%define distro redhat %define polyinstatiate n %define monolithic n %define BUILD_DOC 1 %define BUILD_TARGETED 1 %define BUILD_MINIMUM 1 %define BUILD_MLS 1 %define POLICYVER 31 %define POLICYCOREUTILSVER 2.8 %define CHECKPOLICYVER 2.8 Summary: SELinux policy configuration Name: selinux-policy Version: 3.14.2 Release: 44 License: GPLv2+ URL: https://github.com/fedora-selinux/selinux-policy/ Source0: https://github.com/fedora-selinux/selinux-policy/archive/38fa84dc715893cab1cc76aa9c43ba325b153e10/selinux-policy-38fa84d.tar.gz Source1: modules-targeted-base.conf Source2: booleans-targeted.conf Source3: Makefile.devel Source4: setrans-targeted.conf Source5: modules-mls-base.conf Source6: booleans-mls.conf Source8: setrans-mls.conf Source14: securetty_types-targeted Source15: securetty_types-mls Source17: booleans-minimum.conf Source18: setrans-minimum.conf Source19: securetty_types-minimum Source20: customizable_types Source22: users-mls Source23: users-targeted Source25: users-minimum Source26: file_contexts.subs_dist Source27: selinux-policy.conf Source28: permissivedomains.cil Source29: https://github.com/fedora-selinux/selinux-policy-contrib/archive/f9b7466780b5250bf94b5d40764277bc9c5b5f62/selinux-policy-contrib-f9b7466.tar.gz Source30: booleans.subs_dist Source31: modules-targeted-contrib.conf Source32: modules-mls-contrib.conf Source35: container-selinux.tgz Source102: rpm.macros Patch9000: add_userman_access_run_dir.patch Patch9001: add_syslogd_t_domtrans_logrotate.patch Patch9002: bugfix-add_syslogd_t_domtrans_logrotate.patch Patch9003: Fix-userdom_write_user_tmp_dirs-to-allow-caller-doma.patch Patch9004: Fixing-range-for-ephemeral-ports-BZ-1518807.patch Patch9005: Fix-userdom_admin_user_template-interface-by-adding-.patch Patch9006: Fix-bug-in-userdom_restricted_xwindows_user_template.patch Patch9007: add-allow-for-ldconfig-to-map-libsudo_util-so.patch Patch9008: add-allow-syslogd_t-domain-to-send-null-signal-to-all-do.patch BuildArch: noarch BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} Requires(post): /bin/awk /usr/bin/sha512sum Requires: rpm-plugin-selinux %description SELinux Base package for SELinux Reference Policy - modular. %define makeCmds() \ make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 bare \ make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 conf \ cp -f selinux_config/booleans-%1.conf ./policy/booleans.conf \ cp -f selinux_config/users-%1 ./policy/users \ %define makeModulesConf() \ cp -f selinux_config/modules-%1-%2.conf ./policy/modules-base.conf \ cp -f selinux_config/modules-%1-%2.conf ./policy/modules.conf \ if [ %3 == "contrib" ];then \ cp selinux_config/modules-%1-%3.conf ./policy/modules-contrib.conf; \ cat selinux_config/modules-%1-%3.conf >> ./policy/modules.conf; \ fi; \ %define installCmds() \ make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 base.pp \ make validate UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} MLS_CATS=1024 MCS_CATS=1024 modules \ make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install \ make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 install-appconfig \ make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 SEMODULE="semodule -p %{buildroot} -X 100 " load \ %{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/logins \ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ install -m0644 selinux_config/securetty_types-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_types \ install -m0644 selinux_config/file_contexts.subs_dist %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files \ install -m0644 selinux_config/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \ install -m0644 selinux_config/customizable_types %{buildroot}%{_sysconfdir}/selinux/%1/contexts/customizable_types \ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \ cp %{SOURCE30} %{buildroot}%{_sysconfdir}/selinux/%1 \ rm -f %{buildroot}/%{_usr}/share/selinux/%1/*pp* \ /usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \ %nil %define fileList() \ %defattr(-,root,root) \ %{_datadir}/selinux/%1 \ %dir %{_sysconfdir}/selinux/%1 \ %config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \ %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/seusers \ %dir %{_sysconfdir}/selinux/%1/logins \ %dir %{_sharedstatedir}/selinux/%1/active \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.read.LOCK \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/semanage.trans.LOCK \ %dir %attr(700,root,root) %dir %{_sharedstatedir}/selinux/%1/active/modules \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/base \ %dir %{_sysconfdir}/selinux/%1/policy/ \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \ %{_sysconfdir}/selinux/%1/.policy.sha512 \ %dir %{_sysconfdir}/selinux/%1/contexts \ %config %{_sysconfdir}/selinux/%1/contexts/customizable_types \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_types \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/x_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/default_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/virtual_domain_context \ %config %{_sysconfdir}/selinux/%1/contexts/virtual_image_context \ %config %{_sysconfdir}/selinux/%1/contexts/lxc_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/systemd_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/sepgsql_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/openssh_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/snapperd_contexts \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/failsafe_context \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/initrc_context \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/removable_context \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/userhelper_context \ %dir %{_sysconfdir}/selinux/%1/contexts/files \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \ %ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \ %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \ %ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs.bin \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \ %ghost %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \ %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \ %{_sysconfdir}/selinux/%1/booleans.subs_dist \ %config %{_sysconfdir}/selinux/%1/contexts/files/media \ %dir %{_sysconfdir}/selinux/%1/contexts/users \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/root \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u \ %{_sharedstatedir}/selinux/%1/active/commit_num \ %{_sharedstatedir}/selinux/%1/active/users_extra \ %{_sharedstatedir}/selinux/%1/active/homedir_template \ %{_sharedstatedir}/selinux/%1/active/seusers \ %{_sharedstatedir}/selinux/%1/active/file_contexts \ %{_sharedstatedir}/selinux/%1/active/policy.kern \ %ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \ %ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \ %ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \ %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \ %nil %define relabel() \ . %{_sysconfdir}/selinux/config; \ FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ /usr/sbin/selinuxenabled; \ if [ $? = 0 -a "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT}.pre ]; then \ /sbin/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; \ rm -f ${FILE_CONTEXT}.pre; \ fi; \ if /sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \ continue; \ fi; \ %define preInstall() \ if [ $1 -ne 1 ] && [ -s /etc/selinux/config ]; then \ if [ -d %{_sharedstatedir}/selinux/%1/active/modules/100/ganesha ]; then \ %{_sbindir}/semodule -n -d ganesha; \ fi; \ . %{_sysconfdir}/selinux/config; \ FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \ [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \ fi; \ touch /etc/selinux/%1/.rebuild; \ if [ -e /etc/selinux/%1/.policy.sha512 ]; then \ POLICY_FILE=`ls /etc/selinux/%1/policy/policy.