[meta-selinux][PATCH 0/5] Remove python dependency from refpol.

[meta-selinux][PATCH 0/5] Remove python dependency from refpol.

[flihp]

The reference policy package currently pulls in a lot of python stuff
that isn't strictly necessary to boot an SELinux system and load a
policy. This is caused by the mix of python and C utilities in
policycoreutils.

This patch set breaks the policycoreutils recipe up into multiple
packages, one for each utility. In this way we can have the refpol etc
pull in only the utilities necessary for normal operation. This happens
to be only the utilities written in C and thus we can remove python
completely in a minimal image.

I've attempted to localize these changes as much as possible so changes
in this patchset outside of the policycoreutils recipe are few. An
example image reicpe is added to demonstrate a minimal image with only
the utilities required to load a policy and manipulate the policy store
(add / remove policy modules) at runtime.

Re: [meta-selinux][PATCH 0/5] Remove python dependency from refpol.

[Joe MacDonald]

[-- Attachment #1: Type: text/plain, Size: 1174 bytes --]

[[meta-selinux][PATCH 0/5] Remove python dependency from refpol.] On 13.10.09 (Wed 03:02) flihp@longhaul.twobit.us wrote:

> The reference policy package currently pulls in a lot of python stuff
> that isn't strictly necessary to boot an SELinux system and load a
> policy. This is caused by the mix of python and C utilities in
> policycoreutils.
> 
> This patch set breaks the policycoreutils recipe up into multiple
> packages, one for each utility. In this way we can have the refpol etc
> pull in only the utilities necessary for normal operation. This happens
> to be only the utilities written in C and thus we can remove python
> completely in a minimal image.
> 
> I've attempted to localize these changes as much as possible so changes
> in this patchset outside of the policycoreutils recipe are few. An
> example image reicpe is added to demonstrate a minimal image with only
> the utilities required to load a policy and manipulate the policy store
> (add / remove policy modules) at runtime.

Hey Philip,

The patches never arrived in my mailbox and I don't see them in
patchworks.  Can you re-send, please?

-- 
-Joe MacDonald.
:wq

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 205 bytes --]

[meta-selinux][PATCH 0/5] Remove python dependency from refpol.

[Philip Tricca]

The reference policy package currently pulls in a lot of python stuff
that isn't strictly necessary to boot an SELinux system and load a
policy. AFAIK this is caused by the mix of python and C utilities in
policycoreutils.

This patch set breaks the policycoreutils recipe up into multiple
packages, one for each utility. In this way we can have the refpol etc
pull in only the utilities necessary for normal operation. This happens
to be only the utilities written in C and thus we can remove python
completely in a minimal image.

I've attempted to localize these changes as much as possible so this
patch set should have minimal impact on recipes outside of the
policycoreutils. An example image reicpe is added to demonstrate a
minimal image with only the utilities required to load a policy and
manipulate the policy store (add / remove policy modules) at runtime.

Regards,
- Philip

Re: [meta-selinux][PATCH 0/5] Remove python dependency from refpol.

[Philip Tricca]

Morning Joe

On 10/09/2013 08:23 AM, Joe MacDonald wrote:
> [[meta-selinux][PATCH 0/5] Remove python dependency from refpol.]
> On 13.10.09 (Wed 03:02) flihp@longhaul.twobit.us wrote:
> 
>> The reference policy package currently pulls in a lot of python
>> stuff that isn't strictly necessary to boot an SELinux system and
>> load a policy. This is caused by the mix of python and C
>> utilities in policycoreutils.
>> 
>> This patch set breaks the policycoreutils recipe up into
>> multiple packages, one for each utility. In this way we can have
>> the refpol etc pull in only the utilities necessary for normal
>> operation. This happens to be only the utilities written in C and
>> thus we can remove python completely in a minimal image.
>> 
>> I've attempted to localize these changes as much as possible so
>> changes in this patchset outside of the policycoreutils recipe
>> are few. An example image reicpe is added to demonstrate a
>> minimal image with only the utilities required to load a policy
>> and manipulate the policy store (add / remove policy modules) at
>> runtime.
> 
> Hey Philip,
> 
> The patches never arrived in my mailbox and I don't see them in 
> patchworks.  Can you re-send, please?

