[yocto] [PATCH][meta-selinux] refpolicy-minimum: port changes for prepare_policy_store
George McCollister
george.mccollister at gmail.com
Tue Apr 19 11:34:30 PDT 2016
On Mon, Apr 18, 2016 at 2:34 AM, wenzong fan <wenzong.fan at windriver.com> wrote:
> On 04/18/2016 05:02 AM, Philip Tricca wrote:
>>
>> Hello Wenzong,
>>
>> On 04/08/2016 01:19 AM, wenzong.fan at windriver.com wrote:
>>>
>>> From: Wenzong Fan <wenzong.fan at windriver.com>
>>>
>>> Apply the changes to refpolicy-minimum_2.20151208.bb:
>>>
>>> commit bfaf278116e6c3a04bb82c9f8a4f8629a0a85df8
>>> Author: Wenzong Fan <wenzong.fan at windriver.com>
>>> Date: Tue Oct 27 06:25:04 2015 -0400
>>>
>>> refpolicy-minimum: update prepare_policy_store
>>>
>>> * update prepare_policy_store() to support SELinux 2.4 & CIL; the
>>> logic is from refpolicy_common.inc but with a minimum set of policy
>>> modules;
>>>
>>> * add extra policy modules that are required by sysnetwork; without
>>> those modules the install process will fail with error:
>>>
>>> | Failed to resolve roletype statement at 62 of \
>>>
>>> .../image/var/lib/selinux/minimum/tmp/modules/100/sysnetwork/cil
>>> | Failed to resolve ast
>>> | semodule: Failed!
>>>
>>> Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
>>> Signed-off-by: Joe MacDonald <joe_macdonald at mentor.com>
>>>
>>> Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
>>> ---
>>
>>
>> This looks great but in testing it I'm unable to use the 'minimum'
>> refpolicy recipe in any image. The recipe builds fine but the do_rootfs
>> fails trying to label the filesystem. I haven't been able to find the
>> root cause for this yet, but I'm seeing this behavior both before and
>> after adding this patch so it may be a preexisting issue?
>>
>> Given all of that, I've merged this patch into master since it doesn't
>> seem related to the issue I'm seeing. Still, some help in resolving the
>> issue I'm seeing with the minimum refpolicy recipe would be appreciated.
>
>
> Hi Philip,
>
> Thanks for getting the change merged.
>
> I did a test and saw errors like:
>
>
> /.../core-image-selinux/1.0-r0/rootfs//etc/selinux/mcs/contexts/files/file_contexts:
> No such file or directory
>
> That should be because the SELINUXTYPE in /etc/selinux/config is not
> correct; the patch below could fix it:
>
> --- a/recipes-security/refpolicy/refpolicy_common.inc
> +++ b/recipes-security/refpolicy/refpolicy_common.inc
> @@ -162,7 +162,8 @@ SELINUX=${DEFAULT_ENFORCING}
> # mls - Multi Level Security protection.
> # targeted - Targeted processes are protected.
> # mcs - Multi Category Security protection.
> -SELINUXTYPE=${POLICY_TYPE}
> +# minimum - Minimum Security protection.
> +SELINUXTYPE=${POLICY_NAME}
>
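Review bot: the comment block above SELINUXTYPE= still reads as a list of POLICY_TYPE values (mls, targeted, mcs, and now minimum), while the value is now ${POLICY_NAME}, the directory name under /etc/selinux/ that the refpolicy recipes install into (the ${D}${sysconfdir}/selinux/${POLICY_NAME} paths in the refpolicy-minimum patch); reword the comment to say SELINUXTYPE must match that installed store directory, so the next reader does not reintroduce ${POLICY_TYPE}. This is the mismatch behind the error quoted above: with SELINUXTYPE=mcs the rootfs labelling step looks for /etc/selinux/mcs/contexts/files/file_contexts, but the contexts live under /etc/selinux/${POLICY_NAME}.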
> It works in my test; please feel free to integrate it if you think it makes
> sense.
>
With this change my refpolicy-targeted build completes again.
Thanks,
George
> Thanks
> Wenzong
>
>
>>
>> Thanks,
>> Philip
>>
>>> .../refpolicy/refpolicy-minimum_2.20151208.bb | 41 ++++++++++++++++------
>>> 1 file changed, 30 insertions(+), 11 deletions(-)
>>>
>>> diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
>>> b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
>>> index b275821..47ed558 100644
>>> --- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
>>> +++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
>>> @@ -26,23 +26,42 @@ EXTRA_POLICY_MODULES += "nscd"
>>> # "login", so "login" process will access to /var/spool/mail.
>>> EXTRA_POLICY_MODULES += "mta"
>>>
>>> +# sysnetwork requires type definitions (insmod_t, consoletype_t,
>>> +# hostname_t, ping_t, netutils_t) from modules:
>>> +EXTRA_POLICY_MODULES += "modutils consoletype hostname netutils"
>>> +
>>> POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
>>>
>>> # re-write the same func from refpolicy_common.inc
>>> prepare_policy_store () {
>>> oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
>>> + POL_PRIORITY=100
>>> + POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
>>> + POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
>>> + POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
>>>
>>> # Prepare to create policy store
>>> - mkdir -p ${D}${sysconfdir}/selinux/
>>> - mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/policy
>>> - mkdir -p
>>> ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules
>>> - mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files
>>> - touch
>>> ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local
>>> - for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do
>>> - bzip2 -f $i && mv -f $i.bz2 $i
>>> - done
>>> - cp base.pp
>>> ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
>>> - for i in ${POLICY_MODULES_MIN}; do
>>> - cp ${i}.pp
>>> ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename
>>> $i.pp`
>>> + mkdir -p ${POL_STORE}
>>> + mkdir -p ${POL_ACTIVE_MODS}
>>> +
>>> + # get hll type from suffix on base policy module
>>> + HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print
>>> $NF}}')
>>> +
>>> HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
>>> +
>>> + for i in base ${POLICY_MODULES_MIN}; do
>>> + MOD_FILE=${POL_SRC}/${i}.${HLL_TYPE}
>>> + MOD_DIR=${POL_ACTIVE_MODS}/${i}
>>> + mkdir -p ${MOD_DIR}
>>> + echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
>>> +
>>> + if ! bzip2 -t ${MOD_FILE} >/dev/null 2>&1; then
>>> + ${HLL_BIN} ${MOD_FILE} | bzip2 --stdout >
>>> ${MOD_DIR}/cil
>>> + bzip2 -f ${MOD_FILE} && mv -f ${MOD_FILE}.bz2
>>> ${MOD_FILE}
>>> + else
>>> + bunzip2 --stdout ${MOD_FILE} | \
>>> + ${HLL_BIN} | \
>>> + bzip2 --stdout > ${MOD_DIR}/cil
>>> + fi
>>> + cp ${MOD_FILE} ${MOD_DIR}/hll
>>> done
>>> }
>>>
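Review bot: both conversion pipelines in the loop (`${HLL_BIN} ${MOD_FILE} | bzip2 --stdout > ${MOD_DIR}/cil` and the `bunzip2 --stdout ... | ${HLL_BIN} | bzip2 --stdout` form) report only bzip2's exit status, so a failure of the HLL converter leaves an empty or truncated cil file and do_install still succeeds; the breakage then surfaces only at image time as the `Failed to resolve ... semodule: Failed!` error quoted in the commit message. Suggest writing the converter output to a temporary file and checking its status before compressing, or `set -o pipefail` at the top of the function if the shell bitbake runs it with supports that, plus a `[ -s ${MOD_DIR}/cil ]` guard after each module. Separately, the removed `mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files` and `touch .../file_contexts.local` lines are not mentioned in the commit message; please confirm that `oe_runmake ... install` creates that directory, since the rootfs labelling step reads file_contexts from it.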
>>
>>
>>
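An added sanity check (example code, not from the thread or from meta-selinux) that catches the SELINUXTYPE mismatch Wenzong describes, and the incomplete-module case, before an image is labelled: it reads SELINUXTYPE from etc/selinux/config in a built rootfs, verifies the file_contexts path it implies, and walks the SELinux 2.4 module store layout that prepare_policy_store writes (cil, hll and lang_ext under var/lib/selinux/<name>/active/modules/<priority>/<module>/). The function name check_selinux_rootfs and the requirement that every module has a non-empty cil are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or meta-selinux: check that a built
# rootfs is consistent before it is labelled. Function name is hypothetical.
# Usage: check_selinux_rootfs /path/to/rootfs   (0 = consistent, 1 = problem)

check_selinux_rootfs() {
    rootfs="$1"
    cfg="$rootfs/etc/selinux/config"
    if [ ! -f "$cfg" ]; then
        echo "missing $cfg" >&2
        return 1
    fi

    # SELINUXTYPE=<name> selects /etc/selinux/<name>, so it must be the
    # store directory name (POLICY_NAME), not the policy type (mcs, mls...).
    stype=$(sed -n 's/^SELINUXTYPE=//p' "$cfg" | tail -n 1)
    if [ -z "$stype" ]; then
        echo "no SELINUXTYPE= line in $cfg" >&2
        return 1
    fi

    fc="$rootfs/etc/selinux/$stype/contexts/files/file_contexts"
    if [ ! -f "$fc" ]; then
        echo "SELINUXTYPE=$stype but $fc is missing; installed stores:" >&2
        ls -d "$rootfs"/etc/selinux/*/ >&2 2>/dev/null || true
        return 1
    fi

    # SELinux 2.4 module store layout written by prepare_policy_store:
    # var/lib/selinux/<name>/active/modules/<priority>/<module>/{cil,hll,lang_ext}
    # An empty cil is what a silently failed HLL conversion leaves behind.
    store="$rootfs/var/lib/selinux/$stype/active/modules"
    rc=0
    for mod in "$store"/*/*/; do
        [ -d "$mod" ] || continue
        for f in cil hll lang_ext; do
            if [ ! -s "$mod$f" ]; then
                echo "incomplete module $mod: $f missing or empty" >&2
                rc=1
            fi
        done
    done
    return $rc
}
```

Run it against ${IMAGE_ROOTFS} from a rootfs postprocess hook or by hand on the deployed rootfs directory; a non-zero exit names the store that is missing or the module that is incomplete.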