diff --git a/.gitmodules b/.gitmodules index e69de29..779644c 100644 --- a/.gitmodules +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "upstream"] + path = upstream + url = ssh://git@git.merproject.org:2222/mirror/selinux.git diff --git a/rpm/disable_awk_sandbox_policycoreutils.patch b/rpm/disable_awk_sandbox_policycoreutils.patch new file mode 100644 index 0000000..73ae430 --- /dev/null +++ b/rpm/disable_awk_sandbox_policycoreutils.patch @@ -0,0 +1,13 @@ +diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile +index e9432768..449bd7f7 100644 +--- a/policycoreutils/setfiles/Makefile ++++ b/policycoreutils/setfiles/Makefile +@@ -4,7 +4,7 @@ SBINDIR ?= /sbin + MANDIR = $(PREFIX)/share/man + AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y) + +-ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }') ++ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk '{ print $$3 }') + + CFLAGS ?= -g -Werror -Wall -W + override LDLIBS += -lselinux -lsepol diff --git a/rpm/fix_systemd_path.patch b/rpm/fix_systemd_path.patch new file mode 100644 index 0000000..0259100 --- /dev/null +++ b/rpm/fix_systemd_path.patch @@ -0,0 +1,15 @@ +diff --git a/restorecond/Makefile b/restorecond/Makefile +index 25be18d4..65bd1775 100644 +--- a/restorecond/Makefile ++++ b/restorecond/Makefile +@@ -51,8 +51,8 @@ install: all + install -m 644 restorecond.desktop $(DESTDIR)$(AUTOSTARTDIR)/restorecond.desktop + -mkdir -p $(DESTDIR)$(DBUSSERVICEDIR) + install -m 600 org.selinux.Restorecond.service $(DESTDIR)$(DBUSSERVICEDIR)/org.selinux.Restorecond.service +- -mkdir -p $(DESTDIR)$(SYSTEMDDIR)/system +- install -m 644 restorecond.service $(DESTDIR)$(SYSTEMDDIR)/system/ ++ -mkdir -p $(DESTDIR)$(SYSTEMDDIR)/ ++ install -m 644 restorecond.service $(DESTDIR)$(SYSTEMDDIR)/ + relabel: install + /sbin/restorecon $(DESTDIR)$(SBINDIR)/restorecond + diff --git a/rpm/policycoreutils.spec b/rpm/policycoreutils.spec new file mode 100644 index 0000000..d6c87f8 --- /dev/null +++ b/rpm/policycoreutils.spec @@ -0,0 +1,350 @@ +# based on work by The Fedora Project (2017) +# Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd +# +# Permission is hereby granted, free of charge, to any person obtaining +# a copy of this software and associated documentation files (the +# "Software"), to deal in the Software without restriction, including +# without limitation the rights to use, copy, modify, merge, publish, +# distribute, sublicense, and/or sell copies of the Software, and to +# permit persons to whom the Software is furnished to do so, subject to +# the following conditions: +# +# The above copyright notice and this permission notice shall be included +# in all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY +# CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, +# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE +# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +%global libauditver 2.1.3 +%global libsepolver 2.8 +%global libsemanagever 2.8 +%global libselinuxver 2.8 +%global sepolgenver 2.8 + +%global generatorsdir /lib/systemd/system-generators + +%if ! %{defined python3_sitearch} +%define python3_sitearch /%{_libdir}/python3.?/site-packages +%endif + +%if ! %{defined python3_sitelib} +%define python3_sitelib /%{_libdir}/python3.?