On 09/14/2017 09:33 PM, Mark Hatle wrote:
On 9/14/17 5:31 AM, wenzong fan wrote:


On 09/14/2017 08:07 AM, Mark Hatle wrote:
On 9/12/17 9:19 PM, Mark Hatle wrote:
On 9/12/17 9:06 PM, wenzong fan wrote:
On 09/12/2017 06:59 PM, Chanho Park wrote:
Hi,

I can't apply this patch on top of the master branch. Which revision did
you make the patches?

Oops, that's my fault. I did a "sed -i -e 's/Subject: [/Subject: [meta-selinux][/g' 00*" to add a prefix to the mail subjects, and that also changed the removed patch files in libsemanage.

I'll send v2.

Thanks
Wenzong

I don't see the original set of patches in my archives.  When you rebase, please
rebase on top of mgh/master-next.

My mailer finally loaded the original set.  I saw the same problems, but was
able to get them merged.

I have updated 'mgh/master-next'.  Please verify the contents include all of
your changes.

All my changes are there now.


I tried to build a system and boot it, but it didn't work.  I'm guessing I
forgot something simple, but I can't make master-next into master without
knowing I can boot.  Any clue would be useful.  Thanks!


My configuration is:

bblayers.conf:

oe-core (master) & meta-selinux (mgh/master-next)


local.conf:

IMAGE_FEATURES_append = " debug-tweaks ssh-server-openssh"

DISTRO_FEATURES_append = " opengl x11 wayland acl xattr pam selinux"

PREFERRED_PROVIDER_virtual/refpolicy = "refpolicy-mls"
PREFERRED_VERSION_refpolicy-mls = "2.20170204"

Above configs are OK, you can simply use:

DISTRO = "poky-selinux"
PREFERRED_VERSION_refpolicy-mls ?= "2.20170204"

The DISTRO settings in meta-selinux are being removed (they are no longer in the
master-next branch).  Instead the user will be required to set the
DISTRO_FEATURE 'selinux' to enable the components.  (It is expected they will
also enable acl/xattr and pam.)



I ran QEMU using:


runqemu qemux86 core-image-selinux ext4 nographic



Please run QEMU with:

$ runqemu qemux86 core-image-selinux ext4 nographic bootparams="selinux=1 enforcing=0"




Trying to log in I get:

qemux86 login: root
[   23.960609] kauditd_printk_skb: 13 callbacks suppressed
Cannot execute /bin/sh: Permission denied
[   23.973922] audit: type=1400 audit(1505347190.805:29): avc:  denied  { execute } for  pid=671 comm="login" name="bash.bash" dev="vda" ino=8163 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
[   23.975463] audit: type=1400 audit(1505347190.813:30): avc:  denied  { execute } for  pid=671 comm="login" name="bash.bash" dev="vda" ino=8163 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0



This should be blocked by refpolicy-mls. Please boot with "selinux=1
enforcing=0" to verify that the SELinux tools work. For example:

I would like to update the README file for the layer on how the user can
actually make a bootable system.  If this involves adding a user, that is fine.
But at present there is no way to login w/o turning off enforcing.  That seems
to defeat the purpose of enabling selinux in a design.

This is really an issue, I'll fix it.

Thanks
Wenzong


So any help you can give me for the documentation would be appreciated.

$ sestatus

root@qemux86:~# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             mls
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     requested (insecure)
Max kernel policy version:      30

OR:
$ semanage login -l

root@qemux86:~# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0-s0                *
root                 root                 s0-s15:c0.c1023      *

(I followed the information below and enabled the python components.)

Actually this doesn't work because of runtime dependencies; I commented
this out in setools_4.1.1.bb:

# TODO: depends on meta-python, disable the RDEPENDS for now:
# RDEPENDS_${PN} += "python-networkx python-enum34 python-decorator python-setuptools"

For the community, we need to discuss whether we can have meta-selinux depend on
meta-python by default, or just have users do that themselves?

Yes, we can add a requirement for meta-python.  I just need to clearly document
in the commit message why it is there.

I will work to update the mgh/master-next with the meta-python items and some of
the information above...

--Mark

Thanks
Wenzong


--Mark
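
The AVC lines quoted in the thread are the data a person debugging this boot failure works from, so here is an added example (not part of the thread, and not code from meta-selinux) that parses that kernel audit format into fields, groups the denials by source type, target type, object class and permission, and records whether each denial was actually enforced (permissive=0) or only logged (permissive=1), which is the distinction the "enforcing=0" boot parameter turns on. The two "login"/"bash.bash" records are taken from the thread; the "sshd" record and the non-AVC line are constructed sample input, and the sshd_t/user_home_t types are assumed for illustration.

```python
import re

# Constructed sample log. Lines 2 and 3 reproduce the denials quoted in the thread;
# line 1 is a non-AVC kernel message and line 4 is a made-up permissive-mode denial.
SAMPLE_LOG = [
    "[   23.960609] kauditd_printk_skb: 13 callbacks suppressed",
    '[   23.973922] audit: type=1400 audit(1505347190.805:29): avc:  denied  { execute } for  pid=671 comm="login" name="bash.bash" dev="vda" ino=8163 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0',
    '[   23.975463] audit: type=1400 audit(1505347190.813:30): avc:  denied  { execute } for  pid=671 comm="login" name="bash.bash" dev="vda" ino=8163 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0',
    '[   41.120000] audit: type=1400 audit(1505347208.100:31): avc:  denied  { read } for  pid=702 comm="sshd" name="root" dev="vda" ino=1201 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=1',
]

# Shape of a kernel AVC record:
#   audit: type=1400 audit(<ts>:<serial>): avc:  denied  { <perms> } for  key=value ...
AVC_RE = re.compile(
    r"type=1400\s+audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
    r"(?P<rest>.*)$"
)
# key=value pairs after "for"; values are either quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of fields for one AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # Split user:role:type[:range] so callers can key on the type component;
    # the MLS range itself may contain ':' (e.g. s0-s15:c0.c1023), hence maxsplit=3.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            _user, _role, typ, *rng = rec[ctx].split(":", 3)
            rec[ctx + "_type"] = typ
            rec[ctx + "_range"] = rng[0] if rng else ""
    # permissive=0 means the kernel really refused the access; permissive=1 means it
    # was allowed and only logged (what "enforcing=0" produces).
    rec["enforced"] = rec.get("permissive") == "0"
    return rec


def summarize(lines):
    """Group denials by (source type, target type, class, permission)."""
    summary = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (rec["scontext_type"], rec["tcontext_type"], rec["tclass"], perm)
            entry = summary.setdefault(key, {"count": 0, "blocked": False})
            entry["count"] += 1
            entry["blocked"] = entry["blocked"] or rec["enforced"]
    return summary


def allow_rules(summary):
    """Render each denial as the policy statement that would permit it (audit2allow style).

    Treat these as a diagnostic, not a patch: a denial like local_login_t -> bin_t:file
    execute usually means the shell carries a generic label, so check the file's
    label (ls -Z) before adding an allow rule to the policy.
    """
    return sorted(
        "allow %s %s:%s %s;" % (src, tgt, cls, perm)
        for (src, tgt, cls, perm) in summary
    )


if __name__ == "__main__":
    for key, entry in sorted(summarize(SAMPLE_LOG).items()):
        state = "BLOCKED" if entry["blocked"] else "logged only"
        print("%-14s -> %-12s %-4s %-8s x%d  %s" % (key + (entry["count"], state)))
    for rule in allow_rules(summarize(SAMPLE_LOG)):
        print(rule)
```

Run against dmesg or /var/log/audit/audit.log output; in the thread's case the summary shows the single login -> bash.bash execute denial being enforced twice, which is why the login fails with "Permission denied" under enforcing=1 and succeeds (logged only) under enforcing=0.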





--
_______________________________________________
yocto mailing list
https://lists.yoctoproject.org/listinfo/yocto
