[yocto] [meta-selinux][PATCH 04/21] libsemanage: uprev to 2.7 (20170804)
wenzong fan
wenzong.fan at windriver.com
Thu Sep 14 03:31:57 PDT 2017
On 09/14/2017 08:07 AM, Mark Hatle wrote:
> On 9/12/17 9:19 PM, Mark Hatle wrote:
>> On 9/12/17 9:06 PM, wenzong fan wrote:
>>> On 09/12/2017 06:59 PM, Chanho Park wrote:
>>>> Hi,
>>>>
>>>> I can't apply this patch on top of the master branch. Which revision did
>>>> you make the patches?
>>>
>>> Oops, that's my fault. I did a "sed -i -e 's/Subject: [/Subject:
>>> [meta-selinux][/g' 00*" to add prefix for mail subjects, that also
>>> changed the removed patch files in libsemanage.
>>>
>>> I'll send v2.
>>>
>>> Thanks
>>> Wenzong
>>
>> I don't see the original set of patches in my archives. When you rebase, please
>> rebase on top of mgh/master-next.
>
> My mailer finally loaded the original set. I saw the same problems, but was
> able to get them merged.
>
> I have updated 'mgh/master-next'. Please verify the contents include all of
> your changes.
All my changes are there now.
>
> I tried to build a system and boot it, but it didn't work. I'm guessing I
> forgot something simple, but I can't make master-next into master without
> knowing I can boot.. Any clue would be useful. Thanks!
>
>
> My configuration is:
>
> bblayers.conf:
>
> oe-core (master) & meta-selinux (mgh/master-next)
>
>
> local.conf:
>
> IMAGE_FEATURES_append = " debug-tweaks ssh-server-openssh"
>
> DISTRO_FEATURES_append = " opengl x11 wayland acl xattr pam selinux"
>
> PREFERRED_PROVIDER_virtual/refpolicy = "refpolicy-mls"
> PREFERRED_VERSION_refpolicy-mls = "2.20170204"
Above configs are OK, you can simply use:
DISTRO = "poky-selinux"
PREFERRED_VERSION_refpolicy-mls ?= "2.20170204"
>
>
> I ran QEMU using:
>
>
> runqemu qemux86 core-image-selinux ext4 nographic
>
>
Please run QEMU with:
$ runqemu qemux86 core-image-selinux ext4 nographic
bootparams="selinux=1 enforcing=0"
>
> Trying to login I get:
>
> qemux86 login: root
> [ 23.960609] kauditd_printk_skb: 13 callbacks suppressed
> Cannot execute /bin/sh: Permission denied
> [ 23.973922] audit: type=1400 audit(1505347190.805:29): avc: denied {
> execute } for pid=671 comm="login" name="bash.bash" dev="vda" ino=8163
> scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
> [ 23.975463] audit: type=1400 audit(1505347190.813:30): avc: denied {
> execute } for pid=671 comm="login" name="bash.bash" dev="vda" ino=8163
> scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
>
>
This should be blocked by refpolicy-mls, please boot with "selinux=1
enforcing=0" to verify if SELinux tools work. For example:
$ sestatus
OR:
$ semanage login -l
Actually this doesn't work since runtime dependencies, I commented off
this from setools_4.1.1.bb:
# TODO: depends on meta-python, disable the RDEPENDS for now:
# RDEPENDS_${PN} += "python-networkx python-enum34 python-decorator
python-setuptools"
For community, we need to discuss if we can get meta-selinux depend on
meta-python by default? Or just get users to do that?
Thanks
Wenzong
>
>> --Mark
>>
>
>
More information about the yocto
mailing list