RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'mount_module' of git://github.com/cgzones/refpolicy

This commit is contained in:
Chris PeBenito 2017-01-09 18:10:57 -05:00
parent 1497fe2f54 2526c96a2c
commit 4f34f6d220
4 changed files with 42 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
.travis.yml
View File

@ -33,6 +33,10 @@ sudo: false
#sudo: required #sudo: required
#dist: trusty #dist: trusty
cache:
directories:
- ${TRAVIS_BUILD_DIR}/selinux
addons: addons:
apt: apt:
packages: packages:
@ -54,33 +58,39 @@ before_install:
- python -V - python -V
install: install:
# Download current SELinux userspace tools and libraries - SELINUX_USERSPACE_VERSION=20161014
- curl -sS -L https://github.com/SELinuxProject/selinux/archive/20161014.tar.gz | tar xz
- mv selinux-20161014 selinux-src
# Ubuntu 12.04 coreutils is too old to provide "ln --relative" :( - |
- sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libsepol/src/Makefile if [[ "${SELINUX_USERSPACE_VERSION}" != "$(cat ${TRAVIS_BUILD_DIR}/selinux/travis.version)" ]]; then
- sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libselinux/src/Makefile # Download current SELinux userspace tools and libraries
curl -sS -L "https://github.com/SELinuxProject/selinux/archive/${SELINUX_USERSPACE_VERSION}.tar.gz" | tar xz
mv "selinux-${SELINUX_USERSPACE_VERSION}" selinux-src
# Drop secilc to break xmlto dependence (secilc isn't used here anyway) # Ubuntu 12.04 coreutils is too old to provide "ln --relative" :(
- sed -i -e 's/secilc//' selinux-src/Makefile sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libsepol/src/Makefile
sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libselinux/src/Makefile
# Drop sepolicy to break setools dependence (sepolicy isn't used anyway) # Drop secilc to break xmlto dependence (secilc isn't used here anyway)
- sed -i -e 's/sepolicy//' selinux-src/policycoreutils/Makefile sed -i -e 's/secilc//' selinux-src/Makefile
# Drop restorecond to break glib dependence # Drop sepolicy to break setools dependence (sepolicy isn't used anyway)
- sed -i -e 's/ restorecond//' selinux-src/policycoreutils/Makefile sed -i -e 's/sepolicy//' selinux-src/policycoreutils/Makefile
# Drop sandbox to break libcap-ng dependence # Drop restorecond to break glib dependence
- sed -i -e 's/ sandbox//' selinux-src/policycoreutils/Makefile sed -i -e 's/ restorecond//' selinux-src/policycoreutils/Makefile
# Compile and install SELinux toolchain into ~/selinux # Drop sandbox to break libcap-ng dependence
# On Ubuntu 12.04, default CFLAGS make the build fail in libsepol/cil with: sed -i -e 's/ sandbox//' selinux-src/policycoreutils/Makefile
# error: declaration of 'index' shadows a global declarationo
- make "DESTDIR=$TRAVIS_BUILD_DIR/selinux" CFLAGS="-O2 -Wall" -C selinux-src install # Compile and install SELinux toolchain into ~/selinux
# On Ubuntu 12.04, default CFLAGS make the build fail in libsepol/cil with:
# error: declaration of 'index' shadows a global declarationo
make "DESTDIR=${TRAVIS_BUILD_DIR}/selinux" CFLAGS="-O2 -Wall" -C selinux-src install
echo "${SELINUX_USERSPACE_VERSION}" > "${TRAVIS_BUILD_DIR}/selinux/travis.version"
fi
# Use TEST_TOOLCHAIN variable to tell refpolicy Makefile about the installed location # Use TEST_TOOLCHAIN variable to tell refpolicy Makefile about the installed location
- export TEST_TOOLCHAIN="$TRAVIS_BUILD_DIR/selinux" - export TEST_TOOLCHAIN="${TRAVIS_BUILD_DIR}/selinux"
# Drop build.conf settings to listen to env vars # Drop build.conf settings to listen to env vars
- sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD)/d' build.conf - sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD)/d' build.conf

