Package: refpolicy
Version: 2:2.20221101-4
Tags: patch
Dear Maintainer,
Attached are three patches that make policy building more rigorous.
Patch 1: Drop duplicate declaration of file context for /var/log/rspamd(/.*)?
Patch 2: Build policy and verify file contexts within autopkgtest
Patch 3: Validate the policy at build time
Best regards,
Christian Göttsche
From 5d21e5f3f27dcd06fcf85f0148324c300efb9046 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
Date: Tue, 7 Feb 2023 15:35:59 +0100
Subject: [PATCH 1/4] d/patches: drop addition of existent file context
Found conflicting filecon rules
at policy_root/var/lib/selinux/mls/tmp/modules/400/spamassassin/cil:1738
at policy_root/var/lib/selinux/mls/tmp/modules/400/spamassassin/cil:1740
Problems processing filecon rules
Failed post db handling
Post process failed
/usr/sbin/semodule: Failed!
---
debian/patches/0027-services | 12
1 file changed, 12 deletions(-)
diff --git a/debian/patches/0027-services b/debian/patches/0027-services
index 11351d5..1d44c14 100644
--- a/debian/patches/0027-services
+++ b/debian/patches/0027-services
@@ -1520,18 +1520,6 @@ Index: refpolicy-2.20221101/policy/modules/services/mta.te
+ postfix_read_config(admin_mail_t)
+ postfix_list_spool(admin_mail_t)
+')
-Index: refpolicy-2.20221101/policy/modules/services/spamassassin.fc
-===
refpolicy-2.20221101.orig/policy/modules/services/spamassassin.fc
-+++ refpolicy-2.20221101/policy/modules/services/spamassassin.fc
-@@ -39,6 +39,7 @@ HOME_DIR/\.spamd(/.*)? gen_context(sys
- /var/log/spamd\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0)
- /var/log/rspamd(/.*)? gen_context(system_u:object_r:spamd_log_t,s0)
- /var/log/rspamd\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0)
-+/var/log/rspamd(/.*)? gen_context(system_u:object_r:spamd_log_t,s0)
- /var/log/mimedefang.* -- gen_context(system_u:object_r:spamd_log_t,s0)
-
- /var/vmail/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
Index: refpolicy-2.20221101/policy/modules/services/courier.fc
===
--- refpolicy-2.20221101.orig/policy/modules/services/courier.fc
--
2.39.1
From a7ff170f9a4a8105e5193a98361b92b505a8875a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
Date: Tue, 7 Feb 2023 15:37:30 +0100
Subject: [PATCH 2/4] d/tests: simulate policy building
Simulate building the policy via semodule and verify the resulting file
contexts and kernel policy against each other.
---
debian/tests/validate-default | 9 +
debian/tests/validate-mls | 9 +
2 files changed, 18 insertions(+)
diff --git a/debian/tests/validate-default b/debian/tests/validate-default
index 503c53a..ced63c9 100755
--- a/debian/tests/validate-default
+++ b/debian/tests/validate-default
@@ -14,3 +14,12 @@ mv base.pp base
semodule_link -o test.lnk base *.pp
semodule_expand test.lnk policy.bin
+
+mv base base.pp
+
+mkdir -p policy_root/var/lib/selinux/default
+
+# ignore 'FAIL stderr: libsemanage.add_user: user sddm not in password file'
+/usr/sbin/semodule --noreload --store default --path policy_root --verbose --install *.pp 2>&1
+
+/sbin/setfiles -c policy_root/etc/selinux/default/policy/policy.* policy_root/etc/selinux/default/contexts/files/file_contexts
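Review bot: The `2>&1` on the semodule line only interleaves stderr into stdout; it neither filters the libsemanage.add_user warning the comment says to ignore nor changes the exit status, so the comment should state the expectation it encodes, e.g. `# 'libsemanage.add_user: user sddm not in password file' is expected here and (presumably) does not affect semodule's exit status`. The `setfiles -c` call also relies on `policy_root/etc/selinux/default/policy/policy.*` matching exactly one file; with a freshly created store that holds, but a second match would shift the positional arguments, so a comment or a count check before the call would make that assumption explicit. The same applies to the validate-mls hunk. Whether a failing semodule aborts the script depends on shell options set above this hunk.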
diff --git a/debian/tests/validate-mls b/debian/tests/validate-mls
index d281e89..c9f5529 100755
--- a/debian/tests/validate-mls
+++ b/debian/tests/validate-mls
@@ -14,3 +14,12 @@ mv base.pp base
semodule_link -o test.lnk base *.pp
semodule_expand test.lnk policy.bin
+
+mv base base.pp
+
+mkdir -p policy_root/var/lib/selinux/mls
+
+# igore 'FAIL stderr: libsemanage.add_user: user sddm not in password file'
+/usr/sbin/semodule --noreload --store mls --path policy_root --verbose --install *.pp 2>&1
+
+/sbin/setfiles -c policy_root/etc/selinux/mls/policy/policy.* policy_root/etc/selinux/mls/contexts/files/file_contexts
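Review bot: The comment on the semodule line has a typo, `# igore` should read `# ignore`, matching the wording in validate-default.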
--
2.39.1
From 9efc0bc669bd935adc6d4aae5f7f6a0211cef96b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
Date: Tue, 7 Feb 2023 16:07:16 +0100
Subject: [PATCH 3/4] d/rules: validate build policy
---
debian/rules | 7 +++
1 file changed, 7 insertions(+)
diff --git a/debian/rules b/debian/rules
index 32d70d6..4cbc64b 100755
--- a/debian/rules
+++ b/debian/rules
@@ -65,6 +65,8 @@ override_dh_auto_build: $(patsubst %, build-%-policy, $(FLAVOURS))
override_dh_auto_install: $(patsubst %, install-%-policy, $(FLAVOURS)) install-default-dev install-docs install-src
+override_dh_auto_test: $(patsubst %, test-%-policy, $(FLAVOURS))
+
conf-%-policy:
test ! -d $(CURDIR)/debian/build-$* || \
rm -rf $(CURDIR)/debian/build-$*
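Review bot: `override_dh_auto_test` runs the policy tests unconditionally, whereas the `dh_auto_test` it replaces is a no-op when `DEB_BUILD_OPTIONS` contains `nocheck`; unless the package's debhelper compat level makes dh skip the override as well, wrap the target: `ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))` / `override_dh_auto_test: $(patsubst %, test-%-policy, $(FLAVOURS))` / `endif`. The `test-%-policy` rule named by the prerequisites is not in this hunk (presumably it is added by the second hunk, which is cut off here), so its recipe is not reviewed. A short comment above the override, e.g. `# validate each built policy flavour; see test-%-policy`, would tell a reader where the work happens.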
@@ -113,6 +115,11 @@ build-%-policy: conf-%-policy
$(MAKE) NAME=$* TYPE=$(TYPE_$*) UBAC=$(UBAC_$*)