On 04/18/2016 05:02 AM, Philip Tricca wrote:
Hello Wenzong,
On 04/08/2016 01:19 AM, [email protected] wrote:
From: Wenzong Fan <[email protected]>
Apply the changes to refpolicy-minimum_2.20151208.bb:
commit bfaf278116e6c3a04bb82c9f8a4f8629a0a85df8
Author: Wenzong Fan <[email protected]>
Date: Tue Oct 27 06:25:04 2015 -0400
refpolicy-minimum: update prepare_policy_store
* update prepare_policy_store() for supporting SELinux 2.4 & CIL, the
logic is from refpolicy_common.inc but with minimum set of policy
modules;
* add extra policy modules that are required by sysnetwork; without those
modules the install process will fail with error:
| Failed to resolve roletype statement at 62 of \
.../image/var/lib/selinux/minimum/tmp/modules/100/sysnetwork/cil
| Failed to resolve ast
| semodule: Failed!
Signed-off-by: Wenzong Fan <[email protected]>
Signed-off-by: Joe MacDonald <[email protected]>
Signed-off-by: Wenzong Fan <[email protected]>
---
This looks great but in testing it I'm unable to use the 'minimum'
refpolicy recipe in any image. The recipe builds fine but the do_rootfs
fails trying to label the filesystem. I haven't been able to find the
root cause for this yet, but I'm seeing this behavior both before and
after adding this patch so it may be a preexisting issue?
Given all of that, I've merged this patch into master since it doesn't
seem related to the issue I'm seeing. Still, some help in resolving the
issue I'm seeing with the minimum refpolicy recipe would be appreciated.
Hi Philip,
Thanks for getting the change merged.
I did a test and saw errors like:
/.../core-image-selinux/1.0-r0/rootfs//etc/selinux/mcs/contexts/files/file_contexts:
No such file or directory
That should be because the SELINUXTYPE in /etc/selinux/config is not correct;
the patch below could fix it:
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -162,7 +162,8 @@ SELINUX=${DEFAULT_ENFORCING}
# mls - Multi Level Security protection.
# targeted - Targeted processes are protected.
# mcs - Multi Category Security protection.
-SELINUXTYPE=${POLICY_TYPE}
+# minimum - Minimum Security protection.
+SELINUXTYPE=${POLICY_NAME}
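Review bot: switching `SELINUXTYPE=${POLICY_TYPE}` to `SELINUXTYPE=${POLICY_NAME}` in the shared refpolicy_common.inc changes the generated /etc/selinux/config for every refpolicy variant, not only refpolicy-minimum, so please confirm that POLICY_NAME and POLICY_TYPE are the same value in the mls/targeted/mcs recipes before merging; otherwise the file_contexts lookup under /etc/selinux/<SELINUXTYPE>/contexts/files moves for them as well. The value does need to match the store directory that prepare_policy_store creates under `${localstatedir}/lib/selinux/${POLICY_NAME}`, which is the case here. Since this is an inline patch with no commit message or Signed-off-by, it should be resent as a proper patch with the rootfs error from this thread quoted in the description.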
It works in my test, please feel free to integrate it if you think it
makes sense.
Thanks
Wenzong
Thanks,
Philip
.../refpolicy/refpolicy-minimum_2.20151208.bb | 41 ++++++++++++++++------
1 file changed, 30 insertions(+), 11 deletions(-)
diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
index b275821..47ed558 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
@@ -26,23 +26,42 @@ EXTRA_POLICY_MODULES += "nscd"
# "login", so "login" process will access to /var/spool/mail.
EXTRA_POLICY_MODULES += "mta"
+# sysnetwork requires type definitions (insmod_t, consoletype_t,
+# hostname_t, ping_t, netutils_t) from modules:
+EXTRA_POLICY_MODULES += "modutils consoletype hostname netutils"
+
POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
# re-write the same func from refpolicy_common.inc
prepare_policy_store () {
oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
+ POL_PRIORITY=100
+ POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
+ POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
+ POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
# Prepare to create policy store
- mkdir -p ${D}${sysconfdir}/selinux/
- mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/policy
- mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules
- mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files
- touch
${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local
- for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do
- bzip2 -f $i && mv -f $i.bz2 $i
- done
- cp base.pp
${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
- for i in ${POLICY_MODULES_MIN}; do
- cp ${i}.pp
${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i.pp`
+ mkdir -p ${POL_STORE}
+ mkdir -p ${POL_ACTIVE_MODS}
+
+ # get hll type from suffix on base policy module
+ HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
+ HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
+
+ for i in base ${POLICY_MODULES_MIN}; do
+ MOD_FILE=${POL_SRC}/${i}.${HLL_TYPE}
+ MOD_DIR=${POL_ACTIVE_MODS}/${i}
+ mkdir -p ${MOD_DIR}
+ echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
+
+ if ! bzip2 -t ${MOD_FILE} >/dev/null 2>&1; then
+ ${HLL_BIN} ${MOD_FILE} | bzip2 --stdout > ${MOD_DIR}/cil
+ bzip2 -f ${MOD_FILE} && mv -f ${MOD_FILE}.bz2
${MOD_FILE}
+ else
+ bunzip2 --stdout ${MOD_FILE} | \
+ ${HLL_BIN} | \
+ bzip2 --stdout > ${MOD_DIR}/cil
+ fi
+ cp ${MOD_FILE} ${MOD_DIR}/hll
done
}
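Review bot: the new loop has no guard for an empty HLL_TYPE; if `${POL_SRC}/base.*` matches nothing, `awk -F . '{if (NF>1) {print $NF}}'` prints nothing, `MOD_FILE` becomes `${POL_SRC}/base.` and `HLL_BIN` points at a non-existent `hll/` directory, so the failure surfaces only as a confusing error from `bzip2 -t` or the pipeline rather than at the cause. Add a check such as `[ -n "${HLL_TYPE}" ] || bbfatal "no base policy module found in ${POL_SRC}"` right after HLL_TYPE is computed. Also, in `${HLL_BIN} ${MOD_FILE} | bzip2 --stdout > ${MOD_DIR}/cil` (and the bunzip2 branch) the exit status is bzip2's, so a failing HLL converter still leaves a truncated or empty `cil` file and the task succeeds; either enable `set -o pipefail` in the function or test the converter separately before compressing. Finally, the hunk drops the `touch .../contexts/files/file_contexts.local` line without an obvious replacement; unless the `install` target now creates that file, confirm it is not needed for labelling at do_rootfs.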
--
_______________________________________________
yocto mailing list
[email protected]
https://lists.yoctoproject.org/listinfo/yocto