I'm trying to get selinux working in a different linux distribution where the directory structure differs from the fedora / redhat pattern. I'm attempting to use the fedora selinux src rpm as a starting point, but of course lots of files are being labelled incorrectly due to the directory differences. I can identify the incorrectly labelled files and I know how to get them labelled correctly. But I need to be able to make a new source rpm based on the fedora selinux src rpm, including the necessary changes, so I can distribute and maintain the policy over time.
I can execute "rpmbuild -bp SPECS/selinux-policy.spec" to generate the fedora patched policy source in the BUILD directory. Then I can make my changes there. But I need to be able to regenerate the src rpm including those changes. And I need to be able to maintain this over time as the reference policy evolves, by dropping in a new reference policy tgz and regenerating the patch files. Surely there's a better way than "vi policy-F12.patch"!
I presume there are tools / scripts / instructions to help with this. Can someone point me in the right direction?
Thanks!
On Fri, Apr 23, 2010 at 07:15:47AM -0400, Alan Rouse wrote:
> I'm trying to get selinux working in a different linux distribution where the directory structure differs from the fedora / redhat pattern. I'm attempting to use the fedora selinux src rpm as a starting point, but of course lots of files are being labelled incorrectly due to the directory differences. I can identify the incorrectly labelled files and I know how to get them labelled correctly. But I need to be able to make a new source rpm based on the fedora selinux src rpm, including the necessary changes, so I can distribute and maintain the policy over time.
> I can execute "rpmbuild -bp SPECS/selinux-policy.spec" to generate the fedora patched policy source in the BUILD directory. Then I can make my changes there. But I need to be able to regenerate the src rpm including those changes. And I need to be able to maintain this over time as the reference policy evolves, by dropping in a new reference policy tgz and regenerating the patch files. Surely there's a better way than "vi policy-F12.patch"!
I also maintain my own policy, which you can find here: git clone git://217.19.27.98/refpolicy.git. The repository has 3 branches: master, fedora and refpolicy.
Basically I merge changes in from refpolicy and Fedora.
Merging refpolicy changes is (usually) as easy as:
  git checkout refpolicy
  git pull http://oss.tresys.com/git/refpolicy.git master
  git checkout master
  git merge -s recursive -X theirs refpolicy
That merges refpolicy into master and prefers refpolicy changes. The problem is that it does not resolve conflicts very nicely. Often I have to fix those later.
As for merging Fedora changes, I have a script that fetches the latest policy source rpm, then preps it. I basically copy its content to the fedora branch, commit it, and use the diff (vs. the previous commit) to manually merge changes into master.
In the master branch I created a dir called redhat with Red Hat-specific modifications and the spec file.
When I build a new source rpm this is what I do:
  git archive --format=tar --prefix=refpolicy-3.7.19/ refpolicy | gzip >/home/dgrift/rpmbuild/SOURCES/refpolicy-3.7.19.tar.gz
  git diff refpolicy master > /home/dgrift/rpmbuild/SOURCES/refpolicy-3.7.19.patch
  cp redhat/selinux-policy.spec /home/dgrift/rpmbuild/SPECS/
  rpmbuild -ba /home/dgrift/rpmbuild/SPECS/selinux-policy.spec
All in all it is usually a daily task which, with merging differences, takes an hour or more.
> I presume there are tools / scripts / instructions to help with this. Can someone point me in the right direction?
> Thanks!
> My PGP public key: http://rouses.net/public_key/alan.asc
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
On 04/23/2010 07:15 AM, Alan Rouse wrote:
> I'm trying to get selinux working in a different linux distribution where the directory structure differs from the fedora / redhat pattern. I'm attempting to use the fedora selinux src rpm as a starting point, but of course lots of files are being labelled incorrectly due to the directory differences. I can identify the incorrectly labelled files and I know how to get them labelled correctly. But I need to be able to make a new source rpm based on the fedora selinux src rpm, including the necessary changes, so I can distribute and maintain the policy over time.
> I can execute "rpmbuild -bp SPECS/selinux-policy.spec" to generate the fedora patched policy source in the BUILD directory. Then I can make my changes there. But I need to be able to regenerate the src rpm including those changes. And I need to be able to maintain this over time as the reference policy evolves, by dropping in a new reference policy tgz and regenerating the patch files. Surely there's a better way than "vi policy-F12.patch"!
> I presume there are tools / scripts / instructions to help with this. Can someone point me in the right direction?
> Thanks!
If the alternative labels are fairly simple, why not set up file context equivalence?
  semanage fcontext -a -e /home /myhome
  semanage fcontext -a -e /var/www /src/myweb
...
On Fri, 2010-04-23 at 07:15 -0400, Alan Rouse wrote:
> I'm trying to get selinux working in a different linux distribution where the directory structure differs from the fedora / redhat pattern. I'm attempting to use the fedora selinux src rpm as a starting point, but of course lots of files are being labelled incorrectly due to the directory differences. I can identify the incorrectly labelled files and I know how to get them labelled correctly. But I need to be able to make a new source rpm based on the fedora selinux src rpm, including the necessary changes, so I can distribute and maintain the policy over time.
> I can execute "rpmbuild -bp SPECS/selinux-policy.spec" to generate the fedora patched policy source in the BUILD directory. Then I can make my changes there. But I need to be able to regenerate the src rpm including those changes. And I need to be able to maintain this over time as the reference policy evolves, by dropping in a new reference policy tgz and regenerating the patch files. Surely there's a better way than "vi policy-F12.patch"!
> I presume there are tools / scripts / instructions to help with this. Can someone point me in the right direction?
Typically you'd make a copy of the serefpolicy-x.y.z directory under the BUILD directory, modify that copy, generate a diff, and add that to the .spec file as a further patch on top of the existing ones (not as a replacement for them). Then use rpmbuild to regenerate the .src.rpm with your modifications.
A quick google search found this: http://bradthemad.org/tech/notes/patching_rpms.php
But fundamentally it isn't any different than creating a src rpm in the first place.
Ideally you'd upstream your changes to the refpolicy, although you may need to regenerate your patches relative to it then.
You can wrap your entries with an ifdef(`distro_xxx', `...') and build with DISTRO=xxx to enable them so that they are only applied for that distro.