[yocto] [meta-selinux][PATCH 04/21] libsemanage: uprev to 2.7 (20170804)

Mark Hatle mark.hatle at windriver.com
Mon Sep 18 07:24:52 PDT 2017


On 9/18/17 2:48 AM, wenzong fan wrote:
> 
> 
> On 09/14/2017 09:33 PM, Mark Hatle wrote:
>> On 9/14/17 5:31 AM, wenzong fan wrote:
>>>
>>>
>>> On 09/14/2017 08:07 AM, Mark Hatle wrote:
>>>> On 9/12/17 9:19 PM, Mark Hatle wrote:
>>>>> On 9/12/17 9:06 PM, wenzong fan wrote:
>>>>>> On 09/12/2017 06:59 PM, Chanho Park wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I can't apply this patch on top of the master branch. Which revision did
>>>>>>> you make the patches?
>>>>>>
>>>>>> Oops, that's my fault. I did a "sed -i -e 's/Subject: [/Subject:
>>>>>> [meta-selinux][/g' 00*" to add prefix for mail subjects, that also
>>>>>> changed the removed patch files in libsemanage.
>>>>>>
>>>>>> I'll send v2.
>>>>>>
>>>>>> Thanks
>>>>>> Wenzong
>>>>>
>>>>> I don't see the original set of patches in my archives.  When you rebase, please
>>>>> rebase on top of mgh/master-next.
>>>>
>>>> My mailer finally loaded the original set.  I saw the same problems, but was
>>>> able to get them merged.
>>>>
>>>> I have updated 'mgh/master-next'.  Please verify the contents include all of
>>>> your changes.
>>>
>>> All my changes are there now.
>>>
>>>>
>>>> I tried to build a system and boot it, but it didn't work.  I'm guessing I
>>>> forgot something simple, but I can't make master-next into master without
>>>> knowing I can boot.  Any clue would be useful.  Thanks!
>>>>
>>>>
>>>> My configuration is:
>>>>
>>>> bblayers.conf:
>>>>
>>>> oe-core (master) & meta-selinux (mgh/master-next)
>>>>
>>>>
>>>> local.conf:
>>>>
>>>> IMAGE_FEATURES_append = " debug-tweaks ssh-server-openssh"
>>>>
>>>> DISTRO_FEATURES_append = " opengl x11 wayland acl xattr pam selinux"
>>>>
>>>> PREFERRED_PROVIDER_virtual/refpolicy = "refpolicy-mls"
>>>> PREFERRED_VERSION_refpolicy-mls = "2.20170204"
>>>
>>> Above configs are OK, you can simply use:
>>>
>>> DISTRO = "poky-selinux"
>>> PREFERRED_VERSION_refpolicy-mls ?= "2.20170204"
>>
>> The DISTRO settings in meta-selinux are being removed (they are no longer in the
>> master-next branch).  Instead the user will be required to set the
>> DISTRO_FEATURE 'selinux' to enable the components.  (It is expected they will
>> also enable acl/xattr and pam.)
>>
>>>>
>>>>
>>>> I ran QEMU using:
>>>>
>>>>
>>>> runqemu qemux86 core-image-selinux ext4 nographic
>>>>
>>>>
>>>
>>> Please run QEMU with:
>>>
>>> $ runqemu qemux86 core-image-selinux ext4 nographic bootparams="selinux=1 enforcing=0"
>>
>>
>>
>>>>
>>>> Trying to login I get:
>>>>
>>>> qemux86 login: root
>>>> [   23.960609] kauditd_printk_skb: 13 callbacks suppressed
>>>> Cannot execute /bin/sh: Permission denied
>>>> [   23.973922] audit: type=1400 audit(1505347190.805:29): avc:  denied  {
>>>> execute } for  pid=671 comm="login" name="bash.bash" dev="vda" ino=8163
>>>> scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
>>>> tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
>>>> [   23.975463] audit: type=1400 audit(1505347190.813:30): avc:  denied  {
>>>> execute } for  pid=671 comm="login" name="bash.bash" dev="vda" ino=8163
>>>> scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
>>>> tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
>>>>
>>>>
>>>
>>> This should be blocked by refpolicy-mls; please boot with "selinux=1
>>> enforcing=0" to verify that the SELinux tools work. For example:
>>
>> I would like to update the README file for the layer on how the user can
>> actually make a bootable system.  If this involves adding a user, that is fine.
>> But at present there is no way to login w/o turning off enforcing.  That seems
>> to defeat the purpose of enabling selinux in a design.
> 
> This is really an issue, I'll fix it.

The root login issue was fixed in a commit.  The above was due to 'bash.bash'
not having appropriate context specified in the refpolicies.

I also added to the README file.  If you have any additional suggestions or
changes, please let me know.

--Mark

> Thanks
> Wenzong
> 
>>
>> So any help you can give me for the documentation would be appreciated.
>>
>>> $ sestatus
>>
>> root at qemux86:~# sestatus
>> SELinux status:                 enabled
>> SELinuxfs mount:                /sys/fs/selinux
>> SELinux root directory:         /etc/selinux
>> Loaded policy name:             mls
>> Current mode:                   permissive
>> Mode from config file:          enforcing
>> Policy MLS status:              enabled
>> Policy deny_unknown status:     allowed
>> Memory protection checking:     requested (insecure)
>> Max kernel policy version:      30
>>
>>> OR:
>>> $ semanage login -l
>>
>> root at qemux86:~# semanage login -l
>>
>> Login Name           SELinux User         MLS/MCS Range        Service
>>
>> __default__          user_u               s0-s0                *
>> root                 root                 s0-s15:c0.c1023      *
>>
>> (I followed the information below and enabled the python components.)
>>
>>> Actually this doesn't work because of runtime dependencies; I commented
>>> this out of setools_4.1.1.bb:
>>>
>>> # TODO: depends on meta-python, disable the RDEPENDS for now:
>>> # RDEPENDS_${PN} += "python-networkx python-enum34 python-decorator
>>> python-setuptools"
>>>
>>> For the community, we need to discuss whether meta-selinux should depend on
>>> meta-python by default, or whether we just ask users to add it themselves.
>>
>> Yes, we can add a requirement for meta-python.  I just need to clearly document
>> in the commit message why it is there.
>>
>> I will work to update the mgh/master-next with the meta-python items and some of
>> the information above...
>>
>> --Mark
>>
>>> Thanks
>>> Wenzong
>>>
>>>>
>>>>> --Mark
>>>>>
>>>>
>>>>
>>
>>
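The denials quoted in this thread are the usual shape of an SELinux triage problem: two identical AVC records, a source type (local_login_t), a target type (bin_t) and a permission (execute). The wrong reaction is to feed them to audit2allow and load the resulting allow rule; the thread's actual fix was a labeling one (bash.bash had no file context in refpolicy and so fell back to bin_t). The following is an added example, not code from meta-selinux, refpolicy or any of the posters: a small Python parser that turns kernel AVC lines into dictionaries, counts them, prints the allow rule the denial literally asks for, and flags the bin_t-execute pattern as a probable mislabel. The sample log is the kernel output quoted above with the mail line-wrapping undone; the helper names (parse_avc, summarize, allow_rule, looks_like_mislabel) are my own.

```python
"""Triage SELinux AVC denials like the two quoted in this thread.

Added example for this thread, not code from meta-selinux, refpolicy or
the posters. LOG_SAMPLE is the kernel output quoted above with the mail
line-wrapping undone; the helper names are my own."""
import re
from collections import Counter

# The denials quoted in the thread (constructed from the mail, wrapping joined).
LOG_SAMPLE = """\
[   23.960609] kauditd_printk_skb: 13 callbacks suppressed
[   23.973922] audit: type=1400 audit(1505347190.805:29): avc:  denied  { execute } for  pid=671 comm="login" name="bash.bash" dev="vda" ino=8163 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
[   23.975463] audit: type=1400 audit(1505347190.813:30): avc:  denied  { execute } for  pid=671 comm="login" name="bash.bash" dev="vda" ino=8163 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
"""

_AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs after "for": values are double-quoted strings or bare tokens.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in _FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:range]; the type is what policy rules name.
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":", 3)
        rec[ctx + "_type"] = parts[2] if len(parts) > 2 else None
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def summarize(log_text):
    """Count denials by (source type, target type, class, permissions)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            key = (rec["scontext_type"], rec["tcontext_type"],
                   rec.get("tclass"), tuple(rec["perms"]))
            counts[key] += 1
    return dict(counts)


def allow_rule(rec):
    """The allow rule this denial literally asks for (roughly what audit2allow emits)."""
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {rec['scontext_type']} {rec['tcontext_type']}:{rec.get('tclass')} {perm_str};"


def looks_like_mislabel(rec):
    """Heuristic: an execute denial whose target is bin_t, the generic label
    refpolicy gives files under /bin that have no more specific file_contexts
    entry. That is what happened to bash.bash in this thread, so the fix is a
    file context entry plus restorecon, not the allow rule above."""
    return (rec.get("tclass") == "file" and "execute" in rec["perms"]
            and rec["tcontext_type"] == "bin_t")


if __name__ == "__main__":
    for (stype, ttype, tclass, perms), n in summarize(LOG_SAMPLE).items():
        print(f"{n}x {stype} -> {ttype}:{tclass} {{ {' '.join(perms)} }}")
    rec = parse_avc(LOG_SAMPLE.splitlines()[1])
    print(allow_rule(rec))
    if looks_like_mislabel(rec):
        print(f"check the label of {rec['name']} (matchpathcon/restorecon) before allowing")
```

Run it against `dmesg` or `/var/log/audit/audit.log` output; when the summary collapses many records into one (source, target, class, perms) tuple whose target is a generic type such as bin_t, verify the file's label first, since a permissive boot (`enforcing=0`, as suggested above) will show the whole chain of denials a single mislabeled file produces.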