[PATCH][meta-selinux] refpolicy-minimum: port changes for prepare_policy

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH][meta-selinux] refpolicy-minimum: port changes for prepare_policy_store
@ 2016-04-08  8:19 wenzong.fan
  2016-04-17 21:02 ` Philip Tricca
  0 siblings, 1 reply; 5+ messages in thread
From: wenzong.fan @ 2016-04-08  8:19 UTC (permalink / raw)
  To: yocto

From: Wenzong Fan <wenzong.fan@windriver.com>

Apply the changes to refpolicy-minimum_2.20151208.bb:

  commit bfaf278116e6c3a04bb82c9f8a4f8629a0a85df8
  Author: Wenzong Fan <wenzong.fan@windriver.com>
  Date:   Tue Oct 27 06:25:04 2015 -0400

    refpolicy-minimum: update prepare_policy_store

    * update prepare_policy_store() for supporting SELinux 2.4 & CIL, the
      logic is from refpolicy_common.inc but with minimum set of policy
      modules;

    * add extra policy modules that required by sysnetwork, without those
      modules the install process will fail with error:

        | Failed to resolve roletype statement at 62 of \
          .../image/var/lib/selinux/minimum/tmp/modules/100/sysnetwork/cil
        | Failed to resolve ast
        | semodule:  Failed!

    Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
    Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
---
 .../refpolicy/refpolicy-minimum_2.20151208.bb      | 41 ++++++++++++++++------
 1 file changed, 30 insertions(+), 11 deletions(-)

diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
index b275821..47ed558 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
@@ -26,23 +26,42 @@ EXTRA_POLICY_MODULES += "nscd"
 # "login", so "login" process will access to /var/spool/mail.
 EXTRA_POLICY_MODULES += "mta"
 
+# sysnetwork requires type definitions (insmod_t, consoletype_t,
+# hostname_t, ping_t, netutils_t) from modules:
+EXTRA_POLICY_MODULES += "modutils consoletype hostname netutils"
+
 POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
 
 # re-write the same func from refpolicy_common.inc
 prepare_policy_store () {
 	oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
+	POL_PRIORITY=100
+	POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
+	POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
+	POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
 
 	# Prepare to create policy store
-	mkdir -p ${D}${sysconfdir}/selinux/
-	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/policy
-	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules
-	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files
-	touch ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local
-	for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do
-		bzip2 -f $i && mv -f $i.bz2 $i
-	done
-	cp base.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
-	for i in ${POLICY_MODULES_MIN}; do
-		cp ${i}.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i.pp`
+	mkdir -p ${POL_STORE}
+	mkdir -p ${POL_ACTIVE_MODS}
+
+	# get hll type from suffix on base policy module
+	HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
+	HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
+
+	for i in base ${POLICY_MODULES_MIN}; do
+		MOD_FILE=${POL_SRC}/${i}.${HLL_TYPE}
+		MOD_DIR=${POL_ACTIVE_MODS}/${i}
+		mkdir -p ${MOD_DIR}
+		echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
+
+		if ! bzip2 -t ${MOD_FILE} >/dev/null 2>&1; then
+			${HLL_BIN} ${MOD_FILE} | bzip2 --stdout > ${MOD_DIR}/cil
+			bzip2 -f ${MOD_FILE} && mv -f ${MOD_FILE}.bz2 ${MOD_FILE}
+		else
+			bunzip2 --stdout ${MOD_FILE} | \
+				${HLL_BIN} | \
+				bzip2 --stdout > ${MOD_DIR}/cil
+		fi
+		cp ${MOD_FILE} ${MOD_DIR}/hll
 	done
 }
-- 
1.9.1



^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH][meta-selinux] refpolicy-minimum: port changes for prepare_policy_store
  2016-04-08  8:19 [PATCH][meta-selinux] refpolicy-minimum: port changes for prepare_policy_store wenzong.fan
@ 2016-04-17 21:02 ` Philip Tricca
  2016-04-18  7:34   ` wenzong fan
  0 siblings, 1 reply; 5+ messages in thread
From: Philip Tricca @ 2016-04-17 21:02 UTC (permalink / raw)
  To: wenzong.fan; +Cc: yocto

