From 6ac03ab27e2b6c9d8b1d821a2955ac6f4dd2bd4b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leon=20Gr=C3=BCnewald?=
Date: Mon, 8 Feb 2021 00:13:19 +0100
Subject: [PATCH] Add basic spec file and selinux module source
---
ly.spec | 42 +++++++++++++++++++++++++
selinux/ly.fc | 1 +
selinux/ly.if | 40 +++++++++++++++++++++++
selinux/ly.sh | 52 ++++++++++++++++++++++++++++++
selinux/ly.te | 32 +++++++++++++++++++
selinux/ly_selinux.spec | 70 +++++++++++++++++++++++++++++++++++++++++
6 files changed, 237 insertions(+)
create mode 100644 ly.spec
create mode 100755 selinux/ly.fc
create mode 100755 selinux/ly.if
create mode 100755 selinux/ly.sh
create mode 100755 selinux/ly.te
create mode 100755 selinux/ly_selinux.spec
diff --git a/ly.spec b/ly.spec
new file mode 100644
index 0000000..7897935
--- /dev/null
+++ b/ly.spec
@@ -0,0 +1,42 @@
+Name: ly
+Version: 0.5
+Release: 2
+Summary: A TUI display manager
+License: WTFPL
+BuildRequires: libxcb-devel
+BuildRequires: pam-devel
+Requires: libxcb
+Requires: pam
+
+%description
+Ly is a lightweight TUI (ncurses-like) display manager for Linux and BSD.
+
+%prep
+make github
+
+%build
+make
+
+%install
+cd src
+mkdir -p %{buildroot}/etc/
+mkdir -p %{buildroot}/usr/bin/
+mkdir -p %{buildroot}/usr/lib/systemd/system/
+mkdir -p %{buildroot}/etc/pam.d/
+DESTDIR="%{buildroot}" make install
+
+%files
+/usr/bin/ly
+/usr/lib/systemd/system/ly.service
+/etc/ly/lang/es.ini
+/etc/ly/lang/pt.ini
+/etc/ly/lang/ru.ini
+/etc/ly/lang/en.ini
+/etc/ly/lang/fr.ini
+/etc/ly/lang/ro.ini
+/etc/ly/xsetup.sh
+/etc/ly/wsetup.sh
+/etc/ly/config.ini
+/etc/pam.d/ly
+
+%changelog
diff --git a/selinux/ly.fc b/selinux/ly.fc
new file mode 100755
index 0000000..4a96a7b
--- /dev/null
+++ b/selinux/ly.fc
@@ -0,0 +1 @@
+/usr/bin/ly -- gen_context(system_u:object_r:ly_exec_t,s0)
diff --git a/selinux/ly.if b/selinux/ly.if
new file mode 100755
index 0000000..f546adc
--- /dev/null
+++ b/selinux/ly.if
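Review bot: In the `ly.spec` hunk, `/etc/pam.d/ly` and `/etc/ly/config.ini` are listed under `%files` as plain files, so a package upgrade replaces any local changes to the PAM stack and the display-manager configuration without keeping the administrator's copy. Mark them as configuration: `%config(noreplace) /etc/pam.d/ly` and `%config(noreplace) /etc/ly/config.ini`. Separately, `%prep` runs `make github` and the spec has no `Source0:`, so the build appears to fetch its inputs at build time instead of from a pinned, checksummed archive; the Makefile is not part of this patch, so that is inferred from the target name. If so, the RPM is not reproducible and will fail in network-isolated builders.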
@@ -0,0 +1,40 @@
+
+## policy for ly
+
+########################################
+##
+## Execute ly_exec_t in the ly domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`ly_domtrans',`
+ gen_require(`
+ type ly_t, ly_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ly_exec_t, ly_t)
+')
+
+######################################
+##
+## Execute ly in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ly_exec',`
+ gen_require(`
+ type ly_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, ly_exec_t)
+')
diff --git a/selinux/ly.sh b/selinux/ly.sh
new file mode 100755
index 0000000..dabb6f7
--- /dev/null
+++ b/selinux/ly.sh
@@ -0,0 +1,52 @@
+#!/bin/sh -e
+
+DIRNAME=`dirname $0`
+cd $DIRNAME
+USAGE="$0 [ --update ]"
+if [ `id -u` != 0 ]; then
+echo 'You must be root to run this script'
+exit 1
+fi
+
+if [ $# -eq 1 ]; then
+ if [ "$1" = "--update" ] ; then
+ time=`ls -l --time-style="+%x %X" ly.te | awk '{ printf "%s %s", $6, $7 }'`
+ rules=`ausearch --start $time -m avc --raw -se ly`
+ if [ x"$rules" != "x" ] ; then
+ echo "Found avc's to update policy with"
+ echo -e "$rules" | audit2allow -R
+ echo "Do you want these changes added to policy [y/n]?"
+ read ANS
+ if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then
+ echo "Updating policy"
+ echo -e "$rules" | audit2allow -R >> ly.te
+ # Fall though and rebuild policy
+ else
+ exit 0
+ fi
+ else
+ echo "No new avcs found"
+ exit 0
+ fi
+ else
+ echo -e $USAGE
+ exit 1
+ fi
+elif [ $# -ge 2 ] ; then
+ echo -e $USAGE
+ exit 1
+fi
+
+echo "Building and Loading Policy"
+set -x
+make -f /usr/share/selinux/devel/Makefile ly.pp || exit
+/usr/sbin/semodule -i ly.pp
+
+# Generate a man page off the installed module
+sepolicy manpage -p . -d ly_t
+# Fixing the file context on /usr/bin/ly
+/sbin/restorecon -F -R -v /usr/bin/ly
+# Generate a rpm package for the newly generated policy
+
+pwd=$(pwd)
+rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build" -ba ly_selinux.spec
diff --git a/selinux/ly.te b/selinux/ly.te
new file mode 100755
index 0000000..8df62fc
--- /dev/null
+++ b/selinux/ly.te
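Review bot: The `ly.sh` script runs as root under `#!/bin/sh -e` but leaves `$0` and `$DIRNAME` unquoted and relies on `echo -e`, which is not POSIX; on a `/bin/sh` that does not implement `-e`, the pipe into `audit2allow` receives a literal `-e ` in front of the first audit record. Suggested: `cd "$(dirname "$0")"` and `printf '%s\n' "$rules" | audit2allow -R`. The `--update` branch also appends whatever `audit2allow -R` produces straight into `ly.te` after a single y/n answer. Because `ly.te` in this same patch declares `permissive ly_t;`, every access the process attempts is logged as an AVC and offered as a new allow rule. The generated rules should therefore be reviewed and trimmed by hand before they are committed, not accepted wholesale.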
@@ -0,0 +1,32 @@
+policy_module(ly, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ly_t;
+type ly_exec_t;
+init_daemon_domain(ly_t, ly_exec_t)
+
+permissive ly_t;
+
+########################################
+#
+# ly local policy
+#
+allow ly_t self:capability { setgid setuid };
+allow ly_t self:process { fork signal_perms };
+allow ly_t self:process transition;
+allow ly_t self:fifo_file rw_fifo_file_perms;
+allow ly_t self:unix_stream_socket create_stream_socket_perms;
+
+domain_use_interactive_fds(ly_t)
+
+files_read_etc_files(ly_t)
+
+auth_use_nsswitch(ly_t)
+
+logging_send_audit_msgs(ly_t)
+
+miscfiles_read_localization(ly_t)
diff --git a/selinux/ly_selinux.spec b/selinux/ly_selinux.spec
new file mode 100755
index 0000000..ee6cb98
--- /dev/null
+++ b/selinux/ly_selinux.spec
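Review bot: `permissive ly_t;` in the declarations of `ly.te` means the allow rules that follow are never enforced: denials for `ly_t` are logged but not blocked, so this module labels `/usr/bin/ly` without confining it. If that is deliberate while the rule set is being collected, say so next to the statement, e.g. `# permissive during policy development; remove before shipping an enforcing module`, and track its removal. The local policy grants `setuid`/`setgid` and `process transition` but, as far as this hunk shows, nothing for PAM, terminal access or starting the user session. The login path will therefore probably be denied once the permissive statement is dropped, so the module needs a test run in enforcing mode before release.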
@@ -0,0 +1,70 @@
+# vim: sw=4:ts=4:et
+
+
+%define relabel_files() \
+restorecon -R /usr/bin/ly; \
+
+%define selinux_policyver 3.14.6-34
+
+Name: ly_selinux
+Version: 1.0
+Release: 1%{?dist}
+Summary: SELinux policy module for ly
+
+Group: System Environment/Base
+License: WTFPL
+# This is an example. You will need to change it.
+URL: https://github.com/nullgemm/ly
+Source0: ly.pp
+Source1: ly.if
+Source2: ly_selinux.8
+
+
+Requires: policycoreutils, libselinux-utils
+Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils
+Requires(postun): policycoreutils
+BuildArch: noarch
+
+%description
+This package installs and sets up the SELinux policy security module for ly.
+
+%install
+install -d %{buildroot}%{_datadir}/selinux/packages
+install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages
+install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib
+install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/
+install -d %{buildroot}%{_mandir}/man8/
+install -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man8/ly_selinux.8
+install -d %{buildroot}/etc/selinux/targeted/contexts/users/
+
+
+%post
+semodule -n -i %{_datadir}/selinux/packages/ly.pp
+if /usr/sbin/selinuxenabled ; then
+ /usr/sbin/load_policy
+ %relabel_files
+
+fi;
+exit 0
+
+%postun
+if [ $1 -eq 0 ]; then
+ semodule -n -r ly
+ if /usr/sbin/selinuxenabled ; then
+ /usr/sbin/load_policy
+ %relabel_files
+
+ fi;
+fi;
+exit 0
+
+%files
+%attr(0600,root,root) %{_datadir}/selinux/packages/ly.pp
+%{_datadir}/selinux/devel/include/contrib/ly.if
+%{_mandir}/man8/ly_selinux.8.*
+
+
+%changelog
+* Wed Feb 3 2021 YOUR NAME 1.0-1
+- Initial version
+
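Review bot: `%post` and `%postun` in `ly_selinux.spec` both end in `exit 0`, so a failing `semodule -n -i` leaves the package installed with no module loaded and nothing reported to the administrator. Keep the transaction-safe exit status if you want it, but surface the failure, e.g. `semodule -n -i %{_datadir}/selinux/packages/ly.pp || echo "ly_selinux: policy module install failed" >&2`. Template placeholders are also still in place: the comment `# This is an example. You will need to change it.` above `URL:` and `YOUR NAME` in `%changelog`. `%define selinux_policyver 3.14.6-34` looks like the build host's policy version, not a deliberately chosen minimum. `%install` creates `%{buildroot}/etc/selinux/targeted/contexts/users/`, but nothing is installed there and `%files` does not list it, so that line can be dropped.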