Merge branch 'mount_module' of git://github.com/cgzones/refpolicy

Chris PeBenito 2017-01-09 18:10:57 -05:00
commit 4f34f6d220
4 changed files with 42 additions and 32 deletions


@ -33,6 +33,10 @@ sudo: false
#sudo: required
#dist: trusty
cache:
directories:
- ${TRAVIS_BUILD_DIR}/selinux
addons:
apt:
packages:
@ -54,33 +58,39 @@ before_install:
- python -V
install:
# Download current SELinux userspace tools and libraries
- curl -sS -L https://github.com/SELinuxProject/selinux/archive/20161014.tar.gz | tar xz
- mv selinux-20161014 selinux-src
- SELINUX_USERSPACE_VERSION=20161014
# Ubuntu 12.04 coreutils is too old to provide "ln --relative" :(
- sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libsepol/src/Makefile
- sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libselinux/src/Makefile
- |
if [[ "${SELINUX_USERSPACE_VERSION}" != "$(cat ${TRAVIS_BUILD_DIR}/selinux/travis.version)" ]]; then
# Download current SELinux userspace tools and libraries
curl -sS -L "https://github.com/SELinuxProject/selinux/archive/${SELINUX_USERSPACE_VERSION}.tar.gz" | tar xz
mv "selinux-${SELINUX_USERSPACE_VERSION}" selinux-src
# Drop secilc to break xmlto dependence (secilc isn't used here anyway)
- sed -i -e 's/secilc//' selinux-src/Makefile
# Ubuntu 12.04 coreutils is too old to provide "ln --relative" :(
sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libsepol/src/Makefile
sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libselinux/src/Makefile
# Drop sepolicy to break setools dependence (sepolicy isn't used anyway)
- sed -i -e 's/sepolicy//' selinux-src/policycoreutils/Makefile
# Drop secilc to break xmlto dependence (secilc isn't used here anyway)
sed -i -e 's/secilc//' selinux-src/Makefile
# Drop restorecond to break glib dependence
- sed -i -e 's/ restorecond//' selinux-src/policycoreutils/Makefile
# Drop sepolicy to break setools dependence (sepolicy isn't used anyway)
sed -i -e 's/sepolicy//' selinux-src/policycoreutils/Makefile
# Drop sandbox to break libcap-ng dependence
- sed -i -e 's/ sandbox//' selinux-src/policycoreutils/Makefile
# Drop restorecond to break glib dependence
sed -i -e 's/ restorecond//' selinux-src/policycoreutils/Makefile
# Compile and install SELinux toolchain into ~/selinux
# On Ubuntu 12.04, default CFLAGS make the build fail in libsepol/cil with:
# error: declaration of 'index' shadows a global declarationo
- make "DESTDIR=$TRAVIS_BUILD_DIR/selinux" CFLAGS="-O2 -Wall" -C selinux-src install
# Drop sandbox to break libcap-ng dependence
sed -i -e 's/ sandbox//' selinux-src/policycoreutils/Makefile
# Compile and install SELinux toolchain into ~/selinux
# On Ubuntu 12.04, default CFLAGS make the build fail in libsepol/cil with:
# error: declaration of 'index' shadows a global declarationo
make "DESTDIR=${TRAVIS_BUILD_DIR}/selinux" CFLAGS="-O2 -Wall" -C selinux-src install
echo "${SELINUX_USERSPACE_VERSION}" > "${TRAVIS_BUILD_DIR}/selinux/travis.version"
fi
# Use TEST_TOOLCHAIN variable to tell refpolicy Makefile about the installed location
- export TEST_TOOLCHAIN="$TRAVIS_BUILD_DIR/selinux"
- export TEST_TOOLCHAIN="${TRAVIS_BUILD_DIR}/selinux"
# Drop build.conf settings to listen to env vars
- sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD)/d' build.conf
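Review bot: In the merged `- |` block of the second hunk, a failing `make "DESTDIR=${TRAVIS_BUILD_DIR}/selinux" CFLAGS="-O2 -Wall" -C selinux-src install` does not stop the step: the next line unconditionally writes `travis.version`, and the `if` compound's exit status is that of its last command, so the step reports success and the broken toolchain is cached and skipped on every later run because the version marker now matches. Writing the marker only on success closes both holes: `make "DESTDIR=${TRAVIS_BUILD_DIR}/selinux" CFLAGS="-O2 -Wall" -C selinux-src install && echo "${SELINUX_USERSPACE_VERSION}" > "${TRAVIS_BUILD_DIR}/selinux/travis.version"`; the `curl | tar` and `sed` lines in the same branch are likewise unchained and would be covered by running the branch body as `( set -e; … )`. Because `${TRAVIS_BUILD_DIR}/selinux` is restored from the Travis cache (first hunk), a version bump installs over the previous tree rather than replacing it, so an `[[ -n "${TRAVIS_BUILD_DIR}" ]] && rm -rf "${TRAVIS_BUILD_DIR}/selinux"` at the top of the `then` branch would keep the cached tree a pure function of the version. The archive is fetched by tag over HTTPS with no digest check; pinning a sha256 for the tarball and verifying it before `tar xz` would let the cached toolchain stand for a verified build.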


@ -516,7 +516,8 @@ install-headers: $(layerxml) $(tunxml) $(boolxml)
@echo "Installing $(NAME) policy headers."
$(verbose) $(INSTALL) -m 644 $^ $(headerdir)
$(verbose) mkdir -p $(headerdir)/support
$(verbose) $(INSTALL) -m 644 $(m4support) $(word $(words $(genxml)),$(genxml)) $(xmldtd) $(headerdir)/support
$(verbose) $(INSTALL) -m 644 $(m4support) $(xmldtd) $(headerdir)/support
$(verbose) $(INSTALL) -m 755 $(word $(words $(genxml)),$(genxml)) $(headerdir)/support
$(verbose) $(genperm) $(avs) $(secclass) > $(headerdir)/support/all_perms.spt
$(verbose) for i in $(notdir $(all_layers)); do \
mkdir -p $(headerdir)/$$i ;\
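Review bot: The new `-m 755` line extracts the last word of `$(genxml)` by hand as `$(word $(words $(genxml)),$(genxml))`, carried over from the replaced line; GNU Make has `$(lastword …)` for exactly this, so `$(verbose) $(INSTALL) -m 755 $(lastword $(genxml)) $(headerdir)/support` says the same thing more directly. The mode split now makes that last `genxml` entry the only executable installed into `support`, and nothing nearby says why it differs from the 644 files, so a one-line comment above the `-m 755` line naming what it is (presumably the generator script) would help the next reader. The `install-headers` recipe continues past the end of the hunk.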


@ -2,7 +2,7 @@
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/sbin/mount\.zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
/sbin/mount\.zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
/sbin/zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
/sbin/zpool -- gen_context(system_u:object_r:mount_exec_t,s0)
@ -14,4 +14,4 @@
/usr/sbin/zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
/usr/sbin/zpool -- gen_context(system_u:object_r:mount_exec_t,s0)
/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
/run/mount(/.*)? gen_context(system_u:object_r:mount_runtime_t,s0)


@ -23,12 +23,13 @@ role mount_roles types mount_t;
type mount_loopback_t; # customizable
files_type(mount_loopback_t)
type mount_runtime_t;
typealias mount_runtime_t alias mount_var_run_t;
files_pid_file(mount_runtime_t)
type mount_tmp_t;
files_tmp_file(mount_tmp_t)
type mount_var_run_t;
files_pid_file(mount_var_run_t)
# causes problems with interfaces when
# this is optionally declared in monolithic
# policy--duplicate type declaration
@ -52,10 +53,10 @@ can_exec(mount_t, mount_exec_t)
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
create_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t)
create_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")
create_dirs_pattern(mount_t, mount_runtime_t, mount_runtime_t)
create_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
rw_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
files_pid_filetrans(mount_t, mount_runtime_t, dir, "mount")
kernel_read_system_state(mount_t)
kernel_read_kernel_sysctls(mount_t)
@ -65,9 +66,6 @@ kernel_dontaudit_write_debugfs_dirs(mount_t)
kernel_dontaudit_write_proc_dirs(mount_t)
# To load binfmt_misc kernel module
kernel_request_load_module(mount_t)
# for when /etc/mtab loses its type
# cjp: this seems wrong, the type should probably be etc
kernel_read_unlabeled_files(mount_t)
# required for mount.smbfs
corecmd_exec_bin(mount_t)
@ -139,6 +137,7 @@ miscfiles_read_localization(mount_t)
sysnet_use_portmap(mount_t)
seutil_read_config(mount_t)
selinux_getattr_fs(mount_t)
userdom_use_all_users_fds(mount_t)
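Review bot: The new `typealias mount_runtime_t alias mount_var_run_t;` in the first hunk carries no comment saying why it exists, so a later cleanup could drop it as dead and break policies and file contexts still using the old name; a line such as `# mount_var_run_t: compatibility alias for policy still using the pre-rename name` above it would record the intent. The `selinux_getattr_fs(mount_t)` added in the last hunk is likewise uncommented, while the surrounding file explains non-obvious calls (`# To load binfmt_misc kernel module`), so a short reason for the new permission would match the module's style. The last hunk appears to end at this line, with trailing blank context dropped by the rendering.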