From eb2b07ef27bc8f790e2ab280bbd19a012841f9cf Mon Sep 17 00:00:00 2001
From: Mike Frysinger
Date: Mon, 30 Jan 2006 04:19:01 +0000
Subject: Chris PeBenito writes in #110857 for SELinux updates: 1) change ebuild.sh code to use selinux configuration to determine where the file contexts are, rather than a setting in make.conf. 2) change portage support to a FEATURE rather than USE. This enables the user to disable the portage support if their setup is broken, while still enabling selinux support in any packages they might merge. I was going to submit a patch for portage.py, but the place it needs to be changed (line 7234 in rev 1.524.2.76/2.0.53_rc6), features (the variable) isn't filled yet, so I was unsure of the proper fix.

svn path=/main/trunk/; revision=2606
---
 bin/ebuild.sh | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/bin/ebuild.sh b/bin/ebuild.sh
index d64969e65..ff11a8b58 100755
--- a/bin/ebuild.sh
+++ b/bin/ebuild.sh
@@ -1332,20 +1332,19 @@ dyn_preinst() {
 	fi
 	# SELinux file labeling (needs to always be last in dyn_preinst)
-	if useq selinux; then
+	if hasq selinux ${FEATURES} ; then
 		# only attempt to label if setfiles is executable
 		# and 'context' is available on selinuxfs.
-		if [ -f /selinux/context -a -x /usr/sbin/setfiles ]; then
+		if [ -f /selinux/context -a -x /usr/sbin/setfiles -a -x /usr/sbin/selinuxconfig ]; then
 			echo ">>> Setting SELinux security labels"
-			if [ -f ${POLICYDIR}/file_contexts/file_contexts ]; then
-				cp -f "${POLICYDIR}/file_contexts/file_contexts" "${T}"
-			else
-				make -C "${POLICYDIR}" FC=${T}/file_contexts "${T}/file_contexts"
-			fi
+			(
+				eval "$(/usr/sbin/selinuxconfig)" || \
+					die "Failed to determine SELinux policy paths.";
+
+				addwrite /selinux/context;
-			addwrite /selinux/context
-			/usr/sbin/setfiles -r "${IMAGE}" "${T}/file_contexts" "${IMAGE}" \
-				|| die "Failed to set SELinux security labels."
+				/usr/sbin/setfiles "${file_contexts_path}" -r "${IMAGE}" "${IMAGE}";
+			) || die "Failed to set SELinux security labels."
 		else
 			# nonfatal, since merging can happen outside a SE kernel
 			# like during a recovery situation
-- 
cgit v1.2.3-1-g7c22
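Review bot: `${file_contexts_path}` is handed to setfiles without any check that the preceding `eval "$(/usr/sbin/selinuxconfig)"` actually set it, so if selinuxconfig exits 0 but prints nothing (or a variable under a different name) setfiles runs with an empty first argument and the only diagnostic is the generic outer "Failed to set SELinux security labels." message. Between the eval and the setfiles call I would add `[ -n "${file_contexts_path}" -a -f "${file_contexts_path}" ] || die "selinuxconfig did not provide a usable file_contexts_path"` so the failure names its real cause. The eval also executes whatever selinuxconfig emits as shell code inside the merge phase; the `-x /usr/sbin/selinuxconfig` gate with an absolute path limits that to a trusted system binary, which is worth stating in a comment such as `# selinuxconfig is trusted to emit only variable assignments` so a later maintainer does not relax the gate. A `die` inside the `( ... )` subshell presumably only exits the subshell (the outer `|| die` then fires a second, less specific message), so the subshell wrapper appears to be relied on deliberately; confirming that in a comment would help. dyn_preinst's body starts before this hunk and its closing `fi` lines run past it.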