Hello Wenzong,

On 04/08/2016 01:19 AM, wenzong.fan@windriver.com wrote:
> From: Wenzong Fan <wenzong.fan@windriver.com>
> 
> Apply the changes to refpolicy-minimum_2.20151208.bb:
> 
>   commit bfaf278116e6c3a04bb82c9f8a4f8629a0a85df8
>   Author: Wenzong Fan <wenzong.fan@windriver.com>
>   Date:   Tue Oct 27 06:25:04 2015 -0400
> 
>     refpolicy-minimum: update prepare_policy_store
> 
>     * update prepare_policy_store() for supporting SELinux 2.4 & CIL, the
>       logic is from refpolicy_common.inc but with minimum set of policy
>       modules;
> 
>     * add extra policy modules that required by sysnetwork, without those
>       modules the install process will fail with error:
> 
>         | Failed to resolve roletype statement at 62 of \
>           .../image/var/lib/selinux/minimum/tmp/modules/100/sysnetwork/cil
>         | Failed to resolve ast
>         | semodule:  Failed!
> 
>     Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
>     Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
> 
> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
> ---

This looks great but in testing it I'm unable to use the 'minimum'
refpolicy recipe in any image. The recipe builds fine but the do_rootfs
fails trying to label the filesystem. I haven't been able to find the
root cause for this yet, but I'm seeing this behavior both before and
after adding this patch so it may be a preexisting issue?

Given all of that, I've merged this patch into master since it doesn't
seem related to the issue I'm seeing. Still, some help in resolving the
issue I'm seeing with the minimum refpolicy recipe would be appreciated.

Thanks,
Philip

>  .../refpolicy/refpolicy-minimum_2.20151208.bb      | 41 ++++++++++++++++------
>  1 file changed, 30 insertions(+), 11 deletions(-)
> 
> diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
> index b275821..47ed558 100644
> --- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
> +++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
> @@ -26,23 +26,42 @@ EXTRA_POLICY_MODULES += "nscd"
>  # "login", so "login" process will access to /var/spool/mail.
>  EXTRA_POLICY_MODULES += "mta"
>  
> +# sysnetwork requires type definitions (insmod_t, consoletype_t,
> +# hostname_t, ping_t, netutils_t) from modules:
> +EXTRA_POLICY_MODULES += "modutils consoletype hostname netutils"
> +
>  POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
>  
>  # re-write the same func from refpolicy_common.inc
>  prepare_policy_store () {
>  	oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
> +	POL_PRIORITY=100
> +	POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
> +	POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
> +	POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
>  
>  	# Prepare to create policy store
> -	mkdir -p ${D}${sysconfdir}/selinux/
> -	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/policy
> -	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules
> -	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files
> -	touch ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local
> -	for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do
> -		bzip2 -f $i && mv -f $i.bz2 $i
> -	done
> -	cp base.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
> -	for i in ${POLICY_MODULES_MIN}; do
> -		cp ${i}.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i.pp`
> +	mkdir -p ${POL_STORE}
> +	mkdir -p ${POL_ACTIVE_MODS}
> +
> +	# get hll type from suffix on base policy module
> +	HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
> +	HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
> +
> +	for i in base ${POLICY_MODULES_MIN}; do
> +		MOD_FILE=${POL_SRC}/${i}.${HLL_TYPE}
> +		MOD_DIR=${POL_ACTIVE_MODS}/${i}
> +		mkdir -p ${MOD_DIR}
> +		echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
> +
> +		if ! bzip2 -t ${MOD_FILE} >/dev/null 2>&1; then
> +			${HLL_BIN} ${MOD_FILE} | bzip2 --stdout > ${MOD_DIR}/cil
> +			bzip2 -f ${MOD_FILE} && mv -f ${MOD_FILE}.bz2 ${MOD_FILE}
> +		else
> +			bunzip2 --stdout ${MOD_FILE} | \
> +				${HLL_BIN} | \
> +				bzip2 --stdout > ${MOD_DIR}/cil
> +		fi
> +		cp ${MOD_FILE} ${MOD_DIR}/hll
>  	done
>  }
> 



