WIP SELinux

2025-12-21 03:34:54 +00:00 · 2021-02-10 01:21:16 +01:00
parent dfe918358e
commit 3deedba040
6 changed files with 31 additions and 163 deletions
--- a/ly.spec.rpkg
+++ b/ly.spec.rpkg
@@ -1,3 +1,8 @@
+%define relabel_files() \
+restorecon -R /usr/bin/ly; \
+
+%define selinux_policyver 3.14.6-34
+
 Name:           {{{ git_dir_name }}}
 Version:        {{{ git_dir_version }}}
 Release:        1%{?dist}
@@ -37,6 +42,26 @@ DESTDIR="%{buildroot}" make install
 chmod -x %{buildroot}/etc/ly/config.ini
 chmod -x %{buildroot}/etc/ly/lang/*

+%post
+semodule -n -i %{_datadir}/selinux/packages/ly.pp
+if /usr/sbin/selinuxenabled ; then
+    /usr/sbin/load_policy
+    %relabel_files
+
+fi;
+exit 0
+
+%postun
+if [ $1 -eq 0 ]; then
+    semodule -n -r ly
+    if /usr/sbin/selinuxenabled ; then
+       /usr/sbin/load_policy
+       %relabel_files
+
+    fi;
+fi;
+exit 0
+
 %files
 /usr/bin/ly
 /usr/lib/systemd/system/ly.service
@@ -50,6 +75,7 @@ chmod -x %{buildroot}/etc/ly/lang/*
 /etc/ly/wsetup.sh
 /etc/ly/config.ini
 /etc/pam.d/ly
+/etc/selinux/packages/ly.pp

 %changelog
 {{{ git_dir_changelog }}}
--- a/5
+++ b/5
@@ -92,6 +92,11 @@ installnoconf: $(BIND)/$(NAME)
 	@install -DZ $(RESD)/ly.service -m 644 -t ${DESTDIR}/usr/lib/systemd/system
 	@install -DZ $(RESD)/pam.d/ly -m 644 -t ${DESTDIR}/etc/pam.d

+makeselinux:
+	@echo "installing selinux modules"
+	@checkmodule -M -m -o ly.mod selinux/ly.te
+	@semodule_package -o ly.pp -m ly.mod
+
 uninstall:
 	@echo "uninstalling"
 	@rm -rf ${DESTDIR}/etc/ly
--- a/selinux/ly.fc
+++ b/selinux/ly.fc
@@ -1 +0,0 @@
-/usr/bin/ly		--	gen_context(system_u:object_r:ly_exec_t,s0)
--- a/selinux/ly.if
+++ b/selinux/ly.if
@@ -1,40 +0,0 @@
-
-## <summary>policy for ly</summary>
-
-########################################
-## <summary>
-##	Execute ly_exec_t in the ly domain.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`ly_domtrans',`
-	gen_require(`
-		type ly_t, ly_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, ly_exec_t, ly_t)
-')
-
-######################################
-## <summary>
-##	Execute ly in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`ly_exec',`
-	gen_require(`
-		type ly_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	can_exec($1, ly_exec_t)
-')
--- a/selinux/ly.sh
+++ b/selinux/ly.sh
@@ -1,52 +0,0 @@
-#!/bin/sh -e
-
-DIRNAME=`dirname $0`
-cd $DIRNAME
-USAGE="$0 [ --update ]"
-if [ `id -u` != 0 ]; then
-echo 'You must be root to run this script'
-exit 1
-fi
-
-if [ $# -eq 1 ]; then
-	if [ "$1" = "--update" ] ; then
-		time=`ls -l --time-style="+%x %X" ly.te | awk '{ printf "%s %s", $6, $7 }'`
-		rules=`ausearch --start $time -m avc --raw -se ly`
-		if [ x"$rules" != "x" ] ; then
-			echo "Found avc's to update policy with"
-			echo -e "$rules" | audit2allow -R
-			echo "Do you want these changes added to policy [y/n]?"
-			read ANS
-			if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then
-				echo "Updating policy"
-				echo -e "$rules" | audit2allow -R >> ly.te
-				# Fall though and rebuild policy
-			else
-				exit 0
-			fi
-		else
-			echo "No new avcs found"
-			exit 0
-		fi
-	else
-		echo -e $USAGE
-		exit 1
-	fi
-elif [ $# -ge 2 ] ; then
-	echo -e $USAGE
-	exit 1
-fi
-
-echo "Building and Loading Policy"
-set -x
-make -f /usr/share/selinux/devel/Makefile ly.pp || exit
-/usr/sbin/semodule -i ly.pp
-
-# Generate a man page off the installed module
-sepolicy manpage -p . -d ly_t
-# Fixing the file context on /usr/bin/ly
-/sbin/restorecon -F -R -v /usr/bin/ly
-# Generate a rpm package for the newly generated policy
-
-pwd=$(pwd)
-rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build"  -ba ly_selinux.spec
--- a/selinux/ly_selinux.spec
+++ b/selinux/ly_selinux.spec
@@ -1,70 +0,0 @@
-# vim: sw=4:ts=4:et
-
-
-%define relabel_files() \
-restorecon -R /usr/bin/ly; \
-
-%define selinux_policyver 3.14.6-34
-
-Name:   ly_selinux
-Version:	1.0
-Release:	1%{?dist}
-Summary:	SELinux policy module for ly
-
-Group:	System Environment/Base		
-License:	WTFPL
-# This is an example. You will need to change it.
-URL:		https://github.com/nullgemm/ly
-Source0:	ly.pp
-Source1:	ly.if
-Source2:	ly_selinux.8
-
-
-Requires: policycoreutils, libselinux-utils
-Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils
-Requires(postun): policycoreutils
-BuildArch: noarch
-
-%description
-This package installs and sets up the  SELinux policy security module for ly.
-
-%install
-install -d %{buildroot}%{_datadir}/selinux/packages
-install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages
-install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib
-install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/
-install -d %{buildroot}%{_mandir}/man8/
-install -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man8/ly_selinux.8
-install -d %{buildroot}/etc/selinux/targeted/contexts/users/
-
-
-%post
-semodule -n -i %{_datadir}/selinux/packages/ly.pp
-if /usr/sbin/selinuxenabled ; then
-    /usr/sbin/load_policy
-    %relabel_files
-
-fi;
-exit 0
-
-%postun
-if [ $1 -eq 0 ]; then
-    semodule -n -r ly
-    if /usr/sbin/selinuxenabled ; then
-       /usr/sbin/load_policy
-       %relabel_files
-
-    fi;
-fi;
-exit 0
-
-%files
-%attr(0600,root,root) %{_datadir}/selinux/packages/ly.pp
-%{_datadir}/selinux/devel/include/contrib/ly.if
-%{_mandir}/man8/ly_selinux.8.*
-
-
-%changelog
-* Wed Feb  3 2021 YOUR NAME <YOUR@EMAILADDRESS> 1.0-1
- Initial version
-
				`@@ -1 +0,0 @@`
				`/usr/bin/ly -- gen_context(system_u:object_r:ly_exec_t,s0)`