[yocto] [meta-selinux] Updated meta-selinux -- master-next

Joe MacDonald joe at deserted.net
Fri Sep 27 12:58:53 PDT 2013 

[[yocto] [meta-selinux] Updated meta-selinux -- master-next] On 13.09.19 (Thu 13:41) Mark Hatle wrote:

> I have updated meta-selinux, and placed the update into the 'master-next' branch.
> 
> This was locally tested with Poky as of commit
> 853bc53cd58a621918f0e5ce662dba263d1befb4.
> 
> Note, when building the core-image-selinux, the internal refpolicies
> cause a lot of failures.  I'm not an expert on how this should be
> configured, so I'm looking for help/patches from others.
> 
> If you know of any other additional patches that should be applied,
> or are able to help with the refpolicies, please let me know!
> 
> Thanks!
> --Mark

I just pushed a new (non-ff!) update to master-next.  It includes the
following:

   - Mark Hatle: policycoreutils: avoid shell for checking target-special actions
   - Mark Hatle: setools: Uprev setools
   - Mark Hatle: README: Update status
   - Mark Hatle: libcap-ng: Uprev libcap-ng
   - Mark Hatle: audit: Uprev to audit 2.3.2
   - Mark Hatle: swig: Update to latest swig from meta-openembedded
   - Mark Hatle: python-ipy: Uprev to latest 0.81 version
   - Mark Hatle: distro/*: Update the distro files
   - Christopher Larson: layer.conf: avoid unnecessary early expansion with :=
   - Qiang Chen: selinux: remove reference to locale env files from login
   - Mark Hatle: linux-yocto: Add support for the 3.10 kernel
   - Xin Ouyang: kernel: add BBAPPEND for linux 3.10
   - Xin Ouyang: busybox: alternatives link to sh wrappers for commands
   - Xin Ouyang: refpolicy*: remove old version recipes and patches.
   - Xin Ouyang: refpolicy*: add new version 2.20130424
   - Joe MacDonald: udev/init: work around dev-cache restore problems
   - Mark Hatle: udev/init: sync to latest poky version
   - Xin Ouyang: always force to restore file contexts in initscripts
   - Xin Ouyang: policycoreutils: fix wrong newrole/run_init pam config
   - Xin Ouyang: sepolgen: migrate SRC_URI to 1.1.9
   - Xin Ouyang: policycoreutils: migrate SRC_URI and patches to 2.1.14
   - Xin Ouyang: libsepol: migrate SRC_URI to 2.1.9
   - Xin Ouyang: libsemanage: migrate SRC_URI to 2.1.10
   - Xin Ouyang: libselinux: migrate SRC_URI and patches to 2.1.13
   - Xin Ouyang: checkpolicy: migrate SRC_URI to 2.1.12
   - Xin Ouyang: selinux userspace: uprev packages to release 20130423
   - Philip Tricca: Add ${bindir}/sepolgen to system-config-selinux package.
   - Philip Tricca: Check for the availability of 'secon' and 'setenforce' in the selinux-init.sh script.
   - Philip Tricca: Resend: Install policy headers and include them in the refpolicy dev package.
   - Joe Slater: openssh: add PACKAGECONFIG data regarding audit
   - Philip Tricca: Add util-linux-agetty to core-image-selinux IMAGE_INSTALL.
   - Joe MacDonald: documentation: update guidance for runqemu
   - Philip Tricca: Stage SELinux config file in the sysroot.
   - Philip Tricca: Add leading whitespace to DISTRO_FEATURES_append in oe-selinux.conf

It's still not as clean as I would like it, but at least I understand
(most of) the current failures.  I'll probably not get another chance to
look at this until Monday, though.

First boot and auto-relabel works fine.