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH][meta-selinux] refpolicy-minimum: port changes for prepare_policy_store
  2016-04-17 21:02 ` Philip Tricca
@ 2016-04-18  7:34   ` wenzong fan
  2016-04-19 18:34     ` George McCollister
  0 siblings, 1 reply; 5+ messages in thread
From: wenzong fan @ 2016-04-18  7:34 UTC (permalink / raw)
  To: Philip Tricca; +Cc: yocto

On 04/18/2016 05:02 AM, Philip Tricca wrote:
> Hello Wenzong,
>
> On 04/08/2016 01:19 AM, wenzong.fan@windriver.com wrote:
>> From: Wenzong Fan <wenzong.fan@windriver.com>
>>
>> Apply the changes to refpolicy-minimum_2.20151208.bb:
>>
>>    commit bfaf278116e6c3a04bb82c9f8a4f8629a0a85df8
>>    Author: Wenzong Fan <wenzong.fan@windriver.com>
>>    Date:   Tue Oct 27 06:25:04 2015 -0400
>>
>>      refpolicy-minimum: update prepare_policy_store
>>
>>      * update prepare_policy_store() for supporting SELinux 2.4 & CIL, the
>>        logic is from refpolicy_common.inc but with minimum set of policy
>>        modules;
>>
>>      * add extra policy modules that required by sysnetwork, without those
>>        modules the install process will fail with error:
>>
>>          | Failed to resolve roletype statement at 62 of \
>>            .../image/var/lib/selinux/minimum/tmp/modules/100/sysnetwork/cil
>>          | Failed to resolve ast
>>          | semodule:  Failed!
>>
>>      Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
>>      Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
>>
>> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
>> ---
>
> This looks great but in testing it I'm unable to use the 'minimum'
> refpolicy recipe in any image. The recipe builds fine but the do_rootfs
> fails trying to label the filesystem. I haven't been able to find the
> root cause for this yet, but I'm seeing this behavior both before and
> after adding this patch so it may be a preexisting issue?
>
> Given all of that, I've merged this patch into master since it doesn't
> seem related to the issue I'm seeing. Still, some help in resolving the
> issue I'm seeing with the minimum refpolicy recipe would be appreciated.

Hi Philip,

Thanks for getting the change merged.

I did a test and see errors about:

 
/.../core-image-selinux/1.0-r0/rootfs//etc/selinux/mcs/contexts/files/file_contexts: 
No such file or directory

That should be the SELINUXTYPE in /etc/selinux/config is not correct, 
below patches could fix it:

--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -162,7 +162,8 @@ SELINUX=${DEFAULT_ENFORCING}
  #     mls - Multi Level Security protection.
  #     targeted - Targeted processes are protected.
  #     mcs - Multi Category Security protection.
-SELINUXTYPE=${POLICY_TYPE}
+#     minimum - Minimum Security protection.
+SELINUXTYPE=${POLICY_NAME}

It works in my test, please feel free to integrate it if you think it 
makes sense.

