[yocto] [meta-selinux][PATCH 2/3] Integrate selinux-config into refpolicy_common.

wenzong fan wenzong.fan at windriver.com
Mon Apr 11 22:54:06 PDT 2016


On 04/12/2016 11:55 AM, Philip Tricca wrote:
> Hello,
>
> On 04/11/2016 05:54 AM, Joe MacDonald wrote:
>>> This causes do_populate_sysroot error if build two or more types of
>>> refpolicy:
>>>
>>> $ bitbake refpolicy-minimum && bitbake refpolicy-mls
>>>
>>> ERROR: refpolicy-mls-git-r0 do_populate_sysroot: The recipe refpolicy-mls is
>>> trying to install files into a shared area when those files already exist.
>>> Those files and their manifest location are:
>>
>> I think this was always the intent with the series Philip submitted last
>> week (for reference, the thread is
>> https://www.mail-archive.com/yocto@yoctoproject.org/msg28530.html).
>> Isn't this (part of) the expected behaviour of the virtual provider
>> mechanism?
>
> This is the question I think we need to figure out. My understanding
> (quite possibly wrong) is that the virtual provider stuff would prevent
> the installation of more than one provider. I hadn't considered the
> implications for the sysroot.
>
> Is the ability to install multiple providers in the sysroot expected? I
> imagine that this problem must have been solved before in another
> package with virtual providers that install the same file. I'm happy to
> doing some digging here but if anyone knows of a good example I'd
> appreciate a pointer.
>
>> We did discuss what it would mean to be trying out multiple
>> policies on a system at the same time and at the time it seemed like the
>> "just works" angle was more important than "buffet style" when it came
>> to providing policy on the image.
>
> I guess the thing I like the most about setting the policy package up as
> a virtual package is the ability to select the policy type as a distro
> config. The virtual provider seemed like a natural fit as it's a pattern
> that similar packages (kernel etc) use extensively.
>
>> It might be worth considering extending the changes to only do some
>> install steps at, say, do_rootfs but I don't know if that even makes
>> sense, this is really the first I've thought of it.  I think Philip's
>> original changes are good, though, for our maintenance and for clients
>> of meta-selinux.
>
> There may be a middle ground and I think that would be leaving the
> configuration file as a separate package. Personally I liked the idea of
> rolling the config file into the policy package as it was always a bit
> awkward requiring coordination of some variables across the policy and
> the config package which made it a bit brittle.
>
> Wenzong: A few questions: What's your use case for building multiple
> policy packages? Would you suggest just backing out the removal of the
> config package or the whole virtual provider thing?

Hi Philip,

The virtual provider is OK; just restoring the config package is the 
simplest way to fix such an issue, I think.

My use cases include:
a. update refpolicy and build each type to make sure patch/build/install 
work;
b. run world build with meta-selinux layer.

Thanks
Wenzong

>
> Thanks,
> Philip
>
>>> /buildarea/raid5/wfan/yocto/builds/selinux_sysvinit/tmp/sysroots/qemux86-64/etc/selinux/sepolgen.conf
>>>   Matched in manifest-qemux86-64-refpolicy-minimum.populate_sysroot
>>>
>>> /buildarea/raid5/wfan/yocto/builds/selinux_sysvinit/tmp/sysroots/qemux86-64/etc/selinux/config
>>>   Matched in manifest-qemux86-64-refpolicy-minimum.populate_sysroot
>>>
>>> /buildarea/raid5/wfan/yocto/builds/selinux_sysvinit/tmp/sysroots/qemux86-64/sysroot-providers/virtual_refpolicy
>>>   Matched in manifest-qemux86-64-refpolicy-minimum.populate_sysroot
>>> Please verify which recipe should provide the above files.
>>>
>>> Philip,
>>>
>>> Can you consider to withdraw the integration?
>>>
>>> Thanks
>>> Wenzong
>>>
>>> On 04/04/2016 08:21 AM, Philip Tricca wrote:
>>>> With the virtual package there's no need for a separate recipe to build
>>>> the config. This can be generated and included as part of the policy
>>>> package.
>>>>
>>>> Signed-off-by: Philip Tricca <flihp at twobit.us>
>>>> ---
>>>>   .../packagegroups/packagegroup-core-selinux.bb     |  1 -
>>>>   .../packagegroups/packagegroup-selinux-minimal.bb  |  1 -
>>>>   recipes-security/refpolicy/refpolicy_common.inc    | 30 ++++++++++++++--
>>>>   recipes-security/selinux/selinux-config_0.1.bb     | 40 ----------------------
>>>>   4 files changed, 28 insertions(+), 44 deletions(-)
>>>>   delete mode 100644 recipes-security/selinux/selinux-config_0.1.bb
>>>>
>>>> diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb b/recipes-security/packagegroups/packagegroup-core-selinux.bb
>>>> index 62c5a76..c6d22b7 100644
>>>> --- a/recipes-security/packagegroups/packagegroup-core-selinux.bb
>>>> +++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb
>>>> @@ -22,7 +22,6 @@ RDEPENDS_${PN} = " \
>>>>   	packagegroup-selinux-policycoreutils \
>>>>   	setools \
>>>>   	setools-console \
>>>> -	selinux-config \
>>>>   	selinux-autorelabel \
>>>>   	selinux-init \
>>>>   	selinux-labeldev \
>>>> diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
>>>> index 87ae686..451ae8b 100644
>>>> --- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
>>>> +++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
>>>> @@ -21,7 +21,6 @@ RDEPENDS_${PN} = "\
>>>>   	policycoreutils-semodule \
>>>>   	policycoreutils-sestatus \
>>>>   	policycoreutils-setfiles \
>>>> -	selinux-config \
>>>>   	selinux-labeldev \
>>>>   	virtual/refpolicy \
>>>>   "
>>>> diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
>>>> index ba887e4..305675f 100644
>>>> --- a/recipes-security/refpolicy/refpolicy_common.inc
>>>> +++ b/recipes-security/refpolicy/refpolicy_common.inc
>>>> @@ -1,3 +1,5 @@
>>>> +DEFAULT_ENFORCING ??= "enforcing"
>>>> +
>>>>   SECTION = "base"
>>>>   LICENSE = "GPLv2"
>>>>
>>>> @@ -14,7 +16,8 @@ SRC_URI += "file://customizable_types \
>>>>
>>>>   S = "${WORKDIR}/refpolicy"
>>>>
>>>> -FILES_${PN} = " \
>>>> +CONFFILES_${PN} += "${sysconfdir}/selinux/config"
>>>> +FILES_${PN} += " \
>>>>   	${sysconfdir}/selinux/${POLICY_NAME}/ \
>>>>   	${datadir}/selinux/${POLICY_NAME}/*.pp \
>>>>   	${localstatedir}/lib/selinux/${POLICY_NAME}/ \
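Review bot: the switch from `FILES_${PN} = ` to `FILES_${PN} += ` is load-bearing and deserves a sentence in the commit message: ${sysconfdir}/selinux/config is not in the explicit list, so it is packaged only because the default FILES_${PN} value (which covers ${sysconfdir}) is now kept instead of overwritten. Listing it in CONFFILES_${PN} is the right call, since a site that has switched a box to permissive would otherwise have the file replaced on every policy package upgrade.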
>>>> @@ -25,7 +28,6 @@ FILES_${PN}-dev =+ " \
>>>>   "
>>>>
>>>>   DEPENDS += "checkpolicy-native policycoreutils-native m4-native"
>>>> -RDEPENDS_${PN} += "selinux-config"
>>>>
>>>>   PACKAGE_ARCH = "${MACHINE_ARCH}"
>>>>
>>>> @@ -137,13 +139,37 @@ install_misc_files () {
>>>>   	oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install-headers
>>>>   }
>>>>
>>>> +install_config () {
>>>> +	echo "\
>>>> +# This file controls the state of SELinux on the system.
>>>> +# SELINUX= can take one of these three values:
>>>> +#     enforcing - SELinux security policy is enforced.
>>>> +#     permissive - SELinux prints warnings instead of enforcing.
>>>> +#     disabled - No SELinux policy is loaded.
>>>> +SELINUX=${DEFAULT_ENFORCING}
>>>> +# SELINUXTYPE= can take one of these values:
>>>> +#     standard - Standard Security protection.
>>>> +#     mls - Multi Level Security protection.
>>>> +#     targeted - Targeted processes are protected.
>>>> +#     mcs - Multi Category Security protection.
>>>> +SELINUXTYPE=${POLICY_TYPE}
>>>> +" > ${WORKDIR}/config
>>>> +	install -d ${D}/${sysconfdir}/selinux
>>>> +	install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
>>>> +}
>>>> +
>>>>   do_install () {
>>>>   	prepare_policy_store
>>>>   	rebuild_policy
>>>>   	install_misc_files
>>>> +	install_config
>>>>   }
>>>>
>>>>   do_install_append(){
>>>>   	# While building policies on target, Makefile will be searched from SELINUX_DEVEL_PATH
>>>>   	echo "SELINUX_DEVEL_PATH=${datadir}/selinux/${POLICY_NAME}/include" > ${D}${sysconfdir}/selinux/sepolgen.conf
>>>>   }
>>>> +
>>>> +sysroot_stage_all_append () {
>>>> +	sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
>>>> +}
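Review bot: `sysroot_stage_all_append` stages all of ${sysconfdir} into the shared sysroot, and because every refpolicy-* provider installs the same ${sysconfdir}/selinux/config and ${sysconfdir}/selinux/sepolgen.conf paths, this is where two of the three conflicting files in Wenzong's do_populate_sysroot error come from when more than one policy type is built in the same tmp (the third, sysroot-providers/virtual_refpolicy, is the generic virtual-provider marker and is not produced by this hunk). If no native tool reads these files from the sysroot, drop the staging; otherwise stage only the per-policy ${sysconfdir}/selinux/${POLICY_NAME}/ tree so providers cannot collide. Separately, install_config writes ${DEFAULT_ENFORCING} unchecked; a `case` on it that calls bbfatal unless the value is enforcing, permissive or disabled would catch a distro-config typo at build time instead of shipping a config with an unrecognised SELINUX= value.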
>>>> diff --git a/recipes-security/selinux/selinux-config_0.1.bb b/recipes-security/selinux/selinux-config_0.1.bb
>>>> deleted file mode 100644
>>>> index e902e98..0000000
>>>> --- a/recipes-security/selinux/selinux-config_0.1.bb
>>>> +++ /dev/null
>>>> @@ -1,40 +0,0 @@
>>>> -DEFAULT_ENFORCING ??= "enforcing"
>>>> -
>>>> -SUMMARY = "SELinux configuration"
>>>> -DESCRIPTION = "\
>>>> -SELinux configuration files for Yocto. \
>>>> -"
>>>> -
>>>> -SECTION = "base"
>>>> -LICENSE = "MIT"
>>>> -LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
>>>> -PR = "r4"
>>>> -
>>>> -S = "${WORKDIR}"
>>>> -
>>>> -CONFFILES_${PN} += "${sysconfdir}/selinux/config"
>>>> -
>>>> -PACKAGE_ARCH = "${MACHINE_ARCH}"
>>>> -
>>>> -do_install () {
>>>> -	echo "\
>>>> -# This file controls the state of SELinux on the system.
>>>> -# SELINUX= can take one of these three values:
>>>> -#     enforcing - SELinux security policy is enforced.
>>>> -#     permissive - SELinux prints warnings instead of enforcing.
>>>> -#     disabled - No SELinux policy is loaded.
>>>> -SELINUX=${DEFAULT_ENFORCING}
>>>> -# SELINUXTYPE= can take one of these values:
>>>> -#     standard - Standard Security protection.
>>>> -#     mls - Multi Level Security protection.
>>>> -#     targeted - Targeted processes are protected.
>>>> -#     mcs - Multi Category Security protection.
>>>> -SELINUXTYPE=${@d.getVar("PREFERRED_PROVIDER_virtual/refpolicy", False)[len("refpolicy-"):]}
>>>> -" > ${WORKDIR}/config
>>>> -	install -d ${D}/${sysconfdir}/selinux
>>>> -	install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
>>>> -}
>>>> -
>>>> -sysroot_stage_all_append () {
>>>> -	sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
>>>> -}
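Review bot: deleting selinux-config_0.1.bb removes the `selinux-config` package name entirely; the two packagegroups in this patch are updated, but an image or external layer that still lists `selinux-config` in IMAGE_INSTALL or RDEPENDS will break, so consider `RPROVIDES_${PN} += "selinux-config"` with matching RREPLACES/RCONFLICTS in refpolicy_common.inc for a transition period. Taking SELINUXTYPE from POLICY_TYPE instead of slicing PREFERRED_PROVIDER_virtual/refpolicy with `[len("refpolicy-"):]` is an improvement worth noting in the message: the slice silently produced a wrong type for any provider not named refpolicy-<type>, which is the brittle cross-recipe coordination discussed above.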
>>>>
>>
>
>
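The install_config() step in the quoted patch writes whatever DEFAULT_ENFORCING and POLICY_TYPE hold into /etc/selinux/config without checking them. As an added example that is not part of the original thread or of meta-selinux, the shell below is a validating version of that generation step plus a matching check for a config taken from an image or unpacked rootfs; the function names are my own and it assumes only POSIX sh, sed and grep.

```shell
#!/bin/sh
# Added example, not from the patch or from meta-selinux. write_selinux_config writes
# the same /etc/selinux/config layout as the patch's install_config but refuses a
# SELINUX= value outside the three modes libselinux recognises, so a typo fails the
# build instead of being shipped. check_selinux_config re-reads a config and fails on
# the same problems, plus a SELINUXTYPE with no policy store behind it. The type is not
# checked against the list in the file header, which is illustrative only (the thread
# itself builds refpolicy-minimum).

# Usage: write_selinux_config <enforcing|permissive|disabled> <policy type> <output file>
write_selinux_config() {
    mode=$1 ptype=$2 out=$3
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "write_selinux_config: SELINUX= must be enforcing, permissive or disabled, got '$mode'" >&2
           return 1 ;;
    esac
    [ -n "$ptype" ] || { echo "write_selinux_config: empty policy type" >&2; return 1; }
    printf '%s\n' \
        "# This file controls the state of SELinux on the system." \
        "# SELINUX= can take one of these three values:" \
        "#     enforcing - SELinux security policy is enforced." \
        "#     permissive - SELinux prints warnings instead of enforcing." \
        "#     disabled - No SELinux policy is loaded." \
        "SELINUX=$mode" \
        "SELINUXTYPE=$ptype" > "$out"
}

# Usage: check_selinux_config <config file> [<rootfs dir>]
# <rootfs dir> is where etc/selinux/<type>/ is expected; default is the running system.
check_selinux_config() {
    cfg=$1 root=${2:-}
    [ -r "$cfg" ] || { echo "$cfg: not readable" >&2; return 1; }
    # Only lines that start with the key count, so '#' comment lines are skipped;
    # the first assignment found is used.
    mode=$(sed -n 's/^SELINUX=//p' "$cfg" | head -n 1)
    ptype=$(sed -n 's/^SELINUXTYPE=//p' "$cfg" | head -n 1)
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "$cfg: SELINUX= is '$mode', expected enforcing, permissive or disabled" >&2
           return 1 ;;
    esac
    [ -n "$ptype" ] || { echo "$cfg: SELINUXTYPE= is missing" >&2; return 1; }
    # Without a policy store for the selected type the policy cannot be loaded at boot.
    [ -d "$root/etc/selinux/$ptype" ] || {
        echo "$cfg: SELINUXTYPE=$ptype but $root/etc/selinux/$ptype does not exist" >&2
        return 1; }
    return 0
}
```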
