Merge branch 'mount_module' of git://github.com/cgzones/refpolicy
4f34f6d220
48
.travis.yml
48
.travis.yml
|
@ -33,6 +33,10 @@ sudo: false
|
|||
#sudo: required
|
||||
#dist: trusty
|
||||
|
||||
cache:
|
||||
directories:
|
||||
- ${TRAVIS_BUILD_DIR}/selinux
|
||||
|
||||
addons:
|
||||
apt:
|
||||
packages:
|
||||
|
@ -54,33 +58,39 @@ before_install:
|
|||
- python -V
|
||||
|
||||
install:
|
||||
# Download current SELinux userspace tools and libraries
|
||||
- curl -sS -L https://github.com/SELinuxProject/selinux/archive/20161014.tar.gz | tar xz
|
||||
- mv selinux-20161014 selinux-src
|
||||
- SELINUX_USERSPACE_VERSION=20161014
|
||||
|
||||
# Ubuntu 12.04 coreutils is too old to provide "ln --relative" :(
|
||||
- sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libsepol/src/Makefile
|
||||
- sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libselinux/src/Makefile
|
||||
- |
|
||||
if [[ "${SELINUX_USERSPACE_VERSION}" != "$(cat ${TRAVIS_BUILD_DIR}/selinux/travis.version)" ]]; then
|
||||
# Download current SELinux userspace tools and libraries
|
||||
curl -sS -L "https://github.com/SELinuxProject/selinux/archive/${SELINUX_USERSPACE_VERSION}.tar.gz" | tar xz
|
||||
mv "selinux-${SELINUX_USERSPACE_VERSION}" selinux-src
|
||||
|
||||
# Drop secilc to break xmlto dependence (secilc isn't used here anyway)
|
||||
- sed -i -e 's/secilc//' selinux-src/Makefile
|
||||
# Ubuntu 12.04 coreutils is too old to provide "ln --relative" :(
|
||||
sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libsepol/src/Makefile
|
||||
sed 's/ln -sf --relative /ln -sf /' -i selinux-src/libselinux/src/Makefile
|
||||
|
||||
# Drop sepolicy to break setools dependence (sepolicy isn't used anyway)
|
||||
- sed -i -e 's/sepolicy//' selinux-src/policycoreutils/Makefile
|
||||
# Drop secilc to break xmlto dependence (secilc isn't used here anyway)
|
||||
sed -i -e 's/secilc//' selinux-src/Makefile
|
||||
|
||||
# Drop restorecond to break glib dependence
|
||||
- sed -i -e 's/ restorecond//' selinux-src/policycoreutils/Makefile
|
||||
# Drop sepolicy to break setools dependence (sepolicy isn't used anyway)
|
||||
sed -i -e 's/sepolicy//' selinux-src/policycoreutils/Makefile
|
||||
|
||||
# Drop sandbox to break libcap-ng dependence
|
||||
- sed -i -e 's/ sandbox//' selinux-src/policycoreutils/Makefile
|
||||
# Drop restorecond to break glib dependence
|
||||
sed -i -e 's/ restorecond//' selinux-src/policycoreutils/Makefile
|
||||
|
||||
# Compile and install SELinux toolchain into ~/selinux
|
||||
# On Ubuntu 12.04, default CFLAGS make the build fail in libsepol/cil with:
|
||||
# error: declaration of 'index' shadows a global declarationo
|
||||
- make "DESTDIR=$TRAVIS_BUILD_DIR/selinux" CFLAGS="-O2 -Wall" -C selinux-src install
|
||||
# Drop sandbox to break libcap-ng dependence
|
||||
sed -i -e 's/ sandbox//' selinux-src/policycoreutils/Makefile
|
||||
|
||||
# Compile and install SELinux toolchain into ~/selinux
|
||||
# On Ubuntu 12.04, default CFLAGS make the build fail in libsepol/cil with:
|
||||
# error: declaration of 'index' shadows a global declarationo
|
||||
make "DESTDIR=${TRAVIS_BUILD_DIR}/selinux" CFLAGS="-O2 -Wall" -C selinux-src install
|
||||
echo "${SELINUX_USERSPACE_VERSION}" > "${TRAVIS_BUILD_DIR}/selinux/travis.version"
|
||||
fi
|
||||
|
||||
# Use TEST_TOOLCHAIN variable to tell refpolicy Makefile about the installed location
|
||||
- export TEST_TOOLCHAIN="$TRAVIS_BUILD_DIR/selinux"
|
||||
- export TEST_TOOLCHAIN="${TRAVIS_BUILD_DIR}/selinux"
|
||||
|
||||
# Drop build.conf settings to listen to env vars
|
||||
- sed -r -i -e '/(MONOLITHIC|TYPE|DISTRO|SYSTEMD)/d' build.conf
|
||||
|
|
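Review bot: The cache check `if [[ "${SELINUX_USERSPACE_VERSION}" != "$(cat ${TRAVIS_BUILD_DIR}/selinux/travis.version)" ]]; then` keys the cached toolchain only on the version string, so a later edit to the build steps inside the `if` (the sed patches, the CFLAGS override) is silently ignored on builders that already hold a cache until SELINUX_USERSPACE_VERSION changes; either fold those steps into the key or say in the comment above the block that the Travis cache has to be cleared when they change. On a first run the version file does not exist yet, so `cat` prints an error before the comparison falls through to the build; `"$(cat "${TRAVIS_BUILD_DIR}/selinux/travis.version" 2>/dev/null)"` keeps the log clean and also quotes the path. The archive is still piped from `curl -sS -L ... | tar xz` with no integrity check, so whatever is served ends up in the persistent cache; comparing the download against a digest recorded next to the version (for example `echo "<EXPECTED_SHA256>  selinux.tar.gz" | sha256sum -c` before extracting, with the real value filled in) would pin the toolchain to a known archive. The `install:` list continues outside the hunk.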
3
Makefile
3
Makefile
|
@ -516,7 +516,8 @@ install-headers: $(layerxml) $(tunxml) $(boolxml)
|
|||
@echo "Installing $(NAME) policy headers."
|
||||
$(verbose) $(INSTALL) -m 644 $^ $(headerdir)
|
||||
$(verbose) mkdir -p $(headerdir)/support
|
||||
$(verbose) $(INSTALL) -m 644 $(m4support) $(word $(words $(genxml)),$(genxml)) $(xmldtd) $(headerdir)/support
|
||||
$(verbose) $(INSTALL) -m 644 $(m4support) $(xmldtd) $(headerdir)/support
|
||||
$(verbose) $(INSTALL) -m 755 $(word $(words $(genxml)),$(genxml)) $(headerdir)/support
|
||||
$(verbose) $(genperm) $(avs) $(secclass) > $(headerdir)/support/all_perms.spt
|
||||
$(verbose) for i in $(notdir $(all_layers)); do \
|
||||
mkdir -p $(headerdir)/$$i ;\
|
||||
|
|
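Review bot: The new line `$(verbose) $(INSTALL) -m 755 $(word $(words $(genxml)),$(genxml)) $(headerdir)/support` spells the last word of `$(genxml)` by hand; GNU make has `$(lastword ...)` for exactly this, so `$(verbose) $(INSTALL) -m 755 $(lastword $(genxml)) $(headerdir)/support` reads more directly and makes the intent (install the generator script executable, separately from the 644 data files) obvious at a glance. A short comment above the two `$(INSTALL)` lines, such as `# support data is installed read-only; the xml generator must stay executable`, would explain why the previous single install line was split. The `install-headers` recipe continues outside the hunk.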
|
@ -2,7 +2,7 @@
|
|||
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||
|
||||
/sbin/mount\.zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||
/sbin/mount\.zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||
/sbin/zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||
/sbin/zpool -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||
|
||||
|
@ -14,4 +14,4 @@
|
|||
/usr/sbin/zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||
/usr/sbin/zpool -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||
|
||||
/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
|
||||
/run/mount(/.*)? gen_context(system_u:object_r:mount_runtime_t,s0)
|
||||
|
|
|
@ -23,12 +23,13 @@ role mount_roles types mount_t;
|
|||
type mount_loopback_t; # customizable
|
||||
files_type(mount_loopback_t)
|
||||
|
||||
type mount_runtime_t;
|
||||
typealias mount_runtime_t alias mount_var_run_t;
|
||||
files_pid_file(mount_runtime_t)
|
||||
|
||||
type mount_tmp_t;
|
||||
files_tmp_file(mount_tmp_t)
|
||||
|
||||
type mount_var_run_t;
|
||||
files_pid_file(mount_var_run_t)
|
||||
|
||||
# causes problems with interfaces when
|
||||
# this is optionally declared in monolithic
|
||||
# policy--duplicate type declaration
|
||||
|
@ -52,10 +53,10 @@ can_exec(mount_t, mount_exec_t)
|
|||
|
||||
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
|
||||
|
||||
create_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t)
|
||||
create_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
|
||||
rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
|
||||
files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")
|
||||
create_dirs_pattern(mount_t, mount_runtime_t, mount_runtime_t)
|
||||
create_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
|
||||
rw_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
|
||||
files_pid_filetrans(mount_t, mount_runtime_t, dir, "mount")
|
||||
|
||||
kernel_read_system_state(mount_t)
|
||||
kernel_read_kernel_sysctls(mount_t)
|
||||
|
@ -65,9 +66,6 @@ kernel_dontaudit_write_debugfs_dirs(mount_t)
|
|||
kernel_dontaudit_write_proc_dirs(mount_t)
|
||||
# To load binfmt_misc kernel module
|
||||
kernel_request_load_module(mount_t)
|
||||
# for when /etc/mtab loses its type
|
||||
# cjp: this seems wrong, the type should probably be etc
|
||||
kernel_read_unlabeled_files(mount_t)
|
||||
|
||||
# required for mount.smbfs
|
||||
corecmd_exec_bin(mount_t)
|
||||
|
@ -139,6 +137,7 @@ miscfiles_read_localization(mount_t)
|
|||
sysnet_use_portmap(mount_t)
|
||||
|
||||
seutil_read_config(mount_t)
|
||||
selinux_getattr_fs(mount_t)
|
||||
|
||||
userdom_use_all_users_fds(mount_t)
|
||||
|
||||
|
|
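Review bot: The new `selinux_getattr_fs(mount_t)` line in the last hunk (`@ -139,6 +137,7`) has no comment saying which access it resolves, while the neighbouring rules in this file state their reason (`# To load binfmt_misc kernel module`, `# required for mount.smbfs`); a one-line comment above it, e.g. `# getattr on selinuxfs; see <denial or bug reference>`, lets a later audit decide whether the permission is still needed without re-deriving it. The earlier hunk (`@ -65,9 +66,6`) drops `kernel_read_unlabeled_files(mount_t)` together with its "/etc/mtab loses its type" comment; that is a tightening of mount_t, and if it is intentional it deserves a sentence in the commit description, since systems that still carry an unlabeled /etc/mtab may start seeing denials for mount_t. The `typealias mount_runtime_t alias mount_var_run_t;` in the first hunk keeps the old name resolvable for out-of-tree policy, which is the right way to do the rename.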