
Commit 90fb2dc

committed
Introduce SELinux policy module for kiwi
This simple policy module ensures that the kiwi executable is labeled such that it works properly in SELinux enforcing mode.
1 parent 5af510a commit 90fb2dc


6 files changed

+486
-0
lines changed


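--- a/package/python-kiwi-spec-template
+++ b/package/python-kiwi-spec-template
@@ -55,6 +55,12 @@
 %global develsuffix devel
 %endif
 
+%if 0%{?fedora} || 0%{?rhel} || 0%{?suse_version} >= 1600
+%bcond_without selinux
+%else
+%bcond_with selinux
+%endif
+
 Name: python-kiwi
 Version: %%VERSION
 Provides: kiwi-schema = 8.1
@@ -684,6 +690,21 @@ BuildArch: noarch
 Bash command line completion support for python-kiwi - completion
 of subcommands, parameters and keywords for the kiwi-ng command.
 
+%if %{with selinux}
+%package -n kiwi-selinux
+Summary: SELinux module for kiwi-ng
+License: GPL-2.0-or-later
+BuildArch: noarch
+BuildRequires: selinux-policy
+BuildRequires: selinux-policy-devel
+BuildRequires: make
+%{?selinux_requires}
+
+%description -n kiwi-selinux
+This package provides the SELinux policy module to ensure kiwi-ng
+runs properly under an environment with SELinux enabled.
+%endif
+
 %prep
 %setup -q -n kiwi-%{version}
 
@@ -705,6 +726,11 @@ sed -e "s|#!/usr/bin/env python||" -i kiwi/xml_parse.py
 # Build documentation
 make -C doc man
 
+%if %{with selinux}
+# Build SELinux module
+make -C selinux SHARE="%{_datadir}" TARGETS="kiwi"
+%endif
+
 # Build application wheel
 %{__python3} -m build --no-isolation --wheel
 
@@ -731,6 +757,11 @@ make buildroot=%{buildroot}/ docdir=%{_defaultdocdir}/ python=%{__python3} insta
 ln -sr %{buildroot}%{_bindir}/kiwi-ng %{buildroot}%{_bindir}/kiwi
 ln -sr %{buildroot}%{_bindir}/kiwi-ng %{buildroot}%{_bindir}/kiwi-ng-3
 
+%if %{with selinux}
+# Install SELinux module
+install -t %{buildroot}%{_datadir}/selinux/packages -Dpm 0644 selinux/kiwi.pp.bz2
+%endif
+
 %if "%{_vendor}" != "debbuild"
 # kiwi pxeboot directory structure to be packed in kiwi-pxeboot
 %ifarch %{ix86} x86_64
@@ -759,6 +790,24 @@ fi
 %endif
 %endif
 
+%if %{with selinux}
+%pre -n kiwi-selinux
+%selinux_relabel_pre
+
+%post -n kiwi-selinux
+%selinux_modules_install %{_datadir}/selinux/packages/kiwi.pp.bz2
+%selinux_relabel_post
+
+%posttrans -n kiwi-selinux
+%selinux_relabel_post
+
+%postun -n kiwi-selinux
+%selinux_modules_uninstall kiwi
+if [ $1 -eq 0 ]; then
+%selinux_relabel_post
+fi
+%endif
+
 %files -n kiwi-systemdeps-core
 # Empty metapackage
 
@@ -838,4 +887,11 @@ fi
 %endif
 %endif
 
+%if %{with selinux}
+%files -n kiwi-selinux
+%license selinux/COPYING
+%doc selinux/README.md
+%{_datadir}/selinux/packages/kiwi.pp.bz2
+%endif
+
 %changelog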
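Review bot: In the `%postun -n kiwi-selinux` scriptlet the `%selinux_modules_uninstall kiwi` call sits outside the `if [ $1 -eq 0 ]` guard, so unless the distribution's macro checks `$1` on its own, a package upgrade (where `$1` is 1) runs the old package's `%postun` after the new package's `%post` and removes the module that was just installed, which would likely leave the kiwi-ng binary with default labels until the next reinstall. Moving the call inside the guard is harmless even where the macro already guards and makes the intent explicit: `if [ $1 -eq 0 ]; then`, `    %selinux_modules_uninstall kiwi`, `    %selinux_relabel_post`, `fi`, preceded by a comment such as `# drop the module and relabel only on erase, not on upgrade`. Separately, `%selinux_relabel_post` is invoked from both `%post` and `%posttrans`; the usual packaging pattern keeps it only in `%posttrans`, so the `%post` copy appears to trigger a second relabel pass for no gain. Both Fedora/RHEL and SUSE >= 1600 are selected by the `%bcond` added in the first hunk, so the `$1` handling should be checked against each distribution's macro definition before relying on it.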
