The policy modules are now installed into /var/lib/selinux instead of /etc/selinux. Policies now have priorities. This is represented as part of the path under /var/lib/selinux. The new intermediate policy representation requires that we install the policy package as 3 files (hll, cil & lang_ext) instead of just the *.pp as before. The cil is generated from the hll (the pp file) using the new 'pp' utility. The base policy module now lives with all of the other modules. policy.kern has gone away.
Signed-off-by: Philip Tricca <[email protected]>
---
 recipes-security/refpolicy/refpolicy_common.inc | 40 ++++++++++++++++---------
 1 file changed, 26 insertions(+), 14 deletions(-)
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 620e7c0..de38dfc 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -14,6 +14,7 @@ S = "${WORKDIR}/refpolicy"
 FILES_${PN} = " \
 ${sysconfdir}/selinux/${POLICY_NAME}/ \
 ${datadir}/selinux/${POLICY_NAME}/*.pp \
+ ${localstatedir}/lib/selinux/${POLICY_NAME}/ \
 "
 FILES_${PN}-dev =+ " \
 ${datadir}/selinux/${POLICY_NAME}/include/ \
@@ -65,20 +66,33 @@ do_compile() {
 prepare_policy_store () {
 oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
+ POL_PRIORITY=100
+ POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
+ POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
+ POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
 # Prepare to create policy store
- mkdir -p ${D}${sysconfdir}/selinux/
- mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/policy
- mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules
- mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files
- touch ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local
- for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do
- bzip2 -f $i && mv -f $i.bz2 $i
- if [ "`basename $i`" != "base.pp" ]; then
- cp $i ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i`
+ mkdir -p ${POL_STORE}
+ mkdir -p ${POL_ACTIVE_MODS}
+
+ # get hll type from suffix on base policy module
+ HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
+ HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
+
+ for i in ${POL_SRC}/*.${HLL_TYPE}; do
+ MOD_NAME=$(basename $i | sed "s/\.${HLL_TYPE}$//")
+ MOD_DIR=${POL_ACTIVE_MODS}/${MOD_NAME}
+ mkdir -p ${MOD_DIR}
+ echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
+ if ! bzip2 -qt $i 2>/dev/null; then
+ ${HLL_BIN} $i | bzip2 --stdout > ${MOD_DIR}/cil
+ bzip2 -f $i && mv -f $i.bz2 $i
 else
- cp $i ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/`basename $i`
+ bunzip2 --stdout $i | \
+ ${HLL_BIN} | \
+ bzip2 --stdout > ${MOD_DIR}/cil
 fi
+ cp $i ${MOD_DIR}/hll
 done
 }
@@ -100,6 +114,8 @@ EOF
 # Create policy store and build the policy
 semodule -p ${D} -s ${POLICY_NAME} -n -B
 rm -f ${D}${sysconfdir}/selinux/semanage.conf
+ # no need to leave tmp dir created by semanage lanying around
+ rm -rf ${D}${localstatedir}/lib/selinux/tmp
 }
 install_misc_files () {
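Review bot: The two `${HLL_BIN} … | bzip2 --stdout > ${MOD_DIR}/cil` pipelines in the new loop report only bzip2's exit status, so a failed or missing pp-to-cil conversion still leaves a (possibly empty) `cil` in the module store and the task carries on; as far as I can tell bitbake shell tasks do not run with pipefail, so a store whose base module has an empty cil is only noticed later, if at all, at `semodule -B`. Convert first and compress only once the compiler has returned success, e.g. `${HLL_BIN} $i > ${MOD_DIR}/cil.tmp || bbfatal "hll conversion of $i failed"` followed by `bzip2 --stdout ${MOD_DIR}/cil.tmp > ${MOD_DIR}/cil && rm -f ${MOD_DIR}/cil.tmp`, and the same for the bunzip2 branch. Relatedly, HLL_TYPE is derived from `echo ${POL_SRC}/base.*`; when no base module is present the unmatched glob stays literal and awk yields `*`, which turns HLL_BIN into `.../hll/*` and widens the loop glob to `*.*` instead of failing, so a guard such as `[ -x "${HLL_BIN}" ] || bbfatal "no hll compiler for type '${HLL_TYPE}'"` right after the HLL_BIN assignment would catch that early. The unquoted `$i` and `${MOD_DIR}` are harmless for the module names expected here but are worth quoting so the loop passes ShellCheck.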
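Review bot: The comment added above the new cleanup line has a typo, `lanying` for `lying`; it should read `# no need to leave tmp dir created by semanage lying around`. The `rm -rf ${D}${localstatedir}/lib/selinux/tmp` beneath it is an unquoted recursive delete; bitbake expands `${D}` before the shell runs so it is not empty in practice, but `rm -rf -- "${D}${localstatedir}/lib/selinux/tmp"` is the form reviewers usually ask for on a destructive path. The opening line of the enclosing function is outside this hunk.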
@@ -114,10 +130,6 @@ install_misc_files () {
 # install policy headers
 oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install-headers
-
- # Fix symbol link policy.kern
- link_path=`readlink -f ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/policy.kern`
- ln -sf ../../policy/`basename $link_path` ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/policy.kern
 }
 do_install () {
-- 
2.1.4
-- 
_______________________________________________
yocto mailing list
[email protected]
https://lists.yoctoproject.org/listinfo/yocto
