Drop SELinux subpackage

All SELinux policy needed by FreeIPA server is now part of the global
system SELinux policy which makes the subpackage redundant and slowing
down the installation. This patch drops it.

https://fedorahosted.org/freeipa/ticket/3683
https://fedorahosted.org/freeipa/ticket/3684

Makefile

@@ -228,7 +228,6 @@ distclean: version-update
 
 maintainer-clean: clean
 	rm -fr $(RPMBUILD) dist build
-	cd selinux && $(MAKE) maintainer-clean
 	cd daemons && $(MAKE) maintainer-clean
 	cd install && $(MAKE) maintainer-clean
 	cd ipa-client && $(MAKE) maintainer-clean

freeipa.spec.in

@@ -19,7 +19,6 @@ BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 %if ! %{ONLY_CLIENT}
 BuildRequires:  389-ds-base-devel >= 1.3.0
 BuildRequires:  svrcore-devel
-BuildRequires:  /usr/share/selinux/devel/Makefile
 BuildRequires:  policycoreutils >= %{POLICYCOREUTILSVER}
 BuildRequires:  systemd-units
 %if 0%{?fedora} >= 18
@@ -90,7 +89,6 @@ Group: System Environment/Base
 Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
-Requires: %{name}-server-selinux = %{version}-%{release}
 Requires: 389-ds-base >= 1.3.0.5
 Requires: openldap-clients > 2.4.35-4
 %if 0%{?fedora} == 18
@@ -149,6 +147,10 @@ Requires: tar
 Requires(pre): certmonger >= 0.65
 Requires(pre): 389-ds-base >= 1.3.0.5
 
+# With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the
+# entire SELinux policy is stored in the system policy
+Obsoletes: freeipa-server-selinux < 3.3.0
+
 # We have a soft-requires on bind. It is an optional part of
 # IPA but if it is configured we need a way to require versions
 # that work for us.
@@ -178,22 +180,6 @@ to install this package (in other words, most people should NOT install
 this package).
 
 
-%package server-selinux
-Summary: SELinux rules for freeipa-server daemons
-Group: System Environment/Base
-Requires(post): %{name}-server = %{version}-%{release}
-Requires(postun): %{name}-server = %{version}-%{release}
-Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
-
-Obsoletes: ipa-server-selinux >= 1.0
-
-%description server-selinux
-IPA is an integrated solution to provide centrally managed Identity (machine,
-user, virtual machines, groups, authentication credentials), Policy
-(configuration settings, access control information) and Audit (events,
-logs, analysis thereof). This package provides SELinux rules for the
-daemons included in freeipa-server
-
 %package server-trust-ad
 Summary: Virtual package to install packages required for Active Directory trusts
 Group: System Environment/Base
@@ -328,9 +314,6 @@ cd install; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localst
 
 %if ! %{ONLY_CLIENT}
 make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} all
-cd selinux
-# This isn't multi-process make capable yet
-make all
 %else
 make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} client
 %endif  # ! %{ONLY_CLIENT}
@@ -348,9 +331,6 @@ export SUPPORTED_PLATFORM=fedora16
 rm -f ipapython/services.py
 %if ! %{ONLY_CLIENT}
 make install DESTDIR=%{buildroot}
-cd selinux
-make install DESTDIR=%{buildroot}
-cd ..
 %else
 make client-install DESTDIR=%{buildroot}
 %endif  # ! %{ONLY_CLIENT}
@@ -497,48 +477,6 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then
 # END
 fi
 
-%pre server-selinux
-if [ -s /etc/selinux/config ]; then
-       . %{_sysconfdir}/selinux/config
-       FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
-       if [ "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT} ]; then \
-               cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}
-       fi
-fi
-
-%post server-selinux
-semodule -s targeted -i /usr/share/selinux/targeted/ipa_httpd.pp /usr/share/selinux/targeted/ipa_dogtag.pp
-. %{_sysconfdir}/selinux/config
-FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
-selinuxenabled
-if [ $? == 0  -a "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT}.%{name} ]; then
-       fixfiles -C ${FILE_CONTEXT}.%{name} restore
-       rm -f ${FILE_CONTEXT}.%name
-fi
-
-%preun server-selinux
-if [ $1 = 0 ]; then
-if [ -s /etc/selinux/config ]; then
-       . %{_sysconfdir}/selinux/config
-       FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
-       if [ "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT} ]; then \
-               cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}
-       fi
-fi
-fi
-
-%postun server-selinux
-if [ $1 = 0 ]; then
-semodule -s targeted -r ipa_httpd ipa_dogtag
-. %{_sysconfdir}/selinux/config
-FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
-selinuxenabled
-if [ $? == 0  -a "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT}.%{name} ]; then
-       fixfiles -C ${FILE_CONTEXT}.%{name} restore
-       rm -f ${FILE_CONTEXT}.%name
-fi
-fi
-
 %postun server-trust-ad
 if [ "$1" -ge "1" ]; then
 	if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then
@@ -771,12 +709,6 @@ fi
 %{_mandir}/man1/ipa-backup.1.gz
 %{_mandir}/man1/ipa-restore.1.gz
 
