Re: [meta-selinux][PATCH 2/3] Integrate selinux-config into refpolicy_common.

[Joe MacDonald <Joe_MacDonald@mentor.com>]

[-- Attachment #1: Type: text/plain, Size: 7969 bytes --]

Hi Wenzong,

[Re: [yocto] [meta-selinux][PATCH 2/3] Integrate selinux-config into refpolicy_common.] On 16.04.08 (Fri 16:27) wenzong fan wrote:

> This causes do_populate_sysroot error if build two or more types of
> refpolicy:
> 
> $ bitbake refpolicy-minimum && bitbake refpolicy-mls
> 
> ERROR: refpolicy-mls-git-r0 do_populate_sysroot: The recipe refpolicy-mls is
> trying to install files into a shared area when those files already exist.
> Those files and their manifest location are:

I think this was always the intent with the series Philip submitted last
week (for reference, the thread is
https://www.mail-archive.com/yocto@yoctoproject.org/msg28530.html).
Isn't this (part of) the expected behaviour of the virtual provider
mechanism?  We did discuss what it would mean to be trying out multiple
policies on a system at the same time and at the time it seemed like the
"just works" angle was more important than "buffet style" when it came
to providing policy on the image.

It might be worth considering extending the changes to only do some
install steps at, say, do_rootfs but I don't know if that even makes
sense, this is really the first I've thought of it.  I think Philip's
original changes are good, though, for our maintenance and for clients
of meta-selinux.

-J.

