* [Buildroot] [PATCH 0/2] package/libsemanage: set policy versions explicitly.
@ 2019-12-15 1:15 aduskett at gmail.com
2019-12-15 1:15 ` [Buildroot] [PATCH 1/2] package/libsemanage: add option to manually define policy version aduskett at gmail.com
2019-12-15 1:15 ` [Buildroot] [PATCH 2/2] package/libsemanage: allow the user to specify a kernel version aduskett at gmail.com
0 siblings, 2 replies; 8+ messages in thread
From: aduskett at gmail.com @ 2019-12-15 1:15 UTC (permalink / raw)
To: buildroot
From: Adam Duskett <Aduskett@gmail.com>
When updating the libselinux patch series to 3.0, I ran into an issue:
When running semodule, I received the error:
policydb version 32 does not match my version range 15-31.
After many many hours of digging, I found answers in the code:
- The kernel I was building supported policies up to version 31.
- Libselinux 3.0 supports policies up to version 32.
Here's how it works in my case:
semodule -> libsemanage -> libsepol -> include/sepol/policydb/policydb.h
#define POLICYDB_VERSION_MAX POLICYDB_VERSION_GLBLUB (This is 32)
semodule -> libsemanage -> libsepol -> security/selinux/include/security.h
#define POLICYDB_VERSION_MAX POLICYDB_VERSION_INFINIBAND (This is 31)
These two patches attempt to fix the issue in a clean way that's easy on the
user:
The first patch adds two simple configuration options:
- BR2_PACKAGE_SELINUX_POLICY_MANUAL_VERSION (A bool)
- BR2_PACKAGE_SELINUX_POLICY_MAX_VERSION (A int with a range of 25 - 31)
This patch allows a user to specify the maximum policy value manually, however,
there are five disadvantages to this manual option:
1) It doesn't guarantee that the above won't happen.
2) It is set to 25 by default, which is incredibly old and isn't as secure as
the newer supported policies.
3) It's manual, and a user has to know what to select.
4) I can do better.
5) I want to do better. ;)
The second patch attempts to fix the above IF a user specifies a kernel version
in the config. (As they should!)
The patch attempts to do the following:
- Call out to a new script: package/libsemanage/get-kernel-max-policy-version.sh
which does the following:
- Cut up the BR2_PACKAGE_LIBSEMANAGE_KERNEL_VERSION variable into two
separate variables:
- LIBSEMANAGE_LINUX_VERSION_MAJOR
- LIBSEMANAGE_LINUX_VERSION_MINOR
i.e. 4.2.1 becomes 4 and 2.
(Lucky for me, a policy version support bump has NEVER happened on a
subversion release, only on point releases.)
- Go through a bunch of if statements.
- Echo out the maximum policy version back to the .mk file.
Note: Thomas recommended putting the following in a patch to make it
easier to read and maintain, and I agree.
- If a user has not manually selected a policy, stop here. We have a
guaranteed maximum policy that's guaranteed to work with the specified
kernel! Hooray! Better security for everybody!
- If a user has opted to set the policy version manually, we can now test to
ensure he didn't set the policy greater than the policy supported in the
specified kernel:
- If the manually selected policy is lower, print a warning.
- If the manually selected policy is greater, throw an error.
- If a user does not specify a kernel version then we just keep whatever
policy version they wanted in the first place and they can deal with
consequences if things break.
- If nothing is specified the maximum policy version is built and the user
can deal with the consequences if things break.
This patch does have a big drawback:
- There is no logic to derive the policy from a kernel that is already being
built, however this would be quite nice. However this is a good compromise
I believe.
This patch makes building policies much easier in Buildroot, and in the future
will help when I am ready to introduce another big patch set:
Refpolicy: Going modular.
I am now slightly more insane than I was before all of this, but probably for
the better!
Thanks for reading!
Adam
Adam Duskett (2):
package/libsemanage: add option to manually define policy version
package/libsemanage: check against the Kernel for max policy version
package/libsemanage/Config.in | 30 +++++++++
.../get-kernel-max-policy-version.sh | 65 +++++++++++++++++++
package/libsemanage/libsemanage.mk | 64 ++++++++++++++++++
3 files changed, 159 insertions(+)
create mode 100755 package/libsemanage/get-kernel-max-policy-version.sh
--
2.23.0
^ permalink raw reply [flat|nested] 8+ messages in thread
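The cover letter above describes a kernel-version to policydb-version lookup, a check of a manually chosen version against the kernel's maximum, and a sed edit of semanage.conf. The script below is an added example written for this thread; it is not code from the patch series or from Buildroot. It implements the same three steps as plain POSIX sh, with the edge cases the description glosses over handled explicitly: a leading "v", an "-rc1" suffix, a bare "5", unparsable input (which fails loudly instead of yielding the default), the 5.0 boundary, and a semanage.conf that carries the key commented out or not at all. The thresholds (3.0, 3.5, 3.14, 4.3, 4.13) are taken from the comparisons in the patch's script and are assumed here, not re-verified against each kernel release; the function names, the "lt/eq/gt" result strings and the conf handling are this example's own.

```shell
#!/bin/sh
# Added example (not the Buildroot patch): kernel version -> highest SELinux
# policydb version, plus the manual-version check and a semanage.conf update.
# Thresholds are an assumption taken from the patch's comparisons.

# Print the highest policydb version for a kernel version "X.Y[.Z]".
# Accepts a leading "v" and a trailing suffix such as "-rc1" or "+".
# Prints nothing and returns 1 on input it cannot parse, so a caller
# never receives the default by accident.
kernel_max_policydb_version() {
    ver=${1#v}                    # "v5.4"    -> "5.4"
    ver=${ver%%[!0-9.]*}          # "5.4-rc1" -> "5.4"
    major=${ver%%.*}
    rest=${ver#*.}
    if [ "$rest" = "$ver" ]; then minor=0; else minor=${rest%%.*}; fi   # "5" -> 5.0
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac

    if [ "$major" -lt 2 ]; then
        return 1                                # older than the table covers
    elif [ "$major" -eq 2 ]; then
        echo 25                                 # 2.6.x
    elif [ "$major" -eq 3 ]; then
        if [ "$minor" -lt 5 ]; then echo 26     # 3.0 - 3.4
        elif [ "$minor" -lt 14 ]; then echo 28  # 3.5 - 3.13
        else echo 29; fi                        # 3.14 and later 3.x
    elif [ "$major" -eq 4 ]; then
        if [ "$minor" -lt 3 ]; then echo 29     # 4.0 - 4.2
        elif [ "$minor" -lt 13 ]; then echo 30  # 4.3 - 4.12
        else echo 31; fi                        # 4.13 and later 4.x
    else
        echo 31                                 # 5.x, as far as the patch's table goes
    fi
}

# Compare a manually chosen policy version with the kernel's maximum.
# Prints "lt", "eq" or "gt"; returns 1 if either input is unusable.
policy_version_check() {
    kmax=$(kernel_max_policydb_version "$1") || return 1
    want=$2
    case "$want" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$want" -lt "$kmax" ]; then echo lt
    elif [ "$want" -gt "$kmax" ]; then echo gt
    else echo eq; fi
}

# Set "policy-version = N" in a semanage.conf. Replaces a live or
# commented-out key and appends the key when the file has none, so a
# non-matching sed pattern can never silently leave libsepol's default.
set_semanage_policy_version() {
    conf=$1; ver=$2
    case "$ver" in ''|*[!0-9]*) return 1 ;; esac
    tmp=$(mktemp) || return 1
    if grep -q '^#*[[:space:]]*policy-version[[:space:]]*=' "$conf"; then
        sed "s/^#*[[:space:]]*policy-version[[:space:]]*=.*/policy-version = $ver/" "$conf" > "$tmp"
    else
        cat "$conf" > "$tmp" && printf 'policy-version = %s\n' "$ver" >> "$tmp"
    fi && mv "$tmp" "$conf"
}

# Direct use: ./policyver.sh KERNEL_VERSION [CHOSEN_POLICY_VERSION]
if [ $# -ge 2 ]; then
    policy_version_check "$1" "$2" || { echo "unusable input: $1 $2" >&2; exit 2; }
elif [ $# -eq 1 ]; then
    kernel_max_policydb_version "$1" || { echo "unusable kernel version: $1" >&2; exit 2; }
fi
```

The ranges are written as one if/elif chain with inclusive lower bounds, so the code and its comments describe the same boundaries and nothing depends on a later block overriding an earlier one. A makefile that calls this can treat empty output or a non-zero exit as a configuration error rather than writing "policy-version = " into the target's semanage.conf.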
* [Buildroot] [PATCH 1/2] package/libsemanage: add option to manually define policy version
2019-12-15 1:15 [Buildroot] [PATCH 0/2] package/libsemanage: set policy versions explicitly aduskett at gmail.com
@ 2019-12-15 1:15 ` aduskett at gmail.com
2019-12-15 11:50 ` Thomas Petazzoni
2019-12-15 1:15 ` [Buildroot] [PATCH 2/2] package/libsemanage: allow the user to specify a kernel version aduskett at gmail.com
1 sibling, 1 reply; 8+ messages in thread
From: aduskett at gmail.com @ 2019-12-15 1:15 UTC (permalink / raw)
To: buildroot
From: Adam Duskett <Aduskett@gmail.com>
The semodule package derives the maximum SELinux policy version from
the libsemanage library.
By default, libsemanage returns the highest supported policy version that
libsepol supports found in include/sepol/policydb/policydb.h and not from the
Kernel. However, if the maximum SELinux policy version supported by the Kernel
is lower than the maximum policy version from libsemanage and a user attempts
to build a policy using the semodule program, semodule fails when creating a
policy with the error:
policydb version X does not match my version range 15-X.
This default value may be overwritten by setting the policy-version = line in
/etc/semanage/semanage.conf.
Create an option that allows a user to overwrite the default policy version to
ensure that semodule works on older kernels.
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
---
package/libsemanage/Config.in | 29 +++++++++++++++++++++++++++++
package/libsemanage/libsemanage.mk | 23 +++++++++++++++++++++++
2 files changed, 52 insertions(+)
diff --git a/package/libsemanage/Config.in b/package/libsemanage/Config.in
index 3c7050ee51..814bf293d7 100644
--- a/package/libsemanage/Config.in
+++ b/package/libsemanage/Config.in
@@ -17,6 +17,35 @@ config BR2_PACKAGE_LIBSEMANAGE
http://selinuxproject.org/page/Main_Page
+if BR2_PACKAGE_LIBSEMANAGE
+
+config BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION
+ bool "Manually specify the policy version"
+ help
+ Manually specify the policy version to build.
+
+if BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION
+
+config BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION
+ int "maximum policy version"
+ default 25
+ range 25 31
+ help
+ The maximum SELinux policy version your kernel supports.
+
+ Here's a handy table to help you choose:
+ kernel version SElinux policy max version
+ <= 2.6.x 25
+ > 2.6 <= 3.5 26
+ > 3.5 <= 3.14 28 (27 and 28 were added@the same time)
+ > 3.14 <= 4.3 29
+ > 4.3 <= 4.13 30
+ > 4.13 <= 5.5 31
+
+endif # BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION
+
+endif # BR2_PACKAGE_LIBSEMANAGE
+
comment "libsemanage needs a toolchain w/ threads, dynamic library"
depends on BR2_PACKAGE_AUDIT_ARCH_SUPPORTS
depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_STATIC_LIBS
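Review bot: the boundaries in the help table cannot be acted on as written: "> 2.6 <= 3.5" gives 26 and "> 3.5 <= 3.14" gives 28, so a reader with a 3.5 kernel cannot tell which row applies, and the same ambiguity repeats at 3.14, 4.3 and 4.13. State each row with an inclusive lower bound (for example "3.0 - 3.4: 26", "3.5 - 3.13: 28") so the table corresponds to a single comparison. Separately, `default 25` means anyone who enables the manual option and accepts the default gets the oldest format the range allows, which cannot carry features introduced in later policy formats; either the help text should say so or the default should be the newest value.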
diff --git a/package/libsemanage/libsemanage.mk b/package/libsemanage/libsemanage.mk
index fd90346049..1415916b1f 100644
--- a/package/libsemanage/libsemanage.mk
+++ b/package/libsemanage/libsemanage.mk
@@ -13,6 +13,29 @@ LIBSEMANAGE_INSTALL_STAGING = YES
LIBSEMANAGE_MAKE_OPTS = $(TARGET_CONFIGURE_OPTS)
+# Semodule derives the maximum SELinux policy version from libsemanage.
+# By default, libsemanage returns the highest supported policy version that
+# libsepol supports found in include/sepol/policydb/policydb.h and not just
+# from the Kernel. However, if the maximum supported SELinux policy version
+# supported by the Kernel is lower than the maximum supported policy version
+# from libsemanage, if a user attempts to build a policy using the semodule
+# program, semodule fails when creating a policy with the error:
+# policydb version X does not match my version range 15-X.
+
+# This default value may be overwrriten by setting the policy-version = line in
+# /etc/semanage/semanage.conf.
+LIBSEMANAGE_MAX_POLICY_VERSION = 31
+ifeq ($(BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION),y)
+LIBSEMANAGE_MAX_POLICY_VERSION = $(BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION)
+endif
+
+define LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY
+ $(SED) "/policy-version = /c\policy-version = $(LIBSEMANAGE_MAX_POLICY_VERSION)" \
+ $(TARGET_DIR)/etc/selinux/semanage.conf
+endef
+LIBSEMANAGE_POST_INSTALL_TARGET_HOOKS += LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY
+HOST_LIBSEMANAGE_POST_INSTALL_HOOKS += LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY
+
define LIBSEMANAGE_BUILD_CMDS
$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) $(LIBSEMANAGE_MAKE_OPTS) all
endef
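Review bot: the comment above LIBSEMANAGE_MAX_POLICY_VERSION names /etc/semanage/semanage.conf but the sed edits $(TARGET_DIR)/etc/selinux/semanage.conf; use the path libsemanage actually installs in both places. The `c\` command also only acts when a line containing "policy-version = " already exists: if the installed file carries the key in another spelling (for instance commented out without the spaces) nothing is replaced, no error is raised and the target keeps libsepol's default, which is exactly the 32-versus-31 mismatch this patch is meant to prevent. Append the line when no match occurred, or fail the build if the file lacks it. Finally, registering the same hook in HOST_LIBSEMANAGE_POST_INSTALL_HOOKS makes the host package write into $(TARGET_DIR); the host install should not touch the target rootfs.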
--
2.23.0
* [Buildroot] [PATCH 2/2] package/libsemanage: allow the user to specify a kernel version
2019-12-15 1:15 [Buildroot] [PATCH 0/2] package/libsemanage: set policy versions explicitly aduskett at gmail.com
2019-12-15 1:15 ` [Buildroot] [PATCH 1/2] package/libsemanage: add option to manually define policy version aduskett at gmail.com
@ 2019-12-15 1:15 ` aduskett at gmail.com
2019-12-15 12:10 ` Thomas Petazzoni
1 sibling, 1 reply; 8+ messages in thread
From: aduskett at gmail.com @ 2019-12-15 1:15 UTC (permalink / raw)
To: buildroot
From: Adam Duskett <Aduskett@gmail.com>
If a user specifies the kernel version being built, then libsemanage can
derive the maximum policy from the chosen Kernel.
This change gives three main benefits:
1) A user no longer has to select a policy version manually.
2) A user is guaranteed the maximum supported version automatically.
3) If a user has manually selected a policy version that version may now be
checked against the maximum version allowed by the Kernel.
- If the manually selected policy is lower, print a warning.
- If the manually selected policy is greater, throw an error.
The logic to determine the maximum policy is in
package/libsemanage/get-kernel-max-policy-version.sh as it is much easier to
understand and maintain than to have the logic in libsemanage.mk itself.
Signed-off-by: Adam Duskett <Aduskett@gmail.com>
---
package/libsemanage/Config.in | 7 +-
.../get-kernel-max-policy-version.sh | 82 +++++++++++++++++++
package/libsemanage/libsemanage.mk | 42 ++++++++++
3 files changed, 130 insertions(+), 1 deletion(-)
create mode 100755 package/libsemanage/get-kernel-max-policy-version.sh
diff --git a/package/libsemanage/Config.in b/package/libsemanage/Config.in
index 814bf293d7..6c3e269579 100644
--- a/package/libsemanage/Config.in
+++ b/package/libsemanage/Config.in
@@ -44,7 +44,12 @@ config BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION
endif # BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION
-endif # BR2_PACKAGE_LIBSEMANAGE
+config BR2_PACKAGE_LIBSEMANAGE_KERNEL_VERSION
+ string "Kernel version being built"
+ help
+ The version of the kernel being built. This version must be in
+ the standard X.X format (IE: 4.0 or 5.2.1)
+endif
comment "libsemanage needs a toolchain w/ threads, dynamic library"
depends on BR2_PACKAGE_AUDIT_ARCH_SUPPORTS
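Review bot: BR2_PACKAGE_LIBSEMANAGE_KERNEL_VERSION is a free-form string with no validation, and the help text's "standard X.X format (IE: 4.0 or 5.2.1)" describes two different shapes. Values users commonly paste, such as "v5.4" or "5.4-rc1", produce a non-numeric major or minor field once split on ".", and the script this option feeds compares those fields with -eq/-lt, so the outcome is a test error rather than a clear configuration failure. Document the accepted form as "major.minor[.patch]" and reject anything else, or, since the option exists only to learn the kernel version, derive it from the kernel Buildroot builds when BR2_LINUX_KERNEL=y and hide the option in that case. The replaced `endif # BR2_PACKAGE_LIBSEMANAGE` also loses its comment; keep it so the nesting stays readable.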
diff --git a/package/libsemanage/get-kernel-max-policy-version.sh b/package/libsemanage/get-kernel-max-policy-version.sh
new file mode 100755
index 0000000000..015e2bf16d
--- /dev/null
+++ b/package/libsemanage/get-kernel-max-policy-version.sh
@@ -0,0 +1,82 @@
+#!/bin/sh
+# The following logic is used to determine the maximum policy value and is
+# derived from the selected kernel version.
+# The following kernel versions support the following maximum policy number
+# found in security/selinux/include/security.h:
+# <= 2.6: 25
+# > 2.6 <= 3.5: 26
+# > 3.5 <= 3.14: 28 (27 and 28 were added@the same time.)
+# > 3.14 <= 4.3: 29
+# > 4.3 <= 4.13: 30
+# > 4.13 <= 5.5: 31
+
+function get_max_kernel_policy_version(){
+ LIBSEMANAGE_LINUX_VERSION="${1}"
+ # Only the major and minor versions are needed. Sub minor version bumps do not
+ # receive SELinux policy version bump updates.
+ LIBSEMANAGE_LINUX_VERSION_MAJOR=$(echo ${LIBSEMANAGE_LINUX_VERSION} | cut -d"." -f1)
+ LIBSEMANAGE_LINUX_VERSION_MINOR=$(echo ${LIBSEMANAGE_LINUX_VERSION} | cut -d"." -f2)
+ # Default maximum policy version
+ MAX_POLICY_VERSION="31"
+ # <= 2.6.x
+ if [ ${LIBSEMANAGE_LINUX_VERSION_MAJOR} -eq 2 ]; then
+ MAX_POLICY_VERSION="25"
+ fi
+
+ # > 2.6 <= 3.5
+ if [ ${LIBSEMANAGE_LINUX_VERSION_MAJOR} -eq 3 -a ${LIBSEMANAGE_LINUX_VERSION_MINOR} -le 4 ]; then
+ MAX_POLICY_VERSION="26"
+ fi
+
+ # > 3.5 <= 3.14
+ if [ ${LIBSEMANAGE_LINUX_VERSION_MAJOR} -eq 3 -a ${LIBSEMANAGE_LINUX_VERSION_MINOR} -lt 14 ]; then
+ MAX_POLICY_VERSION="28"
+ fi
+
+ # > 3.14
+ if [ ${LIBSEMANAGE_LINUX_VERSION_MAJOR} -eq 3 -a ${LIBSEMANAGE_LINUX_VERSION_MINOR} -ge 14 ]; then
+ MAX_POLICY_VERSION="29"
+ fi
+
+ # > 4.0 < 4.3
+ if [ ${LIBSEMANAGE_LINUX_VERSION_MAJOR} -eq 4 -a ${LIBSEMANAGE_LINUX_VERSION_MINOR} -lt 3 ]; then
+ MAX_POLICY_VERSION="29"
+ fi
+
+ # > 4.3
+ if [ ${LIBSEMANAGE_LINUX_VERSION_MAJOR} -eq 4 -a ${LIBSEMANAGE_LINUX_VERSION_MINOR} -ge 3 ]; then
+ MAX_POLICY_VERSION="30"
+ fi
+
+ # > 4.13
+ if [ ${LIBSEMANAGE_LINUX_VERSION_MAJOR} -eq 4 -a ${LIBSEMANAGE_LINUX_VERSION_MINOR} -ge 13 ]; then
+ MAX_POLICY_VERSION="31"
+ fi
+
+ # > 5.0 <= 5.5
+ if [ ${LIBSEMANAGE_LINUX_VERSION_MAJOR} -eq 5 -a ${LIBSEMANAGE_LINUX_VERSION_MINOR} -lt 5 ]; then
+ MAX_POLICY_VERSION="31"
+ fi
+
+ echo ${MAX_POLICY_VERSION}
+}
+
+function policy_version_check(){
+ KERNEL_MAX_SELINUX_POLICY_VERSION="${1}"
+ SEPOLICY_MAX_VERSION="${2}"
+ if [ ${SEPOLICY_MAX_VERSION} -lt ${KERNEL_MAX_SELINUX_POLICY_VERSION} ]; then
+ echo lt
+ fi
+
+ if [ ${SEPOLICY_MAX_VERSION} -gt ${KERNEL_MAX_SELINUX_POLICY_VERSION} ]; then
+ echo gt
+ fi
+}
+
+if [[ "${1}" == "get_max_kernel_policy_version" ]]; then
+ get_max_kernel_policy_version "${2}"
+fi
+
+if [[ "${1}" == "policy_version_check" ]]; then
+ policy_version_check "${2}" "${3}"
+fi
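Review bot: the script declares #!/bin/sh but uses the bash-only `function` keyword and `[[ ... ]]`, so with a dash /bin/sh it fails at parse time and the makefile's $(shell ...) receives an empty string. Either change the shebang to /bin/bash or use `name() { ... }` and `[ ... ]`. Beyond that, the header comment and the comparisons disagree: the comment gives 26 for versions up to 3.5 while the code uses `-le 4`, "> 3.14" is implemented as `-ge 14`, and 5.0 and anything above 5.5 only get 31 because they fall through to the default rather than by any rule. Since the `if` blocks run in sequence with later ones overriding earlier ones, a single if/elif chain or `case` with inclusive lower bounds would remove the overlap and make the table and the code say the same thing. Finally, an unknown first argument or a non-numeric version prints nothing and exits 0; return a non-zero status in those cases so the makefile can tell a failed lookup from a real value.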
diff --git a/package/libsemanage/libsemanage.mk b/package/libsemanage/libsemanage.mk
index d260e449eb..57c58a5570 100644
--- a/package/libsemanage/libsemanage.mk
+++ b/package/libsemanage/libsemanage.mk
@@ -25,14 +25,56 @@ LIBSEMANAGE_MAKE_OPTS = $(TARGET_CONFIGURE_OPTS)
# This default value may be overwrriten by setting the policy-version = line in
# /etc/semanage/semanage.conf.
LIBSEMANAGE_MAX_POLICY_VERSION = 31
+
+# If a kernel version is specified, get the maximum supported policy version
+# of that kernel.
+LIBSEMANAGE_KERNEL_VERSION = $(call qstrip,$(BR2_PACKAGE_LIBSEMANAGE_KERNEL_VERSION))
+ifneq ($(LIBSEMANAGE_KERNEL_VERSION),)
+LIBSEMANAGE_MAX_KERNEL_POLICY_VERSION := \
+ $(shell package/libsemanage/get-kernel-max-policy-version.sh \
+ "get_max_kernel_policy_version" \
+ $(BR2_PACKAGE_LIBSEMANAGE_KERNEL_VERSION))
+LIBSEMANAGE_MAX_POLICY_VERSION = $(LIBSEMANAGE_MAX_KERNEL_POLICY_VERSION)
+endif
+
ifeq ($(BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION),y)
LIBSEMANAGE_MAX_POLICY_VERSION = $(BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION)
+
+# If a kernel version is specified, check if the policy version set by the user
+# is lower or greater than the maximum supported policy version in the kernel.
+# If the policy is lower, display a warning.
+# If the policy is greater, throw an error.
+ifneq ($(LIBSEMANAGE_KERNEL_VERSION),)
+LIBSEMANAGE_MANUAL_POLICY_VERSION_CHECK := \
+ $(shell package/libsemanage/get-kernel-max-policy-version.sh \
+ "policy_version_check" \
+ $(LIBSEMANAGE_MAX_KERNEL_POLICY_VERSION) \
+ $(BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION))
+
+ifeq ($(LIBSEMANAGE_MANUAL_POLICY_VERSION_CHECK),lt)
+$(warning \
+ The policy version set for libsemanage $(BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION) \
+ is lower than the maximum policy version supported by the kernel being built: \
+ $(LIBSEMANAGE_MAX_KERNEL_POLICY_VERSION). It is HIGHLY recommended that you set the \
+ policy version to $(LIBSEMANAGE_MAX_KERNEL_POLICY_VERSION)! \
+ )
+endif
+
+ifeq ($(LIBSEMANAGE_MANUAL_POLICY_VERSION_CHECK),gt)
+$(error \
+ The policy version set for libsemanage $(BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION) \
+ is higher than the maximum policy version supported by the kernel being built: \
+ $(LIBSEMANAGE_MAX_KERNEL_POLICY_VERSION). \
+ )
endif
+endif # ifeq ($(LIBSEMANAGE_KERNEL_VERSION),y)
+endif # ($(BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION),y)
define LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY
$(SED) "/policy-version = /c\policy-version = $(LIBSEMANAGE_MAX_POLICY_VERSION)" \
$(TARGET_DIR)/etc/selinux/semanage.conf
endef
+
LIBSEMANAGE_POST_INSTALL_TARGET_HOOKS += LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY
HOST_LIBSEMANAGE_POST_INSTALL_HOOKS += LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY
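Review bot: the $(shell ...) call at the top of the hunk passes the raw $(BR2_PACKAGE_LIBSEMANAGE_KERNEL_VERSION), kconfig quotes included, instead of the qstrip'd LIBSEMANAGE_KERNEL_VERSION defined two lines earlier; it only works because the shell strips the quotes again, so use the stripped variable for both the emptiness test and the argument. Nothing checks the script's output either: if it prints nothing, LIBSEMANAGE_MAX_POLICY_VERSION becomes empty and LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY writes "policy-version = " into semanage.conf; add an `ifeq ($(LIBSEMANAGE_MAX_KERNEL_POLICY_VERSION),)` with $(error ...) after the lookup. The closing comment `endif # ifeq ($(LIBSEMANAGE_KERNEL_VERSION),y)` does not describe the condition it closes, which is `ifneq (...,)`. Also note that because these are top-level `:=` assignments, the $(warning) and $(error) are evaluated each time the makefiles are parsed, so the warning will be printed on every make invocation rather than once at libsemanage build time.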
--
2.23.0
* [Buildroot] [PATCH 1/2] package/libsemanage: add option to manually define policy version
2019-12-15 1:15 ` [Buildroot] [PATCH 1/2] package/libsemanage: add option to manually define policy version aduskett at gmail.com
@ 2019-12-15 11:50 ` Thomas Petazzoni
2019-12-15 17:36 ` Adam Duskett
0 siblings, 1 reply; 8+ messages in thread
From: Thomas Petazzoni @ 2019-12-15 11:50 UTC (permalink / raw)
To: buildroot
Hello Adam,
Thanks for this patch. With the explanations of the commit log and the
cover letter, I understand a bit better what's going on.
On Sat, 14 Dec 2019 17:15:16 -0800
aduskett at gmail.com wrote:
> +if BR2_PACKAGE_LIBSEMANAGE
> +
> +config BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION
> + bool "Manually specify the policy version"
> + help
> + Manually specify the policy version to build.
Do we really need this boolean ? Why not always have the option BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION ?
> +if BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION
> +
> +config BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION
> + int "maximum policy version"
> + default 25
> + range 25 31
> + help
> + The maximum SELinux policy version your kernel supports.
> +
> + Here's a handy table to help you choose:
> + kernel version SElinux policy max version
> + <= 2.6.x 25
> + > 2.6 <= 3.5 26
> + > 3.5 <= 3.14 28 (27 and 28 were added@the same time)
> + > 3.14 <= 4.3 29
> + > 4.3 <= 4.13 30
> + > 4.13 <= 5.5 31
I think on top of PATCH 1/2, another patch could be added to make
things a little bit smarter in terms of defaults:
default 31 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_13
default 30 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_3
default 29 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_14
default 28 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_5
default 26 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_2_6
default 25
This would at least allow the default value to be a bit more sensible
than just using "25", which is ancient.
> +# This default value may be overwrriten by setting the policy-version = line in
> +# /etc/semanage/semanage.conf.
> +LIBSEMANAGE_MAX_POLICY_VERSION = 31
Here, what you're basically doing is assuming that if
BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION is not enabled, we
default to "31". But "31" may be wrong. That's why I suggest to drop BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION and always have a BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION option.
> +ifeq ($(BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION),y)
> +LIBSEMANAGE_MAX_POLICY_VERSION = $(BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION)
> +endif
> +
> +define LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY
> + $(SED) "/policy-version = /c\policy-version = $(LIBSEMANAGE_MAX_POLICY_VERSION)" \
> + $(TARGET_DIR)/etc/selinux/semanage.conf
> +endef
> +LIBSEMANAGE_POST_INSTALL_TARGET_HOOKS += LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY
> +HOST_LIBSEMANAGE_POST_INSTALL_HOOKS += LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY
The host hook is not appropriate: it tweaks a file in $(TARGET_DIR),
which is not good.
Best regards,
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* [Buildroot] [PATCH 2/2] package/libsemanage: allow the user to specify a kernel version
2019-12-15 1:15 ` [Buildroot] [PATCH 2/2] package/libsemanage: allow the user to specify a kernel version aduskett at gmail.com
@ 2019-12-15 12:10 ` Thomas Petazzoni
2019-12-15 17:40 ` Adam Duskett
0 siblings, 1 reply; 8+ messages in thread
From: Thomas Petazzoni @ 2019-12-15 12:10 UTC (permalink / raw)
To: buildroot
Hello,
On Sat, 14 Dec 2019 17:15:17 -0800
aduskett at gmail.com wrote:
> diff --git a/package/libsemanage/Config.in b/package/libsemanage/Config.in
> index 814bf293d7..6c3e269579 100644
> --- a/package/libsemanage/Config.in
> +++ b/package/libsemanage/Config.in
> @@ -44,7 +44,12 @@ config BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION
>
> endif # BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION
>
> -endif # BR2_PACKAGE_LIBSEMANAGE
> +config BR2_PACKAGE_LIBSEMANAGE_KERNEL_VERSION
> + string "Kernel version being built"
> + help
> + The version of the kernel being built. This version must be in
> + the standard X.X format (IE: 4.0 or 5.2.1)
> +endif
I don't understand how this option articulates with the options added
in PATCH 1/2.
In my opinion, this PATCH 2/2 should in fact make the
BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION option added in PATCH 1/2
invisible when BR2_LINUX_KERNEL=y, by adding a:
depends on !BR2_LINUX_KERNEL
and then libsemanage.mk has two possibilities:
(1) BR2_LINUX_KERNEL=y, in which case you add "linux" to
LIBSEMANAGE_DEPENDENCIES and use LINUX_VERSION_PROBED to know the
kernel version
(2) BR2_LINUX_KERNEL is not set, in which case
BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION defines the maximum
policy version, as is done in PATCH 1/2.
Yes it means that when the user is building his kernel manually,
outside of Buildroot, he is on his own to provide the appropriate
maximum SELinux policy version supported. But that's perfectly OK, just
like he is on his own to make sure that his kernel has the right
configuration options to have systemd work, for example.
> +function get_max_kernel_policy_version(){
> + LIBSEMANAGE_LINUX_VERSION="${1}"
> + # Only the major and minor versions are needed. Sub minor version bumps do not
> + # receive SELinux policy version bump updates.
> + LIBSEMANAGE_LINUX_VERSION_MAJOR=$(echo ${LIBSEMANAGE_LINUX_VERSION} | cut -d"." -f1)
> + LIBSEMANAGE_LINUX_VERSION_MINOR=$(echo ${LIBSEMANAGE_LINUX_VERSION} | cut -d"." -f2)
You don't necessarily have to follow the naming convention of Buildroot
makefile variables in this shell script. Actually, it makes it a bit
difficult to read, perhaps just:
major=$(echo ${1} | cut -d. -f1)
minor=$(echo ${1} | cut -d. -f2)
> + # Default maximum policy version
> + MAX_POLICY_VERSION="31"
> + # <= 2.6.x
> + if [ ${LIBSEMANAGE_LINUX_VERSION_MAJOR} -eq 2 ]; then
> + MAX_POLICY_VERSION="25"
> + fi
> +
> + # > 2.6 <= 3.5
Less or equal to 3.5
> + if [ ${LIBSEMANAGE_LINUX_VERSION_MAJOR} -eq 3 -a ${LIBSEMANAGE_LINUX_VERSION_MINOR} -le 4 ]; then
... but less or equal to 3.4
> + MAX_POLICY_VERSION="26"
> + fi
> +
> + # > 3.5 <= 3.14
Less than or equal to 3.14
> + if [ ${LIBSEMANAGE_LINUX_VERSION_MAJOR} -eq 3 -a ${LIBSEMANAGE_LINUX_VERSION_MINOR} -lt 14 ]; then
.. but strictly less than 3.14
> + MAX_POLICY_VERSION="28"
> + fi
> +
> + # > 3.14
Strictly greater than 3.14...
> + if [ ${LIBSEMANAGE_LINUX_VERSION_MAJOR} -eq 3 -a ${LIBSEMANAGE_LINUX_VERSION_MINOR} -ge 14 ]; then
... but greater or equal to 3.14
> + MAX_POLICY_VERSION="29"
> + fi
> +
> + # > 4.0 < 4.3
> + if [ ${LIBSEMANAGE_LINUX_VERSION_MAJOR} -eq 4 -a ${LIBSEMANAGE_LINUX_VERSION_MINOR} -lt 3 ]; then
> + MAX_POLICY_VERSION="29"
> + fi
> +
> + # > 4.3
Strictly greater than 4.3
> + if [ ${LIBSEMANAGE_LINUX_VERSION_MAJOR} -eq 4 -a ${LIBSEMANAGE_LINUX_VERSION_MINOR} -ge 3 ]; then
.. but greater or equal
> + MAX_POLICY_VERSION="30"
> + fi
> +
> + # > 4.13
> + if [ ${LIBSEMANAGE_LINUX_VERSION_MAJOR} -eq 4 -a ${LIBSEMANAGE_LINUX_VERSION_MINOR} -ge 13 ]; then
> + MAX_POLICY_VERSION="31"
> + fi
> +
> + # > 5.0 <= 5.5
I don't see the point of having a max defined to 5.5, just for now
assume that all versions > 5.0 will support policy version 31.
Also, you don't handle the case of 5.0, your condition says that policy
version 31 is supported > 5.0, so only starting from 5.1, but still
your condition below will match 5.0.
> + if [ ${LIBSEMANAGE_LINUX_VERSION_MAJOR} -eq 5 -a ${LIBSEMANAGE_LINUX_VERSION_MINOR} -lt 5 ]; then
> + MAX_POLICY_VERSION="31"
> + fi
This can be rewritten like this:
case 1 in
$((major == 2)))
echo 25;;
$((major == 3 && $minor <= 4)))
echo 26;;
$((major == 3 && $minor <= 14)))
echo 28;;
$((major == 3 && $minor > 14)))
echo 29;;
$((major == 4 && $minor <= 3)))
echo 29;;
$((major == 4 && $minor <= 13)))
echo 30;;
$((major == 4 && $minor > 13)))
echo 31;;
$((major >= 5)))
echo 31;;
esac
a bit more compact isn't it? Of course, you'll have to set the shebang
to /bin/bash.
> diff --git a/package/libsemanage/libsemanage.mk b/package/libsemanage/libsemanage.mk
> index d260e449eb..57c58a5570 100644
> --- a/package/libsemanage/libsemanage.mk
> +++ b/package/libsemanage/libsemanage.mk
> @@ -25,14 +25,56 @@ LIBSEMANAGE_MAKE_OPTS = $(TARGET_CONFIGURE_OPTS)
> # This default value may be overwrriten by setting the policy-version = line in
> # /etc/semanage/semanage.conf.
> LIBSEMANAGE_MAX_POLICY_VERSION = 31
> +
> +# If a kernel version is specified, get the maximum supported policy version
> +# of that kernel.
> +LIBSEMANAGE_KERNEL_VERSION = $(call qstrip,$(BR2_PACKAGE_LIBSEMANAGE_KERNEL_VERSION))
> +ifneq ($(LIBSEMANAGE_KERNEL_VERSION),)
> +LIBSEMANAGE_MAX_KERNEL_POLICY_VERSION := \
> + $(shell package/libsemanage/get-kernel-max-policy-version.sh \
> + "get_max_kernel_policy_version" \
> + $(BR2_PACKAGE_LIBSEMANAGE_KERNEL_VERSION))
> +LIBSEMANAGE_MAX_POLICY_VERSION = $(LIBSEMANAGE_MAX_KERNEL_POLICY_VERSION)
> +endif
> +
> ifeq ($(BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION),y)
> LIBSEMANAGE_MAX_POLICY_VERSION = $(BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION)
> +
> +# If a kernel version is specified, check if the policy version set by the user
> +# is lower or greater than the maximum supported policy version in the kernel.
> +# If the policy is lower, display a warning.
> +# If the policy is greater, throw an error.
> +ifneq ($(LIBSEMANAGE_KERNEL_VERSION),)
> +LIBSEMANAGE_MANUAL_POLICY_VERSION_CHECK := \
> + $(shell package/libsemanage/get-kernel-max-policy-version.sh \
> + "policy_version_check" \
> + $(LIBSEMANAGE_MAX_KERNEL_POLICY_VERSION) \
> + $(BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION))
This is no longer needed: if BR2_LINUX_KERNEL=y, you know what the
kernel version is, and the user should no longer enter a manual version.
> +ifeq ($(LIBSEMANAGE_MANUAL_POLICY_VERSION_CHECK),lt)
> +$(warning \
> + The policy version set for libsemanage $(BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION) \
> + is lower than the maximum policy version supported by the kernel being built: \
> + $(LIBSEMANAGE_MAX_KERNEL_POLICY_VERSION). It is HIGHLY recommended that you set the \
> + policy version to $(LIBSEMANAGE_MAX_KERNEL_POLICY_VERSION)! \
> + )
> +endif
> +
> +ifeq ($(LIBSEMANAGE_MANUAL_POLICY_VERSION_CHECK),gt)
> +$(error \
> + The policy version set for libsemanage $(BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION) \
> + is higher than the maximum policy version supported by the kernel being built: \
> + $(LIBSEMANAGE_MAX_KERNEL_POLICY_VERSION). \
> + )
> endif
> +endif # ifeq ($(LIBSEMANAGE_KERNEL_VERSION),y)
> +endif # ($(BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION),y)
>
> define LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY
> $(SED) "/policy-version = /c\policy-version = $(LIBSEMANAGE_MAX_POLICY_VERSION)" \
> $(TARGET_DIR)/etc/selinux/semanage.conf
> endef
> +
Spurious new line added.
Thanks!
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* [Buildroot] [PATCH 1/2] package/libsemanage: add option to manually define policy version
2019-12-15 11:50 ` Thomas Petazzoni
@ 2019-12-15 17:36 ` Adam Duskett
2019-12-16 9:02 ` Thomas Petazzoni
0 siblings, 1 reply; 8+ messages in thread
From: Adam Duskett @ 2019-12-15 17:36 UTC (permalink / raw)
To: buildroot
On Sun, Dec 15, 2019 at 3:50 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello Adam,
>
> Thanks for this patch. With the explanations of the commit log and the
> cover letter, I understand a bit better what's going on.
>
> On Sat, 14 Dec 2019 17:15:16 -0800
> aduskett at gmail.com wrote:
>
> > +if BR2_PACKAGE_LIBSEMANAGE
> > +
> > +config BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION
> > + bool "Manually specify the policy version"
> > + help
> > + Manually specify the policy version to build.
>
> Do we really need this boolean ? Why not always have the option BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION ?
>
> > +if BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION
> > +
> > +config BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION
> > + int "maximum policy version"
> > + default 25
> > + range 25 31
> > + help
> > + The maximum SELinux policy version your kernel supports.
> > +
> > + Here's a handy table to help you choose:
> > + kernel version SElinux policy max version
> > + <= 2.6.x 25
> > + > 2.6 <= 3.5 26
> > + > 3.5 <= 3.14 28 (27 and 28 were added@the same time)
> > + > 3.14 <= 4.3 29
> > + > 4.3 <= 4.13 30
> > + > 4.13 <= 5.5 31
>
> I think on top of PATCH 1/2, another patch could be added to make
> things a little bit smarter in terms of defaults:
>
> default 31 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_13
> default 30 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_3
> default 29 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_14
> default 28 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_5
> default 26 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_2_6
> default 25
>
I'm not sure I like this, as toolchain header versions can be misleading, but
it's up to you.
> This would at least allow the default value to be a bit more sensible
> than just using "25", which is ancient.
>
> > +# This default value may be overwritten by setting the policy-version = line in
> > +# /etc/semanage/semanage.conf.
> > +LIBSEMANAGE_MAX_POLICY_VERSION = 31
>
> Here, what you're basically doing is assuming that if
> BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION is not enabled, we
> default to "31". But "31" may be wrong. That's why I suggest to drop BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION and always have a BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION option.
>
I made it like this as a fallback. If you want to use the max, then
you don't have to select anything.
Although that could be misleading.
> > +ifeq ($(BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION),y)
> > +LIBSEMANAGE_MAX_POLICY_VERSION = $(BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION)
> > +endif
> > +
> > +define LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY
> > + $(SED) "/policy-version = /c\policy-version = $(LIBSEMANAGE_MAX_POLICY_VERSION)" \
> > + $(TARGET_DIR)/etc/selinux/semanage.conf
> > +endef
> > +LIBSEMANAGE_POST_INSTALL_TARGET_HOOKS += LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY
> > +HOST_LIBSEMANAGE_POST_INSTALL_HOOKS += LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY
>
> The host hook is not appropriate: it tweaks a file in $(TARGET_DIR),
> which is not good.
>
Yeah, my bad.
> Best regards,
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
* [Buildroot] [PATCH 2/2] package/libsemanage: allow the user to specify a kernel version
2019-12-15 12:10 ` Thomas Petazzoni
@ 2019-12-15 17:40 ` Adam Duskett
0 siblings, 0 replies; 8+ messages in thread
From: Adam Duskett @ 2019-12-15 17:40 UTC (permalink / raw)
To: buildroot
Hello;
On Sun, Dec 15, 2019 at 4:10 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello,
>
> On Sat, 14 Dec 2019 17:15:17 -0800
> aduskett at gmail.com wrote:
>
>
> > diff --git a/package/libsemanage/Config.in b/package/libsemanage/Config.in
> > index 814bf293d7..6c3e269579 100644
> > --- a/package/libsemanage/Config.in
> > +++ b/package/libsemanage/Config.in
> > @@ -44,7 +44,12 @@ config BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION
> >
> > endif # BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION
> >
> > -endif # BR2_PACKAGE_LIBSEMANAGE
> > +config BR2_PACKAGE_LIBSEMANAGE_KERNEL_VERSION
> > + string "Kernel version being built"
> > + help
> > + The version of the kernel being built. This version must be in
> > + the standard X.X format (IE: 4.0 or 5.2.1)
> > +endif
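Review bot: the new bare `+endif` drops the `# BR2_PACKAGE_LIBSEMANAGE` marker that the removed `-endif # BR2_PACKAGE_LIBSEMANAGE` line carried, which makes the nesting harder to follow now that the file has three levels of conditionals; keep the comment on the closing line. The help text also contradicts itself: it asks for "the standard X.X format" but gives 5.2.1 (three components) as an example, and "IE" should read "e.g.". Nothing in this hunk validates the string, so the help text is the only guard against a malformed value and should state exactly what is accepted (major.minor, with any further components ignored).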
>
> I don't understand how this option articulates with the options added
> in PATCH 1/2.
>
> In my opinion, this PATCH 2/2 should in fact make the
> BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION option added in PATCH 1/2
> invisible when BR2_LINUX_KERNEL=y, by adding a:
>
> depends on !BR2_LINUX_KERNEL
>
> and then libsemanage.mk has two possibilities:
>
> (1) BR2_LINUX_KERNEL=y, in which case you add "linux" to
> LIBSEMANAGE_DEPENDENCIES and use LINUX_VERSION_PROBED to know the
> kernel version
>
That is not possible. I tried for a few hours and was not able to use
LINUX_VERSION_PROBED, or else I would have.
> (2) BR2_LINUX_KERNEL is not set, in which case
> BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION defines the maximum
> policy version, as is done in PATCH 1/2.
>
> Yes it means that when the user is building his kernel manually,
> outside of Buildroot, he is on his own to provide the appropriate
> maximum SELinux policy version supported. But that's perfectly OK, just
> like he is on his own to make sure that his kernel has the right
> configuration options to have systemd work, for example.
>
I want this to be possible, I want to use LINUX_VERSION_PROBED, but I
was not able to do so.
> > +function get_max_kernel_policy_version(){
> > + LIBSEMANAGE_LINUX_VERSION="${1}"
> > + # Only the major and minor versions are needed. Sub minor version bumps do not
> > + # receive SELinux policy version bump updates.
> > + LIBSEMANAGE_LINUX_VERSION_MAJOR=$(echo ${LIBSEMANAGE_LINUX_VERSION} | cut -d"." -f1)
> > + LIBSEMANAGE_LINUX_VERSION_MINOR=$(echo ${LIBSEMANAGE_LINUX_VERSION} | cut -d"." -f2)
>
> You don't necessarily have to follow the naming convention of Buildroot
> makefile variables in this shell script. Actually, it makes it a bit
> difficult to read, perhaps just:
>
> major=$(echo ${1} | cut -d. -f1)
> minor=$(echo ${1} | cut -d. -f2)
>
Sounds fine to me!
> > + # Default maximum policy version
> > + MAX_POLICY_VERSION="31"
> > + # <= 2.6.x
> > + if [ ${LIBSEMANAGE_LINUX_VERSION_MAJOR} -eq 2 ]; then
> > + MAX_POLICY_VERSION="25"
> > + fi
> > +
> > + # > 2.6 <= 3.5
>
> Less or equal to 3.5
>
> > + if [ ${LIBSEMANAGE_LINUX_VERSION_MAJOR} -eq 3 -a ${LIBSEMANAGE_LINUX_VERSION_MINOR} -le 4 ]; then
>
> ... but less or equal to 3.4
>
> > + MAX_POLICY_VERSION="26"
> > + fi
> > +
> > + # > 3.5 <= 3.14
>
> Less than or equal to 3.14
>
> > + if [ ${LIBSEMANAGE_LINUX_VERSION_MAJOR} -eq 3 -a ${LIBSEMANAGE_LINUX_VERSION_MINOR} -lt 14 ]; then
>
> .. but strictly less than 3.14
>
> > + MAX_POLICY_VERSION="28"
> > + fi
> > +
> > + # > 3.14
>
> Strictly greater than 3.14...
>
> > + if [ ${LIBSEMANAGE_LINUX_VERSION_MAJOR} -eq 3 -a ${LIBSEMANAGE_LINUX_VERSION_MINOR} -ge 14 ]; then
>
> ... but greater or equal to 3.14
>
> > + MAX_POLICY_VERSION="29"
> > + fi
> > +
> > + # > 4.0 < 4.3
> > + if [ ${LIBSEMANAGE_LINUX_VERSION_MAJOR} -eq 4 -a ${LIBSEMANAGE_LINUX_VERSION_MINOR} -lt 3 ]; then
> > + MAX_POLICY_VERSION="29"
> > + fi
> > +
> > + # > 4.3
>
> Strictly greater than 4.3
>
> > + if [ ${LIBSEMANAGE_LINUX_VERSION_MAJOR} -eq 4 -a ${LIBSEMANAGE_LINUX_VERSION_MINOR} -ge 3 ]; then
>
> .. but greater or equal
>
> > + MAX_POLICY_VERSION="30"
> > + fi
> > +
> > + # > 4.13
> > + if [ ${LIBSEMANAGE_LINUX_VERSION_MAJOR} -eq 4 -a ${LIBSEMANAGE_LINUX_VERSION_MINOR} -ge 13 ]; then
> > + MAX_POLICY_VERSION="31"
> > + fi
> > +
> > + # > 5.0 <= 5.5
>
> I don't see the point of having a max defined to 5.5, just for now
> assume that all versions > 5.0 will support policy version 31.
>
> Also, you don't handle the case of 5.0, your condition says that policy
> version 31 is supported > 5.0, so only starting from 5.1, but still
> your condition below will match 5.0.
>
> > + if [ ${LIBSEMANAGE_LINUX_VERSION_MAJOR} -eq 5 -a ${LIBSEMANAGE_LINUX_VERSION_MINOR} -lt 5 ]; then
> > + MAX_POLICY_VERSION="31"
> > + fi
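Review bot: the branches are independent `if` statements rather than one `if`/`elif` chain, so a later test silently overrides an earlier one: a 3.4 kernel matches both `-le 4` (MAX_POLICY_VERSION="26") and `-lt 14` (MAX_POLICY_VERSION="28") and ends up with 28, and 4.13 only yields 31 because the `-ge 13` test happens to be placed after the `-ge 3` one. Make the branches mutually exclusive (elif, or a case statement) so every version matches exactly one rule and the result no longer depends on ordering. The comparisons also use the unquoted, unvalidated `${LIBSEMANAGE_LINUX_VERSION_MAJOR}` and `${LIBSEMANAGE_LINUX_VERSION_MINOR}`, so an empty or non-numeric kernel version string turns into an "integer expression expected" error from `[` instead of a clear diagnostic; check that both fields are digits before comparing.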
>
> This can be rewritten like this:
>
> case 1 in
> $((major == 2)))
> echo 25;;
> $((major == 3 && minor <= 4)))
> echo 26;;
> $((major == 3 && minor < 14)))
> echo 28;;
> $((major == 3 && minor >= 14)))
> echo 29;;
> $((major == 4 && minor < 3)))
> echo 29;;
> $((major == 4 && minor < 13)))
> echo 30;;
> $((major == 4 && minor >= 13)))
> echo 31;;
> $((major >= 5)))
> echo 31;;
> esac
>
> a bit more compact isn't it? Of course, you'll have to set the shebang
> to /bin/bash.
If you are ok with it, that works for me.
>
>
> > diff --git a/package/libsemanage/libsemanage.mk b/package/libsemanage/libsemanage.mk
> > index d260e449eb..57c58a5570 100644
> > --- a/package/libsemanage/libsemanage.mk
> > +++ b/package/libsemanage/libsemanage.mk
> > @@ -25,14 +25,56 @@ LIBSEMANAGE_MAKE_OPTS = $(TARGET_CONFIGURE_OPTS)
> > # This default value may be overwrriten by setting the policy-version = line in
> > # /etc/semanage/semanage.conf.
> > LIBSEMANAGE_MAX_POLICY_VERSION = 31
> > +
> > +# If a kernel version is specified, get the maximum supported policy version
> > +# of that kernel.
> > +LIBSEMANAGE_KERNEL_VERSION = $(call qstrip,$(BR2_PACKAGE_LIBSEMANAGE_KERNEL_VERSION))
> > +ifneq ($(LIBSEMANAGE_KERNEL_VERSION),)
> > +LIBSEMANAGE_MAX_KERNEL_POLICY_VERSION := \
> > + $(shell package/libsemanage/get-kernel-max-policy-version.sh \
> > + "get_max_kernel_policy_version" \
> > + $(BR2_PACKAGE_LIBSEMANAGE_KERNEL_VERSION))
> > +LIBSEMANAGE_MAX_POLICY_VERSION = $(LIBSEMANAGE_MAX_KERNEL_POLICY_VERSION)
> > +endif
> > +
> > ifeq ($(BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION),y)
> > LIBSEMANAGE_MAX_POLICY_VERSION = $(BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION)
> > +
> > +# If a kernel version is specified, check if the policy version set by the user
> > +# is lower or greater than the maximum supported policy version in the kernel.
> > +# If the policy is lower, display a warning.
> > +# If the policy is greater, throw an error.
> > +ifneq ($(LIBSEMANAGE_KERNEL_VERSION),)
> > +LIBSEMANAGE_MANUAL_POLICY_VERSION_CHECK := \
> > + $(shell package/libsemanage/get-kernel-max-policy-version.sh \
> > + "policy_version_check" \
> > + $(LIBSEMANAGE_MAX_KERNEL_POLICY_VERSION) \
> > + $(BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION))
>
> This is no longer needed: if BR2_LINUX_KERNEL=y, you know what the
> kernel version is, and the user should no longer enter a manual version.
Again, I couldn't find a way to use LINUX_VERSION_PROBED.
>
> > +ifeq ($(LIBSEMANAGE_MANUAL_POLICY_VERSION_CHECK),lt)
> > +$(warning \
> > + The policy version set for libsemanage $(BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION) \
> > + is lower than the maximum policy version supported by the kernel being built: \
> > + $(LIBSEMANAGE_MAX_KERNEL_POLICY_VERSION). It is HIGHLY recommended that you set the \
> > + policy version to $(LIBSEMANAGE_MAX_KERNEL_POLICY_VERSION)! \
> > + )
> > +endif
> > +
> > +ifeq ($(LIBSEMANAGE_MANUAL_POLICY_VERSION_CHECK),gt)
> > +$(error \
> > + The policy version set for libsemanage $(BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION) \
> > + is higher than the maximum policy version supported by the kernel being built: \
> > + $(LIBSEMANAGE_MAX_KERNEL_POLICY_VERSION). \
> > + )
> > endif
> > +endif # ifeq ($(LIBSEMANAGE_KERNEL_VERSION),y)
> > +endif # ($(BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION),y)
> >
> > define LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY
> > $(SED) "/policy-version = /c\policy-version = $(LIBSEMANAGE_MAX_POLICY_VERSION)" \
> > $(TARGET_DIR)/etc/selinux/semanage.conf
> > endef
> > +
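Review bot: the comment on `+endif # ifeq ($(LIBSEMANAGE_KERNEL_VERSION),y)` does not describe the conditional it closes, which is `ifneq ($(LIBSEMANAGE_KERNEL_VERSION),)`; a wrong endif comment is worse than none, so either match it to the real condition or drop it. The `$(shell ...)` call that sets `LIBSEMANAGE_MAX_KERNEL_POLICY_VERSION` passes `$(BR2_PACKAGE_LIBSEMANAGE_KERNEL_VERSION)` to the script although the qstrip'd `LIBSEMANAGE_KERNEL_VERSION` is defined two lines above for exactly that purpose; pass the stripped variable so the script never depends on the shell removing the Kconfig quotes. While this block is being reworked, the "overwrriten" typo in the context comment could be fixed in a small preparatory patch.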
>
> Spurious new line added.
>
> Thanks!
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
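The kernel-version to policy-version mapping the two messages above argue about, written here as an added example and not as Buildroot's `package/libsemanage/get-kernel-max-policy-version.sh`. It keeps the interface the libsemanage.mk hunk expects (a function name followed by its arguments; `get_max_kernel_policy_version` prints a number, `policy_version_check` prints `lt` or `gt`, plus `eq`, which this example adds), but uses one mutually exclusive `if`/`elif` chain so boundary versions such as 3.4, 3.14 and 5.0 match exactly one rule, and it rejects a version string that is not digits.digits before any numeric test sees it. The thresholds (2.x gives 25, 3.0 to 3.4 gives 26, 3.5 to 3.13 gives 28, 3.14 and later 3.x gives 29, 4.0 to 4.2 gives 29, 4.3 to 4.12 gives 30, 4.13 and later gives 31) are the ones used in the thread; treating every kernel from 5.0 onward as policy version 31, as Thomas proposes, is an assumption of this example.

```shell
#!/bin/sh
# Added example, not Buildroot's package/libsemanage/get-kernel-max-policy-version.sh.
# Invocation mirrors the libsemanage.mk hunk: function name first, then its arguments.
#   get-kernel-max-policy-version.sh get_max_kernel_policy_version 4.19.97
#   get-kernel-max-policy-version.sh policy_version_check 31 25

# Print the highest SELinux policy version that kernel "$1" loads.
# Only major.minor matter; a third component (e.g. 4.19.97) is ignored.
# Returns 1 with a diagnostic on stderr if "$1" is not <digits>.<digits>[.<anything>].
get_max_kernel_policy_version() {
    version=$1
    major=${version%%.*}        # text before the first dot
    rest=${version#*.}          # text after the first dot (equals $version if no dot)
    minor=${rest%%.*}           # text before the second dot, if any

    # Validate before comparing, so "[ -eq ]" never sees an empty or non-numeric operand.
    case $version in
        *.*) ;;
        *) echo "invalid kernel version '$version': expected major.minor" >&2; return 1 ;;
    esac
    for field in "$major" "$minor"; do
        case $field in
            ''|*[!0-9]*) echo "invalid kernel version '$version': expected major.minor" >&2; return 1 ;;
        esac
    done

    # Mutually exclusive chain: each kernel version matches exactly one rule.
    # Thresholds as used in the thread; 5.x and newer are assumed to stay at 31.
    if [ "$major" -le 2 ]; then
        echo 25                                     # 2.6.x
    elif [ "$major" -eq 3 ] && [ "$minor" -le 4 ]; then
        echo 26                                     # 3.0 - 3.4
    elif [ "$major" -eq 3 ] && [ "$minor" -lt 14 ]; then
        echo 28                                     # 3.5 - 3.13
    elif [ "$major" -eq 3 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 3 ]; }; then
        echo 29                                     # 3.14+ and 4.0 - 4.2
    elif [ "$major" -eq 4 ] && [ "$minor" -lt 13 ]; then
        echo 30                                     # 4.3 - 4.12
    else
        echo 31                                     # 4.13+ and 5.x+ (assumption)
    fi
}

# Compare the policy version a user configured ("$2") with the kernel maximum ("$1"):
# print lt, gt or eq. The .mk hunk warns on lt (policy older than the kernel allows)
# and errors on gt (policy the kernel cannot load).
policy_version_check() {
    kernel_max=$1
    requested=$2
    if [ "$requested" -lt "$kernel_max" ]; then
        echo lt
    elif [ "$requested" -gt "$kernel_max" ]; then
        echo gt
    else
        echo eq
    fi
}

# Dispatch on the function name passed as the first argument, as the .mk hunk does.
# Only the two known functions are callable; any other first argument is ignored.
case ${1:-} in
    get_max_kernel_policy_version|policy_version_check) "$@" ;;
esac
```

Because the validation runs before the comparisons, a typo in BR2_PACKAGE_LIBSEMANAGE_KERNEL_VERSION fails the build with a readable message rather than an obscure `test` error or a silently wrong default.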
* [Buildroot] [PATCH 1/2] package/libsemanage: add option to manually define policy version
2019-12-15 17:36 ` Adam Duskett
@ 2019-12-16 9:02 ` Thomas Petazzoni
0 siblings, 0 replies; 8+ messages in thread
From: Thomas Petazzoni @ 2019-12-16 9:02 UTC (permalink / raw)
To: buildroot
On Sun, 15 Dec 2019 09:36:49 -0800
Adam Duskett <aduskett@gmail.com> wrote:
> > I think on top of PATCH 1/2, another patch could be added to make
> > things a little bit smarter in terms of defaults:
> >
> > default 31 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_13
> > default 30 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_3
> > default 29 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_14
> > default 28 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_5
> > default 26 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_2_6
> > default 25
> >
> I'm not sure I like this, as toolchain header versions can be
> misleading, but it's up to you.
I don't see how they can be misleading. These options really state
which kernel headers version is used, and it's a rather good hint of
the minimal kernel version that runs on the target HW.
> > Here, what you're basically doing is assuming that if
> > BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION is not enabled, we
> > default to "31". But "31" may be wrong. That's why I suggest to drop BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION and always have a BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION option.
> >
> I made it like this as a fallback. If you want to use the max, then
> you don't have to select anything. Although that could be misleading.
I'm not sure using the latest and greatest as the fallback is really
the safe option.
> > > +ifeq ($(BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION),y)
> > > +LIBSEMANAGE_MAX_POLICY_VERSION = $(BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION)
> > > +endif
> > > +
> > > +define LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY
> > > + $(SED) "/policy-version = /c\policy-version = $(LIBSEMANAGE_MAX_POLICY_VERSION)" \
> > > + $(TARGET_DIR)/etc/selinux/semanage.conf
> > > +endef
> > > +LIBSEMANAGE_POST_INSTALL_TARGET_HOOKS += LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY
> > > +HOST_LIBSEMANAGE_POST_INSTALL_HOOKS += LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY
> >
> > The host hook is not appropriate: it tweaks a file in $(TARGET_DIR),
> > which is not good.
I saw your new iteration, which adds a separate hook for the host
variant. So we need to set this for both the host and target variants
of libsemanage?
Thanks,
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com