From 2315912719dca2ad5ea35c0567cc3ff87c93e000 Mon Sep 17 00:00:00 2001
From: cgzones
Date: Sun, 1 Jan 2017 22:48:37 +0100
Subject: [PATCH 1/3] fix permission of installed segenxml.py by install-headers

---
 Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 50e55135d..154beb57c 100644
--- a/Makefile
+++ b/Makefile
@@ -516,7 +516,8 @@ install-headers: $(layerxml) $(tunxml) $(boolxml)
 @echo "Installing $(NAME) policy headers."
 $(verbose) $(INSTALL) -m 644 $^ $(headerdir)
 $(verbose) mkdir -p $(headerdir)/support
- $(verbose) $(INSTALL) -m 644 $(m4support) $(word $(words $(genxml)),$(genxml)) $(xmldtd) $(headerdir)/support
+ $(verbose) $(INSTALL) -m 644 $(m4support) $(xmldtd) $(headerdir)/support
+ $(verbose) $(INSTALL) -m 755 $(word $(words $(genxml)),$(genxml)) $(headerdir)/support
 $(verbose) $(genperm) $(avs) $(secclass) > $(headerdir)/support/all_perms.spt
 $(verbose) for i in $(notdir $(all_layers)); do \
 mkdir -p $(headerdir)/$$i ;\

From 79ff2a45bfbedc3ae1c99e84ae13823fdd6ad9c3 Mon Sep 17 00:00:00 2001
From: cgzones
Date: Fri, 6 Jan 2017 19:45:09 +0100
Subject: [PATCH 2/3] use travis cache

cache SELinux userspace build
---
 .travis.yml | 48 +++++++++++++++++++++++++++++-------------------
 1 file changed, 29 insertions(+), 19 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index 55151a78d..8de9ea6cc 100755
--- a/.travis.yml
+++ b/.travis.yml
@@ -33,6 +33,10 @@ sudo: false
 #sudo: required
 #dist: trusty
+cache:
+ directories:
+ - ${TRAVIS_BUILD_DIR}/selinux
+
 addons:
 apt:
 packages:
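Review bot: The new `-m 755` install line names its target as `$(word $(words $(genxml)),$(genxml))`, and that last-word extraction hides which file is being made executable in the installed header tree; since the expression now stands on its own, give it a name next to the other support variables, e.g. `genxml_script := $(word $(words $(genxml)),$(genxml))` where `genxml` is defined, and install `$(genxml_script)` here. Naming it also makes visible that the rule picks up whatever `genxml` happens to end with — presumably the segenxml.py path today, but it would silently install the wrong file if options were ever appended to `genxml`. The install-headers recipe continues past the end of this hunk.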
@@ -54,33 +58,39 @@ before_install:
 - python -V
 install:
- # Download current SELinux userspace tools and libraries
- - curl -sS -L https://github.com/SELinuxProject/selinux/archive/20161014.tar.gz | tar xz
- - mv selinux-20161014 selinux-src
+ - SELINUX_USERSPACE_VERSION=20161014
- # Ubuntu 12.04 coreutils is too old to provide "ln --relative" :(
- - sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libsepol/src/Makefile
- - sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libselinux/src/Makefile
+ - |
+ if [[ "${SELINUX_USERSPACE_VERSION}" != "$(cat ${TRAVIS_BUILD_DIR}/selinux/travis.version)" ]]; then
+ # Download current SELinux userspace tools and libraries
+ curl -sS -L "https://github.com/SELinuxProject/selinux/archive/${SELINUX_USERSPACE_VERSION}.tar.gz" | tar xz
+ mv "selinux-${SELINUX_USERSPACE_VERSION}" selinux-src
- # Drop secilc to break xmlto dependence (secilc isn't used here anyway)
- - sed -i -e 's/secilc//' selinux-src/Makefile
+ # Ubuntu 12.04 coreutils is too old to provide "ln --relative" :(
+ sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libsepol/src/Makefile
+ sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libselinux/src/Makefile
- # Drop sepolicy to break setools dependence (sepolicy isn't used anyway)
- - sed -i -e 's/sepolicy//' selinux-src/policycoreutils/Makefile
+ # Drop secilc to break xmlto dependence (secilc isn't used here anyway)
+ sed -i -e 's/secilc//' selinux-src/Makefile
- # Drop restorecond to break glib dependence
- - sed -i -e 's/ restorecond//' selinux-src/policycoreutils/Makefile
+ # Drop sepolicy to break setools dependence (sepolicy isn't used anyway)
+ sed -i -e 's/sepolicy//' selinux-src/policycoreutils/Makefile
- # Drop sandbox to break libcap-ng dependence
- - sed -i -e 's/ sandbox//' selinux-src/policycoreutils/Makefile
+ # Drop restorecond to break glib dependence
+ sed -i -e 's/ restorecond//' selinux-src/policycoreutils/Makefile
- # Compile and install SELinux toolchain into ~/selinux
- # On Ubuntu 12.04, default CFLAGS make the build fail in libsepol/cil with:
- # error: declaration of 'index' shadows a global declarationo
- - make "DESTDIR=$TRAVIS_BUILD_DIR/selinux" CFLAGS="-O2 -Wall" -C selinux-src install
+ # Drop sandbox to break libcap-ng dependence
+ sed -i -e 's/ sandbox//' selinux-src/policycoreutils/Makefile
+
+ # Compile and install SELinux toolchain into ~/selinux
+ # On Ubuntu 12.04, default CFLAGS make the build fail in libsepol/cil with:
+ # error: declaration of 'index' shadows a global declarationo
+ make "DESTDIR=${TRAVIS_BUILD_DIR}/selinux" CFLAGS="-O2 -Wall" -C selinux-src install
+ echo "${SELINUX_USERSPACE_VERSION}" > "${TRAVIS_BUILD_DIR}/selinux/travis.version"
+ fi
 # Use TEST_TOOLCHAIN variable to tell refpolicy Makefile about the installed location
- - export TEST_TOOLCHAIN="$TRAVIS_BUILD_DIR/selinux"
+ - export TEST_TOOLCHAIN="${TRAVIS_BUILD_DIR}/selinux"
 # Drop build.conf settings to listen to env vars
 - sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD)/d' build.conf

From 2526c96a2ced8a4870c46cb7b229ab0096566b01 Mon Sep 17 00:00:00 2001
From: cgzones
Date: Fri, 6 Jan 2017 15:05:00 +0100
Subject: [PATCH 3/3] update mount module

* rename mount_var_run_t to mount_runtime_t
* delete kernel_read_unlabeled_files(mount_t)
* add selinux_getattr_fs(mount_t)
---
 policy/modules/system/mount.fc | 4 ++--
 policy/modules/system/mount.te | 19 +++++++++----------
 2 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
index 9cfb93a62..182d0fdb7 100644
--- a/policy/modules/system/mount.fc
+++ b/policy/modules/system/mount.fc
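Review bot: In the new multi-line `install:` block, the `echo "${SELINUX_USERSPACE_VERSION}" > ".../travis.version"` stamp runs unconditionally after `make ... install`, so if the download, one of the `sed` edits or the build fails, the version stamp is still written and the broken or partial tree is cached as "built"; every later job then skips the rebuild and fails somewhere far from the cause. As far as I recall Travis checks only the exit status of the whole block, which here is that of `fi`, so the failure is not even reported at this step. Start the block with `set -e -o pipefail`, or guard the stamp with `make "DESTDIR=${TRAVIS_BUILD_DIR}/selinux" CFLAGS="-O2 -Wall" -C selinux-src install && echo "${SELINUX_USERSPACE_VERSION}" > "${TRAVIS_BUILD_DIR}/selinux/travis.version"`. Separately, the archive is still fetched with `curl ... | tar xz` and no integrity check, and the cache now keys on nothing but that stamp, so whatever was unpacked on the first run is trusted by every subsequent job; saving the tarball and verifying a pinned `sha256sum -c` before unpacking would tie the cached toolchain to a known input.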
@@ -2,7 +2,7 @@
 /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
 /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
-/sbin/mount\.zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/mount\.zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
 /sbin/zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
 /sbin/zpool -- gen_context(system_u:object_r:mount_exec_t,s0)
@@ -14,4 +14,4 @@
 /usr/sbin/zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
 /usr/sbin/zpool -- gen_context(system_u:object_r:mount_exec_t,s0)
-/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+/run/mount(/.*)? gen_context(system_u:object_r:mount_runtime_t,s0)
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 59c8fe8b1..cd237c8e5 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -23,12 +23,13 @@ role mount_roles types mount_t;
 type mount_loopback_t; # customizable
 files_type(mount_loopback_t)
+type mount_runtime_t;
+typealias mount_runtime_t alias mount_var_run_t;
+files_pid_file(mount_runtime_t)
+
 type mount_tmp_t;
 files_tmp_file(mount_tmp_t)
-type mount_var_run_t;
-files_pid_file(mount_var_run_t)
-
 # causes problems with interfaces when
 # this is optionally declared in monolithic
 # policy--duplicate type declaration
@@ -52,10 +53,10 @@ can_exec(mount_t, mount_exec_t)
 files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
-create_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t)
-create_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
-rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
-files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")
+create_dirs_pattern(mount_t, mount_runtime_t, mount_runtime_t)
+create_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
+rw_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
+files_pid_filetrans(mount_t, mount_runtime_t, dir, "mount")
 kernel_read_system_state(mount_t)
 kernel_read_kernel_sysctls(mount_t)
@@ -65,9 +66,6 @@ kernel_dontaudit_write_debugfs_dirs(mount_t)
 kernel_dontaudit_write_proc_dirs(mount_t)
 # To load binfmt_misc kernel module
 kernel_request_load_module(mount_t)
-# for when /etc/mtab loses its type
-# cjp: this seems wrong, the type should probably be etc
-kernel_read_unlabeled_files(mount_t)
 # required for mount.smbfs
 corecmd_exec_bin(mount_t)
@@ -139,6 +137,7 @@ miscfiles_read_localization(mount_t)
 sysnet_use_portmap(mount_t)
 seutil_read_config(mount_t)
+selinux_getattr_fs(mount_t)
 userdom_use_all_users_fds(mount_t)
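Review bot: Dropping `kernel_read_unlabeled_files(mount_t)` in the `@@ -65,9 +66,6 @@` hunk removes a broad read right over every unlabeled file, which is the right direction, but neither the hunk nor the commit message says what happens to the case the removed comment was covering (an `/etc/mtab` that has lost its label); on a system where `/etc/mtab` is still a regular file rather than a symlink into /proc, mount will now hit a denial there. If that is considered a labeling bug to be fixed by relabeling, say so in the commit message; otherwise a dontaudit variant (if kernel.if provides one) would keep the access refused without flooding the audit log. The old cjp comment already argued the file should carry the etc type, and stating that the removal accepts that position makes the intent auditable later.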