Package: refpolicy
Version: 2:2.20221101-4
Tags: patch

Dear Maintainer,

attached are three patches to be more rigorous about policy building.

Patch 1: Drop duplicate declaration of file context for /var/log/rspamd(/.*)?
Patch 2: Build policy and verify file contexts within autopkgtest
Patch 3: Validate the policy at build time

Best regards,
Christian Göttsche
From 5d21e5f3f27dcd06fcf85f0148324c300efb9046 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <Christian Göttsche cgzo...@googlemail.com> Date: Tue, 7 Feb 2023 15:35:59 +0100 Subject: [PATCH 1/4] d/patches: drop addition of existent file context Found conflicting filecon rules at policy_root/var/lib/selinux/mls/tmp/modules/400/spamassassin/cil:1738 at policy_root/var/lib/selinux/mls/tmp/modules/400/spamassassin/cil:1740 Problems processing filecon rules Failed post db handling Post process failed /usr/sbin/semodule: Failed! --- debian/patches/0027-services | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/debian/patches/0027-services b/debian/patches/0027-services index 11351d5..1d44c14 100644 --- a/debian/patches/0027-services +++ b/debian/patches/0027-services @@ -1520,18 +1520,6 @@ Index: refpolicy-2.20221101/policy/modules/services/mta.te + postfix_read_config(admin_mail_t) + postfix_list_spool(admin_mail_t) +') -Index: refpolicy-2.20221101/policy/modules/services/spamassassin.fc -=================================================================== ---- refpolicy-2.20221101.orig/policy/modules/services/spamassassin.fc -+++ refpolicy-2.20221101/policy/modules/services/spamassassin.fc -@@ -39,6 +39,7 @@ HOME_DIR/\.spamd(/.*)? gen_context(sys - /var/log/spamd\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0) - /var/log/rspamd(/.*)? gen_context(system_u:object_r:spamd_log_t,s0) - /var/log/rspamd\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0) -+/var/log/rspamd(/.*)? gen_context(system_u:object_r:spamd_log_t,s0) - /var/log/mimedefang.* -- gen_context(system_u:object_r:spamd_log_t,s0) - - /var/vmail/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0) Index: refpolicy-2.20221101/policy/modules/services/courier.fc =================================================================== --- refpolicy-2.20221101.orig/policy/modules/services/courier.fc -- 2.39.1
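Review bot: the dropped Debian hunk re-added `/var/log/rspamd(/.*)?` directly below the identical upstream line that is already visible as unchanged context in spamassassin.fc, so removing it is the right fix, but the commit message should state that the error it quotes ("Failed post db handling", "/usr/sbin/semodule: Failed!") is raised by semodule when it links the store, not by the module build; that is why the duplicate survived until now and why the semodule-based check in patch 2 is the test that actually exercises it. Also note that the subjects are numbered 1/4, 2/4 and 3/4 while the cover letter lists three patches; either the fourth patch is missing from this submission or the numbering needs correcting.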
From a7ff170f9a4a8105e5193a98361b92b505a8875a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <Christian Göttsche cgzo...@googlemail.com> Date: Tue, 7 Feb 2023 15:37:30 +0100 Subject: [PATCH 2/4] d/tests: simulate policy building Simulate building the policy via semodule and verify the resulting file contexts and kernel policy against each other. --- debian/tests/validate-default | 9 +++++++++ debian/tests/validate-mls | 9 +++++++++ 2 files changed, 18 insertions(+) diff --git a/debian/tests/validate-default b/debian/tests/validate-default index 503c53a..ced63c9 100755 --- a/debian/tests/validate-default +++ b/debian/tests/validate-default @@ -14,3 +14,12 @@ mv base.pp base semodule_link -o test.lnk base *.pp semodule_expand test.lnk policy.bin + +mv base base.pp + +mkdir -p policy_root/var/lib/selinux/default + +# ignore 'FAIL stderr: libsemanage.add_user: user sddm not in password file' +/usr/sbin/semodule --noreload --store default --path policy_root --verbose --install *.pp 2>&1 + +/sbin/setfiles -c policy_root/etc/selinux/default/policy/policy.* policy_root/etc/selinux/default/contexts/files/file_contexts diff --git a/debian/tests/validate-mls b/debian/tests/validate-mls index d281e89..c9f5529 100755 --- a/debian/tests/validate-mls +++ b/debian/tests/validate-mls @@ -14,3 +14,12 @@ mv base.pp base semodule_link -o test.lnk base *.pp semodule_expand test.lnk policy.bin + +mv base base.pp + +mkdir -p policy_root/var/lib/selinux/mls + +# igore 'FAIL stderr: libsemanage.add_user: user sddm not in password file' +/usr/sbin/semodule --noreload --store mls --path policy_root --verbose --install *.pp 2>&1 + +/sbin/setfiles -c policy_root/etc/selinux/mls/policy/policy.* policy_root/etc/selinux/mls/contexts/files/file_contexts -- 2.39.1
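Review bot: in the validate-default hunk the comment "ignore 'FAIL stderr: libsemanage.add_user: user sddm not in password file'" does not say what the `2>&1` on the semodule line is for; if the intent is to stop autopkgtest from failing the test on stderr output, write that down (e.g. `# merge stderr: autopkgtest fails on any stderr output and libsemanage warns about the missing sddm user`) and make sure the script runs under `set -e` or checks the exit status, because once stderr is merged a non-zero exit from semodule or setfiles is the only remaining signal that the policy or the file contexts are broken. The `policy.*` glob on the `setfiles -c` line also assumes the freshly created store holds exactly one kernel policy file, which holds only while policy_root starts out empty; a short comment there would save the next reader a trip to the semodule manual.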
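Review bot: the validate-mls hunk is a verbatim copy of the validate-default one with `default` replaced by `mls`, and the copy already diverges by a typo ("igore" for "ignore"); rather than keeping two scripts that will drift, put the store name in one variable (e.g. `store=mls` at the top and `--store "$store" ... policy_root/etc/selinux/"$store"/policy/policy.*`) or have both autopkgtests source a single shared script.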
From 9efc0bc669bd935adc6d4aae5f7f6a0211cef96b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <Christian Göttsche cgzo...@googlemail.com> Date: Tue, 7 Feb 2023 16:07:16 +0100 Subject: [PATCH 3/4] d/rules: validate build policy --- debian/rules | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/debian/rules b/debian/rules index 32d70d6..4cbc64b 100755 --- a/debian/rules +++ b/debian/rules @@ -65,6 +65,8 @@ override_dh_auto_build: $(patsubst %, build-%-policy, $(FLAVOURS)) override_dh_auto_install: $(patsubst %, install-%-policy, $(FLAVOURS)) install-default-dev install-docs install-src +override_dh_auto_test: $(patsubst %, test-%-policy, $(FLAVOURS)) + conf-%-policy: test ! -d $(CURDIR)/debian/build-$* || \ rm -rf $(CURDIR)/debian/build-$* @@ -113,6 +115,11 @@ build-%-policy: conf-%-policy $(MAKE) NAME=$* TYPE=$(TYPE_$*) UBAC=$(UBAC_$*) UNK_PERMS=$(UNK_PERMS_$*) $(COMMON_OPTIONS) policy) touch $@ +test-%-policy: build-%-policy + (cd $(CURDIR)/debian/build-$*; \ + $(MAKE) NAME=$* TYPE=$(TYPE_$*) UBAC=$(UBAC_$*) UNK_PERMS=$(UNK_PERMS_$*) $(COMMON_OPTIONS) validate) + touch $@ + install-%-policy: build-%-policy (cd $(CURDIR)/debian/build-$*; \ $(MAKE) NAME=$* TYPE=$(TYPE_$*) UBAC=$(UBAC_$*) UNK_PERMS=$(UNK_PERMS_$*) $(COMMON_OPTIONS) DESTDIR=$(CURDIR)/debian/tmp install) -- 2.39.1
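Review bot: the new override_dh_auto_test target has no nocheck guard; unless the package's debhelper compat level already skips dh_auto_test overrides when DEB_BUILD_OPTIONS contains nocheck, wrap it in `ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))` so that builds which disable tests do not run `make validate` for every flavour. The `touch $@` stamp in test-%-policy must also be removed by the clean rule alongside the build-%-policy stamp (the clean rule is not part of this hunk, so please check), otherwise a rebuild in the same tree silently skips validation. Finally, the commit has no message body: say what the refpolicy `validate` target checks and that it complements rather than replaces the semodule/setfiles check added to the autopkgtests, since the error quoted in patch 1 was produced by semodule at link time and not by the build.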
_______________________________________________ SELinux-devel mailing list SELinux-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/selinux-devel