I don't think this message made it to the list. Must have made it to
you and Mark though. I've resent and will send patches momentarily.

Cheers,
- Philip

Re: [meta-selinux][PATCH 1/5] Break policycoreutils out into separate packages for the various utilities.

[Philip Tricca]

The driver beind this is to allow images to be built with the minimal
tools necessary to load a policy.  Breaking all of the stuff that's
dependent on python out from the core utils allows us to make much
smaller images.

Signed-off-by: Philip Tricca <flihp@twobit.us>
---
 recipes-security/selinux/policycoreutils.inc |  181 +++++++++++++++++++++++++-
 1 file changed, 175 insertions(+), 6 deletions(-)

diff --git a/recipes-security/selinux/policycoreutils.inc b/recipes-security/selinux/policycoreutils.inc
index dfd65e3..e6ff4ed 100644
--- a/recipes-security/selinux/policycoreutils.inc
+++ b/recipes-security/selinux/policycoreutils.inc
@@ -38,6 +38,92 @@ RDEPENDS_${BPN} += "\
 	python-ipy \
 	"
 
+RDEPENDS_${BPN}-audit2allow = " \
+	python-textutils \
+	libselinux-python \
+	sepolgen \
+	"
+RDEPENDS_${BPN}-chcat = " \
+	python-codecs \
+	python-shell \
+	python-stringold \
+	python-unixadmin \
+	${BPN}-python \
+	libselinux-python \
+	"
+RDEPENDS_${BPN}-fixfiles += "\
+	${BPN}-setfiles \
+	"
+RDEPENDS_${BPN}-genhomedircon += "\
+	${BPN}-genhomedircon \
+	${BPN}-semodule \
+	"
+RDEPENDS_${BPN}-loadpolicy += "\
+	libselinux \
+	libsepol \
+	"
+RDEPENDS_${BPN}-newrole += "\
+	libcap-ng \
+	libselinux \
+	"
+RDEPENDS_${BPN}-python += "\
+	python-codecs \
+	python-io \
+	python-ipy \
+	python-re \
+	python-stringold \
+	python-syslog \
+	python-unixadmin \
+	libselinux-python \
+	libsemanage-python \
+	"
+RDEPENDS_${BPN}-runinit += "libselinux"
+RDEPENDS_${BPN}-sandbox += "\
+	python-math \
+	python-shell \
+	python-subprocess \
+	python-textutils \
+	python-unixadmin \
+	libselinux-python \
+	${BPN}-python \
+	"
+RDEPENDS_${BPN}-secon += "libselinux"
+RDEPENDS_${BPN}-semanage = " \
+	python-core \
+	python-ipy \
+	${BPN}-python \
+	libselinux-python \
+	"
+RDEPENDS_${BPN}-semodule += "\
+	libsepol \
+	libselinux \
+	libsemanage \
+	"
+# static link to libsepol
+DEPENDS_${BPN}-semodule-deps += "libsepol"
+RDEPENDS_${BPN}-semodule-expand += "libsepol libselinux"
+RDEPENDS_${BPN}-semodule-link += "libsepol libselinux"
+RDEPENDS_${BPN}-semodule-package += "libsepol libselinux"
+RDEPENDS_${BPN}-sepolicy += "\
+	python-argparse \
+	python-codecs \
+	python-core \
+	python-syslog \
+	${BPN}-python \
+	"
+# static link to libsepol
+DEPENDS_${BPN}-sepolgen-ifgen += "libsepol"
+RDEPENDS_${BPN}-sepolgen-ifgen += "libselinux-python"
+RDEPENDS_${BPN}-sestatus += "libselinux"
+RDEPENDS_${BPN}-setfiles += "\
+	libselinux \
+	libsepol \
+	"
+RDEPENDS_${BPN}-setsebool += "\
+	libsepol \
+	libselinux \
+	libsemanage \
+	"
 RDEPENDS_${BPN} += "setools setools-libs ${BPN}-python"
 
