[yocto] [meta-selinux] refpolicy update in master-next

Pascal Ouyang xin.ouyang at windriver.com
Mon Sep 22 01:29:35 PDT 2014


On 14-9-20 at 5:17 AM, Joe MacDonald wrote:
> [Re: [meta-selinux] refpolicy update in master-next] On 14.09.18 (Thu 15:06) Mark Hatle wrote:
>
>> On 9/18/14, 2:57 PM, Joe MacDonald wrote:
>>> Hey all,
>>>
>>> As we'd all discussed at different times in the past, we're well behind
>>> the curve on a refpolicy update for meta-selinux.  With the 1.7 release
>>> of Yocto coming up, we thought it was important to update the policy
>>> sooner rather than later, so I'm starting that work now.
>>>
>>> It's being done in master-next and currently the only recipe that has
>>> been updated is the -mls one.  Over the next few days I'll be updating
>>> the others, then working through testing and trying to make sure they're
>>> all sane.  It would help me out immensely if you had time to kick the
>>> tires as well on your favourite policy variant.
>>>
>>> Depending on how long this takes, the next step is updating the
>>> userspace.  Fortunately this time around, though, the current userspace
>>> is still officially up to the task of managing the current policy, so a
>>> full update isn't strictly required.  It'd be a really nice thing to
>>> have done, though.  :-)
>>>
>>
>> I spoke with Joe about this work this morning, and I think
>> master-next is the right place to do this.  So if you have immediate
>> bug fixes, we'll try to apply them to both master and master-next.
>> And then continue to use master-next to stage the policy changes (or
>> anything else that requires a bit more 'soak' time) before merging.
>>
>> I'd like to try to get 'master' of meta-selinux fully synced and
>> working with the 'master' of Poky around the time of Poky's release
>> (within a week or so of the release at least)..  then we can branch
>> and let the master continue to flow with any "new" work.  (It's a
>> plan, I'm not sure if it'll happen or not.)
>>
>> If anyone has any concerns let me know.. otherwise I think this is the plan!
>
> The plan proceeds!  :-)
>
> Anyway, so I've now updated all of the policies in refpolicy/ and I'm
> starting in on the testing.
>
> Pascal:  Can you pay particular attention to refpolicy-minimum?  The
> straight forward-port of it failed to install the unconfined module
> (obviously kind of important to r-min) due to some failure inside
> prepare_policy_store().  I started debugging it, then saw that there was
> a copy in the refpolicy-minimum recipe as well as one in
> refpolicy_common.inc.  Both of them need to be cleaned up, but they both
> appeared to be doing the same thing in slightly different ways.  Given
> that, I turfed the one from refpolicy-minimum and it looks like the
> unconfined.pp is installed properly using the version from
> refpolicy_common.  It wasn't clear looking at either the function or the
> commit log why a duplicate version of the function was placed in
> refpolicy-minimum, so please have a look to see why it was there and if
> it's still needed.

Hi Joe,

The original prepare_policy_store() has a naming bug for 
compressed_policy, and I have fixed it.
A "clear compressed_policy distro feature" commit is also pushed, as I 
have mentioned to you.

Thanks. :)

- Pascal

>
> Thanks.
>


-- 
- Pascal


