Debian Bug report logs - #473067
refpolicy: Need to build MLS policy too

Package: refpolicy; Maintainer for refpolicy is Debian SELinux maintainers <selinux-devel@lists.alioth.debian.org>;

Reported by: Russell Coker <russell@coker.com.au>

Date: Fri, 28 Mar 2008 04:42:01 UTC

Severity: normal

Found in version 0.0.20080314-1

Fixed in version 2:0.0.20080702

Done: Manoj Srivastava <srivasta@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Manoj Srivastava <srivasta@debian.org>:
Bug#473067; Package refpolicy.

Acknowledgement sent to Russell Coker <russell@coker.com.au>:
New Bug report received and forwarded. Copy sent to Manoj Srivastava <srivasta@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Russell Coker <russell@coker.com.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: refpolicy: Need to build MLS policy too
Date: Fri, 28 Mar 2008 15:38:38 +1100
Package: refpolicy
Version: 0.0.20080314-1
Severity: normal

diff ./debian/build.conf.strict ./debian/build.conf.mls
17c17
< TYPE = mcs
---
> TYPE = mls
23c23
< NAME = refpolicy-strict
---
> NAME = refpolicy-mls

To build an MLS policy too we need a build.conf.mls file which has the above
diff from the strict one, and the following patch seems to work (although it
may need some work, there are aspects of the make files that I don't
understand).  Note that I have given a different policy description, I think
that type of description is more useful and relevant than the form currently
in use.

Also it would be good if we could set an environment variable to skip some
policies when building (I guess that building a .deb file with no contents
would be the closest we could do).  If I want to test a quick change to the
MLS policy then I don't want to wait many minutes to build both strict and
targeted as well.

Only in refpolicy-0.0.20080314-mls/debian: build.conf.mls
diff -ru refpolicy-0.0.20080314/debian/build.conf.strict refpolicy-0.0.20080314-mls/debian/build.conf.strict
--- refpolicy-0.0.20080314/debian/build.conf.strict	2008-03-28 13:48:10.000000000 +1100
+++ refpolicy-0.0.20080314-mls/debian/build.conf.strict	2008-03-28 09:45:38.000000000 +1100
@@ -14,7 +14,7 @@
 # strict, targeted,
 # strict-mls, targeted-mls,
 # strict-mcs, targeted-mcs
-TYPE ?= mcs
+TYPE = mcs
 
 # Policy Name
 # If set, this will be used as the policy
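
Review bot: The switch from "TYPE ?= mcs" to "TYPE = mcs" is not explained in the report and it changes behaviour: with "?=" a TYPE already present in the environment wins, with "=" the value in the file replaces it and only a TYPE given on the make command line still overrides. If the aim is to keep a TYPE exported for the MLS build from leaking into the strict build, say so in the comment above the line. That comment also still lists strict-mls and targeted-mls as accepted values, which should be reconciled with the separate build.conf.mls this patch introduces.
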
diff -ru refpolicy-0.0.20080314/debian/build.conf.targeted refpolicy-0.0.20080314-mls/debian/build.conf.targeted
--- refpolicy-0.0.20080314/debian/build.conf.targeted	2008-03-28 13:48:10.000000000 +1100
+++ refpolicy-0.0.20080314-mls/debian/build.conf.targeted	2008-03-28 09:45:47.000000000 +1100
@@ -12,7 +12,7 @@
 
 # Policy Type
 # standard, mls, mcs
-TYPE ?= mcs
+TYPE = mcs
 
 # Policy Name
 # If set, this will be used as the policy
diff -ru refpolicy-0.0.20080314/debian/control refpolicy-0.0.20080314-mls/debian/control
--- refpolicy-0.0.20080314/debian/control	2008-03-28 13:48:10.000000000 +1100
+++ refpolicy-0.0.20080314-mls/debian/control	2008-03-28 09:44:13.000000000 +1100
@@ -9,6 +9,22 @@
 Standards-Version: 3.7.3.0
 Build-Depends: policycoreutils (>= 2.0.27), checkpolicy (>= 2.0.4), python, m4, bzip2, gawk
 
+Package: selinux-policy-refpolicy-mls
+Architecture: all
+Depends: policycoreutils (>= 2.0.42), libpam-modules (>= 0.77-0.se5), python, libselinux1 (>= 2.0.35)
+Recommends: checkpolicy, setools
+Suggests: logcheck, syslog-summary
+Conflicts: cron (<< 3.0pl1-87.2sel), fcron (<< 2.9.3-3), logrotate (<< 3.7.1-1), selinux, procps (<< 1:3.1.15-1), sysvinit (<< 2.86.ds1-1.se1), selinux-policy-default
+Homepage: http://serefpolicy.sourceforge.net/
+Description: MLS variant of the SELinux reference policy.
+ This is the MLS variant of the reference policy. This provides 
+ the highest level of confidentiality, but will never work with
+ all programs.
+ .
+ MLS (Multi-Level Security) aka the Bell la Padula model
+ only allows data to flow to processes and files with an equal
+ or lower security clearance.
+
 Package: selinux-policy-refpolicy-strict
 Architecture: all
 Depends: policycoreutils (>= 2.0.42), libpam-modules (>= 0.77-0.se5), python, libselinux1 (>= 2.0.35)
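
Review bot: The last paragraph of the new Description states the information flow backwards. Under Bell-LaPadula (no read up, no write down) data may only move to processes and files at an equal or higher level, not "equal or lower"; as written, the text describes the flow the model forbids. Suggest "only allows data to flow to processes and files with an equal or higher security level", spell the model name "Bell-LaPadula", and drop the trailing space after "This provides".
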
Only in refpolicy-0.0.20080314-mls/debian: files
diff -ru refpolicy-0.0.20080314/debian/local.mk refpolicy-0.0.20080314-mls/debian/local.mk
--- refpolicy-0.0.20080314/debian/local.mk	2008-03-28 13:48:10.000000000 +1100
+++ refpolicy-0.0.20080314-mls/debian/local.mk	2008-03-28 09:55:18.000000000 +1100
@@ -19,6 +19,11 @@
 	$(testdir)
 CONFIG-common:: stamp-conf/selinux-policy-refpolicy-src
 
+BUILD/selinux-policy-refpolicy-mls::    build/selinux-policy-refpolicy-mls
+INST/selinux-policy-refpolicy-mls::     install/selinux-policy-refpolicy-mls
+BIN/selinux-policy-refpolicy-mls::      binary/selinux-policy-refpolicy-mls
+
+
 BUILD/selinux-policy-refpolicy-strict::    build/selinux-policy-refpolicy-strict
 INST/selinux-policy-refpolicy-strict::     install/selinux-policy-refpolicy-strict
 BIN/selinux-policy-refpolicy-strict::      binary/selinux-policy-refpolicy-strict
@@ -42,7 +47,7 @@
 INST/selinux-policy-refpolicy-doc::     install/selinux-policy-refpolicy-doc
 BIN/selinux-policy-refpolicy-doc::      binary/selinux-policy-refpolicy-doc
 
-CLEAN/selinux-policy-refpolicy-strict CLEAN/selinux-policy-refpolicy-targeted CLEAN/selinux-policy-refpolicy-src CLEAN/selinux-policy-refpolicy-src::
+CLEAN/selinux-policy-refpolicy-mls CLEAN/selinux-policy-refpolicy-strict CLEAN/selinux-policy-refpolicy-targeted CLEAN/selinux-policy-refpolicy-src CLEAN/selinux-policy-refpolicy-src::
 	$(REASON)
 	make bare
 	test ! -d $(TMPTOP) || rm -rf $(TMPTOP)
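
Review bot: The target list on the changed CLEAN line still names CLEAN/selinux-policy-refpolicy-src twice. The duplicate is carried over from the old line, and since the line is being edited anyway it can be dropped. The recipe below it calls a literal "make bare" where the new rules in this patch use $(MAKE); using $(MAKE) here as well keeps the sub-make consistent.
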
@@ -51,11 +56,38 @@
 
 stamp-conf/selinux-policy-refpolicy-src:
 	$(REASON)
+	test -d $(SRCTOP)/config/appconfig-strict-mls  || \
+            cp -a $(SRCTOP)/config/appconfig-mls $(SRCTOP)/config/appconfig-strict-mls
 	test -d $(SRCTOP)/config/appconfig-strict-mcs  || \
             cp -a $(SRCTOP)/config/appconfig-mcs $(SRCTOP)/config/appconfig-strict-mcs
 	test -d $(SRCTOP)/config/appconfig-targeted-mcs  || \
             cp -a $(SRCTOP)/config/appconfig-mcs $(SRCTOP)/config/appconfig-targeted-mcs
 
+CONFIG/selinux-policy-refpolicy-mls::
+	$(REASON)
+	test -e debian/stamp-config-mls  ||                             \
+	  test ! -d $(SRCTOP)/debian/build-$(package) ||                   \
+            rm -rf $(SRCTOP)/debian/build-$(package)
+	test -e debian/stamp-config-mls  ||                             \
+	  mkdir -p    $(SRCTOP)/debian/build-$(package)
+	test -e debian/stamp-config-mls  ||                             \
+	  cp -lr policy support Makefile Rules.modular  doc                \
+               Rules.monolithic config VERSION Changelog COPYING INSTALL   \
+                README man $(SRCTOP)/debian/build-$(package)
+	test -e debian/stamp-config-mls  ||                             \
+	  cp debian/build.conf.mls $(SRCTOP)/debian/build-$(package)/build.conf
+	test -e debian/stamp-config-mls  ||                             \
+	  $(MAKE) -C $(SRCTOP)/debian/build-$(package)                     \
+                   NAME=refpolicy-mls TYPE=mls $(OPTIONS) bare
+	test -e debian/stamp-config-mls  ||                             \
+	  (cd $(SRCTOP)/debian/build-$(package) ;                          \
+           $(MAKE) NAME=refpolicy-mls TYPE=mls $(OPTIONS) conf)
+	cp debian/modules.conf.mls                                      \
+                     $(SRCTOP)/debian/build-$(package)/policy/modules.conf
+	echo done > debian/stamp-config-mls
+STAMPS_TO_CLEAN += debian/stamp-config-mls
+DIRS_TO_CLEAN  += debian/build-selinux-policy-refpolicy-mls
+
 CONFIG/selinux-policy-refpolicy-strict::
 	$(REASON)
 	test -e debian/stamp-config-strict  ||                             \
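
Review bot: debian/modules.conf.mls is copied in the last step of CONFIG/selinux-policy-refpolicy-mls but is not part of this patch (it appears only in the "Only in" list), so the rule fails on a tree that has just the diff applied; the file needs to be included. That cp is also the one step without the "test -e debian/stamp-config-mls ||" guard, so it runs on every invocation and would overwrite a modules.conf edited in the build directory. Separately, every make call in this rule passes TYPE=mls while the new stamp-conf lines create config/appconfig-strict-mls; please confirm that this directory name is the one the build reads for TYPE=mls, otherwise the copy is dead weight.
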
@@ -162,6 +194,14 @@
 BUILD-common::
 	perl -wc debian/postinst.policy
 
+build/selinux-policy-refpolicy-mls:
+	$(REASON)
+	test -e debian/stamp-build-mls                    ||            \
+	  (cd $(SRCTOP)/debian/build-$(package) ;                          \
+           $(MAKE) NAME=refpolicy-mls TYPE=mls $(OPTIONS) policy all)
+	echo done > debian/stamp-build-mls   
+STAMPS_TO_CLEAN += debian/stamp-build-mls   
+
 build/selinux-policy-refpolicy-strict:
 	$(REASON)
 	test -e debian/stamp-build-strict                    ||            \
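
Review bot: In the new build recipe the subshell is "(cd $(SRCTOP)/debian/build-$(package) ; $(MAKE) ...)", so if the cd fails the make still runs, in the wrong directory. Use "&&" instead of ";", or "$(MAKE) -C $(SRCTOP)/debian/build-$(package)" as the bare step of the CONFIG rule already does. The two added lines that name debian/stamp-build-mls also end in trailing spaces.
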
@@ -188,6 +228,35 @@
 	$(REASON)
 
 
+install/selinux-policy-refpolicy-mls:
+	$(REASON)
+	rm -rf               $(TMPTOP) $(TMPTOP).deb
+	$(make_directory)    $(DOCDIR)/
+	$(make_directory)    $(TMPTOP)/etc/selinux/refpolicy-mls/modules/active
+	$(make_directory)    $(TMPTOP)/etc/selinux/refpolicy-mls/policy
+	test -f $(TMPTOP)/etc/selinux/refpolicy-mls/modules/active/file_contexts.local || \
+	touch $(TMPTOP)/etc/selinux/refpolicy-mls/modules/active/file_contexts.local
+	(cd $(SRCTOP)/debian/build-$(package);                                  \
+            $(MAKE) NAME=refpolicy-mls TYPE=mls $(OPTIONS) \
+                    DESTDIR=$(TMPTOP) install  install-headers                  \
+          $(TMPTOP)/etc/selinux/refpolicy-mls/users/local.users              \
+          $(TMPTOP)/etc/selinux/refpolicy-mls/users/system.users)
+	for module in $(NON_MODULES); do                                         \
+           test ! -f $(TMPTOP)/usr/share/selinux/refpolicy-mls/$$module.pp || \
+              rm -f $(TMPTOP)/usr/share/selinux/refpolicy-mls/$$module.pp;    \
+        done
+	$(install_file)      debian/setrans.conf  $(TMPTOP)/etc/selinux/refpolicy-mls/
+	$(install_file)      VERSION               $(DOCDIR)/
+	$(install_file)      README                $(DOCDIR)/
+	$(install_file)      debian/README.Debian  $(DOCDIR)/
+	$(install_file)      debian/localStrict.te $(DOCDIR)/
+	$(install_file)      debian/NEWS.Debian    $(DOCDIR)/NEWS.Debian 
+	$(install_file)      Changelog             $(DOCDIR)/changelog
+	$(install_file)      debian/changelog      $(DOCDIR)/changelog.Debian
+	gzip -9fqr           $(DOCDIR)
+	$(install_file)      debian/copyright      $(DOCDIR)/
+DIRS_TO_CLEAN  += debian/selinux-policy-refpolicy-mls
+
 install/selinux-policy-refpolicy-strict:
 	$(REASON)
 	rm -rf               $(TMPTOP) $(TMPTOP).deb
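
Review bot: The MLS package installs debian/localStrict.te into its doc directory; that file is named for the strict policy, so either ship an MLS-specific example or confirm that it applies unchanged. The same question holds for debian/setrans.conf: the other build.conf files touched by this patch use TYPE = mcs, and a translation file written for MCS categories may not describe MLS sensitivity levels.
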
@@ -284,21 +353,26 @@
 	$(install_file)      debian/copyright     $(DOCDIR)/
 DIRS_TO_CLEAN  += debian/selinux-policy-refpolicy-src
 
-install/selinux-policy-refpolicy-dev: install/selinux-policy-refpolicy-strict install/selinux-policy-refpolicy-targeted
+install/selinux-policy-refpolicy-dev: install/selinux-policy-refpolicy-mls install/selinux-policy-refpolicy-strict install/selinux-policy-refpolicy-targeted
 	$(REASON)
 	rm -rf               $(TMPTOP) $(TMPTOP).deb
 	$(make_directory)    $(DOCDIR)/examples
 	$(make_directory)    $(MAN1DIR)
 	$(make_directory)    $(TMPTOP)/usr/bin
+	$(make_directory)    $(TMPTOP)/usr/share/selinux/refpolicy-mls/include
 	$(make_directory)    $(TMPTOP)/usr/share/selinux/refpolicy-strict/include
 	$(make_directory)    $(TMPTOP)/usr/share/selinux/refpolicy-targeted/include
 	find $(TMPTOP) -type d -name .arch-ids -print0 | xargs -0r rm -rf
+	(cd $(SRCTOP)/debian/selinux-policy-refpolicy-mls/usr/share/selinux/refpolicy-mls; \
+         tar cfh - include | (cd $(TMPTOP)/usr/share/selinux/refpolicy-mls; umask 000;        \
+           tar xpsf -))
 	(cd $(SRCTOP)/debian/selinux-policy-refpolicy-strict/usr/share/selinux/refpolicy-strict; \
          tar cfh - include | (cd $(TMPTOP)/usr/share/selinux/refpolicy-strict; umask 000;        \
            tar xpsf -))
 	(cd $(SRCTOP)/debian/selinux-policy-refpolicy-targeted/usr/share/selinux/refpolicy-targeted; \
          tar cfh - include | (cd $(TMPTOP)/usr/share/selinux/refpolicy-targeted; umask 000;      \
              tar xpsf -))
+	rm -rf $(SRCTOP)/debian/selinux-policy-refpolicy-mls/usr/share/selinux/refpolicy-mls/include
 	rm -rf $(SRCTOP)/debian/selinux-policy-refpolicy-strict/usr/share/selinux/refpolicy-strict/include
 	rm -rf $(SRCTOP)/debian/selinux-policy-refpolicy-targeted/usr/share/selinux/refpolicy-targeted/include
 	$(install_file)      policy/rolemap                                                   \
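
Review bot: The added "rm -rf $(SRCTOP)/debian/selinux-policy-refpolicy-mls/usr/share/selinux/refpolicy-mls/include" modifies the tree under debian/selinux-policy-refpolicy-mls from inside install/selinux-policy-refpolicy-dev, so what the MLS package ships depends on whether this target ran before binary/selinux-policy-refpolicy-mls. This follows the existing strict and targeted lines, but with a third copy the ordering dependency is worth a comment. The three copy and remove blocks could also become one shell loop over mls, strict and targeted.
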
@@ -317,8 +391,17 @@
                              $(TMPTOP)/usr/share/selinux/refpolicy-strict/include/support
 	$(install_file)      debian/build.conf.strict                                         \
                              $(TMPTOP)/usr/share/selinux/refpolicy-strict/include/build.conf
+	$(install_file)      policy/rolemap                                                   \
+                             $(TMPTOP)/usr/share/selinux/refpolicy-mls/include/support
+	$(install_file)      debian/global_booleans.xml                                       \
+                             $(TMPTOP)/usr/share/selinux/refpolicy-mls/include/support
+	$(install_file)      debian/global_tunables.xml                                       \
+                             $(TMPTOP)/usr/share/selinux/refpolicy-mls/include/support
+	$(install_file)      debian/build.conf.mls                                         \
+                             $(TMPTOP)/usr/share/selinux/refpolicy-mls/include/build.conf
 	chmod +x             $(TMPTOP)/usr/share/selinux/refpolicy-targeted/include/support/segenxml.py
 	chmod +x             $(TMPTOP)/usr/share/selinux/refpolicy-strict/include/support/segenxml.py
+	chmod +x             $(TMPTOP)/usr/share/selinux/refpolicy-mls/include/support/segenxml.py
 	$(install_file)      VERSION                $(DOCDIR)/
 	$(install_file)      README                 $(DOCDIR)/
 	$(install_file)      debian/README.Debian   $(DOCDIR)/
@@ -358,6 +441,22 @@
 	$(install_file)      debian/docentry         $(DOCBASEDIR)/$(package)
 DIRS_TO_CLEAN  += debian/selinux-policy-refpolicy-doc
 
+binary/selinux-policy-refpolicy-mls:
+	$(REASON)
+	$(checkdir)
+	$(make_directory)    $(TMPTOP)/DEBIAN
+	(cd $(TMPTOP); find etc -type f | sed 's,^,/,' > DEBIAN/conffiles)
+	test ! -f DEBIAN/conffiles || test -s DEBIAN/conffiles || rm DEBIAN/conffiles
+	sed -e 's/=T/mls/g' debian/postinst.policy  > $(TMPTOP)/DEBIAN/postinst
+	chmod 755                                      $(TMPTOP)/DEBIAN/postinst
+	$(install_program)   debian/mls.postrm      $(TMPTOP)/DEBIAN/postrm
+	dpkg-gencontrol    -V'debconf-depends=debconf (>= $(MINDEBCONFVER))' \
+                              -p$(package) -isp   -P$(TMPTOP)
+	$(create_md5sum)     $(TMPTOP)
+	chown -R root:root $(TMPTOP)
+	chmod -R u+w,go=rX $(TMPTOP)
+	dpkg --build       $(TMPTOP) ..
+
 binary/selinux-policy-refpolicy-strict:
 	$(REASON)
 	$(checkdir)
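
Review bot: The conffiles cleanup line "test ! -f DEBIAN/conffiles || test -s DEBIAN/conffiles || rm DEBIAN/conffiles" uses a relative path, but the file was written by a subshell that had changed into $(TMPTOP). Each recipe line runs in its own shell, so this test looks at DEBIAN/conffiles under the current directory and an empty $(TMPTOP)/DEBIAN/conffiles is never removed; prefix the three paths with $(TMPTOP)/. debian/mls.postrm is installed here but is not in the patch, and "sed -e 's/=T/mls/g'" rewrites every "=T" in postinst.policy, so check that the token cannot occur elsewhere in that script.
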
diff -ru refpolicy-0.0.20080314/debian/local-vars.mk refpolicy-0.0.20080314-mls/debian/local-vars.mk
--- refpolicy-0.0.20080314/debian/local-vars.mk	2008-03-28 13:48:10.000000000 +1100
+++ refpolicy-0.0.20080314-mls/debian/local-vars.mk	2008-03-28 09:55:42.000000000 +1100
@@ -17,7 +17,7 @@
 
 FILES_TO_CLEAN  = debian/files
 STAMPS_TO_CLEAN = 
-DIRS_TO_CLEAN   = config/appconfig-strict-mcs config/appconfig-targeted-mcs 
+DIRS_TO_CLEAN   = config/appconfig-strict-mls config/appconfig-strict-mcs config/appconfig-targeted-mcs 
 
 # Location of the source dir
 SRCTOP    := $(shell if [ "$$PWD" != "" ]; then echo $$PWD; else pwd; fi)
Only in refpolicy-0.0.20080314-mls/debian: mls.postrm
Only in refpolicy-0.0.20080314-mls/debian: modules.conf.mls
Only in refpolicy-0.0.20080314-mls/debian: stamp-build-mls
Only in refpolicy-0.0.20080314-mls/debian: stamp-build-strict
Only in refpolicy-0.0.20080314-mls/debian: stamp-build-targeted
Only in refpolicy-0.0.20080314-mls/debian: stamp-config-dev
Only in refpolicy-0.0.20080314-mls/debian: stamp-config-doc
Only in refpolicy-0.0.20080314-mls/debian: stamp-config-mls
Only in refpolicy-0.0.20080314-mls/debian: stamp-config-src
Only in refpolicy-0.0.20080314-mls/debian: stamp-config-strict
Only in refpolicy-0.0.20080314-mls/debian: stamp-config-targeted
Only in refpolicy-0.0.20080314/doc: global_booleans.xml
Only in refpolicy-0.0.20080314/doc: global_tunables.xml
Only in refpolicy-0.0.20080314/doc: policy.xml
Only in refpolicy-0.0.20080314-mls: install-arch-stamp
Only in refpolicy-0.0.20080314-mls: install-indep-stamp
Only in refpolicy-0.0.20080314/policy: booleans.conf
Only in refpolicy-0.0.20080314/policy/modules/kernel: corenetwork.if
Only in refpolicy-0.0.20080314/policy/modules/kernel: corenetwork.te
Only in refpolicy-0.0.20080314/policy: modules.conf
Only in refpolicy-0.0.20080314-mls: POST-BUILD-arch-stamp
Only in refpolicy-0.0.20080314-mls: POST-BUILD-indep-stamp
Only in refpolicy-0.0.20080314/support: pyplate.pyc

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-686
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)




Information forwarded to debian-bugs-dist@lists.debian.org, Manoj Srivastava <srivasta@debian.org>:
Bug#473067; Package refpolicy.

Acknowledgement sent to russell@coker.com.au:
Extra info received and forwarded to list. Copy sent to Manoj Srivastava <srivasta@debian.org>.

Message #10 received at 473067@bugs.debian.org:

From: Russell Coker <russell@coker.com.au>
To: 473067@bugs.debian.org
Subject: also
Date: Fri, 28 Mar 2008 23:27:00 +1100

debian/modules.conf.mls is needed.  It can be a copy of
debian/modules.conf.strict.

debian/mls.postrm is needed.  It can be a copy of debian/strict.postrm with 
s/strict/mls/ done.





Reply sent to Manoj Srivastava <srivasta@debian.org>:
You have taken responsibility.

Notification sent to Russell Coker <russell@coker.com.au>:
Bug acknowledged by developer.

Message #15 received at 473067-done@bugs.debian.org:

From: Manoj Srivastava <srivasta@debian.org>
To: 333441-done@bugs.debian.org, 378632-done@bugs.debian.org, 233777-done@bugs.debian.org, 340926-done@bugs.debian.org, 340928-done@bugs.debian.org, 340929-done@bugs.debian.org, 360658-done@bugs.debian.org, 473067-done@bugs.debian.org
Subject: selinux-policy-default has been resurrected with a new source package
Date: Wed, 03 Sep 2008 23:52:30 -0500
Version: 2:0.0.20080702

Hi,

        selinux-policy-default is now created from a brand new source
 package, and is a far newer version than the older incarnation of the
 package. So all the bugs related to the older version are inapplicable,
 (this has been tested for several of the bugs listed), and thus are
 being closed.

        manoj
-- 
Who is John Galt?
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 31 Dec 2009 07:41:11 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 03:16:10 2014; Machine Name: buxtehude.debian.org