/site-packages +%endif + +Summary: SELinux policy core utilities +Name: policycoreutils +Version: 2.8 +Release: 1 +License: GPLv2 +Group: System Environment/Base +Source: %{name}-%{version}.tar.bz2 +URL: https://github.com/SELinuxProject +Source15: selinux-autorelabel +Source16: selinux-autorelabel.service +Source17: selinux-autorelabel-mark.service +Source18: selinux-autorelabel.target +Source19: selinux-autorelabel-generator.sh +Patch0: disable_awk_sandbox_policycoreutils.patch +Patch1: fix_systemd_path.patch +Provides: /sbin/fixfiles +Provides: /sbin/restorecon + +BuildRequires: audit-libs-devel >= %{libauditver} +BuildRequires: dbus-devel +BuildRequires: dbus-glib-devel +BuildRequires: gettext +BuildRequires: libcap-ng-devel +BuildRequires: libsepol-static >= %{libsepolver} +BuildRequires: libsemanage-static >= %{libsemanagever} +BuildRequires: libselinux-devel >= %{libselinuxver} +BuildRequires: libcap-devel +BuildRequires: pam-devel +BuildRequires: python +BuildRequires: python3-devel +BuildRequires: systemd + +Requires: util-linux +Requires: grep +Requires: gawk +Requires: diffutils +Requires: rpm +Requires: sed +Requires: libsepol >= %{libsepolver} +Requires: coreutils +Requires: libselinux-utils >= %{libselinuxver} + +%description +Security-enhanced Linux is a feature of the Linux® kernel and a number +of utilities with enhanced security functionality designed to add +mandatory access controls to Linux. The Security-enhanced Linux +kernel contains new architectural components originally developed to +improve the security of the Flask operating system. These +architectural components provide general support for the enforcement +of many kinds of mandatory access control policies, including those +based on the concepts of Type Enforcement®, Role-based Access +Control, and Multi-level Security. + +policycoreutils contains the policy core utilities that are required +for basic operation of a SELinux system. These utilities include +load_policy to load policies, setfiles to label filesystems, newrole +to switch roles. + +%prep +%setup -q -n %{name}-%{version}/upstream +%patch0 -p1 +%patch1 -p1 + +%build +make -C policycoreutils LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" SEMODULE_PATH="%{_sbindir}" LIBSEPOLA="%{_libdir}/libsepol.a" all + +make -C python SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" LIBSEPOLA="%{_libdir}/libsepol.a" all + +make -C dbus SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" LIBSEPOLA="%{_libdir}/libsepol.a" all + +make -C semodule-utils SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" LIBSEPOLA="%{_libdir}/libsepol.a" all + +make -C restorecond SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" LIBSEPOLA="%{_libdir}/libsepol.a" all + +%install +mkdir -p %{buildroot}%{_bindir} +mkdir -p %{buildroot}%{_sbindir} +mkdir -p %{buildroot}%{_mandir}/man1 +mkdir -p %{buildroot}%{_mandir}/man5 +mkdir -p %{buildroot}%{_mandir}/man8 +%{__mkdir} -p %{buildroot}/%{_usr}/share/doc/%{name}/ + +make -C policycoreutils LSPP_PRIV=y DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="%{_sbindir}" LIBSEPOLA="%{_libdir}/libsepol.a" install + +make -C python PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install + +make -C dbus PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install + +make -C semodule-utils PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install + +make -C restorecond PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SYSTEMDDIR="%{_unitdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install + + +# Systemd +rm -rf %{buildroot}/%{_sysconfdir}/rc.d/init.d/restorecond + +rm -f %{buildroot}/usr/share/man/man8/open_init_pty.8 +rm -f %{buildroot}%{_sbindir}/open_init_pty +rm -f %{buildroot}%{_sbindir}/run_init +rm -f %{buildroot}/etc/pam.d/run_init* +rm -f %{buildroot}/usr/share/man/man8/sepolicy-gui.8* +rm -f %{buildroot}/usr/share/man/man8/run_init.8* +rm -f %{buildroot}/usr/lib/python3.4/site-packages/sepolicy/sepolicy.glade +rm -f %{buildroot}/usr/lib/python3.4/site-packages/sepolicy/gui.py + +# https://bugzilla.redhat.com/show_bug.cgi?id=1328825 +mkdir -m 755 -p %{buildroot}/%{_unitdir}/basic.target.wants/ +mkdir -m 755 -p %{buildroot}/%{generatorsdir} +install -m 644 -p %{SOURCE16} %{buildroot}/%{_unitdir}/ +install -m 644 -p %{SOURCE17} %{buildroot}/%{_unitdir}/ +install -m 644 -p %{SOURCE18} %{buildroot}/%{_unitdir}/ +install -m 755 -p %{SOURCE19} %{buildroot}/%{generatorsdir}/ +install -m 755 -p %{SOURCE15} %{buildroot}/%{_libexecdir}/selinux/ +ln -s ../selinux-autorelabel-mark.service %{buildroot}/%{_unitdir}/basic.target.wants/ + +# change /usr/bin/python to %%{__python3} in policycoreutils-python3 +find %{buildroot}%{python3_sitelib} %{buildroot}%{python3_sitearch} -type f | xargs \ + sed -i '1s%\(#! *\)/usr/bin/python\([^3].*\|\)$%\1%{__python3}\2%' + +# change /usr/bin/python to %%{__python3} in python-utils +sed -i '1s%\(#! *\)/usr/bin/python\([^3].*\|\)$%\1%{__python3}\2%' \ + %{buildroot}%{_sbindir}/semanage \ + %{buildroot}%{_bindir}/chcat \ + %{buildroot}%{_bindir}/audit2allow \ + %{buildroot}%{_bindir}/audit2why \ + %{buildroot}%{_bindir}/sepolicy \ + %{buildroot}%{_bindir}/sepolgen{,-ifgen} \ + %nil + +%find_lang %{name} + +%package python-utils +Summary: SELinux policy core python utilities +Requires: policycoreutils-python3 = %{version}-%{release} + +%description python-utils +The policycoreutils-python-utils package contains the management tools use to manage +an SELinux environment. + +%files python-utils +%{_sbindir}/semanage +%{_bindir}/chcat +%{_bindir}/audit2allow +%{_bindir}/audit2why +%{_bindir}/semodule_package +%{_sysconfdir}/dbus-1/system.d/org.selinux.conf +%{_datadir}/bash-completion/completions/semanage +%{_datadir}/bash-completion/completions/setsebool + +%package dbus +Summary: SELinux policy core DBUS api +Requires: policycoreutils-python3 = %{version}-%{release} +Requires: python3-slip-dbus + +%description dbus +The policycoreutils-dbus package contains the management DBUS API use to manage +an SELinux environment. + +%files dbus +%{_sysconfdir}/dbus-1/system.d/org.selinux.conf +%{_datadir}/dbus-1/system-services/org.selinux.service +%{_datadir}/polkit-1/actions/org.selinux.policy +%{_datadir}/system-config-selinux/selinux_server.py* + +%package python3 +Summary: SELinux policy core python3 interfaces +Group: System Environment/Base +Requires:policycoreutils = %{version}-%{release} +Requires:libsemanage-python3 >= %{libsemanagever} libselinux-python3 libcgroup +Requires:audit-libs-python3 >= %{libauditver} +Requires: python3-IPy +Requires: checkpolicy +Requires: setools-python3 >= 4.1.1 + +%description python3 +The policycoreutils-python3 package contains the interfaces that can be used +by python 3 in an SELinux environment. + +%files python3 +%{python3_sitearch}/seobject.py* +%{python3_sitearch}/__pycache__ +%{python3_sitearch}/sepolgen +%dir %{python3_sitelib}/sepolicy +%{python3_sitelib}/sepolicy/templates +%dir %{python3_sitelib}/sepolicy/help +%{python3_sitelib}/sepolicy/help/* +%{python3_sitelib}/sepolicy/__init__.py* +%{python3_sitelib}/sepolicy/booleans.py* +%{python3_sitelib}/sepolicy/communicate.py* +%{python3_sitelib}/sepolicy/generate.py* +%{python3_sitelib}/sepolicy/interface.py* +%{python3_sitelib}/sepolicy/manpage.py* +%{python3_sitelib}/sepolicy/network.py* +%{python3_sitelib}/sepolicy/transition.py* +%{python3_sitelib}/sepolicy/sedbus.py* +%{python3_sitelib}/sepolicy*.egg-info +%{python3_sitelib}/sepolicy/__pycache__ + +%package devel +Summary: SELinux policy core policy devel utilities +Group: System Environment/Base +Requires: policycoreutils-python-utils = %{version}-%{release} +Requires: /usr/bin/make +Requires: selinux-policy-devel + +%description devel +The policycoreutils-devel package contains the management tools use to develop policy in an SELinux environment. + +%files