[yocto] [PATCH][meta-selinux] refpolicy-minimum: port changes for prepare_policy_store

wenzong fan wenzong.fan at windriver.com
Mon Apr 18 00:34:17 PDT 2016


On 04/18/2016 05:02 AM, Philip Tricca wrote:
> Hello Wenzong,
>
> On 04/08/2016 01:19 AM, wenzong.fan at windriver.com wrote:
>> From: Wenzong Fan <wenzong.fan at windriver.com>
>>
>> Apply the changes to refpolicy-minimum_2.20151208.bb:
>>
>>    commit bfaf278116e6c3a04bb82c9f8a4f8629a0a85df8
>>    Author: Wenzong Fan <wenzong.fan at windriver.com>
>>    Date:   Tue Oct 27 06:25:04 2015 -0400
>>
>>      refpolicy-minimum: update prepare_policy_store
>>
>>      * update prepare_policy_store() for supporting SELinux 2.4 & CIL, the
>>        logic is from refpolicy_common.inc but with minimum set of policy
>>        modules;
>>
>>      * add extra policy modules that required by sysnetwork, without those
>>        modules the install process will fail with error:
>>
>>          | Failed to resolve roletype statement at 62 of \
>>            .../image/var/lib/selinux/minimum/tmp/modules/100/sysnetwork/cil
>>          | Failed to resolve ast
>>          | semodule:  Failed!
>>
>>      Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
>>      Signed-off-by: Joe MacDonald <joe_macdonald at mentor.com>
>>
>> Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
>> ---
>
> This looks great but in testing it I'm unable to use the 'minimum'
> refpolicy recipe in any image. The recipe builds fine but the do_rootfs
> fails trying to label the filesystem. I haven't been able to find the
> root cause for this yet, but I'm seeing this behavior both before and
> after adding this patch so it may be a preexisting issue?
>
> Given all of that, I've merged this patch into master since it doesn't
> seem related to the issue I'm seeing. Still, some help in resolving the
> issue I'm seeing with the minimum refpolicy recipe would be appreciated.

Hi Philip,

Thanks for getting the change merged.

I did a test and saw errors about:

/.../core-image-selinux/1.0-r0/rootfs//etc/selinux/mcs/contexts/files/file_contexts: No such file or directory

That should be because the SELINUXTYPE in /etc/selinux/config is not correct;
the patch below could fix it:

--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -162,7 +162,8 @@ SELINUX=${DEFAULT_ENFORCING}
  #     mls - Multi Level Security protection.
  #     targeted - Targeted processes are protected.
  #     mcs - Multi Category Security protection.
-SELINUXTYPE=${POLICY_TYPE}
+#     minimum - Minimum Security protection.
+SELINUXTYPE=${POLICY_NAME}
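Review bot: Switching SELINUXTYPE from ${POLICY_TYPE} to ${POLICY_NAME} matches the variable the recipe actually uses for its policy directories (the quoted prepare_policy_store builds ${datadir}/selinux/${POLICY_NAME} and ${localstatedir}/lib/selinux/${POLICY_NAME}), which explains why the labeler in the error above looked under 'mcs' while the store had been installed under the policy name. Since refpolicy_common.inc is shared by every refpolicy recipe, confirm that each of them sets POLICY_NAME before this lands, and consider stating the POLICY_TYPE/POLICY_NAME mismatch in the commit message so the next reader does not have to rediscover it from the file_contexts error.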

It works in my test, please feel free to integrate it if you think it
makes sense.

Thanks
Wenzong

>
> Thanks,
> Philip
>
>>   .../refpolicy/refpolicy-minimum_2.20151208.bb      | 41 ++++++++++++++++------
>>   1 file changed, 30 insertions(+), 11 deletions(-)
>>
>> diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
>> index b275821..47ed558 100644
>> --- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
>> +++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
>> @@ -26,23 +26,42 @@ EXTRA_POLICY_MODULES += "nscd"
>>   # "login", so "login" process will access to /var/spool/mail.
>>   EXTRA_POLICY_MODULES += "mta"
>>
>> +# sysnetwork requires type definitions (insmod_t, consoletype_t,
>> +# hostname_t, ping_t, netutils_t) from modules:
>> +EXTRA_POLICY_MODULES += "modutils consoletype hostname netutils"
>> +
>>   POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
>>
>>   # re-write the same func from refpolicy_common.inc
>>   prepare_policy_store () {
>>   	oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
>> +	POL_PRIORITY=100
>> +	POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
>> +	POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
>> +	POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
>>
>>   	# Prepare to create policy store
>> -	mkdir -p ${D}${sysconfdir}/selinux/
>> -	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/policy
>> -	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules
>> -	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files
>> -	touch ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local
>> -	for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do
>> -		bzip2 -f $i && mv -f $i.bz2 $i
>> -	done
>> -	cp base.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
>> -	for i in ${POLICY_MODULES_MIN}; do
>> -		cp ${i}.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i.pp`
>> +	mkdir -p ${POL_STORE}
>> +	mkdir -p ${POL_ACTIVE_MODS}
>> +
>> +	# get hll type from suffix on base policy module
>> +	HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
>> +	HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
>> +
>> +	for i in base ${POLICY_MODULES_MIN}; do
>> +		MOD_FILE=${POL_SRC}/${i}.${HLL_TYPE}
>> +		MOD_DIR=${POL_ACTIVE_MODS}/${i}
>> +		mkdir -p ${MOD_DIR}
>> +		echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
>> +
>> +		if ! bzip2 -t ${MOD_FILE} >/dev/null 2>&1; then
>> +			${HLL_BIN} ${MOD_FILE} | bzip2 --stdout > ${MOD_DIR}/cil
>> +			bzip2 -f ${MOD_FILE} && mv -f ${MOD_FILE}.bz2 ${MOD_FILE}
>> +		else
>> +			bunzip2 --stdout ${MOD_FILE} | \
>> +				${HLL_BIN} | \
>> +				bzip2 --stdout > ${MOD_DIR}/cil
>> +		fi
>> +		cp ${MOD_FILE} ${MOD_DIR}/hll
>>   	done
>>   }
>>
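Review bot: In the `if ! bzip2 -t` branch, `${HLL_BIN} ${MOD_FILE} | bzip2 --stdout > ${MOD_DIR}/cil` reports only bzip2's exit status, so a failing or missing HLL compiler leaves an empty cil file behind and the task still succeeds; the `bunzip2 --stdout ... | ${HLL_BIN} | bzip2 --stdout` pipeline in the else branch has the same gap. Consider writing the HLL output to a temporary file and checking its exit status (or at least `test -s ${MOD_DIR}/cil`) before continuing, and add a `test -x ${HLL_BIN}` check right after HLL_TYPE is derived, because `echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}'` yields a literal '*' when no base module exists and an ambiguous value when more than one base.* file is present. Two smaller points: `echo -n` is not portable across /bin/sh implementations, so `printf '%s' "${HLL_TYPE}" > ${MOD_DIR}/lang_ext` is safer; and the removed lines that created ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files and file_contexts.local have no replacement in this hunk, so confirm that the install step now provides that directory, given that the rootfs labeling failure reported in the reply looks for file_contexts there.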