* | sort | head -1` \ sha512=`sha512sum $POLICY_FILE | cut -d ' ' -f 1`; \ checksha512=`cat /etc/selinux/%1/.policy.sha512`; \ if [ "$sha512" == "$checksha512" ] ; then \ rm /etc/selinux/%1/.rebuild; \ fi; \ fi; \ fi; %define postInstall() \ . %{_sysconfdir}/selinux/config; \ if [ -e /etc/selinux/%2/.rebuild ]; then \ rm /etc/selinux/%2/.rebuild; \ /usr/sbin/semodule -B -n -s %2; \ fi; \ [ "${SELINUXTYPE}" == "%2" ] && selinuxenabled && load_policy; \ if [ %1 -eq 1 ]; then \ /sbin/restorecon -R /root /var/log /run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; \ else \ %relabel %2 \ fi; %define modulesList() \ awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst \ awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/modules-base.conf > %{buildroot}/%{_usr}/share/selinux/%1/base.lst \ if [ -e ./policy/modules-contrib.conf ];then \ awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s ", $1 }' ./policy/modules-contrib.conf > %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst; \ fi; %define nonBaseModulesList() \ contrib_modules=`cat %{buildroot}/%{_usr}/share/selinux/%1/modules-contrib.lst` \ base_modules=`cat %{buildroot}/%{_usr}/share/selinux/%1/modules-base.lst` \ for i in $contrib_modules $base_modules; do \ if [ $i != "sandbox" ];then \ echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}/%{_usr}/share/selinux/%1/nonbasemodules.lst \ fi; \ done; %define installFactoryResetFiles() \ mkdir -p %{buildroot}%{_datadir}/selinux/%1/default \ cp -R --preserve=mode,ownership,timestamps,links %{buildroot}%{_sharedstatedir}/selinux/%1/active %{buildroot}%{_datadir}/selinux/%1/default/ \ find %{buildroot}%{_datadir}/selinux/%1/default/ -name hll | xargs rm \ find %{buildroot}%{_datadir}/selinux/%1/default/ -name lang_ext | xargs sed -i 's/pp/cil/' \ mkdir -p %{buildroot}/%{_libexecdir}/selinux/ \ %prep %setup -n %{name}-contrib-f9b7466780b5250bf94b5d40764277bc9c5b5f62 -q -b 29 tar -xf %{SOURCE35} contrib_path=`pwd` %autosetup -n %{name}-38fa84dc715893cab1cc76aa9c43ba325b153e10 -p1 refpolicy_path=`pwd` cp $contrib_path/* $refpolicy_path/policy/modules/contrib mkdir selinux_config for i in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE5} %{SOURCE6} %{SOURCE8} %{SOURCE14} %{SOURCE15} %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} %{SOURCE22} %{SOURCE23} %{SOURCE25} %{SOURCE26} %{SOURCE31} %{SOURCE32}; do cp $i selinux_config done %install %{__rm} -fR %{buildroot} mkdir -p %{buildroot}%{_sysconfdir}/selinux mkdir -p %{buildroot}%{_sysconfdir}/sysconfig touch %{buildroot}%{_sysconfdir}/selinux/config touch %{buildroot}%{_sysconfdir}/sysconfig/selinux mkdir -p %{buildroot}%{_usr}/lib/tmpfiles.d/ cp %{SOURCE27} %{buildroot}%{_usr}/lib/tmpfiles.d/ mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,mls,minimum,modules}/ mkdir -p %{buildroot}%{_sharedstatedir}/selinux/{targeted,mls,minimum,modules}/ mkdir -p %{buildroot}%{_usr}/share/selinux/packages make clean %if %{BUILD_TARGETED} cp %{SOURCE28} %{buildroot}/ %makeCmds targeted mcs n allow %makeModulesConf targeted base contrib %installCmds targeted mcs n allow semodule -p %{buildroot} -X 100 -i %{buildroot}/permissivedomains.cil rm -rf %{buildroot}/permissivedomains.cil rm -rf %{buildroot}%{_sharedstatedir}/selinux/targeted/active/modules/100/sandbox make UNK_PERMS=%4 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} MLS_CATS=1024 MCS_CATS=1024 sandbox.pp mv sandbox.pp %{buildroot}/usr/share/selinux/packages/sandbox.pp %modulesList targeted %nonBaseModulesList targeted %installFactoryResetFiles targeted %endif %if %{BUILD_MINIMUM} mkdir -p %{buildroot}%{_usr}/share/selinux/minimum %makeCmds minimum