Thanks
Wenzong

>
> Thanks,
> Philip
>
>>   .../refpolicy/refpolicy-minimum_2.20151208.bb      | 41 ++++++++++++++++------
>>   1 file changed, 30 insertions(+), 11 deletions(-)
>>
>> diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
>> index b275821..47ed558 100644
>> --- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
>> +++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
>> @@ -26,23 +26,42 @@ EXTRA_POLICY_MODULES += "nscd"
>>   # "login", so "login" process will access to /var/spool/mail.
>>   EXTRA_POLICY_MODULES += "mta"
>>
>> +# sysnetwork requires type definitions (insmod_t, consoletype_t,
>> +# hostname_t, ping_t, netutils_t) from modules:
>> +EXTRA_POLICY_MODULES += "modutils consoletype hostname netutils"
>> +
>>   POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
>>
>>   # re-write the same func from refpolicy_common.inc
>>   prepare_policy_store () {
>>   	oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
>> +	POL_PRIORITY=100
>> +	POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
>> +	POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
>> +	POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
>>
>>   	# Prepare to create policy store
>> -	mkdir -p ${D}${sysconfdir}/selinux/
>> -	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/policy
>> -	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules
>> -	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files
>> -	touch ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local
>> -	for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do
>> -		bzip2 -f $i && mv -f $i.bz2 $i
>> -	done
>> -	cp base.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
>> -	for i in ${POLICY_MODULES_MIN}; do
>> -		cp ${i}.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i.pp`
>> +	mkdir -p ${POL_STORE}
>> +	mkdir -p ${POL_ACTIVE_MODS}
>> +
>> +	# get hll type from suffix on base policy module
>> +	HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
>> +	HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
>> +
>> +	for i in base ${POLICY_MODULES_MIN}; do
>> +		MOD_FILE=${POL_SRC}/${i}.${HLL_TYPE}
>> +		MOD_DIR=${POL_ACTIVE_MODS}/${i}
>> +		mkdir -p ${MOD_DIR}
>> +		echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
>> +
>> +		if ! bzip2 -t ${MOD_FILE} >/dev/null 2>&1; then
>> +			${HLL_BIN} ${MOD_FILE} | bzip2 --stdout > ${MOD_DIR}/cil
>> +			bzip2 -f ${MOD_FILE} && mv -f ${MOD_FILE}.bz2 ${MOD_FILE}
>> +		else
>> +			bunzip2 --stdout ${MOD_FILE} | \
>> +				${HLL_BIN} | \
>> +				bzip2 --stdout > ${MOD_DIR}/cil
>> +		fi
>> +		cp ${MOD_FILE} ${MOD_DIR}/hll
>>   	done
>>   }
>>
>
>
>


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH][meta-selinux] refpolicy-minimum: port changes for prepare_policy_store
  2016-04-18  7:34   ` wenzong fan
@ 2016-04-19 18:34     ` George McCollister
  2016-04-20  5:30       ` Philip Tricca
  0 siblings, 1 reply; 5+ messages in thread
From: George McCollister @ 2016-04-19 18:34 UTC (permalink / raw)
  To: wenzong fan; +Cc: yocto

On Mon, Apr 18, 2016 at 2:34 AM, wenzong fan <wenzong.fan@windriver.com> wrote:
> On 04/18/2016 05:02 AM, Philip Tricca wrote:
>>
>> Hello Wenzong,
>>
>> On 04/08/2016 01:19 AM, wenzong.fan@windriver.com wrote:
>>>
>>> From: Wenzong Fan <wenzong.fan@windriver.com>
>>>
>>> Apply the changes to refpolicy-minimum_2.20151208.bb:
>>>
>>>    commit bfaf278116e6c3a04bb82c9f8a4f8629a0a85df8
>>>    Author: Wenzong Fan <wenzong.fan@windriver.com>
>>>    Date:   Tue Oct 27 06:25:04 2015 -0400
>>>
>>>      refpolicy-minimum: update prepare_policy_store
>>>
>>>      * update prepare_policy_store() for supporting SELinux 2.4 & CIL,
>>> the
>>>        logic is from refpolicy_common.inc but with minimum set of policy
>>>        modules;
>>>
>>>      * add extra policy modules that required by sysnetwork, without
>>> those
>>>        modules the install process will fail with error:
>>>
>>>          | Failed to resolve roletype statement at 62 of \
>>>
>>> .../image/var/lib/selinux/minimum/tmp/modules/100/sysnetwork/cil
>>>          | Failed to resolve ast
>>>          | semodule:  Failed!
>>>
>>>      Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
>>>      Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
>>>
>>> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
>>> ---
>>
>>
>> This looks great but in testing it I'm unable to use the 'minimum'
>> refpolicy recipe in any image. The recipe builds fine but the do_rootfs
>> fails trying to label the filesystem. I haven't been able to find the
>> root cause for this yet, but I'm seeing this behavior both before and
>> after adding this patch so it may be a preexisting issue?
>>
>> Given all of that, I've merged this patch into master since it doesn't
>> seem related to the issue I'm seeing. Still, some help in resolving the
>> issue I'm seeing with the minimum refpolicy recipe would be appreciated.
>
>
> Hi Philip,
>
> Thanks for getting the change merged.
>
> I did a test and see errors about:
>
>
> /.../core-image-selinux/1.0-r0/rootfs//etc/selinux/mcs/contexts/files/file_contexts:
> No such file or directory
>
> That should be the SELINUXTYPE in /etc/selinux/config is not correct, below
> patches could fix it:
>
> --- a/recipes-security/refpolicy/refpolicy_common.inc
> +++ b/recipes-security/refpolicy/refpolicy_common.inc
> @@ -162,7 +162,8 @@ SELINUX=${DEFAULT_ENFORCING}
>  #     mls - Multi Level Security protection.
>  #     targeted - Targeted processes are protected.
>  #     mcs - Multi Category Security protection.
> -SELINUXTYPE=${POLICY_TYPE}
> +#     minimum - Minimum Security protection.
> +SELINUXTYPE=${POLICY_NAME}
>
> It works in my test, please feel free to integrate it if you think it makes
> sense.
>