 WARN_QA := "${@oe_filter_out('unsafe-references-in-scripts', '${WARN_QA}', d)}"
@@ -45,14 +131,97 @@ ERROR_QA := "${@oe_filter_out('unsafe-references-in-scripts', '${ERROR_QA}', d)}
 
 inherit pythonnative
 
-PACKAGES =+ "${PN}-python ${PN}-sandbox system-config-selinux"
-FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}/site-packages/seobject.py* \
+PACKAGES =+ "\
+	${PN}-audit2allow \
+	${PN}-chcat \
+	${PN}-fixfiles \
+	${PN}-genhomedircon \
+	${PN}-loadpolicy \
+	${PN}-newrole \
+	${PN}-python \
+	${PN}-runinit \
+	${PN}-sandbox \
+	${PN}-secon \
+	${PN}-semanage \
+	${PN}-semodule \
+	${PN}-semodule-deps \
+	${PN}-semodule-expand \
+	${PN}-semodule-link \
+	${PN}-semodule-package \
+	${PN}-sepolgen-ifgen \
+	${PN}-sepolicy \
+	${PN}-sestatus \
+	${PN}-setfiles \
+	${PN}-setsebool \
+	system-config-selinux \
+	"
+FILES_${PN}-audit2allow = " \
+	${bindir}/audit2allow \
+	${bindir}/audit2why \
+	"
+FILES_${PN}-chcat = " \
+	${bindir}/chcat \
+	"
+FILES_${PN}-fixfiles += "${base_sbindir}/fixfiles"
+FILES_${PN}-genhomedircon += "${sbindir}/genhomedircon"
+FILES_${PN}-loadpolicy += "\
+	${base_sbindir}/load_policy \
+	${sbindir}/load_policy \
+	"
+FILES_${PN}-newrole += "\
+	${bindir}/newrole \
+	${@base_contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/newrole', '', d)} \
+	"
+FILES_${PN}-python = " \
+	${libdir}/python${PYTHON_BASEVERSION}/site-packages/seobject.py* \
 	${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy*.egg-info \
-	${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy/*"
+	${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy/* \
+        "
+FILES_${PN}-runinit += "\
+	${sbindir}/run_init \
+	${sbindir}/open_init_pty \
+	${@base_contains('DISTRO_FEATURES', 'pam', '${sysconfdir}/pam.d/run_init', '', d)} \
+	"
 FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/site-packages/sepolicy/.debug/*"
-FILES_${PN}-sandbox = "${datadir}/sandbox/*"
-FILES_${PN}-sandbox += "${bindir}/sandbox"
-FILES_${PN}-sandbox += "${sbindir}/seunshare"
+FILES_${PN}-sandbox += "\
+	${datadir}/sandbox/* \
+	${bindir}/sandbox \
+	${sbindir}/seunshare \
+	${sysconfdir}/sysconfig/sandbox \
+	"
+FILES_${PN}-secon += "${bindir}/secon"
+FILES_${PN}-semanage = " \
+	${sbindir}/semanage \
+	${sysconfdir}/bash_completion.d/semanage-bash-completion.sh \
+	"
+FILES_${PN}-semodule += "${sbindir}/semodule"
+FILES_${PN}-semodule-deps += "${bindir}/semodule_deps"
+FILES_${PN}-semodule-expand += "${bindir}/semodule_expand"
+FILES_${PN}-semodule-link += "${bindir}/semodule_link"
+FILES_${PN}-semodule-package += "\
+	${bindir}/semodule_package \
+	${bindir}/semodule_unpackage \
+	"
+FILES_${PN}-sepolicy += "\
+	${bindir}/sepolicy \
+	${sysconfdir}/bash_completion.d/sepolicy-bash-completion.sh \
+	"
+FILES_${PN}-sepolgen-ifgen += "\
+	${bindir}/sepolgen-ifgen \
+	${bindir}/sepolgen-ifgen-attr-helper \
+	"
+FILES_${PN}-sestatus += "\
+	${sbindir}/sestatus \
+	${sysconfdir}/sestatus.conf \
+	"
+FILES_${PN}-setfiles += " \
+	${base_sbindir}/restorecon \
+	${base_sbindir}/setfiles \
+	"
+FILES_${PN}-setsebool += " \
+	${sbindir}/setsebool \
+	${sysconfdir}/bash_completion.d/setsebool-bash-completion.sh \
+	"
 FILES_system-config-selinux = " \
     ${bindir}/sepolgen \
     ${datadir}/system-config-selinux/* \
-- 
1.7.10.4

Re: [meta-selinux][PATCH 2/5] Remove unnecessary RDEPENDS_${BPN}.

