From 95c8b01d3776fca7ad1f624b2f880162b9964db6 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Sep 22 2015 12:45:08 +0000
Subject: Added support for permissive domains
---
diff --git a/permissivedomains.cil b/permissivedomains.cil
new file mode 100644
index 0000000..3a53af3
--- /dev/null
+++ b/permissivedomains.cil
@@ -0,0 +1 @@
+(roleattributeset cil_gen_require system_r)
diff --git a/permissivedomains.fc b/permissivedomains.fc
deleted file mode 100644
index 6e6a8fc..0000000
--- a/permissivedomains.fc
+++ /dev/null
@@ -1 +0,0 @@
-# No file contexts
diff --git a/permissivedomains.if b/permissivedomains.if
deleted file mode 100644
index bd83148..0000000
--- a/permissivedomains.if
+++ /dev/null
@@ -1 +0,0 @@
-## No Interfaces
diff --git a/permissivedomains.pp b/permissivedomains.pp
deleted file mode 100644
index e5425f0..0000000
Binary files a/permissivedomains.pp and /dev/null differ
diff --git a/permissivedomains.te b/permissivedomains.te
deleted file mode 100644
index 2406aee..0000000
--- a/permissivedomains.te
+++ /dev/null
@@ -1,2 +0,0 @@
-policy_module(permissivedomains,23)
-
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4727d87..b841121 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -51,7 +51,7 @@ Source23: users-targeted
 Source25: users-minimum
 Source26: file_contexts.subs_dist
 Source27: selinux-policy.conf
-Source28: permissivedomains.pp
+Source28: permissivedomains.cil
 Source29: serefpolicy-contrib-%{version}.tgz
 Source30: booleans.subs_dist
 Source33: manpages_html.tgz
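Review bot: `permissivedomains.cil` ships a single `roleattributeset` statement with no comment, so a reader cannot tell that the module is apparently an empty placeholder rather than a list of permissive types. Going by the commit subject, this file is where permissive domains would be declared, and each such declaration turns off enforcement for that domain. A leading comment such as `; Placeholder module: no permissive domains are declared here.` followed by `; Every typepermissive statement added to this file disables enforcement for that type.` would make later additions stand out in review.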
@@ -180,6 +180,7 @@ install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}
 install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \
 install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
+touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/file_contexts.homedirs.bin \
 touch %{buildroot}%{_sysconfdir}/selinux/%1/file_contexts.bin \
 cp %{SOURCE30} %{buildroot}%{_sysconfdir}/selinux/%1 \
@@ -227,6 +228,7 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs* \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
+%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
 # %ghost %{_sysconfdir}/selinux/%1/contexts/files/*.bin \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
 %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \
@@ -342,10 +344,13 @@ make clean
 %if %{BUILD_TARGETED}
 # Build targeted policy
 # Commented out because only targeted ref policy currently builds
-cp %{SOURCE28} %{buildroot}/%{_usr}/share/selinux/targeted
+cp %{SOURCE28} %{buildroot}/
 %makeCmds targeted mcs n allow
 %makeModulesConf targeted base contrib
 %installCmds targeted mcs n allow
+# install permissivedomains.cil
+semodule -p %{buildroot} -X 100 -i %{buildroot}/permissivedomains.cil
+rm -rf %{buildroot}/permissivedomains.cil
 # recreate sandbox.pp
 rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox
 make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 sandbox.pp
@@ -358,7 +363,6 @@ mv sandbox.pp %{buildroot}/usr/share/selinux/packages/sandbox.pp
 # Build minimum policy
 # Commented out because only minimum ref policy currently builds
 mkdir -p %{buildroot}%{_usr}/share/selinux/minimum
-cp %{SOURCE28} %{buildroot}/%{_usr}/share/selinux/minimum
 %makeCmds minimum mcs n allow
 %makeModulesConf targeted base contrib
 %installCmds minimum mcs n allow
@@ -499,6 +503,7 @@ exit 0
 %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u
 %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u
 %fileList targeted
+%verify(not md5 size mtime) %{_sharedstatedir}/selinux/targeted/active/modules/100/permissivedomains
 %{_usr}/share/selinux/targeted/base.lst
 %{_usr}/share/selinux/targeted/modules-base.lst
 %{_usr}/share/selinux/targeted/modules-contrib.lst
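Review bot: The added `semodule` call does not name a policy store, so which store receives the module presumably depends on the SELinux config found under `%{buildroot}`, while the `%files` entry added in the last hunk expects it under `targeted/active/modules/100`. Naming the store and installing straight from the source file would remove that dependency and the copy/delete pair around it: `semodule -p %{buildroot} -X 100 -s targeted -i %{SOURCE28}`. The `cp` removed from the minimum section in the next hunk has no replacement, so the minimum policy appears to be built without this module; worth confirming that is intended. The `%if %{BUILD_TARGETED}` block continues past the hunk.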
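Review bot: The new `%files` entry in the `@@ -499` hunk excludes digest, size and mtime from verification, so `rpm -V` will not report content changes to the installed permissivedomains module. Going by the commit subject, that module is where unenforced domains are declared, which makes silent edits to it worth detecting. If the module store does not rewrite this content on the target (not visible from the hunk), keeping the digest check with `%verify(not mtime) %{_sharedstatedir}/selinux/targeted/active/modules/100/permissivedomains` would let tampering show up in package verification. Otherwise a one-line comment above the entry saying why verification is relaxed would help the next reader.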