[Rpm-maint] [PATCH 00/12] Add SELinux support to RPM

Steve Lawrence slawrence at tresys.com
Thu Oct 22 18:25:37 UTC 2009


SELinux policy is currently installed through %post scripts. This
presents several problems. First, this means that policy for a given
application may not be loaded at the time the files are written to disk,
preventing those files from being labeled properly, because the symbols
used to label files need to be in the policy loaded into the kernel.
Secondly, this means that if multiple packages install policy, each of
their %post scripts will reload the policy, which is a very expensive
operation. Consequently, policy is generally kept in a single package to
avoid this, despite containing many application specific policy modules
that would be more suited to be included in their application package.

By integrating SELinux policy into RPM, this patchset solves these
problems and makes policy installation easier. At a high level, this
patchset changes the spec file format, adding a new %policy section and
a new PolicyRequires preamble tag to describe the attributes of policy
modules. New header tags are added to store the new policy information,
and new structures are added to manage the policies and their
installations.

Documentation of the new spec file format and how to include
policy in an rpm package has been added to the SELinux project wiki at:
http://selinuxproject.org/page/RPM

Note: This patchset requires the latest SELinux userspace from
http://userspace.selinuxproject.org/

Steve Lawrence (12):
  Execute matchpathcon_init in a chroot
  Add test sources and spec file for %policy
  Remove existing %policy directive
  Add new %policy section to the spec file format
  Add rpmpol struct and helper functions
  Add rpmpoltrans struct and helper functions
  Add rpmpols struct plus some helper functions
  Remove duplicates when preparing the policy set
  Install policies using the new structures
  Add new policy requires tag to spec file format
  Parse new policy requires header and check policy dependencies
  Relabel files using fixfiles

 Makefile.am                                   |    1 +
 build/Makefile.am                             |    4 +-
 build/build.c                                 |    4 +
 build/files.c                                 |   14 +-
 build/parsePolicies.c                         |   88 ++
 build/parsePreamble.c                         |    2 +
 build/parseReqs.c                             |    4 +
 build/parseSpec.c                             |    5 +
 build/policies.c                              |  444 +++++++++
 build/reqprov.c                               |    5 +
 build/rpmbuild.h                              |   18 +-
 build/rpmfc.c                                 |    3 +
 build/rpmspec.h                               |    1 +
 build/spec.c                                  |    2 +
 configure.ac                                  |   51 +-
 lib/Makefile.am                               |    2 +-
 lib/poptI.c                                   |    2 +
 lib/rpmds.c                                   |    4 +
 lib/rpmds.h                                   |    4 +-
 lib/rpmfi.h                                   |    1 -
 lib/rpmpol.c                                  | 1206 +++++++++++++++++++++++++
 lib/rpmpol.h                                  |  358 ++++++++
 lib/rpmtag.h                                  |   10 +
 lib/rpmte.c                                   |   14 +
 lib/rpmte_internal.h                          |    3 +
 lib/rpmts.h                                   |    1 +
 lib/rpmtypes.h                                |    6 +-
 lib/transaction.c                             |  307 ++++++-
 macros.in                                     |    2 +
 preinstall.am                                 |    4 +
 tests/data/SOURCES/poltest-1.0.tar.bz2        |  Bin 0 -> 409 bytes
 tests/data/SOURCES/poltest-policy-1.0.tar.bz2 |  Bin 0 -> 553 bytes
 tests/data/SPECS/poltest.spec                 |   45 +
 33 files changed, 2584 insertions(+), 31 deletions(-)
 create mode 100644 build/parsePolicies.c
 create mode 100644 build/policies.c
 create mode 100644 lib/rpmpol.c
 create mode 100644 lib/rpmpol.h
 create mode 100644 tests/data/SOURCES/poltest-1.0.tar.bz2
 create mode 100644 tests/data/SOURCES/poltest-policy-1.0.tar.bz2
 create mode 100644 tests/data/SPECS/poltest.spec
