[ostree] Add internal SELinux policy overrides
- From: Colin Walters <walters src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [ostree] Add internal SELinux policy overrides
- Date: Thu, 20 Feb 2014 12:54:05 +0000 (UTC)
commit cc49096044051f8f1211c0489211cf413125a7fd
Author: Colin Walters <walters verbum org>
Date: Wed Feb 19 08:37:54 2014 -0500
Add internal SELinux policy overrides
In the future, this will likely include an ostree_t domain. For now,
this is just a few additional allow rules.
Makefile.am | 4 ++++
configure.ac | 1 +
packaging/ostree.spec.in | 24 ++++++++++++++++++++++++
selinux/.gitignore | 2 ++
selinux/Makefile.am | 22 ++++++++++++++++++++++
selinux/ostree.fc | 9 +++++++++
selinux/ostree.if | 1 +
selinux/ostree.te | 33 +++++++++++++++++++++++++++++++++
8 files changed, 96 insertions(+), 0 deletions(-)
---
diff --git a/Makefile.am b/Makefile.am
index b20738a..803ce0a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -31,6 +31,10 @@ endif
SUBDIRS += .
+if USE_SELINUX
+SUBDIRS += selinux
+endif
+
if ENABLE_GTK_DOC
SUBDIRS += doc
endif
diff --git a/configure.ac b/configure.ac
index 542c9ff..d3c72d7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -203,6 +203,7 @@ AC_CONFIG_FILES([
Makefile
embedded-dependencies/Makefile
doc/Makefile
+selinux/Makefile
src/libostree/ostree-1.pc
])
AC_OUTPUT
diff --git a/packaging/ostree.spec.in b/packaging/ostree.spec.in
index c2596d2..105b0ae 100644
--- a/packaging/ostree.spec.in
+++ b/packaging/ostree.spec.in
@@ -44,6 +44,19 @@ Requires: %{name} = %{version}-%{release}
%description devel
The %{name}-devel package includes the header files for the %{name} library.
+%package selinux
+Summary: SELinux policy module for %{name}
+Group: System Environment/Base
+Requires: %{name} = %{version}-%{release}
+Requires: policycoreutils, libselinux-utils
+Requires(post): selinux-policy-base, policycoreutils
+Requires(postun): policycoreutils
+BuildRequires: selinux-policy-devel
+BuildArch: noarch
+
+%description selinux
+This package installs and sets up the SELinux policy security module for %{name}.
+
%prep
%setup -q -n ostree-%{version}
@@ -69,6 +82,14 @@ rm -rf $RPM_BUILD_ROOT
%preun
%systemd_preun ostree-remount.service
+%post selinux
+semodule -n -i %{_datadir}/selinux/packages/%{name}.pp
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+ semodule -n -r %{name}
+fi
+
%files
%doc COPYING README.md
%{_bindir}/ostree
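Review bot: The `%post selinux` scriptlet installs the module with `semodule -n -i`, and `-n` (--noreload) skips reloading the kernel policy, so on a running system neither the new allow rules nor the file contexts from ostree.fc take effect until the next reboot or a manual `load_policy`; the same gap exists for `semodule -n -r` in `%postun selinux`. The paths labelled in ostree.fc (/sysroot, /ostree, /media, /mnt, /var/roothome, /var/home) are also never relabelled, so even after a reload they keep their old contexts. Both scriptlets should reload the policy when SELinux is enabled, and `%post` should run restorecon on the listed paths; the failure-tolerant `|| :` keeps package installation from aborting on hosts where a path does not exist.
```spec
%post selinux
semodule -n -i %{_datadir}/selinux/packages/%{name}.pp
if selinuxenabled; then
    load_policy
    restorecon /sysroot /ostree /media /mnt /var/roothome /var/home 2>/dev/null || :
fi

%postun selinux
if [ $1 -eq 0 ]; then
    semodule -n -r %{name}
    if selinuxenabled; then
        load_policy
    fi
fi
```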
@@ -91,3 +112,6 @@ rm -rf $RPM_BUILD_ROOT
%dir %{_datadir}/gtk-doc/html/ostree
%{_datadir}/gtk-doc/html/ostree
%{_datadir}/gir-1.0/OSTree-1.0.gir
+
+%files selinux
+%attr(0600,root,root) %{_datadir}/selinux/packages/%{name}.pp
diff --git a/selinux/.gitignore b/selinux/.gitignore
new file mode 100644
index 0000000..cbefb9d
--- /dev/null
+++ b/selinux/.gitignore
@@ -0,0 +1,2 @@
+ostree.pp
+tmp
diff --git a/selinux/Makefile.am b/selinux/Makefile.am
new file mode 100644
index 0000000..1d69949
--- /dev/null
+++ b/selinux/Makefile.am
@@ -0,0 +1,22 @@
+# Copyright (C) 2014 Colin Walters <walters verbum org>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the
+# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+# Boston, MA 02111-1307, USA.
+
+ostree.pp: ostree.fc ostree.if ostree.te
+ make -f /usr/share/selinux/devel/Makefile
+
+selinuxpkgdir = $(datadir)/selinux/packages
+selinuxpkg_DATA = ostree.pp
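Review bot: The `ostree.pp` rule calls `make` directly instead of `$(MAKE)`, so the sub-make does not inherit the jobserver or the flags of the outer build; change it to `$(MAKE) -f /usr/share/selinux/devel/Makefile`. The three policy sources are not listed in `EXTRA_DIST`, so a `make dist` tarball would lack them and the rule could not run from a release tarball; adding `EXTRA_DIST = ostree.fc ostree.if ostree.te` fixes that. The generated `ostree.pp` and the `tmp` directory (both named in the .gitignore this commit adds) are never removed by `make clean`; `CLEANFILES = ostree.pp` plus a `clean-local` target for `tmp` would cover it. The devel Makefile presumably builds from the current directory, so an out-of-tree (VPATH) build is likely to fail to find the sources — worth confirming.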
diff --git a/selinux/ostree.fc b/selinux/ostree.fc
new file mode 100644
index 0000000..56b9c4f
--- /dev/null
+++ b/selinux/ostree.fc
@@ -0,0 +1,9 @@
+# Core definitions
+
+/sysroot -d gen_context(system_u:object_r:usr_t,s0)
+/ostree -d gen_context(system_u:object_r:usr_t,s0)
+/ostree -l gen_context(system_u:object_r:usr_t,s0)
+/media -l gen_context(system_u:object_r:mnt_t,s0)
+/mnt -l gen_context(system_u:object_r:mnt_t,s0)
+/var/roothome -d gen_context(system_u:object_r:admin_home_t,s0)
+/var/home -d gen_context(system_u:object_r:home_root_t,s0)
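Review bot: The file carries only the heading `# Core definitions`, so nothing explains why these paths get the labels they do, which makes it hard to audit later changes to the contexts. A one-line comment per entry would help, for example `# /sysroot and /ostree hold the deployment roots; generic usr_t for now` above the first three lines, and above the /media and /mnt entries a note such as `# presumably symlinks on ostree-managed systems, labelled like the mount points they replace — confirm`. Note that each pattern matches only the named path itself (no `(/.*)?` suffix), and the `-d`/`-l` qualifiers restrict it to a directory or symlink; if that is intentional, saying so in the header comment would prevent someone "fixing" it by making the patterns recursive.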
diff --git a/selinux/ostree.if b/selinux/ostree.if
new file mode 100644
index 0000000..996cee9
--- /dev/null
+++ b/selinux/ostree.if
@@ -0,0 +1 @@
+# Empty.
diff --git a/selinux/ostree.te b/selinux/ostree.te
new file mode 100644
index 0000000..8d34940
--- /dev/null
+++ b/selinux/ostree.te
@@ -0,0 +1,33 @@
+policy_module(ostree, 1.3.0)
+
+require {
+ type init_t;
+ type root_t;
+ type var_log_t;
+ type games_data_t;
+ type var_yp_t;
+ type systemd_tmpfiles_t;
+ type local_login_t;
+ type admin_home_t;
+ type ldconfig_cache_t;
+ type var_t;
+ type var_run_t;
+ class lnk_file { relabelfrom relabelto read getattr };
+ class dir { relabelfrom relabelto create setattr write };
+}
+
+# init_t
+allow init_t admin_home_t:lnk_file { read getattr };
+allow init_t root_t:dir { write };
+
+#============= systemd_tmpfiles_t ==============
+allow systemd_tmpfiles_t games_data_t:dir relabelto;
+allow systemd_tmpfiles_t var_log_t:dir create;
+allow systemd_tmpfiles_t var_run_t:lnk_file { relabelfrom relabelto };
+allow systemd_tmpfiles_t var_t:dir { create relabelfrom relabelto setattr };
+allow systemd_tmpfiles_t var_yp_t:dir relabelto;
+allow systemd_tmpfiles_t ldconfig_cache_t:dir { relabelfrom relabelto setattr };
+allow systemd_tmpfiles_t var_t:dir { relabelfrom relabelto setattr };
+
+#============= local_login_t ==============
+allow local_login_t admin_home_t:lnk_file read;
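Review bot: The rule `allow systemd_tmpfiles_t var_t:dir { relabelfrom relabelto setattr };` on the second-to-last systemd_tmpfiles_t line is a strict subset of the earlier `allow systemd_tmpfiles_t var_t:dir { create relabelfrom relabelto setattr };` and can be dropped. None of the allow rules record which denial they resolve, and `allow init_t root_t:dir { write };` in particular widens init's access to the root directory itself, so each rule (or at least each group) should carry a comment naming the operation that needed it, e.g. `# init creates the /ostree and /sysroot entries at boot`, hedged or confirmed against the AVC that motivated it. Listing `games_data_t` and `var_yp_t` in the top-level `require` block makes the whole module fail to link on a base policy that does not define those types, which would disable every other rule here as well; guarding those two rules with `optional_policy` keeps the module loadable.
```selinux
# … unchanged: policy_module, require block (without games_data_t and var_yp_t), init_t rules …

optional_policy(`
	gen_require(`
		type games_data_t;
	')
	allow systemd_tmpfiles_t games_data_t:dir relabelto;
')

optional_policy(`
	gen_require(`
		type var_yp_t;
	')
	allow systemd_tmpfiles_t var_yp_t:dir relabelto;
')

# … unchanged: remaining systemd_tmpfiles_t and local_login_t rules …
```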