With this change my refpolicy-targeted build completes again.
Thanks,
George

> Thanks
> Wenzong
>
>
>>
>> Thanks,
>> Philip
>>
>>>   .../refpolicy/refpolicy-minimum_2.20151208.bb      | 41
>>> ++++++++++++++++------
>>>   1 file changed, 30 insertions(+), 11 deletions(-)
>>>
>>> diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
>>> b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
>>> index b275821..47ed558 100644
>>> --- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
>>> +++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
>>> @@ -26,23 +26,42 @@ EXTRA_POLICY_MODULES += "nscd"
>>>   # "login", so "login" process will access to /var/spool/mail.
>>>   EXTRA_POLICY_MODULES += "mta"
>>>
>>> +# sysnetwork requires type definitions (insmod_t, consoletype_t,
>>> +# hostname_t, ping_t, netutils_t) from modules:
>>> +EXTRA_POLICY_MODULES += "modutils consoletype hostname netutils"
>>> +
>>>   POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
>>>
>>>   # re-write the same func from refpolicy_common.inc
>>>   prepare_policy_store () {
>>>         oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
>>> +       POL_PRIORITY=100
>>> +       POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
>>> +       POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
>>> +       POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
>>>
>>>         # Prepare to create policy store
>>> -       mkdir -p ${D}${sysconfdir}/selinux/
>>> -       mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/policy
>>> -       mkdir -p
>>> ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules
>>> -       mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files
>>> -       touch
>>> ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local
>>> -       for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do
>>> -               bzip2 -f $i && mv -f $i.bz2 $i
>>> -       done
>>> -       cp base.pp
>>> ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
>>> -       for i in ${POLICY_MODULES_MIN}; do
>>> -               cp ${i}.pp
>>> ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename
>>> $i.pp`
>>> +       mkdir -p ${POL_STORE}
>>> +       mkdir -p ${POL_ACTIVE_MODS}
>>> +
>>> +       # get hll type from suffix on base policy module
>>> +       HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print
>>> $NF}}')
>>> +
>>> HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
>>> +
>>> +       for i in base ${POLICY_MODULES_MIN}; do
>>> +               MOD_FILE=${POL_SRC}/${i}.${HLL_TYPE}
>>> +               MOD_DIR=${POL_ACTIVE_MODS}/${i}
>>> +               mkdir -p ${MOD_DIR}
>>> +               echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
>>> +
>>> +               if ! bzip2 -t ${MOD_FILE} >/dev/null 2>&1; then
>>> +                       ${HLL_BIN} ${MOD_FILE} | bzip2 --stdout >
>>> ${MOD_DIR}/cil
>>> +                       bzip2 -f ${MOD_FILE} && mv -f ${MOD_FILE}.bz2
>>> ${MOD_FILE}
>>> +               else
>>> +                       bunzip2 --stdout ${MOD_FILE} | \
>>> +                               ${HLL_BIN} | \
>>> +                               bzip2 --stdout > ${MOD_DIR}/cil
>>> +               fi
>>> +               cp ${MOD_FILE} ${MOD_DIR}/hll
>>>         done
>>>   }
>>>
>>
>>
>>
> --
> _______________________________________________
> yocto mailing list
> yocto@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH][meta-selinux] refpolicy-minimum: port changes for prepare_policy_store
  2016-04-19 18:34     ` George McCollister
@ 2016-04-20  5:30       ` Philip Tricca
  0 siblings, 0 replies; 5+ messages in thread
From: Philip Tricca @ 2016-04-20  5:30 UTC (permalink / raw)
  To: George McCollister, wenzong fan; +Cc: yocto

