From: aduskett at gmail.com <aduskett@gmail.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 1/2] package/libsemanage: add option to manually define policy version
Date: Sat, 14 Dec 2019 17:15:16 -0800 [thread overview]
Message-ID: <20191215011517.1977342-2-aduskett@gmail.com> (raw)
In-Reply-To: <20191215011517.1977342-1-aduskett@gmail.com>
From: Adam Duskett <Aduskett@gmail.com>
The semodule package derives the maximum SELinux policy version from
the libsemanage library.
By default, libsemanage returns the highest supported policy version that
libsepol supports found in include/sepol/policydb/policydb.h and not from the
Kernel. However, if the maximum supported SELinux policy version supported by
the Kernel is lower than the maximum supported policy version from libsemanage,
if a user attempts to build a policy using the semodule program, semodule fails
when creating a policy with the error:
policydb version X does not match my version range 15-X.
This default value may be overwritten by setting the policy-version = line in
/etc/semanage/semanage.conf.
Create an option that allows a user to overwrite the default policy version to
ensure that semodule works on older kernels.
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
---
package/libsemanage/Config.in | 29 +++++++++++++++++++++++++++++
package/libsemanage/libsemanage.mk | 23 +++++++++++++++++++++++
2 files changed, 52 insertions(+)
diff --git a/package/libsemanage/Config.in b/package/libsemanage/Config.in
index 3c7050ee51..814bf293d7 100644
--- a/package/libsemanage/Config.in
+++ b/package/libsemanage/Config.in
@@ -17,6 +17,35 @@ config BR2_PACKAGE_LIBSEMANAGE
http://selinuxproject.org/page/Main_Page
+if BR2_PACKAGE_LIBSEMANAGE
+
+config BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION
+ bool "Manually specify the policy version"
+ help
+ Manually specify the policy version to build.
+
+if BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION
+
+config BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION
+ int "maximum policy version"
+ default 25
+ range 25 31
+ help
+ The maximum SELinux policy version your kernel supports.
+
+ Here's a handy table to help you choose:
+ kernel version SElinux policy max version
+ <= 2.6.x 25
+ > 2.6 <= 3.5 26
+ > 3.5 <= 3.14 28 (27 and 28 were added@the same time)
+ > 3.14 <= 4.3 29
+ > 4.3 <= 4.13 30
+ > 4.13 <= 5.5 31
+
+endif # BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION
+
+endif # BR2_PACKAGE_LIBSEMANAGE
+
comment "libsemanage needs a toolchain w/ threads, dynamic library"
depends on BR2_PACKAGE_AUDIT_ARCH_SUPPORTS
depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_STATIC_LIBS
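Review bot: The help text of `BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION` only restates the prompt and does not tell the user when the option is needed or what happens when it is left disabled, which the commit message explains well. I would replace the single help line with: `Override the maximum SELinux policy version written to semanage.conf. Enable this when the target kernel supports a lower policy version than libsepol, otherwise semodule fails with "policydb version X does not match my version range". When disabled, libsepol's maximum version is used.` In the table of `BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION`, the header should read `SELinux` rather than `SElinux`, and a closing sentence noting that kernels newer than the last row may support a version above the `range 25 31` upper bound would save users a confusing failure when the range is not yet updated.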
diff --git a/package/libsemanage/libsemanage.mk b/package/libsemanage/libsemanage.mk
index fd90346049..1415916b1f 100644
--- a/package/libsemanage/libsemanage.mk
+++ b/package/libsemanage/libsemanage.mk
@@ -13,6 +13,29 @@ LIBSEMANAGE_INSTALL_STAGING = YES
LIBSEMANAGE_MAKE_OPTS = $(TARGET_CONFIGURE_OPTS)
+# Semodule derives the maximum SELinux policy version from libsemanage.
+# By default, libsemanage returns the highest supported policy version that
+# libsepol supports found in include/sepol/policydb/policydb.h and not just
+# from the Kernel. However, if the maximum supported SELinux policy version
+# supported by the Kernel is lower than the maximum supported policy version
+# from libsemanage, if a user attempts to build a policy using the semodule
+# program, semodule fails when creating a policy with the error:
+# policydb version X does not match my version range 15-X.
+
+# This default value may be overwrriten by setting the policy-version = line in
+# /etc/semanage/semanage.conf.
+LIBSEMANAGE_MAX_POLICY_VERSION = 31
+ifeq ($(BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION),y)
+LIBSEMANAGE_MAX_POLICY_VERSION = $(BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION)
+endif
+
+define LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY
+ $(SED) "/policy-version = /c\policy-version = $(LIBSEMANAGE_MAX_POLICY_VERSION)" \
+ $(TARGET_DIR)/etc/selinux/semanage.conf
+endef
+LIBSEMANAGE_POST_INSTALL_TARGET_HOOKS += LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY
+HOST_LIBSEMANAGE_POST_INSTALL_HOOKS += LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY
+
define LIBSEMANAGE_BUILD_CMDS
$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) $(LIBSEMANAGE_MAKE_OPTS) all
endef
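Review bot: `HOST_LIBSEMANAGE_POST_INSTALL_HOOKS` registers the same `LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY` define as the target hook, but that define edits `$(TARGET_DIR)/etc/selinux/semanage.conf`, so the host install never adjusts the host copy of semanage.conf and, if host-libsemanage is installed before the target package, the sed runs against a file that may not exist yet. A separate host define pointing at the host install location (presumably `$(HOST_DIR)/etc/selinux/semanage.conf` — please confirm against the host install target) is needed, as sketched below. Two smaller points in the same hunk: the hooks run even when `BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION` is unset, pinning a hard-coded 31 into a file that would otherwise follow libsepol's maximum automatically, so registering the hooks inside the `ifeq` would avoid a value that has to be bumped on every libsepol upgrade; and the comment says the setting lives in `/etc/semanage/semanage.conf` while the sed edits `/etc/selinux/semanage.conf`, and as far as I know the latter is where libsemanage installs it, so the comment should be corrected. Finally, sed's `c\` silently does nothing when no line matches `policy-version = `, leaving libsepol's default in place with no build error; a trailing `grep -q '^policy-version = ' "$@file"` style check after the sed would surface that.
```make
define LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY
	$(SED) "/policy-version = /c\policy-version = $(LIBSEMANAGE_MAX_POLICY_VERSION)" \
		$(TARGET_DIR)/etc/selinux/semanage.conf
endef

# Host semodule reads the host copy of semanage.conf, not the target one.
define HOST_LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY
	$(SED) "/policy-version = /c\policy-version = $(LIBSEMANAGE_MAX_POLICY_VERSION)" \
		$(HOST_DIR)/etc/selinux/semanage.conf
endef

# Only pin the version when the user asked for it; otherwise libsepol's
# maximum applies and nothing needs to be rewritten.
ifeq ($(BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION),y)
LIBSEMANAGE_POST_INSTALL_TARGET_HOOKS += LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY
HOST_LIBSEMANAGE_POST_INSTALL_HOOKS += HOST_LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY
endif
```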
--
2.23.0