3
Makefile
View File

@ -516,7 +516,8 @@ install-headers: $(layerxml) $(tunxml) $(boolxml)
@echo "Installing $(NAME) policy headers." @echo "Installing $(NAME) policy headers."
$(verbose) $(INSTALL) -m 644 $^ $(headerdir) $(verbose) $(INSTALL) -m 644 $^ $(headerdir)
$(verbose) mkdir -p $(headerdir)/support $(verbose) mkdir -p $(headerdir)/support
$(verbose) $(INSTALL) -m 644 $(m4support) $(word $(words $(genxml)),$(genxml)) $(xmldtd) $(headerdir)/support $(verbose) $(INSTALL) -m 644 $(m4support) $(xmldtd) $(headerdir)/support
$(verbose) $(INSTALL) -m 755 $(word $(words $(genxml)),$(genxml)) $(headerdir)/support
$(verbose) $(genperm) $(avs) $(secclass) > $(headerdir)/support/all_perms.spt $(verbose) $(genperm) $(avs) $(secclass) > $(headerdir)/support/all_perms.spt
$(verbose) for i in $(notdir $(all_layers)); do \ $(verbose) for i in $(notdir $(all_layers)); do \
mkdir -p $(headerdir)/$$i ;\ mkdir -p $(headerdir)/$$i ;\

4
policy/modules/system/mount.fc
View File

@ -2,7 +2,7 @@
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/sbin/mount\.zfs -- gen_context(system_u:object_r:mount_exec_t,s0) /sbin/mount\.zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
/sbin/zfs -- gen_context(system_u:object_r:mount_exec_t,s0) /sbin/zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
/sbin/zpool -- gen_context(system_u:object_r:mount_exec_t,s0) /sbin/zpool -- gen_context(system_u:object_r:mount_exec_t,s0)
@ -14,4 +14,4 @@
/usr/sbin/zfs -- gen_context(system_u:object_r:mount_exec_t,s0) /usr/sbin/zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
/usr/sbin/zpool -- gen_context(system_u:object_r:mount_exec_t,s0) /usr/sbin/zpool -- gen_context(system_u:object_r:mount_exec_t,s0)
/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) /run/mount(/.*)? gen_context(system_u:object_r:mount_runtime_t,s0)

19
policy/modules/system/mount.te
View File

@ -23,12 +23,13 @@ role mount_roles types mount_t;
type mount_loopback_t; # customizable type mount_loopback_t; # customizable
files_type(mount_loopback_t) files_type(mount_loopback_t)
type mount_runtime_t;
typealias mount_runtime_t alias mount_var_run_t;
files_pid_file(mount_runtime_t)
type mount_tmp_t; type mount_tmp_t;
files_tmp_file(mount_tmp_t) files_tmp_file(mount_tmp_t)
type mount_var_run_t;
files_pid_file(mount_var_run_t)
# causes problems with interfaces when # causes problems with interfaces when
# this is optionally declared in monolithic # this is optionally declared in monolithic
# policy--duplicate type declaration # policy--duplicate type declaration
@ -52,10 +53,10 @@ can_exec(mount_t, mount_exec_t)
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
create_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t) create_dirs_pattern(mount_t, mount_runtime_t, mount_runtime_t)
create_files_pattern(mount_t, mount_var_run_t, mount_var_run_t) create_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t) rw_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount") files_pid_filetrans(mount_t, mount_runtime_t, dir, "mount")
kernel_read_system_state(mount_t) kernel_read_system_state(mount_t)
kernel_read_kernel_sysctls(mount_t) kernel_read_kernel_sysctls(mount_t)
@ -65,9 +66,6 @@ kernel_dontaudit_write_debugfs_dirs(mount_t)
kernel_dontaudit_write_proc_dirs(mount_t) kernel_dontaudit_write_proc_dirs(mount_t)
# To load binfmt_misc kernel module # To load binfmt_misc kernel module
kernel_request_load_module(mount_t) kernel_request_load_module(mount_t)
# for when /etc/mtab loses its type
# cjp: this seems wrong, the type should probably be etc
kernel_read_unlabeled_files(mount_t)
# required for mount.smbfs # required for mount.smbfs
corecmd_exec_bin(mount_t) corecmd_exec_bin(mount_t)
@ -139,6 +137,7 @@ miscfiles_read_localization(mount_t)
sysnet_use_portmap(mount_t) sysnet_use_portmap(mount_t)
seutil_read_config(mount_t) seutil_read_config(mount_t)
selinux_getattr_fs(mount_t)
userdom_use_all_users_fds(mount_t) userdom_use_all_users_fds(mount_t)