[Rpm-maint] [PATCH 00/19] Add SELinux support to RPM

Steve Lawrence slawrence at tresys.com
Tue Feb 2 20:25:03 UTC 2010


This patchset has been tested against the master branch (commit 38291e1).
It contains the same patches sent to the list in December [1] with minor
cleanup changes and the following modifications:

- Excludes our changes if --with-selinux is not provided during
  configuration
- Replaces the check-policy script with one that performs better module
  validation using libsepol
- Replaces matchpathcon with the newer selabel interfaces
- Adds callbacks for policy installation and filesystem relabeling

Unless there are any concerns, we feel this patchset is ready for upstream
inclusion. As always, we look forward to your comments.

---

SELinux policy is currently installed through %post scripts. This
presents several problems. First, this means that policy for a given
application may not be loaded at the time the files are written to disk,
preventing those files from being labeled properly, because the symbols
used to label files need to be in the policy loaded into the kernel.
Secondly, this means that if multiple packages install policy, each of
their %post scripts will reload the policy, which is a very expensive
operation. Consequently, policy is generally kept in a single package to
avoid this, despite containing many application-specific policy modules
that would be better suited to inclusion in their application's package.
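The %post-based pattern the paragraph describes, shown as a constructed illustration added here (it is not from this patchset or from any real package); the module name, package paths and macro names are placeholders:

```spec
# Constructed example of the pre-%policy packaging pattern this patchset
# replaces. Names and paths are placeholders, not taken from the patchset.
%define selinux_module foo
%define selinux_pp %{_datadir}/selinux/packages/%{selinux_module}.pp

%post
# Problem 1: by the time %post runs, RPM has already written this package's
# files to disk and labelled them using whatever policy is *currently*
# loaded. The types referenced by foo.pp are not in that policy yet, so the
# files receive a default (wrong) label.
if [ -x /usr/sbin/semodule ]; then
    # Problem 2: every package that ships policy runs its own semodule -i,
    # and each call rebuilds and reloads the whole kernel policy.
    /usr/sbin/semodule -i %{selinux_pp} 2>/dev/null || :
    # Fix-up for problem 1: re-apply file contexts now that the module is
    # loaded. Without this step the files stay mislabelled.
    /sbin/restorecon -R %{_libexecdir}/%{selinux_module} 2>/dev/null || :
fi

%postun
# On final removal ($1 == 0) unload the module, which is another full reload.
if [ $1 -eq 0 ] && [ -x /usr/sbin/semodule ]; then
    /usr/sbin/semodule -r %{selinux_module} 2>/dev/null || :
fi
```

The mislabelling from problem 1 can be inspected without changing anything by running restorecon with -n (dry run) and -v over the package's file list, which reports only what it would relabel.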

By integrating SELinux policy into RPM, this patchset solves these
problems and makes policy installation easier. At a high level, this
patchset changes the spec file format, adding a new %policy section and
a new PolicyRequires preamble tag to describe the attributes of policy
modules. New header tags are added to store the new policy information,
and new structures are added to manage the policies and their
installations.

Documentation of the new spec file format and how to include
policy in an rpm package has been added to the SELinux project wiki [2].

Note: This patchset requires the latest SELinux userspace from [3].

[1] http://lists.rpm.org/pipermail/rpm-maint/2009-December/002611.html
[2] http://selinuxproject.org/page/RPM
[3] http://userspace.selinuxproject.org/

Steve Lawrence (19):
  Execute matchpathcon_init in a chroot
  Add test sources and spec file for %policy
  Remove existing %policy directive
  Add new %policy section to the spec file format
  Add rpmpol struct and helper functions
  Add rpmpoltrans struct and helper functions
  Add rpmpols struct plus some helper functions
  Remove duplicates when preparing the policy set
  Install policies using the new structures
  Add new policy requires tag to spec file format
  Parse new policy requires header and check policy dependencies
  Determine how policy should be installed based on SELinux state
  Relabel files using restorecon
  Detect possible policy module conflicts
  Remember that a package was installed with --nopolicy
  Update %policy parsing to allow for more tags
  Add hook for verifying policy modules
  Use selabel interfaces instead of matchpathcon
  Add callback notification for policy and relabeling

 Makefile.am                                   |    1 +
 build/Makefile.am                             |    4 +-
 build/build.c                                 |    4 +
 build/files.c                                 |   14 +-
 build/parsePolicies.c                         |   88 ++
 build/parsePreamble.c                         |    8 +
 build/parseReqs.c                             |    4 +
 build/parseSpec.c                             |    5 +
 build/policies.c                              |  592 +++++++++++
 build/reqprov.c                               |    5 +
 build/rpmbuild.h                              |   18 +-
 build/rpmfc.c                                 |    3 +
 build/rpmspec.h                               |    1 +
 build/spec.c                                  |    2 +
 configure.ac                                  |   84 ++-
 lib/Makefile.am                               |    2 +-
 lib/fsm.c                                     |    8 +-
 lib/poptI.c                                   |    2 +
 lib/psm.c                                     |    4 +
 lib/rpmcallback.h                             |    6 +-
 lib/rpmds.c                                   |    4 +
 lib/rpmds.h                                   |    4 +-
 lib/rpmfi.h                                   |    1 -
 lib/rpminstall.c                              |   40 +
 lib/rpmpol.c                                  | 1347 +++++++++++++++++++++++++
 lib/rpmpol.h                                  |  386 +++++++
 lib/rpmtag.h                                  |   11 +
 lib/rpmte.c                                   |   20 +
 lib/rpmte_internal.h                          |    3 +
 lib/rpmts.c                                   |   57 +
 lib/rpmts.h                                   |   36 +
 lib/rpmts_internal.h                          |    3 +
 lib/rpmtypes.h                                |    6 +-
 lib/transaction.c                             |  383 +++++++-
 macros.in                                     |    4 +
 preinstall.am                                 |    4 +
 python/rpmmodule.c                            |    4 +
 scripts/Makefile.am                           |    8 +
 scripts/check-policies.c                      |  200 ++++
 system.h                                      |    4 +
 tests/data/SOURCES/poltest-1.0.tar.bz2        |  Bin 0 -> 409 bytes
 tests/data/SOURCES/poltest-policy-1.0.tar.bz2 |  Bin 0 -> 553 bytes
 tests/data/SPECS/poltest.spec                 |   45 +
 tests/rpmgeneral.at                           |   11 +
 44 files changed, 3395 insertions(+), 41 deletions(-)
 create mode 100644 build/parsePolicies.c
 create mode 100644 build/policies.c
 create mode 100644 lib/rpmpol.c
 create mode 100644 lib/rpmpol.h
 create mode 100644 scripts/check-policies.c
 create mode 100644 tests/data/SOURCES/poltest-1.0.tar.bz2
 create mode 100644 tests/data/SOURCES/poltest-policy-1.0.tar.bz2
 create mode 100644 tests/data/SPECS/poltest.spec