-%files server-selinux
-%defattr(-,root,root,-)
-%doc COPYING README Contributors.txt
-%{_usr}/share/selinux/targeted/ipa_httpd.pp
-%{_usr}/share/selinux/targeted/ipa_dogtag.pp
-
 %files server-trust-ad
 %{_sbindir}/ipa-adtrust-install
 %attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so
@@ -848,6 +780,9 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Thu Jun 13 2013 Martin Kosek <mkosek@redhat.com> - 3.2.99-1
+- Drop freeipa-server-selinux subpackage
+
 * Fri May 10 2013 Martin Kosek <mkosek@redhat.com> - 3.1.99-13
 - Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON behavior for
   socket based connections (#960222)

selinux/Makefile

@@ -1,28 +0,0 @@
-SUBDIRS = ipa_httpd ipa_dogtag
-POLICY_MAKEFILE = /usr/share/selinux/devel/Makefile
-POLICY_DIR = $(DESTDIR)/usr/share/selinux/targeted
-
-all:
-	if [ ! -e $(POLICY_MAKEFILE) ]; then echo "You need to install the SELinux development tools (selinux-policy-devel)" && exit 1; fi
-
-	@for subdir in $(SUBDIRS); do \
-		(cd $$subdir && $(MAKE) -f $(POLICY_MAKEFILE) $@) || exit 1; \
-	done
-
-clean:
-	@for subdir in $(SUBDIRS); do \
-		(cd $$subdir && $(MAKE) -f $(POLICY_MAKEFILE) $@) || exit 1; \
-	done
-
-distclean: clean
-	rm -f ipa-server-selinux.spec
-
-maintainer-clean: distclean
-
-install: all
-	install -d $(POLICY_DIR)
-	install -m 644 ipa_httpd/ipa_httpd.pp $(POLICY_DIR)
-	install -m 644 ipa_dogtag/ipa_dogtag.pp $(POLICY_DIR)
-
-load:
-	/usr/sbin/semodule -i ipa_httpd/ipa_httpd.pp

selinux/ipa-server-selinux.spec.in

@@ -1,85 +0,0 @@
-%define POLICYCOREUTILSVER 1.33.12-1
-
-Name:           ipa-server-selinux
-Version:        __VERSION__
-Release:        __RELEASE__%{?dist}
-Summary:        IPA server SELinux policies
-
-Group:          System Environment/Base
-License:        GPLv2
-URL:            http://www.freeipa.org
-Source0:        ipa-server-%{version}.tgz
-BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-BuildArch:      noarch
-
-BuildRequires: selinux-policy-devel m4 make policycoreutils >= %{POLICYCOREUTILSVER}
-Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} libsemanage
-
-%description
-SELinux policy for ipa-server
-
-%prep
-%setup -n ipa-server-%{version} -q
-
-%build
-cd selinux
-make
-
-%clean
-%{__rm} -fR %{buildroot}
-
-%install
-%{__rm} -fR %{buildroot}
-cd selinux
-install -d %{buildroot}/%{_usr}/share/selinux/targeted/
-make DESTDIR=%{buildroot} install
-
-%files
-%{_usr}/share/selinux/targeted/ipa_webgui.pp
-
-
-%define saveFileContext() \
-if [ -s /etc/selinux/config ]; then \
-	. %{_sysconfdir}/selinux/config; \
-	FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
-	if [ "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT} ]; then \
-		cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}; \
-	fi \
-fi;
-
-%define relabel() \
-. %{_sysconfdir}/selinux/config; \
-FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
-selinuxenabled; \
-if [ $? == 0  -a "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT}.%{name} ]; then \
-	fixfiles -C ${FILE_CONTEXT}.%{name} restore; \
-	rm -f ${FILE_CONTEXT}.%name; \
-fi;
-
-%pre
-%saveFileContext targeted
-
-%post
-semodule -s targeted -i /usr/share/selinux/targeted/ipa_webgui.pp
-%relabel targeted
-
-%preun
-if [ $1 = 0 ]; then
-%saveFileContext targeted
-fi
-
-%postun
-if [ $1 = 0 ]; then
-semodule -s targeted -r ipa_webgui
-%relabel targeted
-fi
-
-%changelog
-* Thu Apr  3 2008 Rob Crittenden <rcritten@redhat.com> - 1.0.0-1
-- Version bump for release
-
-* Thu Feb 21 2008 Rob Crittenden <rcritten@redhat.com> - 0.99.0-1
-- Version bump for release
-
-* Thu Jan 17 2008 Karl MacMillan <kmacmill@redhat.com> - 0.6.0-1
-- Initial version

