* [Buildroot] [PATCH v2 1/1] package/libsemanage: add option to manually define policy version
From: aduskett at gmail.com @ 2019-12-15 18:00 UTC (permalink / raw)
To: buildroot
From: Adam Duskett <Aduskett@gmail.com>
The semodule package derives the maximum SELinux policy version from
the libsemanage library.

By default, libsemanage returns the highest supported policy version that
libsepol supports found in include/sepol/policydb/policydb.h and not just from
the Kernel. However, if the maximum supported SELinux policy version supported
by the Kernel is lower than the maximum supported policy version from
libsemanage, and a user attempts to build a policy using the semodule program,
semodule fails when creating a policy with the error:
"policydb version X does not match my version range 15-X."

This default value may be overwritten by setting the policy-version = line in
/etc/semanage/semanage.conf.

Create an option that allows a user to overwrite the default policy version to
ensure that semodule works on older kernels.

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
---
Changes v1 -> v2:
- Set the default value of the policy version based off of the toolchain
header version (Thomas)
- Remove the BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION option (Thomas)
- Remove LIBSEMANAGE_MAX_POLICY_VERSION variable from libsemanage.mk (Thomas)
- Fix the post install hook for hosts. (Thomas)
package/libsemanage/Config.in | 25 +++++++++++++++++++++++++
package/libsemanage/libsemanage.mk | 24 ++++++++++++++++++++++++
2 files changed, 49 insertions(+)
diff --git a/package/libsemanage/Config.in b/package/libsemanage/Config.in
index 3c7050ee51..04fa046b0f 100644
--- a/package/libsemanage/Config.in
+++ b/package/libsemanage/Config.in
@@ -17,6 +17,31 @@ config BR2_PACKAGE_LIBSEMANAGE
http://selinuxproject.org/page/Main_Page
+if BR2_PACKAGE_LIBSEMANAGE
+
+config BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION
+ int "maximum policy version"
+ default 31 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_13
+ default 30 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_3
+ default 29 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_14
+ default 28 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_5
+ default 26 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_2_6
+ default 25
+ range 25 31
+ help
+ The maximum SELinux policy version your kernel supports.
+
+ Here's a handy table to help you choose:
+ kernel version SElinux policy max version
+ <= 2.6.x 25
+ > 2.6 <= 3.5 26
+ > 3.5 <= 3.14 28 (27 and 28 were added@the same time)
+ > 3.14 <= 4.3 29
+ > 4.3 <= 4.13 30
+ > 4.13 <= 5.5 31
+
+endif # BR2_PACKAGE_LIBSEMANAGE
+
comment "libsemanage needs a toolchain w/ threads, dynamic library"
depends on BR2_PACKAGE_AUDIT_ARCH_SUPPORTS
depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_STATIC_LIBS
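Review bot: the help table and the default chain disagree at the low end, and the table carries a typo. The table says kernels <= 2.6.x support at most policy version 25, yet `default 26 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_2_6` selects 26 for any 2.6 headers, so only toolchains with headers older than 2.6 ever reach `default 25`; either drop the 2_6 line or correct the table row. The row `> 3.5 <= 3.14 28 (27 and 28 were added@the same time)` should read "added at the same time". Also, the prompt and help describe "the maximum SELinux policy version your kernel supports", but every default is derived from the toolchain headers version, which can be older than the kernel the target actually boots; the help should say that the default follows the toolchain headers and that the user must lower or raise it to the running kernel's maximum when the two differ, since a value the kernel cannot load reproduces the "does not match my version range" failure the commit message describes.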
diff --git a/package/libsemanage/libsemanage.mk b/package/libsemanage/libsemanage.mk
index fd90346049..74e3a91c5e 100644
--- a/package/libsemanage/libsemanage.mk
+++ b/package/libsemanage/libsemanage.mk
@@ -13,6 +13,30 @@ LIBSEMANAGE_INSTALL_STAGING = YES
LIBSEMANAGE_MAKE_OPTS = $(TARGET_CONFIGURE_OPTS)
+# Semodule derives the maximum SELinux policy version from libsemanage.
+# By default, libsemanage returns the highest supported policy version that
+# libsepol supports found in include/sepol/policydb/policydb.h and not just
+# from the Kernel. However, if the maximum supported SELinux policy version
+# supported by the Kernel is lower than the maximum supported policy version
+# from libsemanage, if a user attempts to build a policy using the semodule
+# program, semodule fails when creating a policy with the error:
+# policydb version X does not match my version range 15-X.
+
+# This default value may be overwrriten by setting the policy-version = line in
+# /etc/semanage/semanage.conf.
+LIBSEMANAGE_MAX_POLICY_VERSION = $(BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION)
+
+define LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY_TARGET
+ $(SED) "/policy-version = /c\policy-version = $(LIBSEMANAGE_MAX_POLICY_VERSION)" \
+ $(TARGET_DIR)/etc/selinux/semanage.conf
+endef
+define LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY_HOST
+ $(SED) "/policy-version = /c\policy-version = $(LIBSEMANAGE_MAX_POLICY_VERSION)" \
+ $(HOST_DIR)/etc/selinux/semanage.conf
+endef
+LIBSEMANAGE_POST_INSTALL_TARGET_HOOKS += LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY_TARGET
+HOST_LIBSEMANAGE_POST_INSTALL_HOOKS += LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY_HOST
+
define LIBSEMANAGE_BUILD_CMDS
$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) $(LIBSEMANAGE_MAKE_OPTS) all
endef
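Review bot: the v2 changelog says LIBSEMANAGE_MAX_POLICY_VERSION was removed, but the hunk still defines it (`LIBSEMANAGE_MAX_POLICY_VERSION = $(BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION)`) and both hooks read it; either drop the changelog entry or use the BR2_ symbol directly in the two sed commands. Two further points: the option sits inside `if BR2_PACKAGE_LIBSEMANAGE` in Config.in, so when only host-libsemanage is built the symbol is unset and the host hook writes `policy-version = ` with an empty value into $(HOST_DIR)/etc/selinux/semanage.conf; guard the host hook on the option being set, or move the option out of the target-only block. And `/policy-version = /c\...` only acts on a line that matches; if the installed semanage.conf has no such line the option silently has no effect, so appending the line when the pattern does not match (or failing the build) would make the result deterministic. Finally, the comment block duplicates the commit message, including the `overwrriten` typo, is split by a stray blank line, and refers to /etc/semanage/semanage.conf while the sed edits $(TARGET_DIR)/etc/selinux/semanage.conf; make the comment name the path that is actually edited.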
--
2.23.0
* [Buildroot] [PATCH v2 1/1] package/libsemanage: add option to manually define policy version
From: Thomas Petazzoni @ 2019-12-23 21:05 UTC (permalink / raw)
To: buildroot
Hello Adam,
On Sun, 15 Dec 2019 10:00:03 -0800
aduskett at gmail.com wrote:
> From: Adam Duskett <Aduskett@gmail.com>
>
> The semodule package derives the maximum SELinux policy version from
> the libsemanage library.
>
> By default, libsemanage returns the highest supported policy version that
> libsepol supports found in include/sepol/policydb/policydb.h and not just from
> the Kernel. However, if the maximum supported SELinux policy version supported
> by the Kernel is lower than the maximum supported policy version from
> libsemanage, and a user attempts to build a policy using the semodule program,
> semodule fails when creating a policy with the error:
> "policydb version X does not match my version range 15-X."
>
> This default value may be overwritten by setting the policy-version = line in
> /etc/semanage/semanage.conf.
>
> Create an option that allows a user to overwrite the default policy version to
> ensure that semodule works on older kernels.
>
> Signed-off-by: Adam Duskett <Aduskett@gmail.com>
So, I had a more serious look into this. I have some implementation
details which I fixed up locally, but then had some second thoughts.

The thing that made me wonder is that you are adding an option for the
*target* version of libsemanage, but it also affects libsemanage on the
host. But what if you don't have libsemanage on the target? I think it
is not mandatory to have it on the target. In this case, how would you
select the policy version?
Ideally, the selection of the policy version should be chosen together
with the policy itself, or somewhere close to where the policy
compilation happens.
And it turns out we already have such an option that exists in Buildroot:

config BR2_PACKAGE_REFPOLICY_POLICY_VERSION
	string "Policy version"
	default "30"

Why don't we use this version?

It's used in refpolicy.mk to create the build.conf:

define REFPOLICY_CONFIGURE_CMDS
	$(SED) "/OUTPUT_POLICY/c\OUTPUT_POLICY = $(REFPOLICY_POLICY_VERSION)" \
		$(@D)/build.conf

How does this interact with libsemanage?

I nevertheless give my minor implementation details below.
> +define LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY_TARGET
> + $(SED) "/policy-version = /c\policy-version = $(LIBSEMANAGE_MAX_POLICY_VERSION)" \
> + $(TARGET_DIR)/etc/selinux/semanage.conf
This command can go directly in LIBSEMANAGE_INSTALL_TARGET_CMDS.
> +endef
> +define LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY_HOST
> + $(SED) "/policy-version = /c\policy-version = $(LIBSEMANAGE_MAX_POLICY_VERSION)" \
> + $(HOST_DIR)/etc/selinux/semanage.conf
This command can go directly in HOST_LIBSEMANAGE_INSTALL_CMDS. The name
of the hook was not very well chosen in any case, as we prefer to have
HOST_ as a prefix rather than a suffix.
Again, these are minor details that I had fixed locally. It's really
the more fundamental questions above that make me wonder what is the
right solution.
Thanks!
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
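The two knobs compared in this thread, `policy-version =` in semanage.conf and `OUTPUT_POLICY` in refpolicy's build.conf, only help when they agree with what the running kernel can load. The POSIX sh helper below is an added example and is not code from the Buildroot patch or from either message: it rewrites the `policy-version =` line the way the patch's sed does, but also copes with a commented-out or missing line, and it checks the configured value against the kernel's maximum, which Linux reports in /sys/fs/selinux/policyvers. The function names and DEMO_* variables are my own, and the sample semanage.conf contents and the stand-in policyvers file are constructed for the demonstration, not copied from upstream.

```shell
#!/bin/sh
# Added example (not from the Buildroot patch or the thread): helpers to keep
# semanage.conf's "policy-version =" in step with the kernel's maximum.

# set_policy_version CONF VERSION
# Replace an existing "policy-version =" line (commented out or not) with the
# requested value, or append one when the file has none.  The patch's
# "/policy-version = /c\..." sed silently does nothing when no line matches.
set_policy_version() {
    conf=$1
    ver=$2
    tmp="$conf.tmp"
    if grep -q '^[[:space:]]*#*[[:space:]]*policy-version[[:space:]]*=' "$conf"; then
        sed "s/^[[:space:]]*#*[[:space:]]*policy-version[[:space:]]*=.*/policy-version = $ver/" \
            "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        printf 'policy-version = %s\n' "$ver" >> "$conf"
    fi
}

# get_policy_version CONF
# Print the active (uncommented) policy-version value, or nothing if unset.
get_policy_version() {
    sed -n 's/^[[:space:]]*policy-version[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" \
        | tail -n 1
}

# check_policy_version CONF POLICYVERS_FILE
# Compare the configured version with the kernel maximum read from
# POLICYVERS_FILE (normally /sys/fs/selinux/policyvers).
# Returns 0 when the configured version is loadable, 1 when it exceeds the
# kernel maximum (the "does not match my version range" failure), and 2 when
# semanage.conf sets no version at all (libsemanage then uses libsepol's max).
check_policy_version() {
    conf=$1
    policyvers=$2
    want=$(get_policy_version "$conf")
    have=$(cat "$policyvers")
    if [ -z "$want" ]; then
        echo "no policy-version in $conf; libsemanage will use libsepol's maximum" >&2
        return 2
    fi
    if [ "$want" -gt "$have" ]; then
        echo "policy-version $want exceeds kernel maximum $have" >&2
        return 1
    fi
    echo "policy-version $want is within kernel maximum $have"
    return 0
}

# Constructed sample inputs (not real Buildroot or upstream files): a
# semanage.conf whose policy-version line is commented out, and a stand-in
# for /sys/fs/selinux/policyvers describing a kernel that stops at version 30.
DEMO_DIR=$(mktemp -d)
DEMO_CONF="$DEMO_DIR/semanage.conf"
DEMO_POLICYVERS="$DEMO_DIR/policyvers"
printf 'module-store = direct\n#policy-version = 19\n' > "$DEMO_CONF"
printf '30\n' > "$DEMO_POLICYVERS"

# Stand-alone run: select 30 (matches the sample kernel) and verify it.
set_policy_version "$DEMO_CONF" 30
check_policy_version "$DEMO_CONF" "$DEMO_POLICYVERS"
```

On a real target, point the second argument of check_policy_version at /sys/fs/selinux/policyvers; a non-zero return at boot or in a post-image test is the early warning that the image's policy version and the kernel have drifted apart, which is the mismatch the patch is trying to avoid.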