File policycoreutils.spec of Package policycoreutils.6935
#
# spec file for package policycoreutils
#
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
%define libaudit_ver 2.2
%define libsepol_ver 2.5
%define libsemanage_ver 2.5
%define libselinux_ver 2.5
%define sepolgen_ver 1.2.3
Name: policycoreutils
Version: 2.5
Release: 0
Summary: SELinux policy core utilities
License: GPL-2.0+
Group: Productivity/Security
Url: https://github.com/SELinuxProject/selinux
Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/%{name}-%{version}.tar.gz
Source1: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/sepolgen-%{sepolgen_ver}.tar.gz
Source2: system-config-selinux.png
Source3: system-config-selinux.desktop
Source4: system-config-selinux.pam
Source5: system-config-selinux.console
Source6: selinux-polgengui.desktop
Source7: selinux-polgengui.console
Source8: policycoreutils_man_ru2.tar.bz2
Patch4: policycoreutils-initscript.patch
Patch5: policycoreutils-pam-common.patch
Patch10: loadpolicy_path.patch
Patch11: CVE-2016-7545_sandbox_escape.patch
Patch12: policycoreutils-version-numbers.patch
Patch13: CVE-2018-1063.patch
BuildRequires: audit-devel >= %{libaudit_ver}
BuildRequires: dbus-1-glib-devel
BuildRequires: fdupes
BuildRequires: gettext
BuildRequires: hicolor-icon-theme
BuildRequires: libcap-devel
BuildRequires: libcap-ng-devel
BuildRequires: libcgroup-devel
BuildRequires: libselinux-devel >= %{libselinux_ver}
BuildRequires: libsemanage-devel >= %{libsemanage_ver}
BuildRequires: libsepol-devel-static >= %{libsepol_ver}
BuildRequires: pam-devel
BuildRequires: python-devel
BuildRequires: setools-devel
BuildRequires: update-desktop-files
Requires: audit-libs-python
Requires: checkpolicy
Requires: gawk
Requires: python-selinux
Requires: rpm
Requires: util-linux
# we need selinuxenabled
Requires(post): selinux-tools
Requires(pre): %fillup_prereq permissions
Recommends: %{name}-lang
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%if 0%{?suse_version} > 1140
BuildRequires: systemd
%{?systemd_requires}
%else
Requires(pre): %insserv_prereq
%endif
%description
Security-enhanced Linux is a feature of the Linux(R) kernel and a number
of utilities with enhanced security functionality designed to add
mandatory access controls to Linux. The Security-enhanced Linux
kernel contains new architectural components originally developed to
improve the security of the Flask operating system. These
architectural components provide general support for the enforcement
of many kinds of mandatory access control policies, including those
based on the concepts of Type Enforcement(R), Role-based Access
Control, and Multi-level Security.

policycoreutils contains the policy core utilities that are required
for basic operation of a SELinux system. These utilities include
load_policy to load policies, setfiles to label filesystems, newrole
to switch roles, and run_init to run %{_initddir} scripts in the proper
context.
%lang_package
%package python
Summary: SELinux policy core python utilities
Group: Productivity/Security
Requires: audit-libs-python >= %{libaudit_ver}
Requires: policycoreutils = %{version}
Requires: python-ipy
Requires: python-selinux >= %{libselinux_ver}
Requires: python-semanage >= %{libsemanage_ver}
Requires: python-setools
Requires: python-xml
Requires: python-yum
Requires: yum-metadata-parser
%description python
The policycoreutils-python package contains the management tools used to manage an SELinux environment.
%package sandbox
Summary: SELinux sandbox utilities
Group: Productivity/Security
Requires: policycoreutils-python = %{version}
Requires: xorg-x11-server-extra
# Requires: matchbox-window-manager
%description sandbox
The sandbox package contains the scripts to create graphical sandboxes.
%package newrole
Summary: The newrole application for RBAC/MLS
Group: Productivity/Security
Requires: policycoreutils = %{version}
Requires(pre): permissions
%description newrole
RBAC/MLS policy machines require newrole as a way of changing the role
or level of a logged in user.
%package gui
Summary: SELinux configuration GUI
Group: Productivity/Security
Requires: policycoreutils-python = %{version}
# Requires: gnome-python2-canvas
# Requires: usermode-gtk
Requires: python
Requires: python-gnome
Requires: python-gtk
Requires: selinux-policy
Requires: setools-console
%description gui
system-config-selinux is a utility for managing the SELinux environment.
%prep
%setup -q -a 1
%patch4
%patch5
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13
%build
export SUSE_ASNEEDED=0
# Harden the binaries: position-independent executables (-fPIE/-pie) with read-only relocations (-z relro)
make %{?_smp_mflags} LSPP_PRIV=y LIBDIR="%{_libdir}" LIBEXECDIR="%{_libexecdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all
make %{?_smp_mflags} -C sepolgen-%{sepolgen_ver} LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all
%install
mkdir -p %{buildroot}%{_localstatedir}/lib/selinux
mkdir -p %{buildroot}%{_bindir}
mkdir -p %{buildroot}%{_sbindir}
mkdir -p %{buildroot}/sbin
mkdir -p %{buildroot}%{_mandir}/man1
mkdir -p %{buildroot}%{_mandir}/man8
mkdir -p %{buildroot}%{_sysconfdir}/pam.d
mkdir -p %{buildroot}%{_sysconfdir}/security/console.apps
make LSPP_PRIV=y DESTDIR=%{buildroot} LIBDIR="%{buildroot}%{_libdir}" LIBEXECDIR="%{buildroot}%{_libexecdir}" INITDIR="%{buildroot}%{_initddir}" install
make -C sepolgen-%{sepolgen_ver} DESTDIR=%{buildroot} LIBDIR="%{buildroot}%{_libdir}" install
install -D -m 644 %{SOURCE2} %{buildroot}%{_datadir}/pixmaps/system-config-selinux.png
# Don't install initscript if systemd is available
%if 0%{?suse_version} > 1140
rm -r %{buildroot}%{_initddir}
ln -sf /sbin/service %{buildroot}%{_sbindir}/rcrestorecond
%else
rm -r %{buildroot}%{_unitdir}
ln -sf %{_initddir}/restorecond %{buildroot}%{_sbindir}/rcrestorecond
%endif
install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/system-config-selinux
install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/selinux-polgengui
install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/security/console.apps/system-config-selinux
install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/security/console.apps/selinux-polgengui
tar -jxf %{SOURCE8} -C %{buildroot}/
rm -f %{buildroot}%{_mandir}/ru/man8/genhomedircon.8.gz
ln -sf consolehelper %{buildroot}%{_bindir}/system-config-selinux
ln -sf consolehelper %{buildroot}%{_bindir}/selinux-polgengui
mkdir -p %{buildroot}%{_localstatedir}/adm/fillup-templates/
mv %{buildroot}/%{_sysconfdir}/sysconfig/sandbox %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.sandbox
rmdir %{buildroot}/%{_sysconfdir}/sysconfig
%suse_update_desktop_file -i system-config-selinux System Security Settings
%suse_update_desktop_file -i sepolicy System Security Settings
%suse_update_desktop_file -i selinux-polgengui System Security Settings
%find_lang %{name}
%fdupes -s %{buildroot}/%{_datadir}
%pre
%if 0%{?suse_version} > 1140
%service_add_pre restorecond.service
%endif
%post
%if 0%{?suse_version} > 1140
%service_add_post restorecond.service
%fillup_only
%else
%fillup_and_insserv restorecond
%endif
%preun
%if 0%{?suse_version} > 1140
%service_del_preun restorecond.service
%else
if [ "$1" -eq "0" ]; then
%stop_on_removal restorecond
%insserv_cleanup
fi
%endif
%postun
%if 0%{?suse_version} > 1140
%service_del_postun restorecond.service
%else
if [ "$1" -ge "1" ]; then
%restart_on_update restorecond
%insserv_cleanup
fi
%endif
%post python
selinuxenabled && [ -f %{_datadir}/selinux/devel/include/build.conf ] && %{_bindir}/sepolgen-ifgen 2>/dev/null
exit 0
%post newrole
%set_permissions %{_bindir}/newrole
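# newrole is shipped in the newrole subpackage, so its permissions check belongs to that subpackage
%verifyscript newrole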
%verify_permissions -e %{_bindir}/newrole
%files
%defattr(-,root,root)
/sbin/restorecon
/sbin/fixfiles
/sbin/setfiles
/sbin/load_policy
%{_sbindir}/genhomedircon
%{_sbindir}/load_policy
%{_sbindir}/restorecond
%{_sbindir}/setsebool
%{_sbindir}/semodule
%{_sbindir}/sestatus
%{_sbindir}/run_init
%{_sbindir}/open_init_pty
%{_bindir}/secon
%{_bindir}/semodule_deps
%{_bindir}/semodule_expand
%{_bindir}/semodule_link
%{_bindir}/semodule_package
%{_bindir}/semodule_unpackage
%if 0%{?suse_version} > 1140
%attr(644,root,root) %{_unitdir}/restorecond.service
%else
%attr(755,root,root) %{_initddir}/restorecond
%endif
%config(noreplace) %{_sysconfdir}/pam.d/run_init
%config(noreplace) %{_sysconfdir}/sestatus.conf
%{_sbindir}/rcrestorecond
%config(noreplace) %{_sysconfdir}/selinux/restorecond.conf
%config(noreplace) %{_sysconfdir}/selinux/restorecond_user.conf
%{_sysconfdir}/xdg/autostart/restorecond.desktop
%dir %{_libexecdir}/selinux
%dir %{_libexecdir}/selinux/hll
%{_libexecdir}/selinux/hll/pp
%{_datadir}/dbus-1/services/org.selinux.Restorecond.service
%{_datadir}/dbus-1/system-services/org.selinux.service
# selinux-policy Requires: policycoreutils, so we own this set of directories and our files within them
%dir %{_mandir}/ru
%dir %{_mandir}/ru/man1
%dir %{_mandir}/ru/man8
%{_mandir}/man5/selinux_config.5*
%{_mandir}/man5/sestatus.conf.5*
%{_mandir}/man8/semodule_unpackage.8*
%{_mandir}/man8/fixfiles.8*
%{_mandir}/ru/man8/fixfiles.8*
%{_mandir}/man8/load_policy.8*
%{_mandir}/ru/man8/load_policy.8*
%{_mandir}/man8/open_init_pty.8*
%{_mandir}/ru/man8/open_init_pty.8*
%{_mandir}/man8/restorecon.8*
%{_mandir}/ru/man8/restorecon.8*
%{_mandir}/man8/restorecond.8*
%{_mandir}/ru/man8/restorecond.8*
%{_mandir}/man8/run_init.8*
%{_mandir}/ru/man8/run_init.8*
%{_mandir}/man8/semodule.8*
%{_mandir}/ru/man8/semodule.8*
%{_mandir}/man8/semodule_deps.8*
%{_mandir}/ru/man8/semodule_deps.8*
%{_mandir}/man8/semodule_expand.8*
%{_mandir}/ru/man8/semodule_expand.8*
%{_mandir}/man8/semodule_link.8*
%{_mandir}/ru/man8/semodule_link.8*
%{_mandir}/man8/semodule_package.8*
%{_mandir}/ru/man8/semodule_package.8*
%{_mandir}/man8/sestatus.8*
%{_mandir}/ru/man8/sestatus.8*
%{_mandir}/man8/setfiles.8*
%{_mandir}/ru/man8/setfiles.8*
%{_mandir}/man8/setsebool.8*
%{_mandir}/ru/man8/setsebool.8*
%{_mandir}/man1/secon.1*
%{_mandir}/ru/man1/secon.1*
%{_mandir}/man8/genhomedircon.8*
%files lang -f %{name}.lang
%defattr(-,root,root)
%files python
%defattr(-,root,root,-)
%{_sbindir}/semanage
%{_bindir}/audit2allow
%{_bindir}/audit2why
%{_bindir}/chcat
%{_bindir}/sandbox
%{_bindir}/sepolicy
%{_bindir}/sepolgen-ifgen
%{_bindir}/sepolgen-ifgen-attr-helper
%{python_sitearch}/seobject.py*
%{python_sitearch}/sepolgen
%{python_sitearch}/sepolicy
%{python_sitearch}/sepolicy*.egg-info
#%%{python_sitearch}/%%{name}*.egg-info
%dir %{_localstatedir}/lib/sepolgen
%dir %{_localstatedir}/lib/selinux
%{_localstatedir}/lib/sepolgen/perm_map
%{_mandir}/man1/audit2allow.1*
%{_mandir}/ru/man1/audit2allow.1*
%{_mandir}/man1/audit2why.1*
%{_mandir}/man8/chcat.8*
%{_mandir}/ru/man8/chcat.8*
%{_mandir}/man8/sandbox.8*
%{_mandir}/man5/sandbox*
%{_mandir}/man8/semanage*.8*
%{_mandir}/man8/sepolicy*.8*
%{_mandir}/man8/sepolgen.8*
%{_mandir}/ru/man8/semanage.8*
%{_datadir}/bash-completion/completions/semanage
%{_datadir}/bash-completion/completions/sepolicy
%{_datadir}/bash-completion/completions/setsebool
%files sandbox
%defattr(-,root,root,-)
%attr(0755,root,root) %{_sbindir}/seunshare
%dir %{_datadir}/sandbox
%{_datadir}/sandbox/sandboxX.sh
%{_datadir}/sandbox/start
%{_localstatedir}/adm/fillup-templates/sysconfig.sandbox
%{_mandir}/man8/seunshare.8*
%files newrole
%defattr(-,root,root)
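# The mode is managed by the permissions framework (%%set_permissions in %%post newrole),
# so it is excluded from rpm's own file verification
%verify(not mode) %attr(0755,root,root) %{_bindir}/newrole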
%{_mandir}/man1/newrole.1%{ext_man}
%config(noreplace) %{_sysconfdir}/pam.d/newrole
%files gui
%defattr(-,root,root)
%{_bindir}/system-config-selinux
%{_bindir}/selinux-polgengui
%{_datadir}/applications/system-config-selinux.desktop
%{_datadir}/system-config-selinux/system-config-selinux.desktop
%{_bindir}/sepolgen
%{_datadir}/applications/selinux-polgengui.desktop
%{_datadir}/applications/sepolicy.desktop
%{_datadir}/system-config-selinux/selinux-polgengui.desktop
%{_datadir}/system-config-selinux/sepolicy.desktop
#%%dir %%{_datadir}/icons
#%%dir %%{_datadir}/icons/hicolor
#%%dir %%{_datadir}/icons/hicolor/24x24
#%%dir %%{_datadir}/icons/hicolor/24x24/apps
%{_datadir}/icons/hicolor/24x24/apps/system-config-selinux.png
%{_datadir}/icons/hicolor/16x16/apps/sepolicy.png
%{_datadir}/icons/hicolor/22x22/apps/sepolicy.png
%{_datadir}/icons/hicolor/256x256/apps/sepolicy.png
%{_datadir}/icons/hicolor/32x32/apps/sepolicy.png
%{_datadir}/icons/hicolor/48x48/apps/sepolicy.png
%{_datadir}/pixmaps/sepolicy.png
%{_datadir}/pixmaps/system-config-selinux.png
%{_datadir}/polkit-1/actions/org.selinux.config.policy
%{_datadir}/polkit-1/actions/org.selinux.policy
%dir %{_datadir}/system-config-selinux
#%%dir %%{_datadir}/system-config-selinux/templates
%{_datadir}/system-config-selinux/system-config-selinux.png
%{_datadir}/system-config-selinux/*.py*
#%%{_datadir}/system-config-selinux/selinux.tbl
%{_datadir}/system-config-selinux/*.glade
%{_mandir}/man8/selinux-polgengui.8%{ext_man}
%{_mandir}/man8/system-config-selinux.8%{ext_man}
#%%{_datadir}/system-config-selinux/templates/*.py*
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.selinux.conf
%config(noreplace) %{_sysconfdir}/pam.d/system-config-selinux
%config(noreplace) %{_sysconfdir}/pam.d/selinux-polgengui
%dir %{_sysconfdir}/security/console.apps
%config(noreplace) %{_sysconfdir}/security/console.apps/selinux-polgengui
%config(noreplace) %{_sysconfdir}/security/console.apps/system-config-selinux
%changelog