From ba4f7ac7be9f2b47c019e2edfd58ff1de4b9c265 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Sat, 15 Mar 2014 13:15:58 -0400
Subject: [PATCH] Remove custom SELinux policy

This was a temporary hack until the requisite bits landed upstream in the Fedora SELinux policy.
---
 Makefile.am | 4 ----
 configure.ac | 7 -------
 packaging/ostree.spec.in | 25 -------------------------
 selinux/.gitignore | 2 --
 selinux/Makefile.am | 24 ------------------------
 selinux/ostree.fc | 9 ---------
 selinux/ostree.if | 1 -
 selinux/ostree.te | 33 ---------------------------------
 8 files changed, 105 deletions(-)
 delete mode 100644 selinux/.gitignore
 delete mode 100644 selinux/Makefile.am
 delete mode 100644 selinux/ostree.fc
 delete mode 100644 selinux/ostree.if
 delete mode 100644 selinux/ostree.te

diff --git a/Makefile.am b/Makefile.am
index 719dbd01..b20738a0 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -31,10 +31,6 @@ endif
 SUBDIRS += .
-if BUILD_SELINUX_CUSTOM_POLICY
-SUBDIRS += selinux
-endif
-
 if ENABLE_GTK_DOC
 SUBDIRS += doc
 endif
diff --git a/configure.ac b/configure.ac
index 02b03694..439d291d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -164,12 +164,6 @@ AS_IF([ test x$with_selinux != xno ], [
 if test x$with_selinux != xno; then OSTREE_FEATURES="$OSTREE_FEATURES +selinux"; fi
 AM_CONDITIONAL(USE_SELINUX, test $with_selinux != no)
-dnl FIXME remove this
-AC_ARG_ENABLE(selinux-custom-policy,
- AS_HELP_STRING([--enable-selinux-custom-policy], [Custom policy overrides]),,
- enable_selinux_custom_policy=no)
-AM_CONDITIONAL(BUILD_SELINUX_CUSTOM_POLICY, test x$enable_selinux_custom_policy = xyes)
-
 AC_ARG_WITH(dracut,
 AS_HELP_STRING([--with-dracut],
 [Install dracut module (default: no)]),,
@@ -209,7 +203,6 @@ AC_CONFIG_FILES([
 Makefile
 embedded-dependencies/Makefile
 doc/Makefile
-selinux/Makefile
 src/libostree/ostree-1.pc
 ])
 AC_OUTPUT
diff --git a/packaging/ostree.spec.in b/packaging/ostree.spec.in
index 9d4c9795..f791e2a8 100644
--- a/packaging/ostree.spec.in
+++ b/packaging/ostree.spec.in
@@ -44,19 +44,6 @@ Requires: %{name} = %{version}-%{release}
 %description devel
 The %{name}-devel package includes the header files for the %{name} library.
-%package selinux
-Summary: SELinux policy module for %{name}
-Group: System Environment/Base
-Requires: %{name} = %{version}-%{release}
-Requires: policycoreutils, libselinux-utils
-Requires(post): selinux-policy-base, policycoreutils
-Requires(postun): policycoreutils
-BuildRequires: selinux-policy-devel
-BuildArch: noarch
-
-%description selinux
-This package installs and sets up the SELinux policy security module for %{name}.