mcs n allow %makeModulesConf targeted base contrib %installCmds minimum mcs n allow rm -f %{buildroot}/%{_sysconfdir}/selinux/minimum/modules/active/modules/sandbox.pp rm -rf %{buildroot}%{_sharedstatedir}/selinux/minimum/active/modules/100/sandbox %modulesList minimum %nonBaseModulesList minimum %installFactoryResetFiles minimum %endif %if %{BUILD_MLS} %makeCmds mls mls n deny %makeModulesConf mls base contrib %installCmds mls mls n deny %modulesList mls %nonBaseModulesList mls %installFactoryResetFiles mls %endif mkdir -p %{buildroot}%{_mandir} cp -R man/* %{buildroot}%{_mandir} make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name} MLS_CATS=1024 MCS_CATS=1024 install-docs make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} UBAC=n DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name} MLS_CATS=1024 MCS_CATS=1024 install-headers mkdir %{buildroot}%{_usr}/share/selinux/devel/ mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include install -m 644 selinux_config/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/ install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/ /usr/bin/sepolicy manpage -a -p %{buildroot}/usr/share/man/man8/ -w -r %{buildroot} mkdir %{buildroot}%{_usr}/share/selinux/devel/html mv %{buildroot}%{_usr}/share/man/man8/*.html %{buildroot}%{_usr}/share/selinux/devel/html mv %{buildroot}%{_usr}/share/man/man8/style.css %{buildroot}%{_usr}/share/selinux/devel/html mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d install -m 644 %{SOURCE102} %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy sed -i 's/SELINUXPOLICYVERSION/%{version}-%{release}/' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy sed -i 's@SELINUXSTOREPATH@%{_sharedstatedir}/selinux@' %{buildroot}%{_rpmconfigdir}/macros.d/macros.selinux-policy rm -rf selinux_config %post if [ ! -s /etc/selinux/config ]; then echo " # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=permissive # SELINUXTYPE= can take one of these three values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted " > /etc/selinux/config ln -sf ../selinux/config /etc/sysconfig/selinux restorecon /etc/selinux/config 2> /dev/null || : else . /etc/selinux/config fi exit 0 %postun if [ $1 = 0 ]; then setenforce 0 2> /dev/null if [ ! -s /etc/selinux/config ]; then echo "SELINUX=disabled" > /etc/selinux/config else sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config fi fi exit 0 %files %{!?_licensedir:%global license %%doc} %license COPYING %dir %{_usr}/share/selinux %dir %{_usr}/share/selinux/packages %dir %{_sysconfdir}/selinux %ghost %config(noreplace) %{_sysconfdir}/selinux/config %ghost %{_sysconfdir}/sysconfig/selinux %{_usr}/lib/tmpfiles.d/selinux-policy.conf %{_rpmconfigdir}/macros.d/macros.selinux-policy %package sandbox Summary: SELinux policy sandbox Requires(pre): selinux-policy-base = %{version}-%{release} selinux-policy-targeted = %{version}-%{release} %description sandbox SELinux sandbox policy used for the policycoreutils-sandbox package %post sandbox rm -f /etc/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null rm -f %{_sharedstatedir}/selinux/*/active/modules/disabled/sandbox 2>/dev/null semodule -n -X 100 -i /usr/share/selinux/packages/sandbox.pp if /usr/sbin/selinuxenabled ; then /usr/sbin/load_policy fi; exit 0 %preun sandbox if [ $1 -eq 0 ] ; then semodule -n -d sandbox 2>/dev/null if /usr/sbin/selinuxenabled ; then /usr/sbin/load_policy fi; fi; exit 0 %files sandbox %verify(not md5 size mtime) /usr/share/selinux/packages/sandbox.pp %package devel Summary: SELinux policy devel Requires: selinux-policy = %{version}-%{release} m4 checkpolicy >= %{CHECKPOLICYVER} /usr/bin/make Requires(post): policycoreutils-devel >= %{POLICYCOREUTILSVER} %description devel SELinux policy development and man page package %post devel selinuxenabled && /usr/bin/sepolgen-ifgen 2>/dev/null exit 0 %files devel %dir %{_usr}/share/selinux/devel %dir %{_usr}/share/selinux/devel/include %{_usr}/share/selinux/devel/include/* %dir %{_usr}/share/selinux/devel/html %{_usr}/share/selinux/devel/html/*html %{_usr}/share/selinux/devel/html/*css %{_usr}/share/selinux/devel/Makefile %{_usr}/share/selinux/devel/example.