[PATCH v2 4/4] selinux: add "mls" binary version of the policy

Daniel P. Berrangé berrange at redhat.com
Mon Apr 26 17:24:05 UTC 2021


On Wed, Apr 07, 2021 at 07:08:37AM -0700, Vit Mojzis wrote:
> Compile the module also for use with "mls" systems and allow
> installation to systems with any selinux type (targeted, mls and
> minimum).
> 
> Signed-off-by: Vit Mojzis <vmojzis at redhat.com>
> ---
>  libvirt.spec.in           | 53 +++++++++++++++++++++++++++++++++------
>  selinux/compile_policy.py | 21 ++++++++++------
>  selinux/meson.build       | 11 +++++---
>  selinux/mls/meson.build   | 20 +++++++++++++++

Since we have a subdir for the mls build, I'd suggest similarly using
an "mcs" subdir for the other build

This whole patch ought to be squashed into the earlier patch though.

>  4 files changed, 87 insertions(+), 18 deletions(-)
>  create mode 100644 selinux/mls/meson.build
> 
> diff --git a/libvirt.spec.in b/libvirt.spec.in
> index 1b807ec324..9efbd2e6db 100644
> --- a/libvirt.spec.in
> +++ b/libvirt.spec.in
> @@ -5,9 +5,8 @@
>  # or versions, but no effort will be made to ensure that going forward.
>  
>  %if 0%{?fedora} > 33 || 0%{?rhel} > 8
> -	%global with_selinux 1
> -	%global selinuxtype targeted
> -	%global modulename virt
> +    %global with_selinux 1
> +    %global modulename virt
>  %endif
>  
>  %define min_rhel 7
> @@ -1535,18 +1534,57 @@ exit 0
>  # SELinux contexts are saved so that only affected files can be
>  # relabeled after the policy module installation
>  %pre selinux
> -%selinux_relabel_pre -s %{selinuxtype}
> +if [ -e /etc/selinux/config ]; then
> +    . /etc/selinux/config
> +    %selinux_relabel_pre -s ${SELINUXTYPE}
> +fi
>  
>  %post selinux
> -%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
> +# only policy reload is needed - module installation is managed by triggers
> +/usr/sbin/selinuxenabled && /usr/sbin/load_policy || :
>  
>  %postun selinux
>  if [ $1 -eq 0 ]; then
> -    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
> +    /usr/sbin/selinuxenabled && /usr/sbin/load_policy || :
>  fi
>  
>  %posttrans selinux
> -%selinux_relabel_post -s %{selinuxtype}
> +if [ -e /etc/selinux/config ]; then
> +    . /etc/selinux/config
> +    %selinux_relabel_post -s ${SELINUXTYPE}
> +fi
> +
> +# install the policy module to corresponding policy store if
> +# selinux-policy-{targeted|mls|minimum} package is installed on the system
> +%triggerin -n %{name}-selinux -- selinux-policy-targeted
> +/usr/sbin/semodule -n -s targeted -X 200 -i %{_datadir}/selinux/packages/%{modulename}.pp.bz2 || :
> +
> +%triggerin -n %{name}-selinux -- selinux-policy-minimum
> +/usr/sbin/semodule -n -s minimum -X 200 -i %{_datadir}/selinux/packages/%{modulename}.pp.bz2 || :
> +# libvirt module is installed by default, but disabled -- enable it
> +/usr/sbin/semodule -n -s minimum -e %{modulename} || :
> +
> +%triggerin -n %{name}-selinux -- selinux-policy-mls
> +/usr/sbin/semodule -n -s mls -X 200 -i %{_datadir}/selinux/packages/mls/%{modulename}.pp.bz2 || :
> +
> +# remove the policy module from corresponding module store if
> +# libvirt-selinux or selinux-policy-* was removed from the system,
> +# but not when either package gets updated
> +%triggerun -n %{name}-selinux -- selinux-policy-targeted
> +if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/targeted/active/modules/200/%{modulename} ]; then
> +    /usr/sbin/semodule -n -s targeted -X 200 -r %{modulename} || :
> +fi
> +
> +%triggerun -n %{name}-selinux -- selinux-policy-minimum
> +if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/minimum/active/modules/200/%{modulename} ]; then
> +    /usr/sbin/semodule -n -s minimum -X 200 -r %{modulename} || :
> +    /usr/sbin/semodule -n -d %{modulename} || :
> +fi
> +
> +%triggerun -n %{name}-selinux -- selinux-policy-mls
> +if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/mls/active/modules/200/%{modulename} ]; then
> +    /usr/sbin/semodule -n -s mls -X 200 -r %{modulename} || :
> +fi
>  %endif
>  
>  %files
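Review bot: `/usr/sbin/semodule -n -d %{modulename} || :` in the selinux-policy-minimum %triggerun is the only semodule call in this hunk without a `-s minimum` store argument, so it acts on whatever store /etc/selinux/config currently selects rather than the minimum store, and it runs only after the line above has already removed the module; I'd write `/usr/sbin/semodule -n -s minimum -d %{modulename} || :` or drop the line. Separately, RPM runs %triggerin after %post, so the `load_policy` in `%post selinux` fires before the triggers insert the module with `semodule -n`; unless %selinux_relabel_post reloads policy (I cannot confirm that from here), the freshly installed module is not active until the next reload, and a `load_policy` at the end of each %triggerin would close that window. The `. /etc/selinux/config` guards also hand an empty `-s` argument to the relabel macros when the file exists but sets no SELINUXTYPE; a `[ -n "${SELINUXTYPE}" ]` check before each macro call would avoid that.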
> @@ -2018,6 +2056,7 @@ fi
>  %if 0%{?with_selinux}
>  %files selinux
>  %{_datadir}/selinux/packages/%{modulename}.pp.*
> +%{_datadir}/selinux/packages/mls/%{modulename}.pp.*
>  %ghost %{_sharedstatedir}/selinux/targeted/active/modules/200/%{modulename}
>  %ghost %{_sharedstatedir}/selinux/minimum/active/modules/200/%{modulename}
>  %ghost %{_sharedstatedir}/selinux/mls/active/modules/200/%{modulename}
> diff --git a/selinux/compile_policy.py b/selinux/compile_policy.py
> index 2de26f21c7..7a703dbb3d 100755
> --- a/selinux/compile_policy.py
> +++ b/selinux/compile_policy.py
> @@ -24,16 +24,21 @@ import sys
>  import os
>  import glob
>  
> -if len(sys.argv) != 6:
> -    print("Usage: %s <policy>.te <policy>.if <policy>.fc <output>.pp <tmpdir>"
> -          % sys.argv[0], file=sys.stderr)
> +if len(sys.argv) != 7:
> +    print(("Usage: {} <policy>.te <policy>.if <policy>.fc <output>.pp <tmpdir>"
> +           " <type (mls/mcs)>").format(sys.argv[0]), file=sys.stderr)
>      exit(os.EX_USAGE)
>  
>  module_name = os.path.splitext(os.path.basename(sys.argv[1]))[0]
>  
> -m4param = ["-D", "enable_mcs", "-D", "distro_redhat", "-D",
> -           "hide_broken_symptoms", "-D", "mls_num_sens=16", "-D",
> -           "mls_num_cats=1024", "-D", "mcs_num_cats=1024"]
> +m4param = ["-D", "distro_redhat", "-D", "hide_broken_symptoms",
> +           "-D", "mls_num_sens=16", "-D", "mls_num_cats=1024",
> +           "-D", "mcs_num_cats=1024"]
> +
> +if sys.argv[6] == "mls":
> +    m4param = ["-D", "enable_mls"] + m4param
> +else:
> +    m4param = ["-D", "enable_mcs"] + m4param
>  
>  SHAREDIR = "/usr/share/selinux"
>  HEADERDIR = os.path.join(SHAREDIR, "devel/include")
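Review bot: `sys.argv[6]` is compared only against "mls", so any other value, including a typo, silently selects the MCS build even though the usage line advertises `<type (mls/mcs)>`. A module compiled for the wrong flavour produces no build error and would be shipped into the wrong policy store, so validate the argument next to the existing argc check: `if sys.argv[6] not in ("mls", "mcs"):` followed by the same usage message and `exit(os.EX_USAGE)`.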
> @@ -55,7 +60,9 @@ except Exception:
>      pass
>  
>  # remove old trash from the temp folder
> -for name in ["iferror.m4" "all_interfaces.conf" "{}.*".format(module_name)]:
> +tmpfiles = ["{}.{}".format(module_name, ext)
> +            for ext in ["mod", "mod.fc", "tmp"]]
> +for name in ["iferror.m4", "all_interfaces.conf"] + tmpfiles:
>      try:
>          os.remove(os.path.join(sys.argv[5], name))
>      except Exception:
> diff --git a/selinux/meson.build b/selinux/meson.build
> index 2737e60519..305cf59e72 100644
> --- a/selinux/meson.build
> +++ b/selinux/meson.build
> @@ -4,15 +4,16 @@ selinux_sources = [
>    'virt.fc',
>  ]
>  
> -compile_policy_prog = find_program('compile_policy.py')
> +set_variable('compile_policy_prog', find_program('compile_policy.py'))
>  
> +# targeted/minimum policy module
>  virt_pp = custom_target('virt.pp',
>    output : 'virt.pp',
>    input : selinux_sources,
> -  command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/tmp'],
> +  command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/tmp', 'mcs'],
>    install : false)
>  
> -bzip2_prog = find_program('bzip2')
> +set_variable('bzip2_prog', find_program('bzip2'))
>  
>  bzip = custom_target('virt.pp.bz2',
>    output : 'virt.pp.bz2',
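Review bot: `set_variable('compile_policy_prog', ...)` and `set_variable('bzip2_prog', ...)` are, as far as I know, equivalent to the plain assignments they replace: Meson evaluates a `subdir()` file in the same variable scope as its parent, so `compile_policy_prog = find_program('compile_policy.py')` would already be visible in selinux/mls/meson.build. `set_variable` is meant for computed variable names; the plain assignment reads better and does not suggest the variables need special handling to cross the subdir boundary.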
> @@ -20,4 +21,6 @@ bzip = custom_target('virt.pp.bz2',
>    command : [bzip2_prog, '-c', '-9', '@INPUT@'],
>    capture : true,
>    install : true,
> -  install_dir : 'share/selinux/packages/')
> +  install_dir : 'share/selinux/packages')
> +
> +subdir('mls')
> diff --git a/selinux/mls/meson.build b/selinux/mls/meson.build
> new file mode 100644
> index 0000000000..20bab41fea
> --- /dev/null
> +++ b/selinux/mls/meson.build
> @@ -0,0 +1,20 @@
> +selinux_sources = [
> +  '../virt.te',
> +  '../virt.if',
> +  '../virt.fc',
> +]
> +
> +# MLS policy module
> +virt_pp_mls = custom_target('virt.pp',
> +  output : 'virt.pp',
> +  input : selinux_sources,
> +  command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/mls/tmp', 'mls'],
> +  install : false)
> +
> +bzip_mls = custom_target('virt.pp.bz2',
> +  output : 'virt.pp.bz2',
> +  input : virt_pp_mls,
> +  command : [bzip2_prog, '-c', '-9', '@INPUT@'],
> +  capture : true,
> +  install : true,
> +  install_dir : 'share/selinux/packages/mls')
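Review bot: The new file redefines `selinux_sources` with `../`-relative paths; because `subdir()` shares the parent's variable scope this overwrites the parent's list after it has been consumed, which is harmless today but confusing. If the parent declared `selinux_sources = files('virt.te', 'virt.if', 'virt.fc')`, the `files()` object would carry its own location and this file could reuse it directly as `input : selinux_sources`, dropping the duplicated list and keeping the two builds from drifting apart.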
> -- 
> 2.30.2
> 

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|



