On 25/10/16 09:56PM, Rahul Sandhu wrote:
> Currently, a manual rebuild using the `@selinux-rebuild` set is needed
> upon update of the POLICY_TYPES variable. This means that portage can't
> track changes to it with `emerge --changed-use`. By making POLICY_TYPES
> the new USE expand, REFPOLICY_TYPES, `--changed-use` will be triggered
> upon changes to it.
>
I think this would be better if we called it SELINUX_POLICY_TYPES instead. This has 2 advantages: 1) even though Gentoo's policy is a downstream of refpolicy, this helps avoid any confusion if we keep it generic and it keeps the door open to using a different policy base (though this likely will never happen). 2) it makes the variable's name consistent with the other existing variables like SELINUX_GIT_REPO and SELINUX_GIT_BRANCH. > However, make REFPOLICY_TYPES different such that the old POLICY_TYPES > variable remains intact for EAPI 7, providing backwards compat with the > EAPI. This patch only bumps the eclass; sec-policy/selinux-* and other > related ebuilds are to be migrated to EAPI 8 later. This also gives us > time to put out a news article for this migration. > > Signed-off-by: Rahul Sandhu <[email protected]> Does this also fix the spurious issues[1] that have been reported relating to switching POLICY_TYPES and toggling USE=unconfined? I still haven't found a reliable reproducer for that yet... [1] https://bugs.gentoo.org/905371 There's also this issue[2] where it seems like switching to USE_EXPAND would mitigate it, where switching POLICY_TYPES did not cause a rebuild of sec-policy/selinux-base and then caused cascading failures. [2] https://bugs.gentoo.org/952104 There's probably more issues like this which your patch will fix, but again we lack reproducers to verify. Overall I think this looks good, and this change is something that's been needed for many years now. > --- > eclass/selinux-policy-2.eclass | 169 ++++++++++++++++++++--------- > profiles/base/make.defaults | 2 +- > profiles/desc/refpolicy_types.desc | 10 ++ > 3 files changed, 129 insertions(+), 52 deletions(-) > create mode 100644 profiles/desc/refpolicy_types.desc > > diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass > index 5ec7ff99e..6381cdf52 100644 > --- a/eclass/selinux-policy-2.eclass > +++ b/eclass/selinux-policy-2.eclass 
> @@ -7,7 +7,7 @@ > # @ECLASS: selinux-policy-2.eclass > # @MAINTAINER: > # [email protected] > -# @SUPPORTED_EAPIS: 7 > +# @SUPPORTED_EAPIS: 7 8 > # @BLURB: This eclass supports the deployment of the various SELinux modules > in sec-policy > # @DESCRIPTION: > # The selinux-policy-2.eclass supports deployment of the various SELinux > modules > @@ -19,7 +19,7 @@ > # manageable. > > case ${EAPI} in > - 7) ;; > + 7|8) ;; > *) die "${ECLASS}: EAPI ${EAPI:-0} not supported" ;; > esac > > @@ -55,14 +55,16 @@ _SELINUX_POLICY_2_ECLASS=1 > # (space-separated) or a bash array. > : "${POLICY_FILES:=""}" > > -# @ECLASS_VARIABLE: POLICY_TYPES > -# @DESCRIPTION: > -# This variable informs the eclass for which SELinux policies the module > should > -# be built. Currently, Gentoo supports targeted, strict, mcs and mls. > -# This variable is the same POLICY_TYPES variable that we tell SELinux > -# users to set in make.conf. Therefore, it is not the module that should > -# override it, but the user. > -: "${POLICY_TYPES:="targeted strict mcs mls"}" > +if [[ ${EAPI} == 7 ]]; then > + # @ECLASS_VARIABLE: POLICY_TYPES > + # @DESCRIPTION: > + # This variable informs the eclass for which SELinux policies the > module should > + # be built. Currently, Gentoo supports targeted, strict, mcs and mls. > + # This variable is the same POLICY_TYPES variable that we tell SELinux > + # users to set in make.conf. Therefore, it is not the module that should > + # override it, but the user. > + : "${POLICY_TYPES:="targeted strict mcs mls"}" > +fi > > # @ECLASS_VARIABLE: SELINUX_GIT_REPO > # @DESCRIPTION: 
> @@ -89,7 +91,12 @@ case ${BASEPOL} in > EGIT_CHECKOUT_DIR="${WORKDIR}/refpolicy";; > esac > > -IUSE="" > +if [[ ${EAPI} == 7 ]]; then > + IUSE="" > +else > + # Build all policy types by default > + IUSE="+refpolicy_types_targeted +refpolicy_types_strict > +refpolicy_types_mcs +refpolicy_types_mls" > +fi > > HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux" > if [[ -n ${BASEPOL} ]] && [[ "${BASEPOL}" != "9999" ]]; then > @@ -197,14 +204,26 @@ selinux-policy-2_src_prepare() { > fi > done > > - for i in ${POLICY_TYPES}; do > - mkdir "${S}"/${i} || die "Failed to create directory ${S}/${i}" > - cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \ > - || die "Failed to copy Makefile.example to > ${S}/${i}/Makefile" > + _selinux_prepare_modules() { > + mkdir "${S}"/${1} || die "Failed to create directory ${S}/${1}" > + cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${1}/Makefile \ > + || die "Failed to copy Makefile.example to > ${S}/${1}/Makefile" > > - cp ${modfiles} "${S}"/${i} \ > - || die "Failed to copy the module files to ${S}/${i}" > - done > + cp ${modfiles} "${S}"/${1} \ > + || die "Failed to copy the module files to ${S}/${1}" > + } > + > + if [[ ${EAPI} == 7 ]]; then > + for i in ${POLICY_TYPES}; do > + _selinux_prepare_modules $i > + done > + else > + for i in targeted strict mcs mls; do > + if use refpolicy_types_${i}; then > + _selinux_prepare_modules $i > + fi > + done > + fi > } > > # @FUNCTION: selinux-policy-2_src_compile 
> @@ -218,11 +237,23 @@ selinux-policy-2_src_compile() { > use ${useflag} && makeuse="${makeuse} -D use_${useflag}" > done > > - for i in ${POLICY_TYPES}; do > + _selinux_compile_modules() { > # Support USE flags in builds > export M4PARAM="${makeuse}" > - emake NAME=$i SHAREDIR="${EPREFIX}"/usr/share/selinux -C > "${S}"/${i} > - done > + emake NAME=$1 SHAREDIR="${EPREFIX}"/usr/share/selinux -C > "${S}"/${1} > + } > + > + if [[ ${EAPI} == 7 ]]; then > + for i in ${POLICY_TYPES}; do > + _selinux_compile_modules $i > + done > + else > + for i in targeted strict mcs mls; do > + if use refpolicy_types_${i}; then > + _selinux_compile_modules $i > + fi > + done > + fi > } > > # @FUNCTION: selinux-policy-2_src_install 
> @@ -232,22 +263,34 @@ selinux-policy-2_src_compile() { > selinux-policy-2_src_install() { > local BASEDIR="/usr/share/selinux" > > - for i in ${POLICY_TYPES}; do > - for j in ${MODS}; do > - einfo "Installing ${i} ${j} policy package" > - insinto ${BASEDIR}/${i} > - if [[ -f "${S}/${i}/${j}.pp" ]] ; then > - doins "${S}"/${i}/${j}.pp || die "Failed to add > ${j}.pp to ${i}" > - elif [[ -f "${S}/${i}/${j}.cil" ]] ; then > - doins "${S}"/${i}/${j}.cil || die "Failed to add > ${j}.cil to ${i}" > + _selinux_install_modules() { > + for i in ${MODS}; do > + einfo "Installing ${1} ${i} policy package" > + insinto ${BASEDIR}/${1} > + if [[ -f "${S}/${1}/${i}.pp" ]] ; then > + doins "${S}"/${1}/${i}.pp || die "Failed to add > ${i}.pp to ${1}" > + elif [[ -f "${S}/${1}/${i}.cil" ]] ; then > + doins "${S}"/${1}/${i}.cil || die "Failed to add > ${i}.cil to ${1}" > + fi > + > + if [[ "${POLICY_FILES[@]}" == *"${i}.if"* ]]; then > + insinto ${BASEDIR}/${1}/include/3rd_party > + doins "${S}"/${1}/${i}.if || die "Failed to add > ${i}.if to ${1}" > fi > + done > + } > > - if [[ "${POLICY_FILES[@]}" == *"${j}.if"* ]]; then > - insinto ${BASEDIR}/${i}/include/3rd_party > - doins "${S}"/${i}/${j}.if || die "Failed to add > ${j}.if to ${i}" > + if [[ ${EAPI} == 7 ]]; then > + for i in ${POLICY_TYPES}; do > + _selinux_install_modules $i > + done > + else > + for i in targeted strict mcs mls; do > + if use refpolicy_types_${i}; then > + _selinux_install_modules $i > fi > done > - done > + fi > } > > # @FUNCTION: selinux-policy-2_pkg_postinst 
> @@ -264,31 +307,31 @@ selinux-policy-2_pkg_postinst() { > # build up the command in the case of multiple modules > local COMMAND > > - for i in ${POLICY_TYPES}; do > - if [[ "${i}" == "strict" ]] && [[ "${MODS}" = "unconfined" ]]; > then > + _selinux_postinst() { > + if [[ "${1}" == "strict" ]] && [[ "${MODS}" = "unconfined" ]]; > then > einfo "Ignoring loading of unconfined module in strict > module store."; > continue; > fi > > einfo "Inserting the following modules into the $i module > store: ${MODS}" > > - cd "${ROOT}/usr/share/selinux/${i}" || die "Could not enter > /usr/share/selinux/${i}" > - for j in ${MODS} ; do > - if [[ -f "${j}.pp" ]] ; then > - COMMAND="${j}.pp ${COMMAND}" > - elif [[ -f "${j}.cil" ]] ; then > - COMMAND="${j}.cil ${COMMAND}" > + cd "${ROOT}/usr/share/selinux/${1}" || die "Could not enter > /usr/share/selinux/${1}" > + for i in ${MODS} ; do > + if [[ -f "${i}.pp" ]] ; then > + COMMAND="${i}.pp ${COMMAND}" > + elif [[ -f "${i}.cil" ]] ; then > + COMMAND="${i}.cil ${COMMAND}" > fi > done > > - semodule ${root_opts} -s ${i} -i ${COMMAND} > + semodule ${root_opts} -s ${1} -i ${COMMAND} > if [[ $? -ne 0 ]]; then > ewarn "SELinux module load failed. Trying full > reload..."; > > - if [[ "${i}" == "targeted" ]]; then > - semodule ${root_opts} -s ${i} -i *.pp > + if [[ "${1}" == "targeted" ]]; then > + semodule ${root_opts} -s ${1} -i *.pp > else > - semodule ${root_opts} -s ${i} -i $(ls *.pp | > grep -v unconfined.pp); > + semodule ${root_opts} -s ${1} -i $(ls *.pp | > grep -v unconfined.pp); > fi > if [[ $? -ne 0 ]]; then > ewarn "Failed to reload SELinux policies." 
> @@ -302,7 +345,7 @@ selinux-policy-2_pkg_postinst() { > ewarn "action since the new SELinux policies > are not loaded until the" > ewarn "command finished successfully." > ewarn "" > - ewarn "To reload, run the following command > from within /usr/share/selinux/${i}:" > + ewarn "To reload, run the following command > from within /usr/share/selinux/${1}:" > ewarn " semodule -i *.pp" > ewarn "or" > ewarn " semodule -i \$(ls *.pp | grep -v > unconfined.pp)" > @@ -314,7 +357,19 @@ selinux-policy-2_pkg_postinst() { > einfo "SELinux modules loaded successfully." > fi > COMMAND=""; > - done > + } > + > + if [[ ${EAPI} == 7 ]]; then > + for i in ${POLICY_TYPES}; do > + _selinux_postinst $i > + done > + else > + for i in targeted strict mcs mls; do > + if use refpolicy_types_${i}; then > + _selinux_postinst $i > + fi > + done > + fi > > # Don't relabel when cross compiling > if [[ -z ${ROOT} ]]; then > @@ -350,16 +405,28 @@ selinux-policy-2_pkg_postrm() { > COMMAND="-r ${i} ${COMMAND}" > done > > - for i in ${POLICY_TYPES}; do > - einfo "Removing the following modules from the $i > module store: ${MODS}" > + _selinux_postrm() { > + einfo "Removing the following modules from the $1 > module store: ${MODS}" > > - semodule ${root_opts} -s ${i} ${COMMAND} > + semodule ${root_opts} -s ${1} ${COMMAND} > if [[ $? -ne 0 ]]; then > ewarn "SELinux module unload failed."; > else > einfo "SELinux modules unloaded successfully." > fi > - done > + } > + > + if [[ ${EAPI} == 7 ]]; then > + for i in ${POLICY_TYPES}; do > + _selinux_postrm $i > + done > + else > + for i in targeted strict mcs mls; do > + if use refpolicy_types_${i}; then > + _selinux_postrm $i > + fi > + done > + fi > fi > } > > diff --git a/profiles/base/make.defaults b/profiles/base/make.defaults > index 8f203780d..cf8c3c09a 100644 > --- a/profiles/base/make.defaults > +++ b/profiles/base/make.defaults 
> @@ -12,7 +12,7 @@ USE_EXPAND_VALUES_KERNEL="Darwin linux SunOS" > > # Env vars to expand into USE vars. Modifying this requires prior > # discussion on [email protected]. > -USE_EXPAND="ABI_MIPS ABI_S390 ABI_X86 ADA_TARGET ALSA_CARDS AMDGPU_TARGETS > APACHE2_MODULES APACHE2_MPMS CALLIGRA_FEATURES CAMERAS COLLECTD_PLUGINS > CPU_FLAGS_ARM CPU_FLAGS_PPC CPU_FLAGS_X86 CURL_SSL CURL_QUIC ELIBC FFTOOLS > GPSD_PROTOCOLS GRUB_PLATFORMS GUILE_SINGLE_TARGET GUILE_TARGETS INPUT_DEVICES > KERNEL L10N LCD_DEVICES LIBREOFFICE_EXTENSIONS LLVM_SLOT LLVM_TARGETS > LUA_SINGLE_TARGET LUA_TARGETS NGINX_MODULES_HTTP NGINX_MODULES_MAIL > NGINX_MODULES_STREAM OFFICE_IMPLEMENTATION OPENMPI_FABRICS > OPENMPI_OFED_FEATURES OPENMPI_RM PERL_FEATURES PHP_TARGETS POSTGRES_TARGETS > PYTHON_SINGLE_TARGET PYTHON_TARGETS RUST_SYSROOTS QEMU_SOFTMMU_TARGETS > QEMU_USER_TARGETS RUBY_TARGETS SANE_BACKENDS RUST_SYSROOTS UWSGI_PLUGINS > VIDEO_CARDS VOICEMAIL_STORAGE XTABLES_ADDONS" > +USE_EXPAND="ABI_MIPS ABI_S390 ABI_X86 ADA_TARGET ALSA_CARDS AMDGPU_TARGETS > APACHE2_MODULES APACHE2_MPMS CALLIGRA_FEATURES CAMERAS COLLECTD_PLUGINS > CPU_FLAGS_ARM CPU_FLAGS_PPC CPU_FLAGS_X86 CURL_SSL CURL_QUIC ELIBC FFTOOLS > GPSD_PROTOCOLS GRUB_PLATFORMS GUILE_SINGLE_TARGET GUILE_TARGETS INPUT_DEVICES > KERNEL L10N LCD_DEVICES LIBREOFFICE_EXTENSIONS LLVM_SLOT LLVM_TARGETS > LUA_SINGLE_TARGET LUA_TARGETS NGINX_MODULES_HTTP NGINX_MODULES_MAIL > NGINX_MODULES_STREAM OFFICE_IMPLEMENTATION OPENMPI_FABRICS > OPENMPI_OFED_FEATURES OPENMPI_RM PERL_FEATURES PHP_TARGETS POSTGRES_TARGETS > PYTHON_SINGLE_TARGET PYTHON_TARGETS RUST_SYSROOTS QEMU_SOFTMMU_TARGETS > QEMU_USER_TARGETS RUBY_TARGETS SANE_BACKENDS RUST_SYSROOTS UWSGI_PLUGINS > VIDEO_CARDS VOICEMAIL_STORAGE XTABLES_ADDONS REFPOLICY_TYPES" > > # USE_EXPAND variables whose contents are not shown in package manager > # output. Changes need discussion on gentoo-dev. 
> diff --git a/profiles/desc/refpolicy_types.desc > b/profiles/desc/refpolicy_types.desc > new file mode 100644 > index 000000000..6cd4b2ba0 > --- /dev/null > +++ b/profiles/desc/refpolicy_types.desc > @@ -0,0 +1,10 @@ > +# Copyright 2007-2025 Gentoo Authors > +# Distributed under the terms of the GNU General Public License v2 > + > +# This file contains descriptions of REFPOLICY_TYPES USE_EXPAND flags. > + > +# Keep it sorted. > +targeted - Targeted policy > +strict - Strict policy > +mcs - Multi-Category Security policy > +mls - Multi-Level Security policy > -- > 2.51.0 > > -- Kenton Groombridge Gentoo Linux Developer, SELinux Project
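Review bot: in the hunk that wraps the POLICY_TYPES default in `if [[ ${EAPI} == 7 ]]`, an EAPI 8 ebuild now silently ignores a POLICY_TYPES value the user still has in make.conf and builds all four types from the IUSE defaults. An `ewarn` in the EAPI 8 path when POLICY_TYPES is non-empty, pointing the user at REFPOLICY_TYPES, would make the migration visible on the machine itself rather than only in the planned news item.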
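Review bot: the src_prepare, src_compile, src_install, pkg_postinst and pkg_postrm hunks each repeat the same `if [[ ${EAPI} == 7 ]]; then for i in ${POLICY_TYPES} ... else for i in targeted strict mcs mls; do if use refpolicy_types_${i}` block, and the new helpers are defined as nested functions inside the phase functions. Factor the selection into one top-level internal helper (documented with `@FUNCTION` and `@INTERNAL` like the rest of the eclass) that prints the enabled policy types, so each phase becomes `for i in $(_selinux_policy_types); do ...`, and move `_selinux_prepare_modules` and the other helpers to top level as well; the hard-coded `targeted strict mcs mls` list then lives in one place next to the IUSE defaults and a future policy type is a single edit.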
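Review bot: in the pkg_postinst hunk, the `continue;` kept inside the new `_selinux_postinst` function no longer sits in a loop of its own. Whether a `continue` in a function body affects the caller's loop is unspecified by POSIX and depends on the bash version, and if it does not propagate the strict/unconfined guard falls through and `semodule ${root_opts} -s strict -i unconfined.pp` is attempted anyway; replace it with `return 0`. In the same function the message still reads `into the $i module store` while the rest of the body switched to `${1}`; it only works because the caller's loop variable happens to be `i`, so use `${1}` there and add `local i` before `for i in ${MODS}` (and in `_selinux_install_modules`) so the module loop does not clobber the caller's variable.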
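Review bot: in the profiles/base/make.defaults hunk REFPOLICY_TYPES is appended at the very end of USE_EXPAND while the rest of the list is kept roughly alphabetical; insert it before RUBY_TARGETS instead. If the variable is renamed to SELINUX_POLICY_TYPES as suggested above, the desc file name, the `refpolicy_types_*` IUSE prefix and every `use refpolicy_types_${i}` call need the same rename, so the name should be settled before the eclass change is merged.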
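Review bot: profiles/desc/refpolicy_types.desc says `# Keep it sorted.` but lists the entries as targeted, strict, mcs, mls; reorder them (mcs, mls, strict, targeted) so the file matches its own comment, and consider spelling out that the defaults enable all four so that users reading the description know what unsetting a flag changes.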
