author | Nathan Straz <nstraz@redhat.com> | 2009-12-03 11:47:41 -0500 |
---|---|---|
committer | Nathan Straz <nstraz@redhat.com> | 2009-12-03 11:47:41 -0500 |
commit | 7e577a269e620dd68bc8d903970a69a63a6c2131 (patch) | |
tree | 4ec7f5268d44e09c3234f4aa4a793a60f5c4ff73 | |
parent | 9c3e3fc8d6027b6337d452e30348c68ca600acb9 (diff) | |
Only include lvm and logging parts of system policy
There were a lot of bad things to include in the system layer.
Exclude anything with "spec" in the name.
-rw-r--r-- | SELinux/Makefile | 15 | ||||
-rw-r--r-- | SELinux/qarshd.bad-interfaces | 13 |
2 files changed, 11 insertions, 17 deletions
diff --git a/SELinux/Makefile b/SELinux/Makefile
index 8b978d7..1a0c6ee 100644
--- a/SELinux/Makefile
+++ b/SELinux/Makefile
@@ -10,17 +10,24 @@ qarshd.te: qarshd.te.in qarshd.te.trans
 # Pull all interfaces listed in policy.xml from the services or apps layer
 # which have one parameter named domains and whose name contains domtrans
-allinterfaces := $(shell gxpp '//layer[@name = "services" or @name = "apps" or @name = "system"]//interface[param/@name="domain" and count(param) = 1 and contains(@name, "domtrans")]/@name' $(selinux_devel)/policy.xml)
+interfacecond := param/@name="domain" and count(param)=1 and contains(@name, "domtrans") and not(contains(@name, "_spec"))
+allinterfaces := $(shell gxpp '//layer[@name = "services" or @name = "apps"]//interface[$(interfacecond)]/@name' $(selinux_devel)/policy.xml)
+allinterfaces += $(shell gxpp '//layer[@name = "system"]//module[@name="lvm" or @name="logging"]/interface[$(interfacecond)]/@name' $(selinux_devel)/policy.xml)
 badinterfaces := $(shell cat qarshd.bad-interfaces)
 # Filter out interfaces which break policy building or loading.
-interfaces = $(filter-out $(badinterfaces), $(allinterfaces))
+interfaces := $(filter-out $(badinterfaces), $(allinterfaces))
-qarshd.te.trans: $(selinux_devel)/policy.xml qarshd.bad-interfaces
- for d in $(interfaces); do \
+qarshd.te.trans: $(selinux_devel)/policy.xml qarshd.bad-interfaces Makefile
+ @for d in $(interfaces); do \
 echo "$$d(qarshd_t)"; \
 done > $@
+# Helpful target to see what is not needed in bad-interfaces
+notbad := $(filter-out $(filter $(badinterfaces), $(allinterfaces)), $(badinterfaces))
+qarshd.notbad:
+ @echo $(notbad) | sort
+
 # Add a cleanup step for our generated files
 clean: clean-qarsh
diff --git a/SELinux/qarshd.bad-interfaces b/SELinux/qarshd.bad-interfaces
index 3139085..dcbd038 100644
--- a/SELinux/qarshd.bad-interfaces
+++ b/SELinux/qarshd.bad-interfaces
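Review bot: In the new `qarshd.notbad` recipe of SELinux/Makefile, `@echo $(notbad) | sort` sorts nothing, because echo writes every name on one line and sort orders lines; `@printf '%s\n' $(notbad) | sort` would print one name per line. The target creates no file, so it should also be declared with `.PHONY: qarshd.notbad`. Separately, the services and apps query is still a denylist: every single-parameter domtrans interface that policy.xml lists there is written out as `name(qarshd_t)` unless qarshd.bad-interfaces names it, so an updated policy.xml can add transitions for qarshd_t with no change in this repository, whereas selecting modules by name, as the new system-layer query does for lvm and logging, keeps that set reviewable. The comment above `allinterfaces` still says "services or apps layer" and could mention the two system modules and the `_spec` exclusion.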
@@ -7,26 +7,13 @@ bluetooth_domtrans_helper
 clockspeed_domtrans_cli
 ddclient_domtrans
 ifplugd_domtrans
-locallogin_domtrans
-locallogin_domtrans_sulogin
-modutils_domtrans_insmod
-mount_domtrans
 oav_domtrans_update
 openca_domtrans
-pki_ca_script_domtrans
-pki_kra_script_domtrans
-pki_ocsp_script_domtrans
-pki_ra_script_domtrans
-pki_tks_script_domtrans
-pki_tps_script_domtrans
 portslave_domtrans
 qemu_domtrans
 rgmanager_domtrans
 samba_domtrans_net
 sendmail_domtrans
-seutil_domtrans_restorecon
-seutil_domtrans_setfiles_mac
-seutil_init_script_domtrans_runinit
 thunderbird_domtrans
 uwimap_domtrans
 wireshark_domtrans |