[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Directories for policy module packages



Daniel J Walsh wrote:
Paul Howarth wrote:
Christopher J. PeBenito wrote:
On Tue, 2006-07-25 at 10:14 +0100, Paul Howarth wrote:
Now that RPM packages are starting to include policy module packages (my mod_fcgid package was approved for Extras recently: http://bugzilla.redhat.com/195666), it would be nice to have a standard place for the .pp files to be dropped, and for that directory to be owned by the selinux-policy package (so that all the packages don't need to own it themselves).

I propose the following:

/usr/share/selinux/packages
(container directory, separate from modules bundled with Core package)

/usr/share/selinux/packages/mls
(policy modules for use with the mls base policy)

/usr/share/selinux/packages/strict
(policy modules for use with the strict base policy)

/usr/share/selinux/packages/targeted
(policy modules for use with the targeted base policy)

/usr/share/selinux/packages/share
(policy modules that have no base-specific elements, and can be used with all base policies)

I think this is a good idea.

Good, but you might change your mind...

There already is a standard location:

/usr/share/selinux/NAME/

Currently the selinux-policy-TYPE package looks in this directory and installs all the pp files that are in this directory. It should probably change to only install the pp files that it is packaging. This is a management headache because we don't need to manage this now. If someone has a good solution to figuring out the pp files during the spec build this would be great. Trying to update the modules-TYPE.conf file and maintaining the spec file in sync would be a royal pain.

Try the attached patch which groks the module names from the modules-TYPE.conf file.

It also moves the directory ownership of the /usr/share/selinux/NAME/ directory from the selinux-policy-NAME package to the selinux-policy package, so that RPMs containing policy module packages for all base policies will have properly-owned directories to install them into even on systems that only have one of the base policies installed.

Regarding .pp files that are identical for each of the base policies, I think it's better not to have a "share" directory for them but instead to install them into one of the /usr/share/selinux/NAME/ directories and then link them to the other /usr/share/selinux/NAME/ directories. This could be done automagically with a bit of boilerplate scripting in the spec file that looks for identical .pp files and links them together. The advantage of doing it this way is that it'll still work properly even if some of the policy macros change and what was once a policy package that was identical across all base policies suddenly becomes different for each base policy, i.e. the module packager doesn't need to make any changes, just rebuild against the new policy.

With the attached patch and the module packaging policy described above, all .pp files, from both the Core policy packages and others, will go in /usr/share/selinux/NAME/ and there is no need for the separate /usr/share/selinux/packages/ hierarchy.

Paul.
--- selinux-policy.spec	2006-07-26 10:22:24.000000000 +0100
+++ selinux-policy.spec	2006-07-26 12:40:09.000000000 +0100
@@ -58,6 +58,9 @@
 %{_usr}/share/selinux/devel/policygentool
 %{_usr}/share/selinux/devel/example.*
 %attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp
+%dir %{_usr}/share/selinux/targeted
+%dir %{_usr}/share/selinux/strict
+%dir %{_usr}/share/selinux/mls
 
 %define setupCmds() \
 make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%3 bare \
@@ -65,6 +68,9 @@
 cp -f ${RPM_SOURCE_DIR}/modules-%1.conf  ./policy/modules.conf \
 cp -f ${RPM_SOURCE_DIR}/booleans-%1.conf ./policy/booleans.conf \
 
+%define moduleList() %([ -f %{_sourcedir}/modules-%{1}.conf ] && \
+sort %{_sourcedir}/modules-%{1}.conf | awk '$2 == "=" && $3 == "module" { printf "-i %%s.pp ", $1 }')
+
 %define installCmds() \
 make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%3 base.pp \
 make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%3 modules \
@@ -91,7 +97,6 @@
 
 %define fileList() \
 %defattr(-,root,root) \
-%dir %{_usr}/share/selinux/%1 \
 %{_usr}/share/selinux/%1/*.pp \
 %dir %{_sysconfdir}/selinux/%1 \
 %config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
@@ -130,8 +135,7 @@
 
 %define rebuildpolicy() \
 ( cd /usr/share/selinux/%1; \
-x=`ls *.pp | grep -v -e base.pp -e enableaudit.pp | awk '{ print "-i " $1 }'`; \
-semodule -b base.pp $x -s %1; \
+semodule -b base.pp %{expand:%%moduleList %1} -s %1; \
 );\
 rm -f %{_sysconfdir}/selinux/%1/policy/policy.*.rpmnew
 
@@ -160,6 +164,9 @@
 touch %{buildroot}%{_sysconfdir}/selinux/config
 touch %{buildroot}%{_sysconfdir}/sysconfig/selinux
 
+# Always create policy module package directories
+mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,strict,mls}/
+
 # Install devel
 make clean
 make NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} DIRECT_INITRC=y MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=%3 install-headers install-docs
@@ -281,7 +288,7 @@
 %relabel mls
 
 %triggerpostun mls -- mls <= 2.0.7
-%{rebuildpolicy} mls 
+%rebuildpolicy mls 
 
 %files mls
 %fileList mls
@@ -315,7 +322,7 @@
 semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init -r libraries -r locallogin -r logging -r lvm -r miscfiles -r modutils -r mount -r mta -r netutils -r selinuxutil -r storage -r sysnetwork -r udev -r userdomain -r vpnc -r xend $x -s strict
 
 %triggerpostun strict -- strict <= 2.0.7
-%{rebuildpolicy} strict 
+%rebuildpolicy strict 
 
 %files strict
 %fileList strict

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]