* %{_usr}/share/selinux/devel/policy.* %ghost %{_sharedstatedir}/sepolgen/interface_info %package help Summary: SELinux policy documentation Requires: selinux-policy = %{version}-%{release} Provides: selinux-policy-doc Obsoletes: selinux-policy-doc %description help SELinux policy documentation package %files help %{_mandir}/man*/* %{_mandir}/ru/*/* %doc %{_usr}/share/doc/%{name} %if %{BUILD_TARGETED} %package targeted Summary: SELinux targeted base policy Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} coreutils selinux-policy = %{version}-%{release} Requires: selinux-policy = %{version}-%{release} Provides: selinux-policy-base = %{version}-%{release} Obsoletes: selinux-policy-targeted-sources < 2 Obsoletes: mod_fcgid-selinux <= %{version}-%{release} Obsoletes: cachefilesd-selinux <= 0.10-1 Conflicts: audispd-plugins <= 1.7.7-1 Conflicts: seedit Conflicts: 389-ds-base < 1.2.7, 389-admin < 1.1.12 Conflicts: container-selinux < 2:1.12.1-22 %description targeted SELinux Reference policy targeted base module. %pre targeted %preInstall targeted %post targeted %postInstall $1 targeted exit 0 %postun targeted if [ $1 = 0 ]; then source /etc/selinux/config if [ "$SELINUXTYPE" = "targeted" ]; then setenforce 0 2> /dev/null if [ ! -s /etc/selinux/config ]; then echo "SELINUX=disabled" > /etc/selinux/config else sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config fi fi fi exit 0 %triggerin -- pcre selinuxenabled && semodule -nB exit 0 %triggerpostun -- selinux-policy-targeted < 3.12.1-74 rm -f /etc/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null exit 0 %triggerpostun targeted -- selinux-policy-targeted < 3.13.1-138 CR=$'\n' INPUT="" for i in `find /etc/selinux/targeted/modules/active/modules/ -name \*disabled`; do module=`basename $i | sed 's/.pp.disabled//'` if [ -d /var/lib/selinux/targeted/active/modules/100/$module ]; then touch /var/lib/selinux/targeted/active/modules/disabled/$p fi done for i in `find /etc/selinux/targeted/modules/active/modules/ -name \*.pp`; do INPUT="${INPUT}${CR}module -N -a $i" done for i in $(find /etc/selinux/targeted/modules/active -name \*.local); do cp $i /var/lib/selinux/targeted/active done echo "$INPUT" | %{_sbindir}/semanage import -S targeted -N if /usr/sbin/selinuxenabled ; then /usr/sbin/load_policy fi exit 0 %files targeted -f %{buildroot}/%{_usr}/share/selinux/targeted/nonbasemodules.lst %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u %fileList targeted %verify(not md5 size mtime) %{_sharedstatedir}/selinux/targeted/active/modules/100/permissivedomains %endif %if %{BUILD_MINIMUM} %package minimum Summary: SELinux minimum base policy Requires(pre): coreutils selinux-policy = %{version}-%{release} Requires(post): policycoreutils-python-utils >= %{POLICYCOREUTILSVER} Requires: selinux-policy = %{version}-%{release} Provides: selinux-policy-base = %{version}-%{release} Conflicts: seedit Conflicts: container-selinux <= 1.9.0-9 %description minimum SELinux Reference policy minimum base module. %pre minimum %preInstall minimum if [ $1 -ne 1 ]; then /usr/sbin/semodule -s minimum --list-modules=full | awk '{ if ($4 != "disabled") print $2; }' > /usr/share/selinux/minimum/instmodules.lst fi %post minimum contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst` basepackages=`cat /usr/share/selinux/minimum/modules-base.lst` if [ ! -d /var/lib/selinux/minimum/active/modules/disabled ]; then mkdir /var/lib/selinux/minimum/active/modules/disabled fi if [ $1 -eq 1 ]; then for p in $contribpackages; do