Paul Howarth wrote:
Daniel J Walsh wrote:
Paul Howarth wrote:
Christopher J. PeBenito wrote:
On Tue, 2006-07-25 at 10:14 +0100, Paul Howarth wrote:
Now that RPM packages are starting to include policy module
packages (my mod_fcgid package was approved for Extras recently:
http://bugzilla.redhat.com/195666), it would be nice to have a
standard place for the .pp files to be dropped, and for that
directory to be owned by the selinux-policy package (so that all
the packages don't need to own it themselves).
I propose the following:
/usr/share/selinux/packages
(container directory, separate from modules bundled with Core
package)
/usr/share/selinux/packages/mls
(policy modules for use with the mls base policy)
/usr/share/selinux/packages/strict
(policy modules for use with the strict base policy)
/usr/share/selinux/packages/targeted
(policy modules for use with the targeted base policy)
/usr/share/selinux/packages/share
(policy modules that have no base-specific elements, and can be
used with all base policies)
I think this is a good idea.
Good, but you might change your mind...
There already is a standard location:
/usr/share/selinux/NAME/
Currently the selinux-policy-TYPE package looks in this directory and
installs all the pp files that are in this directory.
It should probably change to only install the pp files that it is
packaging. This is a management headache because we
don't need to manage this now. If someone has a good solution to
figuring out the pp files during the spec build this would be
great. Trying to update the modules-TYPE.conf file and maintaining
the spec file in sync would be a royal pain.
Try the attached patch which groks the module names from the
modules-TYPE.conf file.
It also moves the directory ownership of the /usr/share/selinux/NAME/
directory from the selinux-policy-NAME package to the selinux-policy
package, so that RPMs containing policy module packages for all base
policies will have properly-owned directories to install them into
even on systems that only have one of the base policies installed.
Regarding .pp files that are identical for each of the base policies,
I think it's better not to have a "share" directory for them but
instead to install them into one of the /usr/share/selinux/NAME/
directories and then link them to the other /usr/share/selinux/NAME/
directories. This could be done automagically with a bit of
boilerplate scripting in the spec file that looks for identical .pp
files and links them together. The advantage of doing it this way is
that it'll still work properly even if some of the policy macros
change and what was once a policy package that was identical across
all base policies suddenly becomes different for each base policy,
i.e. the module packager doesn't need to make any changes, just
rebuild against the new policy.
With the attached patch and the module packaging policy described
above, all .pp files, from both the Core policy packages and others,
will go in /usr/share/selinux/NAME/ and there is no need for the
separate /usr/share/selinux/packages/ hierarchy.
Paul.
------------------------------------------------------------------------
--- selinux-policy.spec 2006-07-26 10:22:24.000000000 +0100
+++ selinux-policy.spec 2006-07-26 12:40:09.000000000 +0100
@@ -58,6 +58,9 @@
%{_usr}/share/selinux/devel/policygentool
%{_usr}/share/selinux/devel/example.*
%attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp
+%dir %{_usr}/share/selinux/targeted
+%dir %{_usr}/share/selinux/strict
+%dir %{_usr}/share/selinux/mls
%define setupCmds() \
make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%3 bare \
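Review bot: the three policy-type names are hardcoded in these `%dir` lines and again in the `mkdir -p` added to %install, so a fourth base policy would have to be added in two places; define the list once (for example a `%define policytypes targeted strict mls`) and derive both the `%dir` entries and the mkdir from it so they cannot drift apart.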
@@ -65,6 +68,9 @@
cp -f ${RPM_SOURCE_DIR}/modules-%1.conf ./policy/modules.conf \
cp -f ${RPM_SOURCE_DIR}/booleans-%1.conf ./policy/booleans.conf \
+%define moduleList() %([ -f %{_sourcedir}/modules-%{1}.conf ] && \
+sort %{_sourcedir}/modules-%{1}.conf | awk '$2 == "=" && $3 == "module" { printf "-i %%s.pp ", $1 }')
+
%define installCmds() \
make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%3 base.pp \
make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%3 modules \
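Review bot: the awk filter in `moduleList` does not skip comment lines, so a commented-out entry such as `# foo = module` in modules-TYPE.conf still matches `$2 == "=" && $3 == "module"` and yields `-i foo.pp`, and the `sort` contributes nothing since the output is only an argument list. Suggest `awk '$1 !~ /^#/ && $2 == "=" && $3 == "module" { printf "-i %%s.pp ", $1 }' %{_sourcedir}/modules-%{1}.conf`. The `[ -f ... ] &&` guard also means a missing conf file expands the macro to nothing, leaving `semodule -b base.pp -s %1` to load only the base module silently; failing the build there would be safer.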
@@ -91,7 +97,6 @@
%define fileList() \
%defattr(-,root,root) \
-%dir %{_usr}/share/selinux/%1 \
%{_usr}/share/selinux/%1/*.pp \
%dir %{_sysconfdir}/selinux/%1 \
%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
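Review bot: dropping `%dir %{_usr}/share/selinux/%1` from `fileList` leaves the selinux-policy-TYPE subpackage depending on the base selinux-policy package for ownership of that directory; each subpackage needs a hard dependency on the base package at the same version (the spec's Requires lines are not in this diff), otherwise a subpackage installed on its own leaves `/usr/share/selinux/TYPE` unowned, which is the situation the change is meant to prevent.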
@@ -130,8 +135,7 @@
%define rebuildpolicy() \
( cd /usr/share/selinux/%1; \
-x=`ls *.pp | grep -v -e base.pp -e enableaudit.pp | awk '{ print "-i " $1 }'`; \
-semodule -b base.pp $x -s %1; \
+semodule -b base.pp %{expand:%%moduleList %1} -s %1; \
);\
rm -f %{_sysconfdir}/selinux/%1/policy/policy.*.rpmnew
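Review bot: the module list is now baked into the %triggerpostun scriptlet at build time from modules-TYPE.conf, where the removed `ls *.pp` loop picked up whatever existed at run time, and three consequences should be spelled out in the changelog: .pp files dropped into /usr/share/selinux/%1 by other packages are no longer reloaded by this trigger and must be handled by their own package's scriptlets; the explicit `grep -v -e enableaudit.pp` exclusion is gone, so enableaudit must not be listed as `= module` in any modules-TYPE.conf or it will be loaded into the store; and with a fixed `-i` list a single missing module makes the whole `semodule -b base.pp ... -s %1` call fail, where the old loop simply skipped files that were not there.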
@@ -160,6 +164,9 @@
touch %{buildroot}%{_sysconfdir}/selinux/config
touch %{buildroot}%{_sysconfdir}/sysconfig/selinux
+# Always create policy module package directories
+mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,strict,mls}/
+
# Install devel
make clean
make NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} DIRECT_INITRC=y MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=%3 install-headers install-docs
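Review bot: `{targeted,strict,mls}` is bash brace expansion, which only works because rpm runs %install under a /bin/sh that is bash; spelling out the three paths or looping over the same list used for the `%dir` entries in the %files section avoids the bashism and keeps the two places that name the policy types in step.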
@@ -281,7 +288,7 @@
%relabel mls
%triggerpostun mls -- mls <= 2.0.7
-%{rebuildpolicy} mls
+%rebuildpolicy mls
%files mls
%fileList mls
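Review bot: this is a real fix rather than a cosmetic one and deserves a sentence in the changelog: with `%{rebuildpolicy} mls` the closing brace ends the macro invocation before `mls`, so the argument is not passed and `%1` inside the macro body is not substituted with the policy name, whereas `%rebuildpolicy mls` passes it; worth checking whether the targeted trigger (not in this diff) uses the same braced form.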
@@ -315,7 +322,7 @@
semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init -r libraries -r locallogin -r logging -r lvm -r miscfiles -r modutils -r mount -r mta -r netutils -r selinuxutil -r storage -r sysnetwork -r udev -r userdomain -r vpnc -r xend $x -s strict
%triggerpostun strict -- strict <= 2.0.7
-%{rebuildpolicy} strict
+%rebuildpolicy strict
%files strict
%fileList strict
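Review bot: the unchanged context line `semodule -b base.pp -r bootloader ... -r xend $x -s strict` still relies on a variable `x`, and the only definition of `x` visible in this patch (the `ls *.pp | grep -v ... | awk` line in `rebuildpolicy`) is being removed. If that strict scriptlet builds its own `x` the same way it should switch to `%{expand:%%moduleList strict}` for consistency; if it relied on the removed definition, `$x` is now empty and the upgrade path loads only base.pp plus the `-r` removals.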
Changing to use
%define moduleList() %([ -f %{_sourcedir}/modules-%{1}.conf ] && \
awk '$1 !~ "#.*" && $2 == "=" && $3 == "module" { printf "-i %%s.pp ", $1 }' %{_sourcedir}/modules-%{1}.conf )
Any reason for the sort?
Do not want to grab comment lines.
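Two of the mechanisms discussed in this thread, pulling the module list out of modules-TYPE.conf while skipping comment lines (the moduleList macro above) and linking together .pp files that came out identical for every base policy (Paul's alternative to a "share" directory), shown as an added shell example. This is not code from the thread or from the selinux-policy spec; the function names, the temporary-directory layout used when testing it, and the assumption that modules-TYPE.conf consists of `NAME = module|base|off` lines plus `#` comment lines are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or the selinux-policy spec: two helpers
# of the kind a spec's %install section could call. Function names and the
# assumed file formats are this example's own.

# module_list CONF
#   Print "-i NAME.pp" for every "NAME = module" line in a modules-TYPE.conf,
#   the way the thread's %moduleList macro does, but skipping '#' comment
#   lines so a commented-out "# foo = module" does not become "-i foo.pp".
#   Lines marked "= base" or "= off" are ignored. Fails if CONF is missing
#   instead of silently producing an empty list.
module_list() {
    conf=$1
    if [ ! -f "$conf" ]; then
        echo "module_list: $conf not found" >&2
        return 1
    fi
    awk '$1 !~ /^#/ && $2 == "=" && $3 == "module" { printf "-i %s.pp ", $1 }
         END { printf "\n" }' "$conf"
}

# link_identical_pp PRIMARY_DIR OTHER_DIR...
#   For each .pp in PRIMARY_DIR, replace the same-named file in every
#   OTHER_DIR with a hard link to it when the two are byte-for-byte identical
#   (cmp). Files that differ, for example because a policy macro expands
#   differently under the strict base, are left alone, so a module that stops
#   being identical after a rebuild simply stops being linked; the packager
#   changes nothing. Hard links need all directories on one filesystem, which
#   holds inside an RPM buildroot; use "ln -sf" if symlinks are preferred.
#   Prints the number of links made.
link_identical_pp() {
    primary=$1
    shift
    linked=0
    for pp in "$primary"/*.pp; do
        [ -f "$pp" ] || continue
        name=${pp##*/}
        for dir in "$@"; do
            other=$dir/$name
            [ -f "$other" ] || continue
            # Already the same inode: nothing to do (keeps the function idempotent).
            [ "$pp" -ef "$other" ] && continue
            if cmp -s "$pp" "$other"; then
                ln -f "$pp" "$other"
                linked=$((linked + 1))
            fi
        done
    done
    echo "$linked"
}

# Typical use inside %install, after building modules for every base policy
# (paths are illustrative):
#   link_identical_pp %{buildroot}/usr/share/selinux/targeted \
#                     %{buildroot}/usr/share/selinux/strict \
#                     %{buildroot}/usr/share/selinux/mls
#   semodule -b base.pp $(module_list modules-targeted.conf) -s targeted
```

The comment check is on the first field (`$1 !~ /^#/`) rather than on the whole line, so a trailing `# comment` after a real `NAME = module` entry is still counted, while a line whose first token begins with `#` is dropped whether or not a space follows the hash. Because the linking step compares file contents at build time, it is safe to leave in the spec permanently: it links what happens to be identical in this build and nothing else.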
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list