From d29dd2b1490a689a3a8f1cb1f5f6375118b208e4 Mon Sep 17 00:00:00 2001
From: Nathan Straz
Date: Thu, 19 Nov 2009 17:55:21 -0500
Subject: Pull in all services and apps interfaces

This isn't completely possible because some interfaces cause syntax or load errors. We need to keep a list of interfaces to filter out to get something that loads. This adds gxpp as a requirement to build qarsh.
---
SELinux/Makefile | 28 ++++++++++++----------------
SELinux/qarshd.bad-interfaces | 32 ++++++++++++++++++++++++++++++++
SELinux/qarshd.te.m4 | 2 --
qarsh.spec | 5 ++---
4 files changed, 46 insertions(+), 21 deletions(-)
create mode 100644 SELinux/qarshd.bad-interfaces
delete mode 100644 SELinux/qarshd.te.m4
diff --git a/SELinux/Makefile b/SELinux/Makefile
index 57aec51..c810efb 100644
--- a/SELinux/Makefile
+++ b/SELinux/Makefile
@@ -1,29 +1,25 @@ - # Since qarshd.te is generated, set an explicit dep on qarshd.pp all: qarshd.pp -vpath qarshd.% /usr/share/selinux/packages/qarsh selinux_devel := /usr/share/selinux/devel -interfaces := services/aisexec.if \ - services/ccs.if \ - services/rgmanager.if \ - services/rhcs.if \ - system/lvm.if \ - system/logging.if - - -interfaces_full := $(addprefix $(selinux_devel)/include/, $(interfaces)) -# Wouldn't it be nice to do them all? -#interfaces_full := $(wildcard $(selinux_devel)/include/services/*.if) - include $(selinux_devel)/Makefile qarshd.te: qarshd.te.in qarshd.te.trans cat $^ > $@ -qarshd.te.trans: qarshd.te.m4 $(interfaces_full) - $(M4) $^ | grep qarshd_t > $@ +# Pull all interfaces listed in policy.xml from the services or apps layer +# which have one parameter named domains and whose name contains domtrans +allinterfaces := $(shell gxpp '//layer[@name = "services" or @name = "apps"]//interface[param/@name="domain" and count(param) = 1 and contains(@name, "domtrans")]/@name' $(selinux_devel)/policy.xml) +badinterfaces := $(shell cat qarshd.bad-interfaces) + +# Filter out interfaces which break policy building or loading. +interfaces = $(filter-out $(badinterfaces), $(allinterfaces)) + +qarshd.te.trans: $(selinux_devel)/policy.xml qarshd.bad-interfaces + for d in $(interfaces); do \ + echo "$$d(qarshd_t)"; \ + done > $@ # Add a cleanup step for our generated files clean: clean-qarsh
diff --git a/SELinux/qarshd.bad-interfaces b/SELinux/qarshd.bad-interfaces
new file mode 100644
index 0000000..62a06c5
--- /dev/null
+++ b/SELinux/qarshd.bad-interfaces
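Review bot: `allinterfaces := $(shell gxpp …)` in SELinux/Makefile discards gxpp's exit status, so a missing gxpp or an unreadable `policy.xml` leaves `$(interfaces)` empty and the `qarshd.te.trans` recipe still succeeds with an empty file; the module then builds without any of the intended transitions and nothing reports it. A guard as the first recipe line, e.g. `@test -n "$(strip $(interfaces))" || { echo "gxpp returned no interfaces" >&2; exit 1; }`, would make that failure visible. Both `$(shell …)` assignments also run at parse time on every invocation, including `make clean`, and `cat qarshd.bad-interfaces` is resolved against the current directory. Separately, the transitions granted to `qarshd_t` now follow whichever `policy.xml` is installed on the build host, minus a list kept only for build or load breakage, so the generated `qarshd.te.trans` is worth keeping as a build artifact for review. The comment above the assignment says the parameter is named `domains` while the XPath tests `@name="domain"`.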
@@ -0,0 +1,32 @@
+apache_script_domtrans
+authbind_domtrans
+avahi_initrc_domtrans
+clockspeed_domtrans_cli
+ddclient_domtrans
+dnsmasq_initrc_domtrans
+domain_entry_file_spec_domtrans
+exim_domtrans
+fail2ban_domtrans
+init_script_domtrans_spec
+loadkeys_domtrans
+nx_spec_domtrans_server
+oav_domtrans_update
+openca_domtrans
+pegasus_domtrans
+pki_ca_script_domtrans
+pki_kra_script_domtrans
+pki_ocsp_script_domtrans
+pki_ra_script_domtrans
+pki_tks_script_domtrans
+pki_tps_script_domtrans
+portslave_domtrans
+postgrey_script_domtrans
+qemu_domtrans
+qmail_domtrans_inject
+qmail_domtrans_queue
+rssh_spec_domtrans_all_users
+spamassassin_spamd_initrc_domtrans
+tor_domtrans
+usernetctl_domtrans
+uwimap_domtrans
+yam_domtrans
diff --git a/SELinux/qarshd.te.m4 b/SELinux/qarshd.te.m4
deleted file mode 100644
index 27291b1..0000000
--- a/SELinux/qarshd.te.m4
+++ /dev/null
@@ -1,2 +0,0 @@
-define(interface, `ifelse(regexp($1, `domtrans$'), `-1', , `$1(qarshd_t)')')
-
diff --git a/qarsh.spec b/qarsh.spec
index 14c9ff5..282fe4e 100644
--- a/qarsh.spec
+++ b/qarsh.spec
@@ -33,17 +33,16 @@ WARNING: THIS PACKAGE PROVIDES REMOTE ROOT ACCESS WITHOUT AUTHENTICATION -%global selinux_variants targeted %global selinux_policyver %(%{__sed} -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp || echo 0.0.0) %package selinux Summary: SELinux policy module supporting qarsh Group: QA -BuildRequires: checkpolicy, selinux-policy-devel, /usr/share/selinux/devel/policyhelp, hardlink +BuildRequires: checkpolicy, selinux-policy-devel, /usr/share/selinux/devel/policyhelp, hardlink, gxpp %if "%{selinux_policyver}" != "" Requires: selinux-policy >= %{selinux_policyver} %endif -Requires: %{name} = %{version}-%{release} +Requires: %{name}-server = %{version}-%{release} Requires(post): /usr/sbin/semodule, /sbin/fixfiles, qarsh-server Requires(postun): /usr/sbin/semodule
-- cgit
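Review bot: Nothing in `SELinux/qarshd.bad-interfaces` records why an entry is excluded (syntax error versus load error) or which selinux-policy-devel version it was checked against, so the list cannot be re-validated later and entries will tend to stay indefinitely. Because the Makefile reads the file with a plain `cat` into `filter-out`, comment lines cannot be added as-is; reading it with something like `grep -v '^#' qarshd.bad-interfaces` would allow a header such as `# excluded: breaks policy build or load, checked against selinux-policy <VERSION>`. Each name listed here is a transition `qarshd_t` does not get and each name absent is one it does, so the file is effectively part of the policy and deserves the same review trail.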