On 04/19/2016 11:34 AM, George McCollister wrote:
> On Mon, Apr 18, 2016 at 2:34 AM, wenzong fan <wenzong.fan@windriver.com> wrote:
>> On 04/18/2016 05:02 AM, Philip Tricca wrote:
>>>
>>> Hello Wenzong,
>>>
>>> On 04/08/2016 01:19 AM, wenzong.fan@windriver.com wrote:
>>>>
>>>> From: Wenzong Fan <wenzong.fan@windriver.com>
>>>>
>>>> Apply the changes to refpolicy-minimum_2.20151208.bb:
>>>>
>>>>    commit bfaf278116e6c3a04bb82c9f8a4f8629a0a85df8
>>>>    Author: Wenzong Fan <wenzong.fan@windriver.com>
>>>>    Date:   Tue Oct 27 06:25:04 2015 -0400
>>>>
>>>>      refpolicy-minimum: update prepare_policy_store
>>>>
>>>>      * update prepare_policy_store() for supporting SELinux 2.4 & CIL,
>>>> the
>>>>        logic is from refpolicy_common.inc but with minimum set of policy
>>>>        modules;
>>>>
>>>>      * add extra policy modules that required by sysnetwork, without
>>>> those
>>>>        modules the install process will fail with error:
>>>>
>>>>          | Failed to resolve roletype statement at 62 of \
>>>>
>>>> .../image/var/lib/selinux/minimum/tmp/modules/100/sysnetwork/cil
>>>>          | Failed to resolve ast
>>>>          | semodule:  Failed!
>>>>
>>>>      Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
>>>>      Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
>>>>
>>>> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
>>>> ---
>>>
>>>
>>> This looks great but in testing it I'm unable to use the 'minimum'
>>> refpolicy recipe in any image. The recipe builds fine but the do_rootfs
>>> fails trying to label the filesystem. I haven't been able to find the
>>> root cause for this yet, but I'm seeing this behavior both before and
>>> after adding this patch so it may be a preexisting issue?
>>>
>>> Given all of that, I've merged this patch into master since it doesn't
>>> seem related to the issue I'm seeing. Still, some help in resolving the
>>> issue I'm seeing with the minimum refpolicy recipe would be appreciated.
>>
>>
>> Hi Philip,
>>
>> Thanks for getting the change merged.
>>
>> I did a test and see errors about:
>>
>>
>> /.../core-image-selinux/1.0-r0/rootfs//etc/selinux/mcs/contexts/files/file_contexts:
>> No such file or directory
>>
>> That should be the SELINUXTYPE in /etc/selinux/config is not correct, below
>> patches could fix it:
>>
>> --- a/recipes-security/refpolicy/refpolicy_common.inc
>> +++ b/recipes-security/refpolicy/refpolicy_common.inc
>> @@ -162,7 +162,8 @@ SELINUX=${DEFAULT_ENFORCING}
>>  #     mls - Multi Level Security protection.
>>  #     targeted - Targeted processes are protected.
>>  #     mcs - Multi Category Security protection.
>> -SELINUXTYPE=${POLICY_TYPE}
>> +#     minimum - Minimum Security protection.
>> +SELINUXTYPE=${POLICY_NAME}
>>
>> It works in my test, please feel free to integrate it if you think it makes
>> sense.
>>
> 
> With this change my refpolicy-targeted build completes again.

