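--- a/clcs/makefile
+++ b/clcs/makefile
@@ -9,6 +9,9 @@ all: $(addsuffix .c,$(FILES)) $(addsuffi
 
 saved_clcs_gcl: ../unixport/saved_pcl_gcl$(EXE)
 echo '(load "package.lisp")(load "myload.lisp")(si::save-system "$@")' | $< $(
+ if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then \
+ chcon -t gcl_exec_t $@; \
+ fi
 
 %.h %.data %.c : %.lisp saved_clcs_gcl
 cp ../h/cmpinclude.h .
@@ -31,6 +34,9 @@ compile: ${LISP}
 
 saved_full_gcl: ${LISP}
 echo '(load "package.lisp")(load "loading.lisp")(jamie-load-clcs :compiled)(system::save-system "saved_full_gcl")' | ${LISP}
+ if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then \
+ chcon -t gcl_exec_t $@; \
+ fi
 
 clean:
 rm -f *.o *.fn saved_full_gcl$(EXE) saved_full_gcl cmpinclude.h *.c *.h *.data saved_clcs_gcl$(EXE)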
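Review bot: In the `saved_clcs_gcl` recipe the added `chcon -t gcl_exec_t $@` runs only after `si::save-system` has already written the image, so if the relabel fails (for example because `gcl_exec_t` is not defined in the policy loaded on the build host) the recipe fails but leaves an unlabelled target behind. Unless the makefile deletes targets on error, which is not visible in this hunk, a second `make` may consider the image up to date and never retry the relabel. Either remove the image on failure, `chcon -t gcl_exec_t $@ || { rm -f $@; exit 1; }; \`, or add a comment above the block stating that the gcl policy module must be loaded on the build host before building. The same block appears in the `saved_full_gcl` hunk of this file and in the unixport/makefile hunks.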
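--- a/makefile
+++ b/makefile
@@ -187,6 +187,9 @@ install1:
 if gcc --version | grep -i mingw >/dev/null 2>&1 ; then if grep -i oncrpc makedefs >/dev/null 2>&1 ; then cp /mingw/bin/oncrpc.dll $(DESTDIR)$(INSTALL_LIB_DIR)/$(PORTDIR); fi ; fi
 cd $(DESTDIR)$(INSTALL_LIB_DIR)/$(PORTDIR) && \
 mv $(FLISP)$(EXE) temp$(EXE) && \
+ if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then \
+ chcon -t gcl_exec_t temp$(EXE); \
+ fi && \
 echo '(reset-sys-paths "$(INSTALL_LIB_DIR)/")(si::save-system "$(FLISP)$(EXE)")' | ./temp$(EXE) && \
 rm -f temp$(EXE)
 if [ -e "unixport/rsym$(EXE)" ] ; then cp unixport/rsym$(EXE) $(DESTDIR)$(INSTALL_LIB_DIR)/unixport/ ; fi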
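Review bot: Only the scratch copy `temp$(EXE)` is relabelled in `install1`; the image it then writes with `si::save-system "$(FLISP)$(EXE)"` gets no `chcon` in this hunk, so the label of the installed binary presumably depends on the `selinux/gcl.fc` entries being applied at package install time. Under a `$(DESTDIR)` staging tree those path patterns would not match, so this is worth stating in a comment, for example `# temp$(EXE) is labelled only so it can run here; $(FLISP)$(EXE) is labelled later via selinux/gcl.fc`. Note also that a failing `chcon` breaks the `&&` chain after the `mv`, leaving `temp$(EXE)` in place and no `$(FLISP)$(EXE)`. The `install1` recipe starts and continues outside this hunk.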
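--- a/selinux/gcl.fc
+++ b/selinux/gcl.fc
@@ -0,0 +1,5 @@
+/usr/lib64/gcl-[^/]+/unixport/saved_.* -- gen_context(system_u:object_r:gcl_exec_t,s0)
+/usr/lib/gcl-[^/]+/unixport/saved_.* -- gen_context(system_u:object_r:gcl_exec_t,s0)
+/usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:gcl_exec_t,s0)
+/usr/lib64/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:gcl_exec_t,s0)
+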
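Review bot: The two `maxima/[^/]+/binary-gcl/maxima` entries give a binary from outside the gcl tree the `gcl_exec_t` type, so everything gcl.te grants to `gcl_t` (including `execmem`, `execheap` and `execmod`) applies to it as well, and nothing in the file says why. Add a comment above them recording the reason, for example `# maxima's GCL build is a dumped GCL image and needs the same memory permissions` if that is indeed the intent. All four patterns are also anchored at `/usr/lib` and `/usr/lib64`, so an install under a different `INSTALL_LIB_DIR` would get no label from this file; a one-line comment noting that assumption would help packagers.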
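--- a/selinux/gcl.if
+++ b/selinux/gcl.if
@@ -0,0 +1,146 @@
+
+## <summary>policy for gcl</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run gcl.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gcl_domtrans',`
+ gen_require(`
+ type gcl_t;
+ type gcl_exec_t;
+ ')
+
+ domtrans_pattern($1,gcl_exec_t,gcl_t)
+')
+
+
+########################################
+## <summary>
+## Do not audit attempts to read,
+## gcl tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`gcl_dontaudit_read_tmp_files',`
+ gen_require(`
+ type gcl_tmp_t;
+ ')
+
+ dontaudit $1 gcl_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Allow domain to read, gcl tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`gcl_read_tmp_files',`
+ gen_require(`
+ type gcl_tmp_t;
+ ')
+
+ allow $1 gcl_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Allow domain to manage gcl tmp files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`gcl_manage_tmp',`
+ gen_require(`
+ type gcl_tmp_t;
+ ')
+
+ manage_dirs_pattern($1,gcl_tmp_t,gcl_tmp_t)
+ manage_files_pattern($1,gcl_tmp_t,gcl_tmp_t)
+ manage_lnk_files_pattern($1,gcl_tmp_t,gcl_tmp_t)
+')
+
+########################################
+## <summary>
+## Execute gcl in the gcl domain, and
+## allow the specified role the gcl domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the gcl domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the role's terminal.
+## </summary>
+## </param>
+#
+interface(`gcl_run',`
+ gen_require(`
+ type gcl_t;
+ ')
+
+ gcl_domtrans($1)
+ role $2 types gcl_t;
+ dontaudit gcl_t $3:chr_file rw_term_perms;
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an gcl environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the gcl domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the user terminal.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`gcl_admin',`
+ gen_require(`
+ type gcl_t;
+ ')
+
+ allow $1 gcl_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, gcl_t, gcl_t)
+
+
+ gcl_manage_tmp($1)
+
+')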
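Review bot: `gcl_dontaudit_read_tmp_files`, `gcl_read_tmp_files` and `gcl_manage_tmp` all `gen_require` the type `gcl_tmp_t`, but the gcl.te added by this same patch declares only `gcl_t` and `gcl_exec_t`, so any caller of these interfaces, including `gcl_admin` through `gcl_manage_tmp($1)`, would presumably fail the require. Either declare the type in gcl.te (`type gcl_tmp_t;` followed by `files_tmp_file(gcl_tmp_t)`) or drop the three tmp interfaces and the `gcl_manage_tmp` call. The parameter text on `gcl_read_tmp_files` and `gcl_manage_tmp` is also copied from the dontaudit interface and should read `Domain allowed access.`. `gcl_admin` documents `role` and `terminal` parameters that its body never uses, while granting `ptrace` on `gcl_t`, which deserves a line of justification in the summary.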
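--- a/selinux/gcl.te
+++ b/selinux/gcl.te
@@ -0,0 +1,45 @@
+policy_module(gcl,1.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type gcl_t;
+type gcl_exec_t;
+application_domain(gcl_t, gcl_exec_t)
+role system_r types gcl_t;
+
+########################################
+#
+# gcl local policy
+#
+
+## internal communication is often done using fifo and unix sockets.
+allow gcl_t self:fifo_file rw_file_perms;
+allow gcl_t self:unix_stream_socket create_stream_socket_perms;
+
+libs_use_ld_so(gcl_t)
+libs_use_shared_libs(gcl_t)
+
+miscfiles_read_localization(gcl_t)
+
+## The GCL memory management and executable dumping routines manipulate memory
+## in various (usually forbidden) ways.
+allow gcl_t self:process { execmem execheap };
+
+optional_policy(`
+ unconfined_domain(gcl_t)
+')
+
+optional_policy(`
+ gen_require(`
+ type unconfined_t;
+ type unconfined_devpts_t;
+ type unconfined_tty_device_t;
+ role unconfined_r;
+ ')
+
+ gcl_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
+ allow gcl_t gcl_exec_t:file execmod;
+')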
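Review bot: The first `optional_policy` block calls `unconfined_domain(gcl_t)`, so wherever the unconfined module is present every binary labelled `gcl_exec_t` runs without confinement and the explicit allow rules above it become redundant. The only rationale in the file is the comment on `allow gcl_t self:process { execmem execheap };`, which covers those two permissions and not a fully unconfined domain. If the domain exists solely to scope the memory-protection exceptions (plus `execmod` in the second block) to GCL images, record that next to the call, for example `## gcl_t is deliberately unconfined; it exists only to scope execmem/execheap/execmod to GCL images`. Otherwise drop the `unconfined_domain` call and enumerate the access GCL actually needs. Note also that `execmod` is granted only inside the block that requires `unconfined_t`, so a system without the unconfined module gets `execmem` and `execheap` but not `execmod`.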
diff -durpN gcl-2.6.8.ORIG/unixport/makefile gcl-2.6.8/unixport/makefile
--- gcl-2.6.8.ORIG/unixport/makefile 2010-11-05 07:26:31.000000000 -0600
+++ gcl-2.6.8/unixport/makefile 2010-12-29 11:46:30.628140965 -0700
@@ -122,6 +122,9 @@ saved_%:raw_% $(RSYM) init_%.lsp raw_%_m
echo " (in-package \"USER\")(system:save-system \"$@\")" >>foo
ar x lib$*.a $$(ar t lib$*.a |grep ^gcl_)
$(PORTDIR)/raw_$*$(EXE) $(PORTDIR)/ -libdir $(GCLDIR)/ < foo
+ if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then \
+ chcon -t gcl_exec_t $@; \
+ fi
$(RSYM): $(SPECIAL_RSYM) $(HDIR)/mdefs.h
$(CC) $(LD_FLAGS) $(CFLAGS) -I$(HDIR) -I$(ODIR) -o $(RSYM) $(SPECIAL_RSYM)
@@ -162,6 +165,9 @@ ifeq ($(GNU_LD),1)
else
$(CC) $(LD_FLAGS) -o raw_$*$(EXE) $(filter %.o,$^) -L. $(EXTRA_LD_LIBS) $(LD_LIBS_PRE) -l$* $(LD_LIBS_POST)
endif
+ if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then \
+ chcon -t gcl_exec_t raw_$*$(EXE); \
+ fi
# diff map_$* map_$*.old >/dev/null || (cp map_$* map_$*.old && rm -f $@ && $(MAKE) $@)
# cp map_$*.old map_$*