> 
> /buildarea/raid5/wfan/yocto/builds/selinux_sysvinit/tmp/sysroots/qemux86-64/etc/selinux/sepolgen.conf
>  Matched in manifest-qemux86-64-refpolicy-minimum.populate_sysroot
> 
> /buildarea/raid5/wfan/yocto/builds/selinux_sysvinit/tmp/sysroots/qemux86-64/etc/selinux/config
>  Matched in manifest-qemux86-64-refpolicy-minimum.populate_sysroot
> 
> /buildarea/raid5/wfan/yocto/builds/selinux_sysvinit/tmp/sysroots/qemux86-64/sysroot-providers/virtual_refpolicy
>  Matched in manifest-qemux86-64-refpolicy-minimum.populate_sysroot
> Please verify which recipe should provide the above files.
> 
> Philip,
> 
> Can you consider to withdraw the integration?
> 
> Thanks
> Wenzong
> 
> On 04/04/2016 08:21 AM, Philip Tricca wrote:
> >With the virutal package there's no need for a separate recipe to build
> >the config. This can be generated and included as part of the policy
> >package.
> >
> >Signed-off-by: Philip Tricca <flihp@twobit.us>
> >---
> >  .../packagegroups/packagegroup-core-selinux.bb     |  1 -
> >  .../packagegroups/packagegroup-selinux-minimal.bb  |  1 -
> >  recipes-security/refpolicy/refpolicy_common.inc    | 30 ++++++++++++++--
> >  recipes-security/selinux/selinux-config_0.1.bb     | 40 ----------------------
> >  4 files changed, 28 insertions(+), 44 deletions(-)
> >  delete mode 100644 recipes-security/selinux/selinux-config_0.1.bb
> >
> >diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb b/recipes-security/packagegroups/packagegroup-core-selinux.bb
> >index 62c5a76..c6d22b7 100644
> >--- a/recipes-security/packagegroups/packagegroup-core-selinux.bb
> >+++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb
> >@@ -22,7 +22,6 @@ RDEPENDS_${PN} = " \
> >  	packagegroup-selinux-policycoreutils \
> >  	setools \
> >  	setools-console \
> >-	selinux-config \
> >  	selinux-autorelabel \
> >  	selinux-init \
> >  	selinux-labeldev \
> >diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
> >index 87ae686..451ae8b 100644
> >--- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
> >+++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
> >@@ -21,7 +21,6 @@ RDEPENDS_${PN} = "\
> >  	policycoreutils-semodule \
> >  	policycoreutils-sestatus \
> >  	policycoreutils-setfiles \
> >-	selinux-config \
> >  	selinux-labeldev \
> >  	virtual/refpolicy \
> >  "
> >diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
> >index ba887e4..305675f 100644
> >--- a/recipes-security/refpolicy/refpolicy_common.inc
> >+++ b/recipes-security/refpolicy/refpolicy_common.inc
> >@@ -1,3 +1,5 @@
> >+DEFAULT_ENFORCING ??= "enforcing"
> >+
> >  SECTION = "base"
> >  LICENSE = "GPLv2"
> >
> >@@ -14,7 +16,8 @@ SRC_URI += "file://customizable_types \
> >
> >  S = "${WORKDIR}/refpolicy"
> >
> >-FILES_${PN} = " \
> >+CONFFILES_${PN} += "${sysconfdir}/selinux/config"
> >+FILES_${PN} += " \
> >  	${sysconfdir}/selinux/${POLICY_NAME}/ \
> >  	${datadir}/selinux/${POLICY_NAME}/*.pp \
> >  	${localstatedir}/lib/selinux/${POLICY_NAME}/ \
> >@@ -25,7 +28,6 @@ FILES_${PN}-dev =+ " \
> >  "
> >
> >  DEPENDS += "checkpolicy-native policycoreutils-native m4-native"
> >-RDEPENDS_${PN} += "selinux-config"
> >
> >  PACKAGE_ARCH = "${MACHINE_ARCH}"
> >
> >@@ -137,13 +139,37 @@ install_misc_files () {
> >  	oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install-headers
> >  }
> >
> >+install_config () {
> >+	echo "\
> >+# This file controls the state of SELinux on the system.
> >+# SELINUX= can take one of these three values:
> >+#     enforcing - SELinux security policy is enforced.
> >+#     permissive - SELinux prints warnings instead of enforcing.
> >+#     disabled - No SELinux policy is loaded.
> >+SELINUX=${DEFAULT_ENFORCING}
> >+# SELINUXTYPE= can take one of these values:
> >+#     standard - Standard Security protection.
> >+#     mls - Multi Level Security protection.
> >+#     targeted - Targeted processes are protected.
> >+#     mcs - Multi Category Security protection.
> >+SELINUXTYPE=${POLICY_TYPE}
> >+" > ${WORKDIR}/config
> >+	install -d ${D}/${sysconfdir}/selinux
> >+	install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
> >+}
> >+
> >  do_install () {
> >  	prepare_policy_store
> >  	rebuild_policy
> >  	install_misc_files
> >+	install_config
> >  }
> >
> >  do_install_append(){
> >  	# While building policies on target, Makefile will be searched from SELINUX_DEVEL_PATH
> >  	echo "SELINUX_DEVEL_PATH=${datadir}/selinux/${POLICY_NAME}/include" > ${D}${sysconfdir}/selinux/sepolgen.conf
> >  }
> >+
> >+sysroot_stage_all_append () {
> >+	sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
> >+}
> >diff --git a/recipes-security/selinux/selinux-config_0.1.bb b/recipes-security/selinux/selinux-config_0.1.bb
> >deleted file mode 100644
> >index e902e98..0000000
> >--- a/recipes-security/selinux/selinux-config_0.1.bb
> >+++ /dev/null
> >@@ -1,40 +0,0 @@
> >-DEFAULT_ENFORCING ??= "enforcing"
> >-
> >-SUMMARY = "SELinux configuration"
> >-DESCRIPTION = "\
> >-SELinux configuration files for Yocto. \
> >-"
> >-
> >-SECTION = "base"
> >-LICENSE = "MIT"
> >-LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
> >-PR = "r4"
> >-
> >-S = "${WORKDIR}"
> >-
> >-CONFFILES_${PN} += "${sysconfdir}/selinux/config"
> >-
> >-PACKAGE_ARCH = "${MACHINE_ARCH}"
> >-
> >-do_install () {
> >-	echo "\
> >-# This file controls the state of SELinux on the system.
> >-# SELINUX= can take one of these three values:
> >-#     enforcing - SELinux security policy is enforced.
> >-#     permissive - SELinux prints warnings instead of enforcing.
> >-#     disabled - No SELinux policy is loaded.
> >-SELINUX=${DEFAULT_ENFORCING}
> >-# SELINUXTYPE= can take one of these values:
> >-#     standard - Standard Security protection.
> >-#     mls - Multi Level Security protection.
> >-#     targeted - Targeted processes are protected.
> >-#     mcs - Multi Category Security protection.
> >-SELINUXTYPE=${@d.getVar("PREFERRED_PROVIDER_virtual/refpolicy", False)[len("refpolicy-"):]}
> >-" > ${WORKDIR}/config
> >-	install -d ${D}/${sysconfdir}/selinux
> >-	install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
> >-}
> >-
> >-sysroot_stage_all_append () {
> >-	sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
> >-}
> >

-- 
-Joe MacDonald.
:wq

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 484 bytes --]