selinux/ipa_dogtag/ipa_dogtag.fc

@@ -1 +0,0 @@
-/var/lib/ipa/pki-ca/publish(/.*)?	 gen_context(system_u:object_r:cert_t,s0)

selinux/ipa_dogtag/ipa_dogtag.te

@@ -1,35 +0,0 @@
-module ipa_dogtag 2.0;
-
-require {
-	type cert_t;
-	type pki_tomcat_t;
-	class dir write;
-	class dir add_name;
-	class dir remove_name;
-	class dir search;
-	class dir getattr;
-	class file read;
-	class file getattr;
-	class file open;
-	class file create;
-	class file write;
-	class file rename;
-	class lnk_file create;
-	class lnk_file rename;
-	class lnk_file unlink;
-}
-
-# Let dogtag write to cert_t directories
-allow pki_tomcat_t cert_t:dir write;
-allow pki_tomcat_t cert_t:dir add_name;
-allow pki_tomcat_t cert_t:dir remove_name;
-
-# Let dogtag write cert_t files
-allow pki_tomcat_t cert_t:file create;
-allow pki_tomcat_t cert_t:file write;
-allow pki_tomcat_t cert_t:file rename;
-
-# Let dogtag manage cert_t symbolic links
-allow pki_tomcat_t cert_t:lnk_file create;
-allow pki_tomcat_t cert_t:lnk_file rename;
-allow pki_tomcat_t cert_t:lnk_file unlink;

selinux/ipa_httpd/ipa_httpd.fc

@@ -1,9 +0,0 @@
-#
-# /var
-#
-/var/cache/ipa/sessions(/.*)?  gen_context(system_u:object_r:httpd_sys_content_t,s0)
-
-# Make these files writable so the selfsign plugin can operate
-/etc/httpd/alias/cert8.db       --      gen_context(system_u:object_r:cert_t,s0)
-/etc/httpd/alias/key3.db        --      gen_context(system_u:object_r:cert_t,s0)
-/var/lib/ipa/ca_serialno        --      gen_context(system_u:object_r:cert_t,s0)

selinux/ipa_httpd/ipa_httpd.te

@@ -1,11 +0,0 @@
-module ipa_httpd 2.0;
-
-require {
-        type httpd_t;
-        type cert_t;
-        class file write;
-}
-
-# Let Apache access the NSS certificate database so it can issue certs
-# See ipa_httpd.fc for the list of files that are granted write access
-allow httpd_t cert_t:file write;

selinux/ipa_webgui/ipa_webgui.fc

@@ -1,11 +0,0 @@
-#
-# /usr
-#
-/usr/sbin/ipa_webgui		--	gen_context(system_u:object_r:ipa_webgui_exec_t,s0)
-
-
-#
-# /var
-#
-/var/log/ipa_error\.log		--	gen_context(system_u:object_r:ipa_webgui_log_t,s0)
-/var/cache/ipa/sessions(/.*)?  gen_context(system_u:object_r:ipa_cache_t,s0)

selinux/ipa_webgui/ipa_webgui.if

@@ -1,8 +0,0 @@
-## <summary></summary>
-
-ifdef(`userdom_dontaudit_search_admin_dir', `', ` dnl
-interface(`userdom_dontaudit_search_admin_dir', `
-    userdom_dontaudit_search_sysadm_home_dirs($1)
-')
-')
-

