Directories for policy module packages
Daniel J Walsh
dwalsh at redhat.com
Wed Jul 26 15:10:55 UTC 2006
Paul Howarth wrote:
> Daniel J Walsh wrote:
>> Paul Howarth wrote:
>>> Christopher J. PeBenito wrote:
>>>> On Tue, 2006-07-25 at 10:14 +0100, Paul Howarth wrote:
>>>>> Now that RPM packages are starting to include policy module
>>>>> packages (my mod_fcgid package was approved for Extras recently:
>>>>> http://bugzilla.redhat.com/195666), it would be nice to have a
>>>>> standard place for the .pp files to be dropped, and for that
>>>>> directory to be owned by the selinux-policy package (so that all
>>>>> the packages don't need to own it themselves).
>>>>>
>>>>> I propose the following:
>>>>>
>>>>> /usr/share/selinux/packages
>>>>> (container directory, separate from modules bundled with Core
>>>>> package)
>>>>>
>>>>> /usr/share/selinux/packages/mls
>>>>> (policy modules for use with the mls base policy)
>>>>>
>>>>> /usr/share/selinux/packages/strict
>>>>> (policy modules for use with the strict base policy)
>>>>>
>>>>> /usr/share/selinux/packages/targeted
>>>>> (policy modules for use with the targeted base policy)
>>>>>
>>>>> /usr/share/selinux/packages/share
>>>>> (policy modules that have no base-specific elements, and can be
>>>>> used with all base policies)
>>>>
>> I think this is a good idea.
>
> Good, but you might change your mind...
>
>>>> There already is a standard location:
>>>>
>>>> /usr/share/selinux/NAME/
>>>>
>> Currently the selinux-policy-TYPE package looks in this directory and
>> installs all the pp files that are in this directory.
>> It should probably change to only install the pp files that it is
>> packaging. This is a management headache because we
>> don't need to manage this now. If someone has a good solution to
>> figuring out the pp files during the spec build this would be
>> great. Trying to update the modules-TYPE.conf file and maintaining
>> the spec file in sync would be a royal pain.
>
> Try the attached patch which groks the module names from the
> modules-TYPE.conf file.
>
> It also moves the directory ownership of the /usr/share/selinux/NAME/
> directory from the selinux-policy-NAME package to the selinux-policy
> package, so that RPMs containing policy module packages for all base
> policies will have properly-owned directories to install them into
> even on systems that only have one of the base policies installed.
>
> Regarding .pp files that are identical for each of the base policies,
> I think it's better not to have a "share" directory for them but
> instead to install them into one of the /usr/share/selinux/NAME/
> directories and then link them to the other /usr/share/selinux/NAME/
> directories. This could be done automagically with a bit of
> boilerplate scripting in the spec file that looks for identical .pp
> files and links them together. The advantage of doing it this way is
> that it'll still work properly even if some of the policy macros
> change and what was once a policy package that was identical across
> all base policies suddenly becomes different for each base policy,
> i.e. the module packager doesn't need to make any changes, just
> rebuild against the new policy.
>
> With the attached patch and the module packaging policy described
> above, all .pp files, from both the Core policy packages and others,
> will go in /usr/share/selinux/NAME/ and there is no need for the
> separate /usr/share/selinux/packages/ hierarchy.
>
> Paul.
> ------------------------------------------------------------------------
>
> --- selinux-policy.spec 2006-07-26 10:22:24.000000000 +0100
> +++ selinux-policy.spec 2006-07-26 12:40:09.000000000 +0100
> @@ -58,6 +58,9 @@
> %{_usr}/share/selinux/devel/policygentool
> %{_usr}/share/selinux/devel/example.*
> %attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp
> +%dir %{_usr}/share/selinux/targeted
> +%dir %{_usr}/share/selinux/strict
> +%dir %{_usr}/share/selinux/mls
>
> %define setupCmds() \
> make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%3 bare \
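Review bot: the three `%dir` lines hard-code the policy names (targeted, strict, mls) in the main package's file list, and the same three names are repeated in the `mkdir -p` added to %install later in this patch; keep them in one place (a single macro listing the policy types, or a loop over it) so adding a base policy later cannot leave one directory unowned or missing from the buildroot.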
> @@ -65,6 +68,9 @@
> cp -f ${RPM_SOURCE_DIR}/modules-%1.conf ./policy/modules.conf \
> cp -f ${RPM_SOURCE_DIR}/booleans-%1.conf ./policy/booleans.conf \
>
> +%define moduleList() %([ -f %{_sourcedir}/modules-%{1}.conf ] && \
> +sort %{_sourcedir}/modules-%{1}.conf | awk '$2 == "=" && $3 == "module" { printf "-i %%s.pp ", $1 }')
> +
> %define installCmds() \
> make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%3 base.pp \
> make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%3 modules \
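Review bot: moduleList's awk filter does not exclude commented-out entries: a line such as `#foo = module` still has `$2 == "="` and `$3 == "module"`, so it yields `-i foo.pp` for a module that was never built and the later semodule call fails on the missing file. Add a first-field test (`$1 !~ /^#/`) in front of the other conditions. The `sort` is also unnecessary, since the order of `-i` arguments does not matter to semodule, and `%{1}` here is inconsistent with the bare `%1` used by the neighbouring macros.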
> @@ -91,7 +97,6 @@
>
> %define fileList() \
> %defattr(-,root,root) \
> -%dir %{_usr}/share/selinux/%1 \
> %{_usr}/share/selinux/%1/*.pp \
> %dir %{_sysconfdir}/selinux/%1 \
> %config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
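Review bot: dropping `%dir` here is consistent with moving ownership of /usr/share/selinux/%1 to the main package in the first hunk, but `%{_usr}/share/selinux/%1/*.pp` still packages whatever .pp files land in the buildroot, while rebuildpolicy now loads the set derived from modules-%1.conf; the two only agree if every `= module` entry produces a .pp and nothing else writes .pp files into that directory during the build, which is worth a comment next to fileList.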
> @@ -130,8 +135,7 @@
>
> %define rebuildpolicy() \
> ( cd /usr/share/selinux/%1; \
> -x=`ls *.pp | grep -v -e base.pp -e enableaudit.pp | awk '{ print "-i " $1 }'`; \
> -semodule -b base.pp $x -s %1; \
> +semodule -b base.pp %{expand:%%moduleList %1} -s %1; \
> );\
> rm -f %{_sysconfdir}/selinux/%1/policy/policy.*.rpmnew
>
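Review bot: the `cd /usr/share/selinux/%1` inside the subshell is not error-checked; if the directory is missing, semodule runs in whatever the current directory is and fails with a confusing "base.pp not found". Use `cd /usr/share/selinux/%1 && semodule -b base.pp %{expand:%%moduleList %1} -s %1`. Also, because `%{expand:%%moduleList %1}` is evaluated at build time, the trigger now re-installs exactly the modules this build packaged instead of every .pp in the directory, so modules dropped there by other RPMs are no longer touched by it; that is the intended behaviour, but it should be stated in the changelog.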
> @@ -160,6 +164,9 @@
> touch %{buildroot}%{_sysconfdir}/selinux/config
> touch %{buildroot}%{_sysconfdir}/sysconfig/selinux
>
> +# Always create policy module package directories
> +mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,strict,mls}/
> +
> # Install devel
> make clean
> make NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} DIRECT_INITRC=y MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=%3 install-headers install-docs
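Review bot: `{targeted,strict,mls}` relies on brace expansion, which is a bash extension rather than POSIX sh; rpmbuild runs %install with /bin/sh, which is bash on Fedora, so it works there, but spelling out the three mkdir calls (or reusing the same policy-type list as the `%dir` entries) avoids the dependency and keeps the list in one place.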
> @@ -281,7 +288,7 @@
> %relabel mls
>
> %triggerpostun mls -- mls <= 2.0.7
> -%{rebuildpolicy} mls
> +%rebuildpolicy mls
>
> %files mls
> %fileList mls
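Review bot: this is a functional fix, not a cosmetic one: `%{rebuildpolicy} mls` expands the parametrized macro with no arguments, so `%1` in its body is empty and the scriptlet runs `cd /usr/share/selinux/` and `semodule ... -s` with no policy name, whereas `%rebuildpolicy mls` passes mls as `%1`. It deserves its own changelog entry since it changes the upgrade trigger for versions 2.0.7 and earlier.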
> @@ -315,7 +322,7 @@
> semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init -r libraries -r locallogin -r logging -r lvm -r miscfiles -r modutils -r mount -r mta -r netutils -r selinuxutil -r storage -r sysnetwork -r udev -r userdomain -r vpnc -r xend $x -s strict
>
> %triggerpostun strict -- strict <= 2.0.7
> -%{rebuildpolicy} strict
> +%rebuildpolicy strict
>
> %files strict
> %fileList strict
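Review bot: same argument-passing fix as in the mls hunk. The context line above still passes `$x` to the strict semodule call; its assignment is outside this hunk, so confirm it is still set in that scriptlet now that the `ls *.pp | grep -v ...` list has been removed from rebuildpolicy, otherwise it is an empty variable that should be dropped.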
>
Changing to use
%define moduleList() %([ -f %{_sourcedir}/modules-%{1}.conf ] && \
awk '$1 !~ "#.*" && $2 == "=" && $3 == "module" { printf "-i %%s.pp ", $1 }' %{_sourcedir}/modules-%{1}.conf )
Any reason for the sort?
Do not want to grab comment lines.