From 8f2aa45db35bbf3a74f8db09ece9edac60e79ee4 Mon Sep 17 00:00:00 2001
From: Sven Vermeulen
Date: Sun, 30 Aug 2015 10:34:24 +0200
Subject: selinux-policy-2.eclass: Enable CIL support
Recent SELinux userspace supports a new intermediate policy language called CIL. This enables using .cil files in our policy ebuilds.
Gentoo-Bug: 558958
---
 eclass/selinux-policy-2.eclass | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)
(limited to 'eclass/selinux-policy-2.eclass')
diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass
index d582b2d8a227..92f2f820350c 100644
--- a/eclass/selinux-policy-2.eclass
+++ b/eclass/selinux-policy-2.eclass
@@ -198,6 +198,7 @@ selinux-policy-2_src_prepare() {
 for i in ${MODS}; do
 modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
 modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
+ modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.cil) $modfiles"
 if [ ${add_interfaces} -eq 1 ]; then
 modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.if) $modfiles"
@@ -239,7 +240,7 @@ selinux-policy-2_src_compile() {
 # @FUNCTION: selinux-policy-2_src_install
 # @DESCRIPTION:
-# Install the built .pp files in the correct subdirectory within
+# Install the built .pp (or copied .cil) files in the correct subdirectory within
 # /usr/share/selinux.
 selinux-policy-2_src_install() {
 local BASEDIR="/usr/share/selinux"
@@ -248,7 +249,11 @@ selinux-policy-2_src_install() {
 for j in ${MODS}; do
 einfo "Installing ${i} ${j} policy package"
 insinto ${BASEDIR}/${i}
- doins "${S}"/${i}/${j}.pp || die "Failed to add ${j}.pp to ${i}"
+ if [ -f "${S}/${i}/${j}.pp" ] ; then
+ doins "${S}"/${i}/${j}.pp || die "Failed to add ${j}.pp to ${i}"
+ elif [ -f "${S}/${i}/${j}.cil" ] ; then
+ doins "${S}"/${i}/${j}.cil || die "Failed to add ${j}.cil to ${i}"
+ fi
 if [[ "${POLICY_FILES[@]}" == *"${j}.if"* ]]; then
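Review bot: In selinux-policy-2_src_install the new `if`/`elif` has no `else`, so a module in MODS for which neither `${j}.pp` nor `${j}.cil` exists under `${S}/${i}` is now skipped silently, where the old unconditional `doins … || die` aborted the install. For a policy package that means the merge can succeed without the module it is supposed to ship, which would likely leave the covered service without its intended confinement. Add a final branch before `fi`: `else die "No ${j}.pp or ${j}.cil found for ${i}"`. The same silent fall-through is in the `for j in ${MODS}` loop added to selinux-policy-2_pkg_postinst (hunk at -279,7). The function body continues outside this hunk.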
@@ -261,14 +266,11 @@ selinux-policy-2_src_install() {
 # @FUNCTION: selinux-policy-2_pkg_postinst
 # @DESCRIPTION:
-# Install the built .pp files in the SELinux policy stores, effectively
+# Install the built .pp (or copied .cil) files in the SELinux policy stores, effectively
 # activating the policy on the system.
 selinux-policy-2_pkg_postinst() {
 # build up the command in the case of multiple modules
 local COMMAND
- for i in ${MODS}; do
- COMMAND="-i ${i}.pp ${COMMAND}"
- done
 for i in ${POLICY_TYPES}; do
 if [ "${i}" == "strict" ] && [ "${MODS}" = "unconfined" ];
@@ -279,7 +281,14 @@ selinux-policy-2_pkg_postinst() {
 einfo "Inserting the following modules into the $i module store: ${MODS}"
 cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/${i}"
- semodule -s ${i} ${COMMAND}
+ for j in ${MODS} ; do
+ if [ -f "${j}.pp" ] ; then
+ COMMAND="${j}.pp ${COMMAND}"
+ elif [ -f "${j}.cil" ] ; then
+ COMMAND="${j}.cil ${COMMAND}"
+ fi
+ done
+ semodule -s ${i} -i ${COMMAND}
 if [ $? -ne 0 ]; then
 ewarn "SELinux module load failed. Trying full reload...";
@@ -313,6 +322,7 @@ selinux-policy-2_pkg_postinst() {
 else
 einfo "SELinux modules loaded succesfully."
 fi
+ COMMAND="";
 done
 # Relabel depending packages
-- cgit v1.2.3-65-gdbad
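Review bot: `semodule -s ${i} -i ${COMMAND}` runs even when the `for j` loop matched no file, so an empty COMMAND produces a bare `-i` and the problem surfaces only as the generic "SELinux module load failed. Trying full reload..." warning rather than as a missing policy file. The call also changes from one `-i` per package to a single `-i` followed by every file, which depends on semodule accepting trailing arguments as further packages to install; that is worth confirming against the oldest userspace this eclass still supports. I would guard the call with `[ -n "${COMMAND}" ] || die "No .pp or .cil files for ${MODS} in /usr/share/selinux/${i}"` and set `COMMAND=""` directly before the `for j` loop instead of at the end of the iteration (the -313,6 hunk), so a later `continue` cannot carry file names into the next policy type. The body of selinux-policy-2_pkg_postinst extends beyond these hunks.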