[Philip Tricca]

Now that the policycoreutuils package is empty no need for RDEPENDS.
Doing this in the commit that broke up the policycoreutuils package
made the diff hard to read. Figured it best to break it out for
readability.

Signed-off-by: Philip Tricca <flihp@twobit.us>
---
 recipes-security/selinux/policycoreutils.inc |   16 ----------------
 1 file changed, 16 deletions(-)

diff --git a/recipes-security/selinux/policycoreutils.inc b/recipes-security/selinux/policycoreutils.inc
index e6ff4ed..05de7ac 100644
--- a/recipes-security/selinux/policycoreutils.inc
+++ b/recipes-security/selinux/policycoreutils.inc
@@ -22,22 +22,6 @@ DEPENDS += "${@['', '${EXTRA_DEPENDS}']['${PN}' != '${BPN}-native']}"
 inherit selinux
 DEPENDS += "${@target_selinux(d, 'libpam audit')}"
 
-RDEPENDS_${BPN} += "\
-	libselinux-python \
-	libsemanage-python \
-	sepolgen \
-	"
-RDEPENDS_${BPN} += "\
-	python \
-	python-unixadmin \
-	python-shell \
-	python-crypt \
-	python-subprocess \
-	python-syslog \
-	python-textutils \
-	python-ipy \
-	"
-
 RDEPENDS_${BPN}-audit2allow = " \
 	python-textutils \
 	libselinux-python \
-- 
1.7.10.4

Re: [meta-selinux][PATCH 3/5] Remove runtime dependency on policycoreutils from the reference policy.

[Philip Tricca]

The only thing refpol needs to depend on at runtime are the things
necessary to load the policy.  If sysvinit is patched to load the
policy (which it is) then we only need the config.

Signed-off-by: Philip Tricca <flihp@twobit.us>
---
 recipes-security/refpolicy/refpolicy_common.inc |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 3eaf16d..873d887 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -16,7 +16,7 @@ FILES_${PN} = "${sysconfdir}/selinux/${POLICY_NAME}/ \
 FILES_${PN}-dev =+ "${datadir}/selinux/${POLICY_NAME}/include/"
 
 DEPENDS += "checkpolicy-native policycoreutils-native m4-native"
-RDEPENDS_${PN} += "policycoreutils selinux-config"
+RDEPENDS_${PN} += "selinux-config"
 
 PACKAGE_ARCH = "${MACHINE_ARCH}"
 
-- 
1.7.10.4

Re: [meta-selinux][PATCH 4/5] Add packagegroup and image recipe for minimal SELinux image.

[Philip Tricca]

This is intended to demonstrate the minimal set packages necessary
to boot and load a system with SELinux enabled. Specifically we
don't need any of the packages that depend on python.

Signed-off-by: Philip Tricca <flihp@twobit.us>
---
 .../images/core-image-selinux-minimal.bb           |   15 +++++++++++
 .../packagegroups/packagegroup-selinux-minimal.bb  |   26 ++++++++++++++++++++
 2 files changed, 41 insertions(+)
 create mode 100644 recipes-security/images/core-image-selinux-minimal.bb
 create mode 100644 recipes-security/packagegroups/packagegroup-selinux-minimal.bb

