[Rpm-maint] [PATCH 00/18] Add SELinux support to RPM

Steve Lawrence slawrence at tresys.com
Wed Dec 23 20:57:20 UTC 2009


Note: This patchset has been tested against the rpm-4.8.x branch (76a82dd)

Patches 1 through 11 are the same patches (with minor changes) sent to
this list in October [1]. The rest of the patches are added to solve issues
raised during the discussions, including better policy existence checking,
policy module validation, and using restorecon rather than fixfiles to
perform relabeling.

---

SELinux policy is currently installed through %post scripts. This
presents several problems. First, this means that policy for a given
application may not be loaded at the time the files are written to disk,
preventing those files from being labeled properly, because the symbols
used to label files need to be in the policy loaded into the kernel.
Secondly, this means that if multiple packages install policy, each of
their %post scripts will reload the policy, which is a very expensive
operation. Consequently, policy is generally kept in a single package to
avoid this, despite containing many application specific policy modules
that would be more suited to be included in their application package.

By integrating SELinux policy into RPM, this patchset solves these
problems and makes policy installation easier. At a high level, this
patchset changes the spec file format, adding a new %policy section and
a new PolicyRequires preamble tag to describe the attributes of policy
modules. New header tags are added to store the new policy information,
and new structures are added to manage the policies and their
installations.

Documentation of the new spec file format and how to include
policy in an rpm package has been added to the SELinux project wiki at:
http://selinuxproject.org/page/RPM

Note: This patchset requires the latest SELinux userspace from
http://userspace.selinuxproject.org/

[1] http://lists.rpm.org/pipermail/rpm-maint/2009-October/002561.html

Steve Lawrence (18):
  Execute matchpathcon_init in a chroot
  Add test sources and spec file for %policy
  Remove existing %policy directive
  Add new %policy section to the spec file format
  Add rpmpol struct and helper functions
  Add rpmpoltrans struct and helper functions
  Add rpmpols struct plus some helper functions
  Remove duplicates when preparing the policy set
  Install policies using the new structures
  Add new policy requires tag to spec file format
  Parse new policy requires header and check policy dependencies
  Determine how policy should be installed based on SELinux state
  Relabel files using restorecon
  Detect possible policy module conflicts
  Remember that a package was installed with --nopolicy
  Update %policy parsing to allow for more tags
  Add hook for verifying policy modules
  Keep track if matchpathcon_init has succeeded

 Makefile.am                                   |    1 +
 build/Makefile.am                             |    4 +-
 build/build.c                                 |    4 +
 build/files.c                                 |   14 +-
 build/parsePolicies.c                         |   88 ++
 build/parsePreamble.c                         |    2 +
 build/parseReqs.c                             |    4 +
 build/parseSpec.c                             |    5 +
 build/policies.c                              |  590 +++++++++++
 build/reqprov.c                               |    5 +
 build/rpmbuild.h                              |   18 +-
 build/rpmfc.c                                 |    3 +
 build/rpmspec.h                               |    1 +
 build/spec.c                                  |    2 +
 configure.ac                                  |   51 +-
 lib/Makefile.am                               |    2 +-
 lib/fsm.c                                     |    4 +-
 lib/poptI.c                                   |    2 +
 lib/psm.c                                     |    4 +
 lib/rpmds.c                                   |    4 +
 lib/rpmds.h                                   |    4 +-
 lib/rpmfi.h                                   |    1 -
 lib/rpmpol.c                                  | 1336 +++++++++++++++++++++++++
 lib/rpmpol.h                                  |  383 +++++++
 lib/rpmtag.h                                  |   11 +
 lib/rpmte.c                                   |   14 +
 lib/rpmte_internal.h                          |    3 +
 lib/rpmts.c                                   |   25 +
 lib/rpmts.h                                   |   29 +
 lib/rpmts_internal.h                          |    3 +
 lib/rpmtypes.h                                |    6 +-
 lib/transaction.c                             |  334 ++++++-
 macros.in                                     |    4 +
 preinstall.am                                 |    4 +
 scripts/Makefile.am                           |    4 +-
 scripts/check-policies                        |   49 +
 tests/data/SOURCES/poltest-1.0.tar.bz2        |  Bin 0 -> 409 bytes
 tests/data/SOURCES/poltest-policy-1.0.tar.bz2 |  Bin 0 -> 553 bytes
 tests/data/SPECS/poltest.spec                 |   45 +
 39 files changed, 3024 insertions(+), 39 deletions(-)
 create mode 100644 build/parsePolicies.c
 create mode 100644 build/policies.c
 create mode 100644 lib/rpmpol.c
 create mode 100644 lib/rpmpol.h
 create mode 100755 scripts/check-policies
 create mode 100644 tests/data/SOURCES/poltest-1.0.tar.bz2
 create mode 100644 tests/data/SOURCES/poltest-policy-1.0.tar.bz2
 create mode 100644 tests/data/SPECS/poltest.spec