* Re: Tuna policy files
       [not found] ` <1337185286.10285.94.camel@moss-pluto>
@ 2012-05-18 12:54   ` Stephen Smalley
  2012-05-19  5:08     ` Bryan Hinton
  0 siblings, 1 reply; 3+ messages in thread
From: Stephen Smalley @ 2012-05-18 12:54 UTC (permalink / raw)
  To: William Roberts; +Cc: selinux

On Wed, 2012-05-16 at 12:21 -0400, Stephen Smalley wrote:
> On Tue, 2012-05-15 at 09:48 -0700, William Roberts wrote:
> > Should the files in device/samsung/tuna be in maguro and toro
> > directories? I ask this because when I build maguro, I am still not
> > seeing factory getting labeled correctly. 
> > 
> > 
> > In external/sepolicy we have the below line...
> > LOCAL_POLICY_DIRS := $(SRC_TARGET_DIR)/board/$(TARGET_DEVICE)/
> > device/*/$(TARGET_DEVICE)/ vendor/*/$(TARGET_DEVICE)/
> > 
> > 
> > Tuna is never really built, maguro and toro inherit their product
> > makefiles from tuna, so I think we need to move these files and update
> > the external/sepolicy so there is no conflict on labeling factory.
> > 
> > 
> > Can someone confirm my sanity?
> 
> I think you are correct.  We wouldn't have caught it because we don't
> have Galaxy Nexus ourselves on which to test.  So our changes to
> BoardConfig.mk, device.mk, and init.tuna.rc are correctly under
> device/samsung/tuna, but the sepolicy.* files need to be copied to both
> device/samsung/maguro and device/samsung/toro?  Or possibly we could
> create sepolicy.te files that merely include the tuna/ ones, e.g.
> $ cat sepolicy.te
> include(`device/samsung/tuna/sepolicy.te')
> 
> To support that for .fc files, we'd need to apply m4 there as well in
> the sepolicy Android.mk file.

(cc selinux list)

I have set up git projects for toro and maguro on selinuxproject.org,
updated the local_manifest.xml files (for master and 4.0.4) to include
these projects, added trivial sepolicy.{te,fc} files that include the
tuna files, and modified the sepolicy Android.mk file to apply m4 for
the .fc files in addition to .te files so that they can use includes.

To update, you'll want to grab the updated local_manifest.xml file and
run repo sync -j1 again.  If you have locally created the
sepolicy.{te,fc} files, you may need to move them aside.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Tuna policy files
  2012-05-18 12:54   ` Tuna policy files Stephen Smalley
@ 2012-05-19  5:08     ` Bryan Hinton
  2012-05-21 14:20       ` Stephen Smalley
  0 siblings, 1 reply; 3+ messages in thread
From: Bryan Hinton @ 2012-05-19  5:08 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: William Roberts, selinux

It seems that for the VZW Galaxy Nexus, sepolicy.fc and sepolicy.te
files should reside in device/samsung/toro.
ueventd.tuna.rc contains the names of the LTE RIL device nodes.
I have these device nodes labeled in device/samsung/toro/sepolicy.fc
for the Galaxy Nexus.

For GSM/HSPA+ Galaxy Nexus, the relevant device nodes are also listed
in ueventd.tuna.rc.
It appears that they were never separated out. But given that there
are other model-specific device nodes
that have to be labeled correctly in their respective directories, it
seems logical to separate things.
For example,  device/samsung/crespo/sepolicy.fc would contain a label
for /dev/pn544 while
device/samsung/toro would contain a label for /dev/ttyO3.

Lastly, regarding the proper labeling of factory, are you using the
init.tuna.rc patch that I added on Mar 6?


