From: Joe MacDonald <joe@deserted.net>
To: Mark Hatle <mark.hatle@windriver.com>
Cc: yocto@yoctoproject.org
Subject: Re: [meta-selinux] Updated meta-selinux -- master-next
Date: Fri, 27 Sep 2013 15:58:53 -0400
Message-ID: <20130927195850.GA8272@deserted.net>
In-Reply-To: <523B4551.3040407@windriver.com>
[[yocto] [meta-selinux] Updated meta-selinux -- master-next] On 13.09.19 (Thu 13:41) Mark Hatle wrote:
> I have updated meta-selinux, and placed the update into the 'master-next' branch.
>
> This was locally tested with Poky as of commit
> 853bc53cd58a621918f0e5ce662dba263d1befb4.
>
> Note, when building the core-image-selinux, the internal refpolicies
> cause a lot of failures. I'm not an expert on how this should be
> configured, so I'm looking for help/patches from others.
>
> If you know of any other additional patches that should be applied,
> or are able to help with the refpolicies, please let me know!
>
> Thanks!
> --Mark
I just pushed a new (non-ff!) update to master-next. It includes the
following:
- Mark Hatle: policycoreutils: avoid shell for checking target-special actions
- Mark Hatle: setools: Uprev setools
- Mark Hatle: README: Update status
- Mark Hatle: libcap-ng: Uprev libcap-ng
- Mark Hatle: audit: Uprev to audit 2.3.2
- Mark Hatle: swig: Update to latest swig from meta-openembedded
- Mark Hatle: python-ipy: Uprev to latest 0.81 version
- Mark Hatle: distro/*: Update the distro files
- Christopher Larson: layer.conf: avoid unnecessary early expansion with :=
- Qiang Chen: selinux: remove reference to locale env files from login
- Mark Hatle: linux-yocto: Add support for the 3.10 kernel
- Xin Ouyang: kernel: add BBAPPEND for linux 3.10
- Xin Ouyang: busybox: alternatives link to sh wrappers for commands
- Xin Ouyang: refpolicy*: remove old version recipes and patches.
- Xin Ouyang: refpolicy*: add new version 2.20130424
- Joe MacDonald: udev/init: work around dev-cache restore problems
- Mark Hatle: udev/init: sync to latest poky version
- Xin Ouyang: always force to restore file contexts in initscripts
- Xin Ouyang: policycoreutils: fix wrong newrole/run_init pam config
- Xin Ouyang: sepolgen: migrate SRC_URI to 1.1.9
- Xin Ouyang: policycoreutils: migrate SRC_URI and patches to 2.1.14
- Xin Ouyang: libsepol: migrate SRC_URI to 2.1.9
- Xin Ouyang: libsemanage: migrate SRC_URI to 2.1.10
- Xin Ouyang: libselinux: migrate SRC_URI and patches to 2.1.13
- Xin Ouyang: checkpolicy: migrate SRC_URI to 2.1.12
- Xin Ouyang: selinux userspace: uprev packages to release 20130423
- Philip Tricca: Add ${bindir}/sepolgen to system-config-selinux package.
- Philip Tricca: Check for the availability of 'secon' and 'setenforce' in the selinux-init.sh script.
- Philip Tricca: Resend: Install policy headers and include them in the refpolicy dev package.
- Joe Slater: openssh: add PACKAGECONFIG data regarding audit
- Philip Tricca: Add util-linux-agetty to core-image-selinux IMAGE_INSTALL.
- Joe MacDonald: documentation: update guidance for runqemu
- Philip Tricca: Stage SELinux config file in the sysroot.
- Philip Tricca: Add leading whitespace to DISTRO_FEATURES_append in oe-selinux.conf
It's still not as clean as I would like it, but at least I understand
(most of) the current failures. I'll probably not get another chance to
look at this until Monday, though.
First boot and auto-relabel work fine.
Second boot generates the following audit warnings:
type=1401 audit(1380309719.391:4): security_validate_transition: denied for oldcontext=system_u:object_r:device_t:s15:c0.c1023 newcontext=system_u:object_r:framebuf_device_t:s0 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=chr_file
udevd[135]: setfilecon /dev/fb0 failed: Operation not permitted
type=1401 audit(1380309729.653:5): security_validate_transition: denied for oldcontext=system_u:object_r:device_t:s15:c0.c1023 newcontext=system_u:object_r:tty_device_t:s0 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=chr_file
type=1401 audit(1380309729.663:6): security_validate_transition: denied for oldcontext=system_u:object_r:device_t:s15:c0.c1023 newcontext=system_u:object_r:tty_device_t:s0 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=chr_file
udevd[86]: setfilecon /dev/vcs2 failed: Operation not permitted
udevd[93]: setfilecon /dev/vcsa2 failed: Operation not permitted
I initially sank a lot of time into these until I realized the problem
is present (and just not reported) in master. I haven't yet opened a
bug on it, but I intend to unless I can fix it myself (or someone sends
me a patch) in the very short term.
Subsequent boots are less happy:
type=1401 audit(1380310608.155:5): security_validate_transition: denied for oldcontext=system_u:object_r:device_t:s0 newcontext=system_u:object_r:memory_device_t:s15:c0.c1023 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=chr_file
type=1401 audit(1380310608.164:6): security_validate_transition: denied for oldcontext=system_u:object_r:device_t:s0 newcontext=system_u:object_r:memory_device_t:s15:c0.c1023 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=chr_file
type=1401 audit(1380310608.178:7): security_validate_transition: denied for oldcontext=system_u:object_r:device_t:s0 newcontext=system_u:object_r:memory_device_t:s15:c0.c1023 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=chr_file
type=1401 audit(1380310608.203:8): security_validate_transition: denied for oldcontext=system_u:object_r:device_t:s0 newcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=chr_file
type=1401 audit(1380310608.783:9): security_validate_transition: denied for oldcontext=system_u:object_r:fixed_disk_device_t:s0 newcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=blk_file
type=1401 audit(1380310608.789:10): security_validate_transition: denied for oldcontext=system_u:object_r:fixed_disk_device_t:s0 newcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=blk_file
type=1401 audit(1380310608.793:11): security_validate_transition: denied for oldcontext=system_u:object_r:fixed_disk_device_t:s0 newcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=blk_file
type=1401 audit(1380310608.798:12): security_validate_transition: denied for oldcontext=system_u:object_r:fixed_disk_device_t:s0 newcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=blk_file
type=1401 audit(1380310608.802:13): security_validate_transition: denied for oldcontext=system_u:object_r:fixed_disk_device_t:s0 newcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=blk_file
udevd[86]: starting version 182
Starting Bootlog daemon: bootlogd.
Populating dev cache
ALSA: Restoring mixer settings...
audit_printk_skb: 87 callbacks suppressed
type=1400 audit(1380310625.861:43): avc: denied { read write } for pid=249 comm="alsactl" path="/dev/ttyS0" dev="devtmpfs" ino=6092 scontext=system_u:system_r:alsa_t:s0-s15:c0.c1023 tcontext=root:object_r:user_tty_device_t:s0 tclass=chr_file
Configuring network interfaces... done.
Starting rpcbind daemon...type=1400 audit(1380310628.230:44): avc: denied { read write } for pid=265 comm="rpcbind" path="/dev/ttyS0" dev="devtmpfs" ino=6092 scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tcontext=root:object_r:user_tty_device_t:s0 tclass=chr_file
done.
But these are all due to problems I detail in "udev/init: work around
dev-cache restore problems". There's a simple workaround for it, but
it's hacky (less hacky than not using the dev cache at all? more? not
sure) so I'd rather come up with a cleaner solution.
Anyway, that's the state of meta-selinux's master-next as of right now.
As mentioned (somewhere) elsewhere, master-next will continue to be
non-ff for the foreseeable future, so anyone else should use it with
caution. master is, of course, perfectly stable (and I hope up-to-date
with all current submissions merged).
--
-Joe MacDonald.
:wq
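Added example (not part of meta-selinux and not from the message above): a small Python triage script for the audit records pasted above. It parses the type=1400 AVC denials and the type=1401 security_validate_transition errors (1400 and 1401 are the kernel's AUDIT_AVC and AUDIT_SELINUX_ERR record numbers) and, for each validate_transition error, reports which fields of the label differ between oldcontext and newcontext. That split is worth seeing because the records above fall into two shapes: the chr_file errors change both the type and the MLS range, while the fixed_disk_device_t ones keep the type and change only the range. The sample input is copied from the message, including the udevd/init lines the parser has to skip and the rpcbind line where the audit record is run into the preceding console output. The script only parses and groups; it says nothing about why the transitions are refused.

```python
"""Triage the SELinux audit records quoted in the message above.

Added example, not code from meta-selinux or from the message author.
Two record kinds are handled: AVC decisions (type=1400, AUDIT_AVC) and
SELinux internal errors (type=1401, AUDIT_SELINUX_ERR), which here are all
security_validate_transition failures. Transition errors are grouped by
which label fields changed, so range-only relabels and type changes can be
told apart at a glance.
"""
import re
from collections import Counter

AUDIT_AVC = 1400          # AVC permission decision
AUDIT_SELINUX_ERR = 1401  # SELinux internal error (validate_transition etc.)

# Sample input: records copied from the message above, plus the plain
# kernel/udevd/init lines around them, which the parser must skip.  The
# last record is run into console output, as it is in the original log.
SAMPLE_LOG = """\
type=1401 audit(1380309719.391:4): security_validate_transition: denied for oldcontext=system_u:object_r:device_t:s15:c0.c1023 newcontext=system_u:object_r:framebuf_device_t:s0 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=chr_file
udevd[135]: setfilecon /dev/fb0 failed: Operation not permitted
type=1401 audit(1380310608.155:5): security_validate_transition: denied for oldcontext=system_u:object_r:device_t:s0 newcontext=system_u:object_r:memory_device_t:s15:c0.c1023 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=chr_file
type=1401 audit(1380310608.783:9): security_validate_transition: denied for oldcontext=system_u:object_r:fixed_disk_device_t:s0 newcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=blk_file
type=1401 audit(1380310608.789:10): security_validate_transition: denied for oldcontext=system_u:object_r:fixed_disk_device_t:s0 newcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=blk_file
udevd[86]: starting version 182
Populating dev cache
type=1400 audit(1380310625.861:43): avc: denied { read write } for pid=249 comm="alsactl" path="/dev/ttyS0" dev="devtmpfs" ino=6092 scontext=system_u:system_r:alsa_t:s0-s15:c0.c1023 tcontext=root:object_r:user_tty_device_t:s0 tclass=chr_file
Starting rpcbind daemon...type=1400 audit(1380310628.230:44): avc: denied { read write } for pid=265 comm="rpcbind" path="/dev/ttyS0" dev="devtmpfs" ino=6092 scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tcontext=root:object_r:user_tty_device_t:s0 tclass=chr_file
"""

# Not anchored at line start on purpose: records can be glued to console output.
_RECORD = re.compile(r"type=(?P<type>\d+) audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
_KV = re.compile(r'(?P<key>\w+)=(?P<val>"[^"]*"|\S+)')
_PERMS = re.compile(r"\{ (?P<perms>[^}]*)\}")


def parse_context(ctx):
    """Split user:role:type[:range] into its fields (range is None if absent)."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "range": parts[3] if len(parts) == 4 else None}


def parse_record(line):
    """Return a dict for an audit record, or None for any other line."""
    m = _RECORD.search(line.strip())
    if m is None:
        return None
    body = m.group("body")
    rec = {"type": int(m.group("type")), "ts": float(m.group("ts")),
           "serial": int(m.group("serial"))}
    rec.update({k: v.strip('"') for k, v in _KV.findall(body)})
    if rec["type"] == AUDIT_AVC:
        pm = _PERMS.search(body)
        rec["perms"] = tuple(pm.group("perms").split()) if pm else ()
        rec["denied"] = body.startswith("avc: denied")
    elif rec["type"] == AUDIT_SELINUX_ERR:
        rec["op"] = body.split(":", 1)[0]   # e.g. security_validate_transition
    return rec


def changed_fields(rec):
    """Which context fields differ between oldcontext and newcontext."""
    old, new = parse_context(rec["oldcontext"]), parse_context(rec["newcontext"])
    return tuple(f for f in ("user", "role", "type", "range") if old[f] != new[f])


def triage(log_text):
    """Count validate_transition errors by (tclass, old type, new type, what
    changed) and AVC denials by (source type, target type, tclass, perms)."""
    transitions, denials = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["type"] == AUDIT_SELINUX_ERR and rec.get("op") == "security_validate_transition":
            old, new = parse_context(rec["oldcontext"]), parse_context(rec["newcontext"])
            transitions[(rec["tclass"], old["type"], new["type"], "+".join(changed_fields(rec)))] += 1
        elif rec["type"] == AUDIT_AVC and rec["denied"]:
            src, tgt = parse_context(rec["scontext"]), parse_context(rec["tcontext"])
            denials[(src["type"], tgt["type"], rec["tclass"], rec["perms"])] += 1
    return {"transitions": transitions, "avc_denials": denials}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("validate_transition errors (tclass, old type, new type, changed): count")
    for key, n in sorted(report["transitions"].items()):
        print("  %s: %d" % (key, n))
    print("AVC denials (source type, target type, tclass, perms): count")
    for key, n in sorted(report["avc_denials"].items()):
        print("  %s: %d" % (key, n))
```

Run it on a full boot log (dmesg or /var/log/audit/audit.log) instead of SAMPLE_LOG and the "changed" column immediately separates relabels that only move the MLS range from those that also change the type; the AVC table likewise collapses the repeated ttyS0 denials into one line per source domain.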
Thread overview: 3+ messages
2013-09-19 18:41 [meta-selinux] Updated meta-selinux -- master-next Mark Hatle
2013-09-27 19:58 ` Joe MacDonald [this message]
2013-09-28 19:46 ` Philip Tricca