[yocto] [meta-selinux][PATCH 04/21] libsemanage: uprev to 2.7 (20170804)
wenzong fan
wenzong.fan at windriver.com
Mon Sep 18 00:48:17 PDT 2017
On 09/14/2017 09:33 PM, Mark Hatle wrote:
> On 9/14/17 5:31 AM, wenzong fan wrote:
>>
>>
>> On 09/14/2017 08:07 AM, Mark Hatle wrote:
>>> On 9/12/17 9:19 PM, Mark Hatle wrote:
>>>> On 9/12/17 9:06 PM, wenzong fan wrote:
>>>>> On 09/12/2017 06:59 PM, Chanho Park wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I can't apply this patch on top of the master branch. Which revision did
>>>>>> you make the patches?
>>>>>
>>>>> Oops, that's my fault. I did a "sed -i -e 's/Subject: [/Subject:
>>>>> [meta-selinux][/g' 00*" to add prefix for mail subjects, that also
>>>>> changed the removed patch files in libsemanage.
>>>>>
>>>>> I'll send v2.
>>>>>
>>>>> Thanks
>>>>> Wenzong
>>>>
>>>> I don't see the original set of patches in my archives. When you rebase, please
>>>> rebase on top of mgh/master-next.
>>>
>>> My mailer finally loaded the original set. I saw the same problems, but was
>>> able to get them merged.
>>>
>>> I have updated 'mgh/master-next'. Please verify the contents include all of
>>> your changes.
>>
>> All my changes are there now.
>>
>>>
>>> I tried to build a system and boot it, but it didn't work. I'm guessing I
>>> forgot something simple, but I can't make master-next into master without
>>> knowing I can boot.. Any clue would be useful. Thanks!
>>>
>>>
>>> My configuration is:
>>>
>>> bblayers.conf:
>>>
>>> oe-core (master) & meta-selinux (mgh/master-next)
>>>
>>>
>>> local.conf:
>>>
>>> IMAGE_FEATURES_append = " debug-tweaks ssh-server-openssh"
>>>
>>> DISTRO_FEATURES_append = " opengl x11 wayland acl xattr pam selinux"
>>>
>>> PREFERRED_PROVIDER_virtual/refpolicy = "refpolicy-mls"
>>> PREFERRED_VERSION_refpolicy-mls = "2.20170204"
>>
>> Above configs are OK, you can simply use:
>>
>> DISTRO = "poky-selinux"
>> PREFERRED_VERSION_refpolicy-mls ?= "2.20170204"
>
> The DISTRO settings in meta-selinux are being removed (they are no longer in the
> master-next branch). Instead the user will be required to set the
> DISTRO_FEATURE 'selinux' to enable the components. (It is expected they will
> also enable acl/xattr and pam.)
>
>>>
>>>
>>> I ran QEMU using:
>>>
>>>
>>> runqemu qemux86 core-image-selinux ext4 nographic
>>>
>>>
>>
>> Please run QEMU with:
>>
>> $ runqemu qemux86 core-image-selinux ext4 nographic bootparams="selinux=1 enforcing=0"
>
>
>
>>>
>>> Trying to login I get:
>>>
>>> qemux86 login: root
>>> [ 23.960609] kauditd_printk_skb: 13 callbacks suppressed
>>> Cannot execute /bin/sh: Permission denied
>>> [ 23.973922] audit: type=1400 audit(1505347190.805:29): avc: denied { execute } for pid=671 comm="login" name="bash.bash" dev="vda" ino=8163 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
>>> [ 23.975463] audit: type=1400 audit(1505347190.813:30): avc: denied { execute } for pid=671 comm="login" name="bash.bash" dev="vda" ino=8163 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
>>>
>>>
>>
>> This should be blocked by refpolicy-mls, please boot with "selinux=1
>> enforcing=0" to verify if SELinux tools work. For example:
>
> I would like to update the README file for the layer on how the user can
> actually make a bootable system. If this involves adding a user, that is fine.
> But at present there is no way to login w/o turning off enforcing. That seems
> to defeat the purpose of enabling selinux in a design.

This is really an issue; I'll fix it.

Thanks
Wenzong
>
> So any help you can give me for the documentation would be appreciated.
>
>> $ sestatus
>
> root at qemux86:~# sestatus
> SELinux status: enabled
> SELinuxfs mount: /sys/fs/selinux
> SELinux root directory: /etc/selinux
> Loaded policy name: mls
> Current mode: permissive
> Mode from config file: enforcing
> Policy MLS status: enabled
> Policy deny_unknown status: allowed
> Memory protection checking: requested (insecure)
> Max kernel policy version: 30
>
>> OR:
>> $ semanage login -l
>
> root at qemux86:~# semanage login -l
>
> Login Name SELinux User MLS/MCS Range Service
>
> __default__ user_u s0-s0 *
> root root s0-s15:c0.c1023 *
>
> (I followed the information below and enabled the python components.)
>
>> Actually this doesn't work since runtime dependencies, I commented off
>> this from setools_4.1.1.bb:
>>
>> # TODO: depends on meta-python, disable the RDEPENDS for now:
>> # RDEPENDS_${PN} += "python-networkx python-enum34 python-decorator python-setuptools"
>>
>> For community, we need to discuss if we can get meta-selinux depend on
>> meta-python by default? Or just get users to do that?
>
> Yes, we can add a requirement for meta-python. I just need to clearly document
> in the commit message why it is there.
>
> I will work to update the mgh/master-next with the meta-python items and some of
> the information above...
>
> --Mark
>
>> Thanks
>> Wenzong
>>
>>>
>>>> --Mark
>>>>
>>>
>>>
>
>
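As an added triage aid (this is not code from the thread, from meta-selinux or from the SELinux userspace project), the script below parses the two kernel AVC records quoted above, groups them the way audit2allow would (source type, target type, object class, permission), and flags the pattern seen here: a domain being denied `execute` on a binary whose target type is not an `*_exec_t` type. In refpolicy the shell is normally labeled `shell_exec_t`, so a `bin_t` label on `bash.bash` points at file contexts that were never applied to the image rather than at a missing policy rule. The `hint_for()` heuristic is an assumption of this example, not an official SELinux diagnostic; the sample lines are the thread's own records, re-joined onto one line each, plus one non-AVC kernel line to show that it is skipped.

```python
import re
from collections import Counter

# Sample input: the AVC records quoted in the thread (one per line) plus one
# unrelated kernel line, constructed here to show that non-AVC lines are ignored.
SAMPLE_AVC_LINES = [
    '[ 23.960609] kauditd_printk_skb: 13 callbacks suppressed',
    '[ 23.973922] audit: type=1400 audit(1505347190.805:29): avc: denied { execute } '
    'for pid=671 comm="login" name="bash.bash" dev="vda" ino=8163 '
    'scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 '
    'tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0',
    '[ 23.975463] audit: type=1400 audit(1505347190.813:30): avc: denied { execute } '
    'for pid=671 comm="login" name="bash.bash" dev="vda" ino=8163 '
    'scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 '
    'tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0',
]

# "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type[:range]; the type is what policy rules are written against.
    return {
        'result': m.group('result'),
        'perms': sorted(m.group('perms').split()),
        'fields': fields,
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        # permissive=0 means the denial was enforced (the operation actually failed)
        'enforced': fields.get('permissive') == '0',
    }


def summarize(lines):
    """Count denials per (source type, target type, class, permission), audit2allow style."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        for perm in rec['perms']:
            counts[(rec['source_type'], rec['target_type'], rec['tclass'], perm)] += 1
    return dict(counts)


def hint_for(rec):
    """Heuristic (assumption of this example): classify a denial for triage.

    An execute denial on a file whose type is not an *_exec_t type usually means the
    file is mislabeled (file contexts not applied), so the fix is relabeling, not a
    new allow rule.
    """
    if rec['tclass'] == 'file' and 'execute' in rec['perms'] \
            and not rec['target_type'].endswith('_exec_t'):
        return 'relabel: %s is labeled %s; check that file contexts were applied' % (
            rec['fields'].get('name', '?'), rec['target_type'])
    return 'policy: review whether %s should have %s on %s:%s' % (
        rec['source_type'], ' '.join(rec['perms']), rec['target_type'], rec['tclass'])


if __name__ == '__main__':
    for key, n in sorted(summarize(SAMPLE_AVC_LINES).items()):
        print('%4d  %s -> %s (%s %s)' % (n, key[0], key[1], key[2], key[3]))
    for line in SAMPLE_AVC_LINES:
        rec = parse_avc(line)
        if rec:
            print(hint_for(rec))
```

Running it over the thread's records reports two enforced `execute` denials from `local_login_t` to `bin_t` and a relabel hint for `bash.bash`; a real run would feed it `dmesg` or `/var/log/audit/audit.log` from the booted image.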