author | Kenton Groombridge <concord@gentoo.org> | 2024-05-14 15:24:40 -0400 |
---|---|---|
committer | Kenton Groombridge <concord@gentoo.org> | 2024-05-14 15:44:20 -0400 |
commit | aa11df06796676d0d98aa3b51093e639cb264635 (patch) | |
tree | cfa502c4605d2417f9b53036b8f05717bc2c5eb1 /sec-policy/selinux-base-policy | |
parent | sec-policy/selinux-firewalld: new package, add 9999 (diff) | |
sec-policy/*: Release of SELinux policies 2.20240226-r2
Closes: https://bugs.gentoo.org/928060
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Diffstat (limited to 'sec-policy/selinux-base-policy')
-rw-r--r-- | sec-policy/selinux-base-policy/Manifest | 1 | ||||
-rw-r--r-- | sec-policy/selinux-base-policy/selinux-base-policy-2.20240226-r2.ebuild | 141 |
2 files changed, 142 insertions, 0 deletions
diff --git a/sec-policy/selinux-base-policy/Manifest b/sec-policy/selinux-base-policy/Manifest
index adee87f98e64..d0e625a181d9 100644
--- a/sec-policy/selinux-base-policy/Manifest
+++ b/sec-policy/selinux-base-policy/Manifest
@@ -1,4 +1,5 @@
 DIST patchbundle-selinux-base-policy-2.20231002-r2.tar.bz2 436443 BLAKE2B f481e661b4afadd15f786a5d69d975d79e5d9a378c7bca279282d59215a02897a9587cbd56f7a2d95fd8152f931c0a8d469927033910e8fe214ee4494f4e6e49 SHA512 8545592130d7d10f7d6411a356e79f9cb2689138a7eb69a5f7bcd630203019c61336f1e3bdbc95dea31efceb41c9bce2e7ff42ced6a51a9b7482e991864fec05
 DIST patchbundle-selinux-base-policy-2.20240226-r1.tar.bz2 430565 BLAKE2B 2d552f868375c240e71e987542a3026970f1d375d7d1e65f11386ce1b07aae84911ded2379fc768ff4bff664eb98dc3361a7392467fed3feb4916477eb957f58 SHA512 f22245ad8759d88ddbf26b71443e4ba8c804fc80d69383120ed98b7887d08a7034b8125e4d15e695b26776ef4ac1a933e14a1a382d5be90aa942358842cc6c77
+DIST patchbundle-selinux-base-policy-2.20240226-r2.tar.bz2 442650 BLAKE2B f2f7c5e4a595afafc072fd78fc4ef3930cf739d05cbe9670f2fb2956fe84e3045518345e103bc3880603d2562f06ba0597fc005d8d394e9f8cd057363f9bf95f SHA512 2cb00d088eebdb098a6496f156eeb3dcee026fc6e53d732bac5bc8a4cfee1ce3bf2bdbbbfbbe9bba237d61c06f299d96bb9d123a57a44aaaa17cc122e15ea268
 DIST refpolicy-2.20231002.tar.bz2 600458 BLAKE2B 254d6d3d6b95f21e1f8e1df5822520ccaeade427053fb172079427cf70bd33f8ced87a9e09e1d36ec5f7b33f0bac8d730020d91996c6d25eafdcec66ebe35bb3 SHA512 029cd2225ce57d96f681720f24828e962320af41832ad2dc95d4d41d00dbde20bb08d91fa8b964b592812a9fedd908c261734b77ad72cccfde2de541b9c2c74d
 DIST refpolicy-2.20240226.tar.bz2 610561 BLAKE2B 5dc54dcf7238776d4e4b282c1dcbc499f45c0d96676dbf931da39592854034874b5dd6197a2e2776fccec5106d5f245eea3fb9419959bd4d61e9b2c12aeaaa85 SHA512 896a57afb024bd131f25d2831a9a5ac90ee7e5d76b0565bc818c156f6c310d86758bcd4cedbd9df5b29954c9a92a42300d16685a7e07a5efd8f789320724b3f9
diff --git a/sec-policy/selinux-base-policy/selinux-base-policy-2.20240226-r2.ebuild b/sec-policy/selinux-base-policy/selinux-base-policy-2.20240226-r2.ebuild
new file mode 100644
index 000000000000..434c01183b91
--- /dev/null
+++ b/sec-policy/selinux-base-policy/selinux-base-policy-2.20240226-r2.ebuild
@@ -0,0 +1,141 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="7"
+
+if [[ ${PV} == 9999* ]]; then
+ EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}"
+ EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}"
+ EGIT_CHECKOUT_DIR="${WORKDIR}/refpolicy"
+
+ inherit git-r3
+else
+ SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2
+ https://dev.gentoo.org/~perfinion/patches/${PN}/patchbundle-${PN}-${PVR}.tar.bz2"
+ KEYWORDS="~amd64 ~arm ~arm64 ~mips ~x86"
+fi
+
+HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
+DESCRIPTION="SELinux policy for core modules"
+
+IUSE="systemd +unconfined"
+
+PDEPEND="unconfined? ( sec-policy/selinux-unconfined )"
+DEPEND="=sec-policy/selinux-base-${PVR}[systemd?]"
+RDEPEND="${DEPEND}"
+BDEPEND="
+ sys-apps/checkpolicy
+ sys-devel/m4"
+
+MODS="application authlogin bootloader clock consoletype cron dmesg fstools getty hostname init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil setrans ssh staff storage su sysadm sysnetwork systemd tmpfiles udev userdomain usermanage unprivuser xdg"
+DEL_MODS="hotplug"
+LICENSE="GPL-2"
+SLOT="0"
+S="${WORKDIR}/"
+
+# Code entirely copied from selinux-eclass (cannot inherit due to dependency on
+# itself), when reworked reinclude it. Only postinstall (where -b base.pp is
+# added) needs to remain then.
+
+pkg_pretend() {
+ for i in ${POLICY_TYPES}; do
+ if [[ "${i}" == "targeted" ]] && ! use unconfined; then
+ die "If you use POLICY_TYPES=targeted, then USE=unconfined is mandatory."
+ fi
+ done
+}
+
+src_prepare() {
+ local modfiles
+
+ if [[ ${PV} != 9999* ]]; then
+ einfo "Applying SELinux policy updates ... "
+ eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch"
+ fi
+
+ eapply_user
+
+ # Collect only those files needed for this particular module
+ for i in ${MODS}; do
+ modfiles="$(find "${S}"/refpolicy/policy/modules -iname $i.te) $modfiles"
+ modfiles="$(find "${S}"/refpolicy/policy/modules -iname $i.fc) $modfiles"
+ done
+
+ for i in ${DEL_MODS}; do
+ [[ "${MODS}" != *${i}* ]] || die "Duplicate module in MODS and DEL_MODS: ${i}"
+ done
+
+ for i in ${POLICY_TYPES}; do
+ mkdir "${S}"/${i} || die "Failed to create directory ${S}/${i}"
+ cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \
+ || die "Failed to copy Makefile.example to ${S}/${i}/Makefile"
+
+ cp ${modfiles} "${S}"/${i} \
+ || die "Failed to copy the module files to ${S}/${i}"
+ done
+}
+
+src_compile() {
+ for i in ${POLICY_TYPES}; do
+ emake NAME=$i SHAREDIR="${SYSROOT%/}/usr/share/selinux" -C "${S}"/${i}
+ done
+}
+
+src_install() {
+ local BASEDIR="/usr/share/selinux"
+
+ for i in ${POLICY_TYPES}; do
+ for j in ${MODS}; do
+ einfo "Installing ${i} ${j} policy package"
+ insinto ${BASEDIR}/${i}
+ doins "${S}"/${i}/${j}.pp
+ done
+ done
+}
+
+pkg_postinst() {
+ # Set root path and don't load policy into the kernel when cross compiling
+ local root_opts=""
+ if [[ "${ROOT}" != "" ]]; then
+ root_opts="-p ${ROOT} -n"
+ fi
+
+ # Override the command from the eclass, we need to load in base as well here
+ local COMMAND="-i base.pp"
+ if has_version "<sys-apps/policycoreutils-2.5"; then
+ COMMAND="-b base.pp"
+ fi
+
+ for i in ${MODS}; do
+ COMMAND="${COMMAND} -i ${i}.pp"
+ done
+
+ for i in ${POLICY_TYPES}; do
+ einfo "Inserting the following modules, with base, into the $i module store: ${MODS}"
+
+ cd "${ROOT}/usr/share/selinux/${i}"
+
+ semodule ${root_opts} -s ${i} ${COMMAND}
+
+ for mod in ${DEL_MODS}; do
+ if semodule ${root_opts} -s ${i} -l | grep -q "\b${mod}\b"; then
+ einfo "Removing obsolete ${i} ${mod} policy package"
+ semodule ${root_opts} -s ${i} -r ${mod}
+ fi
+ done
+ done
+
+ # Don't relabel when cross compiling
+ if [[ "${ROOT}" == "" ]]; then
+ # Relabel depending packages
+ local PKGSET="";
+ if [[ -x /usr/bin/qdepends ]] ; then
+ PKGSET=$(/usr/bin/qdepends -Cq -r -Q ${CATEGORY}/${PN} | grep -v 'sec-policy/selinux-');
+ elif [[ -x /usr/bin/equery ]] ; then
+ PKGSET=$(/usr/bin/equery -Cq depends ${CATEGORY}/${PN} | grep -v 'sec-policy/selinux-');
+ fi
+ if [[ -n "${PKGSET}" ]] ; then
+ rlpkg ${PKGSET};
+ fi
+ fi
+} |
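Review bot: In pkg_postinst, neither `cd "${ROOT}/usr/share/selinux/${i}"` nor the `semodule ${root_opts} -s ${i} ${COMMAND}` that follows has its exit status checked, so a failed module insert finishes the merge silently with the new .pp files on disk and the previous policy still in the store. COMMAND names the packages relatively (`-i base.pp`, `-i ${i}.pp`), so after a failed cd semodule would resolve them against whatever directory the phase happened to be in. I would write `cd "${ROOT}/usr/share/selinux/${i}" || die "Could not enter ${ROOT}/usr/share/selinux/${i}"` and `semodule ${root_opts} -s ${i} ${COMMAND} || ewarn "SELinux module load failed for the ${i} store"`, and likewise check the `semodule ... -r ${mod}` call in the DEL_MODS loop. Separately, `root_opts="-p ${ROOT} -n"` is expanded unquoted, so a ROOT containing whitespace would be split into extra arguments; an array (`root_opts=( -p "${ROOT}" -n )`) avoids that.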