Problem solved. Thanks!

> Thanks,
> George
> 
>> Thanks
>> Wenzong
>>
>>
>>>
>>> Thanks,
>>> Philip
>>>
>>>>   .../refpolicy/refpolicy-minimum_2.20151208.bb      | 41
>>>> ++++++++++++++++------
>>>>   1 file changed, 30 insertions(+), 11 deletions(-)
>>>>
>>>> diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
>>>> b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
>>>> index b275821..47ed558 100644
>>>> --- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
>>>> +++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
>>>> @@ -26,23 +26,42 @@ EXTRA_POLICY_MODULES += "nscd"
>>>>   # "login", so "login" process will access to /var/spool/mail.
>>>>   EXTRA_POLICY_MODULES += "mta"
>>>>
>>>> +# sysnetwork requires type definitions (insmod_t, consoletype_t,
>>>> +# hostname_t, ping_t, netutils_t) from modules:
>>>> +EXTRA_POLICY_MODULES += "modutils consoletype hostname netutils"
>>>> +
>>>>   POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
>>>>
>>>>   # re-write the same func from refpolicy_common.inc
>>>>   prepare_policy_store () {
>>>>         oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
>>>> +       POL_PRIORITY=100
>>>> +       POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
>>>> +       POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
>>>> +       POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
>>>>
>>>>         # Prepare to create policy store
>>>> -       mkdir -p ${D}${sysconfdir}/selinux/
>>>> -       mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/policy
>>>> -       mkdir -p
>>>> ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules
>>>> -       mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files
>>>> -       touch
>>>> ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local
>>>> -       for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do
>>>> -               bzip2 -f $i && mv -f $i.bz2 $i
>>>> -       done
>>>> -       cp base.pp
>>>> ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
>>>> -       for i in ${POLICY_MODULES_MIN}; do
>>>> -               cp ${i}.pp
>>>> ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename
>>>> $i.pp`
>>>> +       mkdir -p ${POL_STORE}
>>>> +       mkdir -p ${POL_ACTIVE_MODS}
>>>> +
>>>> +       # get hll type from suffix on base policy module
>>>> +       HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print
>>>> $NF}}')
>>>> +
>>>> HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
>>>> +
>>>> +       for i in base ${POLICY_MODULES_MIN}; do
>>>> +               MOD_FILE=${POL_SRC}/${i}.${HLL_TYPE}
>>>> +               MOD_DIR=${POL_ACTIVE_MODS}/${i}
>>>> +               mkdir -p ${MOD_DIR}
>>>> +               echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
>>>> +
>>>> +               if ! bzip2 -t ${MOD_FILE} >/dev/null 2>&1; then
>>>> +                       ${HLL_BIN} ${MOD_FILE} | bzip2 --stdout >
>>>> ${MOD_DIR}/cil
>>>> +                       bzip2 -f ${MOD_FILE} && mv -f ${MOD_FILE}.bz2
>>>> ${MOD_FILE}
>>>> +               else
>>>> +                       bunzip2 --stdout ${MOD_FILE} | \
>>>> +                               ${HLL_BIN} | \
>>>> +                               bzip2 --stdout > ${MOD_DIR}/cil
>>>> +               fi
>>>> +               cp ${MOD_FILE} ${MOD_DIR}/hll
>>>>         done
>>>>   }
>>>>
>>>
>>>
>>>
>> --
>> _______________________________________________
>> yocto mailing list
>> yocto@yoctoproject.org
>> https://lists.yoctoproject.org/listinfo/yocto



^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2016-04-20  5:30 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-04-08  8:19 [PATCH][meta-selinux] refpolicy-minimum: port changes for prepare_policy_store wenzong.fan
2016-04-17 21:02 ` Philip Tricca
2016-04-18  7:34   ` wenzong fan
2016-04-19 18:34     ` George McCollister
2016-04-20  5:30       ` Philip Tricca

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.