* [meta-selinux] Updated meta-selinux -- master-next
From: Mark Hatle @ 2013-09-19 18:41 UTC (permalink / raw)
  To: yocto

I have updated meta-selinux, and placed the update into the 'master-next' branch.

This was locally tested with Poky as of commit 
853bc53cd58a621918f0e5ce662dba263d1befb4.

Note, when building the core-image-selinux, the internal refpolicies cause a lot 
of failures.  I'm not an expert on how this should be configured, so I'm looking 
for help/patches from others.

If you know of any other additional patches that should be applied, or are able 
to help with the refpolicies, please let me know!

Thanks!
--Mark



* Re: [meta-selinux] Updated meta-selinux -- master-next
From: Joe MacDonald @ 2013-09-27 19:58 UTC (permalink / raw)
  To: Mark Hatle; +Cc: yocto


[[yocto] [meta-selinux] Updated meta-selinux -- master-next] On 13.09.19 (Thu 13:41) Mark Hatle wrote:

> I have updated meta-selinux, and placed the update into the 'master-next' branch.
> 
> This was locally tested with Poky as of commit
> 853bc53cd58a621918f0e5ce662dba263d1befb4.
> 
> Note, when building the core-image-selinux, the internal refpolicies
> cause a lot of failures.  I'm not an expert on how this should be
> configured, so I'm looking for help/patches from others.
> 
> If you know of any other additional patches that should be applied,
> or are able to help with the refpolicies, please let me know!
> 
> Thanks!
> --Mark

I just pushed a new (non-ff!) update to master-next.  It includes the
following:

   - Mark Hatle: policycoreutils: avoid shell for checking target-special actions
   - Mark Hatle: setools: Uprev setools
   - Mark Hatle: README: Update status
   - Mark Hatle: libcap-ng: Uprev libcap-ng
   - Mark Hatle: audit: Uprev to audit 2.3.2
   - Mark Hatle: swig: Update to latest swig from meta-openembedded
   - Mark Hatle: python-ipy: Uprev to latest 0.81 version
   - Mark Hatle: distro/*: Update the distro files
   - Christopher Larson: layer.conf: avoid unnecessary early expansion with :=
   - Qiang Chen: selinux: remove reference to locale env files from login
   - Mark Hatle: linux-yocto: Add support for the 3.10 kernel
   - Xin Ouyang: kernel: add BBAPPEND for linux 3.10
   - Xin Ouyang: busybox: alternatives link to sh wrappers for commands
   - Xin Ouyang: refpolicy*: remove old version recipes and patches.
   - Xin Ouyang: refpolicy*: add new version 2.20130424
   - Joe MacDonald: udev/init: work around dev-cache restore problems
   - Mark Hatle: udev/init: sync to latest poky version
   - Xin Ouyang: always force to restore file contexts in initscripts
   - Xin Ouyang: policycoreutils: fix wrong newrole/run_init pam config
   - Xin Ouyang: sepolgen: migrate SRC_URI to 1.1.9
   - Xin Ouyang: policycoreutils: migrate SRC_URI and patches to 2.1.14
   - Xin Ouyang: libsepol: migrate SRC_URI to 2.1.9
   - Xin Ouyang: libsemanage: migrate SRC_URI to 2.1.10
   - Xin Ouyang: libselinux: migrate SRC_URI and patches to 2.1.13
   - Xin Ouyang: checkpolicy: migrate SRC_URI to 2.1.12
   - Xin Ouyang: selinux userspace: uprev packages to release 20130423
   - Philip Tricca: Add ${bindir}/sepolgen to system-config-selinux package.
   - Philip Tricca: Check for the availability of 'secon' and 'setenforce' in the selinux-init.sh script.
   - Philip Tricca: Resend: Install policy headers and include them in the refpolicy dev package.
   - Joe Slater: openssh: add PACKAGECONFIG data regarding audit
   - Philip Tricca: Add util-linux-agetty to core-image-selinux IMAGE_INSTALL.
   - Joe MacDonald: documentation: update guidance for runqemu
   - Philip Tricca: Stage SELinux config file in the sysroot.
   - Philip Tricca: Add leading whitespace to DISTRO_FEATURES_append in oe-selinux.conf

It's still not as clean as I would like it, but at least I understand
(most of) the current failures.  I'll probably not get another chance to
look at this until Monday, though.

First boot and auto-relabel works fine.

Second boot generates the following audit warnings:

   type=1401 audit(1380309719.391:4): security_validate_transition:  denied for oldcontext=system_u:object_r:device_t:s15:c0.c1023 newcontext=system_u:object_r:framebuf_device_t:s0 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=chr_file
   udevd[135]: setfilecon /dev/fb0 failed: Operation not permitted

   type=1401 audit(1380309729.653:5): security_validate_transition:  denied for oldcontext=system_u:object_r:device_t:s15:c0.c1023 newcontext=system_u:object_r:tty_device_t:s0 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=chr_file
   type=1401 audit(1380309729.663:6): security_validate_transition:  denied for oldcontext=system_u:object_r:device_t:s15:c0.c1023 newcontext=system_u:object_r:tty_device_t:s0 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=chr_file
   udevd[86]: setfilecon /dev/vcs2 failed: Operation not permitted

   udevd[93]: setfilecon /dev/vcsa2 failed: Operation not permitted

I initially sank a lot of time into these until I realized the problem
is present (and just not reported) in master.  I haven't yet opened a
bug on it, but I intend to unless I can fix it myself (or someone sends
me a patch) in the very short term.

Subsequent boots are less happy:

   type=1401 audit(1380310608.155:5): security_validate_transition:  denied for oldcontext=system_u:object_r:device_t:s0 newcontext=system_u:object_r:memory_device_t:s15:c0.c1023 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=chr_file
   type=1401 audit(1380310608.164:6): security_validate_transition:  denied for oldcontext=system_u:object_r:device_t:s0 newcontext=system_u:object_r:memory_device_t:s15:c0.c1023 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=chr_file
   type=1401 audit(1380310608.178:7): security_validate_transition:  denied for oldcontext=system_u:object_r:device_t:s0 newcontext=system_u:object_r:memory_device_t:s15:c0.c1023 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=chr_file
   type=1401 audit(1380310608.203:8): security_validate_transition:  denied for oldcontext=system_u:object_r:device_t:s0 newcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=chr_file
   type=1401 audit(1380310608.783:9): security_validate_transition:  denied for oldcontext=system_u:object_r:fixed_disk_device_t:s0 newcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=blk_file
   type=1401 audit(1380310608.789:10): security_validate_transition:  denied for oldcontext=system_u:object_r:fixed_disk_device_t:s0 newcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=blk_file
   type=1401 audit(1380310608.793:11): security_validate_transition:  denied for oldcontext=system_u:object_r:fixed_disk_device_t:s0 newcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=blk_file
   type=1401 audit(1380310608.798:12): security_validate_transition:  denied for oldcontext=system_u:object_r:fixed_disk_device_t:s0 newcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=blk_file
   type=1401 audit(1380310608.802:13): security_validate_transition:  denied for oldcontext=system_u:object_r:fixed_disk_device_t:s0 newcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=blk_file
   udevd[86]: starting version 182
   Starting Bootlog daemon: bootlogd.
   Populating dev cache
   ALSA: Restoring mixer settings...
   audit_printk_skb: 87 callbacks suppressed
   type=1400 audit(1380310625.861:43): avc:  denied  { read write } for  pid=249 comm="alsactl" path="/dev/ttyS0" dev="devtmpfs" ino=6092 scontext=system_u:system_r:alsa_t:s0-s15:c0.c1023 tcontext=root:object_r:user_tty_device_t:s0 tclass=chr_file
   Configuring network interfaces... done.
   Starting rpcbind daemon...type=1400 audit(1380310628.230:44): avc:  denied  { read write } for  pid=265 comm="rpcbind" path="/dev/ttyS0" dev="devtmpfs" ino=6092 scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023 tcontext=root:object_r:user_tty_device_t:s0 tclass=chr_file
   done.

But these are all due to problems I detail in "udev/init: work around
dev-cache restore problems".  There's a simple workaround for it, but
it's hacky (less hacky than not using the dev cache at all? more? not
sure) so I'd rather come up with a cleaner solution.

Anyway, that's the state of meta-selinux's master-next as of right now.

As mentioned (somewhere) elsewhere, master-next will continue to be
non-ff for the foreseeable future, so anyone else should use it with
caution.  master is, of course, perfectly stable (and I hope up-to-date
with all current submissions merged).

-- 
-Joe MacDonald.
:wq
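As an added example (not code from this thread or from meta-selinux): a small Python triage helper that parses the two kinds of audit record quoted in Joe's mail, type=1401 (security_validate_transition, a relabel the kernel refused) and type=1400 (avc, an access check that failed), and splits the relabel denials into "only the MLS range changed" versus "type and range changed". The sample input is constructed from lines copied out of the mail above; the classification names are my own.

```python
import re

# Constructed sample: three lines copied from the audit output quoted above.
SAMPLE_LOG = """\
type=1401 audit(1380309719.391:4): security_validate_transition:  denied for oldcontext=system_u:object_r:device_t:s15:c0.c1023 newcontext=system_u:object_r:framebuf_device_t:s0 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=chr_file
udevd[135]: setfilecon /dev/fb0 failed: Operation not permitted
type=1401 audit(1380310608.783:9): security_validate_transition:  denied for oldcontext=system_u:object_r:fixed_disk_device_t:s0 newcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023 taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=blk_file
type=1400 audit(1380310625.861:43): avc:  denied  { read write } for  pid=249 comm="alsactl" path="/dev/ttyS0" dev="devtmpfs" ino=6092 scontext=system_u:system_r:alsa_t:s0-s15:c0.c1023 tcontext=root:object_r:user_tty_device_t:s0 tclass=chr_file
"""
HEAD_RE = re.compile(r"type=(\d+) audit\(([\d.]+):(\d+)\):")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')       # key=value, value may be quoted
PERMS_RE = re.compile(r"\{ ([^}]*) \}")          # avc permission set

def split_context(ctx):
    """'user:role:type:range' -> (user, role, type, range); range may be ''."""
    parts = ctx.split(":", 3)
    return tuple(parts + [""] * (4 - len(parts)))

def parse_audit_line(line):
    """Parse a type=1400/1401 kernel audit line into a dict; other lines -> None."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    rec = {"type": int(m.group(1)), "serial": int(m.group(3))}
    for key, val in KV_RE.findall(line[m.end():]):
        rec[key] = val.strip('"')
    p = PERMS_RE.search(line)
    if p:
        rec["perms"] = p.group(1).split()
    return rec

def classify(rec):
    """Return (serial, kind, detail) so relabel and access denials sort apart."""
    if rec["type"] == 1401:  # security_validate_transition: a relabel was refused
        _, _, old_t, old_r = split_context(rec["oldcontext"])
        _, _, new_t, new_r = split_context(rec["newcontext"])
        same_t, same_r = old_t == new_t, old_r == new_r
        # On this page the range is what flips: s0 <-> s15:c0.c1023 on the same type.
        kind = "relabel: " + ("MLS range only" if same_t else "type only" if same_r else "type and MLS range")
        return rec["serial"], kind, f"{old_t}:{old_r} -> {new_t}:{new_r}"
    # type=1400, avc: an access check was refused; report who, what, on which type
    _, _, s_t, _ = split_context(rec["scontext"])
    _, _, t_t, _ = split_context(rec["tcontext"])
    perms = " ".join(rec.get("perms", []))
    return rec["serial"], f"avc: {perms}", f"{rec.get('comm')} {s_t} -> {t_t} {rec.get('tclass')}"

def triage(log):
    """Classify every audit record in `log`; non-audit lines (udevd, init) are skipped."""
    return [classify(r) for r in map(parse_audit_line, log.splitlines()) if r]
```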


* Re: [meta-selinux] Updated meta-selinux -- master-next
From: Philip Tricca @ 2013-09-28 19:46 UTC (permalink / raw)
  To: joe; +Cc: yocto

On 09/27/2013 03:58 PM, Joe MacDonald wrote:
> [[yocto] [meta-selinux] Updated meta-selinux -- master-next] On 13.09.19 (Thu 13:41) Mark Hatle wrote:
> 
>> I have updated meta-selinux, and placed the update into the 'master-next' branch.
>>
>> This was locally tested with Poky as of commit
>> 853bc53cd58a621918f0e5ce662dba263d1befb4.
>>
>> Note, when building the core-image-selinux, the internal refpolicies
>> cause a lot of failures.  I'm not an expert on how this should be
>> configured, so I'm looking for help/patches from others.
>>
>> If you know of any other additional patches that should be applied,
>> or are able to help with the refpolicies, please let me know!
>>
>> Thanks!
>> --Mark
> 
> I just pushed a new (non-ff!) update to master-next.  It includes the
> following:
> 
>    - Mark Hatle: policycoreutils: avoid shell for checking target-special actions
>    - Mark Hatle: setools: Uprev setools
>    - Mark Hatle: README: Update status
>    - Mark Hatle: libcap-ng: Uprev libcap-ng
>    - Mark Hatle: audit: Uprev to audit 2.3.2
>    - Mark Hatle: swig: Update to latest swig from meta-openembedded
>    - Mark Hatle: python-ipy: Uprev to latest 0.81 version
>    - Mark Hatle: distro/*: Update the distro files
>    - Christopher Larson: layer.conf: avoid unnecessary early expansion with :=
>    - Qiang Chen: selinux: remove reference to locale env files from login
>    - Mark Hatle: linux-yocto: Add support for the 3.10 kernel
>    - Xin Ouyang: kernel: add BBAPPEND for linux 3.10

Can I put in a request to cherry-pick the 3.10 kernel update down to master? This is independent from all of the tools / policy updates and it would be very convenient for those of us building against master oe-core. As of now a build of meta-selinux master against oe-core master results in an image that will panic on boot as linux-yocto builds the 3.10 kernel and the selinux distros don't prefer a kernel with an available selinux config (3.8 is the most recent).

Thanks,
- Philip