selinux/ipa_webgui/ipa_webgui.te

@@ -1,92 +0,0 @@
-policy_module(ipa_webgui, 1.0)
-
-########################################
-#
-# Declarations
-#
-
-type ipa_webgui_t;
-type ipa_webgui_exec_t;
-type ipa_webgui_var_run_t;
-type ipa_cache_t;
-files_type(ipa_cache_t)
-init_daemon_domain(ipa_webgui_t, ipa_webgui_exec_t)
-
-type ipa_webgui_log_t;
-logging_log_file(ipa_webgui_log_t)
-
-require {
-        type httpd_tmp_t;
-}
-
-########################################
-#
-# IPA webgui local policy
-#
-
-allow ipa_webgui_t self:tcp_socket create_stream_socket_perms;
-allow ipa_webgui_t self:udp_socket create_socket_perms;
-allow ipa_webgui_t self:process setfscreate;
-
-# This is how the kerberos credential cache is passed to
-# the ipa_webgui process. Unfortunately, the kerberos
-# libraries seem to insist that it be open rw. To top it
-# all off there is no interface for this either.
-allow ipa_webgui_t httpd_tmp_t:file read_file_perms;
-dontaudit ipa_webgui_t httpd_tmp_t:file write;
-
-apache_search_sys_content(ipa_webgui_t)
-apache_read_config(ipa_webgui_t)
-
-corecmd_list_bin(ipa_webgui_t)
-
-miscfiles_read_localization(ipa_webgui_t)
-
-files_list_usr(ipa_webgui_t)
-files_read_etc_files(ipa_webgui_t)
-files_read_usr_files(ipa_webgui_t)
-files_read_usr_symlinks(ipa_webgui_t)
-files_search_etc(ipa_webgui_t)
-files_search_tmp(ipa_webgui_t)
-
-files_pid_file(ipa_webgui_var_run_t)
-allow ipa_webgui_t ipa_webgui_var_run_t:file manage_file_perms;
-files_pid_filetrans(ipa_webgui_t,ipa_webgui_var_run_t,file)
-
-kerberos_read_config(ipa_webgui_t)
-
-kernel_read_system_state(ipa_webgui_t)
-
-auth_use_nsswitch(ipa_webgui_t)
-
-libs_use_ld_so(ipa_webgui_t)
-libs_use_shared_libs(ipa_webgui_t)
-
-logging_search_logs(ipa_webgui_t)
-logging_log_filetrans(ipa_webgui_t,ipa_webgui_log_t,file)
-allow ipa_webgui_t ipa_webgui_log_t:file rw_file_perms;
-
-allow ipa_webgui_t self:capability { setgid setuid };
-
-# /var/cache/ipa/sessions
-files_type(ipa_cache_t)
-manage_dirs_pattern(ipa_webgui_t, ipa_cache_t, ipa_cache_t)
-manage_files_pattern(ipa_webgui_t, ipa_cache_t, ipa_cache_t)
-files_var_filetrans(ipa_webgui_t, ipa_cache_t,dir)
-
-userdom_dontaudit_search_admin_dir(ipa_webgui_t)
-
-corenet_tcp_sendrecv_all_if(ipa_webgui_t)
-corenet_udp_sendrecv_all_if(ipa_webgui_t)
-corenet_raw_sendrecv_all_if(ipa_webgui_t)
-corenet_tcp_sendrecv_all_nodes(ipa_webgui_t)
-corenet_udp_sendrecv_all_nodes(ipa_webgui_t)
-corenet_raw_sendrecv_all_nodes(ipa_webgui_t)
-corenet_tcp_sendrecv_all_ports(ipa_webgui_t)
-corenet_udp_sendrecv_all_ports(ipa_webgui_t)
-corenet_all_recvfrom_unlabeled(ipa_webgui_t)
-corenet_tcp_bind_all_nodes(ipa_webgui_t)
-corenet_udp_bind_all_nodes(ipa_webgui_t)
-corenet_tcp_bind_http_cache_port(ipa_webgui_t)
-corenet_tcp_connect_http_cache_port(ipa_webgui_t)
-corenet_tcp_connect_ldap_port(ipa_webgui_t)