[yocto] [meta-selinux][PATCH 2/3] Integrate selinux-config into refpolicy_common.

wenzong fan wenzong.fan at windriver.com
Fri Apr 8 01:27:53 PDT 2016


This causes a do_populate_sysroot error when two or more types of
refpolicy are built:

$ bitbake refpolicy-minimum && bitbake refpolicy-mls

ERROR: refpolicy-mls-git-r0 do_populate_sysroot: The recipe 
refpolicy-mls is trying to install files into a shared area when those 
files already exist. Those files and their manifest location are:
 
/buildarea/raid5/wfan/yocto/builds/selinux_sysvinit/tmp/sysroots/qemux86-64/etc/selinux/sepolgen.conf
  Matched in manifest-qemux86-64-refpolicy-minimum.populate_sysroot
 
/buildarea/raid5/wfan/yocto/builds/selinux_sysvinit/tmp/sysroots/qemux86-64/etc/selinux/config
  Matched in manifest-qemux86-64-refpolicy-minimum.populate_sysroot
 
/buildarea/raid5/wfan/yocto/builds/selinux_sysvinit/tmp/sysroots/qemux86-64/sysroot-providers/virtual_refpolicy
  Matched in manifest-qemux86-64-refpolicy-minimum.populate_sysroot
Please verify which recipe should provide the above files.

Philip,

Can you consider to withdraw the integration?

Thanks
Wenzong

On 04/04/2016 08:21 AM, Philip Tricca wrote:
> With the virtual package there's no need for a separate recipe to build
> the config. This can be generated and included as part of the policy
> package.
>
> Signed-off-by: Philip Tricca <flihp at twobit.us>
> ---
>   .../packagegroups/packagegroup-core-selinux.bb     |  1 -
>   .../packagegroups/packagegroup-selinux-minimal.bb  |  1 -
>   recipes-security/refpolicy/refpolicy_common.inc    | 30 ++++++++++++++--
>   recipes-security/selinux/selinux-config_0.1.bb     | 40 ----------------------
>   4 files changed, 28 insertions(+), 44 deletions(-)
>   delete mode 100644 recipes-security/selinux/selinux-config_0.1.bb
>
> diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb b/recipes-security/packagegroups/packagegroup-core-selinux.bb
> index 62c5a76..c6d22b7 100644
> --- a/recipes-security/packagegroups/packagegroup-core-selinux.bb
> +++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb
> @@ -22,7 +22,6 @@ RDEPENDS_${PN} = " \
>   	packagegroup-selinux-policycoreutils \
>   	setools \
>   	setools-console \
> -	selinux-config \
>   	selinux-autorelabel \
>   	selinux-init \
>   	selinux-labeldev \
> diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
> index 87ae686..451ae8b 100644
> --- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
> +++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
> @@ -21,7 +21,6 @@ RDEPENDS_${PN} = "\
>   	policycoreutils-semodule \
>   	policycoreutils-sestatus \
>   	policycoreutils-setfiles \
> -	selinux-config \
>   	selinux-labeldev \
>   	virtual/refpolicy \
>   "
> diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
> index ba887e4..305675f 100644
> --- a/recipes-security/refpolicy/refpolicy_common.inc
> +++ b/recipes-security/refpolicy/refpolicy_common.inc
> @@ -1,3 +1,5 @@
> +DEFAULT_ENFORCING ??= "enforcing"
> +
>   SECTION = "base"
>   LICENSE = "GPLv2"
>
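Review bot: `DEFAULT_ENFORCING` is introduced without a comment on its accepted values, and nothing visible in this patch checks it before install_config (in a later hunk) writes it verbatim as `SELINUX=` into `${sysconfdir}/selinux/config`. A misspelled override would build cleanly and, presumably, leave the target in a mode other than the one intended, which is easy to miss on an image that is meant to ship enforcing. I would add `# One of: enforcing, permissive, disabled; written to ${sysconfdir}/selinux/config` above the assignment and fail the build when the value is anything else.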
> @@ -14,7 +16,8 @@ SRC_URI += "file://customizable_types \
>
>   S = "${WORKDIR}/refpolicy"
>
> -FILES_${PN} = " \
> +CONFFILES_${PN} += "${sysconfdir}/selinux/config"
> +FILES_${PN} += " \
>   	${sysconfdir}/selinux/${POLICY_NAME}/ \
>   	${datadir}/selinux/${POLICY_NAME}/*.pp \
>   	${localstatedir}/lib/selinux/${POLICY_NAME}/ \
> @@ -25,7 +28,6 @@ FILES_${PN}-dev =+ " \
>   "
>
>   DEPENDS += "checkpolicy-native policycoreutils-native m4-native"
> -RDEPENDS_${PN} += "selinux-config"
>
>   PACKAGE_ARCH = "${MACHINE_ARCH}"
>
> @@ -137,13 +139,37 @@ install_misc_files () {
>   	oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install-headers
>   }
>
> +install_config () {
> +	echo "\
> +# This file controls the state of SELinux on the system.
> +# SELINUX= can take one of these three values:
> +#     enforcing - SELinux security policy is enforced.
> +#     permissive - SELinux prints warnings instead of enforcing.
> +#     disabled - No SELinux policy is loaded.
> +SELINUX=${DEFAULT_ENFORCING}
> +# SELINUXTYPE= can take one of these values:
> +#     standard - Standard Security protection.
> +#     mls - Multi Level Security protection.
> +#     targeted - Targeted processes are protected.
> +#     mcs - Multi Category Security protection.
> +SELINUXTYPE=${POLICY_TYPE}
> +" > ${WORKDIR}/config
> +	install -d ${D}/${sysconfdir}/selinux
> +	install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
> +}
> +
>   do_install () {
>   	prepare_policy_store
>   	rebuild_policy
>   	install_misc_files
> +	install_config
>   }
>
>   do_install_append(){
>   	# While building policies on target, Makefile will be searched from SELINUX_DEVEL_PATH
>   	echo "SELINUX_DEVEL_PATH=${datadir}/selinux/${POLICY_NAME}/include" > ${D}${sysconfdir}/selinux/sepolgen.conf
>   }
> +
> +sysroot_stage_all_append () {
> +	sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
> +}
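Review bot: `SELINUXTYPE=${POLICY_TYPE}` in install_config may not name the directory that actually holds the policy: the FILES hunk above packages the store under `${sysconfdir}/selinux/${POLICY_NAME}/`, and SELINUXTYPE is the name of that directory under /etc/selinux. The removed selinux-config recipe derived the value from the provider name with the `refpolicy-` prefix stripped, so this is a behaviour change for any recipe whose POLICY_TYPE and POLICY_NAME differ (both are defined outside this diff, so that needs confirming). In that case the target would boot with a config pointing at a policy that is not installed; `SELINUXTYPE=${POLICY_NAME}` keeps the config and the installed store in step. The value list in the generated comment would also need to reflect the policy names these recipes actually produce.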
> diff --git a/recipes-security/selinux/selinux-config_0.1.bb b/recipes-security/selinux/selinux-config_0.1.bb
> deleted file mode 100644
> index e902e98..0000000
> --- a/recipes-security/selinux/selinux-config_0.1.bb
> +++ /dev/null
> @@ -1,40 +0,0 @@
> -DEFAULT_ENFORCING ??= "enforcing"
> -
> -SUMMARY = "SELinux configuration"
> -DESCRIPTION = "\
> -SELinux configuration files for Yocto. \
> -"
> -
> -SECTION = "base"
> -LICENSE = "MIT"
> -LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
> -PR = "r4"
> -
> -S = "${WORKDIR}"
> -
> -CONFFILES_${PN} += "${sysconfdir}/selinux/config"
> -
> -PACKAGE_ARCH = "${MACHINE_ARCH}"
> -
> -do_install () {
> -	echo "\
> -# This file controls the state of SELinux on the system.
> -# SELINUX= can take one of these three values:
> -#     enforcing - SELinux security policy is enforced.
> -#     permissive - SELinux prints warnings instead of enforcing.
> -#     disabled - No SELinux policy is loaded.
> -SELINUX=${DEFAULT_ENFORCING}
> -# SELINUXTYPE= can take one of these values:
> -#     standard - Standard Security protection.
> -#     mls - Multi Level Security protection.
> -#     targeted - Targeted processes are protected.
> -#     mcs - Multi Category Security protection.
> -SELINUXTYPE=${@d.getVar("PREFERRED_PROVIDER_virtual/refpolicy", False)[len("refpolicy-"):]}
> -" > ${WORKDIR}/config
> -	install -d ${D}/${sysconfdir}/selinux
> -	install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
> -}
> -
> -sysroot_stage_all_append () {
> -	sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
> -}
>