-
 %prep
 %setup -q -n ostree-%{version}
@@ -65,7 +52,6 @@ env NOCONFIGURE=1 ./autogen.sh
 %configure --disable-silent-rules \
 --enable-gtk-doc \
 --with-selinux \
- --enable-selinux-custom-policy \
 --with-dracut
 make %{?_smp_mflags}
@@ -83,14 +69,6 @@ rm -rf $RPM_BUILD_ROOT
 %preun
 %systemd_preun ostree-remount.service
-%post selinux
-semodule -n -i %{_datadir}/selinux/packages/%{name}.pp
-
-%postun selinux
-if [ $1 -eq 0 ]; then
- semodule -n -r %{name}
-fi
-
 %files
 %doc COPYING README.md
 %{_bindir}/ostree
@@ -113,6 +91,3 @@ fi
 %dir %{_datadir}/gtk-doc/html/ostree
 %{_datadir}/gtk-doc/html/ostree
 %{_datadir}/gir-1.0/OSTree-1.0.gir
-
-%files selinux
-%attr(0600,root,root) %{_datadir}/selinux/packages/%{name}.pp
diff --git a/selinux/.gitignore b/selinux/.gitignore
deleted file mode 100644
index cbefb9da..00000000
--- a/selinux/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-ostree.pp
-tmp
diff --git a/selinux/Makefile.am b/selinux/Makefile.am
deleted file mode 100644
index 498f9df8..00000000
--- a/selinux/Makefile.am
+++ /dev/null
@@ -1,24 +0,0 @@
-# Copyright (C) 2014 Colin Walters
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2 of the License, or (at your option) any later version.
-#
-# This library is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library; if not, write to the
-# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
-# Boston, MA 02111-1307, USA.
-
-ostree.pp: ostree.fc ostree.if ostree.te
- make -f /usr/share/selinux/devel/Makefile
-
-selinuxpkgdir = $(datadir)/selinux/packages
-selinuxpkg_DATA = ostree.pp
-
-EXTRA_DIST = ostree.fc ostree.if ostree.te
diff --git a/selinux/ostree.fc b/selinux/ostree.fc
deleted file mode 100644
index 56b9c4f8..00000000
--- a/selinux/ostree.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-# Core definitions
-
-/sysroot -d gen_context(system_u:object_r:usr_t,s0)
-/ostree -d gen_context(system_u:object_r:usr_t,s0)
-/ostree -l gen_context(system_u:object_r:usr_t,s0)
-/media -l gen_context(system_u:object_r:mnt_t,s0)
-/mnt -l gen_context(system_u:object_r:mnt_t,s0)
-/var/roothome -d gen_context(system_u:object_r:admin_home_t,s0)
-/var/home -d gen_context(system_u:object_r:home_root_t,s0)
diff --git a/selinux/ostree.if b/selinux/ostree.if
deleted file mode 100644
index 996cee9a..00000000
--- a/selinux/ostree.if
+++ /dev/null
@@ -1 +0,0 @@
-# Empty.
diff --git a/selinux/ostree.te b/selinux/ostree.te
deleted file mode 100644
index 8d34940a..00000000
--- a/selinux/ostree.te
+++ /dev/null
@@ -1,33 +0,0 @@
-policy_module(ostree, 1.3.0)
-
-require {
- type init_t;
- type root_t;
- type var_log_t;
- type games_data_t;
- type var_yp_t;
- type systemd_tmpfiles_t;
- type local_login_t;
- type admin_home_t;
- type ldconfig_cache_t;
- type var_t;
- type var_run_t;
- class lnk_file { relabelfrom relabelto read getattr };
- class dir { relabelfrom relabelto create setattr write };
-}
-
-# init_t
-allow init_t admin_home_t:lnk_file { read getattr };
-allow init_t root_t:dir { write };
-
-#============= systemd_tmpfiles_t ==============
-allow systemd_tmpfiles_t games_data_t:dir relabelto;
-allow systemd_tmpfiles_t var_log_t:dir create;
-allow systemd_tmpfiles_t var_run_t:lnk_file { relabelfrom relabelto };
-allow systemd_tmpfiles_t var_t:dir { create relabelfrom relabelto setattr };
-allow systemd_tmpfiles_t var_yp_t:dir relabelto;
-allow systemd_tmpfiles_t ldconfig_cache_t:dir { relabelfrom relabelto setattr };
-allow systemd_tmpfiles_t var_t:dir { relabelfrom relabelto setattr };
-
-#============= local_login_t ==============
-allow local_login_t admin_home_t:lnk_file read;