authorSven Vermeulen <swift@gentoo.org>2012-12-04 20:21:53 +0000
committerSven Vermeulen <swift@gentoo.org>2012-12-04 20:21:53 +0000
commitf6484d0e20f0740f1fed65f6e394c9881c3305a0 (patch)
treef7e7602061a0e299a840cf8bc31d6b5a16e4ef2b /sec-policy
parentVersion bump (diff)
Enable support for unconfined USE flag
(Portage version: 2.1.11.31/cvs/Linux x86_64, signed Manifest commit with key 0xCDBA2FDB)
Diffstat (limited to 'sec-policy')
-rw-r--r--sec-policy/selinux-base-policy/ChangeLog6
-rw-r--r--sec-policy/selinux-base-policy/metadata.xml3
-rw-r--r--sec-policy/selinux-base-policy/selinux-base-policy-9999.ebuild22
-rw-r--r--sec-policy/selinux-base/ChangeLog5
-rw-r--r--sec-policy/selinux-base/metadata.xml1
-rw-r--r--sec-policy/selinux-base/selinux-base-9999.ebuild16
6 files changed, 32 insertions, 21 deletions
diff --git a/sec-policy/selinux-base-policy/ChangeLog b/sec-policy/selinux-base-policy/ChangeLog
index 510497107fa4..e283d5ef1fe8 100644
--- a/sec-policy/selinux-base-policy/ChangeLog
+++ b/sec-policy/selinux-base-policy/ChangeLog
@@ -1,6 +1,10 @@
# ChangeLog for sec-policy/selinux-base-policy
# Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-base-policy/ChangeLog,v 1.115 2012/12/03 08:52:14 swift Exp $
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-base-policy/ChangeLog,v 1.116 2012/12/04 20:21:53 swift Exp $
+
+ 04 Dec 2012; <swift@gentoo.org> selinux-base-policy-9999.ebuild,
+ metadata.xml:
+ Add in support for unconfined USE flag
*selinux-base-policy-2.20120725-r8 (03 Dec 2012)
diff --git a/sec-policy/selinux-base-policy/metadata.xml b/sec-policy/selinux-base-policy/metadata.xml
index 9f87a21d4a74..4adcb401b0bb 100644
--- a/sec-policy/selinux-base-policy/metadata.xml
+++ b/sec-policy/selinux-base-policy/metadata.xml
@@ -6,4 +6,7 @@
Gentoo SELinux base policy. This contains policy for a system at the end of system installation.
There is no extra policy in this package.
</longdescription>
+ <use>
+ <flag name='unconfined'>Enable support for the unconfined SELinux policy module</flag>
+ </use>
</pkgmetadata>
diff --git a/sec-policy/selinux-base-policy/selinux-base-policy-9999.ebuild b/sec-policy/selinux-base-policy/selinux-base-policy-9999.ebuild
index de6cc4601c29..728a75a5632a 100644
--- a/sec-policy/selinux-base-policy/selinux-base-policy-9999.ebuild
+++ b/sec-policy/selinux-base-policy/selinux-base-policy-9999.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2012 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-base-policy/selinux-base-policy-9999.ebuild,v 1.1 2012/10/13 16:30:52 swift Exp $
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-base-policy/selinux-base-policy-9999.ebuild,v 1.2 2012/12/04 20:21:53 swift Exp $
EAPI="4"
inherit eutils git-2
@@ -8,16 +8,17 @@ inherit eutils git-2
HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
DESCRIPTION="SELinux policy for core modules"
-IUSE=""
+IUSE="unconfined"
BASEPOL="9999"
-RDEPEND="=sec-policy/selinux-base-9999"
+RDEPEND="=sec-policy/selinux-base-9999
+ unconfined? ( sec-policy/selinux-unconfined )"
DEPEND=""
EGIT_REPO_URI="git://git.overlays.gentoo.org/proj/hardened-refpolicy.git"
EGIT_SOURCEDIR="${WORKDIR}/refpolicy"
KEYWORDS=""
-MODS="application authlogin bootloader clock consoletype cron dmesg fstools getty hostname hotplug init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil ssh staff storage su sysadm sysnetwork udev userdomain usermanage unprivuser xdg unconfined"
+MODS="application authlogin bootloader clock consoletype cron dmesg fstools getty hostname hotplug init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil ssh staff storage su sysadm sysnetwork udev userdomain usermanage unprivuser xdg"
LICENSE="GPL-2"
SLOT="0"
S="${WORKDIR}/"
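Review bot: The new RDEPEND atom `unconfined? ( sec-policy/selinux-unconfined )` is unversioned while the base dependency on the line above stays pinned to `=sec-policy/selinux-base-9999`, so a live build of this package can be satisfied by a released selinux-unconfined built against a different base policy. If the unconfined module has to match the live base it would be consistent to pin it the same way, `unconfined? ( =sec-policy/selinux-unconfined-9999 )`; if the mismatch is acceptable, a one-line comment saying why would save the next reader from wondering. Dropping `unconfined` from MODS is consistent with pkg_postinst no longer stripping it, but the `sed 's: unconfined::g'` removal lives in a later hunk and readers of this one see no hint that the module now arrives via the dependency.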
@@ -92,19 +93,10 @@ pkg_postinst() {
done
for i in ${POLICY_TYPES}; do
- local LOCCOMMAND
- local LOCMODS
- if [[ "${i}" != "targeted" ]]; then
- LOCCOMMAND=$(echo "${COMMAND}" | sed -e 's:-i unconfined.pp::g');
- LOCMODS=$(echo "${MODS}" | sed -e 's: unconfined::g');
- else
- LOCCOMMAND="${COMMAND}"
- LOCMODS="${MODS}"
- fi
- einfo "Inserting the following modules, with base, into the $i module store: ${LOCMODS}"
+ einfo "Inserting the following modules, with base, into the $i module store: ${MODS}"
cd /usr/share/selinux/${i} || die "Could not enter /usr/share/selinux/${i}"
- semodule -s ${i} -b base.pp ${LOCCOMMAND} || die "Failed to load in base and modules ${LOCMODS} in the $i policy store"
+ semodule -s ${i} -b base.pp ${COMMAND} || die "Failed to load in base and modules ${MODS} in the $i policy store"
done
}
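Review bot: With the targeted-only branch removed, nothing in pkg_postinst restricts the unconfined module to the targeted store any more; every store in POLICY_TYPES now gets exactly `${MODS}`, and whether unconfined lands in strict/mcs/mls stores is presumably decided by sec-policy/selinux-unconfined's own install, which is not visible here. A short comment on the `for i in ${POLICY_TYPES}` loop would record that, e.g. `# unconfined is no longer inserted here; it is provided per store by sec-policy/selinux-unconfined (USE=unconfined)`. On the einfo line and the die message the loop variable is written `$i` while the rest of the loop uses `${i}`; picking one form keeps the file's style uniform. pkg_postinst starts before this hunk; the `done` on its first line closes a loop whose body is outside the view.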
diff --git a/sec-policy/selinux-base/ChangeLog b/sec-policy/selinux-base/ChangeLog
index 4735246f4a7c..514a206d15c6 100644
--- a/sec-policy/selinux-base/ChangeLog
+++ b/sec-policy/selinux-base/ChangeLog
@@ -1,6 +1,9 @@
# ChangeLog for sec-policy/selinux-base
# Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-base/ChangeLog,v 1.14 2012/12/03 08:52:45 swift Exp $
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-base/ChangeLog,v 1.15 2012/12/04 20:21:53 swift Exp $
+
+ 04 Dec 2012; <swift@gentoo.org> selinux-base-9999.ebuild, metadata.xml:
+ Add in support for unconfined USE flag and fix #445978
*selinux-base-2.20120725-r8 (03 Dec 2012)
diff --git a/sec-policy/selinux-base/metadata.xml b/sec-policy/selinux-base/metadata.xml
index 393f3bb02965..39f241587154 100644
--- a/sec-policy/selinux-base/metadata.xml
+++ b/sec-policy/selinux-base/metadata.xml
@@ -10,5 +10,6 @@
<flag name='peer_perms'>Enable the labeled networking peer permissions (SELinux policy capability).</flag>
<flag name='open_perms'>Enable the open permissions for file object classes (SELinux policy capability).</flag>
<flag name='ubac'>Enable User Based Access Control (UBAC) in the SELinux policy</flag>
+ <flag name='unconfined'>Enable support for the unconfined SELinux module</flag>
</use>
</pkgmetadata>
diff --git a/sec-policy/selinux-base/selinux-base-9999.ebuild b/sec-policy/selinux-base/selinux-base-9999.ebuild
index c2c7084df1e9..d760869d5258 100644
--- a/sec-policy/selinux-base/selinux-base-9999.ebuild
+++ b/sec-policy/selinux-base/selinux-base-9999.ebuild
@@ -1,11 +1,11 @@
# Copyright 1999-2012 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-base/selinux-base-9999.ebuild,v 1.1 2012/10/13 16:30:53 swift Exp $
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-base/selinux-base-9999.ebuild,v 1.2 2012/12/04 20:21:53 swift Exp $
EAPI="4"
inherit eutils git-2
-IUSE="+peer_perms +open_perms +ubac doc"
+IUSE="+peer_perms +open_perms +ubac unconfined doc"
DESCRIPTION="Gentoo base policy for SELinux"
HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
@@ -63,13 +63,15 @@ src_configure() {
echo "DISTRO = gentoo" >> "${S}/refpolicy/build.conf"
+ # Prepare initial configuration
+ cd "${S}/refpolicy";
+ make conf || die "Make conf failed"
+
# Setup the policies based on the types delivered by the end user.
# These types can be "targeted", "strict", "mcs" and "mls".
for i in ${POLICY_TYPES}; do
cp -a "${S}/refpolicy" "${S}/${i}"
-
cd "${S}/${i}";
- make conf || die "Make conf in ${i} failed"
#cp "${FILESDIR}/modules-2.20120215.conf" "${S}/${i}/policy/modules.conf"
sed -i -e "/= module/d" "${S}/${i}/policy/modules.conf"
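Review bot: The new `cd "${S}/refpolicy";` is not checked, so if the directory is missing the following `make conf` runs in whatever the current directory happens to be and its failure message points at the wrong place. The pattern used elsewhere in this commit is `cd ... || die`, so the line should read `cd "${S}/refpolicy" || die "Could not enter ${S}/refpolicy"`; the trailing semicolon (also on the pre-existing `cd "${S}/${i}";` below) is harmless but unidiomatic. Hoisting `make conf` out of the per-type loop assumes its output does not depend on the policy type being built, which the hunk does not show; if that holds, a one-line comment stating it would justify the move. src_configure starts before this hunk and continues after it.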
@@ -89,6 +91,12 @@ src_configure() {
"${S}/${i}/config/appconfig-standard/seusers" \
|| die "targeted seusers setup failed."
fi
+
+ if [ "${i}" != "targeted" ] && [ "${i}" != "strict" ] && use unconfined; then
+ sed -i -e '/root/d' -e 's/user_u/unconfined_u/' \
+ "${S}/${i}/config/appconfig-${i}/seusers" \
+ || die "policy seusers setup failed."
+ fi
done
}
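Review bot: The new seusers rewrite uses `-e '/root/d'`, which deletes every line containing the substring `root` anywhere, not only root's own mapping; a login name or seuser that merely contains it would be dropped as well. Anchoring on the login field, `-e '/^root:/d'`, expresses the intent and matches only that entry; the `s/user_u/unconfined_u/` substitution is unanchored too and may be worth limiting to the seuser field, though the seusers format is not visible in this hunk. The guard is written with `[ ]` while the sibling ebuild in this commit uses `[[ ]]` for the same kind of test; one form across the package would be cleaner. Since `sed -i` returns success even when nothing matches, the `|| die` only catches I/O errors, so a comment above the block explaining that targeted and strict are skipped on purpose would help the next reader. src_configure begins before this hunk.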