author | Steve Lawrence <slawrence@tresys.com> | 2010-08-30 16:32:29 -0400 |
---|---|---|
committer | Panu Matilainen <pmatilai@redhat.com> | 2010-09-01 09:04:27 +0300 |
commit | 383e27564853fd4c387ca1d4a69f223140a0daca (patch) | |
tree | 571b403fff31673d43b75b25f31a43b39291fbe9 /preinstall.am | |
parent | 5779fb12e26ca1793df7ee50972de80dbf26992e (diff) | |
download | rpm-383e27564853fd4c387ca1d4a69f223140a0daca.tar.gz |
Add new %sepolicy section to the spec file format
The %sepolicy section is used to describe SELinux policy to be included
in a package. Its syntax is similar to other sections (%files, %pre,
%post, etc.) in that you can provide a string and -n after the
declaration to specify policy should be added to a subpackage.
For example:
%sepolicy
# policy in this section will be added to the main package
%sepolicy foo
# policy in this section will be added to the '<mainpackage>-foo' subpackage
%sepolicy -n bar
# policy in this section will be added to the 'bar' subpackage
The %sepolicy section contains zero or more %semodule directives, with the
following format:
%semodule [OPTIONS] path/to/module.pp
The available options are:
-b, --base
The module is a base module
-n, --name=NAME
The name of the module. If not given, assumes the name is the basename of
the module file with file extensions removed.
-t, --types=TYPES
One or more comma-separated strings specifying which policy types the
module can work with. To explicitly state that a module can work with any
policy type, "default" can be specified as the value. If not specified,
assumes the module can work with any policy type, and assigns the types as
"default".
Below is an example of this new format:
%sepolicy
%semodule -n foo -t mls policy/foo.pp
%semodule -n bar -t strict,targeted,mls -b policy/bar.pp
This also adds new header tags to store the new information:
RPMTAG_POLICYNAMES (string array)
RPMTAG_POLICYTYPES (string array)
RPMTAG_POLICYTYPESINDEXES (uint32 array)
RPMTAG_POLICYFLAGS (uint32 array)
The index of NAMES and FLAGS maps directly to the index of RPMTAG_POLICIES.
However, because a single policy can have multiple types, the mapping for
TYPES is not direct. For this, the index maps to TYPESINDEXES, which
contains the index of the policy that the type maps to. This is similar to
how DIRINDEXES is used to map DIRNAMES and BASENAMES. As an example, the
previous %sepolicy section would have the following header tags:
RPMTAG_POLICIES:
0: <foo.pp data, base64 encoded>
1: <bar.pp data, base64 encoded>
RPMTAG_POLICYNAMES:
0: foo
1: bar
RPMTAG_POLICYFLAGS:
0: 0
1: 1 # assumes flag 1 == BASE
RPMTAG_POLICYTYPES:
0: mls
1: strict
2: targeted
3: mls
RPMTAG_POLICYTYPESINDEXES:
0: 0
1: 1
2: 1
3: 1
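The tag layout described in the commit message (one entry per policy in POLICIES/POLICYNAMES/POLICYFLAGS, and a DIRINDEXES-style indirection for POLICYTYPES) is easy to get wrong on the consumer side, so here is an added worked model of it. This is example code written for this page, not rpm's own spec parser or header code: it parses `%semodule` lines with the options the message lists, flattens the result into the four tag arrays exactly as the message's example shows, reconstructs each policy's types from TYPESINDEXES, and bounds-checks the indexes the way a header consumer should. `POLICYFLAG_BASE == 1` repeats the message's own "assumes flag 1 == BASE" assumption; the `.pp` contents and the `SAMPLE_SEPOLICY` text are constructed sample input, and `modules_for_policy_type` is a hypothetical helper, not an rpm function.

```python
"""Added model of the %sepolicy section and the header tags it produces (not rpm code)."""
import base64
import os
import shlex
from dataclasses import dataclass

POLICYFLAG_BASE = 1  # assumption taken from the message: "assumes flag 1 == BASE"


@dataclass
class SEModule:
    path: str
    name: str
    types: list   # policy types, e.g. ["mls"]; ["default"] when -t is not given
    flags: int


def _default_name(path):
    # "the basename of the module file with file extensions removed"
    return os.path.basename(path).split(".", 1)[0]


def parse_semodule(line):
    """Parse one '%semodule [OPTIONS] path/to/module.pp' line into an SEModule."""
    tokens = shlex.split(line, comments=True)
    if not tokens or tokens[0] != "%semodule":
        raise ValueError(f"not a %semodule directive: {line!r}")
    base, name, types, path = False, None, None, None
    args, i = tokens[1:], 0
    while i < len(args):
        tok = args[i]
        if tok in ("-b", "--base"):
            base = True
        elif tok in ("-n", "--name", "-t", "--types"):   # option with separate value
            i += 1
            if i == len(args):
                raise ValueError(f"{tok} requires a value")
            if tok in ("-n", "--name"):
                name = args[i]
            else:
                types = args[i]
        elif tok.startswith("--name="):
            name = tok[len("--name="):]
        elif tok.startswith("--types="):
            types = tok[len("--types="):]
        elif tok.startswith("-"):
            raise ValueError(f"unknown %semodule option {tok}")
        elif path is None:
            path = tok
        else:
            raise ValueError(f"unexpected extra argument {tok!r}")
        i += 1
    if path is None:
        raise ValueError("missing module path")
    type_list = [t for t in types.split(",") if t] if types else ["default"]
    return SEModule(path, name or _default_name(path), type_list,
                    POLICYFLAG_BASE if base else 0)


def parse_sepolicy(section):
    """Parse a whole %sepolicy section; blank lines, comments and the header are skipped."""
    modules = []
    for raw in section.splitlines():
        tokens = shlex.split(raw, comments=True)
        if tokens and tokens[0] != "%sepolicy":
            modules.append(parse_semodule(raw))
    return modules


def build_policy_tags(modules, module_data):
    """Flatten modules into the header arrays; module_data maps path -> .pp bytes."""
    tags = {"RPMTAG_POLICIES": [], "RPMTAG_POLICYNAMES": [], "RPMTAG_POLICYFLAGS": [],
            "RPMTAG_POLICYTYPES": [], "RPMTAG_POLICYTYPESINDEXES": []}
    for idx, m in enumerate(modules):
        tags["RPMTAG_POLICIES"].append(base64.b64encode(module_data[m.path]).decode("ascii"))
        tags["RPMTAG_POLICYNAMES"].append(m.name)
        tags["RPMTAG_POLICYFLAGS"].append(m.flags)
        for t in m.types:                     # one TYPES entry per type, pointing back at idx
            tags["RPMTAG_POLICYTYPES"].append(t)
            tags["RPMTAG_POLICYTYPESINDEXES"].append(idx)
    return tags


def types_for_policy(tags, idx):
    """Reverse the indirection: all POLICYTYPES entries whose index entry equals idx."""
    return [t for t, i in zip(tags["RPMTAG_POLICYTYPES"], tags["RPMTAG_POLICYTYPESINDEXES"])
            if i == idx]


def modules_for_policy_type(tags, policy_type):
    """Hypothetical helper: names of policies usable under the given running policy type."""
    names = tags["RPMTAG_POLICYNAMES"]
    return [names[i] for i in range(len(names))
            if {policy_type, "default"} & set(types_for_policy(tags, i))]


def validate_policy_tags(tags):
    """Return problems a consumer must reject before indexing with TYPESINDEXES."""
    problems, n = [], len(tags["RPMTAG_POLICIES"])
    if len(tags["RPMTAG_POLICYNAMES"]) != n or len(tags["RPMTAG_POLICYFLAGS"]) != n:
        problems.append("POLICIES, POLICYNAMES and POLICYFLAGS differ in length")
    if len(tags["RPMTAG_POLICYTYPES"]) != len(tags["RPMTAG_POLICYTYPESINDEXES"]):
        problems.append("POLICYTYPES and POLICYTYPESINDEXES differ in length")
    bad = [i for i in tags["RPMTAG_POLICYTYPESINDEXES"] if not 0 <= i < n]
    if bad:
        problems.append(f"POLICYTYPESINDEXES out of range: {bad}")
    return problems


SAMPLE_SEPOLICY = """\
%sepolicy
# constructed sample section, mirroring the commit message's example
%semodule -n foo -t mls policy/foo.pp
%semodule -n bar -t strict,targeted,mls -b policy/bar.pp
"""
SAMPLE_MODULE_DATA = {  # constructed stand-ins for compiled .pp files
    "policy/foo.pp": b"foo module bytes (constructed)",
    "policy/bar.pp": b"bar module bytes (constructed)",
}

if __name__ == "__main__":
    tags = build_policy_tags(parse_sepolicy(SAMPLE_SEPOLICY), SAMPLE_MODULE_DATA)
    for tag, values in tags.items():
        print(tag, values)
    print("problems:", validate_policy_tags(tags))
```

Running the module prints the same four arrays the message lists (POLICYNAMES `['foo', 'bar']`, POLICYFLAGS `[0, 1]`, POLICYTYPES `['mls', 'strict', 'targeted', 'mls']`, POLICYTYPESINDEXES `[0, 1, 1, 1]`). The `validate_policy_tags` check is the part a header reader should not skip: TYPESINDEXES comes from the package, so an index must be range-checked against POLICIES before it is used to look anything up.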
Diffstat (limited to 'preinstall.am')
-rw-r--r-- | preinstall.am | 4 |
1 file changed, 4 insertions, 0 deletions
diff --git a/preinstall.am b/preinstall.am index 7f64837b0..39cf3f87d 100644 --- a/preinstall.am +++ b/preinstall.am @@ -78,6 +78,10 @@ include/rpm/rpmlegacy.h: lib/rpmlegacy.h include/rpm/$(dirstamp) $(INSTALL_DATA) $(top_srcdir)/lib/rpmlegacy.h include/rpm/rpmlegacy.h BUILT_SOURCES += include/rpm/rpmlegacy.h CLEANFILES += include/rpm/rpmlegacy.h +include/rpm/rpmpol.h: lib/rpmpol.h include/rpm/$(dirstamp) + $(INSTALL_DATA) $(top_srcdir)/lib/rpmpol.h include/rpm/rpmpol.h +BUILT_SOURCES += include/rpm/rpmpol.h +CLEANFILES += include/rpm/rpmpol.h include/rpm/rpmps.h: lib/rpmps.h include/rpm/$(dirstamp) $(INSTALL_DATA) $(top_srcdir)/lib/rpmps.h include/rpm/rpmps.h BUILT_SOURCES += include/rpm/rpmps.h |
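Review bot: Installing lib/rpmpol.h as include/rpm/rpmpol.h in this hunk makes it a public header, so whatever it declares becomes API that downstream consumers of the POLICY* tags will build against; the commit message documents the spec syntax and the tag layout but says nothing about what rpmpol.h exports or whether it is stable, and that should be stated in the header itself (and in the public API documentation) before it ships under include/rpm/. The four lines otherwise follow the adjacent rpmlegacy.h and rpmps.h rules exactly, including the `BUILT_SOURCES +=` and `CLEANFILES +=` pair and the alphabetical placement between them, which is the right place for them.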