diff --git a/recipes-security/images/core-image-selinux-minimal.bb b/recipes-security/images/core-image-selinux-minimal.bb
new file mode 100644
index 0000000..45cd847
--- /dev/null
+++ b/recipes-security/images/core-image-selinux-minimal.bb
@@ -0,0 +1,15 @@
+DESCRIPTION = "Minimal image with SELinux support (no python)"
+
+IMAGE_FEATURES += "splash ssh-server-openssh"
+
+LICENSE = "MIT"
+
+IMAGE_INSTALL = "\
+	${CORE_IMAGE_BASE_INSTALL} \
+	bash \
+	util-linux-agetty \
+	packagegroup-core-boot \
+	packagegroup-selinux-minimal \
+"
+
+inherit core-image
diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
new file mode 100644
index 0000000..16f6bae
--- /dev/null
+++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
@@ -0,0 +1,26 @@
+DESCRIPTION = "SELinux packagegroup with only packages required for basic operations"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/LICENSE;md5=3f40d7994397109285ec7b81fdeb3b58 \
+                    file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+PR = "r0"
+
+PACKAGES = "\
+	${PN} \
+	"
+
+ALLOW_EMPTY_${PN} = "1"
+
+RDEPENDS_${PN} = " \
+	coreutils \
+	libsepol \
+	libselinux \
+	libselinux-bin \
+	libsemanage \
+	policycoreutils-fixfiles \
+	policycoreutils-secon \
+	policycoreutils-semodule \
+	policycoreutils-sestatus \
+	policycoreutils-setfiles \
+	selinux-config \
+	refpolicy-mls \
+	"
-- 
1.7.10.4

Re: [meta-selinux][PATCH 5/5] Add packagegroup for policycoreutils packages.

[Philip Tricca]

The policycoreutils package previously included most everything in
the base package. This packagegroup is intended to fill the role
of the old policycoreutils package and pull in all packages from the
policycoreutils recipe.

Signed-off-by: Philip Tricca <flihp@twobit.us>
---
 .../packagegroups/packagegroup-core-selinux.bb     |    4 +--
 .../packagegroup-selinux-policycoreutils.bb        |   36 ++++++++++++++++++++
 2 files changed, 37 insertions(+), 3 deletions(-)
 create mode 100644 recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb

diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb b/recipes-security/packagegroups/packagegroup-core-selinux.bb
index 7cd7409..76863b0 100644
--- a/recipes-security/packagegroups/packagegroup-core-selinux.bb
+++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb
@@ -19,9 +19,7 @@ RDEPENDS_${PN} = " \
 	libsemanage \
 	checkpolicy \
 	sepolgen \
-	policycoreutils \
-	policycoreutils-sandbox \
-	policycoreutils-python \
+	packagegroup-selinux-policycoreutils \
 	setools \
 	setools-console \
 	selinux-config \
diff --git a/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb b/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb
new file mode 100644
index 0000000..296a7e3
--- /dev/null
+++ b/recipes-security/packagegroups/packagegroup-selinux-policycoreutils.bb
@@ -0,0 +1,36 @@
+DESCRIPTION = "SELinux policycoreutils packagegroup"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/LICENSE;md5=3f40d7994397109285ec7b81fdeb3b58 \
+                    file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+PR = "r0"
+
+PACKAGES = "\
+    ${PN} \
+    "
+
+ALLOW_EMPTY_${PN} = "1"
+
+RDEPENDS_${PN} = " \
+	policycoreutils-audit2allow \
+	policycoreutils-chcat \
+	policycoreutils-fixfiles \
+	policycoreutils-genhomedircon \
+	policycoreutils-loadpolicy \
+	policycoreutils-newrole \
+	policycoreutils-python \
+	policycoreutils-runinit \
+	policycoreutils-sandbox \
+	policycoreutils-secon \
+	policycoreutils-semanage \
+	policycoreutils-semodule \
+	policycoreutils-semodule-deps \
+	policycoreutils-semodule-expand \
+	policycoreutils-semodule-link \
+	policycoreutils-semodule-package \
+	policycoreutils-sepolgen-ifgen \
+	policycoreutils-sepolicy \
+	policycoreutils-sestatus \
+	policycoreutils-setfiles \
+	policycoreutils-setsebool \
+	system-config-selinux \
+	"
-- 
1.7.10.4