devel +%{_bindir}/sepolgen +%{_bindir}/sepolgen-ifgen +%{_bindir}/sepolgen-ifgen-attr-helper +%dir /var/lib/sepolgen +/var/lib/sepolgen/perm_map +%{_bindir}/sepolicy +%{_mandir}/man8/sepolgen.8* +%{_mandir}/man8/sepolicy-booleans.8* +%{_mandir}/man8/sepolicy-generate.8* +%{_mandir}/man8/sepolicy-interface.8* +%{_mandir}/man8/sepolicy-network.8* +%{_mandir}/man8/sepolicy.8* +%{_mandir}/man8/sepolicy-communicate.8* +%{_mandir}/man8/sepolicy-manpage.8* +%{_mandir}/man8/sepolicy-transition.8* +%{_usr}/share/bash-completion/completions/sepolicy +%{_bindir}/semodule_expand +%{_bindir}/semodule_link +%{_bindir}/semodule_unpackage +%{_mandir}/man8/semodule_expand.8* +%{_mandir}/man8/semodule_link.8* +%{_mandir}/man8/semodule_unpackage.8* +%{_mandir}/man5/selinux_config.5.gz +%{_mandir}/man5/sestatus.conf.5.gz +%{_mandir}/man8/fixfiles.8* +%{_mandir}/man8/load_policy.8* +%{_mandir}/man8/restorecon.8* +%{_mandir}/man8/restorecon_xattr.8* +%{_mandir}/man8/semodule.8* +%{_mandir}/man8/sestatus.8* +%{_mandir}/man8/setfiles.8* +%{_mandir}/man8/setsebool.8* +%{_mandir}/man1/secon.1* +%{_mandir}/man8/genhomedircon.8* +%{_mandir}/man1/newrole.1.gz +%{_mandir}/man8/restorecond.8* +%{_mandir}/man1/audit2allow.1* +%{_mandir}/man8/semodule_package.8* +%{_mandir}/man1/audit2why.1* +%{_mandir}/man8/chcat.8* +%{_mandir}/man8/semanage*.8* + +%package newrole +Summary: The newrole application for RBAC/MLS +Group: System Environment/Base +Requires: policycoreutils = %{version}-%{release} + +%description newrole +RBAC/MLS policy machines require newrole as a way of changing the role +or level of a logged in user. + +%files newrole +%attr(0755,root,root) %caps(cap_dac_read_search,cap_setpcap,cap_audit_write,cap_sys_admin,cap_fowner,cap_chown,cap_dac_override=pe) %{_bindir}/newrole +%config(noreplace) %{_sysconfdir}/pam.d/newrole + +%files -f %{name}.lang +%{_sbindir}/restorecon +%{_sbindir}/restorecon_xattr +%{_sbindir}/fixfiles +%{_sbindir}/setfiles +%{_sbindir}/load_policy +%{_sbindir}/genhomedircon +%{_sbindir}/setsebool +%{_sbindir}/semodule +%{_sbindir}/sestatus +%{_bindir}/secon +%{_libexecdir}/selinux/hll +%{_libexecdir}/selinux/selinux-autorelabel +%{_unitdir}/selinux-autorelabel-mark.service +%{_unitdir}/basic.target.wants/selinux-autorelabel-mark.service +%{_unitdir}/selinux-autorelabel.service +%{_unitdir}/selinux-autorelabel.target +%{generatorsdir}/selinux-autorelabel-generator.sh +%config(noreplace) %{_sysconfdir}/sestatus.conf +# selinux-policy Requires: policycoreutils, so we own this set of directories and our files within them +%doc policycoreutils/COPYING +%doc %{_usr}/share/doc/%{name} + +%package restorecond +Summary: SELinux restorecond utilities +Group: System Environment/Base +#BuildRequires: systemd-units + +%description restorecond +The policycoreutils-restorecond package contains the restorecond service. + +%files restorecond +%{_sbindir}/restorecond +%{_unitdir}/restorecond.service +%config(noreplace) %{_sysconfdir}/selinux/restorecond.conf +%config(noreplace) %{_sysconfdir}/selinux/restorecond_user.conf +%{_sysconfdir}/xdg/autostart/restorecond.desktop +%{_datadir}/dbus-1/services/org.selinux.Restorecond.service +%doc policycoreutils/COPYING + +%post restorecond +%systemd_post restorecond.service + +%preun restorecond +%systemd_preun restorecond.service + +%postun restorecond +%systemd_postun_with_restart restorecond.service diff --git a/rpm/selinux-autorelabel b/rpm/selinux-autorelabel new file mode 100644 index 0000000..6269c05 --- /dev/null +++ b/rpm/selinux-autorelabel @@ -0,0 +1,42 @@ +#!