e6a2505
diff -durN gcl-2.6.8.ORIG/clcs/makefile gcl-2.6.8/clcs/makefile
e6a2505
--- gcl-2.6.8.ORIG/clcs/makefile	2005-05-06 15:56:55.000000000 -0600
b06d300
+++ gcl-2.6.8/clcs/makefile	2009-10-06 08:16:02.062488470 -0600
e6a2505
@@ -9,6 +9,9 @@
e6a2505
 
e6a2505
 saved_clcs_gcl: ../unixport/saved_pcl_gcl
e6a2505
 	echo '(load "package.lisp")(load "myload.lisp")(si::save-system "$@")' | $< $(
e6a2505
+	if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then \
e6a2505
+		chcon -t gcl_exec_t $@; \
e6a2505
+	fi
e6a2505
 
e6a2505
 %.h %.data %.c : %.lisp saved_clcs_gcl
e6a2505
 	cp ../h/cmpinclude.h .
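Review bot: The new `if … selinuxenabled; then chcon -t gcl_exec_t $@; fi` line at the end of the saved_clcs_gcl recipe makes the build fail on any enforcing host where the gcl policy module is not loaded yet, because chcon normally rejects a type the loaded policy does not define and the exit status of the `if` compound is chcon's. That is the usual state on a fresh machine, since the build tree is produced before `selinux/gcl.te` from this same commit can be installed. Either make the relabel best-effort with a comment saying why, e.g. `chcon -t gcl_exec_t $@ || echo "warning: could not label $@ as gcl_exec_t" >&2; \`, or document that the gcl module must be installed before building. The same block is repeated in the saved_full_gcl hunk below and in both unixport/makefile hunks; `/usr/sbin/selinuxenabled` is also hard-coded where `command -v selinuxenabled` would tolerate other install locations.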
e6a2505
@@ -31,6 +34,9 @@
e6a2505
 
e6a2505
 saved_full_gcl: ${LISP}
e6a2505
 	echo '(load "package.lisp")(load "loading.lisp")(jamie-load-clcs :compiled)(system::save-system "saved_full_gcl")' | ${LISP}
e6a2505
+	if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then \
e6a2505
+		chcon -t gcl_exec_t $@; \
e6a2505
+	fi
e6a2505
 
e6a2505
 clean:
e6a2505
 	rm -f *.o *.fn saved_full_gcl$(EXE) saved_full_gcl cmpinclude.h *.c *.h *.data saved_clcs_gcl
e6a2505
diff -durN gcl-2.6.8.ORIG/makefile gcl-2.6.8/makefile
e6a2505
--- gcl-2.6.8.ORIG/makefile	2007-11-30 09:59:33.000000000 -0700
b06d300
+++ gcl-2.6.8/makefile	2009-10-06 08:16:02.063488196 -0600
e6a2505
@@ -187,6 +187,9 @@
e6a2505
 	if gcc --version | grep -i mingw >/dev/null 2>&1 ; then if grep -i oncrpc makedefs >/dev/null 2>&1 ; then cp /mingw/bin/oncrpc.dll $(DESTDIR)$(INSTALL_LIB_DIR)/$(PORTDIR); fi ; fi
e6a2505
 	cd $(DESTDIR)$(INSTALL_LIB_DIR)/$(PORTDIR) && \
e6a2505
 		mv $(FLISP)$(EXE) temp$(EXE) && \
e6a2505
+		if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then \
e6a2505
+			chcon -t gcl_exec_t temp$(EXE); \
e6a2505
+		fi && \
e6a2505
 		echo '(reset-sys-paths "$(INSTALL_LIB_DIR)/")(si::save-system "$(FLISP)$(EXE)")' | ./temp$(EXE) && \
e6a2505
 		rm -f temp$(EXE)
e6a2505
 	if [ -e "unixport/rsym$(EXE)" ] ; then cp unixport/rsym$(EXE) $(DESTDIR)$(INSTALL_LIB_DIR)/unixport/ ; fi
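Review bot: The relabel added before the `./temp$(EXE)` run labels only the temporary image; the installed `$(FLISP)$(EXE)` that `si::save-system` writes on the next line is a new file and is labelled by the ordinary file-creation rules (normally the parent directory's type), not `gcl_exec_t`. Nothing else in this hunk relabels it, and the `saved_.*` entry in `selinux/gcl.fc` only takes effect once something runs restorecon on the final path, which an install under `$(DESTDIR)` does not do. Consider repeating the guarded `chcon -t gcl_exec_t $(FLISP)$(EXE)` after the save-system step, or adding a recipe comment stating that labelling of the installed image is deferred to restorecon. The enclosing install recipe starts before this hunk.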
e6a2505
diff -durN gcl-2.6.8.ORIG/selinux/gcl.fc gcl-2.6.8/selinux/gcl.fc
e6a2505
--- gcl-2.6.8.ORIG/selinux/gcl.fc	1969-12-31 17:00:00.000000000 -0700
b06d300
+++ gcl-2.6.8/selinux/gcl.fc	2009-10-06 08:17:02.445600007 -0600
b06d300
@@ -0,0 +1,5 @@
e6a2505
+/usr/lib64/gcl-[^/]+/unixport/saved_.*	--	gen_context(system_u:object_r:gcl_exec_t,s0)
e6a2505
+/usr/lib/gcl-[^/]+/unixport/saved_.*	--	gen_context(system_u:object_r:gcl_exec_t,s0)
b06d300
+/usr/lib/maxima/[^/]+/binary-gcl	--	gen_context(system_u:object:r:gcl_exec_t,s0)
b06d300
+/usr/lib64/maxima/[^/]+/binary-gcl	--	gen_context(system_u:object:r:gcl_exec_t,s0)
b06d300
+
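Review bot: The two maxima entries (`/usr/lib/maxima/[^/]+/binary-gcl` and the lib64 twin) spell the role as `object:r` where the two gcl entries above use `object_r`; `system_u:object:r:gcl_exec_t` is not a valid security context and will either fail the module's file-context build or leave those files unlabelled. Change both to `gen_context(system_u:object_r:gcl_exec_t,s0)`. A one-line header comment naming which package each path belongs to would help the next maintainer, and the trailing empty line can be dropped.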
e6a2505
diff -durN gcl-2.6.8.ORIG/selinux/gcl.if gcl-2.6.8/selinux/gcl.if
e6a2505
--- gcl-2.6.8.ORIG/selinux/gcl.if	1969-12-31 17:00:00.000000000 -0700
b06d300
+++ gcl-2.6.8/selinux/gcl.if	2009-10-06 08:16:02.064488944 -0600
e6a2505
@@ -0,0 +1,146 @@
e6a2505
+
e6a2505
+## <summary>policy for gcl</summary>
e6a2505
+
e6a2505
+########################################
e6a2505
+## <summary>
e6a2505
+##	Execute a domain transition to run gcl.
e6a2505
+## </summary>
e6a2505
+## <param name="domain">
e6a2505
+## <summary>
e6a2505
+##	Domain allowed to transition.
e6a2505
+## </summary>
e6a2505
+## </param>
e6a2505
+#
e6a2505
+interface(`gcl_domtrans',`
e6a2505
+	gen_require(`
e6a2505
+		type gcl_t;
e6a2505
+                type gcl_exec_t;
e6a2505
+	')
e6a2505
+
e6a2505
+	domtrans_pattern($1,gcl_exec_t,gcl_t)
e6a2505
+')
e6a2505
+
e6a2505
+
e6a2505
+########################################
e6a2505
+## <summary>
e6a2505
+##	Do not audit attempts to read, 
e6a2505
+##	gcl tmp files
e6a2505
+## </summary>
e6a2505
+## <param name="domain">
e6a2505
+##	<summary>
e6a2505
+##	Domain to not audit.
e6a2505
+##	</summary>
e6a2505
+## </param>
e6a2505
+#
e6a2505
+interface(`gcl_dontaudit_read_tmp_files',`
e6a2505
+	gen_require(`
e6a2505
+		type gcl_tmp_t;
e6a2505
+	')
e6a2505
+
e6a2505
+	dontaudit $1 gcl_tmp_t:file read_file_perms;
e6a2505
+')
e6a2505
+
e6a2505
+########################################
e6a2505
+## <summary>
e6a2505
+##	Allow domain to read, gcl tmp files
e6a2505
+## </summary>
e6a2505
+## <param name="domain">
e6a2505
+##	<summary>
e6a2505
+##	Domain to not audit.
e6a2505
+##	</summary>
e6a2505
+## </param>
e6a2505
+#
e6a2505
+interface(`gcl_read_tmp_files',`
e6a2505
+	gen_require(`
e6a2505
+		type gcl_tmp_t;
e6a2505
+	')
e6a2505
+
e6a2505
+	allow $1 gcl_tmp_t:file read_file_perms;
e6a2505
+')
e6a2505
+
e6a2505
+########################################
e6a2505
+## <summary>
e6a2505
+##	Allow domain to manage gcl tmp files
e6a2505
+## </summary>
e6a2505
+## <param name="domain">
e6a2505
+##	<summary>
e6a2505
+##	Domain to not audit.
e6a2505
+##	</summary>
e6a2505
+## </param>
e6a2505
+#
e6a2505
+interface(`gcl_manage_tmp',`
e6a2505
+	gen_require(`
e6a2505
+		type gcl_tmp_t;
e6a2505
+	')
e6a2505
+
e6a2505
+         manage_dirs_pattern($1,gcl_tmp_t,gcl_tmp_t)
e6a2505
+         manage_files_pattern($1,gcl_tmp_t,gcl_tmp_t)
e6a2505
+         manage_lnk_files_pattern($1,gcl_tmp_t,gcl_tmp_t)
e6a2505
+')
e6a2505
+
e6a2505
+########################################
e6a2505
+## <summary>
e6a2505
+##	Execute gcl in the gcl domain, and
e6a2505
+##	allow the specified role the gcl domain.
e6a2505
+## </summary>
e6a2505
+## <param name="domain">
e6a2505
+##	<summary>
e6a2505
+##	Domain allowed access
e6a2505
+##	</summary>
e6a2505
+## </param>
e6a2505
+## <param name="role">
e6a2505
+##	<summary>
e6a2505
+##	The role to be allowed the gcl domain.
e6a2505
+##	</summary>
e6a2505
+## </param>
e6a2505
+## <param name="terminal">
e6a2505
+##	<summary>
e6a2505
+##	The type of the role's terminal.
e6a2505
+##	</summary>
e6a2505
+## </param>
e6a2505
+#
e6a2505
+interface(`gcl_run',`
e6a2505
+	gen_require(`
e6a2505
+		type gcl_t;
e6a2505
+	')
e6a2505
+
e6a2505
+	gcl_domtrans($1)
e6a2505
+	role $2 types gcl_t;
e6a2505
+	dontaudit gcl_t $3:chr_file rw_term_perms;
e6a2505
+')
e6a2505
+
e6a2505
+
e6a2505
+########################################
e6a2505
+## <summary>
e6a2505
+##	All of the rules required to administrate 
e6a2505
+##	an gcl environment
e6a2505
+## </summary>
e6a2505
+## <param name="domain">
e6a2505
+##	<summary>
e6a2505
+##	Domain allowed access.
e6a2505
+##	</summary>
e6a2505
+## </param>
e6a2505
+## <param name="role">
e6a2505
+##	<summary>
e6a2505
+##	The role to be allowed to manage the gcl domain.
e6a2505
+##	</summary>
e6a2505
+## </param>
e6a2505
+## <param name="terminal">
e6a2505
+##	<summary>
e6a2505
+##	The type of the user terminal.
e6a2505
+##	</summary>
e6a2505
+## </param>
e6a2505
+## <rolecap/>
e6a2505
+#
e6a2505
+interface(`gcl_admin',`
e6a2505
+	gen_require(`
e6a2505
+		type gcl_t;
e6a2505
+	')
e6a2505
+
e6a2505
+	allow $1 gcl_t:process { ptrace signal_perms getattr };
e6a2505
+	read_files_pattern($1, gcl_t, gcl_t)
e6a2505
+	        
e6a2505
+
e6a2505
+	gcl_manage_tmp($1)
e6a2505
+
e6a2505
+')
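Review bot: Three of the new interfaces (`gcl_dontaudit_read_tmp_files`, `gcl_read_tmp_files`, `gcl_manage_tmp`) require `type gcl_tmp_t;`, but the `gcl.te` hunk in this commit declares only `gcl_t` and `gcl_exec_t`, so any caller — including `gcl_admin`, which calls `gcl_manage_tmp($1)` — fails at module build time with an undefined type. Either declare `gcl_tmp_t` in gcl.te (with `files_tmp_file(gcl_tmp_t)` and a matching file-context entry) or drop the tmp interfaces until the domain actually creates temp files. The `<param>` summaries of `gcl_read_tmp_files` and `gcl_manage_tmp` still say `Domain to not audit.`, copied from the dontaudit interface; they should read `Domain allowed access.`. The `gen_require` block of `gcl_domtrans` mixes a tab and spaces for indentation, and the body of `gcl_manage_tmp` is indented with spaces where every other interface uses tabs.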
e6a2505
diff -durN gcl-2.6.8.ORIG/selinux/gcl.te gcl-2.6.8/selinux/gcl.te
e6a2505
--- gcl-2.6.8.ORIG/selinux/gcl.te	1969-12-31 17:00:00.000000000 -0700
b06d300
+++ gcl-2.6.8/selinux/gcl.te	2009-10-06 08:17:51.669426472 -0600
b06d300
@@ -0,0 +1,44 @@
e6a2505
+policy_module(gcl,1.0.0)
e6a2505
+
e6a2505
+########################################
e6a2505
+#
e6a2505
+# Declarations
e6a2505
+#
e6a2505
+
e6a2505
+type gcl_t;
e6a2505
+type gcl_exec_t;
e6a2505
+application_domain(gcl_t, gcl_exec_t)
e6a2505
+role system_r types gcl_t;
e6a2505
+
e6a2505
+########################################
e6a2505
+#
e6a2505
+# gcl local policy
e6a2505
+#
e6a2505
+
e6a2505
+## internal communication is often done using fifo and unix sockets.
e6a2505
+allow gcl_t self:fifo_file rw_file_perms;
e6a2505
+allow gcl_t self:unix_stream_socket create_stream_socket_perms;
e6a2505
+
e6a2505
+libs_use_ld_so(gcl_t)
e6a2505
+libs_use_shared_libs(gcl_t)
e6a2505
+
e6a2505
+miscfiles_read_localization(gcl_t)
e6a2505
+
e6a2505
+## The GCL memory management and executable dumping routines manipulate memory
e6a2505
+## in various (usually forbidden) ways.
e6a2505
+allow gcl_t self:memprotect mmap_zero;
e6a2505
+allow gcl_t self:process { execmem execheap };
e6a2505
+
e6a2505
+unconfined_domain(gcl_t)
e6a2505
+
e6a2505
+optional_policy(`
e6a2505
+	gen_require(`
e6a2505
+		type unconfined_t;
e6a2505
+		type unconfined_devpts_t;
e6a2505
+		type unconfined_tty_device_t;
e6a2505
+		role unconfined_r;
e6a2505
+	')
e6a2505
+
e6a2505
+	gcl_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
e6a2505
+	allow gcl_t gcl_exec_t:file execmod;
e6a2505
+')
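Review bot: `unconfined_domain(gcl_t)` makes `gcl_t` an unconfined domain, so the explicit fifo, socket, `memprotect mmap_zero` and `execmem execheap` allows above it are presumably redundant (confirm against the target refpolicy version) and the transition from `unconfined_t` into `gcl_t` confines nothing. If the purpose is only to give GCL images these memory permissions without flipping system-wide booleans for every unconfined process, that intent is stated nowhere in the file; suggest a comment above the call such as `# gcl_t is deliberately unconfined: the separate domain exists so the memory-protection exemptions above apply to GCL images only -- TODO confirm this is the intent rather than a placeholder`. The `allow gcl_t gcl_exec_t:file execmod;` line references none of the unconfined types in the surrounding `gen_require`, so it belongs outside the `optional_policy` block next to the other local rules. `gcl_tmp_t`, which the interfaces in gcl.if require, is not declared here.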
e6a2505
diff -durN gcl-2.6.8.ORIG/unixport/makefile gcl-2.6.8/unixport/makefile
e6a2505
--- gcl-2.6.8.ORIG/unixport/makefile	2006-08-23 12:14:22.000000000 -0600
b06d300
+++ gcl-2.6.8/unixport/makefile	2009-10-06 08:16:02.065488296 -0600
e6a2505
@@ -118,6 +118,9 @@
e6a2505
 	cp init_$*.lsp foo
e6a2505
 	echo " (in-package \"USER\")(system:save-system \"$@\")" >>foo
e6a2505
 	$(PORTDIR)/raw_$*$(EXE) $(PORTDIR)/ -libdir $(GCLDIR)/ < foo
e6a2505
+	if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then \
e6a2505
+		chcon -t gcl_exec_t $@; \
e6a2505
+	fi
e6a2505
 
e6a2505
 $(RSYM): $(SPECIAL_RSYM) $(HDIR)/mdefs.h
e6a2505
 	$(CC) $(CFLAGS) -I$(HDIR) -I$(ODIR) -o $(RSYM) $(SPECIAL_RSYM)
e6a2505
@@ -157,6 +160,9 @@
e6a2505
 	$(CC) -o raw_$*$(EXE) $(filter %.o,$^) \
e6a2505
 		-L. $(EXTRA_LD_LIBS) $(LD_LIBS_PRE) -l$* $(LD_LIBS_POST)
e6a2505
 endif
e6a2505
+	if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then \
e6a2505
+		chcon -t gcl_exec_t raw_$*$(EXE); \
e6a2505
+	fi
e6a2505
 #	diff map_$* map_$*.old >/dev/null || (cp map_$* map_$*.old && rm -f $@ && $(MAKE) $@)
e6a2505
 #	cp map_$*.old map_$*
e6a2505