diff -durN gcl-2.6.8.ORIG/clcs/makefile gcl-2.6.8/clcs/makefile --- gcl-2.6.8.ORIG/clcs/makefile 2005-05-06 15:56:55.000000000 -0600 +++ gcl-2.6.8/clcs/makefile 2009-10-20 16:00:21.608387999 -0600 @@ -9,6 +9,9 @@ saved_clcs_gcl: ../unixport/saved_pcl_gcl echo '(load "package.lisp")(load "myload.lisp")(si::save-system "$@")' | $< $(<D)/ + if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then \ + chcon -t gcl_exec_t $@; \ + fi %.h %.data %.c : %.lisp saved_clcs_gcl cp ../h/cmpinclude.h . @@ -31,6 +34,9 @@ saved_full_gcl: ${LISP} echo '(load "package.lisp")(load "loading.lisp")(jamie-load-clcs :compiled)(system::save-system "saved_full_gcl")' | ${LISP} + if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then \ + chcon -t gcl_exec_t $@; \ + fi clean: rm -f *.o *.fn saved_full_gcl$(EXE) saved_full_gcl cmpinclude.h *.c *.h *.data saved_clcs_gcl diff -durN gcl-2.6.8.ORIG/makefile gcl-2.6.8/makefile --- gcl-2.6.8.ORIG/makefile 2007-11-30 09:59:33.000000000 -0700 +++ gcl-2.6.8/makefile 2009-10-20 16:00:21.609347326 -0600 @@ -187,6 +187,9 @@ if gcc --version | grep -i mingw >/dev/null 2>&1 ; then if grep -i oncrpc makedefs >/dev/null 2>&1 ; then cp /mingw/bin/oncrpc.dll $(DESTDIR)$(INSTALL_LIB_DIR)/$(PORTDIR); fi ; fi cd $(DESTDIR)$(INSTALL_LIB_DIR)/$(PORTDIR) && \ mv $(FLISP)$(EXE) temp$(EXE) && \ + if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then \ + chcon -t gcl_exec_t temp$(EXE); \ + fi && \ echo '(reset-sys-paths "$(INSTALL_LIB_DIR)/")(si::save-system "$(FLISP)$(EXE)")' | ./temp$(EXE) && \ rm -f temp$(EXE) if [ -e "unixport/rsym$(EXE)" ] ; then cp unixport/rsym$(EXE) $(DESTDIR)$(INSTALL_LIB_DIR)/unixport/ ; fi diff -durN gcl-2.6.8.ORIG/selinux/gcl.fc gcl-2.6.8/selinux/gcl.fc --- gcl-2.6.8.ORIG/selinux/gcl.fc 1969-12-31 17:00:00.000000000 -0700 +++ gcl-2.6.8/selinux/gcl.fc 2009-10-20 16:00:52.173119081 -0600 @@ -0,0 +1,5 @@ +/usr/lib64/gcl-[^/]+/unixport/saved_.* -- gen_context(system_u:object_r:gcl_exec_t,s0) +/usr/lib/gcl-[^/]+/unixport/saved_.* -- gen_context(system_u:object_r:gcl_exec_t,s0) +/usr/lib/maxima/[^/]+/binary-gcl -- gen_context(system_u:object_r:gcl_exec_t,s0) +/usr/lib64/maxima/[^/]+/binary-gcl -- gen_context(system_u:object_r:gcl_exec_t,s0) + diff -durN gcl-2.6.8.ORIG/selinux/gcl.if gcl-2.6.8/selinux/gcl.if --- gcl-2.6.8.ORIG/selinux/gcl.if 1969-12-31 17:00:00.000000000 -0700 +++ gcl-2.6.8/selinux/gcl.if 2009-10-20 16:00:21.622010253 -0600 @@ -0,0 +1,146 @@ + +## <summary>policy for gcl</summary> + +######################################## +## <summary> +## Execute a domain transition to run gcl. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`gcl_domtrans',` + gen_require(` + type gcl_t; + type gcl_exec_t; + ') + + domtrans_pattern($1,gcl_exec_t,gcl_t) +') + + +######################################## +## <summary> +## Do not audit attempts to read, +## gcl tmp files +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`gcl_dontaudit_read_tmp_files',` + gen_require(` + type gcl_tmp_t; + ') + + dontaudit $1 gcl_tmp_t:file read_file_perms; +') + +######################################## +## <summary> +## Allow domain to read, gcl tmp files +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`gcl_read_tmp_files',` + gen_require(` + type gcl_tmp_t; + ') + + allow $1 gcl_tmp_t:file read_file_perms; +') + +######################################## +## <summary> +## Allow domain to manage gcl tmp files +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`gcl_manage_tmp',` + gen_require(` + type gcl_tmp_t; + ') + + manage_dirs_pattern($1,gcl_tmp_t,gcl_tmp_t) + manage_files_pattern($1,gcl_tmp_t,gcl_tmp_t) + manage_lnk_files_pattern($1,gcl_tmp_t,gcl_tmp_t) +') + +######################################## +## <summary> +## Execute gcl in the gcl domain, and +## allow the specified role the gcl domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed the gcl domain. +## </summary> +## </param> +## <param name="terminal"> +## <summary> +## The type of the role's terminal. +## </summary> +## </param> +# +interface(`gcl_run',` + gen_require(` + type gcl_t; + ') + + gcl_domtrans($1) + role $2 types gcl_t; + dontaudit gcl_t $3:chr_file rw_term_perms; +') + + +######################################## +## <summary> +## All of the rules required to administrate +## an gcl environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the gcl domain. +## </summary> +## </param> +## <param name="terminal"> +## <summary> +## The type of the user terminal. +## </summary> +## </param> +## <rolecap/> +# +interface(`gcl_admin',` + gen_require(` + type gcl_t; + ') + + allow $1 gcl_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, gcl_t, gcl_t) + + + gcl_manage_tmp($1) + +') diff -durN gcl-2.6.8.ORIG/selinux/gcl.te gcl-2.6.8/selinux/gcl.te --- gcl-2.6.8.ORIG/selinux/gcl.te 1969-12-31 17:00:00.000000000 -0700 +++ gcl-2.6.8/selinux/gcl.te 2009-10-20 15:52:31.702057692 -0600 @@ -0,0 +1,45 @@ +policy_module(gcl,1.0.1) + +######################################## +# +# Declarations +# + +type gcl_t; +type gcl_exec_t; +application_domain(gcl_t, gcl_exec_t) +role system_r types gcl_t; + +######################################## +# +# gcl local policy +# + +## internal communication is often done using fifo and unix sockets. +allow gcl_t self:fifo_file rw_file_perms; +allow gcl_t self:unix_stream_socket create_stream_socket_perms; + +libs_use_ld_so(gcl_t) +libs_use_shared_libs(gcl_t) + +miscfiles_read_localization(gcl_t) + +## The GCL memory management and executable dumping routines manipulate memory +## in various (usually forbidden) ways. +allow gcl_t self:process { execmem execheap }; + +optional_policy(` + unconfined_domain(gcl_t) +') + +optional_policy(` + gen_require(` + type unconfined_t; + type unconfined_devpts_t; + type unconfined_tty_device_t; + role unconfined_r; + ') + + gcl_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t }) + allow gcl_t gcl_exec_t:file execmod; +') diff -durN gcl-2.6.8.ORIG/unixport/makefile gcl-2.6.8/unixport/makefile --- gcl-2.6.8.ORIG/unixport/makefile 2006-08-23 12:14:22.000000000 -0600 +++ gcl-2.6.8/unixport/makefile 2009-10-20 16:00:21.622998021 -0600 @@ -118,6 +118,9 @@ cp init_$*.lsp foo echo " (in-package \"USER\")(system:save-system \"$@\")" >>foo $(PORTDIR)/raw_$*$(EXE) $(PORTDIR)/ -libdir $(GCLDIR)/ < foo + if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then \ + chcon -t gcl_exec_t $@; \ + fi $(RSYM): $(SPECIAL_RSYM) $(HDIR)/mdefs.h $(CC) $(CFLAGS) -I$(HDIR) -I$(ODIR) -o $(RSYM) $(SPECIAL_RSYM) @@ -157,6 +160,9 @@ $(CC) -o raw_$*$(EXE) $(filter %.o,$^) \ -L. $(EXTRA_LD_LIBS) $(LD_LIBS_PRE) -l$* $(LD_LIBS_POST) endif + if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then \ + chcon -t gcl_exec_t raw_$*$(EXE); \ + fi # diff map_$* map_$*.old >/dev/null || (cp map_$* map_$*.old && rm -f $@ && $(MAKE) $@) # cp map_$*.old map_$*