[yocto] [meta-selinux][PATCH 04/21] libsemanage: uprev to 2.7 (20170804)

wenzong fan wenzong.fan at windriver.com
Thu Sep 14 03:31:57 PDT 2017



On 09/14/2017 08:07 AM, Mark Hatle wrote:
> On 9/12/17 9:19 PM, Mark Hatle wrote:
>> On 9/12/17 9:06 PM, wenzong fan wrote:
>>> On 09/12/2017 06:59 PM, Chanho Park wrote:
>>>> Hi,
>>>>
>>>> I can't apply this patch on top of the master branch. Which revision did
>>>> you make the patches?
>>>
>>> Oops, that's my fault. I did a "sed -i -e 's/Subject: [/Subject:
>>> [meta-selinux][/g' 00*" to add prefix for mail subjects, that also
>>> changed the removed patch files in libsemanage.
>>>
>>> I'll send v2.
>>>
>>> Thanks
>>> Wenzong
>>
>> I don't see the original set of patches in my archives.  When you rebase, please
>> rebase on top of mgh/master-next.
> 
> My mailer finally loaded the original set.  I saw the same problems, but was
> able to get them merged.
> 
> I have updated 'mgh/master-next'.  Please verify the contents include all of
> your changes.

All my changes are there now.

> 
> I tried to build a system and boot it, but it didn't work.  I'm guessing I
> forgot something simple, but I can't make master-next into master without
> knowing I can boot..  Any clue would be useful.  Thanks!
> 
> 
> My configuration is:
> 
> bblayers.conf:
> 
> oe-core (master) & meta-selinux (mgh/master-next)
> 
> 
> local.conf:
> 
> IMAGE_FEATURES_append = " debug-tweaks ssh-server-openssh"
> 
> DISTRO_FEATURES_append = " opengl x11 wayland acl xattr pam selinux"
> 
> PREFERRED_PROVIDER_virtual/refpolicy = "refpolicy-mls"
> PREFERRED_VERSION_refpolicy-mls = "2.20170204"

The above configs are OK; you can simply use:

DISTRO = "poky-selinux"
PREFERRED_VERSION_refpolicy-mls ?= "2.20170204"

> 
> 
> I ran QEMU using:
> 
> 
> runqemu qemux86 core-image-selinux ext4 nographic
> 
>

Please run QEMU with:

$ runqemu qemux86 core-image-selinux ext4 nographic bootparams="selinux=1 enforcing=0"

> 
> Trying to login I get:
> 
> qemux86 login: root
> [   23.960609] kauditd_printk_skb: 13 callbacks suppressed
> Cannot execute /bin/sh: Permission denied
> [   23.973922] audit: type=1400 audit(1505347190.805:29): avc:  denied  {
> execute } for  pid=671 comm="login" name="bash.bash" dev="vda" ino=8163
> scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
> [   23.975463] audit: type=1400 audit(1505347190.813:30): avc:  denied  {
> execute } for  pid=671 comm="login" name="bash.bash" dev="vda" ino=8163
> scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
> 
>

This should be blocked by refpolicy-mls; please boot with "selinux=1 
enforcing=0" to verify whether the SELinux tools work. For example:

$ sestatus

Or:

$ semanage login -l

Actually this doesn't work due to runtime dependencies; I commented this 
out in setools_4.1.1.bb:

# TODO: depends on meta-python, disable the RDEPENDS for now:
# RDEPENDS_${PN} += "python-networkx python-enum34 python-decorator python-setuptools"

For the community, we need to discuss whether we can make meta-selinux depend on 
meta-python by default, or just have users do that themselves?

Thanks
Wenzong

> 
>> --Mark
>>
> 
> 
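As an added example (not code from the thread or from meta-selinux), a small Python parser for AVC records like the two quoted above, re-joined onto single lines where the mail client wrapped them, that pulls out the source and target types, object class and permission, and whether each denial was actually enforced (permissive=0) rather than only logged:

```python
import re

# Constructed sample: the kernel lines from the thread, each AVC record on one line.
SAMPLE_LOG = """\
[   23.960609] kauditd_printk_skb: 13 callbacks suppressed
[   23.973922] audit: type=1400 audit(1505347190.805:29): avc:  denied  { execute } for  pid=671 comm="login" name="bash.bash" dev="vda" ino=8163 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
[   23.975463] audit: type=1400 audit(1505347190.813:30): avc:  denied  { execute } for  pid=671 comm="login" name="bash.bash" dev="vda" ino=8163 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # An SELinux context is user:role:type:range, so the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    # permissive=0 means the kernel really refused the access (enforcing mode).
    rec["enforced"] = rec.get("permissive") == "0"
    return rec


def summarize(log_text):
    """Group denials by (source type, target type, class, permission);
    'enforced' counts how many of them were real refusals, not just audit noise."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (rec["stype"], rec["ttype"], rec["tclass"], perm)
            entry = summary.setdefault(key, {"count": 0, "enforced": 0})
            entry["count"] += 1
            entry["enforced"] += int(rec["enforced"])
    return summary


if __name__ == "__main__":
    for (src, tgt, cls, perm), e in summarize(SAMPLE_LOG).items():
        print(f"{src} -> {tgt}:{cls} {{ {perm} }}  x{e['count']} ({e['enforced']} enforced)")
```

Feeding it `dmesg` output from the failed boot shows at a glance which domain-to-type accesses the policy refused; the same records collected under enforcing=0 show what would be refused without stopping login.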
