Change how SELinux policies are compiled

To take advantage of macros, the custom policies are now compiled using make. To use macros, selinux-policy-devel needs to be installed. Change-Id: I803291c01af709f39edcbf2f366808443233d7b3
2014-10-22 19:48:37 -07:00 · 2014-10-22 19:48:37 -07:00 · bfe92523ff
parent 5e4edf4b2b
commit bfe92523ff
2 changed files with 12 additions and 5 deletions
--- a/elements/selinux/install.d/100-install-custom-selinux-policies
+++ b/elements/selinux/install.d/100-install-custom-selinux-policies
@ -8,6 +8,13 @@ set -eux
 set -o pipefail

 install-packages checkpolicy
+
+DISTRO=`lsb_release -si` || true
+
+if [[ "RedHatEnterpriseServer CentOS Fedora" =~ "$DISTRO" ]]; then
+    install-packages selinux-policy-devel
+fi
+
 mkdir -p /opt/stack/selinux-policy

 for file in $(ls $(dirname $0)/../custom-policies/*.te); do
--- a/elements/selinux/os-refresh-config/configure.d/20-compile-and-install-selinux-policies
+++ b/elements/selinux/os-refresh-config/configure.d/20-compile-and-install-selinux-policies
@ -6,15 +6,15 @@ set -eux
 set -o pipefail

 if [ -x /usr/sbin/semanage ]; then
+    cd /tmp
    for file in $(ls /opt/stack/selinux-policy/*.te); do
        filename=$(basename $file)
        filename_no_ext=${filename%.*}
        # compile policy
-        checkmodule -M -m -o "/tmp/$filename_no_ext.mod" \
-           "/opt/stack/selinux-policy/$filename"
-        semodule_package -o "/tmp/$filename_no_ext.pp" \
-            -m "/tmp/$filename_no_ext.mod"
+        cp $file /tmp
+        make -f /usr/share/selinux/devel/Makefile $filename_no_ext.pp
        # install policy
-        semodule -i "/tmp/$filename_no_ext.pp"
+        semodule -i /tmp/$filename_no_ext.pp
+        rm /tmp/$filename_no_ext.*
    done
 fi