From 3deedba040daf154700c391d46993b1c8e92c8d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leon=20Gr=C3=BCnewald?=
Date: Wed, 10 Feb 2021 01:21:16 +0100
Subject: [PATCH] WIP SELinux

---
 ly.spec.rpkg | 26 +++++++++++++++
 makefile | 5 +++
 selinux/ly.fc | 1 -
 selinux/ly.if | 40 ----------------------
 selinux/ly.sh | 52 ------------------------------
 selinux/ly_selinux.spec | 70 -----------------------------------------
 6 files changed, 31 insertions(+), 163 deletions(-)
 delete mode 100755 selinux/ly.fc
 delete mode 100755 selinux/ly.if
 delete mode 100755 selinux/ly.sh
 delete mode 100755 selinux/ly_selinux.spec

diff --git a/ly.spec.rpkg b/ly.spec.rpkg
index 334ef86..ea32a9b 100644
--- a/ly.spec.rpkg
+++ b/ly.spec.rpkg
@@ -1,3 +1,8 @@
+%define relabel_files() \
+restorecon -R /usr/bin/ly; \
+
+%define selinux_policyver 3.14.6-34
+
 Name: {{{ git_dir_name }}}
 Version: {{{ git_dir_version }}}
 Release: 1%{?dist}
@@ -37,6 +42,26 @@ DESTDIR="%{buildroot}" make install
 chmod -x %{buildroot}/etc/ly/config.ini
 chmod -x %{buildroot}/etc/ly/lang/*
 
+%post
+semodule -n -i %{_datadir}/selinux/packages/ly.pp
+if /usr/sbin/selinuxenabled ; then
+	/usr/sbin/load_policy
+	%relabel_files
+
+fi;
+exit 0
+
+%postun
+if [ $1 -eq 0 ]; then
+	semodule -n -r ly
+	if /usr/sbin/selinuxenabled ; then
+		/usr/sbin/load_policy
+		%relabel_files
+
+	fi;
+fi;
+exit 0
+
 %files
 /usr/bin/ly
 /usr/lib/systemd/system/ly.service
@@ -50,6 +75,7 @@ chmod -x %{buildroot}/etc/ly/lang/*
 /etc/ly/wsetup.sh
 /etc/ly/config.ini
 /etc/pam.d/ly
+/etc/selinux/packages/ly.pp
 
 %changelog
 {{{ git_dir_changelog }}}
diff --git a/makefile b/makefile
index eef31ad..8dfc145 100644
--- a/makefile
+++ b/makefile
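Review bot: `%define selinux_policyver 3.14.6-34` is introduced at the top of the spec but nothing in this diff consumes it, and the `Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils` / `Requires(postun): policycoreutils` lines that the deleted selinux/ly_selinux.spec carried are not re-added here (unless they already exist outside the hunk). Without them the %post scriptlet added further down can run on a system where semodule, load_policy or restorecon are absent, and its trailing `exit 0` turns that into a silent no-op: the package installs, the policy is never loaded, and nothing reports it. Either carry those Requires lines over next to the macro so the version pin actually gates installation, or drop the unused define.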
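Review bot: The `%post` scriptlet loads `%{_datadir}/selinux/packages/ly.pp` (i.e. /usr/share/selinux/packages/ly.pp), but the only place this spec ships the module is the `%files` entry `/etc/selinux/packages/ly.pp` in the next hunk, and the visible part of `%install` (the two chmod lines) never copies a ly.pp into the buildroot at all, so `semodule -n -i` fails and the unconditional `exit 0` hides it. A package whose scriptlet silently fails to load its confinement policy is worse than no policy, because the operator believes ly is confined when it is not. Settle on one path in both places — e.g. keep `semodule -n -i %{_datadir}/selinux/packages/ly.pp` in %post and ship `%attr(0600,root,root) %{_datadir}/selinux/packages/ly.pp` in %files, as the deleted ly_selinux.spec did — and add an `install -D -m 644 ly.pp %{buildroot}%{_datadir}/selinux/packages/ly.pp` to %install if no such line exists outside the hunk. Consider also checking semodule's exit status and printing a warning before the `exit 0`, so a failed load is at least visible in the install log. The %install section this hunk touches starts before the hunk.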
@@ -92,6 +92,11 @@ installnoconf: $(BIND)/$(NAME)
 	@install -DZ $(RESD)/ly.service -m 644 -t ${DESTDIR}/usr/lib/systemd/system
 	@install -DZ $(RESD)/pam.d/ly -m 644 -t ${DESTDIR}/etc/pam.d
 
+makeselinux:
+	@echo "installing selinux modules"
+	@checkmodule -M -m -o ly.mod selinux/ly.te
+	@semodule_package -o ly.pp -m ly.mod
+
 uninstall:
 	@echo "uninstalling"
 	@rm -rf ${DESTDIR}/etc/ly
diff --git a/selinux/ly.fc b/selinux/ly.fc
deleted file mode 100755
index 4a96a7b..0000000
--- a/selinux/ly.fc
+++ /dev/null
@@ -1 +0,0 @@
-/usr/bin/ly -- gen_context(system_u:object_r:ly_exec_t,s0)
diff --git a/selinux/ly.if b/selinux/ly.if
deleted file mode 100755
index f546adc..0000000
--- a/selinux/ly.if
+++ /dev/null
@@ -1,40 +0,0 @@
-
-## policy for ly
-
-########################################
-##
-##	Execute ly_exec_t in the ly domain.
-##
-##
-##
-##	Domain allowed to transition.
-##
-##
-#
-interface(`ly_domtrans',`
-	gen_require(`
-		type ly_t, ly_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, ly_exec_t, ly_t)
-')
-
-######################################
-##
-##	Execute ly in the caller domain.
-##
-##
-##
-##	Domain allowed access.
-##
-##
-#
-interface(`ly_exec',`
-	gen_require(`
-		type ly_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	can_exec($1, ly_exec_t)
-')
diff --git a/selinux/ly.sh b/selinux/ly.sh
deleted file mode 100755
index dabb6f7..0000000
--- a/selinux/ly.sh
+++ /dev/null
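Review bot: The new `makeselinux` recipe packages the module with `semodule_package -o ly.pp -m ly.mod` and no `-f` file-context argument, while this same commit deletes selinux/ly.fc — the only thing that labelled /usr/bin/ly as `ly_exec_t`. The resulting ly.pp carries type-enforcement rules but no file contexts, so the `restorecon -R /usr/bin/ly` run from the spec's %post has nothing to apply, /usr/bin/ly keeps its default label, and the `ly_exec_t -> ly_t` transition that the deleted ly.if described never fires (selinux/ly.te is not in this diff, so whether ly_t is still defined there is unconfirmed). For a login manager started as a system service with its own PAM stack, that means the policy ships but confines nothing. Keep ly.fc and pass it in, `semodule_package -o ly.pp -m ly.mod -f selinux/ly.fc`; also consider writing ly.mod/ly.pp under `$(BIND)` rather than the repo root and listing `makeselinux` in `.PHONY`, since as far as this hunk shows no install target depends on it.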
@@ -1,52 +0,0 @@ -#!/bin/sh -e - -DIRNAME=`dirname $0` -cd $DIRNAME -USAGE="$0 [ --update ]" -if [ `id -u` != 0 ]; then -echo 'You must be root to run this script' -exit 1 -fi - -if [ $# -eq 1 ]; then - if [ "$1" = "--update" ] ; then - time=`ls -l --time-style="+%x %X" ly.te | awk '{ printf "%s %s", $6, $7 }'` - rules=`ausearch --start $time -m avc --raw -se ly` - if [ x"$rules" != "x" ] ; then - echo "Found avc's to update policy with" - echo -e "$rules" | audit2allow -R - echo "Do you want these changes added to policy [y/n]?" - read ANS - if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then - echo "Updating policy" - echo -e "$rules" | audit2allow -R >> ly.te - # Fall though and rebuild policy - else - exit 0 - fi - else - echo "No new avcs found" - exit 0 - fi - else - echo -e $USAGE - exit 1 - fi -elif [ $# -ge 2 ] ; then - echo -e $USAGE - exit 1 -fi - -echo "Building and Loading Policy" -set -x -make -f /usr/share/selinux/devel/Makefile ly.pp || exit -/usr/sbin/semodule -i ly.pp - -# Generate a man page off the installed module -sepolicy manpage -p . -d ly_t -# Fixing the file context on /usr/bin/ly -/sbin/restorecon -F -R -v /usr/bin/ly -# Generate a rpm package for the newly generated policy - -pwd=$(pwd) -rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build" -ba ly_selinux.spec diff --git a/selinux/ly_selinux.spec b/selinux/ly_selinux.spec deleted file mode 100755 index ee6cb98..0000000 --- a/selinux/ly_selinux.spec +++ /dev/null 
@@ -1,70 +0,0 @@ -# vim: sw=4:ts=4:et - - -%define relabel_files() \ -restorecon -R /usr/bin/ly; \ - -%define selinux_policyver 3.14.6-34 - -Name: ly_selinux -Version: 1.0 -Release: 1%{?dist} -Summary: SELinux policy module for ly - -Group: System Environment/Base -License: WTFPL -# This is an example. You will need to change it. -URL: https://github.com/nullgemm/ly -Source0: ly.pp -Source1: ly.if -Source2: ly_selinux.8 - - -Requires: policycoreutils, libselinux-utils -Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils -Requires(postun): policycoreutils -BuildArch: noarch - -%description -This package installs and sets up the SELinux policy security module for ly. - -%install -install -d %{buildroot}%{_datadir}/selinux/packages -install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages -install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib -install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/ -install -d %{buildroot}%{_mandir}/man8/ -install -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man8/ly_selinux.8 -install -d %{buildroot}/etc/selinux/targeted/contexts/users/ - - -%post -semodule -n -i %{_datadir}/selinux/packages/ly.pp -if /usr/sbin/selinuxenabled ; then - /usr/sbin/load_policy - %relabel_files - -fi; -exit 0 - -%postun -if [ $1 -eq 0 ]; then - semodule -n -r ly - if /usr/sbin/selinuxenabled ; then - /usr/sbin/load_policy - %relabel_files - - fi; -fi; -exit 0 - -%files -%attr(0600,root,root) %{_datadir}/selinux/packages/ly.pp -%{_datadir}/selinux/devel/include/contrib/ly.if -%{_mandir}/man8/ly_selinux.8.* - - -%changelog -* Wed Feb 3 2021 YOUR NAME 1.0-1 -- Initial version -