touch /var/lib/selinux/minimum/active/modules/disabled/$p done for p in $basepackages apache dbus inetd kerberos mta nis; do rm -f /var/lib/selinux/minimum/active/modules/disabled/$p done /usr/sbin/semanage import -S minimum -f - << __eof login -m -s unconfined_u -r s0-s0:c0.c1023 __default__ login -m -s unconfined_u -r s0-s0:c0.c1023 root __eof /sbin/restorecon -R /root /var/log /var/run 2> /dev/null /usr/sbin/semodule -B -s minimum else instpackages=`cat /usr/share/selinux/minimum/instmodules.lst` for p in $contribpackages; do touch /var/lib/selinux/minimum/active/modules/disabled/$p done for p in $instpackages apache dbus inetd kerberos mta nis; do rm -f /var/lib/selinux/minimum/active/modules/disabled/$p done /usr/sbin/semodule -B -s minimum %relabel minimum fi exit 0 %postun minimum if [ $1 = 0 ]; then source /etc/selinux/config if [ "$SELINUXTYPE" = "minimum" ]; then setenforce 0 2> /dev/null if [ ! -s /etc/selinux/config ]; then echo "SELINUX=disabled" > /etc/selinux/config else sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config fi fi fi exit 0 %triggerpostun minimum -- selinux-policy-minimum < 3.13.1-138 if [ `ls -A /var/lib/selinux/minimum/active/modules/disabled/` ]; then rm -f /var/lib/selinux/minimum/active/modules/disabled/* fi CR=$'\n' INPUT="" for i in `find /etc/selinux/minimum/modules/active/modules/ -name \*disabled`; do module=`basename $i | sed 's/.pp.disabled//'` if [ -d /var/lib/selinux/minimum/active/modules/100/$module ]; then touch /var/lib/selinux/minimum/active/modules/disabled/$p fi done for i in `find /etc/selinux/minimum/modules/active/modules/ -name \*.pp`; do INPUT="${INPUT}${CR}module -N -a $i" done echo "$INPUT" | %{_sbindir}/semanage import -S minimum -N if /usr/sbin/selinuxenabled ; then /usr/sbin/load_policy fi exit 0 %files minimum -f %{buildroot}/%{_usr}/share/selinux/minimum/nonbasemodules.lst %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u %fileList minimum %endif %if %{BUILD_MLS} %package mls Summary: SELinux mls base policy Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd selinux-policy = %{version}-%{release} Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} coreutils Provides: selinux-policy-base = %{version}-%{release} Obsoletes: selinux-policy-mls-sources < 2 Conflicts: seedit Conflicts: container-selinux <= 1.9.0-9 %description mls SELinux Reference policy mls base module. %pre mls %preInstall mls %post mls %postInstall $1 mls exit 0 %postun mls if [ $1 = 0 ]; then source /etc/selinux/config if [ "$SELINUXTYPE" = "mls" ]; then setenforce 0 2> /dev/null if [ ! -s /etc/selinux/config ]; then echo "SELINUX=disabled" > /etc/selinux/config else sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config fi fi fi exit 0 %triggerpostun mls -- selinux-policy-mls < 3.13.1-138 CR=$'\n' INPUT="" for i in `find /etc/selinux/mls/modules/active/modules/ -name \*disabled`; do module=`basename $i | sed 's/.pp.disabled//'` if [ -d /var/lib/selinux/mls/active/modules/100/$module ]; then touch /var/lib/selinux/mls/active/modules/disabled/$p fi done for i in `find /etc/selinux/mls/modules/active/modules/ -name \*.pp`; do INPUT="${INPUT}${CR}module -N -a $i" done echo "$INPUT" | %{_sbindir}/semanage import -S mls -N if /usr/sbin/selinuxenabled ; then /usr/sbin/load_policy fi exit 0 %files mls -f %{buildroot}/%{_usr}/share/selinux/mls/nonbasemodules.lst %config(noreplace) %{_sysconfdir}/selinux/mls/contexts/users/unconfined_u %fileList mls %endif %changelog * Mon Dec 23 2019 openEuler Buildteam - 3.14.2-44 - add URL * Fri Dec 20 2019 openEuler Buildteam - 3.14.2-43 - add source of tarball * Mon Dec 16 2019 openEuler Buildteam - 3.14.2-42 - add allow for ldconfig to map /usr/libexec/libsudo_util.so allow syslogd_t domain to send null signal to all domain * Thu Sep 12 2019 openEuler Buildteam - 3.14.2-41 - Package init