[yocto] [PATCH][meta-selinux] refpolicy-minimum: port changes for prepare_policy_store

Philip Tricca flihp at twobit.us
Tue Apr 19 22:30:12 PDT 2016


On 04/19/2016 11:34 AM, George McCollister wrote:
> On Mon, Apr 18, 2016 at 2:34 AM, wenzong fan <wenzong.fan at windriver.com> wrote:
>> On 04/18/2016 05:02 AM, Philip Tricca wrote:
>>>
>>> Hello Wenzong,
>>>
>>> On 04/08/2016 01:19 AM, wenzong.fan at windriver.com wrote:
>>>>
>>>> From: Wenzong Fan <wenzong.fan at windriver.com>
>>>>
>>>> Apply the changes to refpolicy-minimum_2.20151208.bb:
>>>>
>>>>    commit bfaf278116e6c3a04bb82c9f8a4f8629a0a85df8
>>>>    Author: Wenzong Fan <wenzong.fan at windriver.com>
>>>>    Date:   Tue Oct 27 06:25:04 2015 -0400
>>>>
>>>>      refpolicy-minimum: update prepare_policy_store
>>>>
>>>>      * update prepare_policy_store() for supporting SELinux 2.4 & CIL, the
>>>>        logic is from refpolicy_common.inc but with minimum set of policy
>>>>        modules;
>>>>
>>>>      * add extra policy modules that are required by sysnetwork, without
>>>>        those modules the install process will fail with error:
>>>>
>>>>          | Failed to resolve roletype statement at 62 of \
>>>>            .../image/var/lib/selinux/minimum/tmp/modules/100/sysnetwork/cil
>>>>          | Failed to resolve ast
>>>>          | semodule:  Failed!
>>>>
>>>>      Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
>>>>      Signed-off-by: Joe MacDonald <joe_macdonald at mentor.com>
>>>>
>>>> Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
>>>> ---
>>>
>>>
>>> This looks great but in testing it I'm unable to use the 'minimum'
>>> refpolicy recipe in any image. The recipe builds fine but the do_rootfs
>>> fails trying to label the filesystem. I haven't been able to find the
>>> root cause for this yet, but I'm seeing this behavior both before and
>>> after adding this patch so it may be a preexisting issue?
>>>
>>> Given all of that, I've merged this patch into master since it doesn't
>>> seem related to the issue I'm seeing. Still, some help in resolving the
>>> issue I'm seeing with the minimum refpolicy recipe would be appreciated.
>>
>>
>> Hi Philip,
>>
>> Thanks for getting the change merged.
>>
>> I did a test and saw errors like:
>>
>> /.../core-image-selinux/1.0-r0/rootfs//etc/selinux/mcs/contexts/files/file_contexts:
>> No such file or directory
>>
>> That should be because the SELINUXTYPE in /etc/selinux/config is not correct; the
>> patch below could fix it:
>>
>> --- a/recipes-security/refpolicy/refpolicy_common.inc
>> +++ b/recipes-security/refpolicy/refpolicy_common.inc
>> @@ -162,7 +162,8 @@ SELINUX=${DEFAULT_ENFORCING}
>>  #     mls - Multi Level Security protection.
>>  #     targeted - Targeted processes are protected.
>>  #     mcs - Multi Category Security protection.
>> -SELINUXTYPE=${POLICY_TYPE}
>> +#     minimum - Minimum Security protection.
>> +SELINUXTYPE=${POLICY_NAME}
>>
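Review bot: the comment block above the new `SELINUXTYPE=${POLICY_NAME}` line should state that the value must name a directory under /etc/selinux, because that is the property this change relies on: the policy store is installed under `${sysconfdir}/selinux/${POLICY_NAME}` while `${POLICY_TYPE}` (mcs in the failing build) is the type inside it, which is why labelling looked for /etc/selinux/mcs/contexts/files/file_contexts and found nothing. With the added `minimum` entry the list now documents four names, so a one-line note that only the built POLICY_NAME store exists in the image would keep the next reader from selecting one that is not installed.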
>> It works in my test, please feel free to integrate it if you think it makes
>> sense.
>>
> 
> With this change my refpolicy-targeted build completes again.

Problem solved. Thanks!

> Thanks,
> George
> 
>> Thanks
>> Wenzong
>>
>>
>>>
>>> Thanks,
>>> Philip
>>>
>>>>   .../refpolicy/refpolicy-minimum_2.20151208.bb      | 41 ++++++++++++++++------
>>>>   1 file changed, 30 insertions(+), 11 deletions(-)
>>>>
>>>> diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
>>>> index b275821..47ed558 100644
>>>> --- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
>>>> +++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
>>>> @@ -26,23 +26,42 @@ EXTRA_POLICY_MODULES += "nscd"
>>>>   # "login", so "login" process will access to /var/spool/mail.
>>>>   EXTRA_POLICY_MODULES += "mta"
>>>>
>>>> +# sysnetwork requires type definitions (insmod_t, consoletype_t,
>>>> +# hostname_t, ping_t, netutils_t) from modules:
>>>> +EXTRA_POLICY_MODULES += "modutils consoletype hostname netutils"
>>>> +
>>>>   POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
>>>>
>>>>   # re-write the same func from refpolicy_common.inc
>>>>   prepare_policy_store () {
>>>>         oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
>>>> +       POL_PRIORITY=100
>>>> +       POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
>>>> +       POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
>>>> +       POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
>>>>
>>>>         # Prepare to create policy store
>>>> -       mkdir -p ${D}${sysconfdir}/selinux/
>>>> -       mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/policy
>>>> -       mkdir -p
>>>> ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules
>>>> -       mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files
>>>> -       touch
>>>> ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local
>>>> -       for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do
>>>> -               bzip2 -f $i && mv -f $i.bz2 $i
>>>> -       done
>>>> -       cp base.pp
>>>> ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
>>>> -       for i in ${POLICY_MODULES_MIN}; do
>>>> -               cp ${i}.pp
>>>> ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename
>>>> $i.pp`
>>>> +       mkdir -p ${POL_STORE}
>>>> +       mkdir -p ${POL_ACTIVE_MODS}
>>>> +
>>>> +       # get hll type from suffix on base policy module
>>>> +       HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print
>>>> $NF}}')
>>>> +
>>>> HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
>>>> +
>>>> +       for i in base ${POLICY_MODULES_MIN}; do
>>>> +               MOD_FILE=${POL_SRC}/${i}.${HLL_TYPE}
>>>> +               MOD_DIR=${POL_ACTIVE_MODS}/${i}
>>>> +               mkdir -p ${MOD_DIR}
>>>> +               echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
>>>> +
>>>> +               if ! bzip2 -t ${MOD_FILE} >/dev/null 2>&1; then
>>>> +                       ${HLL_BIN} ${MOD_FILE} | bzip2 --stdout >
>>>> ${MOD_DIR}/cil
>>>> +                       bzip2 -f ${MOD_FILE} && mv -f ${MOD_FILE}.bz2
>>>> ${MOD_FILE}
>>>> +               else
>>>> +                       bunzip2 --stdout ${MOD_FILE} | \
>>>> +                               ${HLL_BIN} | \
>>>> +                               bzip2 --stdout > ${MOD_DIR}/cil
>>>> +               fi
>>>> +               cp ${MOD_FILE} ${MOD_DIR}/hll
>>>>         done
>>>>   }
>>>>
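Review bot: in the uncompressed branch of the loop, `${HLL_BIN} ${MOD_FILE} | bzip2 --stdout > ${MOD_DIR}/cil` reports only bzip2's exit status, so a failing HLL conversion leaves an empty or truncated cil file and the task still succeeds; the three-stage pipeline in the else branch has the same gap. Writing the HLL output to a temporary file and checking `${HLL_BIN}`'s exit status before compressing (or using `set -o pipefail` where the build shell supports it) would surface the error at build time rather than at semodule load. Separately, `HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')` yields a literal `*` when no base module is present and silently takes the suffix of the last-sorted file when more than one matches; a check that exactly one base.* file exists would give a clear message instead of a cryptic failure from `${HLL_BIN}`.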
>>>
>>>
>>>
>> --
>> _______________________________________________
>> yocto mailing list
>> yocto at yoctoproject.org
>> https://lists.yoctoproject.org/listinfo/yocto
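The root cause in this thread was an /etc/selinux/config whose SELINUXTYPE named a policy store that was not installed. The following is an added example, not code from the thread or from meta-selinux, of the consistency check a do_rootfs step could run before labelling: it reads SELINUXTYPE, confirms the matching store directory and its contexts/files/file_contexts exist, and builds a constructed fixture that reproduces the mismatch (store installed as "minimum", config pointing at "mcs"). Function names and the fixture layout are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): verify that SELINUXTYPE in an
# /etc/selinux/config names an installed policy store with a file_contexts.

# check_selinux_config CONFIG SYSCONFDIR
# Prints the policy name and returns 0 when the store is consistent;
# prints the problem on stderr and returns 1 otherwise.
check_selinux_config() {
    config="$1"
    sysconfdir="$2"
    # last SELINUXTYPE= assignment wins, matching how the config is read
    selinuxtype=$(sed -n 's/^SELINUXTYPE=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$config" | tail -n 1)
    if [ -z "$selinuxtype" ]; then
        echo "no SELINUXTYPE set in $config" >&2
        return 1
    fi
    store="$sysconfdir/selinux/$selinuxtype"
    if [ ! -d "$store" ]; then
        echo "SELINUXTYPE=$selinuxtype but $store does not exist; installed stores:" >&2
        ls "$sysconfdir/selinux" >&2
        return 1
    fi
    fc="$store/contexts/files/file_contexts"
    if [ ! -f "$fc" ]; then
        echo "missing $fc, filesystem labelling would fail" >&2
        return 1
    fi
    echo "$selinuxtype"
    return 0
}

# make_fixture: constructed rootfs mirroring the thread, where the store is
# installed under the POLICY_NAME "minimum" but config carries the
# POLICY_TYPE "mcs". Prints the fixture root.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/selinux/minimum/contexts/files"
    : > "$root/etc/selinux/minimum/contexts/files/file_contexts"
    printf 'SELINUX=enforcing\nSELINUXTYPE=mcs\n' > "$root/etc/selinux/config"
    echo "$root"
}

# Stand-alone run: show the mismatch, then the corrected config passing.
if [ "${0##*/}" != "sh" ] && [ -z "$CHECK_SELINUX_NO_MAIN" ]; then
    root=$(make_fixture)
    check_selinux_config "$root/etc/selinux/config" "$root/etc" || true
    printf 'SELINUX=enforcing\nSELINUXTYPE=minimum\n' > "$root/etc/selinux/config"
    check_selinux_config "$root/etc/selinux/config" "$root/etc"
    rm -rf "$root"
fi
```

Run as `sh check_selinux.sh`: the first call reports that /etc/selinux/mcs is absent and lists the installed store, the second prints `minimum` after the config is corrected to the installed POLICY_NAME.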



