[Rpm-maint] [PATCH 00/19] Add SELinux support to RPM
Steve Lawrence
slawrence at tresys.com
Tue Feb 2 20:25:03 UTC 2010
This patchset has been tested against the master branch (commit 38291e1).
It contains the same patches sent to the list in December [1] with minor
cleanup changes and the following modifications:
- Excludes our changes if --with-selinux is not provided during
configuration
- Replaces the check-policy script with one that performs better module
validation using libsepol
- Replaces matchpathcon with the newer selabel interfaces
- Adds callbacks for policy installation and filesystem relabeling
Unless there are any concerns, we feel this patchset is ready for upstream
inclusion. As always, we look forward to your comments.
---
SELinux policy is currently installed through %post scripts. This
presents several problems. First, this means that policy for a given
application may not be loaded at the time the files are written to disk,
preventing those files from being labeled properly, because the symbols
used to label files need to be in the policy loaded into the kernel.
Secondly, this means that if multiple packages install policy, each of
their %post scripts will reload the policy, which is a very expensive
operation. Consequently, policy is generally kept in a single package to
avoid this, despite containing many application specific policy modules
that would be more suited to be included in their application package.
By integrating SELinux policy into RPM, this patchset solves these
problems and makes policy installation easier. At a high level, this
patchset changes the spec file format, adding a new %policy section and
a new PolicyRequires preamble tag to describe the attributes of policy
modules. New header tags are added to store the new policy information,
and new structures are added to manage the policies and their
installations.
Documentation of the new spec file format and how to include
policy in an rpm package has been added to the SELinux project wiki [2].
Note: This patchset requires the latest SELinux userspace from [3].
[1] http://lists.rpm.org/pipermail/rpm-maint/2009-December/002611.html
[2] http://selinuxproject.org/page/RPM
[3] http://userspace.selinuxproject.org/
Steve Lawrence (19):
Execute matchpathcon_init in a chroot
Add test sources and spec file for %policy
Remove existing %policy directive
Add new %policy section to the spec file format
Add rpmpol struct and helper functions
Add rpmpoltrans struct and helper functions
Add rpmpols struct plus some helper functions
Remove duplicates when preparing the policy set
Install policies using the new structures
Add new policy requires tag to spec file format
Parse new policy requires header and check policy dependencies
Determine how policy should be installed based on SELinux state
Relabel files using restorecon
Detect possible policy module conflicts
Remember that a package was installed with --nopolicy
Update %policy parsing to allow for more tags
Add hook for verifying policy modules
Use selabel interfaces instead of matchpathcon
Add callback notification for policy and relabeling
Makefile.am | 1 +
build/Makefile.am | 4 +-
build/build.c | 4 +
build/files.c | 14 +-
build/parsePolicies.c | 88 ++
build/parsePreamble.c | 8 +
build/parseReqs.c | 4 +
build/parseSpec.c | 5 +
build/policies.c | 592 +++++++++++
build/reqprov.c | 5 +
build/rpmbuild.h | 18 +-
build/rpmfc.c | 3 +
build/rpmspec.h | 1 +
build/spec.c | 2 +
configure.ac | 84 ++-
lib/Makefile.am | 2 +-
lib/fsm.c | 8 +-
lib/poptI.c | 2 +
lib/psm.c | 4 +
lib/rpmcallback.h | 6 +-
lib/rpmds.c | 4 +
lib/rpmds.h | 4 +-
lib/rpmfi.h | 1 -
lib/rpminstall.c | 40 +
lib/rpmpol.c | 1347 +++++++++++++++++++++++++
lib/rpmpol.h | 386 +++++++
lib/rpmtag.h | 11 +
lib/rpmte.c | 20 +
lib/rpmte_internal.h | 3 +
lib/rpmts.c | 57 +
lib/rpmts.h | 36 +
lib/rpmts_internal.h | 3 +
lib/rpmtypes.h | 6 +-
lib/transaction.c | 383 +++++++-
macros.in | 4 +
preinstall.am | 4 +
python/rpmmodule.c | 4 +
scripts/Makefile.am | 8 +
scripts/check-policies.c | 200 ++++
system.h | 4 +
tests/data/SOURCES/poltest-1.0.tar.bz2 | Bin 0 -> 409 bytes
tests/data/SOURCES/poltest-policy-1.0.tar.bz2 | Bin 0 -> 553 bytes
tests/data/SPECS/poltest.spec | 45 +
tests/rpmgeneral.at | 11 +
44 files changed, 3395 insertions(+), 41 deletions(-)
create mode 100644 build/parsePolicies.c
create mode 100644 build/policies.c
create mode 100644 lib/rpmpol.c
create mode 100644 lib/rpmpol.h
create mode 100644 scripts/check-policies.c
create mode 100644 tests/data/SOURCES/poltest-1.0.tar.bz2
create mode 100644 tests/data/SOURCES/poltest-policy-1.0.tar.bz2
create mode 100644 tests/data/SPECS/poltest.spec
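The first problem the cover letter describes (files written before their policy module is loaded cannot receive their intended label, because the type is not yet known to the kernel) can be checked for a package ahead of time. The following is an added illustration, not code from the patchset or from RPM: it parses a file_contexts-style listing and reports the entries whose type is absent from the set of loaded types. Both the file_contexts fragment and the set of loaded types are constructed; on a real system the loaded types would come from the running policy (for example via seinfo or libsepol), and the "poltest" names are borrowed from the test package in the diffstat only as sample values.

```python
# Constructed file_contexts fragment. The poltest_exec_t entry stands for a
# type that only exists in a module loaded later by a %post script.
FILE_CONTEXTS = """\
# constructed sample, not from the patchset
/usr/sbin/poltest        --  system_u:object_r:poltest_exec_t:s0
/var/lib/poltest(/.*)?       system_u:object_r:poltest_var_lib_t:s0
/usr/bin/true            --  system_u:object_r:bin_t:s0
/proc                    -d  <<none>>
"""

# Constructed stand-in for the types present in the currently loaded policy.
LOADED_TYPES = {"bin_t", "poltest_var_lib_t"}


def parse_file_contexts(text):
    """Return (regex, file_type, context) tuples; file_type is None if absent."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:                   # regex, -type flag, context
            regex, ftype, context = fields
        elif len(fields) == 2:                 # regex, context (no type flag)
            regex, context = fields
            ftype = None
        else:
            raise ValueError("malformed file_contexts line: %r" % line)
        entries.append((regex, ftype, context))
    return entries


def context_type(context):
    """Type component of user:role:type[:range]; None for the <<none>> marker."""
    if context == "<<none>>":
        return None
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed security context: %r" % context)
    return parts[2]


def unlabelable_entries(file_contexts_text, loaded_types):
    """Entries whose type is not in the loaded policy: files matching them
    cannot be labeled as intended until the module defining that type is loaded."""
    bad = []
    for regex, _ftype, context in parse_file_contexts(file_contexts_text):
        t = context_type(context)
        if t is not None and t not in loaded_types:
            bad.append((regex, t))
    return bad
```

Running unlabelable_entries(FILE_CONTEXTS, LOADED_TYPES) flags only /usr/sbin/poltest, which is exactly the case where loading policy before the files are written (the ordering this patchset introduces) avoids a mislabeled file.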