RPM

From SELinux Wiki
Latest revision as of 20:17, 2 February 2010

Introduction

This is the project page for the integration of SELinux policy into RPM 4. Specifically the project is focused on adding infrastructure to RPM to install and manage SELinux policies and reduce the error-prone scriptlets that have been used up to now to install policy from RPM's.

Quick Setup

Getting the Code

First clone the upstream RPM git repo. Instructions are available on the RPM get source page (http://rpm.org/wiki/GetSource).

The current patch set is at http://oss.tresys.com/files/rpm/add_selinux_support_to_rpm_v3.tar.bz2.

Apply the patches to the RPM repo.

You need an up-to-date copy of libsemanage and libselinux to compile the RPM patch set. To check out these libraries use git:

# git clone http://oss.tresys.com/git/selinux.git

and build and install them with make:

# make && make install

Building and Installing RPM

# ./autogen.sh --noconfigure
# ./configure CPPFLAGS="-I/usr/include/nspr4 -I/usr/include/nss3 -I/usr/include/db4" \
    --with-external-db \
    --prefix=/usr \
    --sysconfdir=/etc \
    --localstatedir=/var \
    --sharedstatedir=/var/lib \
    --with-lua \
    --with-selinux
# make
# make install

Adding Policy to an RPM

You'll want a source module with the .te, .if and .fc files. You can get one from the Reference Policy or use the one in the repo at rpm/tests/data/SOURCES/poltest-policy-1.0.tar.bz2.

Add a Source line to your RPM:

Source1: poltest-policy-%{version}.tar.bz2

Build the policy during %build:

make -f /usr/share/selinux/devel/Makefile -C poltest-policy-%{version}

and specify the policy options using a %policy section:

%policy
%module poltest-policy-%{version}/foo.pp
    Name: foo

For a detailed explanation of the %policy section and the tags/options that can be used, see the %policy section below.
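Putting the three spec-file steps above together (the Source line, the policy build in %build and the %policy section), here is a complete skeleton spec. It is an added example for this page, not a file from the RPM project or the patch set: the poltest names, the policy Makefile line, the %policy block and the PolicyRequires line follow the page, while Source0, the remaining preamble values, the selinux-policy-devel BuildRequires, %prep, %install and %files are ordinary spec boilerplate assumed for illustration.

```spec
# Added example spec skeleton, not from the RPM project or the patch set.
# Assumed for illustration: Source0, Release/Summary/License, the
# selinux-policy-devel BuildRequires, %prep, %install and %files.
Name:           poltest
Version:        1.0
Release:        1
Summary:        Example package that ships its own SELinux policy module
License:        GPLv2
Source0:        poltest-%{version}.tar.bz2
Source1:        poltest-policy-%{version}.tar.bz2
BuildRequires:  selinux-policy-devel
PolicyRequires: libselinux >= 2.0.90

%description
Example package whose SELinux policy is installed and managed by RPM
instead of by post/postun scriptlets.

%prep
# -a 1 unpacks Source1 (the .te/.if/.fc sources) inside the Source0 tree
%setup -q -a 1

%build
make %{?_smp_mflags}
# builds poltest-policy-%{version}/foo.pp from foo.te, foo.if and foo.fc
make -f /usr/share/selinux/devel/Makefile -C poltest-policy-%{version}

%install
make install DESTDIR=%{buildroot}

%policy
%module poltest-policy-%{version}/foo.pp
    Name: foo
    Types: targeted mls

%files
%{_bindir}/poltest
```

The %policy block references the .pp by its path relative to the build directory, exactly as the page's own example does; nothing about the module has to appear in %files or in a scriptlet.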

Installing an RPM with Policy

Installing an RPM will also install its policy.

# rpm -i <rpm>

Verifying the Policy is installed

# semodule -l | grep foo
foo    1.0.0

%policy section

The %policy tag is used to define SELinux policy modules that should be included in the package. A string following the %policy tag indicates that policy should be included in a subpackage.

%policy targeted

This indicates that all policy defined in this section will be included in the targeted subpackage. Similar to %package and %files, the -n option can be given to modify the final name of the subpackage.

A typical %policy section with multiple modules and options looks like this:

%policy
%module policies/foo.pp
   Name: foo
   Types: mls targeted
%module policies/bar.pp
   Name: bar
   Types: targeted
   Obsoletes: baz

The %policy section can contain the following tags:

%module

The %module tag specifies an SELinux module to be included in the package. The format for the %module tag is

%module path/to/selinux/module

with the path relative to the rpm build directory. The module can be either a policy package (.pp) or a bzip2 compressed policy package (.pp.bz2).

The typical section shown above specifies two policy modules (foo.pp and bar.pp) to be included in the package. Each module has several options which describe various characteristics of the preceding module. Each option is of the form Option: value, with each option applying to the most recent %module tag. In the following examples, the options are indented for readability only. Leading spaces are ignored when parsing the options.

Name

The Name option specifies the name of the policy module. This must match the name of the module specified inside the policy.

%policy
%module policies/foo.pp
    Name: foo

If Name is not provided, the basename minus the extension will be used. However, it is recommended that you provide the option.

Types

The Types option is a space-separated list of policy types the module can be installed into. The special type 'default' can be used to specify that the module can be installed into any type. If the Types option is not specified, 'default' is assumed.

%policy
%module policies/foo.pp
    Name: foo
    Types: mls targeted

This specifies that the foo.pp module can be installed in both mls and targeted policy types.

Obsoletes

The Obsoletes option is a space-separated list of policy names that are obsoleted by a module. Any module listed in Obsoletes will be removed upon module installation (or ignored if it is installed but is itself part of the current transaction). If not specified, it is assumed that the module does not obsolete anything.

%policy
%module policies/foo.pp
    Name: foo
    Obsoletes: bar

This will remove the bar module at the same time as installing the foo module.

Base

The Base option is a boolean value (Yes/1 or No/0) that specifies whether or not a module is a base module. If not specified, it is assumed that the module is not a base module.

%policy
%module policies/base.pp
    Name: base
    Base: yes

This specifies that the module base.pp is a base module.
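The %module, Name, Types, Obsoletes and Base rules above are easiest to check against a small parser. The following is an added example written for this page, not the RPM project's own parser: the PolicyModule and PolicySection model, the function names and the SAMPLE_SPEC fragment are assumptions of the example, while the rules it applies (options bind to the most recent %module, leading spaces are ignored, Name defaults to the basename minus the extension, Types defaults to 'default', Base accepts Yes/1 or No/0, obsoleted modules in the same transaction are left alone) are the ones stated in the text.

```python
# Parser for the %policy spec section plus the Types and Obsoletes install rules.
# Added example for this page, not the RPM project's parser: the PolicyModule and
# PolicySection model, function names and SAMPLE_SPEC are assumptions of this example.
import os
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, List, Optional

KNOWN_OPTIONS = {"Name", "Types", "Obsoletes", "Base"}
PolicyModule = namedtuple("PolicyModule", "path name types obsoletes base")

@dataclass
class PolicySection:
    subpackage: Optional[str]          # None = main package; "%policy foo" / "%policy -n foo" set it
    modules: List[PolicyModule] = field(default_factory=list)

def _build_module(path: str, opts: Dict[str, str]) -> PolicyModule:
    """Apply the option defaults: Name = basename minus extension, Types = default, Base = no."""
    unknown = set(opts) - KNOWN_OPTIONS
    if unknown:
        raise ValueError(f"{path}: unknown option(s) {sorted(unknown)}")
    base_name = os.path.basename(path)
    suffix = next((s for s in (".pp.bz2", ".pp") if base_name.endswith(s)), None)
    if suffix is None:
        raise ValueError(f"{path}: module must be a .pp or .pp.bz2 file")
    base = opts.get("Base", "no").strip().lower()
    if base not in ("yes", "1", "no", "0"):
        raise ValueError(f"{path}: Base must be Yes/1 or No/0, got {base!r}")
    return PolicyModule(path, opts.get("Name") or base_name[:-len(suffix)],
                        opts.get("Types", "").split() or ["default"],
                        opts.get("Obsoletes", "").split(), base in ("yes", "1"))

def parse_policy_sections(spec_text: str) -> List[PolicySection]:
    """Return every %policy section; any other %section line ends the current one."""
    sections, section = [], None
    pending, opts = None, {}           # path of the most recent %module and its options
    def flush() -> None:               # options apply to the most recent %module
        nonlocal pending, opts
        if pending is not None:
            section.modules.append(_build_module(pending, opts))
        pending, opts = None, {}
    for lineno, raw in enumerate(spec_text.splitlines(), 1):
        line = raw.strip()             # leading spaces are ignored
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if tokens[0] == "%policy":
            flush()
            args = tokens[1:]
            if args and args[0] == "-n":   # -n names the subpackage outright, as for %package
                args = args[1:]
            section = PolicySection(args[0] if args else None)
            sections.append(section)
        elif tokens[0] == "%module":
            if section is None or len(tokens) != 2:
                raise ValueError(f"line {lineno}: %module needs a %policy section and one path")
            flush()
            pending = tokens[1]
        elif line.startswith("%"):
            flush()
            section = None
        elif section is not None:
            key, sep, value = line.partition(":")
            if pending is None or not sep:
                raise ValueError(f"line {lineno}: expected 'Option: value' after a %module")
            opts[key.strip()] = value.strip()
    flush()
    return sections

def modules_for_type(sections: List[PolicySection], selinuxtype: str) -> List[str]:
    """Types rule: a module installs when SELINUXTYPE is listed or the list holds 'default'."""
    return [m.name for s in sections for m in s.modules
            if selinuxtype in m.types or "default" in m.types]

def obsoleted_to_remove(sections: List[PolicySection], installed: set, in_transaction: set) -> List[str]:
    """Obsoletes rule: remove listed modules that are installed and not part of this transaction."""
    return sorted({n for s in sections for m in s.modules for n in m.obsoletes
                   if n in installed and n not in in_transaction})

# Constructed sample spec fragment using the module names from the page's examples.
SAMPLE_SPEC = """\
%policy
%module policies/foo.pp
    Name: foo
    Types: mls targeted
%module policies/bar.pp.bz2
    Types: targeted
    Obsoletes: baz
%module policies/base.pp
    Base: yes
%policy -n poltest-extra
%module policies/qux.pp
    Obsoletes: foo bar
%files
"""

if __name__ == "__main__":
    sections = parse_policy_sections(SAMPLE_SPEC)
    print(modules_for_type(sections, "mls"))                                             # ['foo', 'base', 'qux']
    print(obsoleted_to_remove(sections, {"baz", "foo"}, {"foo", "bar", "base", "qux"}))  # ['baz']
```

Running it on the sample shows the two defaults in action (bar gets its name from bar.pp.bz2, base gets Types default) and why the Obsoletes rule has the transaction clause: qux obsoletes foo, but foo is being installed in the same transaction, so only baz is removed.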

PolicyRequires

The PolicyRequires tag is added to the preamble to specify that the current system must meet certain capabilities before policy can be installed. This tag has the same syntax as Requires, Obsoletes, and similar tags, and will usually contain SELinux libraries that may be necessary to install/load policy:

PolicyRequires: libselinux >= 2.0.90

Unlike Requires, which can be met by both currently installed packages and to-be-installed packages, PolicyRequires must be met by currently installed packages only, ignoring any to-be-installed packages during dependency checks. If PolicyRequires capabilities are not met by the existing packages, but are met by to-be-installed packages, policy can still be installed, but is performed at the end of the transaction, rather than the beginning, and is followed by a full filesystem relabel. Because of the expense of a full relabel, it is recommended that this be used carefully.
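The three outcomes described above (met by installed packages, met only once the transaction's own packages are counted, not met at all) can be written out as a decision function. This is an added example for this page, not RPM's dependency code: the function names are assumptions, and the dotted numeric version comparison is a simplified stand-in for rpm's rpmvercmp() that is adequate for versions like 2.0.90.

```python
# Decision logic for the PolicyRequires preamble tag described above. Added
# example for this page, not RPM's own dependency code: function names are
# assumptions and _version_tuple is a simplified stand-in for rpmvercmp().
import re
from typing import Dict, List, Tuple

_REQ = re.compile(r"^\s*([^\s<>=]+)\s*(?:(<=|>=|<|>|=)\s*(\S+))?\s*$")

def parse_requirement(spec: str) -> Tuple[str, str, str]:
    """'libselinux >= 2.0.90' -> ('libselinux', '>=', '2.0.90'); a bare name has op ''."""
    m = _REQ.match(spec)
    if not m:
        raise ValueError(f"bad PolicyRequires entry: {spec!r}")
    name, op, ver = m.groups()
    return name, op or "", ver or ""

def _version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))   # simplified: numeric dotted versions only

def satisfied(req: str, provides: Dict[str, str]) -> bool:
    """True when provides (package name -> version) meets the requirement."""
    name, op, want = parse_requirement(req)
    if name not in provides:
        return False
    if not op:
        return True
    have, need = _version_tuple(provides[name]), _version_tuple(want)
    return {"<": have < need, "<=": have <= need, "=": have == need,
            ">=": have >= need, ">": have > need}[op]

def plan_policy_install(policy_requires: List[str], installed: Dict[str, str],
                        transaction: Dict[str, str]) -> Tuple[str, bool, List[str]]:
    """Return (stage, relabel, unmet) following the PolicyRequires rules:
    - met by already-installed packages only      -> ("start", False, [])
    - met only with this transaction's packages   -> ("end", True, []): end of transaction + full relabel
    - not met even then                           -> ("fail", False, [unmet entries])
    """
    unmet_now = [r for r in policy_requires if not satisfied(r, installed)]
    if not unmet_now:
        return "start", False, []
    merged = {**installed, **transaction}   # what will be present once the transaction completes
    unmet_after = [r for r in unmet_now if not satisfied(r, merged)]
    if unmet_after:
        return "fail", False, unmet_after
    return "end", True, []

# Constructed sample state: packages on the system now, and packages this transaction adds.
INSTALLED = {"libselinux": "2.0.85", "policycoreutils": "2.0.62"}
TRANSACTION = {"libselinux": "2.0.90", "poltest": "1.0"}

if __name__ == "__main__":
    print(plan_policy_install(["libselinux >= 2.0.90"], INSTALLED, {}))           # ('fail', False, ['libselinux >= 2.0.90'])
    print(plan_policy_install(["libselinux >= 2.0.90"], INSTALLED, TRANSACTION))  # ('end', True, [])
    print(plan_policy_install(["policycoreutils"], INSTALLED, {}))                # ('start', False, [])
```

The middle case is the one to watch in packaging: shipping a policy RPM in the same transaction as the libselinux upgrade it needs does install, but only after everything else and at the cost of a full filesystem relabel.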