Bryan Hinton



On Fri, May 18, 2012 at 5:54 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Wed, 2012-05-16 at 12:21 -0400, Stephen Smalley wrote:
>> On Tue, 2012-05-15 at 09:48 -0700, William Roberts wrote:
>> > Should the files in device/samsung/tuna be in maguro and toro
>> > directories? I ask this because when I build maguro, I am still not
>> > seeing factory getting labeled correctly.
>> >
>> >
>> > In external/sepolicy we have the below line...
>> > LOCAL_POLICY_DIRS := $(SRC_TARGET_DIR)/board/$(TARGET_DEVICE)/
>> > device/*/$(TARGET_DEVICE)/ vendor/*/$(TARGET_DEVICE)/
>> >
>> >
>> > Tuna is never really built, maguro and toro inherit their product
>> > makefiles from tuna, so I think we need to move these files and update
>> > the external/sepolicy so there is no conflict on labeling factory.
>> >
>> >
>> > Can someone confirm my sanity?
>>
>> I think you are correct.  We wouldn't have caught it because we don't
>> have Galaxy Nexus ourselves on which to test.  So our changes to
>> BoardConfig.mk, device.mk, and init.tuna.rc are correctly under
>> device/samsung/tuna, but the sepolicy.* files need to be copied to both
>> device/samsung/maguro and device/samsung/toro?  Or possibly we could
>> create sepolicy.te files that merely include the tuna/ ones, e.g.
>> $ cat sepolicy.te
>> include(`device/samsung/tuna/sepolicy.te')
>>
>> To support that for .fc files, we'd need to apply m4 there as well in
>> the sepolicy Android.mk file.
>
> (cc selinux list)
>
> I have set up git projects for toro and maguro on selinuxproject.org,
> updated the local_manifest.xml files (for master and 4.0.4) to include
> these projects, added trivial sepolicy.{te,fc} files that include the
> tuna files, and modified the sepolicy Android.mk file to apply m4 for
> the .fc files in addition to .te files so that they can use includes.
>
> To update, you'll want to grab the updated local_manifest.xml file and
> run repo sync -j1 again.  If you have locally created the
> sepolicy.{te,fc} files, you may need to move them aside.
>
> --
> Stephen Smalley
> National Security Agency



* Re: Tuna policy files
  2012-05-19  5:08     ` Bryan Hinton
@ 2012-05-21 14:20       ` Stephen Smalley
  0 siblings, 0 replies; 3+ messages in thread
From: Stephen Smalley @ 2012-05-21 14:20 UTC (permalink / raw)
  To: Bryan Hinton; +Cc: William Roberts, selinux

On Fri, 2012-05-18 at 22:08 -0700, Bryan Hinton wrote:
> It seems that for the VZW Galaxy Nexus, sepolicy.fc and sepolicy.te
> files should reside in device/samsung/toro.
> ueventd.tuna.rc contains the names of the LTE RIL device nodes.
> I have these device nodes labeled in device/samsung/toro/sepolicy.fc
> for the Galaxy Nexus.
> 
> For GSM/HSPA+ Galaxy Nexus, the relevant device nodes are also listed
> in ueventd.tuna.rc.
> It appears that they were never separated out. But given that there
> are other model-specific device nodes
> that have to be labeled correctly in their respective directories, it
> seems logical to separate things.
> For example,  device/samsung/crespo/sepolicy.fc would contain a label
> for /dev/pn544 while
> device/samsung/toro would contain a label for /dev/ttyO3.

What we have done presently is created trivial sepolicy.{te,fc} files
under toro and maguro that simply contain a single include line to
inherit the tuna definitions, e.g.
include(`device/samsung/tuna/sepolicy.te')

This is similar to how they handle BoardConfig.mk and device.mk, which
likewise include the tuna files.

This required a small change to sepolicy/Android.mk to apply m4 as a
preprocessor for .fc files (was already being applied for .te files) so
that we can support includes in both kinds of files.

You could still add device-specific lines after the include directive
for entries that are truly unique to toro or maguro, but this avoids
duplicating the entries that they have in common in both directories.

> Lastly, regarding the proper labeling of factory, are you using the
> init.tuna.rc patch that I added on Mar 6?


-- 
Stephen Smalley
National Security Agency


