From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1724546899.75d12a333e1866ad6affa62b95fe88be48f5b118.perfinion@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: eclass/
X-VCS-Repository: repo/gentoo
X-VCS-Files: eclass/selinux-policy-2.eclass
X-VCS-Directories: eclass/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 75d12a333e1866ad6affa62b95fe88be48f5b118
X-VCS-Branch: master
Date: Sun, 25 Aug 2024 00:49:06 +0000 (UTC)

commit: 75d12a333e1866ad6affa62b95fe88be48f5b118
Author: Rahul Sandhu sandhuservices dev>
AuthorDate: Fri Aug 2 19:37:54 2024 +0000
Commit: Jason Zaman gentoo org>
CommitDate: Sun Aug 25 00:48:19 2024 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=75d12a33

selinux-policy-2.eclass: Load unconfined module for mcs/mls policy types

Currently, there doesn't seem to be a reason to block the loading of the unconfined policy module on the mcs and mls policy types. Let's ensure we load the unconfined policy module unconditionally in the eclass.

The loading of the unconfined policy module was initially blocked in 82e30f21ab85b6de3ebc45ae10b28b9bd280e4a1, however as far as I can tell, there is no longer a reason to do this. Considering there are use flags for sec-policy/selinux-base and sec-policy/selinux-base-policy for the unconfined policy module, and using the unconfined policy module is supported for the mcs and mls policy types, it makes sense to no longer block the loading of the policy module.
It is also worth mentioning that grabbing an selinux stage3 has the unconfined policy module already loaded.

As the strict policy is effectively the targeted policy without support for the unconfined domain, it makes sense to not load the unconfined module for strict policy types. Let's keep a conditional check for the strict policy to ensure we don't load the unconfined module in that case.

Closes: https://bugs.gentoo.org/933709
Closes: https://github.com/gentoo/gentoo/pull/37931
Signed-off-by: Rahul Sandhu sandhuservices.dev>
Signed-off-by: Jason Zaman gentoo.org>

eclass/selinux-policy-2.eclass | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/eclass/selinux-policy-2.eclass b/eclass/selinux-policy-2.eclass index ad760673cab1..e7d6cd9a9e5f 100644 --- a/eclass/selinux-policy-2.eclass +++ b/eclass/selinux-policy-2.eclass @@ -1,4 +1,4 @@ -# Copyright 1999-2023 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 # Eclass for installing SELinux policy, and optionally @@ -260,13 +260,9 @@ selinux-policy-2_pkg_postinst() { local COMMAND for i in ${POLICY_TYPES}; do - if [[ "${MODS}" = "unconfined" ]]; then - case ${i} in - strict|mcs|mls) - einfo "Ignoring loading of unconfined module in ${i} module store."; - continue - ;; - esac + if [[ "${i}" == "strict" ]] && [[ "${MODS}" = "unconfined" ]]; then + einfo "Ignoring loading of unconfined module in strict module store."; + continue; fi einfo "Inserting the following modules into the $i module store: ${MODS}"
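
Review bot: In the selinux-policy-2_pkg_postinst() hunk, the strict guard still relies on the exact-string test `[[ "${MODS}" = "unconfined" ]]` carried over from the removed lines, so the skip only fires when MODS is exactly "unconfined". The einfo line below it speaks of "modules", so if MODS can ever hold more than one name, unconfined would still be inserted into the strict store. Either match unconfined as a word within MODS or add a comment stating that MODS is always a single module when it names unconfined. Minor style points on the same lines: the two tests mix `==` and `=` and could be a single `[[ ... && ... ]]`, and the trailing semicolons after the einfo string and after `continue` are unnecessary.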