Directories for policy module packages

Daniel J Walsh dwalsh at redhat.com
Wed Jul 26 15:10:55 UTC 2006


Paul Howarth wrote:
> Daniel J Walsh wrote:
>> Paul Howarth wrote:
>>> Christopher J. PeBenito wrote:
>>>> On Tue, 2006-07-25 at 10:14 +0100, Paul Howarth wrote:
>>>>> Now that RPM packages are starting to include policy module 
>>>>> packages (my mod_fcgid package was approved for Extras recently: 
>>>>> http://bugzilla.redhat.com/195666), it would be nice to have a 
>>>>> standard place for the .pp files to be dropped, and for that 
>>>>> directory to be owned by the selinux-policy package (so that all 
>>>>> the packages don't need to own it themselves).
>>>>>
>>>>> I propose the following:
>>>>>
>>>>> /usr/share/selinux/packages
>>>>> (container directory, separate from modules bundled with Core 
>>>>> package)
>>>>>
>>>>> /usr/share/selinux/packages/mls
>>>>> (policy modules for use with the mls base policy)
>>>>>
>>>>> /usr/share/selinux/packages/strict
>>>>> (policy modules for use with the strict base policy)
>>>>>
>>>>> /usr/share/selinux/packages/targeted
>>>>> (policy modules for use with the targeted base policy)
>>>>>
>>>>> /usr/share/selinux/packages/share
>>>>> (policy modules that have no base-specific elements, and can be 
>>>>> used with all base policies)
>>>>
>> I think this is a good idea.
>
> Good, but you might change your mind...
>
>>>> There already is a standard location:
>>>>
>>>> /usr/share/selinux/NAME/
>>>>
>> Currently the selinux-policy-TYPE package looks in this directory and 
>> installs all the pp files that are in this directory.
>> It should probably change to only install  the pp files that it is 
>> packaging.  This is a management headache because we
>> don't need to manage this now.  If someone has a good solution to 
>> figuring out the pp files during the spec build this would be
>> great.  Trying to update the modules-TYPE.conf file and maintaining 
>> the spec file in sync would be a royal pain.
>
> Try the attached patch which groks the module names from the 
> modules-TYPE.conf file.
>
> It also moves the directory ownership of the /usr/share/selinux/NAME/ 
> directory from the selinux-policy-NAME package to the selinux-policy 
> package, so that RPMs containing policy module packages for all base 
> policies will have properly-owned directories to install them into 
> even on systems that only have one of the base policies installed.
>
> Regarding .pp files that are identical for each of the base policies, 
> I think it's better not to have a "share" directory for them but 
> instead to install them into one of the /usr/share/selinux/NAME/ 
> directories and then link them to the other /usr/share/selinux/NAME/ 
> directories. This could be done automagically with a bit of 
> boilerplate scripting in the spec file that looks for identical .pp 
> files and links them together. The advantage of doing it this way is 
> that it'll still work properly even if some of the policy macros 
> change and what was once a policy package that was identical across 
> all base policies suddenly becomes different for each base policy, 
> i.e. the module packager doesn't need to make any changes, just 
> rebuild against the new policy.
>
> With the attached patch and the module packaging policy described 
> above, all .pp files, from both the Core policy packages and others, 
> will go in /usr/share/selinux/NAME/ and there is no need for the 
> separate /usr/share/selinux/packages/ hierarchy.
>
> Paul.
> ------------------------------------------------------------------------
>
> --- selinux-policy.spec	2006-07-26 10:22:24.000000000 +0100
> +++ selinux-policy.spec	2006-07-26 12:40:09.000000000 +0100
> @@ -58,6 +58,9 @@
>  %{_usr}/share/selinux/devel/policygentool
>  %{_usr}/share/selinux/devel/example.*
>  %attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp
> +%dir %{_usr}/share/selinux/targeted
> +%dir %{_usr}/share/selinux/strict
> +%dir %{_usr}/share/selinux/mls
>  
>  %define setupCmds() \
>  make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%3 bare \
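Review bot: the three `%dir` lines hardcode the set of base policy names, and the `%fileList` hunk below drops the per-`%1` `%dir`, so any future `%fileList NAME` for a NAME not listed here would leave `/usr/share/selinux/NAME` unowned. Consider generating these entries from a single list macro that is also used by the `mkdir -p` in `%install`, so adding a base policy touches one place.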
> @@ -65,6 +68,9 @@
>  cp -f ${RPM_SOURCE_DIR}/modules-%1.conf  ./policy/modules.conf \
>  cp -f ${RPM_SOURCE_DIR}/booleans-%1.conf ./policy/booleans.conf \
>  
> +%define moduleList() %([ -f %{_sourcedir}/modules-%{1}.conf ] && \
> +sort %{_sourcedir}/modules-%{1}.conf | awk '$2 == "=" && $3 == "module" { printf "-i %%s.pp ", $1 }')
> +
>  %define installCmds() \
>  make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%3 base.pp \
>  make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%3 modules \
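Review bot: the awk filter in `%moduleList` does not skip commented-out entries: a line such as `#apache = module` still has `$2 == "="` and `$3 == "module"` and would be emitted as `-i apache.pp`. Add `$1 !~ /^#/` to the pattern (or `$1 ~ /^[^#]/`). The `sort` buys nothing, since awk can read the file directly and `semodule` does not depend on the order of `-i` arguments when all modules are installed in one invocation. Also worth a comment: `%(...)` is expanded when the spec is parsed, so the module list is fixed at build time from `%{_sourcedir}`, which is the intent but not obvious from the `%rebuildpolicy` call site.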
> @@ -91,7 +97,6 @@
>  
>  %define fileList() \
>  %defattr(-,root,root) \
> -%dir %{_usr}/share/selinux/%1 \
>  %{_usr}/share/selinux/%1/*.pp \
>  %dir %{_sysconfdir}/selinux/%1 \
>  %config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
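Review bot: removing `%dir %{_usr}/share/selinux/%1` from `%fileList` means a base-policy subpackage no longer owns its own directory at all; that is correct only as long as the parent package's hardcoded `%dir` entries cover every `%1` this macro is invoked with. A one-line comment here saying ownership moved to the main package would save the next maintainer from re-adding it.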
> @@ -130,8 +135,7 @@
>  
>  %define rebuildpolicy() \
>  ( cd /usr/share/selinux/%1; \
> -x=`ls *.pp | grep -v -e base.pp -e enableaudit.pp | awk '{ print "-i " $1 }'`; \
> -semodule -b base.pp $x -s %1; \
> +semodule -b base.pp %{expand:%%moduleList %1} -s %1; \
>  );\
>  rm -f %{_sysconfdir}/selinux/%1/policy/policy.*.rpmnew
>  
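Review bot: behaviour change in `%rebuildpolicy`: the old `ls *.pp | grep -v ...` only passed modules that actually exist in `/usr/share/selinux/%1`, whereas `%moduleList` passes every module declared in `modules-%1.conf` at build time. If a listed module did not build or is not shipped by the `*.pp` glob, `semodule -b base.pp ... -s %1` fails inside `%triggerpostun`. Either keep an existence filter in the scriptlet (e.g. drop names whose `.pp` is missing before calling `semodule`) or add a build-time check that every name from `%moduleList` has a matching `.pp` in the buildroot. Note also that `%{expand:%%moduleList %1}` bakes the expanded list into the scriptlet text; a comment stating that is deliberate would help.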
> @@ -160,6 +164,9 @@
>  touch %{buildroot}%{_sysconfdir}/selinux/config
>  touch %{buildroot}%{_sysconfdir}/sysconfig/selinux
>  
> +# Always create policy module package directories
> +mkdir -p %{buildroot}%{_usr}/share/selinux/{targeted,strict,mls}/
> +
>  # Install devel
>  make clean
>  make NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} DIRECT_INITRC=y MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=%3 install-headers install-docs
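Review bot: `mkdir -p ...{targeted,strict,mls}/` relies on shell brace expansion, which is a bashism; it works on Fedora where `/bin/sh` is bash, but spelling the three names out (or looping over a list macro shared with the `%dir` entries in the main package's `%files`) is both portable and keeps the list of base policies defined in one place.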
> @@ -281,7 +288,7 @@
>  %relabel mls
>  
>  %triggerpostun mls -- mls <= 2.0.7
> -%{rebuildpolicy} mls 
> +%rebuildpolicy mls 
>  
>  %files mls
>  %fileList mls
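Review bot: `%{rebuildpolicy} mls` -> `%rebuildpolicy mls` is a real bug fix rather than a cosmetic one: the braced form does not pass arguments to a parametrized macro, so `%1` inside `%rebuildpolicy` (the `cd /usr/share/selinux/%1` and `-s %1`) was never set to `mls`. It deserves its own `%changelog` entry. The replacement line also carries trailing whitespace after `mls`.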
> @@ -315,7 +322,7 @@
>  semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init -r libraries -r locallogin -r logging -r lvm -r miscfiles -r modutils -r mount -r mta -r netutils -r selinuxutil -r storage -r sysnetwork -r udev -r userdomain -r vpnc -r xend $x -s strict
>  
>  %triggerpostun strict -- strict <= 2.0.7
> -%{rebuildpolicy} strict 
> +%rebuildpolicy strict 
>  
>  %files strict
>  %fileList strict
>   
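Review bot: same argument-passing fix as the mls trigger above. Separately, the context line `semodule -b base.pp -r bootloader ... $x -s strict` still references `$x`, the variable this patch removes from `%rebuildpolicy`; confirm that this scriptlet computes its own `x` (in which case it could use `%{expand:%%moduleList strict}` for consistency), otherwise `$x` expands to nothing there.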
Changing to use

%define moduleList() %([ -f %{_sourcedir}/modules-%{1}.conf ] && \
awk '$1 !~ "#.*" && $2 == "=" && $3 == "module" { printf "-i %%s.pp ", $1 }' %{_sourcedir}/modules-%{1}.conf )

Any reason for the sort?
Do not want to grab comment lines.
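As an added illustration (not code from the thread or from the selinux-policy spec), the following POSIX shell script does the same job as the awk one-liner on a constructed modules-TYPE.conf: it emits the `-i NAME.pp` arguments for entries marked `module`, skips comment lines in both the `#name = module` and `# name = module` forms, and additionally reports declared modules whose `.pp` file is not present, which is the case where a `semodule -b base.pp -i ...` built from the conf file alone would fail. The conf format (`name = module|base|off` lines, `#` comments) is assumed from what the patch's awk expects.

```shell
#!/bin/sh
# Added example, not part of the original post or the selinux-policy spec.
set -eu

# Constructed sample of a modules-TYPE.conf (assumed format: "name = module|base|off",
# '#' starts a comment line).
sample_conf() {
    cat <<'EOF'
# Layer: services
apache = module
#dovecot = module
bind = base
cups = off
# mod_fcgid = module
samba = module
EOF
}

# Emit one "-i NAME.pp " per entry marked "module", ignoring comment lines.
# $1 = path to the modules-TYPE.conf file.
module_args() {
    awk '$1 !~ /^#/ && $2 == "=" && $3 == "module" { printf "-i %s.pp ", $1 }' "$1"
}

# List modules that are declared in the conf file but have no NAME.pp in the
# given directory; semodule -i on such a name would fail.
# $1 = conf file, $2 = directory holding the built .pp files.
missing_modules() {
    conf=$1
    dir=$2
    awk '$1 !~ /^#/ && $2 == "=" && $3 == "module" { print $1 }' "$conf" |
    while read -r name; do
        [ -f "$dir/$name.pp" ] || echo "$name"
    done
}

# Demo on the constructed sample: only apache.pp is "built".
demo() {
    tmp=$(mktemp -d)
    sample_conf > "$tmp/modules-targeted.conf"
    mkdir -p "$tmp/pp"
    touch "$tmp/pp/apache.pp"
    echo "semodule args: $(module_args "$tmp/modules-targeted.conf")"
    echo "declared but not built: $(missing_modules "$tmp/modules-targeted.conf" "$tmp/pp")"
    rm -rf "$tmp"
}
demo
```

Run as `sh script.sh`; in a spec file the `missing_modules` check would belong in `%install` or `%check`, so that a module that silently failed to build is caught at build time rather than in a post-install scriptlet.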