Move misc policies into their own module

Also avoid depending on a specific policy type
QubesOS · Dec 23, 2022 · e20cb8f · e20cb8f
1 parent 1b1711a
commit e20cb8f
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 20 deletions.
diff --git a/Makefile b/Makefile
@@ -8,22 +8,23 @@ release := $(shell lsb_release -is)
 
 # This makefile uses some bash-isms, make uses /bin/sh by default.
 SHELL = /bin/bash
+selinux_policies ::= qubes-qfile-unpacker.pp qubes-xendriverdomain.pp \
+	qubes-misc.pp
 
 all:
 	$(MAKE) -C misc VERSION=$(VERSION)
 	$(MAKE) -C qubes-rpc
-ifdef WITH_SELINUX
-ifeq ($(WITH_SELINUX),1)
-	$(MAKE) -C selinux -f /usr/share/selinux/devel/Makefile qubes-qfile-unpacker.pp qubes-xendriverdomain.pp
+ifdef ENABLE_SELINUX
+ifeq ($(ENABLE_SELINUX),1)
+	$(MAKE) -C selinux -f /usr/share/selinux/devel/Makefile -- $(selinux_policies)
 
 install-rh: install-selinux
 
 install-selinux:
-	install -D -m 0644 -t $(DESTDIR)/usr/share/selinux/packages/targeted -- \
-		selinux/qubes-qfile-unpacker.pp selinux/qubes-xendriverdomain.pp
+	install -D -m 0644 -t $(DESTDIR)/usr/share/selinux/packages -- $(patsubst %,selinux/%,$(selinux_policies))
 .PHONY: install-selinux
-else ifneq ($(WITH_SELINUX),0)
-$(error bad value for WITH_SELINUX)
+else ifneq ($(ENABLE_SELINUX),0)
+$(error bad value for $$(ENABLE_SELINUX))
 endif
 endif
 

diff --git a/rpm_spec/core-agent.spec.in b/rpm_spec/core-agent.spec.in
@@ -320,13 +320,8 @@ License: GPLv2+
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-%if 0%fedora
-Requires: selinux-policy >= %fedora
-Requires(post): selinux-policy-base >= %fedora
-%else
 Requires: selinux-policy
 Requires(post): selinux-policy-base
-%endif
 Requires(post): libselinux-utils
 BuildRequires: selinux-policy
 BuildRequires: selinux-policy-devel
@@ -336,8 +331,22 @@ SELinux policy for the Qubes VM tools.  This allows the Qubes VM tools to run in
 a VM with SELinux enforcing, as is the default on Red Hat-family distributions.
 
 %files selinux
-%_datadir/selinux/packages/targeted/qubes-qfile-unpacker.pp
-%_datadir/selinux/packages/targeted/qubes-xendriverdomain.pp
+%_datadir/selinux/packages/qubes-qfile-unpacker.pp
+%_datadir/selinux/packages/qubes-xendriverdomain.pp
+%_datadir/selinux/packages/qubes-misc.pp
+
+%postun selinux
+if [ "$1" -eq 0 ]; then
+    %selinux_modules_uninstall \
+        %{_datadir}/selinux/packages/qubes-qfile-unpacker.pp \
+        %{_datadir}/selinux/packages/qubes-xendriverdomain.pp \
+        %{_datadir}/selinux/packages/qubes-misc.pp
+fi || :
+
+%posttrans selinux
+%selinux_relabel_post
+exit 0
+
 
 %endif
 
@@ -349,7 +358,7 @@ a VM with SELinux enforcing, as is the default on Red Hat-family distributions.
 
 %build
 %{?set_build_flags}
-make BACKEND_VMM=@BACKEND_VMM@ WITH_SELINUX=%with_selinux
+make BACKEND_VMM=@BACKEND_VMM@ ENABLE_SELINUX=%with_selinux
 make -C doc manpages
 
 %pre
@@ -378,7 +387,7 @@ usermod -L root
 
 %install
 
-make install-vm PYTHON=%{__python3} DESTDIR=$RPM_BUILD_ROOT SYSTEM_DROPIN_DIR=%{_unitdir} SYSLIBDIR=/usr/lib WITH_SELINUX=%with_selinux
+make install-vm PYTHON=%{__python3} DESTDIR=$RPM_BUILD_ROOT SYSTEM_DROPIN_DIR=%{_unitdir} SYSLIBDIR=/usr/lib ENABLE_SELINUX=%with_selinux
 make -C app-menu DESTDIR=$RPM_BUILD_ROOT install
 make -C boot/redhat DESTDIR=$RPM_BUILD_ROOT install
 make -C config-overrides DESTDIR=$RPM_BUILD_ROOT install
@@ -618,7 +627,7 @@ fi
 %if %{with selinux}
 %post selinux
 
-%selinux_modules_install %{_datadir}/selinux/packages/targeted/qubes-qfile-unpacker.pp %{_datadir}/selinux/packages/targeted/qubes-xendriverdomain.pp
+%selinux_modules_install %{_datadir}/selinux/packages/qubes-qfile-unpacker.pp %{_datadir}/selinux/packages/qubes-xendriverdomain.pp %{_datadir}/selinux/packages/qubes-misc.pp
 
 contexts='### QUBES START ###\
 /rw/home /home\
@@ -642,7 +651,7 @@ d
 }
 \$a\
 $contexts
-" /etc/selinux/targeted/contexts/files/file_contexts.subs
+" /etc/selinux/*/contexts/files/file_contexts.subs
 
 %preun selinux
 if [ "$1" -eq 0 ] && ! grep -E '^SELINUX=(disabled|permissive)$' /etc/selinux/config; then

diff --git a/selinux/qubes-misc.fc b/selinux/qubes-misc.fc
@@ -0,0 +1,12 @@
+define(`slash_run',`dnl
+/var/run/$1     $3       gen_context(system_u:object_r:$2_t,s0)
+/run/$1     $3       gen_context(system_u:object_r:$2_t,s0)
+')dnl
+/usr/lib/modules/firmware(/.*)?         gen_context(system_u:object_r:lib_t,s0)
+/usr/lib/modules/[0-9][^/]*/build    -d gen_context(system_u:object_r:usr_t,s0)
+/usr/lib/modules/[0-9][^/]*/build/.*    gen_context(system_u:object_r:usr_t,s0)
+/usr/lib/qubes(/.*)?                    gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/qubes/init(/.*)?            -d gen_context(system_u:object_r:etc_t,s0)
+/usr/lib/qubes/init(/.*)?            -- gen_context(system_u:object_r:initrc_exec_t,s0)
+slash_run(`qubes(/.*)?',`qubes_var_run')
+slash_run(`qubes-service',`initrc_var_run',`-d')
diff --git a/selinux/qubes-misc.te b/selinux/qubes-misc.te
@@ -0,0 +1,3 @@
+policy_module(qubes-misc,0.0.1)
+
+type qubes_var_run_t;
diff --git a/selinux/qubes-qfile-unpacker.fc b/selinux/qubes-qfile-unpacker.fc
@@ -1,4 +1,2 @@
 `/usr/lib/\.modules_work(/.*)? <<none>>'
-`/usr/lib/modules/[0-9][^/]*/build' -d gen_context(system_u:object_r:usr_t,s0)
-`/usr/lib/modules/[0-9][^/]*/build/.*' gen_context(system_u:object_r:usr_t,s0)
 `/usr/lib/qubes/qfile-unpacker' -- gen_context(system_u:object_r:qubes_qfile_unpacker_exec_t,s0)
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		policy_module(qubes-misc,0.0.1)

		type qubes_var_run_t;