Second boot generates the following audit warnings:

   type=1401 audit(1380309719.391:4): security_validate_transition:  denied for oldcontext=system_u:object_r:device_t:s15:c0.c1023 newcontext=system_u:object_r:framebuf_device_t:s0 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=chr_file
   udevd[135]: setfilecon /dev/fb0 failed: Operation not permitted

   type=1401 audit(1380309729.653:5): security_validate_transition:  denied for oldcontext=system_u:object_r:device_t:s15:c0.c1023 newcontext=system_u:object_r:tty_device_t:s0 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=chr_file
   type=1401 audit(1380309729.663:6): security_validate_transition:  denied for oldcontext=system_u:object_r:device_t:s15:c0.c1023 newcontext=system_u:object_r:tty_device_t:s0 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=chr_file
   udevd[86]: setfilecon /dev/vcs2 failed: Operation not permitted

   udevd[93]: setfilecon /dev/vcsa2 failed: Operation not permitted

I initially sunk a lot of time into these until I realized the problem
is present (and just not reported) in master.  I haven't yet opened a
bug on it, but I intend to unless I can fix it myself (or someone sends
me a patch) in the very short term.

Subsequent boots are less happy:

   type=1401 audit(1380310608.155:5): security_validate_transition:  denied for oldcontext=system_u:object_r:device_t:s0 newcontext=system_u:object_r:memory_device_t:s15:c0.c1023 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=chr_file
   type=1401 audit(1380310608.164:6): security_validate_transition:  denied for oldcontext=system_u:object_r:device_t:s0 newcontext=system_u:object_r:memory_device_t:s15:c0.c1023 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=chr_file
   type=1401 audit(1380310608.178:7): security_validate_transition:  denied for oldcontext=system_u:object_r:device_t:s0 newcontext=system_u:object_r:memory_device_t:s15:c0.c1023 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=chr_file
   type=1401 audit(1380310608.203:8): security_validate_transition:  denied for oldcontext=system_u:object_r:device_t:s0 newcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=chr_file
   type=1401 audit(1380310608.783:9): security_validate_transition:  denied for oldcontext=system_u:object_r:fixed_disk_device_t:s0 newcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=blk_file
   type=1401 audit(1380310608.789:10): security_validate_transition:  denied for oldcontext=system_u:object_r:fixed_disk_device_t:s0 newcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=blk_file
   type=1401 audit(1380310608.793:11): security_validate_transition:  denied for oldcontext=system_u:object_r:fixed_disk_device_t:s0 newcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=blk_file
   type=1401 audit(1380310608.798:12): security_validate_transition:  denied for oldcontext=system_u:object_r:fixed_disk_device_t:s0 newcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=blk_file
   type=1401 audit(1380310608.802:13): security_validate_transition:  denied for oldcontext=system_u:object_r:fixed_disk_device_t:s0 newcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=blk_file
   udevd[86]: starting version 182
   Starting Bootlog daemon: bootlogd.
   Populating dev cache
   ALSA: Restoring mixer settings...
   audit_printk_skb: 87 callbacks suppressed
   type=1400 audit(1380310625.861:43): avc:  denied  { read write } for  pid=249 comm="alsactl" path="/dev/ttyS0" dev="devtmpfs" ino=6092 scontext=system_u:system_r:alsa_t:s0-s15:c0.c1023 tcontext=root:object_r:user_tty_device_t:s0 tclass=chr_file
   Configuring network interfaces... done.
   Starting rpcbind daemon...type=1400 audit(1380310628.230:44): avc:  denied  { read write } for  pid=265 comm="rpcbind" path="/dev/ttyS0" dev="devtmpfs" ino=6092 scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tcontext=root:object_r:user_tty_device_t:s0 tclass=chr_file
   done.

But these are all due to problems I detail in "udev/init: work around
dev-cache restore problems".  There's a simple workaround for it, but
it's hacky (less hacky than not using the dev cache at all? more? not
sure) so I'd rather come up with a cleaner solution.

Anyway, that's the state of meta-selinux's master-next as of right now.

As mentioned (somewhere) elsewhere, master-next will continue to be
non-ff for the foreseeable future, so anyone else should use it with
caution.  master is, of course, perfectly stable (and I hope up-to-date
with all current submissions merged).

-- 
-Joe MacDonald.
:wq
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://lists.yoctoproject.org/pipermail/yocto/attachments/20130927/5a36eaf8/attachment.pgp>

More information about the yocto mailing list