Add internal SELinux policy overrides

In the future, this will likely include an ostree_t domain.  For now,
this is just a few additional allow rules.
This commit is contained in:
Colin Walters 2014-02-19 08:37:54 -05:00
parent 53bd648dac
commit cc49096044
8 changed files with 96 additions and 0 deletions

View File

@ -31,6 +31,10 @@ endif
SUBDIRS += .
if USE_SELINUX
SUBDIRS += selinux
endif
if ENABLE_GTK_DOC
SUBDIRS += doc
endif

View File

@ -203,6 +203,7 @@ AC_CONFIG_FILES([
Makefile
embedded-dependencies/Makefile
doc/Makefile
selinux/Makefile
src/libostree/ostree-1.pc
])
AC_OUTPUT

View File

@ -44,6 +44,19 @@ Requires: %{name} = %{version}-%{release}
%description devel
The %{name}-devel package includes the header files for the %{name} library.
%package selinux
Summary: SELinux policy module for %{name}
Group: System Environment/Base
Requires: %{name} = %{version}-%{release}
Requires: policycoreutils, libselinux-utils
Requires(post): selinux-policy-base, policycoreutils
Requires(postun): policycoreutils
BuildRequires: selinux-policy-devel
BuildArch: noarch
%description selinux
This package installs and sets up the SELinux policy security module for %{name}.
%prep
%setup -q -n ostree-%{version}
@ -69,6 +82,14 @@ rm -rf $RPM_BUILD_ROOT
%preun
%systemd_preun ostree-remount.service
%post selinux
semodule -n -i %{_datadir}/selinux/packages/%{name}.pp
%postun selinux
if [ $1 -eq 0 ]; then
semodule -n -r %{name}
fi
%files
%doc COPYING README.md
%{_bindir}/ostree
@ -91,3 +112,6 @@ rm -rf $RPM_BUILD_ROOT
%dir %{_datadir}/gtk-doc/html/ostree
%{_datadir}/gtk-doc/html/ostree
%{_datadir}/gir-1.0/OSTree-1.0.gir
%files selinux
%attr(0600,root,root) %{_datadir}/selinux/packages/%{name}.pp

2
selinux/.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
ostree.pp
tmp

22
selinux/Makefile.am Normal file
View File

@ -0,0 +1,22 @@
# Copyright (C) 2014 Colin Walters <walters@verbum.org>
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
# Boston, MA 02111-1307, USA.
ostree.pp: ostree.fc ostree.if ostree.te
make -f /usr/share/selinux/devel/Makefile
selinuxpkgdir = $(datadir)/selinux/packages
selinuxpkg_DATA = ostree.pp

9
selinux/ostree.fc Normal file
View File

@ -0,0 +1,9 @@
# Core definitions
/sysroot -d gen_context(system_u:object_r:usr_t,s0)
/ostree -d gen_context(system_u:object_r:usr_t,s0)
/ostree -l gen_context(system_u:object_r:usr_t,s0)
/media -l gen_context(system_u:object_r:mnt_t,s0)
/mnt -l gen_context(system_u:object_r:mnt_t,s0)
/var/roothome -d gen_context(system_u:object_r:admin_home_t,s0)
/var/home -d gen_context(system_u:object_r:home_root_t,s0)

1
selinux/ostree.if Normal file
View File

@ -0,0 +1 @@
# Empty.

33
selinux/ostree.te Normal file
View File

@ -0,0 +1,33 @@
policy_module(ostree, 1.3.0)
require {
type init_t;
type root_t;
type var_log_t;
type games_data_t;
type var_yp_t;
type systemd_tmpfiles_t;
type local_login_t;
type admin_home_t;
type ldconfig_cache_t;
type var_t;
type var_run_t;
class lnk_file { relabelfrom relabelto read getattr };
class dir { relabelfrom relabelto create setattr write };
}
# init_t
allow init_t admin_home_t:lnk_file { read getattr };
allow init_t root_t:dir { write };
#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t games_data_t:dir relabelto;
allow systemd_tmpfiles_t var_log_t:dir create;
allow systemd_tmpfiles_t var_run_t:lnk_file { relabelfrom relabelto };
allow systemd_tmpfiles_t var_t:dir { create relabelfrom relabelto setattr };
allow systemd_tmpfiles_t var_yp_t:dir relabelto;
allow systemd_tmpfiles_t ldconfig_cache_t:dir { relabelfrom relabelto setattr };
allow systemd_tmpfiles_t var_t:dir { relabelfrom relabelto setattr };
#============= local_login_t ==============
allow local_login_t admin_home_t:lnk_file read;