Package: refpolicy
Version: 0.0.20080314-1
Severity: normal

diff ./debian/build.conf.strict ./debian/build.conf.mls 17c17 < TYPE = mcs --- > TYPE = mls 23c23 < NAME = refpolicy-strict --- > NAME = refpolicy-mls

To build an MLS policy too we need a build.conf.mls file which has the above diff from the strict one, and the following patch seems to work (although it may need some work, there are aspects of the make files that I don't understand). Note that I have given a different policy description, I think that type of description is more useful and relevant than the form currently in use. Also it would be good if we could set an environment variable to skip some policies when building (I guess that building a .deb file with no contents would be the closest we could do). If I want to test a quick change to the MLS policy then I don't want to wait many minutes to build both strict and targeted as well.

Only in refpolicy-0.0.20080314-mls/debian: build.conf.mls diff -ru refpolicy-0.0.20080314/debian/build.conf.strict refpolicy-0.0.20080314-mls/debian/build.conf.strict --- refpolicy-0.0.20080314/debian/build.conf.strict 2008-03-28 13:48:10.000000000 +1100 +++ refpolicy-0.0.20080314-mls/debian/build.conf.strict 2008-03-28 09:45:38.000000000 +1100 @@ -14,7 +14,7 @@ # strict, targeted, # strict-mls, targeted-mls, # strict-mcs, targeted-mcs -TYPE ?= mcs +TYPE = mcs # Policy Name # If set, this will be used as the policy diff -ru refpolicy-0.0.20080314/debian/build.conf.targeted refpolicy-0.0.20080314-mls/debian/build.conf.targeted --- refpolicy-0.0.20080314/debian/build.conf.targeted 2008-03-28 13:48:10.000000000 +1100 +++ refpolicy-0.0.20080314-mls/debian/build.conf.targeted 2008-03-28 09:45:47.000000000 +1100 @@ -12,7 +12,7 @@ # Policy Type # standard, mls, mcs -TYPE ?= mcs +TYPE = mcs # Policy Name # If set, this will be used as the policy diff -ru refpolicy-0.0.20080314/debian/control refpolicy-0.0.20080314-mls/debian/control --- refpolicy-0.0.20080314/debian/control 2008-03-28 13:48:10.000000000 +1100 +++ refpolicy-0.0.20080314-mls/debian/control 2008-03-28 09:44:13.000000000 +1100 
@@ -9,6 +9,22 @@ Standards-Version: 3.7.3.0 Build-Depends: policycoreutils (>= 2.0.27), checkpolicy (>= 2.0.4), python, m4, bzip2, gawk +Package: selinux-policy-refpolicy-mls +Architecture: all +Depends: policycoreutils (>= 2.0.42), libpam-modules (>= 0.77-0.se5), python, libselinux1 (>= 2.0.35) +Recommends: checkpolicy, setools +Suggests: logcheck, syslog-summary +Conflicts: cron (<< 3.0pl1-87.2sel), fcron (<< 2.9.3-3), logrotate (<< 3.7.1-1), selinux, procps (<< 1:3.1.15-1), sysvinit (<< 2.86.ds1-1.se1), selinux-policy-default +Homepage: http://serefpolicy.sourceforge.net/ +Description: MLS variant of the SELinux reference policy. + This is the MLS variant of the reference policy. This provides + the highest level of confidentiality, but will never work with + all programs. + . + MLS (Multi-Level Security) aka the Bell la Padula model + only allows data to flow to processes and files with an equal + or lower security clearance. + Package: selinux-policy-refpolicy-strict Architecture: all Depends: policycoreutils (>= 2.0.42), libpam-modules (>= 0.77-0.se5), python, libselinux1 (>= 2.0.35) Only in refpolicy-0.0.20080314-mls/debian: files diff -ru refpolicy-0.0.20080314/debian/local.mk refpolicy-0.0.20080314-mls/debian/local.mk --- refpolicy-0.0.20080314/debian/local.mk 2008-03-28 13:48:10.000000000 +1100 +++ refpolicy-0.0.20080314-mls/debian/local.mk 2008-03-28 09:55:18.000000000 +1100 @@ -19,6 +19,11 @@ $(testdir) CONFIG-common:: stamp-conf/selinux-policy-refpolicy-src +BUILD/selinux-policy-refpolicy-mls:: build/selinux-policy-refpolicy-mls +INST/selinux-policy-refpolicy-mls:: install/selinux-policy-refpolicy-mls +BIN/selinux-policy-refpolicy-mls:: binary/selinux-policy-refpolicy-mls + + BUILD/selinux-policy-refpolicy-strict:: build/selinux-policy-refpolicy-strict INST/selinux-policy-refpolicy-strict:: install/selinux-policy-refpolicy-strict BIN/selinux-policy-refpolicy-strict:: binary/selinux-policy-refpolicy-strict 
@@ -42,7 +47,7 @@ INST/selinux-policy-refpolicy-doc:: install/selinux-policy-refpolicy-doc BIN/selinux-policy-refpolicy-doc:: binary/selinux-policy-refpolicy-doc -CLEAN/selinux-policy-refpolicy-strict CLEAN/selinux-policy-refpolicy-targeted CLEAN/selinux-policy-refpolicy-src CLEAN/selinux-policy-refpolicy-src:: +CLEAN/selinux-policy-refpolicy-mls CLEAN/selinux-policy-refpolicy-strict CLEAN/selinux-policy-refpolicy-targeted CLEAN/selinux-policy-refpolicy-src CLEAN/selinux-policy-refpolicy-src:: $(REASON) make bare test ! -d $(TMPTOP) || rm -rf $(TMPTOP) 
@@ -51,11 +56,38 @@ stamp-conf/selinux-policy-refpolicy-src: $(REASON) + test -d $(SRCTOP)/config/appconfig-strict-mls || \ + cp -a $(SRCTOP)/config/appconfig-mls $(SRCTOP)/config/appconfig-strict-mls test -d $(SRCTOP)/config/appconfig-strict-mcs || \ cp -a $(SRCTOP)/config/appconfig-mcs $(SRCTOP)/config/appconfig-strict-mcs test -d $(SRCTOP)/config/appconfig-targeted-mcs || \ cp -a $(SRCTOP)/config/appconfig-mcs $(SRCTOP)/config/appconfig-targeted-mcs +CONFIG/selinux-policy-refpolicy-mls:: + $(REASON) + test -e debian/stamp-config-mls || \ + test ! -d $(SRCTOP)/debian/build-$(package) || \ + rm -rf $(SRCTOP)/debian/build-$(package) + test -e debian/stamp-config-mls || \ + mkdir -p $(SRCTOP)/debian/build-$(package) + test -e debian/stamp-config-mls || \ + cp -lr policy support Makefile Rules.modular doc \ + Rules.monolithic config VERSION Changelog COPYING INSTALL \ + README man $(SRCTOP)/debian/build-$(package) + test -e debian/stamp-config-mls || \ + cp debian/build.conf.mls $(SRCTOP)/debian/build-$(package)/build.conf + test -e debian/stamp-config-mls || \ + $(MAKE) -C $(SRCTOP)/debian/build-$(package) \ + NAME=refpolicy-mls TYPE=mls $(OPTIONS) bare + test -e debian/stamp-config-mls || \ + (cd $(SRCTOP)/debian/build-$(package) ; \ + $(MAKE) NAME=refpolicy-mls TYPE=mls $(OPTIONS) conf) + cp debian/modules.conf.mls \ + $(SRCTOP)/debian/build-$(package)/policy/modules.conf + echo done > debian/stamp-config-mls +STAMPS_TO_CLEAN += debian/stamp-config-mls +DIRS_TO_CLEAN += debian/build-selinux-policy-refpolicy-mls + CONFIG/selinux-policy-refpolicy-strict:: $(REASON) test -e debian/stamp-config-strict || \ 
@@ -162,6 +194,14 @@ BUILD-common:: perl -wc debian/postinst.policy +build/selinux-policy-refpolicy-mls: + $(REASON) + test -e debian/stamp-build-mls || \ + (cd $(SRCTOP)/debian/build-$(package) ; \ + $(MAKE) NAME=refpolicy-mls TYPE=mls $(OPTIONS) policy all) + echo done > debian/stamp-build-mls +STAMPS_TO_CLEAN += debian/stamp-build-mls + build/selinux-policy-refpolicy-strict: $(REASON) test -e debian/stamp-build-strict || \ @@ -188,6 +228,35 @@ $(REASON) +install/selinux-policy-refpolicy-mls: + $(REASON) + rm -rf $(TMPTOP) $(TMPTOP).deb + $(make_directory) $(DOCDIR)/ + $(make_directory) $(TMPTOP)/etc/selinux/refpolicy-mls/modules/active + $(make_directory) $(TMPTOP)/etc/selinux/refpolicy-mls/policy + test -f $(TMPTOP)/etc/selinux/refpolicy-mls/modules/active/file_contexts.local || \ + touch $(TMPTOP)/etc/selinux/refpolicy-mls/modules/active/file_contexts.local + (cd $(SRCTOP)/debian/build-$(package); \ + $(MAKE) NAME=refpolicy-mls TYPE=mls $(OPTIONS) \ + DESTDIR=$(TMPTOP) install install-headers \ + $(TMPTOP)/etc/selinux/refpolicy-mls/users/local.users \ + $(TMPTOP)/etc/selinux/refpolicy-mls/users/system.users) + for module in $(NON_MODULES); do \ + test ! -f $(TMPTOP)/usr/share/selinux/refpolicy-mls/$$module.pp || \ + rm -f $(TMPTOP)/usr/share/selinux/refpolicy-mls/$$module.pp; \ + done + $(install_file) debian/setrans.conf $(TMPTOP)/etc/selinux/refpolicy-mls/ + $(install_file) VERSION $(DOCDIR)/ + $(install_file) README $(DOCDIR)/ + $(install_file) debian/README.Debian $(DOCDIR)/ + $(install_file) debian/localStrict.te $(DOCDIR)/ + $(install_file) debian/NEWS.Debian $(DOCDIR)/NEWS.Debian + $(install_file) Changelog $(DOCDIR)/changelog + $(install_file) debian/changelog $(DOCDIR)/changelog.Debian + gzip -9fqr $(DOCDIR) + $(install_file) debian/copyright $(DOCDIR)/ +DIRS_TO_CLEAN += debian/selinux-policy-refpolicy-mls + install/selinux-policy-refpolicy-strict: $(REASON) rm -rf $(TMPTOP) $(TMPTOP).deb 
@@ -284,21 +353,26 @@ $(install_file) debian/copyright $(DOCDIR)/ DIRS_TO_CLEAN += debian/selinux-policy-refpolicy-src -install/selinux-policy-refpolicy-dev: install/selinux-policy-refpolicy-strict install/selinux-policy-refpolicy-targeted +install/selinux-policy-refpolicy-dev: install/selinux-policy-refpolicy-mls install/selinux-policy-refpolicy-strict install/selinux-policy-refpolicy-targeted $(REASON) rm -rf $(TMPTOP) $(TMPTOP).deb $(make_directory) $(DOCDIR)/examples $(make_directory) $(MAN1DIR) $(make_directory) $(TMPTOP)/usr/bin + $(make_directory) $(TMPTOP)/usr/share/selinux/refpolicy-mls/include $(make_directory) $(TMPTOP)/usr/share/selinux/refpolicy-strict/include $(make_directory) $(TMPTOP)/usr/share/selinux/refpolicy-targeted/include find $(TMPTOP) -type d -name .arch-ids -print0 | xargs -0r rm -rf + (cd $(SRCTOP)/debian/selinux-policy-refpolicy-mls/usr/share/selinux/refpolicy-mls; \ + tar cfh - include | (cd $(TMPTOP)/usr/share/selinux/refpolicy-mls; umask 000; \ + tar xpsf -)) (cd $(SRCTOP)/debian/selinux-policy-refpolicy-strict/usr/share/selinux/refpolicy-strict; \ tar cfh - include | (cd $(TMPTOP)/usr/share/selinux/refpolicy-strict; umask 000; \ tar xpsf -)) (cd $(SRCTOP)/debian/selinux-policy-refpolicy-targeted/usr/share/selinux/refpolicy-targeted; \ tar cfh - include | (cd $(TMPTOP)/usr/share/selinux/refpolicy-targeted; umask 000; \ tar xpsf -)) + rm -rf $(SRCTOP)/debian/selinux-policy-refpolicy-mls/usr/share/selinux/refpolicy-mls/include rm -rf $(SRCTOP)/debian/selinux-policy-refpolicy-strict/usr/share/selinux/refpolicy-strict/include rm -rf $(SRCTOP)/debian/selinux-policy-refpolicy-targeted/usr/share/selinux/refpolicy-targeted/include $(install_file) policy/rolemap \ 
@@ -317,8 +391,17 @@ $(TMPTOP)/usr/share/selinux/refpolicy-strict/include/support $(install_file) debian/build.conf.strict \ $(TMPTOP)/usr/share/selinux/refpolicy-strict/include/build.conf + $(install_file) policy/rolemap \ + $(TMPTOP)/usr/share/selinux/refpolicy-mls/include/support + $(install_file) debian/global_booleans.xml \ + $(TMPTOP)/usr/share/selinux/refpolicy-mls/include/support + $(install_file) debian/global_tunables.xml \ + $(TMPTOP)/usr/share/selinux/refpolicy-mls/include/support + $(install_file) debian/build.conf.mls \ + $(TMPTOP)/usr/share/selinux/refpolicy-mls/include/build.conf chmod +x $(TMPTOP)/usr/share/selinux/refpolicy-targeted/include/support/segenxml.py chmod +x $(TMPTOP)/usr/share/selinux/refpolicy-strict/include/support/segenxml.py + chmod +x $(TMPTOP)/usr/share/selinux/refpolicy-mls/include/support/segenxml.py $(install_file) VERSION $(DOCDIR)/ $(install_file) README $(DOCDIR)/ $(install_file) debian/README.Debian $(DOCDIR)/ 
@@ -358,6 +441,22 @@ $(install_file) debian/docentry $(DOCBASEDIR)/$(package) DIRS_TO_CLEAN += debian/selinux-policy-refpolicy-doc +binary/selinux-policy-refpolicy-mls: + $(REASON) + $(checkdir) + $(make_directory) $(TMPTOP)/DEBIAN + (cd $(TMPTOP); find etc -type f | sed 's,^,/,' > DEBIAN/conffiles) + test ! -f DEBIAN/conffiles || test -s DEBIAN/conffiles || rm DEBIAN/conffiles + sed -e 's/=T/mls/g' debian/postinst.policy > $(TMPTOP)/DEBIAN/postinst + chmod 755 $(TMPTOP)/DEBIAN/postinst + $(install_program) debian/mls.postrm $(TMPTOP)/DEBIAN/postrm + dpkg-gencontrol -V'debconf-depends=debconf (>= $(MINDEBCONFVER))' \ + -p$(package) -isp -P$(TMPTOP) + $(create_md5sum) $(TMPTOP) + chown -R root:root $(TMPTOP) + chmod -R u+w,go=rX $(TMPTOP) + dpkg --build $(TMPTOP) .. + binary/selinux-policy-refpolicy-strict: $(REASON) $(checkdir) diff -ru refpolicy-0.0.20080314/debian/local-vars.mk refpolicy-0.0.20080314-mls/debian/local-vars.mk --- refpolicy-0.0.20080314/debian/local-vars.mk 2008-03-28 13:48:10.000000000 +1100 +++ refpolicy-0.0.20080314-mls/debian/local-vars.mk 2008-03-28 09:55:42.000000000 +1100 
@@ -17,7 +17,7 @@ FILES_TO_CLEAN = debian/files STAMPS_TO_CLEAN = -DIRS_TO_CLEAN = config/appconfig-strict-mcs config/appconfig-targeted-mcs +DIRS_TO_CLEAN = config/appconfig-strict-mls config/appconfig-strict-mcs config/appconfig-targeted-mcs # Location of the source dir SRCTOP := $(shell if [ "$$PWD" != "" ]; then echo $$PWD; else pwd; fi) Only in refpolicy-0.0.20080314-mls/debian: mls.postrm Only in refpolicy-0.0.20080314-mls/debian: modules.conf.mls Only in refpolicy-0.0.20080314-mls/debian: stamp-build-mls Only in refpolicy-0.0.20080314-mls/debian: stamp-build-strict Only in refpolicy-0.0.20080314-mls/debian: stamp-build-targeted Only in refpolicy-0.0.20080314-mls/debian: stamp-config-dev Only in refpolicy-0.0.20080314-mls/debian: stamp-config-doc Only in refpolicy-0.0.20080314-mls/debian: stamp-config-mls Only in refpolicy-0.0.20080314-mls/debian: stamp-config-src Only in refpolicy-0.0.20080314-mls/debian: stamp-config-strict Only in refpolicy-0.0.20080314-mls/debian: stamp-config-targeted Only in refpolicy-0.0.20080314/doc: global_booleans.xml Only in refpolicy-0.0.20080314/doc: global_tunables.xml Only in refpolicy-0.0.20080314/doc: policy.xml Only in refpolicy-0.0.20080314-mls: install-arch-stamp Only in refpolicy-0.0.20080314-mls: install-indep-stamp Only in refpolicy-0.0.20080314/policy: booleans.conf Only in refpolicy-0.0.20080314/policy/modules/kernel: corenetwork.if Only in refpolicy-0.0.20080314/policy/modules/kernel: corenetwork.te Only in refpolicy-0.0.20080314/policy: modules.conf Only in refpolicy-0.0.20080314-mls: POST-BUILD-arch-stamp Only in refpolicy-0.0.20080314-mls: POST-BUILD-indep-stamp Only in refpolicy-0.0.20080314/support: pyplate.pyc -- System Information: Debian Release: 4.0 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.18-5-686 Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
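
Review bot: In debian/build.conf.strict and debian/build.conf.targeted, the switch from `TYPE ?= mcs` to `TYPE = mcs` is unexplained and removes the ability to set TYPE from the environment, because a plain `=` in a makefile overrides an environment value while `?=` yields to it. The new mls rules pass `TYPE=mls` on the make command line, which wins over either form, so the MLS build does not appear to need this change. debian/build.conf.strict is also installed as include/build.conf by the install/selinux-policy-refpolicy-dev rule, so people building modules against those headers inherit the fixed assignment. Keep `?=`, or give the reason for the change in the changelog.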
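
Review bot: In the debian/control hunk, the last paragraph of the selinux-policy-refpolicy-mls Description states the flow direction backwards. Under Bell-LaPadula (no read up, no write down) data may only flow to processes and files at an equal or higher level, not "equal or lower". Suggest "only allows data to flow to processes and files with an equal or higher security clearance", and spell the model name "Bell-LaPadula".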
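
Review bot: In the stamp-conf/selinux-policy-refpolicy-src rule of debian/local.mk, the new copy of config/appconfig-mls to config/appconfig-strict-mls has no visible consumer. Every mls rule added by this patch passes `NAME=refpolicy-mls TYPE=mls`, and nothing in the patch reads a directory named appconfig-strict-mls. If the build selects the appconfig directory by TYPE, drop this copy together with the matching `config/appconfig-strict-mls` entry added to DIRS_TO_CLEAN in debian/local-vars.mk; otherwise add a comment saying what uses it.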
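
Review bot: In install/selinux-policy-refpolicy-mls, the line `$(install_file) debian/localStrict.te $(DOCDIR)/` looks carried over from the strict rule, and `debian/setrans.conf` is installed unchanged into /etc/selinux/refpolicy-mls/. Confirm that setrans.conf carries translations for MLS sensitivity levels rather than ones written for the mcs policies, and either ship an MLS-specific example module or drop the localStrict.te line from the mls package.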
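
Review bot: The patch cannot be applied as posted, because two files the new rules depend on are missing from it: debian/modules.conf.mls (copied in CONFIG/selinux-policy-refpolicy-mls) and debian/mls.postrm (installed in binary/selinux-policy-refpolicy-mls) appear only as "Only in refpolicy-0.0.20080314-mls/debian" entries, and build.conf.mls is given only as a separate normal diff against build.conf.strict. The same "Only in" list shows stamp-build-*, stamp-config-*, install-*-stamp, POST-BUILD-*-stamp and pyplate.pyc, so the two trees were compared after a build. Regenerate the patch from clean trees with `diff -ruN` so the new files are included and the build residue is not.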