diff --git a/.gitignore b/.gitignore
index 18892a31fe..d6ba0903ae 100644
--- a/.gitignore
+++ b/.gitignore
@@ -190,4 +190,7 @@ __pycache__
 misc/selinux/cfengine-enterprise.pp
 misc/selinux/cfengine-enterprise.if
 misc/selinux/cfengine-enterprise.te
+misc/selinux/cfengine-enterprise-unconfined.pp
+misc/selinux/cfengine-enterprise-unconfined.if
+misc/selinux/cfengine-enterprise-unconfined.te
 misc/selinux/tmp
diff --git a/configure.ac b/configure.ac
index 431a33c331..040b584ad3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1666,7 +1666,7 @@ AC_ARG_WITH(selinux-policy,
 AS_HELP_STRING([--with-selinux-policy],
 [Whether to build and install SELinux policy (default: no)]),
 [],
 [with_selinux_policy=no])
-AM_CONDITIONAL([WITH_SELINUX], [test "x$with_selinux_policy" != "xno"])
+AM_CONDITIONAL([WITH_SELINUX_POLICY], [test "x$with_selinux_policy" != "xno"])
 if test "x$with_selinux_policy" != "xno"; then
 platform_id=$(sed -r -e '/PLATFORM_ID/!d;s/PLATFORM_ID="platform:(@<:@^"@:>@+)"/\1/' < /etc/os-release)
diff --git a/misc/selinux/Makefile.am b/misc/selinux/Makefile.am
index 870b866b30..12ca1a6a7f 100644
--- a/misc/selinux/Makefile.am
+++ b/misc/selinux/Makefile.am
@@ -1,14 +1,26 @@
-if WITH_SELINUX
+if WITH_SELINUX_POLICY
 cfengine-enterprise.te: cfengine-enterprise.te.all $(PLATFORM_SELINUX_POLICIES)
 	cat cfengine-enterprise.te.all $(PLATFORM_SELINUX_POLICIES) > cfengine-enterprise.te
 
-cfengine-enterprise.pp: cfengine-enterprise.te cfengine-enterprise.fc
-	$(MAKE) -f /usr/share/selinux/devel/Makefile -j1
+cfengine-enterprise.pp cfengine-enterprise-unconfined.pp: cfengine-enterprise.te cfengine-enterprise.fc cfengine-enterprise-unconfined.te cfengine-enterprise-unconfined.fc
+	rpm -qa selinux-policy # debug output to see version
+	sudo dnf install -y ed
+	m4 --version
+	autoconf --version
+	automake --version
+	openssl sha256 * || true
+	$(MAKE) -f /usr/share/selinux/devel/Makefile -j1 2>&1 | tee log
+	test "$?" != "0" && ( \
+	for line in $(grep m4: log | cut -d: -f3 | sort -u); do echo "$line-2;$line+2n" | ed -s tmp/all_interfaces.conf; done \
+	)
 
 selinuxdir = $(prefix)/selinux
 selinux_DATA = cfengine-enterprise.pp
 selinux_DATA += cfengine-enterprise.te
 selinux_DATA += cfengine-enterprise.fc
+selinux_DATA += cfengine-enterprise-unconfined.pp
+selinux_DATA += cfengine-enterprise-unconfined.te
+selinux_DATA += cfengine-enterprise-unconfined.fc
 
 clean-local:
 	rm -rf tmp
@@ -18,5 +30,7 @@ endif
 # tarball even without running './configure --with-selinux-policy'
 DISTFILES = Makefile.in Makefile.am cfengine-enterprise.fc cfengine-enterprise.te.all
 DISTFILES += cfengine-enterprise.te.el9
+DISTFILES += cfengine-enterprise-unconfined.te
+DISTFILES += cfengine-enterprise-unconfined.fc
 
-CLEANFILES = cfengine-enterprise.pp cfengine-enterprise.if cfengine-enterprise.te
+CLEANFILES = cfengine-enterprise.pp cfengine-enterprise.if cfengine-enterprise.te cfengine-enterprise-unconfined.pp cfengine-enterprise-unconfined.if
diff --git a/misc/selinux/cfengine-enterprise-unconfined.fc b/misc/selinux/cfengine-enterprise-unconfined.fc
new file mode 100644
index 0000000000..8448a4412d
--- /dev/null
+++ b/misc/selinux/cfengine-enterprise-unconfined.fc
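Review bot: The new recipe for the `.pp` targets writes `$?`, `$(grep …)` and `$line` unescaped, so Make expands them before the shell runs: `$?` becomes the list of out-of-date prerequisites (never "0"), `$(grep m4: log | cut -d: -f3 | sort -u)` is an empty Make variable, and `$line` reads as `$(l)ine` — each needs `$$` (`test "$$?" != "0"`, `$$(grep …)`, `"$$line-2;$$line+2n"`). Even once escaped, `$(MAKE) … | tee log` returns tee's exit status, so a failed policy build no longer fails the rule, the `ed` workaround runs without re-invoking the build, and `log` is not listed in CLEANFILES in the second hunk. The `rpm -qa`, `sudo dnf install -y ed`, `m4/autoconf/automake --version` and `openssl sha256 *` lines look like CI diagnostics; a shipped Makefile.am that runs `sudo dnf` modifies the build host with elevated privileges and breaks on any non-dnf platform, so they belong in the CI job, with `ed` documented as a build dependency if the interface trimming is kept. Separately, `cfengine-enterprise.pp cfengine-enterprise-unconfined.pp:` with one recipe defines two independent rules that race under `make -j`; a stamp file (or `&:` where the supported GNU Make allows it) ties both outputs to a single recipe run.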
@@ -0,0 +1,4 @@
+/var/cfengine/bin/.* -- gen_context(system_u:object_r:cfengine_exec_t,s0)
+/var/cfengine/notification_scripts(/.*)? -- gen_context(system_u:object_r:cfengine_exec_t,s0)
+/var/cfengine/httpd/bin/.* -- gen_context(system_u:object_r:cfengine_exec_t,s0)
+/var/cfengine/httpd/php/bin/.* -- gen_context(system_u:object_r:cfengine_exec_t,s0)
diff --git a/misc/selinux/cfengine-enterprise-unconfined.te b/misc/selinux/cfengine-enterprise-unconfined.te
new file mode 100644
index 0000000000..bc44203374
--- /dev/null
+++ b/misc/selinux/cfengine-enterprise-unconfined.te
@@ -0,0 +1,8 @@
+module cfengine-enterprise-unconfined 1.0;
+require {
+ all_kernel_class_perms # required for unconfined_domain()
+}
+type cfengine_t;
+type cfengine_exec_t;
+unconfined_domain(cfengine_t)
+domain_entry_file(cfengine_t, cfengine_exec_t)
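Review bot: `type cfengine_t;` and `type cfengine_exec_t;` on the fifth and sixth lines declare the types rather than require them, so if this module is ever loaded alongside cfengine-enterprise.pp — which presumably declares the same types in cfengine-enterprise.te.all, not shown in this diff — semodule rejects the duplicate declaration. If the two modules are meant to be installed together, move them into the block: `require { type cfengine_t; type cfengine_exec_t; all_kernel_class_perms }`; if they are mutually exclusive, the module should say so. Either way the file has no comment explaining its effect: `unconfined_domain(cfengine_t)` lifts every SELinux restriction from processes entered through `cfengine_exec_t`, so a header such as `# Opt-out policy: runs cfengine_t unconfined. Install in place of cfengine-enterprise.pp only where the confined policy blocks a required operation.` tells operators what they are selecting when they choose this `.pp`. The `.fc` file in the previous hunk labels the same paths with `cfengine_exec_t`, which is consistent with the `domain_entry_file` call here.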