#!/bin/bash
# SPDX-FileCopyrightText: 2021 Markus Linnala <[email protected]>
#
# SPDX-License-Identifier: Apache-2.0
# To ensure split_te works for all kinds of policies, this iterates over
# a refpolicy variant, for example:
# - SELinuxProject/refpolicy
# - fedora-selinux/selinux-policy
# If a pass completes fully, we can deduce that our parsing is reasonably
# fleshed out.
# Shell options, spelled out one flag at a time:
#   -e           abort on the first failing command; the bare test commands
#                below act as assertions only because of this
#   -p           privileged mode (bash skips $BASH_ENV/$ENV and does not
#                inherit functions or SHELLOPTS from the environment)
#   -u           expanding an unset variable is an error
#   -x           trace every command, with its expanded arguments, to stderr
#   -o pipefail  a pipeline fails when any of its stages fails
set -e -p -u -x -o pipefail

# Make target(s) requested after each split_te.sh run in the main loop.
declare -a tgt=(dupes.txt)

# Require at least one argument: the policy source tree to work on.
# A failed check ends the script through `set -e`; the only diagnostic is
# the `set -x` trace line of the failing test.
[ "$#" -gt 0 ]
D="$1"
[ -n "$D" ]
[ -d "$D" ]

# The install root lives inside the policy tree. readlink -f turns it into
# an absolute path with symlinks resolved; that resolved path is what the
# rest of the script hands to make and semodule, so it is re-checked here.
mkdir -p "${D}/tmp/install"
DESTDIR="$(readlink -f -- "${D}/tmp/install")"
export DESTDIR
[ -n "$DESTDIR" ]
[ -d "$DESTDIR" ]

# Pre-create the policy store directory under the install root.
mkdir -p "${DESTDIR}/var/lib/selinux/targeted"
#######################################
# Run make in the current directory with the install root and a semodule
# command line that targets that root instead of the host policy store.
# Globals:   DESTDIR (read)
# Arguments: "$@" - extra make arguments (targets, VAR=value overrides)
# Returns:   exit status of make
# NOTE(review): SEMODULE is passed to make as one string and is presumably
# expanded unquoted in a recipe, so a DESTDIR containing whitespace or shell
# metacharacters would be re-split or interpreted there - confirm that the
# install root path is always "plain".
#######################################
make_refpolicy() {
  # -v verbose, -p policy root path, -X module priority; the trailing space
  # is part of the original value and is kept on purpose.
  local semodule_cmd="/usr/sbin/semodule -v -p ${DESTDIR} -X 100 "
  local -a make_args=("DESTDIR=${DESTDIR}" "SEMODULE=${semodule_cmd}")
  make "${make_args[@]}" "$@"
}
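# One-time bootstrap of the install root: build and load the policy from the
# source tree "$D", install the devel headers, and point a copy of the devel
# Makefile at the install root. Skipped when the devel Makefile is already
# present under DESTDIR, i.e. when an earlier run got this far.
if [ ! -f "$DESTDIR"/usr/share/selinux/devel/Makefile ]; then
  pushd "$D"
  # NOTE(review): DESTDIR was derived from "$D"/tmp/install, so unless that
  # path is a symlink it ends in /tmp/install and the first pattern below
  # looks like it can never match; the selector was presumably meant to be
  # the policy directory. Confirm before relying on the Fedora branch.
  case "$DESTDIR" in
    */fedora-selinux-policy)
      # Fedora selinux-policy has already good build.conf so no need to
      # fix it again.
      ;;
    *)
      # Force the build.conf settings used for the test build; each rule
      # also uncommments the setting when it was commented out.
      sed -ri '
s/^[# ]*?(TYPE *=).*/\1 mcs/;
s/^[# ]*?(NAME *=).*/\1 targeted/;
s/^[# ]*?(DISTRO *=).*/\1 redhat/;
s/^[# ]*?(UNK_PERMS *=).*/\1 allow/;
s/^[# ]*?(DIRECT_INITRC *=).*/\1 n/;
s/^[# ]*?(SYSTEMD *=).*/\1 y/;
s/^[# ]*?(MONOLITHIC *=).*/\1 n/;
s/^[# ]*?(UBAC *=).*/\1 n/;
s/^[# ]*?(WERROR *=).*/\1 y/;
' build.conf
      # The "conf" target is only run for trees that ship Changelog.contrib.
      if [ -f Changelog.contrib ]; then
        make_refpolicy conf
      fi
      ;;
  esac
  make_refpolicy -j"$(nproc)" load
  make_refpolicy NAME=devel install-headers
  # The devel Makefile is taken from the host installation, not from the
  # tree being tested, so the host must have it installed; under `set -e`
  # a missing file stops the script here.
  cp /usr/share/selinux/devel/Makefile "$DESTDIR"/usr/share/selinux/devel/Makefile
  # DESTDIR comes from a caller-supplied path and lands in the replacement
  # half of a sed expression that uses "," as delimiter. Escape backslash,
  # "&" and "," first so such characters are written literally instead of
  # being interpreted by sed or terminating the expression early.
  sharedir_repl="$(printf '%s\n' "$DESTDIR"/usr/share/selinux | sed -e 's/[\\&,]/\\&/g')"
  sed -ri 's,(SHAREDIR :=).*,\1 '"$sharedir_repl"',' "$DESTDIR"/usr/share/selinux/devel/Makefile
  popd
  # export.sh is resolved relative to the current directory, so the script
  # has to be started from the directory that contains it.
  ./export.sh "$DESTDIR"
fi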
# Start from a clean "sl" directory and run the default make goal once;
# -k keeps going past individual failures.
# All relative paths below (sl, tmp/, export/, ./split_te.sh) are resolved
# against the current directory.
rm -rf sl
make DESTDIR="$DESTDIR" -j"$(nproc)" -k

# Run split_te.sh on every *.te file of the policy tree and every installed
# *.if header, in random order (shuf -z). Names travel NUL-delimited, so
# paths with spaces or newlines survive. Each input leaves a marker:
#   export/<basename>.ok   split and follow-up make both succeeded
#   export/<basename>.err  captured output of the step that failed
# Inputs that already have either marker are skipped, so an interrupted run
# can be resumed. Markers are keyed by basename only.
while IFS= read -r -d '' a && [ -n "$a" ]; do
  marker="export/${a##*/}"
  ok="${marker}.ok"
  err="${marker}.err"
  if [ -f "$ok" ] || [ -f "$err" ]; then
    continue
  fi

  # Drop the previous iteration's artefacts; the globs are intentionally
  # left unquoted so they expand.
  rm -rf sl tmp/all_interfaces.conf tmp/*.cil tmp/*.tmp tmp/*.cil.tosum
  make DESTDIR="$DESTDIR" tmp/all_interfaces.conf

  declare -i rc=0
  ./split_te.sh -- "$a" || rc=$?
  if (( rc == 0 )); then
    make DESTDIR="$DESTDIR" -j"$(nproc)" -k "${tgt[@]}" || rc=$?
    if (( rc == 0 )); then
      touch "$ok"
    else
      # Re-run serially only to capture the failure output; its own exit
      # status is deliberately ignored.
      make DESTDIR="$DESTDIR" "${tgt[@]}" > "$err" 2>&1 || :
    fi
  else
    # Same idea for the splitter: the second run exists to record the
    # error text, the make step is skipped.
    ./split_te.sh -- "$a" > "$err" 2>&1 || :
  fi
done < <( (find "$D" -name '*.te' -type f -print0; find "$DESTDIR"/usr/share/selinux/devel -name '*.if' -type f -print0) | shuf -z )