Daniel J Walsh wrote:
Paul Howarth wrote:
Christopher J. PeBenito wrote:
On Tue, 2006-07-25 at 10:14 +0100, Paul Howarth wrote:
Now that RPM packages are starting to include policy module packages
(my mod_fcgid package was approved for Extras recently:
http://bugzilla.redhat.com/195666), it would be nice to have a
standard place for the .pp files to be dropped, and for that
directory to be owned by the selinux-policy package (so that all the
packages don't need to own it themselves).
I propose the following:
/usr/share/selinux/packages
(container directory, separate from modules bundled with Core package)
/usr/share/selinux/packages/mls
(policy modules for use with the mls base policy)
/usr/share/selinux/packages/strict
(policy modules for use with the strict base policy)
/usr/share/selinux/packages/targeted
(policy modules for use with the targeted base policy)
/usr/share/selinux/packages/share
(policy modules that have no base-specific elements, and can be used
with all base policies)
I think this is a good idea.
Good, but you might change your mind...
There already is a standard location:
/usr/share/selinux/NAME/
Currently the selinux-policy-TYPE package looks in this directory and
installs all the pp files that are in this directory.
It should probably change to only install the pp files that it is
packaging. This is a management headache because we
don't need to manage this now. If someone has a good solution to
figuring out the pp files during the spec build this would be
great. Trying to update the modules-TYPE.conf file and maintaining the
spec file in sync would be a royal pain.
Try the attached patch which groks the module names from the
modules-TYPE.conf file.
It also moves the directory ownership of the /usr/share/selinux/NAME/
directory from the selinux-policy-NAME package to the selinux-policy
package, so that RPMs containing policy module packages for all base
policies will have properly-owned directories to install them into even
on systems that only have one of the base policies installed.
Regarding .pp files that are identical for each of the base policies, I
think it's better not to have a "share" directory for them but instead
to install them into one of the /usr/share/selinux/NAME/ directories and
then link them to the other /usr/share/selinux/NAME/ directories. This
could be done automagically with a bit of boilerplate scripting in the
spec file that looks for identical .pp files and links them together.
The advantage of doing it this way is that it'll still work properly
even if some of the policy macros change and what was once a policy
package that was identical across all base policies suddenly becomes
different for each base policy, i.e. the module packager doesn't need to
make any changes, just rebuild against the new policy.
With the attached patch and the module packaging policy described above,
all .pp files, from both the Core policy packages and others, will go in
/usr/share/selinux/NAME/ and there is no need for the separate
/usr/share/selinux/packages/ hierarchy.
Paul.
--- selinux-policy.spec 2006-07-26 10:22:24.000000000 +0100
+++ selinux-policy.spec 2006-07-26 12:40:09.000000000 +0100
@@ -58,6 +58,9 @@
%{_usr}/share/selinux/devel/policygentool
%{_usr}/share/selinux/devel/example.*
%attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp
+%dir %{_usr}/share/selinux/targeted
+%dir %{_usr}/share/selinux/strict
+%dir %{_usr}/share/selinux/mls
%define setupCmds() \
make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%3 bare \
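Review bot: the three new %dir lines hard-code the base policy names a second time (the same three reappear in the mkdir of the %install hunk), so adding a fourth policy type means editing both places plus the %fileList callers; a single %define holding the list, used by both the %files section and %install, would keep them in step. Worth a sentence in the commit message as well that the main selinux-policy package now owns these directories even when the matching selinux-policy-TYPE subpackage is absent, since that is the point of the move.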
@@ -65,6 +68,9 @@
cp -f ${RPM_SOURCE_DIR}/modules-%1.conf ./policy/modules.conf \
cp -f ${RPM_SOURCE_DIR}/booleans-%1.conf ./policy/booleans.conf \
+%define moduleList() %([ -f %{_sourcedir}/modules-%{1}.conf ] && \
+sort %{_sourcedir}/modules-%{1}.conf | awk '$2 == "=" && $3 == "module" { printf "-i %%s.pp ", $1 }')
+
%define installCmds() \
make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%3 base.pp \
make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%3 modules \
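Review bot: in moduleList the `[ -f %{_sourcedir}/modules-%{1}.conf ] &&` guard makes a missing or misnamed conf expand to nothing, so %rebuildpolicy would then run `semodule -b base.pp -s TYPE` and load no modules at all, with no error at build time; dropping the guard, or printing to stderr and failing, would surface a typo when the spec is parsed rather than when the trigger fires. Note also that the list is fixed at parse time, so the scriptlet carries whatever modules-TYPE.conf said when the package was built; that is consistent with setupCmds copying the same file into policy/modules.conf, but it is worth stating in the commit message.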
@@ -91,7 +97,6 @@
%define fileList() \
%defattr(-,root,root) \
-%dir %{_usr}/share/selinux/%1 \
%{_usr}/share/selinux/%1/*.pp \
%dir %{_sysconfdir}/selinux/%1 \
%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
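Review bot: with %dir dropped from %fileList, a system that has only selinux-policy-TYPE installed relies on that subpackage pulling in selinux-policy for /usr/share/selinux/TYPE to stay owned; the hunk does not show a Requires on the base package, so confirm the subpackages carry one with a matching version, otherwise the directory becomes unowned on upgrade from a release where the subpackage owned it.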
@@ -130,8 +135,7 @@
%define rebuildpolicy() \
( cd /usr/share/selinux/%1; \
-x=`ls *.pp | grep -v -e base.pp -e enableaudit.pp | awk '{ print "-i " $1 }'`; \
-semodule -b base.pp $x -s %1; \
+semodule -b base.pp %{expand:%%moduleList %1} -s %1; \
);\
rm -f %{_sysconfdir}/selinux/%1/policy/policy.*.rpmnew
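Review bot: this changes what a rebuild loads: the old `ls *.pp | grep -v -e base.pp -e enableaudit.pp` picked up every module file in the directory, including ones dropped there by other packages (the mod_fcgid case this thread is about), while `%{expand:%%moduleList %1}` covers only the modules listed in modules-TYPE.conf. That is the behaviour Dan asked for, but it means third-party modules are left in whatever state the store already has them and their own %post must (re)install them; say so in the cover letter. With the `x=` line gone the `( cd /usr/share/selinux/%1; ... )` subshell only provides the cd, which is fine, just noting it.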
@@ -160,6 +164,9 @@
touch %{buildroot}%{_sysconfdir}/selinux/config
touch %{buildroot}%{_sysconfdir}/sysconfig/selinux
+# Always create policy module package directories
+mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,strict,mls}/
+
# Install devel
make clean
make NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} DIRECT_INITRC=y MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=%3 install-headers install-docs
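Review bot: `mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,strict,mls}/` depends on brace expansion, a bashism; %install runs under /bin/sh, which is bash on Fedora, but `for t in targeted strict mls; do mkdir -p ...; done` avoids that and lets the same list drive the %dir entries in the %files section. Pre-existing nit visible in the context line: `POLY=%3` on the install-headers line sits outside any parametric macro, so `%3` has no argument to expand to there.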
@@ -281,7 +288,7 @@
%relabel mls
%triggerpostun mls -- mls <= 2.0.7
-%{rebuildpolicy} mls
+%rebuildpolicy mls
%files mls
%fileList mls
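Review bot: `%{rebuildpolicy} mls` expands the macro with no arguments, so the `%1` references inside it (the `cd /usr/share/selinux/%1` and the `-s %1`) have nothing to expand to, whereas `%rebuildpolicy mls` passes `mls` as `%1`; this is a real bug fix independent of the directory move and deserves its own sentence in the commit message.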
@@ -315,7 +322,7 @@
semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init -r libraries -r locallogin -r logging -r lvm -r miscfiles -r modutils -r mount -r mta -r netutils -r selinuxutil -r storage -r sysnetwork -r udev -r userdomain -r vpnc -r xend $x -s strict
%triggerpostun strict -- strict <= 2.0.7
-%{rebuildpolicy} strict
+%rebuildpolicy strict
%files strict
%fileList strict
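Review bot: same fix as the mls trigger, and equally worth calling out. Separately, the `$x` in the `semodule -b base.pp -r bootloader ... $x -s strict` context line above is a shell variable set somewhere earlier in that scriptlet and not visible here; since this patch removes the `x=` computation from %rebuildpolicy, please check that this `$x` is still produced by its own `ls *.pp` pipeline (or switch it to `%{expand:%%moduleList strict}`) so it does not quietly expand to empty.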
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
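The spec-file boilerplate Paul describes above, hard-linking .pp files that are byte-identical across the base-policy directories, together with the modules-TYPE.conf parsing from the patch's moduleList macro, as an added shell example. This is not code from the thread or from the selinux-policy spec; the helper names, the three base directories, the sample modules-targeted.conf and the .pp file contents are all constructed assumptions. Run it with `sh script.sh demo` to see it operate on a temporary tree.

```shell
#!/bin/sh
# Added example, not from the thread or the selinux-policy spec: hardlink
# byte-identical .pp files across the base-policy directories (Paul's
# proposal) and derive the semodule -i list from a modules-TYPE.conf (the
# patch's moduleList macro). Paths, names and file contents are assumed.
set -eu

# Base policies whose directories are examined; assumption mirroring the patch.
BASES="targeted strict mls"

# link_identical_pp ROOT
# For each module name found under ROOT/<base>/, take the first copy as the
# reference and replace every other byte-identical copy with a hard link to
# it. Copies that differ are left alone, so a module that later diverges
# between base policies simply stops being linked on the next build.
# Prints the number of links made; re-running on a linked tree prints 0.
link_identical_pp() {
    root=$1
    linked=0
    for name in $(for b in $BASES; do
                      find "$root/$b" -name '*.pp' 2>/dev/null
                  done | sed 's|.*/||' | sort -u); do
        ref=
        for b in $BASES; do
            cand=$root/$b/$name
            [ -f "$cand" ] || continue
            if [ -z "$ref" ]; then
                ref=$cand
                continue
            fi
            # -ef: same inode already (supported by bash, dash and busybox sh)
            if [ "$cand" -ef "$ref" ]; then
                continue
            fi
            if cmp -s "$ref" "$cand"; then
                ln -f "$ref" "$cand"
                linked=$((linked + 1))
            fi
        done
    done
    echo "$linked"
}

# module_list CONF
# Emit "-i NAME.pp " for every "NAME = module" line, skipping "= base" and
# "= off" entries and comments: the same filter the patch's awk applies.
module_list() {
    sort "$1" | awk '$2 == "=" && $3 == "module" { printf "-i %s.pp ", $1 }'
}

# make_sample_tree DIR
# Constructed stand-ins for compiled policy packages. Real .pp files are
# binary, but only byte equality matters to the linking step.
make_sample_tree() {
    root=$1
    for b in $BASES; do mkdir -p "$root/$b"; done
    # a module that compiles identically for every base policy
    printf 'mod_fcgid policy, same for every base\n' > "$root/targeted/mod_fcgid.pp"
    cp "$root/targeted/mod_fcgid.pp" "$root/strict/mod_fcgid.pp"
    cp "$root/targeted/mod_fcgid.pp" "$root/mls/mod_fcgid.pp"
    # a module that differs per base policy and has no mls build
    printf 'foo built against targeted\n' > "$root/targeted/foo.pp"
    printf 'foo built against strict\n'   > "$root/strict/foo.pp"
    # a module present only in strict and mls, identical in both
    printf 'bar policy\n' > "$root/strict/bar.pp"
    printf 'bar policy\n' > "$root/mls/bar.pp"
    # constructed modules-targeted.conf in the "name = module|base|off" form
    printf '# comment line\nkernel = base\napache = module\nmod_fcgid = module\nfoo = off\n' \
        > "$root/modules-targeted.conf"
}

if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    make_sample_tree "$d"
    echo "links made: $(link_identical_pp "$d")"
    echo "semodule args: $(module_list "$d/modules-targeted.conf")"
    rm -rf "$d"
fi
```

Because the link step compares bytes rather than trusting the packager, a module that was identical across base policies in one release and diverges in the next is handled without any spec change, which is the property Paul is after; the cost is that `cmp` runs once per module per base directory at build time.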