rpms/portreserve/devel portreserve.fc, NONE, 1.1 portreserve.if, NONE, 1.1 portreserve.te, NONE, 1.1 portreserve.spec, 1.3, 1.4
Tim Waugh
twaugh at fedoraproject.org
Wed Oct 15 13:18:35 UTC 2008
Author: twaugh
Update of /cvs/pkgs/rpms/portreserve/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv32457
Modified Files:
portreserve.spec
Added Files:
portreserve.fc portreserve.if portreserve.te
Log Message:
* Wed Oct 15 2008 Tim Waugh <twaugh at redhat.com> 0.0.3-2
- New selinux sub-package for SELinux policy. Policy contributed by
Miroslav Grepl (thanks!).
--- NEW FILE portreserve.fc ---
# portreserve executable will have:
# label: system_u:object_r:portreserve_exec_t
# MLS sensitivity: s0
# MCS categories: <none>
#exec
/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
/var/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0)
/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0)
--- NEW FILE portreserve.if ---
## <summary>policy for portreserve</summary>
########################################
## <summary>
## Execute a domain transition to run portreserve.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`portreserve_domtrans',`
gen_require(`
type portreserve_t, portreserve_exec_t;
')
domain_auto_trans($1,portreserve_exec_t,portreserve_t)
allow portreserve_t $1:fd use;
allow portreserve_t $1:fifo_file rw_file_perms;
allow portreserve_t $1:process sigchld;
')
#######################################
## <summary>
## Allow the specified domain to read
## portreserve etcuration files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
##
#
interface(`portreserve_read_etc',`
gen_require(`
type portreserve_etc_t;
')
files_search_etc($1)
allow $1 portreserve_etc_t:dir list_dir_perms;
read_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
')
#######################################
## <summary>
## Allow the specified domain to manage
## portreserve etcuration files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
##
#
interface(`portreserve_manage_etc',`
gen_require(`
type portreserve_etc_t;
')
files_search_etc($1)
manage_dirs_pattern($1, portreserve_etc_t, portreserve_etc_t)
manage_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t)
')
########################################
### <summary>
### All of the rules required to administrate
### an portreserve environment
### </summary>
### <param name="domain">
### <summary>
### Domain allowed access.
### </summary>
### </param>
### <param name="role">
### <summary>
### The role to be allowed to manage the portreserve domain.
### </summary>
### </param>
### <rolecap/>
##
#
interface(`portreserve_admin',`
gen_require(`
type portreserve_t, portreserve_var_run_t,
portreserve_etc_t;
')
allow $1 portreserve_t:process { ptrace signal_perms };
ps_process_pattern($1, portreserve_t)
admin_pattern($1, portreserve_etc_t)
files_search_etc($1)
admin_pattern($1, portreserve_var_run_t)
files_search_pids($1)
')
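Review bot: The documentation block for `portreserve_admin` uses a `###` prefix instead of `##`, so the refpolicy doc extractor will not pick it up, and it documents a `role` parameter that the interface body never consumes (no `$2` appears), so either the `<param name="role">` block should be dropped or the body should use it. The `portreserve_read_etc` and `portreserve_manage_etc` summaries both say "etcuration files" where "configuration files" is meant. As a point of style, `portreserve_domtrans` spells out `domain_auto_trans` plus the three fd/fifo/sigchld allows by hand; the refpolicy idiom is `domtrans_pattern($1, portreserve_exec_t, portreserve_t)`, which covers those rules, and callers typically also need `corecmd_search_bin($1)` since the executable lives under /sbin.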
--- NEW FILE portreserve.te ---
policy_module(portreserve,1.0.0)
########################################
#
# Declarations
#
type portreserve_t;
type portreserve_exec_t;
init_daemon_domain(portreserve_t, portreserve_exec_t)
type portreserve_etc_t;
files_type(portreserve_etc_t)
type portreserve_var_run_t;
files_pid_file(portreserve_var_run_t)
########################################
#
# Portreserve local policy
#
allow portreserve_t self:fifo_file rw_fifo_file_perms;
allow portreserve_t self:unix_stream_socket create_stream_socket_perms;
allow portreserve_t self:unix_dgram_socket { create_socket_perms sendto };
allow portreserve_t self:tcp_socket create_socket_perms;
allow portreserve_t self:udp_socket create_socket_perms;
# Read etc files
list_dirs_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t)
read_files_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t)
# Manage /var/run/portreserve/*
manage_dirs_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
manage_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
files_pid_filetrans(portreserve_t,portreserve_var_run_t, { file sock_file })
## Networking basics
corenet_tcp_bind_all_ports(portreserve_t)
corenet_tcp_bind_all_ports(portreserve_t)
corenet_udp_bind_all_nodes(portreserve_t)
corenet_udp_bind_all_ports(portreserve_t)
corenet_tcp_bind_inaddr_any_node(portreserve_t)
corenet_udp_bind_inaddr_any_node(portreserve_t)
files_read_etc_files(portreserve_t)
libs_use_ld_so(portreserve_t)
libs_use_shared_libs(portreserve_t)
# Init script handling
#init_use_fds(portreserve_t)
#init_use_script_ptys(portreserve_t)
#domain_use_interactive_fds(portreserve_t)
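Review bot: `corenet_tcp_bind_all_ports(portreserve_t)` appears twice under `## Networking basics`; the UDP pair just below has both `_all_nodes` and `_all_ports`, so the duplicate looks like a copy slip for `corenet_tcp_bind_all_nodes(portreserve_t)`. The description says portreserve holds well-known ports, which means binding below 1024, yet nothing here grants `allow portreserve_t self:capability net_bind_service;`; presumably that bind is denied without it, so it is worth confirming against the audit log before shipping. The all-ports binds are broad but are the daemon's purpose; a one-line comment such as `# portreserve must be able to bind any port a service may reserve` would document that choice. The `## Networking basics` line uses the two-hash doc-comment prefix for an ordinary comment; `# Networking basics` avoids confusing the documentation tooling.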
Index: portreserve.spec
===================================================================
RCS file: /cvs/pkgs/rpms/portreserve/devel/portreserve.spec,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- portreserve.spec 1 Jul 2008 16:44:10 -0000 1.3
+++ portreserve.spec 15 Oct 2008 13:18:05 -0000 1.4
@@ -1,14 +1,22 @@
+%global selinux_policyver %(%{__sed} -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp || echo 0.0.0)
+%define selinux_variants mls strict targeted
+
Summary: TCP port reservation utility
Name: portreserve
Version: 0.0.3
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Daemons
URL: http://cyberelk.net/tim/portreserve/
Source0: http://cyberelk.net/tim/data/portreserve/stable/%{name}-%{version}.tar.bz2
+Source1: portreserve.te
+Source2: portreserve.fc
+Source3: portreserve.if
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: xmlto
+BuildRequires: checkpolicy, selinux-policy-devel
+BuildRequires: hardlink
%description
The portreserve program aims to help services with well-known ports that
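Review bot: `%define selinux_variants mls strict targeted` sits directly under a `%global`; rpm's `%define` is lexically scoped and Fedora packaging prefers `%global` for file-level macros, so `%global selinux_variants mls strict targeted` keeps the two definitions consistent. The `|| echo 0.0.0` fallback on the `selinux_policyver` line means a build host without `/usr/share/selinux/devel/policyhelp` silently yields `Requires: selinux-policy >= 0.0.0`, which is no effective floor; if that is intended, a comment saying so would stop the next maintainer from treating it as a bug.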
@@ -16,13 +24,32 @@
by occupying it itself, until the real service tells it to release the
port (generally in the init script).
+%package selinux
+Summary: Portreserve SELinux policy
+Group: System Environment/Daemons
+Requires: %{name} = %{version}-%{release}
+Requires: selinux-policy >= %{selinux_policyver}
+Requires(post): /usr/sbin/semodule, /sbin/restorecon, /sbin/fixfiles, %{name}
+Requires(postun): /usr/sbin/semodule, /sbin/restorecon, /sbin/fixfiles, %{name}
+
+%description selinux
+The SELinux policy for the portreserve daemon.
+
%prep
%setup -q
+cp %{SOURCE1} %{SOURCE2} %{SOURCE3} .
%build
%configure --sbindir=/sbin
make
+for selinuxvariant in %{selinux_variants}
+do
+ make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile
+ mv portreserve.pp portreserve.pp.${selinuxvariant}
+ make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean
+done
+
%install
rm -rf %{buildroot}
make DESTDIR=%{buildroot} install
@@ -31,6 +58,15 @@
install -m755 portreserve.init %{buildroot}%{_initrddir}/portreserve
mkdir -p %{buildroot}%{_sysconfdir}/portreserve
+for selinuxvariant in %{selinux_variants}
+do
+ install -d %{buildroot}%{_datadir}/selinux/${selinuxvariant}
+ install -p -m 644 portreserve.pp.${selinuxvariant} \
+ %{buildroot}%{_datadir}/selinux/${selinuxvariant}/portreserve.pp
+done
+
+/usr/sbin/hardlink -cv %{buildroot}%{_datadir}/selinux
+
%clean
rm -rf %{buildroot}
@@ -59,7 +95,37 @@
/sbin/*
%{_mandir}/*/*
+%files selinux
+%defattr(-,root,root,0755)
+%doc %{name}.{te,fc,if}
+%{_datadir}/selinux/*/%{name}.pp
+
+%post selinux
+for selinuxvariant in %{selinux_variants}
+do
+ /usr/sbin/semodule -s ${selinuxvariant} -i \
+ %{_datadir}/selinux/${selinuxvariant}/%{name}.pp &>/dev/null || :
+done
+/sbin/fixfiles -R %{name} restore || :
+/sbin/restorecon -R %{_sysconfdir}/%{name}
+/sbin/restorecon -R %{_localstatedir}/run/%{name}
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+ for selinuxvariant in %{selinux_variants}
+ do
+ /usr/sbin/semodule -s ${selinuxvariant} -r %{name} &>/dev/null || :
+ done
+ /sbin/fixfiles -R %{name} restore || :
+ /sbin/restorecon -R %{_sysconfdir}/%{name}
+ /sbin/restorecon -R %{_localstatedir}/run/%{name}
+fi
+
%changelog
+* Wed Oct 15 2008 Tim Waugh <twaugh at redhat.com> 0.0.3-2
+- New selinux sub-package for SELinux policy. Policy contributed by
+ Miroslav Grepl (thanks!).
+
* Tue Jul 1 2008 Tim Waugh <twaugh at redhat.com> 0.0.3-1
- 0.0.3:
- Allow multiple services to be defined in a single configuration
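Review bot: The `/sbin/restorecon -R ...` lines in both `%post selinux` and `%postun selinux` lack the `|| :` that every other command in these scriptlets carries, so a relabel failure makes the scriptlet exit non-zero and rpm reports the install or erase as failed even though the module operation already succeeded; `/sbin/restorecon -R %{_sysconfdir}/%{name} || :` and the matching `run/%{name} || :` line restore the best-effort behaviour. The `semodule` calls redirect all output to /dev/null, which hides the reason when a module fails to load; capturing stderr or at least not discarding it on the `-i` path would make a broken policy visible in the install log.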