Re: [yocto] [meta-selinux][PATCH 0/4] refpolicy: update to 20200229+git

Tue, 14 Jul 2020 23:19:49 -0700 


On 7/15/20 12:19 AM, Scott Murray wrote:

On Tue, 7 Jul 2020, Yi Zhao wrote:


Here is the changelog for this is patchset:

* Drop refpolicy 2.20190201
   If we still keep two versions of refpolicy, it is difficult to maintain two 
huge local patchsets. So drop this version and only keep the git version.

* Add patches to make systemd/sysvinit can work with all policy types.

Here are the results with this patcheset:

Machine: qemux86-64
Image: core-image-selinux
Init manager: sysvinit and systemd
Policy types: minimum, targeted, standard, mcs, mls
Boot command: runqemu qemux86-64 kvm nographic bootparams="selinux=1 enforcing=1" 
qemuparams="-m 1024"

1. All refpolicy type can be built without problems.

2. With parameter selinux=1 & enforcing=1
The qemu can boot up and login with all policy types.

[snip]

I suspect I'm really missing something, but I'm unable to successfully
make this work with poky + meta-selinux and its meta-openembedded
dependencies with either sysvinit or systemd; I see denials on boot and
cannot log in due to denials on reading /etc/passwd.  That's also the
behavior I see without this update, so I'm wondering if I'm just doing
something significantly wrong with respect to configuration.  My
local.conf additions for testing are just:

DISTRO_FEATURES_append = " selinux"



Please set the following DISTRO_FEATURES:

DISTRO_FEATURES_append = " acl xattr pam selinux"


If you see some AVC denials for {map} like below:
avc:  denied  { map } for  pid=249 comm="dbus-daemon" path="/etc/passwd" dev="vda" ino=345 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0 avc:  denied  { map } for  pid=319 comm="avahi-daemon" path="/etc/passwd" dev="vda" ino=345 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0 avc:  denied  { map } for  pid=379 comm="login" path="/etc/passwd" dev="vda" ino=345 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0 

They are harmless.


//Yi



PREFERRED_PROVIDER_virtual/refpolicy = "refpolicy-targeted"

Any ideas?

Thanks,

Scott



-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#49957): https://lists.yoctoproject.org/g/yocto/message/49957
Mute This Topic: https://lists.yoctoproject.org/mt/75351492/21656
Group Owner: yocto+ow...@lists.yoctoproject.org
Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub  
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to