" == "targeted" ]; then + sed -i -e '/root/d' -e 's/user_u/unconfined_u/' \ + "${S}/${i}/config/appconfig-standard/seusers" \ + || die "targeted seusers setup failed." + fi + done +} + +src_compile() { + [ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs" + + for i in ${POLICY_TYPES}; do + cd "${S}/${i}" + make base || die "${i} compile failed" + if use doc; then + make html || die + fi + done +} + +src_install() { + [ -z "${POLICY_TYPES}" ] && local POLICY_TYPES="targeted strict mls mcs" + + for i in ${POLICY_TYPES}; do + cd "${S}/${i}" + + make DESTDIR="${D}" install \ + || die "${i} install failed." + + make DESTDIR="${D}" install-headers \ + || die "${i} headers install failed." + + echo "run_init_t" > "${D}/etc/selinux/${i}/contexts/run_init_type" + + echo "textrel_shlib_t" >> "${D}/etc/selinux/${i}/contexts/customizable_types" + + # libsemanage won't make this on its own + keepdir "/etc/selinux/${i}/policy" + + if use doc; then + dohtml doc/html/*; + fi + done + + dodoc doc/Makefile.example doc/example.{te,fc,if} + + insinto /etc/selinux + doins "${FILESDIR}/config" +} + +pkg_preinst() { + has_version "<${CATEGORY}/${PN}-2.20101213-r13" + previous_less_than_r13=$? +} -- cgit v1.2.3-65-gdbad