* [PATCH v2 2/4] [DO NOT MERGE] Install selinux-policy-devel in test environment
[not found] ` <20210407101245.276527-1-vmojzis@redhat.com>
@ 2021-04-07 10:12 ` Vit Mojzis
2021-04-07 10:12 ` [PATCH v2 3/4] selinux: Remove 'make' dependency Vit Mojzis
2021-04-07 10:12 ` [PATCH v2 4/4] selinux: add "mls" binary version of the policy Vit Mojzis
2 siblings, 0 replies; 4+ messages in thread
From: Vit Mojzis @ 2021-04-07 10:12 UTC (permalink / raw)
To: selinux
Temporary commit for testing purposes.
The change needs to be done in
https://gitlab.com/libvirt/libvirt-ci/-/blob/master/guests/lcitool/lcitool/ansible/vars/projects/libvirt.yml
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
ci/containers/ci-centos-8.Dockerfile | 1 +
ci/containers/ci-centos-stream.Dockerfile | 1 +
ci/containers/ci-fedora-32.Dockerfile | 1 +
ci/containers/ci-fedora-33.Dockerfile | 1 +
ci/containers/ci-fedora-rawhide-cross-mingw32.Dockerfile | 1 +
ci/containers/ci-fedora-rawhide-cross-mingw64.Dockerfile | 1 +
ci/containers/ci-fedora-rawhide.Dockerfile | 1 +
7 files changed, 7 insertions(+)
diff --git a/ci/containers/ci-centos-8.Dockerfile b/ci/containers/ci-centos-8.Dockerfile
index e600598329..7d6cbafe6b 100644
--- a/ci/containers/ci-centos-8.Dockerfile
+++ b/ci/containers/ci-centos-8.Dockerfile
@@ -84,6 +84,7 @@ RUN dnf update -y && \
rpm-build \
sanlock-devel \
scrub \
+ selinux-policy-devel \
systemtap-sdt-devel \
wireshark-devel \
xfsprogs-devel \
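Review bot: these Dockerfiles are generated by lcitool, as the commit message says, so the seven hand edits in this patch (this hunk and the six identical ones below) disappear on the next regeneration; the `[DO NOT MERGE]` tag already covers that, but it means the `libvirt.yml` change in libvirt-ci has to land before 3/4 and 4/4 are merged, otherwise CI fails on the missing `/usr/share/selinux/devel` headers as soon as the policy build is enabled.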
diff --git a/ci/containers/ci-centos-stream.Dockerfile b/ci/containers/ci-centos-stream.Dockerfile
index 2b51eccc8d..b4d02f4148 100644
--- a/ci/containers/ci-centos-stream.Dockerfile
+++ b/ci/containers/ci-centos-stream.Dockerfile
@@ -86,6 +86,7 @@ RUN dnf install -y centos-release-stream && \
rpm-build \
sanlock-devel \
scrub \
+ selinux-policy-devel \
systemtap-sdt-devel \
wireshark-devel \
xfsprogs-devel \
diff --git a/ci/containers/ci-fedora-32.Dockerfile b/ci/containers/ci-fedora-32.Dockerfile
index 71d391b7bd..3b9d98c83f 100644
--- a/ci/containers/ci-fedora-32.Dockerfile
+++ b/ci/containers/ci-fedora-32.Dockerfile
@@ -89,6 +89,7 @@ exec "$@"' > /usr/bin/nosync && \
rpm-build \
sanlock-devel \
scrub \
+ selinux-policy-devel \
sheepdog \
systemtap-sdt-devel \
wireshark-devel \
diff --git a/ci/containers/ci-fedora-33.Dockerfile b/ci/containers/ci-fedora-33.Dockerfile
index 5fb30380b0..c8b4dcca34 100644
--- a/ci/containers/ci-fedora-33.Dockerfile
+++ b/ci/containers/ci-fedora-33.Dockerfile
@@ -89,6 +89,7 @@ exec "$@"' > /usr/bin/nosync && \
rpm-build \
sanlock-devel \
scrub \
+ selinux-policy-devel \
sheepdog \
systemtap-sdt-devel \
wireshark-devel \
diff --git a/ci/containers/ci-fedora-rawhide-cross-mingw32.Dockerfile b/ci/containers/ci-fedora-rawhide-cross-mingw32.Dockerfile
index c718778acb..55825c9753 100644
--- a/ci/containers/ci-fedora-rawhide-cross-mingw32.Dockerfile
+++ b/ci/containers/ci-fedora-rawhide-cross-mingw32.Dockerfile
@@ -55,6 +55,7 @@ exec "$@"' > /usr/bin/nosync && \
rpcgen \
rpm-build \
scrub \
+ selinux-policy-devel \
sheepdog \
zfs-fuse && \
nosync dnf autoremove -y && \
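Review bot: the mingw cross-build images get `selinux-policy-devel` as well (this hunk and the mingw64 one below), which is only needed because the `subdir('selinux')` gate added in 3/4 looks at the build host's `/etc/os-release` and not at what is being built; these images are Fedora rawhide, so a Windows cross build will compile and install a Linux SELinux module. Gate the policy build on `not meson.is_cross_build()` (or on an explicit option) and the package can be dropped from the two cross images.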
diff --git a/ci/containers/ci-fedora-rawhide-cross-mingw64.Dockerfile b/ci/containers/ci-fedora-rawhide-cross-mingw64.Dockerfile
index 6058d0c0b2..69159a7e3c 100644
--- a/ci/containers/ci-fedora-rawhide-cross-mingw64.Dockerfile
+++ b/ci/containers/ci-fedora-rawhide-cross-mingw64.Dockerfile
@@ -55,6 +55,7 @@ exec "$@"' > /usr/bin/nosync && \
rpcgen \
rpm-build \
scrub \
+ selinux-policy-devel \
sheepdog \
zfs-fuse && \
nosync dnf autoremove -y && \
diff --git a/ci/containers/ci-fedora-rawhide.Dockerfile b/ci/containers/ci-fedora-rawhide.Dockerfile
index 027e8a7c41..edd9c34c46 100644
--- a/ci/containers/ci-fedora-rawhide.Dockerfile
+++ b/ci/containers/ci-fedora-rawhide.Dockerfile
@@ -90,6 +90,7 @@ exec "$@"' > /usr/bin/nosync && \
rpm-build \
sanlock-devel \
scrub \
+ selinux-policy-devel \
sheepdog \
systemtap-sdt-devel \
wireshark-devel \
--
2.30.2
* [PATCH v2 3/4] selinux: Remove 'make' dependency
[not found] ` <20210407101245.276527-1-vmojzis@redhat.com>
2021-04-07 10:12 ` [PATCH v2 2/4] [DO NOT MERGE] Install selinux-policy-devel in test environment Vit Mojzis
@ 2021-04-07 10:12 ` Vit Mojzis
2021-04-07 10:12 ` [PATCH v2 4/4] selinux: add "mls" binary version of the policy Vit Mojzis
2 siblings, 0 replies; 4+ messages in thread
From: Vit Mojzis @ 2021-04-07 10:12 UTC (permalink / raw)
To: selinux
Compile the policy using a script executed by meson.
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
Changes:
* Rewrite policy compilation script in python
libvirt.spec.in | 12 ----
meson.build | 12 ++++
selinux/compile_policy.py | 128 ++++++++++++++++++++++++++++++++++++++
selinux/meson.build | 23 +++++++
4 files changed, 163 insertions(+), 12 deletions(-)
create mode 100755 selinux/compile_policy.py
create mode 100644 selinux/meson.build
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 9cbdb2c513..1b807ec324 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1239,14 +1239,6 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/%{name}.spec)
%{?arg_login_shell}
%meson_build
-%if 0%{?with_selinux}
-# SELinux policy (originally from selinux-policy-contrib)
-# this policy module will override the production module
-cd selinux
-
-make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp
-bzip2 -9 %{modulename}.pp
-%endif
%install
rm -fr %{buildroot}
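Review bot: removing this block also removes the spec's say over whether the module is built: `with_selinux` is still defined at the top of the spec, but after this patch the policy is compiled only when the `/etc/os-release` check in `meson.build` (same patch) matches the build host, so a build with `with_selinux` unset, or one done in a chroot whose os-release does not match the target, silently does the opposite of what the spec declares. Keep the decision in the spec by passing meson an explicit option under `%if 0%{?with_selinux}` (a `selinux` feature option would be new to this series) and have `meson.build` honour that instead of sniffing the host.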
@@ -1331,10 +1323,6 @@ mv $RPM_BUILD_ROOT%{_datadir}/systemtap/tapset/libvirt_qemu_probes.stp \
%endif
%endif
-%if 0%{?with_selinux}
-install -D -m 0644 selinux/%{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
-%endif
-
%check
# Building on slow archs, like emulated s390x in Fedora copr, requires
# raising the test timeout
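Review bot: with the manual `install -D` gone, the module is now placed by `%meson_install` at the meson `install_dir`, i.e. `%{_datadir}/selinux/packages/%{modulename}.pp.bz2` with no `%{selinuxtype}` subdirectory, but `%post selinux` still runs `%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2` until 4/4 rewrites it (visible there as the removed line). After 3/4 alone the scriptlet points at a file that is no longer installed; update `%post` in this patch so the series stays bisectable.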
diff --git a/meson.build b/meson.build
index 69a7b4c88e..884d3a490d 100644
--- a/meson.build
+++ b/meson.build
@@ -2182,6 +2182,18 @@ endif
subdir('build-aux')
+os_release = run_command('grep', '^ID=', '/etc/os-release').stdout()
+os_version = run_command('grep', '^VERSION_ID=', '/etc/os-release').stdout().split('=')
+if (os_version.length() == 2)
+ os_version = os_version[1]
+else
+ os_version = 0
+endif
+
+if ((os_release.contains('fedora') and os_version.version_compare('>33')) or
+ (os_release.contains('rhel') and os_version.version_compare('>8')))
+ subdir('selinux')
+endif
# install pkgconfig files
pkgconfig_files = [
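Review bot: this gate breaks in several ways. `os_version` is set to the integer `0` when `VERSION_ID=` is missing (or `/etc/os-release` is absent, since `run_command` is not passed `check: true`), and `version_compare()` is a string method, so configure aborts with a meson error instead of skipping the subdir. `stdout()` keeps the trailing newline, and RHEL and CentOS quote the value (`VERSION_ID="8"`), so the comparison is not made against a bare version string; `.strip()` it and drop the quotes. `ID=centos` does not contain `rhel`, while the spec's `%{?rhel}` is set on CentOS builds, so the two gates disagree. And nothing here checks for a cross build, so the mingw CI images compile the module too. A `selinux` feature option in `meson_options.txt` (new to this series), defaulting to auto and verified by `find_program('checkmodule')` plus a check for `/usr/share/selinux/devel/include`, would replace all of this with one `if` line.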
diff --git a/selinux/compile_policy.py b/selinux/compile_policy.py
new file mode 100755
index 0000000000..2de26f21c7
--- /dev/null
+++ b/selinux/compile_policy.py
@@ -0,0 +1,128 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2021 Red Hat, Inc.
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see
+# <http://www.gnu.org/licenses/>.
+
+# This script is based on selinux-policy Makefile
+# https://github.com/fedora-selinux/selinux-policy/blob/rawhide/support/Makefile.devel
+
+import subprocess
+import sys
+import os
+import glob
+
+if len(sys.argv) != 6:
+ print("Usage: %s <policy>.te <policy>.if <policy>.fc <output>.pp <tmpdir>"
+ % sys.argv[0], file=sys.stderr)
+ exit(os.EX_USAGE)
+
+module_name = os.path.splitext(os.path.basename(sys.argv[1]))[0]
+
+m4param = ["-D", "enable_mcs", "-D", "distro_redhat", "-D",
+ "hide_broken_symptoms", "-D", "mls_num_sens=16", "-D",
+ "mls_num_cats=1024", "-D", "mcs_num_cats=1024"]
+
+SHAREDIR = "/usr/share/selinux"
+HEADERDIR = os.path.join(SHAREDIR, "devel/include")
+
+m4support = sorted(glob.glob("{}/support/*.spt".format(HEADERDIR)))
+header_layers = glob.glob("{}/*/".format(HEADERDIR))
+header_layers = sorted([x for x in header_layers
+ if os.path.join(HEADERDIR, "support") not in x])
+
+header_interfaces = []
+for layer in header_layers:
+ header_interfaces.extend(glob.glob("{}/*.if".format(layer)))
+header_interfaces.sort()
+
+# prepare temp folder
+try:
+ os.makedirs(sys.argv[5])
+except Exception:
+ pass
+
+# remove old trash from the temp folder
+for name in ["iferror.m4" "all_interfaces.conf" "{}.*".format(module_name)]:
+ try:
+ os.remove(os.path.join(sys.argv[5], name))
+ except Exception:
+ pass
+
+# tmp/all_interfaces.conf
+# echo "ifdef(\`__if_error',\`m4exit(1)')" > $5/iferror.m4
+with open(os.path.join(sys.argv[5], "iferror.m4"), "w") as file:
+ file.write("ifdef(`__if_error',`m4exit(1)')\n")
+
+# echo "divert(-1)" > $5/all_interfaces.conf
+with open(os.path.join(sys.argv[5], "all_interfaces.conf"), "w") as int_file:
+ int_file.write("divert(-1)\n")
+
+# m4 $M4SUPPORT $HEADER_INTERFACES $2 $5/iferror.m4
+# | sed -e s/dollarsstar/\$\$\*/g >> $5/all_interfaces.conf
+subprocess.run(r"m4 {} | sed -e s/dollarsstar/\$\$\*/g >> {}".format(
+ " ".join([*m4support, *header_interfaces, sys.argv[2],
+ os.path.join(sys.argv[5], "iferror.m4")]),
+ os.path.join(sys.argv[5], "all_interfaces.conf")),
+ shell=True, check=True)
+
+# doesn't work properly without "shell=True"
+# m4_process = Popen(["m4", *m4support, *header_interfaces, sys.argv[2],
+# os.path.join(sys.argv[5], "iferror.m4")],
+# stdout=PIPE, stderr=PIPE)
+# sed_process = Popen(["sed", "-e", "s/dollarsstar/\$\$\*/g"],
+# stdin=m4_process.stdout, stdout=int_file)
+# outs, errs = m4_process.communicate()
+
+# echo "divert" >> $5/all_interfaces.conf
+with open(os.path.join(sys.argv[5], "all_interfaces.conf"), "a") as file:
+ file.write("divert\n")
+
+# tmp/%.mod
+# m4 $M4PARAM -s $M4SUPPORT $5/all_interfaces.conf $1 > $5/$MODULE_NAME.tmp
+with open(os.path.join(sys.argv[5], "{}.tmp".format(module_name)),
+ "w") as tmp_file:
+ subprocess.run(["m4", *m4param, "-s", *m4support,
+ os.path.join(sys.argv[5], "all_interfaces.conf"),
+ sys.argv[1]], stdout=tmp_file, check=True)
+
+# /usr/bin/checkmodule -M -m $5/$MODULE_NAME.tmp -o $5/$MODULE_NAME.mod
+subprocess.run(["/usr/bin/checkmodule",
+ "-M",
+ "-m",
+ os.path.join(sys.argv[5], "{}.tmp".format(module_name)),
+ "-o",
+ os.path.join(sys.argv[5], "{}.mod".format(module_name))],
+ check=True)
+
+
+# tmp/%.mod.fc
+# m4 $M4PARAM $M4SUPPORT $3 > $5/$MODULE_NAME.mod.fc
+with open(os.path.join(sys.argv[5],
+ "{}.mod.fc".format(module_name)), "w") as mod_fc_file:
+ subprocess.run(["m4", *m4param, *m4support, sys.argv[3]],
+ stdout=mod_fc_file, check=True)
+
+# %.pp
+# /usr/bin/semodule_package -o $4 -m $5/$MODULE_NAME.mod
+# -f $5/$MODULE_NAME.mod.fc
+subprocess.run(["/usr/bin/semodule_package",
+ "-o",
+ sys.argv[4],
+ "-m",
+ os.path.join(sys.argv[5], "{}.mod".format(module_name)),
+ "-f",
+ os.path.join(sys.argv[5], "{}.mod.fc".format(module_name))],
+ check=True)
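Review bot: the one `shell=True` call hands `sys.argv[2]` and `sys.argv[5]` to the shell unquoted, so a build directory containing a space or `$` breaks the command, and the comment admits the `Popen` pipeline did not work. The `sed` stage only rewrites the literal `dollarsstar`, so the pipe is unnecessary: run `m4` with `stdout=subprocess.PIPE, check=True`, then `int_file.write(out.stdout.decode().replace("dollarsstar", "$$*"))` and drop the shell entirely. Also in this hunk: the cleanup list `["iferror.m4" "all_interfaces.conf" "{}.*".format(module_name)]` is a single concatenated string (missing commas) and `os.remove` does not expand `*`, so nothing is ever removed (4/4 fixes this; squash the fix here); `os.makedirs(sys.argv[5], exist_ok=True)` replaces the bare `except Exception: pass`; and `/usr/bin/checkmodule` and `/usr/bin/semodule_package` are hard-coded rather than located with `find_program` in meson and passed in, so a missing checkpolicy package only shows up half-way through the build.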
diff --git a/selinux/meson.build b/selinux/meson.build
new file mode 100644
index 0000000000..2737e60519
--- /dev/null
+++ b/selinux/meson.build
@@ -0,0 +1,23 @@
+selinux_sources = [
+ 'virt.te',
+ 'virt.if',
+ 'virt.fc',
+]
+
+compile_policy_prog = find_program('compile_policy.py')
+
+virt_pp = custom_target('virt.pp',
+ output : 'virt.pp',
+ input : selinux_sources,
+ command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/tmp'],
+ install : false)
+
+bzip2_prog = find_program('bzip2')
+
+bzip = custom_target('virt.pp.bz2',
+ output : 'virt.pp.bz2',
+ input : virt_pp,
+ command : [bzip2_prog, '-c', '-9', '@INPUT@'],
+ capture : true,
+ install : true,
+ install_dir : 'share/selinux/packages/')
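Review bot: `'selinux/tmp'` is resolved relative to the build root (custom_target commands run from there), so the intermediates land in a directory meson neither creates nor cleans; pass `@PRIVATE_DIR@` instead, which meson provides per target for exactly this purpose. `install_dir : 'share/selinux/packages/'` hard-codes `share`; use `get_option('datadir') / 'selinux/packages'` so a `--datadir` override is honoured. And since the script shells out to `checkmodule` and `semodule_package`, add `find_program()` calls for both here so a missing build dependency fails at configure time rather than at build time.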
--
2.30.2
* [PATCH v2 4/4] selinux: add "mls" binary version of the policy
[not found] ` <20210407101245.276527-1-vmojzis@redhat.com>
2021-04-07 10:12 ` [PATCH v2 2/4] [DO NOT MERGE] Install selinux-policy-devel in test environment Vit Mojzis
2021-04-07 10:12 ` [PATCH v2 3/4] selinux: Remove 'make' dependency Vit Mojzis
@ 2021-04-07 10:12 ` Vit Mojzis
2021-04-07 12:49 ` Vit Mojzis
2 siblings, 1 reply; 4+ messages in thread
From: Vit Mojzis @ 2021-04-07 10:12 UTC (permalink / raw)
To: selinux
Compile the module also for use with "mls" systems and allow
installation to systems with any selinux type (targeted, mls and
minimum).
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
libvirt.spec.in | 53 +++++++++++++++++++++++++++++++++------
selinux/compile_policy.py | 21 ++++++++++------
selinux/meson.build | 11 +++++---
selinux/mls/meson.build | 20 +++++++++++++++
4 files changed, 87 insertions(+), 18 deletions(-)
create mode 100644 selinux/mls/meson.build
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 1b807ec324..9efbd2e6db 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -5,9 +5,8 @@
# or versions, but no effort will be made to ensure that going forward.
%if 0%{?fedora} > 33 || 0%{?rhel} > 8
- %global with_selinux 1
- %global selinuxtype targeted
- %global modulename virt
+ %global with_selinux 1
+ %global modulename virt
%endif
%define min_rhel 7
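Review bot: the only functional change in this hunk is dropping `selinuxtype`; the two remaining `%global` lines are re-indented, which is whitespace churn that hides the real change in the diff. Keep the original indentation, or move the re-indent into a separate cleanup commit.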
@@ -1535,18 +1534,57 @@ exit 0
# SELinux contexts are saved so that only affected files can be
# relabeled after the policy module installation
%pre selinux
-%selinux_relabel_pre -s %{selinuxtype}
+if [ -e /etc/selinux/config ]; then
+ . /etc/selinux/config
+ %selinux_relabel_pre -s ${SELINUXTYPE}
+fi
%post selinux
-%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+# only policy reload is needed - module installation is managed by triggers
+/usr/sbin/selinuxenabled && /usr/sbin/load_policy || :
%postun selinux
if [ $1 -eq 0 ]; then
- %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
+ /usr/sbin/selinuxenabled && /usr/sbin/load_policy || :
fi
%posttrans selinux
-%selinux_relabel_post -s %{selinuxtype}
+if [ -e /etc/selinux/config ]; then
+ . /etc/selinux/config
+ %selinux_relabel_post -s ${SELINUXTYPE}
+fi
+
+# install the policy module to corresponding policy store if
+# selinux-policy-{targeted|mls|minimum} package is installed on the system
+%triggerin -n %{name}-selinux -- selinux-policy-targeted
+/usr/sbin/semodule -n -s targeted -X 200 -i %{_datadir}/selinux/packages/%{modulename}.pp.bz2 || :
+
+%triggerin -n %{name}-selinux -- selinux-policy-minimum
+/usr/sbin/semodule -n -s minimum -X 200 -i %{_datadir}/selinux/packages/%{modulename}.pp.bz2 || :
+# libvirt module is installed by default, but disabled -- enable it
+/usr/sbin/semodule -n -s minimum -e %{modulename} || :
+
+%triggerin -n %{name}-selinux -- selinux-policy-mls
+/usr/sbin/semodule -n -s mls -X 200 -i %{_datadir}/selinux/packages/mls/%{modulename}.pp.bz2 || :
+
+# remove the policy module from corresponding module store if
+# libvirt-selinux or selinux-policy-* was removed from the system,
+# but not when either package gets updated
+%triggerun -n %{name}-selinux -- selinux-policy-targeted
+if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/targeted/active/modules/200/%{modulename} ]; then
+ /usr/sbin/semodule -n -s targeted -X 200 -r %{modulename} || :
+fi
+
+%triggerun -n %{name}-selinux -- selinux-policy-minimum
+if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/minimum/active/modules/200/%{modulename} ]; then
+ /usr/sbin/semodule -n -s minimum -X 200 -r %{modulename} || :
+ /usr/sbin/semodule -n -d %{modulename} || :
+fi
+
+%triggerun -n %{name}-selinux -- selinux-policy-mls
+if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/mls/active/modules/200/%{modulename} ]; then
+ /usr/sbin/semodule -n -s mls -X 200 -r %{modulename} || :
+fi
%endif
%files
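Review bot: rpm runs a package's `%triggerin` scriptlets after its `%post`, so on a fresh install the `load_policy` in `%post selinux` runs before `semodule -n -s targeted -X 200 -i ...` has inserted the module, and because every trigger passes `-n` nothing reloads afterwards: the module sits in the store but is not active until the next unrelated policy reload. Move the `selinuxenabled && load_policy` call into `%posttrans selinux` (ahead of `%selinux_relabel_post`), or drop `-n` from the `%triggerin` commands. Second, in `%triggerun ... selinux-policy-minimum` the line `/usr/sbin/semodule -n -d %{modulename} || :` has no `-s minimum`, so it acts on whichever store `/etc/selinux/config` names rather than the store the preceding `-r` just touched; add `-s minimum`.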
@@ -2018,6 +2056,7 @@ fi
%if 0%{?with_selinux}
%files selinux
%{_datadir}/selinux/packages/%{modulename}.pp.*
+%{_datadir}/selinux/packages/mls/%{modulename}.pp.*
%ghost %{_sharedstatedir}/selinux/targeted/active/modules/200/%{modulename}
%ghost %{_sharedstatedir}/selinux/minimum/active/modules/200/%{modulename}
%ghost %{_sharedstatedir}/selinux/mls/active/modules/200/%{modulename}
diff --git a/selinux/compile_policy.py b/selinux/compile_policy.py
index 2de26f21c7..7a703dbb3d 100755
--- a/selinux/compile_policy.py
+++ b/selinux/compile_policy.py
@@ -24,16 +24,21 @@ import sys
import os
import glob
-if len(sys.argv) != 6:
- print("Usage: %s <policy>.te <policy>.if <policy>.fc <output>.pp <tmpdir>"
- % sys.argv[0], file=sys.stderr)
+if len(sys.argv) != 7:
+ print(("Usage: {} <policy>.te <policy>.if <policy>.fc <output>.pp <tmpdir>"
+ " <type (mls/mcs)>").format(sys.argv[0]), file=sys.stderr)
exit(os.EX_USAGE)
module_name = os.path.splitext(os.path.basename(sys.argv[1]))[0]
-m4param = ["-D", "enable_mcs", "-D", "distro_redhat", "-D",
- "hide_broken_symptoms", "-D", "mls_num_sens=16", "-D",
- "mls_num_cats=1024", "-D", "mcs_num_cats=1024"]
+m4param = ["-D", "distro_redhat", "-D", "hide_broken_symptoms",
+ "-D", "mls_num_sens=16", "-D", "mls_num_cats=1024",
+ "-D", "mcs_num_cats=1024"]
+
+if sys.argv[6] == "mls":
+ m4param = ["-D", "enable_mls"] + m4param
+else:
+ m4param = ["-D", "enable_mcs"] + m4param
SHAREDIR = "/usr/share/selinux"
HEADERDIR = os.path.join(SHAREDIR, "devel/include")
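Review bot: the new sixth argument is only compared against `"mls"`, so any other value, including a typo in the meson files, silently builds an MCS module. Validate it up front next to the argument-count check, e.g. `if sys.argv[6] not in ("mls", "mcs"): ... sys.exit(os.EX_USAGE)`, and prefer `sys.exit` over the `exit()` builtin, which is added by the site module and is absent under `python3 -S`.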
@@ -55,7 +60,9 @@ except Exception:
pass
# remove old trash from the temp folder
-for name in ["iferror.m4" "all_interfaces.conf" "{}.*".format(module_name)]:
+tmpfiles = ["{}.{}".format(module_name, ext)
+ for ext in ["mod", "mod.fc", "tmp"]]
+for name in ["iferror.m4", "all_interfaces.conf"] + tmpfiles:
try:
os.remove(os.path.join(sys.argv[5], name))
except Exception:
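Review bot: this hunk is a bug fix for 3/4, where `["iferror.m4" "all_interfaces.conf" "{}.*".format(module_name)]` was one concatenated string with an unexpandable `*`; fold it into 3/4 so that patch is correct on its own. With an explicit file list the bare `except Exception: pass` can be narrowed to `FileNotFoundError`, or replaced by `shutil.rmtree(tmpdir, ignore_errors=True)` followed by `os.makedirs(tmpdir)`, which also clears stale files with other names.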
diff --git a/selinux/meson.build b/selinux/meson.build
index 2737e60519..305cf59e72 100644
--- a/selinux/meson.build
+++ b/selinux/meson.build
@@ -4,15 +4,16 @@ selinux_sources = [
'virt.fc',
]
-compile_policy_prog = find_program('compile_policy.py')
+set_variable('compile_policy_prog', find_program('compile_policy.py'))
+# targeted/minimum policy module
virt_pp = custom_target('virt.pp',
output : 'virt.pp',
input : selinux_sources,
- command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/tmp'],
+ command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/tmp', 'mcs'],
install : false)
-bzip2_prog = find_program('bzip2')
+set_variable('bzip2_prog', find_program('bzip2'))
bzip = custom_target('virt.pp.bz2',
output : 'virt.pp.bz2',
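Review bot: `set_variable('compile_policy_prog', ...)` behaves exactly like the plain assignment it replaces; meson variables assigned in `selinux/meson.build` are already visible inside the file pulled in by `subdir('mls')`, so both `set_variable` conversions in this patch are churn and can be reverted.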
@@ -20,4 +21,6 @@ bzip = custom_target('virt.pp.bz2',
command : [bzip2_prog, '-c', '-9', '@INPUT@'],
capture : true,
install : true,
- install_dir : 'share/selinux/packages/')
+ install_dir : 'share/selinux/packages')
+
+subdir('mls')
diff --git a/selinux/mls/meson.build b/selinux/mls/meson.build
new file mode 100644
index 0000000000..20bab41fea
--- /dev/null
+++ b/selinux/mls/meson.build
@@ -0,0 +1,20 @@
+selinux_sources = [
+ '../virt.te',
+ '../virt.if',
+ '../virt.fc',
+]
+
+# MLS policy module
+virt_pp_mls = custom_target('virt.pp',
+ output : 'virt.pp',
+ input : selinux_sources,
+ command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/mls/tmp', 'mls'],
+ install : false)
+
+bzip_mls = custom_target('virt.pp.bz2',
+ output : 'virt.pp.bz2',
+ input : virt_pp_mls,
+ command : [bzip2_prog, '-c', '-9', '@INPUT@'],
+ capture : true,
+ install : true,
+ install_dir : 'share/selinux/packages/mls')
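Review bot: the source list is copied with `../` prefixes instead of reusing the one in `selinux/meson.build`; declare that one as `files('virt.te', 'virt.if', 'virt.fc')` and the resulting file objects stay valid here, so a fourth source only has to be added in one place. `'selinux/mls/tmp'` has the same build-root-relative problem as the targeted target's `'selinux/tmp'`; `@PRIVATE_DIR@` gives each of the two targets its own scratch directory without hard-coding paths.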
--
2.30.2
* Re: [PATCH v2 4/4] selinux: add "mls" binary version of the policy
2021-04-07 10:12 ` [PATCH v2 4/4] selinux: add "mls" binary version of the policy Vit Mojzis
@ 2021-04-07 12:49 ` Vit Mojzis
0 siblings, 0 replies; 4+ messages in thread
From: Vit Mojzis @ 2021-04-07 12:49 UTC (permalink / raw)
To: selinux
Please disregard these patches; they were intended for a different ML.
Sorry for the noise.