On 9/18/17 2:48 AM, wenzong fan wrote:
>
> On 09/14/2017 09:33 PM, Mark Hatle wrote:
>> On 9/14/17 5:31 AM, wenzong fan wrote:
>>>
>>> On 09/14/2017 08:07 AM, Mark Hatle wrote:
>>>> On 9/12/17 9:19 PM, Mark Hatle wrote:
>>>>> On 9/12/17 9:06 PM, wenzong fan wrote:
>>>>>> On 09/12/2017 06:59 PM, Chanho Park wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I can't apply this patch on top of the master branch. Which revision did
>>>>>>> you make the patches against?
>>>>>>
>>>>>> Oops, that's my fault. I did a "sed -i -e 's/Subject: [/Subject:
>>>>>> [meta-selinux][/g' 00*" to add a prefix to the mail subjects, and that also
>>>>>> changed the removed patch files in libsemanage.
>>>>>>
>>>>>> I'll send v2.
>>>>>>
>>>>>> Thanks
>>>>>> Wenzong
>>>>>
>>>>> I don't see the original set of patches in my archives. When you rebase,
>>>>> please rebase on top of mgh/master-next.
>>>>
>>>> My mailer finally loaded the original set. I saw the same problems, but
>>>> was able to get them merged.
>>>>
>>>> I have updated 'mgh/master-next'. Please verify the contents include all
>>>> of your changes.
>>>
>>> All my changes are there now.
>>>
>>>> I tried to build a system and boot it, but it didn't work. I'm guessing I
>>>> forgot something simple, but I can't make master-next into master without
>>>> knowing I can boot. Any clue would be useful. Thanks!
>>>>
>>>> My configuration is:
>>>>
>>>> bblayers.conf:
>>>>
>>>> oe-core (master) & meta-selinux (mgh/master-next)
>>>>
>>>> local.conf:
>>>>
>>>> IMAGE_FEATURES_append = " debug-tweaks ssh-server-openssh"
>>>>
>>>> DISTRO_FEATURES_append = " opengl x11 wayland acl xattr pam selinux"
>>>>
>>>> PREFERRED_PROVIDER_virtual/refpolicy = "refpolicy-mls"
>>>> PREFERRED_VERSION_refpolicy-mls = "2.20170204"
>>>
>>> The above configs are OK; you can simply use:
>>>
>>> DISTRO = "poky-selinux"
>>> PREFERRED_VERSION_refpolicy-mls ?= "2.20170204"
>>
>> The DISTRO settings in meta-selinux are being removed (they are no longer in
>> the master-next branch). Instead the user will be required to set the
>> DISTRO_FEATURE 'selinux' to enable the components. (It is expected they will
>> also enable acl/xattr and pam.)
>>
>>>> I ran QEMU using:
>>>>
>>>> runqemu qemux86 core-image-selinux ext4 nographic
>>>>
>>>
>>> Please run QEMU with:
>>>
>>> $ runqemu qemux86 core-image-selinux ext4 nographic
>>> bootparams="selinux=1 enforcing=0"
>>
>>>> Trying to log in I get:
>>>>
>>>> qemux86 login: root
>>>> [ 23.960609] kauditd_printk_skb: 13 callbacks suppressed
>>>> Cannot execute /bin/sh: Permission denied
>>>> [ 23.973922] audit: type=1400 audit(1505347190.805:29): avc: denied {
>>>> execute } for pid=671 comm="login" name="bash.bash" dev="vda" ino=8163
>>>> scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
>>>> tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
>>>> [ 23.975463] audit: type=1400 audit(1505347190.813:30): avc: denied {
>>>> execute } for pid=671 comm="login" name="bash.bash" dev="vda" ino=8163
>>>> scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
>>>> tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
>>>>
>>>
>>> This should be blocked by refpolicy-mls; please boot with "selinux=1
>>> enforcing=0" to verify if the SELinux tools work. For example:
>>
>> I would like to update the README file for the layer on how the user can
>> actually make a bootable system. If this involves adding a user, that is fine.
>> But at present there is no way to log in w/o turning off enforcing. That seems
>> to defeat the purpose of enabling selinux in a design.
>
> This is really an issue, I'll fix it.

The root login issue was fixed in a commit. The above was due to 'bash.bash'
not having an appropriate context specified in the refpolicies. I also added
to the README file. If you have any additional suggestions or changes, please
let me know.

--Mark

> Thanks
> Wenzong
>
>> So any help you can give me for the documentation would be appreciated.
>>
>>> $ sestatus
>>
>> root@qemux86:~# sestatus
>> SELinux status:                 enabled
>> SELinuxfs mount:                /sys/fs/selinux
>> SELinux root directory:         /etc/selinux
>> Loaded policy name:             mls
>> Current mode:                   permissive
>> Mode from config file:          enforcing
>> Policy MLS status:              enabled
>> Policy deny_unknown status:     allowed
>> Memory protection checking:     requested (insecure)
>> Max kernel policy version:      30
>>
>>> OR:
>>> $ semanage login -l
>>
>> root@qemux86:~# semanage login -l
>>
>> Login Name           SELinux User         MLS/MCS Range        Service
>>
>> __default__          user_u               s0-s0                *
>> root                 root                 s0-s15:c0.c1023      *
>>
>> (I followed the information below and enabled the python components.)
>>
>>> Actually this doesn't work due to runtime dependencies; I commented this
>>> out in setools_4.1.1.bb:
>>>
>>> # TODO: depends on meta-python, disable the RDEPENDS for now:
>>> # RDEPENDS_${PN} += "python-networkx python-enum34 python-decorator python-setuptools"
>>>
>>> For the community, we need to discuss whether we can make meta-selinux
>>> depend on meta-python by default, or just get users to do that?
>>
>> Yes, we can add a requirement for meta-python. I just need to clearly
>> document in the commit message why it is there.
>>
>> I will work to update the mgh/master-next with the meta-python items and
>> some of the information above...
>>
>> --Mark
>>
>>> Thanks
>>> Wenzong
>>>
>>>>> --Mark
>>
>> --
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
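To make sense of denials like the ones quoted in the thread once the image is booted with enforcing=0 as Wenzong suggests, here is an added Python example (not code from the thread or from meta-selinux) that parses AVC lines and groups them by source type, target type, class and permission, marking which ones the kernel actually blocked. The first three sample lines are copied from the thread; the fourth is constructed to show a permissive-mode entry.

```python
import re

# AVC denial as printed by the kernel audit subsystem:
# "avc: denied { perms } for key=value key=value ...".
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:range]; policy rules key on the type.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    # permissive=0: the kernel refused the access; permissive=1 (boot with
    # enforcing=0): the access went through and was only logged.
    rec["enforced"] = rec.get("permissive") == "0"
    return rec

def triage(lines):
    """Group denials by (source type, target type, class, perms) into
    (count, blocked); identical repeats collapse into one row."""
    summary = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or "scontext_type" not in rec:
            continue
        key = (rec["scontext_type"], rec["tcontext_type"], rec["tclass"],
               " ".join(rec["perms"]))
        count, blocked = summary.get(key, (0, False))
        summary[key] = (count + 1, blocked or rec["enforced"])
    return summary

# Constructed sample log: the lines quoted in the thread plus one made-up
# entry (permissive=1) as it would look after booting with enforcing=0.
SAMPLE = [
    '[ 23.960609] kauditd_printk_skb: 13 callbacks suppressed',
    '[ 23.973922] audit: type=1400 audit(1505347190.805:29): avc: denied { execute } for pid=671 comm="login" name="bash.bash" dev="vda" ino=8163 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0',
    '[ 23.975463] audit: type=1400 audit(1505347190.813:30): avc: denied { execute } for pid=671 comm="login" name="bash.bash" dev="vda" ino=8163 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0',
    '[ 24.100000] audit: type=1400 audit(1505347191.000:31): avc: denied { read } for pid=680 comm="bash" name="profile" dev="vda" ino=4000 scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1',
]

if __name__ == "__main__":
    for (src, tgt, cls, perms), (n, blocked) in triage(SAMPLE).items():
        print(f"{n}x {src} -> {tgt} {cls} {{ {perms} }}", "BLOCKED" if blocked else "logged only")
```

A row such as local_login_t -> bin_t file { execute } that is BLOCKED is the signature of the labeling problem discussed above: the shell binary carries a generic type, so the login domain has no rule allowing it to be executed.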