From: Joe Stringer
To: dev@openvswitch.org
Cc: Flavio Leitner
Date: Mon, 25 Jul 2016 14:09:26 -0700
Subject: [ovs-dev] [PATCH] rhel/openvswitch.spec: Add SELinux policy.
Message-Id: <20160725210926.3366-1-joe@ovn.org>
X-Patchwork-Id: 652403

Commit 9b897c9125ef ("rhel: provide our own SELinux custom policy package") added the SELinux policy to the fedora packaging as a subpackage. This patch makes the corresponding change to openvswitch.spec, so that users of that specfile can generate the selinux policy package without having to build all of the fedora packages.
Signed-off-by: Joe Stringer Acked-by: Flavio Leitner --- As per the reasoning in the link below, I've just duplicated the subpackage lines from the fedora specfile rather than refactoring these lines into a separate specfile. http://openvswitch.org/pipermail/dev/2016-January/065134.html --- rhel/openvswitch.spec.in | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/rhel/openvswitch.spec.in b/rhel/openvswitch.spec.in index ec555a74a901..fbca1efcd17f 100644 --- a/rhel/openvswitch.spec.in +++ b/rhel/openvswitch.spec.in @@ -24,6 +24,7 @@ Source: openvswitch-%{version}.tar.gz Buildroot: /tmp/openvswitch-rpm Requires: logrotate, python >= 2.7, python-six BuildRequires: openssl-devel +BuildRequires: checkpolicy, selinux-policy-devel %bcond_without check @@ -39,6 +40,15 @@ Group: Development/Libraries %description devel This package provides openvswitch headers and libopenvswitch for developers. +%package selinux-policy +Summary: Open vSwitch SELinux policy +License: ASL 2.0 +BuildArch: noarch +Requires: selinux-policy-targeted + +%description selinux-policy +Tailored Open vSwitch SELinux policy + %prep %setup -q @@ -46,6 +56,8 @@ This package provides openvswitch headers and libopenvswitch for developers. ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=%{_localstatedir} \ --libdir=%{_libdir} --enable-ssl --enable-shared make %{_smp_mflags} +cd selinux +make -f %{_datadir}/selinux/devel/Makefile %install rm -rf $RPM_BUILD_ROOT @@ -63,6 +75,9 @@ rhel_cp etc_sysconfig_network-scripts_ifup-ovs 0755 rhel_cp etc_sysconfig_network-scripts_ifdown-ovs 0755 rhel_cp usr_share_openvswitch_scripts_sysconfig.template 0644 +install -p -m 644 -D selinux/openvswitch-custom.pp \ + $RPM_BUILD_ROOT%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp + # Get rid of stuff we don't want to make RPM happy. rm \ $RPM_BUILD_ROOT/usr/bin/ovs-testcontroller \ 
@@ -132,6 +147,9 @@ fi /sbin/chkconfig --add openvswitch /sbin/chkconfig openvswitch on +%post selinux-policy +/usr/sbin/semodule -i %{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp &> /dev/null || : + %preun if [ "$1" = "0" ]; then # $1 = 0 for uninstall /sbin/service openvswitch stop @@ -145,6 +163,11 @@ if [ "$1" = "0" ]; then # $1 = 0 for uninstall rm -f /etc/openvswitch/vswitchd.cacert fi +%postun selinux-policy +if [ $1 -eq 0 ] ; then + /usr/sbin/semodule -r openvswitch-custom &> /dev/null || : +fi + exit 0 %files @@ -216,3 +239,7 @@ exit 0 %{_libdir}/lib*.a %{_libdir}/pkgconfig %{_includedir}/openvswitch/* + +%files selinux-policy +%defattr(-,root,root) +%{_datadir}/selinux/packages/%{name}/openvswitch-custom.pp
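Review bot: In the `%package selinux-policy` header (hunk @@ -39,6 +40,15 @@) the only dependency declared is `Requires: selinux-policy-targeted`, yet the scriptlets this patch adds for the subpackage call /usr/sbin/semodule at install and at erase time. Adding `Requires(post): policycoreutils` and `Requires(postun): policycoreutils` would make RPM order the transaction so that semodule is present when those scriptlets run, instead of relying on it being pulled in indirectly.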
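Review bot: In %build (hunk @@ -46,6 +56,8 @@) the added `cd selinux` changes the working directory for the rest of the section, so any command appended to %build later would run inside selinux/ without that being obvious. `make -C selinux -f %{_datadir}/selinux/devel/Makefile` builds the module without that side effect.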
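Review bot: In `%post selinux-policy` (hunk @@ -132,6 +147,9 @@) the `&> /dev/null || :` suffix discards both the output and the exit status of `semodule -i`, so if the module fails to load, the package still installs cleanly and nothing records that the policy is not active. Keeping `|| :` so the transaction does not abort is reasonable, but stderr should stay visible (redirect stdout only), or a comment should say why the failure is ignored on purpose. `&>` is also a bash extension; `> /dev/null 2>&1` is the portable form if the redirect stays.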
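Review bot: In hunk @@ -145,6 +163,11 @@ the new `%postun selinux-policy` section is inserted between the closing `fi` of the preceding scriptlet and its `exit 0`, so that `exit 0` now belongs to the new section and the preceding scriptlet no longer ends with an explicit exit status. Placing the new section after the existing `exit 0` line, with its own terminator if one is wanted, leaves the original scriptlet unchanged. The test `[ $1 -eq 0 ]` also differs from the quoted `[ "$1" = "0" ]` form used by the surrounding scriptlets; matching that form keeps the file consistent.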