[yocto] [meta-selinux][PATCH 04/21] libsemanage: uprev to 2.7 (20170804)

wenzong fan wenzong.fan at windriver.com
Mon Sep 18 00:48:17 PDT 2017 


On 09/14/2017 09:33 PM, Mark Hatle wrote:
> On 9/14/17 5:31 AM, wenzong fan wrote:
>>
>>
>> On 09/14/2017 08:07 AM, Mark Hatle wrote:
>>> On 9/12/17 9:19 PM, Mark Hatle wrote:
>>>> On 9/12/17 9:06 PM, wenzong fan wrote:
>>>>> On 09/12/2017 06:59 PM, Chanho Park wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I can't apply this patch on top of the master branch. Which revision did
>>>>>> you make the patches?
>>>>>
>>>>> Oops, that's my fault. I did a "sed -i -e 's/Subject: [/Subject:
>>>>> [meta-selinux][/g' 00*" to add prefix for mail subjects, that also
>>>>> changed the removed patch files in libsemanage.
>>>>>
>>>>> I'll send v2.
>>>>>
>>>>> Thanks
>>>>> Wenzong
>>>>
>>>> I don't see the original set of patches in my archives.  When you rebase, please
>>>> rebase on top of mgh/master-next.
>>>
>>> My mailer finally loaded the original set.  I saw the same problems, but was
>>> able to get them merged.
>>>
>>> I have updated 'mgh/master-next'.  Please verify the contents include all of
>>> your changes.
>>
>> All my changes are there now.
>>
>>>
>>> I tried to build a system and boot it, but it didn't work.  I'm guessing I
>>> forgot something simple, but I can't make master-next into master without
>>> knowing I can boot..  Any clue would be useful.  Thanks!
>>>
>>>
>>> My configuration is:
>>>
>>> bblayers.conf:
>>>
>>> oe-core (master) & meta-selinux (mgh/master-next)
>>>
>>>
>>> local.conf:
>>>
>>> IMAGE_FEATURES_append = " debug-tweaks ssh-server-openssh"
>>>
>>> DISTRO_FEATURES_append = " opengl x11 wayland acl xattr pam selinux"
>>>
>>> PREFERRED_PROVIDER_virtual/refpolicy = "refpolicy-mls"
>>> PREFERRED_VERSION_refpolicy-mls = "2.20170204"
>>
>> Above configs are OK, you can simply use:
>>
>> DISTRO = "poky-selinux"
>> PREFERRED_VERSION_refpolicy-mls ?= "2.20170204"
> 
> The DISTRO settings in meta-selinux are being removed (they are no longer in the
> master-next branch).  Instead the user will be required to set the
> DISTRO_FEATURE 'selinux' to enable the components.  (It is expected they will
> also enable acl/xattr and pam.)
> 
>>>
>>>
>>> I ran QEMU using:
>>>
>>>
>>> runqemu qemux86 core-image-selinux ext4 nographic
>>>
>>>
>>
>> Please run QEMU with:
>>
>> $ runqemu qemux86 core-image-selinux ext4 nographic
>> bootparams="selinux=1 enforcing=0"
> 
> 
> 
>>>
>>> Trying to login I get:
>>>
>>> qemux86 login: root
>>> [   23.960609] kauditd_printk_skb: 13 callbacks suppressed
>>> Cannot execute /bin/sh: Permission denied
>>> [   23.973922] audit: type=1400 audit(1505347190.805:29): avc:  denied  {
>>> execute } for  pid=671 comm="login" name="bash.bash" dev="vda" ino=8163
>>> scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
>>> tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
>>> [   23.975463] audit: type=1400 audit(1505347190.813:30): avc:  denied  {
>>> execute } for  pid=671 comm="login" name="bash.bash" dev="vda" ino=8163
>>> scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
>>> tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
>>>
>>>
>>
>> This should be blocked by refpolicy-mls, please boot with "selinux=1
>> enforcing=0" to verify if SELinux tools work. For example:
> 
> I would like to update the README file for the layer on how the user can
> actually make a bootable system.  If this involves adding a user, that is fine.
> But at present there is no way to login w/o turning off enforcing.  That seems
> to defeat the purpose of enabling selinux in a design.

This is really an issue, I'll fix it.

Thanks
Wenzong

> 
> So any help you can give me for the documentation would be appreciated.
> 
>> $ sestatus
> 
> root at qemux86:~# sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /sys/fs/selinux
> SELinux root directory:         /etc/selinux
> Loaded policy name:             mls
> Current mode:                   permissive
> Mode from config file:          enforcing
> Policy MLS status:              enabled
> Policy deny_unknown status:     allowed
> Memory protection checking:     requested (insecure)
> Max kernel policy version:      30
> 
>> OR:
>> $ semanage login -l
> 
> root at qemux86:~# semanage login -l
> 
> Login Name           SELinux User         MLS/MCS Range        Service
> 
> __default__          user_u               s0-s0                *
> root                 root                 s0-s15:c0.c1023      *
> 
> (I followed the information below and enabled the python components.)
> 
>> Actually this doesn't work since runtime dependencies, I commented off
>> this from setools_4.1.1.bb:
>>
>> # TODO: depends on meta-python, disable the RDEPENDS for now:
>> # RDEPENDS_${PN} += "python-networkx python-enum34 python-decorator
>> python-setuptools"
>>
>> For community, we need to discuss if we can get meta-selinux depend on
>> meta-python by default? Or just get users to do that?
> 
> Yes, we can add a requirement for meta-python.  I just need to clearly document
> in the commit message why it is there.
> 
> I will work to update the mgh/master-next with the meta-python items and some of
> the information above...
> 
> --Mark
> 
>> Thanks
>> Wenzong
>>
>>>
>>>> --Mark
>>>>
>>>
>>>
> 
>

More information about the yocto mailing list