On Mon, Apr 18, 2016 at 2:34 AM, wenzong fan <wenzong....@windriver.com> wrote: > On 04/18/2016 05:02 AM, Philip Tricca wrote: >> >> Hello Wenzong, >> >> On 04/08/2016 01:19 AM, wenzong....@windriver.com wrote: >>> >>> From: Wenzong Fan <wenzong....@windriver.com> >>> >>> Apply the changes to refpolicy-minimum_2.20151208.bb: >>> >>> commit bfaf278116e6c3a04bb82c9f8a4f8629a0a85df8 >>> Author: Wenzong Fan <wenzong....@windriver.com> >>> Date: Tue Oct 27 06:25:04 2015 -0400 >>> >>> refpolicy-minimum: update prepare_policy_store >>> >>> * update prepare_policy_store() for supporting SELinux 2.4 & CIL, >>> the >>> logic is from refpolicy_common.inc but with a minimum set of policy >>> modules; >>> >>> * add extra policy modules that are required by sysnetwork, without >>> those >>> modules the install process will fail with error: >>> >>> | Failed to resolve roletype statement at 62 of \ >>> >>> .../image/var/lib/selinux/minimum/tmp/modules/100/sysnetwork/cil >>> | Failed to resolve ast >>> | semodule: Failed! >>> >>> Signed-off-by: Wenzong Fan <wenzong....@windriver.com> >>> Signed-off-by: Joe MacDonald <joe_macdon...@mentor.com> 
>>> >>> Signed-off-by: Wenzong Fan <wenzong....@windriver.com> >>> --- >> >> >> This looks great but in testing it I'm unable to use the 'minimum' >> refpolicy recipe in any image. The recipe builds fine but the do_rootfs >> fails trying to label the filesystem. I haven't been able to find the >> root cause for this yet, but I'm seeing this behavior both before and >> after adding this patch so it may be a preexisting issue? >> >> Given all of that, I've merged this patch into master since it doesn't >> seem related to the issue I'm seeing. Still, some help in resolving the >> issue I'm seeing with the minimum refpolicy recipe would be appreciated. > > > Hi Philip, > > Thanks for getting the change merged. > > I did a test and see errors about: > > > /.../core-image-selinux/1.0-r0/rootfs//etc/selinux/mcs/contexts/files/file_contexts: > No such file or directory > > That should be because the SELINUXTYPE in /etc/selinux/config is not correct; the > patch below could fix it: > > --- a/recipes-security/refpolicy/refpolicy_common.inc > +++ b/recipes-security/refpolicy/refpolicy_common.inc > @@ -162,7 +162,8 @@ SELINUX=${DEFAULT_ENFORCING} > # mls - Multi Level Security protection. > # targeted - Targeted processes are protected. > # mcs - Multi Category Security protection. > -SELINUXTYPE=${POLICY_TYPE} > +# minimum - Minimum Security protection. > +SELINUXTYPE=${POLICY_NAME} > > It works in my test, please feel free to integrate it if you think it makes > sense. >
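Review bot: SELINUXTYPE has to match the directory name the recipes actually install into, and the refpolicy-minimum recipe below creates its store and contexts under ${sysconfdir}/selinux/${POLICY_NAME}/..., so switching the config line from ${POLICY_TYPE} to ${POLICY_NAME} is the right fix for the quoted /etc/selinux/mcs/contexts/files/file_contexts "No such file or directory" failure: with the old value setfiles was told to look under the policy type (mcs) while the files had been installed under the policy name. Two things worth confirming before this lands: that POLICY_NAME is guaranteed to be set wherever refpolicy_common.inc is included (an empty value would silently write `SELINUXTYPE=` and fail less obviously than the current mismatch), and that no other consumer still relies on POLICY_TYPE equalling the /etc/selinux/ subdirectory name. The added `# minimum - Minimum Security protection.` line matches the existing comment style.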
With this change my refpolicy-targeted build completes again. Thanks, George > Thanks > Wenzong > > >> >> Thanks, >> Philip >> >>> .../refpolicy/refpolicy-minimum_2.20151208.bb | 41 >>> ++++++++++++++++------ >>> 1 file changed, 30 insertions(+), 11 deletions(-) >>> >>> diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb >>> b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb >>> index b275821..47ed558 100644 >>> --- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb >>> +++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb 
>>> @@ -26,23 +26,42 @@ EXTRA_POLICY_MODULES += "nscd" >>> # "login", so "login" process will access to /var/spool/mail. >>> EXTRA_POLICY_MODULES += "mta" >>> >>> +# sysnetwork requires type definitions (insmod_t, consoletype_t, >>> +# hostname_t, ping_t, netutils_t) from modules: >>> +EXTRA_POLICY_MODULES += "modutils consoletype hostname netutils" >>> + >>> POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}" >>> >>> # re-write the same func from refpolicy_common.inc >>> prepare_policy_store () { >>> oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install >>> + POL_PRIORITY=100 >>> + POL_SRC=${D}${datadir}/selinux/${POLICY_NAME} >>> + POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME} >>> + POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY} >>> >>> # Prepare to create policy store >>> - mkdir -p ${D}${sysconfdir}/selinux/ >>> - mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/policy >>> - mkdir -p >>> ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules >>> - mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files >>> - touch >>> ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local >>> - for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do >>> - bzip2 -f $i && mv -f $i.bz2 $i >>> - done >>> - cp base.pp >>> ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp >>> - for i in ${POLICY_MODULES_MIN}; do >>> - cp ${i}.pp >>> ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename >>> $i.pp` >>> + mkdir -p ${POL_STORE} >>> + mkdir -p ${POL_ACTIVE_MODS} >>> + >>> + # get hll type from suffix on base policy module >>> + HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . 
'{if (NF>1) {print >>> $NF}}') >>> + >>> HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE} >>> + >>> + for i in base ${POLICY_MODULES_MIN}; do >>> + MOD_FILE=${POL_SRC}/${i}.${HLL_TYPE} >>> + MOD_DIR=${POL_ACTIVE_MODS}/${i} >>> + mkdir -p ${MOD_DIR} >>> + echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext >>> + >>> + if ! bzip2 -t ${MOD_FILE} >/dev/null 2>&1; then >>> + ${HLL_BIN} ${MOD_FILE} | bzip2 --stdout > >>> ${MOD_DIR}/cil >>> + bzip2 -f ${MOD_FILE} && mv -f ${MOD_FILE}.bz2 >>> ${MOD_FILE} >>> + else >>> + bunzip2 --stdout ${MOD_FILE} | \ >>> + ${HLL_BIN} | \ >>> + bzip2 --stdout > ${MOD_DIR}/cil >>> + fi >>> + cp ${MOD_FILE} ${MOD_DIR}/hll >>> done >>> } >>> >> >> >> > -- > _______________________________________________ > yocto mailing list > yocto@yoctoproject.org > https://lists.yoctoproject.org/listinfo/yocto
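Review bot: the HLL type detection in `HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')` has no failure path: if the glob matches nothing, echo prints the literal pattern and HLL_TYPE becomes `*`; if more than one base.* file is present (for example a stale base.pp.bz2 beside base.pp), awk prints the last dot-separated field of the whole line rather than the extension of base.pp. Either way HLL_BIN then points at a compiler that does not exist. A guard right after HLL_BIN is set, e.g. `[ -x "${HLL_BIN}" ] || bbfatal "no HLL compiler for '${HLL_TYPE}' in ${HLL_BIN}"`, would turn that into an immediate, readable build error. Related: in `${HLL_BIN} ${MOD_FILE} | bzip2 --stdout > ${MOD_DIR}/cil` (and the bunzip2 | ${HLL_BIN} | bzip2 pipeline in the else branch) the status the task sees is bzip2's, so a failing compiler leaves an empty or truncated cil file in the store and the task still succeeds; the problem only shows up later when semodule tries to load the store. Checking the compiler's status separately, or enabling pipefail if the task shell supports it, would catch this at the point of failure. The module set change itself (adding modutils, consoletype, hostname and netutils because sysnetwork references their types) matches the roletype resolution error quoted in the commit message.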