/bin/bash +# +# Do automatic relabelling +# + +# . /etc/init.d/functions + +relabel_selinux() { + # if /sbin/init is not labeled correctly this process is running in the + # wrong context, so a reboot will be required after relabel + AUTORELABEL= + . /etc/selinux/config + echo "0" > /sys/fs/selinux/enforce + + if [ "$AUTORELABEL" = "0" ]; then + echo + echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required. " + echo $"*** /etc/selinux/config indicates you want to manually fix labeling" + echo $"*** problems. Dropping you to a shell; the system will reboot" + echo $"*** when you leave the shell." + sulogin + + else + echo + echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required." + echo $"*** Relabeling could take a very long time, depending on file" + echo $"*** system size and speed of hard drives." + + FORCE=`cat /.autorelabel` + [ -x "/usr/sbin/quotaoff" ] && /usr/sbin/quotaoff -aug + /sbin/fixfiles $FORCE restore + fi + rm -f /.autorelabel + #/usr/lib/dracut/dracut-initramfs-restore + systemctl --force reboot +} + +# Check to see if a full relabel is needed +if [ "$READONLY" != "yes" ]; then + restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) >/dev/null 2>&1 + relabel_selinux +fi diff --git a/rpm/selinux-autorelabel-generator.sh b/rpm/selinux-autorelabel-generator.sh new file mode 100644 index 0000000..a43d235 --- /dev/null +++ b/rpm/selinux-autorelabel-generator.sh @@ -0,0 +1,29 @@ +#!/bin/sh + +# This systemd.generator(7) detects if SELinux is running and if the +# user requested an autorelabel, and if so sets the default target to +# selinux-autorelabel.target, which will cause the filesystem to be +# relabelled and then the system will reboot again and boot into the +# real default target. + +PATH=/usr/sbin:$PATH +unitdir=/lib/systemd/system + +# If invoked with no arguments (for testing) write to /tmp. +earlydir="/tmp" +if [ -n "$2" ]; then + earlydir="$2" +fi + +set_target () +{ + ln -sf "$unitdir/selinux-autorelabel.target" "$earlydir/default.target" +} + +if selinuxenabled; then + if test -f /.autorelabel; then + set_target + elif grep -sqE "\bautorelabel\b" /proc/cmdline; then + set_target + fi +fi diff --git a/rpm/selinux-autorelabel-mark.service b/rpm/selinux-autorelabel-mark.service new file mode 100644 index 0000000..33b5147 --- /dev/null +++ b/rpm/selinux-autorelabel-mark.service @@ -0,0 +1,15 @@ +[Unit] +Description=Mark the need to relabel after reboot +DefaultDependencies=no +Requires=local-fs.target +Conflicts=shutdown.target +After=local-fs.target +Before=sysinit.target shutdown.target +ConditionSecurity=!selinux +ConditionPathIsDirectory=/etc/selinux +ConditionPathExists=!/.autorelabel + +[Service] +ExecStart=-/bin/touch /.autorelabel +Type=oneshot +RemainAfterExit=yes diff --git a/rpm/selinux-autorelabel.service b/rpm/selinux-autorelabel.service new file mode 100644 index 0000000..b8461e6 --- /dev/null +++ b/rpm/selinux-autorelabel.service @@ -0,0 +1,14 @@ +[Unit] +Description=Relabel all filesystems +DefaultDependencies=no +Conflicts=shutdown.target +After=sysinit.target +Before=shutdown.target +ConditionSecurity=selinux + +[Service] +ExecStart=/usr/libexec/selinux/selinux-autorelabel +Type=oneshot +TimeoutSec=0 +RemainAfterExit=yes +StandardInput=tty diff --git a/rpm/selinux-autorelabel.target b/rpm/selinux-autorelabel.target new file mode 100644 index 0000000..a4f63ab --- /dev/null +++ b/rpm/selinux-autorelabel.target @@ -0,0 +1,7 @@ +[Unit] +Description=Relabel all filesystems and reboot +DefaultDependencies=no +Requires=sysinit.target selinux-autorelabel.service +Conflicts=shutdown.target +After=sysinit.target selinux-autorelabel.service +ConditionSecurity=selinux diff --git a/upstream b/upstream new file mode 160000 index 0000000..a9f8a10 --- /dev/null +++ b/upstream @@ -0,0 +1 @@ +Subproject commit a9f8a101fd2c475b3dcffbcc76b86355d956a095