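#
# $Id: oracle-selinux.spec 1712 2008-10-20 14:30:41Z rm153 $
#
# Package header for the Oracle SELinux policy module.  The policy itself
# lives in the three Source files (.if/.te/.fc); this spec builds it once
# per policy store listed in selinux_variants and loads it in post.
#
# change oracle_base in case of non-standard installation path
#
%define oracle_base /opt/oracle
%define selinux_variants mls strict targeted
# Version of the policy the module was compiled against, read from the
# policy-devel help file so the runtime Requires can pin it.  Empty when the
# file does not carry a version, in which case the Requires is skipped.
%define selinux_policyver %(sed -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp)
%define modulename oracle
%define moduletype apps
%define default_oracle_base /opt/oracle

#
# tag to be used in release to differentiate rpms with the same policy but
# with different oracle_bases (slashes in the path become dots)
#
%if "%{oracle_base}" != "%{default_oracle_base}"
%define obtag %(echo %{?oracle_base} | sed 's#/#.#g' 2>/dev/null)
%endif

Name: oracle-selinux
Version: 0.1
Release: 56%{?obtag}%{?dist}%{?repo}
Summary: SELinux policy module supporting Oracle
Group: System Environment/Base
License: GPLv2+
URL: http://rmyers.fedorapeople.org/oracle-selinux/
Source1: %{modulename}.if
Source2: %{modulename}.te
Source3: %{modulename}.fc
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
BuildRequires: checkpolicy, selinux-policy-devel, hardlink
BuildRequires: audit-archive-selinux, rsync-ssh-selinux
BuildArch: noarch
%if "%{selinux_policyver}" != ""
Requires: selinux-policy >= %{selinux_policyver}
%endif
Requires: audit-archive-selinux, rsync-ssh-selinux
# The scriptlets call semodule, restorecon and semanage (port, user and
# login management); all three must be present when they run.
# NOTE(review): post also calls seinfo (setools) to detect the policy type;
# it is not required here and the scriptlet tolerates its absence - confirm
# whether a hard dependency is wanted.
Requires(post): /usr/sbin/semodule, /sbin/restorecon, /usr/sbin/semanage
Requires(postun): /usr/sbin/semodule, /sbin/restorecon, /usr/sbin/semanage
Obsoletes: oracle-10gR2-selinux

%description
SELinux policy module supporting Oracle.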
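%prep
mkdir -p SELinux
cp -p %{SOURCE1} %{SOURCE2} %{SOURCE3} SELinux
# Make file contexts relative to oracle_base
perl -pi -e 's#%{default_oracle_base}#%{oracle_base}#g' SELinux/%{modulename}.fc

%build
# Build one policy package per policy store; each build is cleaned before
# the next so the variants do not share intermediate files.
cd SELinux
for selinuxvariant in %{selinux_variants}
do
  make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile
  mv %{modulename}.pp %{modulename}.pp.${selinuxvariant}
  make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean
done
cd -

%install
rm -rf %{buildroot}
# Install SELinux policy modules
cd SELinux
for selinuxvariant in %{selinux_variants}
do
  install -d %{buildroot}%{_datadir}/selinux/${selinuxvariant}
  install -p -m 644 %{modulename}.pp.${selinuxvariant} \
    %{buildroot}%{_datadir}/selinux/${selinuxvariant}/%{modulename}.pp
done
cd -
# Install SELinux interfaces
install -d %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
install -p -m 644 SELinux/%{modulename}.if \
  %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/%{modulename}.if
# Hardlink identical policy module packages together
/usr/sbin/hardlink -cv %{buildroot}%{_datadir}/selinux

%clean
rm -rf %{buildroot}

# Scriptlets run under /bin/sh (no explicit interpreter is given), so only
# POSIX sh constructs are used below: "> /dev/null 2>&1" instead of the bash
# "&>" form, "[ a ] && [ b ]" instead of the deprecated "-a", and every
# command substitution quoted so an empty result cannot break a test.
# Almost every command ends in "|| :" on purpose: a scriptlet must not fail
# the transaction because a policy store, user or mapping is missing.

%post
# Install the policy package into every store it was built for; stores that
# are not present on this host simply fail and are skipped.
for selinuxvariant in %{selinux_variants}
do
  /usr/sbin/semodule -s ${selinuxvariant} -i \
    %{_datadir}/selinux/${selinuxvariant}/%{modulename}.pp > /dev/null 2>&1 || :
done
# add an oracle port if it does not already exist
SEPORT_STATUS=$(/usr/sbin/semanage port -l | grep -c '^oracle')
if [ "${SEPORT_STATUS:-0}" -lt 1 ]; then
  /usr/sbin/semanage port -a -t oracle_port_t -p tcp 1521 || :
fi
# Fix up non-standard file contexts
/sbin/restorecon -R -v %{oracle_base} || :
/sbin/restorecon -R -v /u0? || :
/sbin/restorecon -R -v /etc || :
/sbin/restorecon -R -v /var/tmp || :
# Create an oracle_u user and map logins if:
# - it doesn't already exist
# - the system is not running targeted policy
# - it shouldn't hurt to run this repeatedly as semanage should fail gracefully
USER_STATUS=$(/usr/sbin/semanage user -l | grep -c oracle_u)
# Policy type = fourth "/"-separated field of seinfo's "policy file" line,
# i.e. the directory name under /etc/selinux.  Empty when seinfo is not
# installed; the block below is then skipped rather than guessing.
SE_TYPE=$(seinfo | grep file | awk -F/ '{print $4}')
if [ "${USER_STATUS:-0}" -lt 1 ] && [ -n "${SE_TYPE}" ] && [ "${SE_TYPE}" != "targeted" ]; then
  # add the oracle_u SELinux user
  /usr/sbin/semanage user -a -R oracle_r -P oracle -L s0:c0.c1023 oracle_u || :
  # map oracle accounts to the oracle_u SELinux user
  # NOTE(review): this is a substring match - any account whose name contains
  # "oracle" gets the mapping; confirm that is the intended set.
  for oracle_user in $(awk -F: '{print $1}' /etc/passwd | grep oracle)
  do
    /usr/sbin/semanage login -a -s oracle_u "${oracle_user}" || :
  done
  # add oracle role to root and staff_u SELinux users
  # NB: "user -m -R" replaces the whole role list, so this may cause problems
  #     if root or staff_u have been modified locally
  /usr/sbin/semanage user -m -R system_r -R sysadm_r -R staff_r -R oracle_r -P sysadm -L s0:c0.c1023 root || :
  /usr/sbin/semanage user -m -R sysadm_r -R staff_r -R oracle_r -P staff -L s0:c0.c1023 staff_u || :
  # set up the default type for the oracle role in the running policy's
  # default_type file (the same file that is checked; previously the check
  # looked at the detected policy but the append went to "strict", which is
  # the wrong file under mls)
  DEFAULT_TYPE_FILE=/etc/selinux/${SE_TYPE}/contexts/default_type
  if [ -f "${DEFAULT_TYPE_FILE}" ]; then
    DEFAULT_TYPE=$(grep -c oracle_r "${DEFAULT_TYPE_FILE}")
    if [ "${DEFAULT_TYPE:-0}" -lt 1 ]; then
      echo "oracle_r:oracle_t" >> "${DEFAULT_TYPE_FILE}" || :
    fi
  fi
fi

%postun
# Clean up after package removal only; on upgrade $1 is 1 and the new
# package's post has already refreshed everything.
if [ "$1" -eq 0 ]; then
  # remove an existing oracle port
  SEPORT_STATUS=$(/usr/sbin/semanage port -l | grep -c '^oracle')
  if [ "${SEPORT_STATUS:-0}" -gt 0 ]; then
    /usr/sbin/semanage port -d -t oracle_port_t -p tcp 1521 || :
  fi
  # remove oracle role from root and staff_u SELinux users, but only on the
  # policies where post added it: on targeted the role lists were never
  # touched, and rewriting them here would drop roles post did not set
  # NB: "user -m -R" replaces the whole role list, so this may cause problems
  #     if root or staff_u have been modified locally
  SE_TYPE=$(seinfo | grep file | awk -F/ '{print $4}')
  if [ -n "${SE_TYPE}" ] && [ "${SE_TYPE}" != "targeted" ]; then
    /usr/sbin/semanage user -m -R system_r -R sysadm_r -R staff_r -P sysadm -L s0:c0.c1023 root || :
    /usr/sbin/semanage user -m -R sysadm_r -R staff_r -P staff -L s0:c0.c1023 staff_u || :
  fi
  # unmap oracle accounts from the oracle_u SELinux user (same substring
  # match as in post; a mapping that does not exist just fails quietly)
  for oracle_user in $(awk -F: '{print $1}' /etc/passwd | grep oracle)
  do
    /usr/sbin/semanage login -d -s oracle_u "${oracle_user}" || :
  done
  # remove the oracle user
  /usr/sbin/semanage user -d -R oracle_r -P oracle -L s0:c0.c1023 oracle_u || :
  # Remove SELinux policy modules
  for selinuxvariant in %{selinux_variants}
  do
    /usr/sbin/semodule -s ${selinuxvariant} -r %{modulename} > /dev/null 2>&1 || :
  done
  # Clean up any remaining file contexts (shouldn't be any really)
  if [ -d %{oracle_base} ]; then
    /sbin/restorecon -R -v %{oracle_base} > /dev/null 2>&1 || :
  fi
  /sbin/restorecon -R -v /u0? || :
  /sbin/restorecon -R -v /etc || :
  /sbin/restorecon -R -v /var/tmp || :
fi

%files
%defattr(-,root,root,0755)
%doc SELinux/%{modulename}.fc SELinux/%{modulename}.if SELinux/%{modulename}.te
%{_datadir}/selinux/*/%{modulename}.pp
%{_datadir}/selinux/devel/include/%{moduletype}/%{modulename}.if

%changelog
* Mon Oct 20 2008 Rob Myers - 0.1-56
- update URL

* Thu Oct 15 2008 Patrick Neely - 0.1-55
- added oracle_t and oracle_r roles
- allow staff_r to transition to oracle_r
- remove staff_r as oracle management role
- oracle_t can run oracle scripts
- allow oracle domains to read oracle_tmp_t files
- added oracle_conf_t type for etc and pfile files
- /opt/oracle/admin is now oracle_conf_t
- oracle_t can manage oracle_conf_t
- fix targeted support

* Thu Apr 17 2008 Rob Myers - 0.1-23
- fix up file contexts for oracle_backup_exec_t

* Wed Apr 16 2008 Rob Myers - 0.1-22
- fix targeted policy
- allow sqlplus to read user home content on targeted policy

* Tue Apr 15 2008 Rob Myers - 0.1-21
- code cleanup
- update buildrequires and requires

* Tue Apr 8 2008 Patrick Neely - 0.1-18
- added optional policy to work with targeted policy

* Tue Apr 8 2008 Patrick Neely - 0.1-17
- allow backup scripts to create tars and rsync

* Fri Mar 14 2008 Rob Myers - 0.1-16
- allow sysadm_r to manage oracle files

* Tue Oct 9 2007 Rob Myers - 0.1-15
- allow sqlplus to name_connect to oracle_port_t

* Thu Oct 4 2007 Rob Myers - 0.1-14
- fixup requires in oracle.if

* Wed Sep 26 2007 Rob Myers - 0.1-11
- install interface

* Tue Sep 25 2007 Rob Myers - 0.1-9
- initial oracle 11gR1 support.
  added oracle_11g_support which defaults to false.

* Wed Sep 9 2007 Rob Myers - 0.1-8
- split off from oracle-10gR2 package to support oracle-11gR1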