* [meta-selinux][PATCH 0/3] refpolicy virtual package
From: Philip Tricca @ 2016-04-04  0:21 UTC
  To: mark.hatle, Joe_MacDonald, yocto

We currently require each image to depend on the policy (or multiple
policies) that they want installed and the selinux-config package
enables the DEFAULT_POLICY. Since only one policy can be in effect at a
time, and we're targeting "embedded" systems it makes sense (to me at
least) that we would treat the policy much like we do the kernel and use
a virtual provider.

Feedback would be much appreciated,
Philip

Philip Tricca (3):
  refpolicy: Setup virtual/refpolicy provider.
  Integrate selinux-config into refpolicy_common.
  refpolicy_common: Sanity test DEFAULT_ENFORCING value and set default.

 conf/distro/oe-selinux.conf                        |  1 +
 .../packagegroups/packagegroup-core-selinux.bb     |  4 +-
 .../packagegroups/packagegroup-selinux-minimal.bb  |  3 +-
 recipes-security/refpolicy/refpolicy_common.inc    | 43 +++++++++++++++++++++-
 recipes-security/selinux/selinux-config_0.1.bb     | 41 ---------------------
 5 files changed, 44 insertions(+), 48 deletions(-)
 delete mode 100644 recipes-security/selinux/selinux-config_0.1.bb

-- 
2.1.4




* [meta-selinux][PATCH 1/3] refpolicy: Setup virtual/refpolicy provider.
From: Philip Tricca @ 2016-04-04  0:21 UTC
  To: mark.hatle, Joe_MacDonald, yocto

This allows us to provide a default policy through the
PREFERRED_PROVIDER mechanism for each of the example distro configs.
Consumers of meta-selinux will be able to override this at the config
level instead of having to depend on a specific policy package. We do
lose the ability to install more than one policy package, but this falls
in line with the embedded nature of the project.

Signed-off-by: Philip Tricca <flihp@twobit.us>
---
 conf/distro/oe-selinux.conf                                    | 1 +
 recipes-security/packagegroups/packagegroup-core-selinux.bb    | 3 +--
 recipes-security/packagegroups/packagegroup-selinux-minimal.bb | 2 +-
 recipes-security/refpolicy/refpolicy_common.inc                | 3 +++
 recipes-security/selinux/selinux-config_0.1.bb                 | 3 +--
 5 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/conf/distro/oe-selinux.conf b/conf/distro/oe-selinux.conf
index 6e55a32..0011d45 100644
--- a/conf/distro/oe-selinux.conf
+++ b/conf/distro/oe-selinux.conf
@@ -2,3 +2,4 @@ DISTRO = "oe-selinux"
 DISTROOVERRIDES .= ":selinux"
 
 DISTRO_FEATURES_append = " acl xattr pam selinux"
+PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-mls"
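Review bot: the `?=` default on the new `PREFERRED_PROVIDER_virtual/refpolicy` line only reaches distros that include conf/distro/oe-selinux.conf, while the packagegroups changed in this same patch depend on `virtual/refpolicy` unconditionally, so a consumer distro that builds those packagegroups without this file has to set the variable itself; a comment on this line should say the setting is required and that the value must be a `refpolicy-<type>` recipe name, because selinux-config derives SELINUXTYPE by stripping that prefix. The commit message should also state that images built from packagegroup-core-selinux previously received both refpolicy-standard and refpolicy-mls and now receive only the preferred provider.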
diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb b/recipes-security/packagegroups/packagegroup-core-selinux.bb
index a2480a3..62c5a76 100644
--- a/recipes-security/packagegroups/packagegroup-core-selinux.bb
+++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb
@@ -26,7 +26,6 @@ RDEPENDS_${PN} = " \
 	selinux-autorelabel \
 	selinux-init \
 	selinux-labeldev \
-	refpolicy-standard \
-	refpolicy-mls \
+	virtual/refpolicy \
 	coreutils \
 	"
diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
index 34c5f7c..87ae686 100644
--- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
+++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
@@ -23,5 +23,5 @@ RDEPENDS_${PN} = "\
 	policycoreutils-setfiles \
 	selinux-config \
 	selinux-labeldev \
-	refpolicy-mls \
+	virtual/refpolicy \
 "
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 67d0426..ba887e4 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -3,6 +3,9 @@ LICENSE = "GPLv2"
 
 LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
 
+PROVIDES += "virtual/refpolicy"
+RPROVIDES_${PN} += "virtual/refpolicy"
+
 # Specific config files for Poky
 SRC_URI += "file://customizable_types \
             file://setrans-mls.conf \
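Review bot: pairing `PROVIDES += "virtual/refpolicy"` with `RPROVIDES_${PN} += "virtual/refpolicy"` is the right shape, since the packagegroups consume the name at runtime through RDEPENDS while PREFERRED_PROVIDER_virtual/refpolicy expresses a build-time preference, but a one-line comment above the pair explaining why both are needed would stop a later cleanup from dropping one. Note also that every recipe including refpolicy_common.inc now claims the same virtual name, so after this hunk the distro preference is the only thing that distinguishes the refpolicy-* recipes from each other.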
diff --git a/recipes-security/selinux/selinux-config_0.1.bb b/recipes-security/selinux/selinux-config_0.1.bb
index 37fe4b7..e902e98 100644
--- a/recipes-security/selinux/selinux-config_0.1.bb
+++ b/recipes-security/selinux/selinux-config_0.1.bb
@@ -1,4 +1,3 @@
-DEFAULT_POLICY ??= "mls"
 DEFAULT_ENFORCING ??= "enforcing"
 
 SUMMARY = "SELinux configuration"
@@ -30,7 +29,7 @@ SELINUX=${DEFAULT_ENFORCING}
 #     mls - Multi Level Security protection.
 #     targeted - Targeted processes are protected.
 #     mcs - Multi Category Security protection.
-SELINUXTYPE=${DEFAULT_POLICY}
+SELINUXTYPE=${@d.getVar("PREFERRED_PROVIDER_virtual/refpolicy", False)[len("refpolicy-"):]}
 " > ${WORKDIR}/config
 	install -d ${D}/${sysconfdir}/selinux
 	install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
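Review bot: the inline Python on the `SELINUXTYPE=` line slices `d.getVar("PREFERRED_PROVIDER_virtual/refpolicy", False)` without checking for None, so a distro that has not set the preference fails do_install with a TypeError from `[len("refpolicy-"):]` rather than a message naming the missing variable, and any provider recipe not named `refpolicy-<type>` silently yields a wrong SELINUXTYPE. Have the policy recipe export its type explicitly (a variable set alongside POLICY_NAME) and read that here, or at least guard with `bb.fatal` when the variable is unset or lacks the prefix; since SELINUXTYPE selects which policy is loaded at boot, a wrong value here leaves the system unable to load the intended policy.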
-- 
2.1.4




* [meta-selinux][PATCH 2/3] Integrate selinux-config into refpolicy_common.
From: Philip Tricca @ 2016-04-04  0:21 UTC
  To: mark.hatle, Joe_MacDonald, yocto

With the virtual package there's no need for a separate recipe to build
the config. This can be generated and included as part of the policy
package.

Signed-off-by: Philip Tricca <flihp@twobit.us>
---
 .../packagegroups/packagegroup-core-selinux.bb     |  1 -
 .../packagegroups/packagegroup-selinux-minimal.bb  |  1 -
 recipes-security/refpolicy/refpolicy_common.inc    | 30 ++++++++++++++--
 recipes-security/selinux/selinux-config_0.1.bb     | 40 ----------------------
 4 files changed, 28 insertions(+), 44 deletions(-)
 delete mode 100644 recipes-security/selinux/selinux-config_0.1.bb

diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb b/recipes-security/packagegroups/packagegroup-core-selinux.bb
index 62c5a76..c6d22b7 100644
--- a/recipes-security/packagegroups/packagegroup-core-selinux.bb
+++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb
@@ -22,7 +22,6 @@ RDEPENDS_${PN} = " \
 	packagegroup-selinux-policycoreutils \
 	setools \
 	setools-console \
-	selinux-config \
 	selinux-autorelabel \
 	selinux-init \
 	selinux-labeldev \
diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
index 87ae686..451ae8b 100644
--- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
+++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
@@ -21,7 +21,6 @@ RDEPENDS_${PN} = "\
 	policycoreutils-semodule \
 	policycoreutils-sestatus \
 	policycoreutils-setfiles \
-	selinux-config \
 	selinux-labeldev \
 	virtual/refpolicy \
 "
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index ba887e4..305675f 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -1,3 +1,5 @@
+DEFAULT_ENFORCING ??= "enforcing"
+
 SECTION = "base"
 LICENSE = "GPLv2"
 
@@ -14,7 +16,8 @@ SRC_URI += "file://customizable_types \
 
 S = "${WORKDIR}/refpolicy"
 
-FILES_${PN} = " \
+CONFFILES_${PN} += "${sysconfdir}/selinux/config"
+FILES_${PN} += " \
 	${sysconfdir}/selinux/${POLICY_NAME}/ \
 	${datadir}/selinux/${POLICY_NAME}/*.pp \
 	${localstatedir}/lib/selinux/${POLICY_NAME}/ \
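Review bot: changing `FILES_${PN} = ` to `FILES_${PN} += ` is what lets the new `${sysconfdir}/selinux/config` land in the policy package (the default FILES_${PN} already covers ${sysconfdir}), but it also means everything else under ${D} that the default globs match is now packaged into ${PN}, where before only the listed paths were. That is a wider change than the commit message describes; either say so, or keep `=` and list `${sysconfdir}/selinux/config` explicitly next to the new CONFFILES_${PN} line so the package contents stay deliberate.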
@@ -25,7 +28,6 @@ FILES_${PN}-dev =+ " \
 "
 
 DEPENDS += "checkpolicy-native policycoreutils-native m4-native"
-RDEPENDS_${PN} += "selinux-config"
 
 PACKAGE_ARCH = "${MACHINE_ARCH}"
 
@@ -137,13 +139,37 @@ install_misc_files () {
 	oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install-headers
 }
 
+install_config () {
+	echo "\
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+#     enforcing - SELinux security policy is enforced.
+#     permissive - SELinux prints warnings instead of enforcing.
+#     disabled - No SELinux policy is loaded.
+SELINUX=${DEFAULT_ENFORCING}
+# SELINUXTYPE= can take one of these values:
+#     standard - Standard Security protection.
+#     mls - Multi Level Security protection.
+#     targeted - Targeted processes are protected.
+#     mcs - Multi Category Security protection.
+SELINUXTYPE=${POLICY_TYPE}
+" > ${WORKDIR}/config
+	install -d ${D}/${sysconfdir}/selinux
+	install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
+}
+
 do_install () {
 	prepare_policy_store
 	rebuild_policy
 	install_misc_files
+	install_config
 }
 
 do_install_append(){
 	# While building policies on target, Makefile will be searched from SELINUX_DEVEL_PATH
 	echo "SELINUX_DEVEL_PATH=${datadir}/selinux/${POLICY_NAME}/include" > ${D}${sysconfdir}/selinux/sepolgen.conf
 }
+
+sysroot_stage_all_append () {
+	sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
+}
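Review bot: `sysroot_stage_all_append` stages the whole of `${D}${sysconfdir}`, so every recipe that includes this .inc puts the same `${sysconfdir}/selinux/config` and `${sysconfdir}/selinux/sepolgen.conf` into the shared sysroot, and building two providers (the `bitbake refpolicy-minimum && bitbake refpolicy-mls` case reported later in this thread) collides in do_populate_sysroot. If nothing at build time reads these files from the sysroot, drop the staging; if something does, stage only that file and make its path provider-specific. Separately, `SELINUXTYPE=${POLICY_TYPE}` relies on a variable this hunk does not define, so each refpolicy_*.bb must set POLICY_TYPE or the generated file carries an empty SELINUXTYPE; a `??=` default or a check in the .inc would catch that. Minor: `${D}/${sysconfdir}` yields a doubled slash because ${sysconfdir} is absolute; `${D}${sysconfdir}`, as in do_install_append, is the usual form.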
diff --git a/recipes-security/selinux/selinux-config_0.1.bb b/recipes-security/selinux/selinux-config_0.1.bb
deleted file mode 100644
index e902e98..0000000
--- a/recipes-security/selinux/selinux-config_0.1.bb
+++ /dev/null
@@ -1,40 +0,0 @@
-DEFAULT_ENFORCING ??= "enforcing"
-
-SUMMARY = "SELinux configuration"
-DESCRIPTION = "\
-SELinux configuration files for Yocto. \
-"
-
-SECTION = "base"
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-PR = "r4"
-
-S = "${WORKDIR}"
-
-CONFFILES_${PN} += "${sysconfdir}/selinux/config"
-
-PACKAGE_ARCH = "${MACHINE_ARCH}"
-
-do_install () {
-	echo "\
-# This file controls the state of SELinux on the system.
-# SELINUX= can take one of these three values:
-#     enforcing - SELinux security policy is enforced.
-#     permissive - SELinux prints warnings instead of enforcing.
-#     disabled - No SELinux policy is loaded.
-SELINUX=${DEFAULT_ENFORCING}
-# SELINUXTYPE= can take one of these values:
-#     standard - Standard Security protection.
-#     mls - Multi Level Security protection.
-#     targeted - Targeted processes are protected.
-#     mcs - Multi Category Security protection.
-SELINUXTYPE=${@d.getVar("PREFERRED_PROVIDER_virtual/refpolicy", False)[len("refpolicy-"):]}
-" > ${WORKDIR}/config
-	install -d ${D}/${sysconfdir}/selinux
-	install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
-}
-
-sysroot_stage_all_append () {
-	sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
-}
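Review bot: deleting selinux-config_0.1.bb removes the `selinux-config` package outright, so any image or IMAGE_INSTALL list that still names it no longer resolves, and installed systems have no upgrade path because nothing declares itself as replacing that package. Add `RPROVIDES_${PN} += "selinux-config"` together with `RREPLACES_${PN} += "selinux-config"` and `RCONFLICTS_${PN} += "selinux-config"` in refpolicy_common.inc so the policy package takes over the name, and mention the removal in the commit message.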
-- 
2.1.4




* [meta-selinux][PATCH 3/3] refpolicy_common: Sanity test DEFAULT_ENFORCING value and set default.
From: Philip Tricca @ 2016-04-04  0:21 UTC
  To: mark.hatle, Joe_MacDonald, yocto

Use an anonymous Python function to be sure the value set for
'SELINUX' in the config file is something useful. In the event that
DEFAULT_ENFORCING isn't set to one of the 3 permissible values, we
set it to 'permissive'.

Signed-off-by: Philip Tricca <flihp@twobit.us>
---
 recipes-security/refpolicy/refpolicy_common.inc | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 305675f..10e972d 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -66,6 +66,16 @@ EXTRA_OEMAKE += "tc_usrbindir=${STAGING_BINDIR_NATIVE}"
 EXTRA_OEMAKE += "OUTPUT_POLICY=`${STAGING_BINDIR_NATIVE}/checkpolicy -V | cut -d' ' -f1`"
 EXTRA_OEMAKE += "CC='${BUILD_CC}' CFLAGS='${BUILD_CFLAGS}' PYTHON='${PYTHON}'"
 
+python __anonymous () {
+    import re
+
+    # make sure DEFAULT_ENFORCING is something sane
+    if not re.match('^(enforcing|permissive|disabled)$',
+                    d.getVar('DEFAULT_ENFORCING', True),
+                    flags=0):
+        d.setVar('DEFAULT_ENFORCING', 'permissive')
+}
+
 do_compile() {
 	oe_runmake conf
 	oe_runmake policy
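Review bot: the fallback in `python __anonymous ()` rewrites an invalid DEFAULT_ENFORCING to 'permissive' without emitting anything, so a typo in a distro config (for example 'Enforcing') quietly produces an image whose policy is not enforced; call `bb.warn()` (or `bb.fatal()`, given that permissive is the weaker mode) next to the `d.setVar`. Two smaller points: `re.match('^(enforcing|permissive|disabled)$', ...)` is looser than it looks because `$` also matches before a trailing newline, so a plain membership test such as `d.getVar('DEFAULT_ENFORCING', True) in ('enforcing', 'permissive', 'disabled')` is both stricter and clearer, and `flags=0` is the default and can be dropped.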
-- 
2.1.4
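
The two pieces of metadata logic in this series, deriving SELINUXTYPE from the provider name (patch 1/3) and validating DEFAULT_ENFORCING (this patch), modelled as plain Python so their edge cases can be exercised outside a bitbake build. This is an added example, not code from meta-selinux or from the patch author: the function names are its own, the config text copies what the recipes' shell writes, and returning problems to the caller instead of raising or silently substituting is this example's choice.

```python
import re

# Values the generated /etc/selinux/config accepts for SELINUX=.
VALID_ENFORCING = ("enforcing", "permissive", "disabled")
# Prefix the series strips from PREFERRED_PROVIDER_virtual/refpolicy.
PROVIDER_PREFIX = "refpolicy-"
# The test exactly as patch 3/3 writes it, kept only to show its gap.
_LEGACY_RE = re.compile('^(enforcing|permissive|disabled)$')


def patch_regex_accepts(value):
    """True if the anonymous function's regex would accept `value`.

    '$' also matches just before a trailing newline, so 'enforcing\\n'
    passes even though it is not one of the three permitted words.
    """
    return _LEGACY_RE.match(value) is not None

def sanitize_enforcing(value):
    """Return (effective_value, warning) for a DEFAULT_ENFORCING setting.

    Same fallback as the patch ('permissive'), but exact membership replaces
    the regex and the downgrade is reported instead of applied silently.
    """
    if value in VALID_ENFORCING:
        return value, None
    return "permissive", ("DEFAULT_ENFORCING=%r is not one of %s; falling back to 'permissive'"
                          % (value, "/".join(VALID_ENFORCING)))

def derive_policy_type(preferred_provider):
    """Return (policy_type, problem) from a PREFERRED_PROVIDER_virtual/refpolicy value.

    Models selinux-config_0.1.bb's getVar(...)[len("refpolicy-"):] but reports
    the inputs that expression mishandles: an unset variable (None, which the
    slice turns into a TypeError) and a recipe name without the prefix.
    """
    if preferred_provider is None:
        return None, "PREFERRED_PROVIDER_virtual/refpolicy is not set"
    if not preferred_provider.startswith(PROVIDER_PREFIX):
        return None, "provider %r does not start with %r" % (preferred_provider, PROVIDER_PREFIX)
    policy_type = preferred_provider[len(PROVIDER_PREFIX):]
    if not policy_type:
        return None, "provider %r has no policy type after the prefix" % preferred_provider
    return policy_type, None

def render_selinux_config(enforcing, policy_type):
    """Produce the file body that install_config (patch 2/3) writes."""
    lines = [
        "# This file controls the state of SELinux on the system.",
        "# SELINUX= can take one of these three values:",
        "#     enforcing - SELinux security policy is enforced.",
        "#     permissive - SELinux prints warnings instead of enforcing.",
        "#     disabled - No SELinux policy is loaded.",
        "SELINUX=%s" % enforcing,
        "# SELINUXTYPE= can take one of these values:",
        "#     standard - Standard Security protection.",
        "#     mls - Multi Level Security protection.",
        "#     targeted - Targeted processes are protected.",
        "#     mcs - Multi Category Security protection.",
        "SELINUXTYPE=%s" % policy_type,
    ]
    return "\n".join(lines) + "\n"

def parse_selinux_config(text):
    """Parse KEY=VALUE lines of a config body, skipping comments and blanks."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, val = line.partition("=")
        if not sep or not key.strip():
            raise ValueError("line %d: expected KEY=VALUE, got %r" % (lineno, raw))
        settings[key.strip()] = val.strip()
    return settings

def check_selinux_config(text):
    """Return the problems in a generated config; an empty list means usable."""
    problems = []
    settings = parse_selinux_config(text)
    mode = settings.get("SELINUX")
    if mode not in VALID_ENFORCING:
        problems.append("SELINUX=%r is not one of %s" % (mode, "/".join(VALID_ENFORCING)))
    if not settings.get("SELINUXTYPE"):
        problems.append("SELINUXTYPE is missing or empty, so no policy would be selected at boot")
    return problems

def build_config(default_enforcing, preferred_provider):
    """Run both recipes' logic; returns (config_text, messages), text is None when no type."""
    messages = []
    enforcing, warning = sanitize_enforcing(default_enforcing)
    if warning:
        messages.append(warning)
    policy_type, problem = derive_policy_type(preferred_provider)
    if problem:
        messages.append(problem)
        return None, messages
    return render_selinux_config(enforcing, policy_type), messages
```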




* Re: [meta-selinux][PATCH 0/3] refpolicy virtual package
From: Joe MacDonald @ 2016-04-04 17:53 UTC
  To: Philip Tricca; +Cc: yocto


[[yocto] [meta-selinux][PATCH 0/3] refpolicy virtual package] On 16.04.04 (Mon 00:21) Philip Tricca wrote:

> We currently require each image to depend on the policy (or multiple
> policies) that they want installed and the selinux-config package
> enables the DEFAULT_POLICY. Since only one policy can be in effect at a
> time, and we're targeting "embedded" systems it makes sense (to me at
> least) that we would treat the policy much like we do the kernel and use
> a virtual provider.
> 
> Feedback would be much appreciated,
> Philip
> 
> Philip Tricca (3):
>   refpolicy: Setup virtual/refpolicy provider.
>   Integrate selinux-config into refpolicy_common.
>   refpolicy_common: Sanity test DEFAULT_ENFORCING value and set default.
> 
>  conf/distro/oe-selinux.conf                        |  1 +
>  .../packagegroups/packagegroup-core-selinux.bb     |  4 +-
>  .../packagegroups/packagegroup-selinux-minimal.bb  |  3 +-
>  recipes-security/refpolicy/refpolicy_common.inc    | 43 +++++++++++++++++++++-
>  recipes-security/selinux/selinux-config_0.1.bb     | 41 ---------------------
>  5 files changed, 44 insertions(+), 48 deletions(-)
>  delete mode 100644 recipes-security/selinux/selinux-config_0.1.bb

I've tried this out today and it all looks good to me; I've tried
breaking the sanity check on DEFAULT_ENFORCING as we discussed and it
still seems to do the right thing.  Since this is what we were
discussing last week and it seemed to make sense at the time, I went
ahead and merged your patches for you.

-- 
-Joe MacDonald.
:wq


* Re: [meta-selinux][PATCH 2/3] Integrate selinux-config into refpolicy_common.
From: wenzong fan @ 2016-04-08  8:27 UTC
  To: Philip Tricca, mark.hatle, Joe_MacDonald, yocto

This causes a do_populate_sysroot error if two or more types of 
refpolicy are built:

$ bitbake refpolicy-minimum && bitbake refpolicy-mls

ERROR: refpolicy-mls-git-r0 do_populate_sysroot: The recipe 
refpolicy-mls is trying to install files into a shared area when those 
files already exist. Those files and their manifest location are:
 
/buildarea/raid5/wfan/yocto/builds/selinux_sysvinit/tmp/sysroots/qemux86-64/etc/selinux/sepolgen.conf
  Matched in manifest-qemux86-64-refpolicy-minimum.populate_sysroot
 
/buildarea/raid5/wfan/yocto/builds/selinux_sysvinit/tmp/sysroots/qemux86-64/etc/selinux/config
  Matched in manifest-qemux86-64-refpolicy-minimum.populate_sysroot
 
/buildarea/raid5/wfan/yocto/builds/selinux_sysvinit/tmp/sysroots/qemux86-64/sysroot-providers/virtual_refpolicy
  Matched in manifest-qemux86-64-refpolicy-minimum.populate_sysroot
Please verify which recipe should provide the above files.

Philip,

Can you consider withdrawing the integration?

Thanks
Wenzong

On 04/04/2016 08:21 AM, Philip Tricca wrote:
> With the virtual package there's no need for a separate recipe to build
> the config. This can be generated and included as part of the policy
> package.
>
> Signed-off-by: Philip Tricca <flihp@twobit.us>
> ---
>   .../packagegroups/packagegroup-core-selinux.bb     |  1 -
>   .../packagegroups/packagegroup-selinux-minimal.bb  |  1 -
>   recipes-security/refpolicy/refpolicy_common.inc    | 30 ++++++++++++++--
>   recipes-security/selinux/selinux-config_0.1.bb     | 40 ----------------------
>   4 files changed, 28 insertions(+), 44 deletions(-)
>   delete mode 100644 recipes-security/selinux/selinux-config_0.1.bb
>
> diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb b/recipes-security/packagegroups/packagegroup-core-selinux.bb
> index 62c5a76..c6d22b7 100644
> --- a/recipes-security/packagegroups/packagegroup-core-selinux.bb
> +++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb
> @@ -22,7 +22,6 @@ RDEPENDS_${PN} = " \
>   	packagegroup-selinux-policycoreutils \
>   	setools \
>   	setools-console \
> -	selinux-config \
>   	selinux-autorelabel \
>   	selinux-init \
>   	selinux-labeldev \
> diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
> index 87ae686..451ae8b 100644
> --- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
> +++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
> @@ -21,7 +21,6 @@ RDEPENDS_${PN} = "\
>   	policycoreutils-semodule \
>   	policycoreutils-sestatus \
>   	policycoreutils-setfiles \
> -	selinux-config \
>   	selinux-labeldev \
>   	virtual/refpolicy \
>   "
> diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
> index ba887e4..305675f 100644
> --- a/recipes-security/refpolicy/refpolicy_common.inc
> +++ b/recipes-security/refpolicy/refpolicy_common.inc
> @@ -1,3 +1,5 @@
> +DEFAULT_ENFORCING ??= "enforcing"
> +
>   SECTION = "base"
>   LICENSE = "GPLv2"
>
> @@ -14,7 +16,8 @@ SRC_URI += "file://customizable_types \
>
>   S = "${WORKDIR}/refpolicy"
>
> -FILES_${PN} = " \
> +CONFFILES_${PN} += "${sysconfdir}/selinux/config"
> +FILES_${PN} += " \
>   	${sysconfdir}/selinux/${POLICY_NAME}/ \
>   	${datadir}/selinux/${POLICY_NAME}/*.pp \
>   	${localstatedir}/lib/selinux/${POLICY_NAME}/ \
> @@ -25,7 +28,6 @@ FILES_${PN}-dev =+ " \
>   "
>
>   DEPENDS += "checkpolicy-native policycoreutils-native m4-native"
> -RDEPENDS_${PN} += "selinux-config"
>
>   PACKAGE_ARCH = "${MACHINE_ARCH}"
>
> @@ -137,13 +139,37 @@ install_misc_files () {
>   	oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install-headers
>   }
>
> +install_config () {
> +	echo "\
> +# This file controls the state of SELinux on the system.
> +# SELINUX= can take one of these three values:
> +#     enforcing - SELinux security policy is enforced.
> +#     permissive - SELinux prints warnings instead of enforcing.
> +#     disabled - No SELinux policy is loaded.
> +SELINUX=${DEFAULT_ENFORCING}
> +# SELINUXTYPE= can take one of these values:
> +#     standard - Standard Security protection.
> +#     mls - Multi Level Security protection.
> +#     targeted - Targeted processes are protected.
> +#     mcs - Multi Category Security protection.
> +SELINUXTYPE=${POLICY_TYPE}
> +" > ${WORKDIR}/config
> +	install -d ${D}/${sysconfdir}/selinux
> +	install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
> +}
> +
>   do_install () {
>   	prepare_policy_store
>   	rebuild_policy
>   	install_misc_files
> +	install_config
>   }
>
>   do_install_append(){
>   	# While building policies on target, Makefile will be searched from SELINUX_DEVEL_PATH
>   	echo "SELINUX_DEVEL_PATH=${datadir}/selinux/${POLICY_NAME}/include" > ${D}${sysconfdir}/selinux/sepolgen.conf
>   }
> +
> +sysroot_stage_all_append () {
> +	sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
> +}
> diff --git a/recipes-security/selinux/selinux-config_0.1.bb b/recipes-security/selinux/selinux-config_0.1.bb
> deleted file mode 100644
> index e902e98..0000000
> --- a/recipes-security/selinux/selinux-config_0.1.bb
> +++ /dev/null
> @@ -1,40 +0,0 @@
> -DEFAULT_ENFORCING ??= "enforcing"
> -
> -SUMMARY = "SELinux configuration"
> -DESCRIPTION = "\
> -SELinux configuration files for Yocto. \
> -"
> -
> -SECTION = "base"
> -LICENSE = "MIT"
> -LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
> -PR = "r4"
> -
> -S = "${WORKDIR}"
> -
> -CONFFILES_${PN} += "${sysconfdir}/selinux/config"
> -
> -PACKAGE_ARCH = "${MACHINE_ARCH}"
> -
> -do_install () {
> -	echo "\
> -# This file controls the state of SELinux on the system.
> -# SELINUX= can take one of these three values:
> -#     enforcing - SELinux security policy is enforced.
> -#     permissive - SELinux prints warnings instead of enforcing.
> -#     disabled - No SELinux policy is loaded.
> -SELINUX=${DEFAULT_ENFORCING}
> -# SELINUXTYPE= can take one of these values:
> -#     standard - Standard Security protection.
> -#     mls - Multi Level Security protection.
> -#     targeted - Targeted processes are protected.
> -#     mcs - Multi Category Security protection.
> -SELINUXTYPE=${@d.getVar("PREFERRED_PROVIDER_virtual/refpolicy", False)[len("refpolicy-"):]}
> -" > ${WORKDIR}/config
> -	install -d ${D}/${sysconfdir}/selinux
> -	install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
> -}
> -
> -sysroot_stage_all_append () {
> -	sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
> -}
>


* Re: [meta-selinux][PATCH 2/3] Integrate selinux-config into refpolicy_common.
From: Joe MacDonald @ 2016-04-11 12:54 UTC
  To: wenzong fan; +Cc: yocto


Hi Wenzong,

[Re: [yocto] [meta-selinux][PATCH 2/3] Integrate selinux-config into refpolicy_common.] On 16.04.08 (Fri 16:27) wenzong fan wrote:

> This causes a do_populate_sysroot error if two or more types of
> refpolicy are built:
> 
> $ bitbake refpolicy-minimum && bitbake refpolicy-mls
> 
> ERROR: refpolicy-mls-git-r0 do_populate_sysroot: The recipe refpolicy-mls is
> trying to install files into a shared area when those files already exist.
> Those files and their manifest location are:

I think this was always the intent with the series Philip submitted last
week (for reference, the thread is
https://www.mail-archive.com/yocto@yoctoproject.org/msg28530.html).
Isn't this (part of) the expected behaviour of the virtual provider
mechanism?  We did discuss what it would mean to be trying out multiple
policies on a system at the same time and at the time it seemed like the
"just works" angle was more important than "buffet style" when it came
to providing policy on the image.

It might be worth considering extending the changes to only do some
install steps at, say, do_rootfs, but I don't know if that even makes
sense; this is really the first I've thought of it.  I think Philip's
original changes are good, though, for our maintenance and for clients
of meta-selinux.

-J.

> 
> /buildarea/raid5/wfan/yocto/builds/selinux_sysvinit/tmp/sysroots/qemux86-64/etc/selinux/sepolgen.conf
>  Matched in manifest-qemux86-64-refpolicy-minimum.populate_sysroot
> 
> /buildarea/raid5/wfan/yocto/builds/selinux_sysvinit/tmp/sysroots/qemux86-64/etc/selinux/config
>  Matched in manifest-qemux86-64-refpolicy-minimum.populate_sysroot
> 
> /buildarea/raid5/wfan/yocto/builds/selinux_sysvinit/tmp/sysroots/qemux86-64/sysroot-providers/virtual_refpolicy
>  Matched in manifest-qemux86-64-refpolicy-minimum.populate_sysroot
> Please verify which recipe should provide the above files.
> 
> Philip,
> 
> Can you consider withdrawing the integration?
> 
> Thanks
> Wenzong
> 
> On 04/04/2016 08:21 AM, Philip Tricca wrote:
> >With the virtual package there's no need for a separate recipe to build
> >the config. This can be generated and included as part of the policy
> >package.
> >
> >Signed-off-by: Philip Tricca <flihp@twobit.us>
> >---
> >  .../packagegroups/packagegroup-core-selinux.bb     |  1 -
> >  .../packagegroups/packagegroup-selinux-minimal.bb  |  1 -
> >  recipes-security/refpolicy/refpolicy_common.inc    | 30 ++++++++++++++--
> >  recipes-security/selinux/selinux-config_0.1.bb     | 40 ----------------------
> >  4 files changed, 28 insertions(+), 44 deletions(-)
> >  delete mode 100644 recipes-security/selinux/selinux-config_0.1.bb
> >
> >diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb b/recipes-security/packagegroups/packagegroup-core-selinux.bb
> >index 62c5a76..c6d22b7 100644
> >--- a/recipes-security/packagegroups/packagegroup-core-selinux.bb
> >+++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb
> >@@ -22,7 +22,6 @@ RDEPENDS_${PN} = " \
> >  	packagegroup-selinux-policycoreutils \
> >  	setools \
> >  	setools-console \
> >-	selinux-config \
> >  	selinux-autorelabel \
> >  	selinux-init \
> >  	selinux-labeldev \
> >diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
> >index 87ae686..451ae8b 100644
> >--- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
> >+++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
> >@@ -21,7 +21,6 @@ RDEPENDS_${PN} = "\
> >  	policycoreutils-semodule \
> >  	policycoreutils-sestatus \
> >  	policycoreutils-setfiles \
> >-	selinux-config \
> >  	selinux-labeldev \
> >  	virtual/refpolicy \
> >  "
> >diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
> >index ba887e4..305675f 100644
> >--- a/recipes-security/refpolicy/refpolicy_common.inc
> >+++ b/recipes-security/refpolicy/refpolicy_common.inc
> >@@ -1,3 +1,5 @@
> >+DEFAULT_ENFORCING ??= "enforcing"
> >+
> >  SECTION = "base"
> >  LICENSE = "GPLv2"
> >
> >@@ -14,7 +16,8 @@ SRC_URI += "file://customizable_types \
> >
> >  S = "${WORKDIR}/refpolicy"
> >
> >-FILES_${PN} = " \
> >+CONFFILES_${PN} += "${sysconfdir}/selinux/config"
> >+FILES_${PN} += " \
> >  	${sysconfdir}/selinux/${POLICY_NAME}/ \
> >  	${datadir}/selinux/${POLICY_NAME}/*.pp \
> >  	${localstatedir}/lib/selinux/${POLICY_NAME}/ \
> >@@ -25,7 +28,6 @@ FILES_${PN}-dev =+ " \
> >  "
> >
> >  DEPENDS += "checkpolicy-native policycoreutils-native m4-native"
> >-RDEPENDS_${PN} += "selinux-config"
> >
> >  PACKAGE_ARCH = "${MACHINE_ARCH}"
> >
> >@@ -137,13 +139,37 @@ install_misc_files () {
> >  	oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install-headers
> >  }
> >
> >+install_config () {
> >+	echo "\
> >+# This file controls the state of SELinux on the system.
> >+# SELINUX= can take one of these three values:
> >+#     enforcing - SELinux security policy is enforced.
> >+#     permissive - SELinux prints warnings instead of enforcing.
> >+#     disabled - No SELinux policy is loaded.
> >+SELINUX=${DEFAULT_ENFORCING}
> >+# SELINUXTYPE= can take one of these values:
> >+#     standard - Standard Security protection.
> >+#     mls - Multi Level Security protection.
> >+#     targeted - Targeted processes are protected.
> >+#     mcs - Multi Category Security protection.
> >+SELINUXTYPE=${POLICY_TYPE}
> >+" > ${WORKDIR}/config
> >+	install -d ${D}/${sysconfdir}/selinux
> >+	install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
> >+}
> >+
> >  do_install () {
> >  	prepare_policy_store
> >  	rebuild_policy
> >  	install_misc_files
> >+	install_config
> >  }
> >
> >  do_install_append(){
> >  	# While building policies on target, Makefile will be searched from SELINUX_DEVEL_PATH
> >  	echo "SELINUX_DEVEL_PATH=${datadir}/selinux/${POLICY_NAME}/include" > ${D}${sysconfdir}/selinux/sepolgen.conf
> >  }
> >+
> >+sysroot_stage_all_append () {
> >+	sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
> >+}
> >diff --git a/recipes-security/selinux/selinux-config_0.1.bb b/recipes-security/selinux/selinux-config_0.1.bb
> >deleted file mode 100644
> >index e902e98..0000000
> >--- a/recipes-security/selinux/selinux-config_0.1.bb
> >+++ /dev/null
> >@@ -1,40 +0,0 @@
> >-DEFAULT_ENFORCING ??= "enforcing"
> >-
> >-SUMMARY = "SELinux configuration"
> >-DESCRIPTION = "\
> >-SELinux configuration files for Yocto. \
> >-"
> >-
> >-SECTION = "base"
> >-LICENSE = "MIT"
> >-LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
> >-PR = "r4"
> >-
> >-S = "${WORKDIR}"
> >-
> >-CONFFILES_${PN} += "${sysconfdir}/selinux/config"
> >-
> >-PACKAGE_ARCH = "${MACHINE_ARCH}"
> >-
> >-do_install () {
> >-	echo "\
> >-# This file controls the state of SELinux on the system.
> >-# SELINUX= can take one of these three values:
> >-#     enforcing - SELinux security policy is enforced.
> >-#     permissive - SELinux prints warnings instead of enforcing.
> >-#     disabled - No SELinux policy is loaded.
> >-SELINUX=${DEFAULT_ENFORCING}
> >-# SELINUXTYPE= can take one of these values:
> >-#     standard - Standard Security protection.
> >-#     mls - Multi Level Security protection.
> >-#     targeted - Targeted processes are protected.
> >-#     mcs - Multi Category Security protection.
> >-SELINUXTYPE=${@d.getVar("PREFERRED_PROVIDER_virtual/refpolicy", False)[len("refpolicy-"):]}
> >-" > ${WORKDIR}/config
> >-	install -d ${D}/${sysconfdir}/selinux
> >-	install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
> >-}
> >-
> >-sysroot_stage_all_append () {
> >-	sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
> >-}
> >

-- 
-Joe MacDonald.
:wq


* Re: [meta-selinux][PATCH 2/3] Integrate selinux-config into refpolicy_common.
From: Philip Tricca @ 2016-04-12  3:55 UTC
  To: Joe MacDonald, wenzong fan; +Cc: yocto



Hello,

On 04/11/2016 05:54 AM, Joe MacDonald wrote:
>> This causes a do_populate_sysroot error if two or more types of
>> refpolicy are built:
>>
>> $ bitbake refpolicy-minimum && bitbake refpolicy-mls
>>
>> ERROR: refpolicy-mls-git-r0 do_populate_sysroot: The recipe refpolicy-mls is
>> trying to install files into a shared area when those files already exist.
>> Those files and their manifest location are:
> 
> I think this was always the intent with the series Philip submitted last
> week (for reference, the thread is
> https://www.mail-archive.com/yocto@yoctoproject.org/msg28530.html).
> Isn't this (part of) the expected behaviour of the virtual provider
> mechanism?

This is the question I think we need to figure out. My understanding
(quite possibly wrong) is that the virtual provider stuff would prevent
the installation of more than one provider. I hadn't considered the
implications for the sysroot.

Is the ability to install multiple providers in the sysroot expected? I
imagine that this problem must have been solved before in another
package with virtual providers that install the same file. I'm happy to
do some digging here but if anyone knows of a good example I'd
appreciate a pointer.

> We did discuss what it would mean to be trying out multiple
> policies on a system at the same time and at the time it seemed like the
> "just works" angle was more important than "buffet style" when it came
> to providing policy on the image.

I guess the thing I like the most about setting the policy package up as
a virtual package is the ability to select the policy type as a distro
config. The virtual provider seemed like a natural fit as it's a pattern
that similar packages (kernel etc) use extensively.

> It might be worth considering extending the changes to only do some
> install steps at, say, do_rootfs but I don't know if that even makes
> sense, this is really the first I've thought of it.  I think Philip's
> original changes are good, though, for our maintenance and for clients
> of meta-selinux.

There may be a middle ground and I think that would be leaving the
configuration file as a separate package. Personally I liked the idea of
rolling the config file into the policy package as it was always a bit
awkward requiring coordination of some variables across the policy and
the config package which made it a bit brittle.

Wenzong: A few questions: What's your use case for building multiple
policy packages? Would you suggest just backing out the removal of the
config package or the whole virtual provider thing?

Thanks,
Philip

>> /buildarea/raid5/wfan/yocto/builds/selinux_sysvinit/tmp/sysroots/qemux86-64/etc/selinux/sepolgen.conf
>>  Matched in manifest-qemux86-64-refpolicy-minimum.populate_sysroot
>>
>> /buildarea/raid5/wfan/yocto/builds/selinux_sysvinit/tmp/sysroots/qemux86-64/etc/selinux/config
>>  Matched in manifest-qemux86-64-refpolicy-minimum.populate_sysroot
>>
>> /buildarea/raid5/wfan/yocto/builds/selinux_sysvinit/tmp/sysroots/qemux86-64/sysroot-providers/virtual_refpolicy
>>  Matched in manifest-qemux86-64-refpolicy-minimum.populate_sysroot
>> Please verify which recipe should provide the above files.
>>
>> Philip,
>>
>> Can you consider withdrawing the integration?
>>
>> Thanks
>> Wenzong
>>
>> On 04/04/2016 08:21 AM, Philip Tricca wrote:
>>> With the virtual package there's no need for a separate recipe to build
>>> the config. This can be generated and included as part of the policy
>>> package.
>>>
>>> Signed-off-by: Philip Tricca <flihp@twobit.us>
>>> ---
>>>  .../packagegroups/packagegroup-core-selinux.bb     |  1 -
>>>  .../packagegroups/packagegroup-selinux-minimal.bb  |  1 -
>>>  recipes-security/refpolicy/refpolicy_common.inc    | 30 ++++++++++++++--
>>>  recipes-security/selinux/selinux-config_0.1.bb     | 40 ----------------------
>>>  4 files changed, 28 insertions(+), 44 deletions(-)
>>>  delete mode 100644 recipes-security/selinux/selinux-config_0.1.bb
>>>
>>> diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb b/recipes-security/packagegroups/packagegroup-core-selinux.bb
>>> index 62c5a76..c6d22b7 100644
>>> --- a/recipes-security/packagegroups/packagegroup-core-selinux.bb
>>> +++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb
>>> @@ -22,7 +22,6 @@ RDEPENDS_${PN} = " \
>>>  	packagegroup-selinux-policycoreutils \
>>>  	setools \
>>>  	setools-console \
>>> -	selinux-config \
>>>  	selinux-autorelabel \
>>>  	selinux-init \
>>>  	selinux-labeldev \
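Review bot: with selinux-config dropped from RDEPENDS_${PN} here, nothing in the visible context of this packagegroup pulls in a refpolicy provider (the packagegroup-selinux-minimal hunk shows `virtual/refpolicy \` in its list; this one shows only the policycoreutils group, setools and the selinux-* helpers), and ${sysconfdir}/selinux/config is now delivered only by the refpolicy package. Confirm that virtual/refpolicy is in this group's RDEPENDS outside the shown lines; otherwise an image built from packagegroup-core-selinux ends up with no /etc/selinux/config at all, and so with no SELINUX= or SELINUXTYPE= setting for the init scripts to read.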
>>> diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
>>> index 87ae686..451ae8b 100644
>>> --- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
>>> +++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
>>> @@ -21,7 +21,6 @@ RDEPENDS_${PN} = "\
>>>  	policycoreutils-semodule \
>>>  	policycoreutils-sestatus \
>>>  	policycoreutils-setfiles \
>>> -	selinux-config \
>>>  	selinux-labeldev \
>>>  	virtual/refpolicy \
>>>  "
>>> diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
>>> index ba887e4..305675f 100644
>>> --- a/recipes-security/refpolicy/refpolicy_common.inc
>>> +++ b/recipes-security/refpolicy/refpolicy_common.inc
>>> @@ -1,3 +1,5 @@
>>> +DEFAULT_ENFORCING ??= "enforcing"
>>> +
>>>  SECTION = "base"
>>>  LICENSE = "GPLv2"
>>>
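Review bot: `DEFAULT_ENFORCING ??= "enforcing"` is taken as-is, and install_config later in this file writes the value straight into `SELINUX=`, so a typo in a distro or local.conf override produces a config whose SELINUX= line matches none of the three documented values (enforcing, permissive, disabled). Since this single variable decides whether policy is enforced on the target at all, a check that fails the build on anything outside those three values (a python anonymous function calling bb.fatal, for example) belongs next to this default.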
>>> @@ -14,7 +16,8 @@ SRC_URI += "file://customizable_types \
>>>
>>>  S = "${WORKDIR}/refpolicy"
>>>
>>> -FILES_${PN} = " \
>>> +CONFFILES_${PN} += "${sysconfdir}/selinux/config"
>>> +FILES_${PN} += " \
>>>  	${sysconfdir}/selinux/${POLICY_NAME}/ \
>>>  	${datadir}/selinux/${POLICY_NAME}/*.pp \
>>>  	${localstatedir}/lib/selinux/${POLICY_NAME}/ \
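Review bot: changing `FILES_${PN} = " \` to `FILES_${PN} += " \` silently widens the package from the explicit list to the bitbake.conf default FILES_${PN} plus that list; the default includes ${sysconfdir}, which is presumably what now sweeps ${sysconfdir}/selinux/config (and the sepolgen.conf written by do_install_append) into the package, since the explicit list only names ${sysconfdir}/selinux/${POLICY_NAME}/. It would be tighter and easier to audit to keep `=` and add `${sysconfdir}/selinux/config` and `${sysconfdir}/selinux/sepolgen.conf` to the list explicitly, so the package contains exactly what the recipe says it does.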
>>> @@ -25,7 +28,6 @@ FILES_${PN}-dev =+ " \
>>>  "
>>>
>>>  DEPENDS += "checkpolicy-native policycoreutils-native m4-native"
>>> -RDEPENDS_${PN} += "selinux-config"
>>>
>>>  PACKAGE_ARCH = "${MACHINE_ARCH}"
>>>
>>> @@ -137,13 +139,37 @@ install_misc_files () {
>>>  	oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install-headers
>>>  }
>>>
>>> +install_config () {
>>> +	echo "\
>>> +# This file controls the state of SELinux on the system.
>>> +# SELINUX= can take one of these three values:
>>> +#     enforcing - SELinux security policy is enforced.
>>> +#     permissive - SELinux prints warnings instead of enforcing.
>>> +#     disabled - No SELinux policy is loaded.
>>> +SELINUX=${DEFAULT_ENFORCING}
>>> +# SELINUXTYPE= can take one of these values:
>>> +#     standard - Standard Security protection.
>>> +#     mls - Multi Level Security protection.
>>> +#     targeted - Targeted processes are protected.
>>> +#     mcs - Multi Category Security protection.
>>> +SELINUXTYPE=${POLICY_TYPE}
>>> +" > ${WORKDIR}/config
>>> +	install -d ${D}/${sysconfdir}/selinux
>>> +	install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
>>> +}
>>> +
>>>  do_install () {
>>>  	prepare_policy_store
>>>  	rebuild_policy
>>>  	install_misc_files
>>> +	install_config
>>>  }
>>>
>>>  do_install_append(){
>>>  	# While building policies on target, Makefile will be searched from SELINUX_DEVEL_PATH
>>>  	echo "SELINUX_DEVEL_PATH=${datadir}/selinux/${POLICY_NAME}/include" > ${D}${sysconfdir}/selinux/sepolgen.conf
>>>  }
>>> +
>>> +sysroot_stage_all_append () {
>>> +	sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
>>> +}
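Review bot: `sysroot_stage_all_append` at the end of this hunk stages the whole of ${D}${sysconfdir} into the shared sysroot, so every refpolicy-* provider now contributes an identical ${sysconfdir}/selinux/config and sepolgen.conf to the same location; that is the do_populate_sysroot conflict reported earlier in this thread when two providers are built one after another (the sysroot-providers/virtual_refpolicy entry in that error comes from the virtual provider itself, not from this hunk). Stage only what a host-side tool actually consumes, and under a policy-specific path such as ${sysconfdir}/selinux/${POLICY_NAME}/, rather than the entire directory. Separately, install_config writes `SELINUXTYPE=${POLICY_TYPE}` while the FILES hunk installs the policy under ${sysconfdir}/selinux/${POLICY_NAME}/ and the deleted selinux-config recipe derived the value from the provider name; SELINUXTYPE selects the directory under /etc/selinux whose policy is loaded at boot, so unless POLICY_TYPE and POLICY_NAME are guaranteed equal this should be `SELINUXTYPE=${POLICY_NAME}`. Minor: `${D}/${sysconfdir}` in install_config yields a doubled slash; the rest of the file uses `${D}${sysconfdir}`.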
>>> diff --git a/recipes-security/selinux/selinux-config_0.1.bb b/recipes-security/selinux/selinux-config_0.1.bb
>>> deleted file mode 100644
>>> index e902e98..0000000
>>> --- a/recipes-security/selinux/selinux-config_0.1.bb
>>> +++ /dev/null
>>> @@ -1,40 +0,0 @@
>>> -DEFAULT_ENFORCING ??= "enforcing"
>>> -
>>> -SUMMARY = "SELinux configuration"
>>> -DESCRIPTION = "\
>>> -SELinux configuration files for Yocto. \
>>> -"
>>> -
>>> -SECTION = "base"
>>> -LICENSE = "MIT"
>>> -LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
>>> -PR = "r4"
>>> -
>>> -S = "${WORKDIR}"
>>> -
>>> -CONFFILES_${PN} += "${sysconfdir}/selinux/config"
>>> -
>>> -PACKAGE_ARCH = "${MACHINE_ARCH}"
>>> -
>>> -do_install () {
>>> -	echo "\
>>> -# This file controls the state of SELinux on the system.
>>> -# SELINUX= can take one of these three values:
>>> -#     enforcing - SELinux security policy is enforced.
>>> -#     permissive - SELinux prints warnings instead of enforcing.
>>> -#     disabled - No SELinux policy is loaded.
>>> -SELINUX=${DEFAULT_ENFORCING}
>>> -# SELINUXTYPE= can take one of these values:
>>> -#     standard - Standard Security protection.
>>> -#     mls - Multi Level Security protection.
>>> -#     targeted - Targeted processes are protected.
>>> -#     mcs - Multi Category Security protection.
>>> -SELINUXTYPE=${@d.getVar("PREFERRED_PROVIDER_virtual/refpolicy", False)[len("refpolicy-"):]}
>>> -" > ${WORKDIR}/config
>>> -	install -d ${D}/${sysconfdir}/selinux
>>> -	install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
>>> -}
>>> -
>>> -sysroot_stage_all_append () {
>>> -	sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
>>> -}
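Review bot: deleting selinux-config_0.1.bb removes a package that owned ${sysconfdir}/selinux/config (see its `CONFFILES_${PN}` line) without any `RPROVIDES`, `RREPLACES` or `RCONFLICTS` on the refpolicy package that now ships the same path, so an image or feed that already has selinux-config installed sees two packages claiming one file on upgrade, and any out-of-tree recipe that still RDEPENDS on selinux-config stops resolving. Add `RPROVIDES_${PN} += "selinux-config"`, `RREPLACES_${PN} += "selinux-config"` and `RCONFLICTS_${PN} += "selinux-config"` beside the new CONFFILES line in refpolicy_common.inc, and mention the removed package in the commit message so downstream layers know to update. The dropped `SELINUXTYPE=${@d.getVar("PREFERRED_PROVIDER_virtual/refpolicy", False)[len("refpolicy-"):]}` line is worth losing on its own merits: with the preferred provider unset getVar returns None and the slice raises, and with a provider not named refpolicy-* it silently wrote a wrong type.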
>>>
> 




* Re: [meta-selinux][PATCH 2/3] Integrate selinux-config into refpolicy_common.
  2016-04-12  3:55       ` Philip Tricca
@ 2016-04-12  5:54         ` wenzong fan
  2016-04-12 14:05           ` Joe MacDonald
  0 siblings, 1 reply; 12+ messages in thread
From: wenzong fan @ 2016-04-12  5:54 UTC (permalink / raw)
  To: Philip Tricca, Joe MacDonald; +Cc: yocto

On 04/12/2016 11:55 AM, Philip Tricca wrote:
> Hello,
>
> On 04/11/2016 05:54 AM, Joe MacDonald wrote:
>>> This causes a do_populate_sysroot error if you build two or more types of
>>> refpolicy:
>>>
>>> $ bitbake refpolicy-minimum && bitbake refpolicy-mls
>>>
>>> ERROR: refpolicy-mls-git-r0 do_populate_sysroot: The recipe refpolicy-mls is
>>> trying to install files into a shared area when those files already exist.
>>> Those files and their manifest location are:
>>
>> I think this was always the intent with the series Philip submitted last
>> week (for reference, the thread is
>> https://www.mail-archive.com/yocto@yoctoproject.org/msg28530.html).
>> Isn't this (part of) the expected behaviour of the virtual provider
>> mechanism?
>
> This is the question I think we need to figure out. My understanding
> (quite possibly wrong) is that the virtual provider stuff would prevent
> the installation of more than one provider. I hadn't considered the
> implications for the sysroot.
>
> Is the ability to install multiple providers in the sysroot expected? I
> imagine that this problem must have been solved before in another
> package with virtual providers that install the same file. I'm happy to
> do some digging here but if anyone knows of a good example I'd
> appreciate a pointer.
>
>> We did discuss what it would mean to be trying out multiple
>> policies on a system at the same time and at the time it seemed like the
>> "just works" angle was more important than "buffet style" when it came
>> to providing policy on the image.
>
> I guess the thing I like the most about setting the policy package up as
> a virtual package is the ability to select the policy type as a distro
> config. The virtual provider seemed like a natural fit as it's a pattern
> that similar packages (kernel etc) use extensively.
>
>> It might be worth considering extending the changes to only do some
>> install steps at, say, do_rootfs but I don't know if that even makes
>> sense, this is really the first I've thought of it.  I think Philip's
>> original changes are good, though, for our maintenance and for clients
>> of meta-selinux.
>
> There may be a middle ground and I think that would be leaving the
> configuration file as a separate package. Personally I liked the idea of
> rolling the config file into the policy package as it was always a bit
> awkward requiring coordination of some variables across the policy and
> the config package which made it a bit brittle.
>
> Wenzong: A few questions: What's your use case for building multiple
> policy packages? Would you suggest just backing out the removal of the
> config package or the whole virtual provider thing?

Hi Philip,

The virtual provider is OK; just restoring the config package is the
simplest way of fixing such an issue, I think.

My use cases include:
a. update refpolicy and build each type to make sure patch/build/install 
work;
b. run world build with meta-selinux layer.

Thanks
Wenzong

>
> Thanks,
> Philip
>
>>> /buildarea/raid5/wfan/yocto/builds/selinux_sysvinit/tmp/sysroots/qemux86-64/etc/selinux/sepolgen.conf
>>>   Matched in manifest-qemux86-64-refpolicy-minimum.populate_sysroot
>>>
>>> /buildarea/raid5/wfan/yocto/builds/selinux_sysvinit/tmp/sysroots/qemux86-64/etc/selinux/config
>>>   Matched in manifest-qemux86-64-refpolicy-minimum.populate_sysroot
>>>
>>> /buildarea/raid5/wfan/yocto/builds/selinux_sysvinit/tmp/sysroots/qemux86-64/sysroot-providers/virtual_refpolicy
>>>   Matched in manifest-qemux86-64-refpolicy-minimum.populate_sysroot
>>> Please verify which recipe should provide the above files.
>>>
>>> Philip,
>>>
>>> Can you consider withdrawing the integration?
>>>
>>> Thanks
>>> Wenzong
>>>
>>> On 04/04/2016 08:21 AM, Philip Tricca wrote:
>>>> With the virtual package there's no need for a separate recipe to build
>>>> the config. This can be generated and included as part of the policy
>>>> package.
>>>>
>>>> Signed-off-by: Philip Tricca <flihp@twobit.us>
>>>> ---
>>>>   .../packagegroups/packagegroup-core-selinux.bb     |  1 -
>>>>   .../packagegroups/packagegroup-selinux-minimal.bb  |  1 -
>>>>   recipes-security/refpolicy/refpolicy_common.inc    | 30 ++++++++++++++--
>>>>   recipes-security/selinux/selinux-config_0.1.bb     | 40 ----------------------
>>>>   4 files changed, 28 insertions(+), 44 deletions(-)
>>>>   delete mode 100644 recipes-security/selinux/selinux-config_0.1.bb
>>>>
>>>> diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb b/recipes-security/packagegroups/packagegroup-core-selinux.bb
>>>> index 62c5a76..c6d22b7 100644
>>>> --- a/recipes-security/packagegroups/packagegroup-core-selinux.bb
>>>> +++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb
>>>> @@ -22,7 +22,6 @@ RDEPENDS_${PN} = " \
>>>>   	packagegroup-selinux-policycoreutils \
>>>>   	setools \
>>>>   	setools-console \
>>>> -	selinux-config \
>>>>   	selinux-autorelabel \
>>>>   	selinux-init \
>>>>   	selinux-labeldev \
>>>> diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
>>>> index 87ae686..451ae8b 100644
>>>> --- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
>>>> +++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
>>>> @@ -21,7 +21,6 @@ RDEPENDS_${PN} = "\
>>>>   	policycoreutils-semodule \
>>>>   	policycoreutils-sestatus \
>>>>   	policycoreutils-setfiles \
>>>> -	selinux-config \
>>>>   	selinux-labeldev \
>>>>   	virtual/refpolicy \
>>>>   "
>>>> diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
>>>> index ba887e4..305675f 100644
>>>> --- a/recipes-security/refpolicy/refpolicy_common.inc
>>>> +++ b/recipes-security/refpolicy/refpolicy_common.inc
>>>> @@ -1,3 +1,5 @@
>>>> +DEFAULT_ENFORCING ??= "enforcing"
>>>> +
>>>>   SECTION = "base"
>>>>   LICENSE = "GPLv2"
>>>>
>>>> @@ -14,7 +16,8 @@ SRC_URI += "file://customizable_types \
>>>>
>>>>   S = "${WORKDIR}/refpolicy"
>>>>
>>>> -FILES_${PN} = " \
>>>> +CONFFILES_${PN} += "${sysconfdir}/selinux/config"
>>>> +FILES_${PN} += " \
>>>>   	${sysconfdir}/selinux/${POLICY_NAME}/ \
>>>>   	${datadir}/selinux/${POLICY_NAME}/*.pp \
>>>>   	${localstatedir}/lib/selinux/${POLICY_NAME}/ \
>>>> @@ -25,7 +28,6 @@ FILES_${PN}-dev =+ " \
>>>>   "
>>>>
>>>>   DEPENDS += "checkpolicy-native policycoreutils-native m4-native"
>>>> -RDEPENDS_${PN} += "selinux-config"
>>>>
>>>>   PACKAGE_ARCH = "${MACHINE_ARCH}"
>>>>
>>>> @@ -137,13 +139,37 @@ install_misc_files () {
>>>>   	oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install-headers
>>>>   }
>>>>
>>>> +install_config () {
>>>> +	echo "\
>>>> +# This file controls the state of SELinux on the system.
>>>> +# SELINUX= can take one of these three values:
>>>> +#     enforcing - SELinux security policy is enforced.
>>>> +#     permissive - SELinux prints warnings instead of enforcing.
>>>> +#     disabled - No SELinux policy is loaded.
>>>> +SELINUX=${DEFAULT_ENFORCING}
>>>> +# SELINUXTYPE= can take one of these values:
>>>> +#     standard - Standard Security protection.
>>>> +#     mls - Multi Level Security protection.
>>>> +#     targeted - Targeted processes are protected.
>>>> +#     mcs - Multi Category Security protection.
>>>> +SELINUXTYPE=${POLICY_TYPE}
>>>> +" > ${WORKDIR}/config
>>>> +	install -d ${D}/${sysconfdir}/selinux
>>>> +	install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
>>>> +}
>>>> +
>>>>   do_install () {
>>>>   	prepare_policy_store
>>>>   	rebuild_policy
>>>>   	install_misc_files
>>>> +	install_config
>>>>   }
>>>>
>>>>   do_install_append(){
>>>>   	# While building policies on target, Makefile will be searched from SELINUX_DEVEL_PATH
>>>>   	echo "SELINUX_DEVEL_PATH=${datadir}/selinux/${POLICY_NAME}/include" > ${D}${sysconfdir}/selinux/sepolgen.conf
>>>>   }
>>>> +
>>>> +sysroot_stage_all_append () {
>>>> +	sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
>>>> +}
>>>> diff --git a/recipes-security/selinux/selinux-config_0.1.bb b/recipes-security/selinux/selinux-config_0.1.bb
>>>> deleted file mode 100644
>>>> index e902e98..0000000
>>>> --- a/recipes-security/selinux/selinux-config_0.1.bb
>>>> +++ /dev/null
>>>> @@ -1,40 +0,0 @@
>>>> -DEFAULT_ENFORCING ??= "enforcing"
>>>> -
>>>> -SUMMARY = "SELinux configuration"
>>>> -DESCRIPTION = "\
>>>> -SELinux configuration files for Yocto. \
>>>> -"
>>>> -
>>>> -SECTION = "base"
>>>> -LICENSE = "MIT"
>>>> -LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
>>>> -PR = "r4"
>>>> -
>>>> -S = "${WORKDIR}"
>>>> -
>>>> -CONFFILES_${PN} += "${sysconfdir}/selinux/config"
>>>> -
>>>> -PACKAGE_ARCH = "${MACHINE_ARCH}"
>>>> -
>>>> -do_install () {
>>>> -	echo "\
>>>> -# This file controls the state of SELinux on the system.
>>>> -# SELINUX= can take one of these three values:
>>>> -#     enforcing - SELinux security policy is enforced.
>>>> -#     permissive - SELinux prints warnings instead of enforcing.
>>>> -#     disabled - No SELinux policy is loaded.
>>>> -SELINUX=${DEFAULT_ENFORCING}
>>>> -# SELINUXTYPE= can take one of these values:
>>>> -#     standard - Standard Security protection.
>>>> -#     mls - Multi Level Security protection.
>>>> -#     targeted - Targeted processes are protected.
>>>> -#     mcs - Multi Category Security protection.
>>>> -SELINUXTYPE=${@d.getVar("PREFERRED_PROVIDER_virtual/refpolicy", False)[len("refpolicy-"):]}
>>>> -" > ${WORKDIR}/config
>>>> -	install -d ${D}/${sysconfdir}/selinux
>>>> -	install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
>>>> -}
>>>> -
>>>> -sysroot_stage_all_append () {
>>>> -	sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
>>>> -}
>>>>
>>
>
>



* Re: [meta-selinux][PATCH 2/3] Integrate selinux-config into refpolicy_common.
  2016-04-12  5:54         ` wenzong fan
@ 2016-04-12 14:05           ` Joe MacDonald
  2016-04-13  7:23             ` wenzong fan
  0 siblings, 1 reply; 12+ messages in thread
From: Joe MacDonald @ 2016-04-12 14:05 UTC (permalink / raw)
  To: wenzong fan; +Cc: yocto


Philip / Wenzong,

[Re: [yocto] [meta-selinux][PATCH 2/3] Integrate selinux-config into refpolicy_common.] On 16.04.12 (Tue 13:54) wenzong fan wrote:

> On 04/12/2016 11:55 AM, Philip Tricca wrote:
> >Hello,
> >
> >On 04/11/2016 05:54 AM, Joe MacDonald wrote:
> >>>This causes a do_populate_sysroot error if you build two or more types of
> >>>refpolicy:
> >>>
> >>>$ bitbake refpolicy-minimum && bitbake refpolicy-mls
> >>>
> >>>ERROR: refpolicy-mls-git-r0 do_populate_sysroot: The recipe refpolicy-mls is
> >>>trying to install files into a shared area when those files already exist.
> >>>Those files and their manifest location are:
> >>
> >>I think this was always the intent with the series Philip submitted last
> >>week (for reference, the thread is
> >>https://www.mail-archive.com/yocto@yoctoproject.org/msg28530.html).
> >>Isn't this (part of) the expected behaviour of the virtual provider
> >>mechanism?
> >
> >This is the question I think we need to figure out. My understanding
> >(quite possibly wrong) is that the virtual provider stuff would prevent
> >the installation of more than one provider. I hadn't considered the
> >implications for the sysroot.
> >
> >Is the ability to install multiple providers in the sysroot expected? I
> >imagine that this problem must have been solved before in another
> >package with virtual providers that install the same file. I'm happy to
> >do some digging here but if anyone knows of a good example I'd
> >appreciate a pointer.
> >
> >>We did discuss what it would mean to be trying out multiple
> >>policies on a system at the same time and at the time it seemed like the
> >>"just works" angle was more important than "buffet style" when it came
> >>to providing policy on the image.
> >
> >I guess the thing I like the most about setting the policy package up as
> >a virtual package is the ability to select the policy type as a distro
> >config. The virtual provider seemed like a natural fit as it's a pattern
> >that similar packages (kernel etc) use extensively.
> >
> >>It might be worth considering extending the changes to only do some
> >>install steps at, say, do_rootfs but I don't know if that even makes
> >>sense, this is really the first I've thought of it.  I think Philip's
> >>original changes are good, though, for our maintenance and for clients
> >>of meta-selinux.
> >
> >There may be a middle ground and I think that would be leaving the
> >configuration file as a separate package. Personally I liked the idea of
> >rolling the config file into the policy package as it was always a bit
> >awkward requiring coordination of some variables across the policy and
> >the config package which made it a bit brittle.
> >
> >Wenzong: A few questions: What's your use case for building multiple
> >policy packages? Would you suggest just backing out the removal of the
> >config package or the whole virtual provider thing?
> 
> Hi Philip,
> 
> The virtual provider is OK; just restoring the config package is the
> simplest way of fixing such an issue, I think.
> 
> My use cases include:
> a. update refpolicy and build each type to make sure patch/build/install
> work;

That's not necessarily an argument against the change ...

> b. run world build with meta-selinux layer.

... but I think this is.  Or, rather, I think what we have now makes more
sense from an end-user perspective: your image wouldn't have more
than a single policy installed at a time, and if you tried to install
multiple policies, for nearly everyone this represents a mistake and
undesirable behaviour, so warnings / errors are appropriate.

But if this is breaking world builds with yocto+meta-selinux, that's
something I'd like to repair.  Though I'm surprised that what we have
right now would break the world builds.  Philip / Wenzong / Mark:  Do you
have publicly-accessible world builds right now?  I don't and I don't have
world builds for yocto+meta-selinux on my autobuilder, but I'll go set one
up if you don't have one.

-J.

> 
> Thanks
> Wenzong
> 
> >
> >Thanks,
> >Philip
> >
> >>>/buildarea/raid5/wfan/yocto/builds/selinux_sysvinit/tmp/sysroots/qemux86-64/etc/selinux/sepolgen.conf
> >>>  Matched in manifest-qemux86-64-refpolicy-minimum.populate_sysroot
> >>>
> >>>/buildarea/raid5/wfan/yocto/builds/selinux_sysvinit/tmp/sysroots/qemux86-64/etc/selinux/config
> >>>  Matched in manifest-qemux86-64-refpolicy-minimum.populate_sysroot
> >>>
> >>>/buildarea/raid5/wfan/yocto/builds/selinux_sysvinit/tmp/sysroots/qemux86-64/sysroot-providers/virtual_refpolicy
> >>>  Matched in manifest-qemux86-64-refpolicy-minimum.populate_sysroot
> >>>Please verify which recipe should provide the above files.
> >>>
> >>>Philip,
> >>>
> >>>Can you consider withdrawing the integration?
> >>>
> >>>Thanks
> >>>Wenzong
> >>>
> >>>On 04/04/2016 08:21 AM, Philip Tricca wrote:
> >>>>With the virtual package there's no need for a separate recipe to build
> >>>>the config. This can be generated and included as part of the policy
> >>>>package.
> >>>>
> >>>>Signed-off-by: Philip Tricca <flihp@twobit.us>
> >>>>---
> >>>>  .../packagegroups/packagegroup-core-selinux.bb     |  1 -
> >>>>  .../packagegroups/packagegroup-selinux-minimal.bb  |  1 -
> >>>>  recipes-security/refpolicy/refpolicy_common.inc    | 30 ++++++++++++++--
> >>>>  recipes-security/selinux/selinux-config_0.1.bb     | 40 ----------------------
> >>>>  4 files changed, 28 insertions(+), 44 deletions(-)
> >>>>  delete mode 100644 recipes-security/selinux/selinux-config_0.1.bb
> >>>>
> >>>>diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb b/recipes-security/packagegroups/packagegroup-core-selinux.bb
> >>>>index 62c5a76..c6d22b7 100644
> >>>>--- a/recipes-security/packagegroups/packagegroup-core-selinux.bb
> >>>>+++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb
> >>>>@@ -22,7 +22,6 @@ RDEPENDS_${PN} = " \
> >>>>  	packagegroup-selinux-policycoreutils \
> >>>>  	setools \
> >>>>  	setools-console \
> >>>>-	selinux-config \
> >>>>  	selinux-autorelabel \
> >>>>  	selinux-init \
> >>>>  	selinux-labeldev \
> >>>>diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
> >>>>index 87ae686..451ae8b 100644
> >>>>--- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
> >>>>+++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
> >>>>@@ -21,7 +21,6 @@ RDEPENDS_${PN} = "\
> >>>>  	policycoreutils-semodule \
> >>>>  	policycoreutils-sestatus \
> >>>>  	policycoreutils-setfiles \
> >>>>-	selinux-config \
> >>>>  	selinux-labeldev \
> >>>>  	virtual/refpolicy \
> >>>>  "
> >>>>diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
> >>>>index ba887e4..305675f 100644
> >>>>--- a/recipes-security/refpolicy/refpolicy_common.inc
> >>>>+++ b/recipes-security/refpolicy/refpolicy_common.inc
> >>>>@@ -1,3 +1,5 @@
> >>>>+DEFAULT_ENFORCING ??= "enforcing"
> >>>>+
> >>>>  SECTION = "base"
> >>>>  LICENSE = "GPLv2"
> >>>>
> >>>>@@ -14,7 +16,8 @@ SRC_URI += "file://customizable_types \
> >>>>
> >>>>  S = "${WORKDIR}/refpolicy"
> >>>>
> >>>>-FILES_${PN} = " \
> >>>>+CONFFILES_${PN} += "${sysconfdir}/selinux/config"
> >>>>+FILES_${PN} += " \
> >>>>  	${sysconfdir}/selinux/${POLICY_NAME}/ \
> >>>>  	${datadir}/selinux/${POLICY_NAME}/*.pp \
> >>>>  	${localstatedir}/lib/selinux/${POLICY_NAME}/ \
> >>>>@@ -25,7 +28,6 @@ FILES_${PN}-dev =+ " \
> >>>>  "
> >>>>
> >>>>  DEPENDS += "checkpolicy-native policycoreutils-native m4-native"
> >>>>-RDEPENDS_${PN} += "selinux-config"
> >>>>
> >>>>  PACKAGE_ARCH = "${MACHINE_ARCH}"
> >>>>
> >>>>@@ -137,13 +139,37 @@ install_misc_files () {
> >>>>  	oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install-headers
> >>>>  }
> >>>>
> >>>>+install_config () {
> >>>>+	echo "\
> >>>>+# This file controls the state of SELinux on the system.
> >>>>+# SELINUX= can take one of these three values:
> >>>>+#     enforcing - SELinux security policy is enforced.
> >>>>+#     permissive - SELinux prints warnings instead of enforcing.
> >>>>+#     disabled - No SELinux policy is loaded.
> >>>>+SELINUX=${DEFAULT_ENFORCING}
> >>>>+# SELINUXTYPE= can take one of these values:
> >>>>+#     standard - Standard Security protection.
> >>>>+#     mls - Multi Level Security protection.
> >>>>+#     targeted - Targeted processes are protected.
> >>>>+#     mcs - Multi Category Security protection.
> >>>>+SELINUXTYPE=${POLICY_TYPE}
> >>>>+" > ${WORKDIR}/config
> >>>>+	install -d ${D}/${sysconfdir}/selinux
> >>>>+	install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
> >>>>+}
> >>>>+
> >>>>  do_install () {
> >>>>  	prepare_policy_store
> >>>>  	rebuild_policy
> >>>>  	install_misc_files
> >>>>+	install_config
> >>>>  }
> >>>>
> >>>>  do_install_append(){
> >>>>  	# While building policies on target, Makefile will be searched from SELINUX_DEVEL_PATH
> >>>>  	echo "SELINUX_DEVEL_PATH=${datadir}/selinux/${POLICY_NAME}/include" > ${D}${sysconfdir}/selinux/sepolgen.conf
> >>>>  }
> >>>>+
> >>>>+sysroot_stage_all_append () {
> >>>>+	sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
> >>>>+}
> >>>>diff --git a/recipes-security/selinux/selinux-config_0.1.bb b/recipes-security/selinux/selinux-config_0.1.bb
> >>>>deleted file mode 100644
> >>>>index e902e98..0000000
> >>>>--- a/recipes-security/selinux/selinux-config_0.1.bb
> >>>>+++ /dev/null
> >>>>@@ -1,40 +0,0 @@
> >>>>-DEFAULT_ENFORCING ??= "enforcing"
> >>>>-
> >>>>-SUMMARY = "SELinux configuration"
> >>>>-DESCRIPTION = "\
> >>>>-SELinux configuration files for Yocto. \
> >>>>-"
> >>>>-
> >>>>-SECTION = "base"
> >>>>-LICENSE = "MIT"
> >>>>-LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
> >>>>-PR = "r4"
> >>>>-
> >>>>-S = "${WORKDIR}"
> >>>>-
> >>>>-CONFFILES_${PN} += "${sysconfdir}/selinux/config"
> >>>>-
> >>>>-PACKAGE_ARCH = "${MACHINE_ARCH}"
> >>>>-
> >>>>-do_install () {
> >>>>-	echo "\
> >>>>-# This file controls the state of SELinux on the system.
> >>>>-# SELINUX= can take one of these three values:
> >>>>-#     enforcing - SELinux security policy is enforced.
> >>>>-#     permissive - SELinux prints warnings instead of enforcing.
> >>>>-#     disabled - No SELinux policy is loaded.
> >>>>-SELINUX=${DEFAULT_ENFORCING}
> >>>>-# SELINUXTYPE= can take one of these values:
> >>>>-#     standard - Standard Security protection.
> >>>>-#     mls - Multi Level Security protection.
> >>>>-#     targeted - Targeted processes are protected.
> >>>>-#     mcs - Multi Category Security protection.
> >>>>-SELINUXTYPE=${@d.getVar("PREFERRED_PROVIDER_virtual/refpolicy", False)[len("refpolicy-"):]}
> >>>>-" > ${WORKDIR}/config
> >>>>-	install -d ${D}/${sysconfdir}/selinux
> >>>>-	install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
> >>>>-}
> >>>>-
> >>>>-sysroot_stage_all_append () {
> >>>>-	sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
> >>>>-}
> >>>>
> >>
> >
> >

-- 
-Joe MacDonald.
:wq


* Re: [meta-selinux][PATCH 2/3] Integrate selinux-config into refpolicy_common.
  2016-04-12 14:05           ` Joe MacDonald
@ 2016-04-13  7:23             ` wenzong fan
  2016-04-17  5:10               ` Philip Tricca
  0 siblings, 1 reply; 12+ messages in thread
From: wenzong fan @ 2016-04-13  7:23 UTC (permalink / raw)
  To: Joe MacDonald; +Cc: yocto

On 04/12/2016 10:05 PM, Joe MacDonald wrote:
> Philip / Wenzong,
>
> [Re: [yocto] [meta-selinux][PATCH 2/3] Integrate selinux-config into refpolicy_common.] On 16.04.12 (Tue 13:54) wenzong fan wrote:
>
>> On 04/12/2016 11:55 AM, Philip Tricca wrote:
>>> Hello,
>>>
>>> On 04/11/2016 05:54 AM, Joe MacDonald wrote:
>>>>> This causes a do_populate_sysroot error if you build two or more types of
>>>>> refpolicy:
>>>>>
>>>>> $ bitbake refpolicy-minimum && bitbake refpolicy-mls
>>>>>
>>>>> ERROR: refpolicy-mls-git-r0 do_populate_sysroot: The recipe refpolicy-mls is
>>>>> trying to install files into a shared area when those files already exist.
>>>>> Those files and their manifest location are:
>>>>
>>>> I think this was always the intent with the series Philip submitted last
>>>> week (for reference, the thread is
>>>> https://www.mail-archive.com/yocto@yoctoproject.org/msg28530.html).
>>>> Isn't this (part of) the expected behaviour of the virtual provider
>>>> mechanism?
>>>
>>> This is the question I think we need to figure out. My understanding
>>> (quite possibly wrong) is that the virtual provider stuff would prevent
>>> the installation of more than one provider. I hadn't considered the
>>> implications for the sysroot.
>>>
>>> Is the ability to install multiple providers in the sysroot expected? I
>>> imagine that this problem must have been solved before in another
> >>> package with virtual providers that install the same file. I'm happy to
> >>> do some digging here but if anyone knows of a good example I'd
>>> appreciate a pointer.
>>>
>>>> We did discuss what it would mean to be trying out multiple
>>>> policies on a system at the same time and at the time it seemed like the
>>>> "just works" angle was more important than "buffet style" when it came
>>>> to providing policy on the image.
>>>
>>> I guess the thing I like the most about setting the policy package up as
>>> a virtual package is the ability to select the policy type as a distro
>>> config. The virtual provider seemed like a natural fit as it's a pattern
>>> that similar packages (kernel etc) use extensively.
>>>
>>>> It might be worth considering extending the changes to only do some
>>>> install steps at, say, do_rootfs but I don't know if that even makes
>>>> sense, this is really the first I've thought of it.  I think Philip's
>>>> original changes are good, though, for our maintenance and for clients
>>>> of meta-selinux.
>>>
>>> There may be a middle ground and I think that would be leaving the
>>> configuration file as a separate package. Personally I liked the idea of
>>> rolling the config file into the policy package as it was always a bit
>>> awkward requiring coordination of some variables across the policy and
>>> the config package which made it a bit brittle.
>>>
>>> Wenzong: A few questions: What's your use case for building multiple
>>> policy packages? Would you suggest just backing out the removal of the
>>> config package or the whole virtual provider thing?
>>
>> Hi Philip,
>>
> >> The virtual provider is OK; just restoring the config package is the simplest
> >> way to fix such an issue, I think.
>>
>> My use cases include:
>> a. update refpolicy and build each type to make sure patch/build/install
>> work;
>
> That's not necessarily an argument against the change ...
>
>> b. run world build with meta-selinux layer.
>
> ... but I think this is.  Or, rather, I think what we have now makes more
> sense from an end-user perspective, that your image wouldn't have more
> than a single policy installed at a time and that if you tried to install
> multiple policies for nearly everyone this represents a mistake and
> undesirable behaviour so warnings / errors are appropriate.
>
> But if this is breaking world builds with yocto+meta-selinux, that's
> something I'd like to repair.  Though I'm surprised that what we have
> right now would break the world builds.  Philip / Wenzong / Mark:  Do you
> have publicly-accessible world builds right now?  I don't and I don't have
> world builds for yocto+meta-selinux on my autobuilder, but I'll go set one
> up if you don't have one.

Oh, it's my fault. I can't reproduce the issue with a fresh build now;
it must be that I had run the refpolicy-* builds manually :(

I don't want to install multiple policies to target as well, so I have 
no objection now.

Thanks all for your patience.

Wenzong

>
> -J.
>
>>
>> Thanks
>> Wenzong
>>
>>>
>>> Thanks,
>>> Philip
>>>
>>>>> /buildarea/raid5/wfan/yocto/builds/selinux_sysvinit/tmp/sysroots/qemux86-64/etc/selinux/sepolgen.conf
>>>>>   Matched in manifest-qemux86-64-refpolicy-minimum.populate_sysroot
>>>>>
>>>>> /buildarea/raid5/wfan/yocto/builds/selinux_sysvinit/tmp/sysroots/qemux86-64/etc/selinux/config
>>>>>   Matched in manifest-qemux86-64-refpolicy-minimum.populate_sysroot
>>>>>
>>>>> /buildarea/raid5/wfan/yocto/builds/selinux_sysvinit/tmp/sysroots/qemux86-64/sysroot-providers/virtual_refpolicy
>>>>>   Matched in manifest-qemux86-64-refpolicy-minimum.populate_sysroot
>>>>> Please verify which recipe should provide the above files.
>>>>>
>>>>> Philip,
>>>>>
> >>>>> Can you consider withdrawing the integration?
>>>>>
>>>>> Thanks
>>>>> Wenzong
>>>>>
>>>>> On 04/04/2016 08:21 AM, Philip Tricca wrote:
> >>>>>> With the virtual package there's no need for a separate recipe to build
>>>>>> the config. This can be generated and included as part of the policy
>>>>>> package.
>>>>>>
>>>>>> Signed-off-by: Philip Tricca <flihp@twobit.us>
>>>>>> ---
>>>>>>   .../packagegroups/packagegroup-core-selinux.bb     |  1 -
>>>>>>   .../packagegroups/packagegroup-selinux-minimal.bb  |  1 -
>>>>>>   recipes-security/refpolicy/refpolicy_common.inc    | 30 ++++++++++++++--
>>>>>>   recipes-security/selinux/selinux-config_0.1.bb     | 40 ----------------------
>>>>>>   4 files changed, 28 insertions(+), 44 deletions(-)
>>>>>>   delete mode 100644 recipes-security/selinux/selinux-config_0.1.bb
>>>>>>
>>>>>> diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb b/recipes-security/packagegroups/packagegroup-core-selinux.bb
>>>>>> index 62c5a76..c6d22b7 100644
>>>>>> --- a/recipes-security/packagegroups/packagegroup-core-selinux.bb
>>>>>> +++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb
>>>>>> @@ -22,7 +22,6 @@ RDEPENDS_${PN} = " \
>>>>>>   	packagegroup-selinux-policycoreutils \
>>>>>>   	setools \
>>>>>>   	setools-console \
>>>>>> -	selinux-config \
>>>>>>   	selinux-autorelabel \
>>>>>>   	selinux-init \
>>>>>>   	selinux-labeldev \
>>>>>> diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
>>>>>> index 87ae686..451ae8b 100644
>>>>>> --- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
>>>>>> +++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
>>>>>> @@ -21,7 +21,6 @@ RDEPENDS_${PN} = "\
>>>>>>   	policycoreutils-semodule \
>>>>>>   	policycoreutils-sestatus \
>>>>>>   	policycoreutils-setfiles \
>>>>>> -	selinux-config \
>>>>>>   	selinux-labeldev \
>>>>>>   	virtual/refpolicy \
>>>>>>   "
>>>>>> diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
>>>>>> index ba887e4..305675f 100644
>>>>>> --- a/recipes-security/refpolicy/refpolicy_common.inc
>>>>>> +++ b/recipes-security/refpolicy/refpolicy_common.inc
>>>>>> @@ -1,3 +1,5 @@
>>>>>> +DEFAULT_ENFORCING ??= "enforcing"
>>>>>> +
>>>>>>   SECTION = "base"
>>>>>>   LICENSE = "GPLv2"
>>>>>>
>>>>>> @@ -14,7 +16,8 @@ SRC_URI += "file://customizable_types \
>>>>>>
>>>>>>   S = "${WORKDIR}/refpolicy"
>>>>>>
>>>>>> -FILES_${PN} = " \
>>>>>> +CONFFILES_${PN} += "${sysconfdir}/selinux/config"
>>>>>> +FILES_${PN} += " \
>>>>>>   	${sysconfdir}/selinux/${POLICY_NAME}/ \
>>>>>>   	${datadir}/selinux/${POLICY_NAME}/*.pp \
>>>>>>   	${localstatedir}/lib/selinux/${POLICY_NAME}/ \
>>>>>> @@ -25,7 +28,6 @@ FILES_${PN}-dev =+ " \
>>>>>>   "
>>>>>>
>>>>>>   DEPENDS += "checkpolicy-native policycoreutils-native m4-native"
>>>>>> -RDEPENDS_${PN} += "selinux-config"
>>>>>>
>>>>>>   PACKAGE_ARCH = "${MACHINE_ARCH}"
>>>>>>
>>>>>> @@ -137,13 +139,37 @@ install_misc_files () {
>>>>>>   	oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install-headers
>>>>>>   }
>>>>>>
>>>>>> +install_config () {
>>>>>> +	echo "\
>>>>>> +# This file controls the state of SELinux on the system.
>>>>>> +# SELINUX= can take one of these three values:
>>>>>> +#     enforcing - SELinux security policy is enforced.
>>>>>> +#     permissive - SELinux prints warnings instead of enforcing.
>>>>>> +#     disabled - No SELinux policy is loaded.
>>>>>> +SELINUX=${DEFAULT_ENFORCING}
>>>>>> +# SELINUXTYPE= can take one of these values:
>>>>>> +#     standard - Standard Security protection.
>>>>>> +#     mls - Multi Level Security protection.
>>>>>> +#     targeted - Targeted processes are protected.
>>>>>> +#     mcs - Multi Category Security protection.
>>>>>> +SELINUXTYPE=${POLICY_TYPE}
>>>>>> +" > ${WORKDIR}/config
>>>>>> +	install -d ${D}/${sysconfdir}/selinux
>>>>>> +	install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
>>>>>> +}
>>>>>> +
>>>>>>   do_install () {
>>>>>>   	prepare_policy_store
>>>>>>   	rebuild_policy
>>>>>>   	install_misc_files
>>>>>> +	install_config
>>>>>>   }
>>>>>>
>>>>>>   do_install_append(){
>>>>>>   	# While building policies on target, Makefile will be searched from SELINUX_DEVEL_PATH
>>>>>>   	echo "SELINUX_DEVEL_PATH=${datadir}/selinux/${POLICY_NAME}/include" > ${D}${sysconfdir}/selinux/sepolgen.conf
>>>>>>   }
>>>>>> +
>>>>>> +sysroot_stage_all_append () {
>>>>>> +	sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
>>>>>> +}
>>>>>> diff --git a/recipes-security/selinux/selinux-config_0.1.bb b/recipes-security/selinux/selinux-config_0.1.bb
>>>>>> deleted file mode 100644
>>>>>> index e902e98..0000000
>>>>>> --- a/recipes-security/selinux/selinux-config_0.1.bb
>>>>>> +++ /dev/null
>>>>>> @@ -1,40 +0,0 @@
>>>>>> -DEFAULT_ENFORCING ??= "enforcing"
>>>>>> -
>>>>>> -SUMMARY = "SELinux configuration"
>>>>>> -DESCRIPTION = "\
>>>>>> -SELinux configuration files for Yocto. \
>>>>>> -"
>>>>>> -
>>>>>> -SECTION = "base"
>>>>>> -LICENSE = "MIT"
>>>>>> -LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
>>>>>> -PR = "r4"
>>>>>> -
>>>>>> -S = "${WORKDIR}"
>>>>>> -
>>>>>> -CONFFILES_${PN} += "${sysconfdir}/selinux/config"
>>>>>> -
>>>>>> -PACKAGE_ARCH = "${MACHINE_ARCH}"
>>>>>> -
>>>>>> -do_install () {
>>>>>> -	echo "\
>>>>>> -# This file controls the state of SELinux on the system.
>>>>>> -# SELINUX= can take one of these three values:
>>>>>> -#     enforcing - SELinux security policy is enforced.
>>>>>> -#     permissive - SELinux prints warnings instead of enforcing.
>>>>>> -#     disabled - No SELinux policy is loaded.
>>>>>> -SELINUX=${DEFAULT_ENFORCING}
>>>>>> -# SELINUXTYPE= can take one of these values:
>>>>>> -#     standard - Standard Security protection.
>>>>>> -#     mls - Multi Level Security protection.
>>>>>> -#     targeted - Targeted processes are protected.
>>>>>> -#     mcs - Multi Category Security protection.
>>>>>> -SELINUXTYPE=${@d.getVar("PREFERRED_PROVIDER_virtual/refpolicy", False)[len("refpolicy-"):]}
>>>>>> -" > ${WORKDIR}/config
>>>>>> -	install -d ${D}/${sysconfdir}/selinux
>>>>>> -	install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
>>>>>> -}
>>>>>> -
>>>>>> -sysroot_stage_all_append () {
>>>>>> -	sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
>>>>>> -}
>>>>>>
>>>>
>>>
>>>
>
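The install_config step quoted above, with the sanity check on DEFAULT_ENFORCING that the series' 3/3 is titled for and a check that SELINUXTYPE names a policy that is actually installed, as an added POSIX shell example (not code from meta-selinux or from this patch). It assumes a staging layout of DESTDIR/etc/selinux/<type>/ standing in for ${D}${sysconfdir}/selinux/${POLICY_NAME}/ and takes the two values as arguments instead of BitBake variables:

```shell
#!/bin/sh
# Added example, not code from meta-selinux or the patch under review.
# Writes the same /etc/selinux/config text as install_config, but rejects
# input the recipe would pass through unchecked: SELINUX= must be one of the
# three values the file's own comment lists, and SELINUXTYPE= must name a
# policy directory that exists under <destdir>/etc/selinux, so the generated
# file can never point a system at a policy it does not have.
#
# Usage: gen_selinux_config DESTDIR ENFORCING POLICY_TYPE
#   DESTDIR     stands in for ${D} (assumed layout DESTDIR/etc/selinux/<type>/)
#   ENFORCING   stands in for DEFAULT_ENFORCING
#   POLICY_TYPE is the value written to SELINUXTYPE=

# Exit status 0 only for the three SELINUX= values libselinux understands.
valid_enforcing() {
    case "$1" in
        enforcing|permissive|disabled) return 0 ;;
        *) return 1 ;;
    esac
}

gen_selinux_config() {
    destdir=$1; enforcing=$2; ptype=$3

    if ! valid_enforcing "$enforcing"; then
        echo "gen_selinux_config: bad SELINUX value '$enforcing'" >&2
        return 1
    fi
    # An empty type leaves "SELINUXTYPE=" blank; a slash or ".." would make
    # libselinux look outside /etc/selinux. Reject all three.
    case "$ptype" in
        ''|*/*|*..*)
            echo "gen_selinux_config: bad SELINUXTYPE '$ptype'" >&2
            return 1 ;;
    esac
    if [ ! -d "$destdir/etc/selinux/$ptype" ]; then
        echo "gen_selinux_config: no policy installed at $destdir/etc/selinux/$ptype" >&2
        return 1
    fi

    cfg="$destdir/etc/selinux/config"
    mkdir -p "$destdir/etc/selinux"
    # Same text as the recipe's echo; a heredoc avoids the backslash-newline
    # continuation trick inside double quotes.
    cat > "$cfg" <<EOF
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=$enforcing
# SELINUXTYPE= can take one of these values:
#     standard - Standard Security protection.
#     mls - Multi Level Security protection.
#     targeted - Targeted processes are protected.
#     mcs - Multi Category Security protection.
SELINUXTYPE=$ptype
EOF
    # Mirrors "install -m 0644".
    chmod 0644 "$cfg"
}

# Read one KEY= value back out of an existing config, skipping comment lines.
# Usage: selinux_config_get FILE KEY
selinux_config_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}
```

Run it against an install root in which the policy directory already exists. A misspelt SELINUX value, an empty or path-like type, or a type with no matching directory fails with a non-zero status, which is what a do_install step wants: the mistake surfaces at build time rather than at the first boot of the image.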



* Re: [meta-selinux][PATCH 2/3] Integrate selinux-config into refpolicy_common.
  2016-04-13  7:23             ` wenzong fan
@ 2016-04-17  5:10               ` Philip Tricca
  0 siblings, 0 replies; 12+ messages in thread
From: Philip Tricca @ 2016-04-17  5:10 UTC (permalink / raw)
  To: wenzong fan; +Cc: yocto

On 04/13/2016 12:23 AM, wenzong fan wrote:
> On 04/12/2016 10:05 PM, Joe MacDonald wrote:
>> Philip / Wenzong,
>>
>> [Re: [yocto] [meta-selinux][PATCH 2/3] Integrate selinux-config into
>> refpolicy_common.] On 16.04.12 (Tue 13:54) wenzong fan wrote:
>>
>>> On 04/12/2016 11:55 AM, Philip Tricca wrote:
>>>> Hello,
>>>>
>>>> On 04/11/2016 05:54 AM, Joe MacDonald wrote:
> >>>>>> This causes a do_populate_sysroot error if you build two or more types of
> >>>>>> refpolicy:
>>>>>>
>>>>>> $ bitbake refpolicy-minimum && bitbake refpolicy-mls
>>>>>>
>>>>>> ERROR: refpolicy-mls-git-r0 do_populate_sysroot: The recipe
>>>>>> refpolicy-mls is
>>>>>> trying to install files into a shared area when those files
>>>>>> already exist.
>>>>>> Those files and their manifest location are:
>>>>>
>>>>> I think this was always the intent with the series Philip submitted
>>>>> last
>>>>> week (for reference, the thread is
>>>>> https://www.mail-archive.com/yocto@yoctoproject.org/msg28530.html).
>>>>> Isn't this (part of) the expected behaviour of the virtual provider
>>>>> mechanism?
>>>>
>>>> This is the question I think we need to figure out. My understanding
>>>> (quite possibly wrong) is that the virtual provider stuff would prevent
>>>> the installation of more than one provider. I hadn't considered the
>>>> implications for the sysroot.
>>>>
>>>> Is the ability to install multiple providers in the sysroot expected? I
>>>> imagine that this problem must have been solved before in another
> >>>> package with virtual providers that install the same file. I'm happy to
> >>>> do some digging here but if anyone knows of a good example I'd
>>>> appreciate a pointer.
>>>>
>>>>> We did discuss what it would mean to be trying out multiple
>>>>> policies on a system at the same time and at the time it seemed
>>>>> like the
>>>>> "just works" angle was more important than "buffet style" when it came
>>>>> to providing policy on the image.
>>>>
>>>> I guess the thing I like the most about setting the policy package
>>>> up as
>>>> a virtual package is the ability to select the policy type as a distro
>>>> config. The virtual provider seemed like a natural fit as it's a
>>>> pattern
>>>> that similar packages (kernel etc) use extensively.
>>>>
>>>>> It might be worth considering extending the changes to only do some
>>>>> install steps at, say, do_rootfs but I don't know if that even makes
>>>>> sense, this is really the first I've thought of it.  I think Philip's
>>>>> original changes are good, though, for our maintenance and for clients
>>>>> of meta-selinux.
>>>>
>>>> There may be a middle ground and I think that would be leaving the
>>>> configuration file as a separate package. Personally I liked the
>>>> idea of
>>>> rolling the config file into the policy package as it was always a bit
>>>> awkward requiring coordination of some variables across the policy and
>>>> the config package which made it a bit brittle.
>>>>
>>>> Wenzong: A few questions: What's your use case for building multiple
>>>> policy packages? Would you suggest just backing out the removal of the
>>>> config package or the whole virtual provider thing?
>>>
>>> Hi Philip,
>>>
> >>> The virtual provider is OK; just restoring the config package is the
> >>> simplest way to fix such an issue, I think.
>>>
>>> My use cases include:
>>> a. update refpolicy and build each type to make sure patch/build/install
>>> work;
>>
>> That's not necessarily an argument against the change ...
>>
>>> b. run world build with meta-selinux layer.
>>
>> ... but I think this is.  Or, rather, I think what we have now makes more
>> sense from an end-user perspective, that your image wouldn't have more
>> than a single policy installed at a time and that if you tried to install
>> multiple policies for nearly everyone this represents a mistake and
>> undesirable behaviour so warnings / errors are appropriate.
>>
>> But if this is breaking world builds with yocto+meta-selinux, that's
>> something I'd like to repair.  Though I'm surprised that what we have
>> right now would break the world builds.  Philip / Wenzong / Mark:  Do you
>> have publicly-accessible world builds right now?  I don't and I don't
>> have
>> world builds for yocto+meta-selinux on my autobuilder, but I'll go set
>> one
>> up if you don't have one.
> 
> Oh, it's my fault. I can't reproduce the issue with a fresh build now;
> it must be that I had run the refpolicy-* builds manually :(

I tested a few days back and wasn't able to reproduce. Glad we both
ended up with the same results. I'm looking into setting up a world
build since that sounds like an additional level of testing that would
be good to have.

Philip

> I don't want to install multiple policies to target as well, so I have
> no objection now.
> 
> Thanks all for your patience.
> 
> Wenzong
> 
>>
>> -J.
>>
>>>
>>> Thanks
>>> Wenzong
>>>
>>>>
>>>> Thanks,
>>>> Philip
>>>>
>>>>>> /buildarea/raid5/wfan/yocto/builds/selinux_sysvinit/tmp/sysroots/qemux86-64/etc/selinux/sepolgen.conf
>>>>>>
>>>>>>   Matched in manifest-qemux86-64-refpolicy-minimum.populate_sysroot
>>>>>>
>>>>>> /buildarea/raid5/wfan/yocto/builds/selinux_sysvinit/tmp/sysroots/qemux86-64/etc/selinux/config
>>>>>>
>>>>>>   Matched in manifest-qemux86-64-refpolicy-minimum.populate_sysroot
>>>>>>
>>>>>> /buildarea/raid5/wfan/yocto/builds/selinux_sysvinit/tmp/sysroots/qemux86-64/sysroot-providers/virtual_refpolicy
>>>>>>
>>>>>>   Matched in manifest-qemux86-64-refpolicy-minimum.populate_sysroot
>>>>>> Please verify which recipe should provide the above files.
>>>>>>
>>>>>> Philip,
>>>>>>
> >>>>>> Can you consider withdrawing the integration?
>>>>>>
>>>>>> Thanks
>>>>>> Wenzong
>>>>>>
>>>>>> On 04/04/2016 08:21 AM, Philip Tricca wrote:
> >>>>>>> With the virtual package there's no need for a separate recipe to
>>>>>>> build
>>>>>>> the config. This can be generated and included as part of the policy
>>>>>>> package.
>>>>>>>
>>>>>>> Signed-off-by: Philip Tricca <flihp@twobit.us>
>>>>>>> ---
>>>>>>>   .../packagegroups/packagegroup-core-selinux.bb     |  1 -
>>>>>>>   .../packagegroups/packagegroup-selinux-minimal.bb  |  1 -
>>>>>>>   recipes-security/refpolicy/refpolicy_common.inc    | 30
>>>>>>> ++++++++++++++--
>>>>>>>   recipes-security/selinux/selinux-config_0.1.bb     | 40
>>>>>>> ----------------------
>>>>>>>   4 files changed, 28 insertions(+), 44 deletions(-)
>>>>>>>   delete mode 100644 recipes-security/selinux/selinux-config_0.1.bb
>>>>>>>
>>>>>>> diff --git
>>>>>>> a/recipes-security/packagegroups/packagegroup-core-selinux.bb
>>>>>>> b/recipes-security/packagegroups/packagegroup-core-selinux.bb
>>>>>>> index 62c5a76..c6d22b7 100644
>>>>>>> --- a/recipes-security/packagegroups/packagegroup-core-selinux.bb
>>>>>>> +++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb
>>>>>>> @@ -22,7 +22,6 @@ RDEPENDS_${PN} = " \
>>>>>>>       packagegroup-selinux-policycoreutils \
>>>>>>>       setools \
>>>>>>>       setools-console \
>>>>>>> -    selinux-config \
>>>>>>>       selinux-autorelabel \
>>>>>>>       selinux-init \
>>>>>>>       selinux-labeldev \
>>>>>>> diff --git
>>>>>>> a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
>>>>>>> b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
>>>>>>> index 87ae686..451ae8b 100644
>>>>>>> --- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
>>>>>>> +++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
>>>>>>> @@ -21,7 +21,6 @@ RDEPENDS_${PN} = "\
>>>>>>>       policycoreutils-semodule \
>>>>>>>       policycoreutils-sestatus \
>>>>>>>       policycoreutils-setfiles \
>>>>>>> -    selinux-config \
>>>>>>>       selinux-labeldev \
>>>>>>>       virtual/refpolicy \
>>>>>>>   "
>>>>>>> diff --git a/recipes-security/refpolicy/refpolicy_common.inc
>>>>>>> b/recipes-security/refpolicy/refpolicy_common.inc
>>>>>>> index ba887e4..305675f 100644
>>>>>>> --- a/recipes-security/refpolicy/refpolicy_common.inc
>>>>>>> +++ b/recipes-security/refpolicy/refpolicy_common.inc
>>>>>>> @@ -1,3 +1,5 @@
>>>>>>> +DEFAULT_ENFORCING ??= "enforcing"
>>>>>>> +
>>>>>>>   SECTION = "base"
>>>>>>>   LICENSE = "GPLv2"
>>>>>>>
>>>>>>> @@ -14,7 +16,8 @@ SRC_URI += "file://customizable_types \
>>>>>>>
>>>>>>>   S = "${WORKDIR}/refpolicy"
>>>>>>>
>>>>>>> -FILES_${PN} = " \
>>>>>>> +CONFFILES_${PN} += "${sysconfdir}/selinux/config"
>>>>>>> +FILES_${PN} += " \
>>>>>>>       ${sysconfdir}/selinux/${POLICY_NAME}/ \
>>>>>>>       ${datadir}/selinux/${POLICY_NAME}/*.pp \
>>>>>>>       ${localstatedir}/lib/selinux/${POLICY_NAME}/ \
>>>>>>> @@ -25,7 +28,6 @@ FILES_${PN}-dev =+ " \
>>>>>>>   "
>>>>>>>
>>>>>>>   DEPENDS += "checkpolicy-native policycoreutils-native m4-native"
>>>>>>> -RDEPENDS_${PN} += "selinux-config"
>>>>>>>
>>>>>>>   PACKAGE_ARCH = "${MACHINE_ARCH}"
>>>>>>>
>>>>>>> @@ -137,13 +139,37 @@ install_misc_files () {
>>>>>>>       oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}'
>>>>>>> install-headers
>>>>>>>   }
>>>>>>>
>>>>>>> +install_config () {
>>>>>>> +    echo "\
>>>>>>> +# This file controls the state of SELinux on the system.
>>>>>>> +# SELINUX= can take one of these three values:
>>>>>>> +#     enforcing - SELinux security policy is enforced.
>>>>>>> +#     permissive - SELinux prints warnings instead of enforcing.
>>>>>>> +#     disabled - No SELinux policy is loaded.
>>>>>>> +SELINUX=${DEFAULT_ENFORCING}
>>>>>>> +# SELINUXTYPE= can take one of these values:
>>>>>>> +#     standard - Standard Security protection.
>>>>>>> +#     mls - Multi Level Security protection.
>>>>>>> +#     targeted - Targeted processes are protected.
>>>>>>> +#     mcs - Multi Category Security protection.
>>>>>>> +SELINUXTYPE=${POLICY_TYPE}
>>>>>>> +" > ${WORKDIR}/config
>>>>>>> +    install -d ${D}/${sysconfdir}/selinux
>>>>>>> +    install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
>>>>>>> +}
>>>>>>> +
>>>>>>>   do_install () {
>>>>>>>       prepare_policy_store
>>>>>>>       rebuild_policy
>>>>>>>       install_misc_files
>>>>>>> +    install_config
>>>>>>>   }
>>>>>>>
>>>>>>>   do_install_append(){
>>>>>>>       # While building policies on target, Makefile will be
>>>>>>> searched from SELINUX_DEVEL_PATH
>>>>>>>       echo
>>>>>>> "SELINUX_DEVEL_PATH=${datadir}/selinux/${POLICY_NAME}/include" >
>>>>>>> ${D}${sysconfdir}/selinux/sepolgen.conf
>>>>>>>   }
>>>>>>> +
>>>>>>> +sysroot_stage_all_append () {
>>>>>>> +    sysroot_stage_dir ${D}${sysconfdir}
>>>>>>> ${SYSROOT_DESTDIR}${sysconfdir}
>>>>>>> +}
>>>>>>> diff --git a/recipes-security/selinux/selinux-config_0.1.bb
>>>>>>> b/recipes-security/selinux/selinux-config_0.1.bb
>>>>>>> deleted file mode 100644
>>>>>>> index e902e98..0000000
>>>>>>> --- a/recipes-security/selinux/selinux-config_0.1.bb
>>>>>>> +++ /dev/null
>>>>>>> @@ -1,40 +0,0 @@
>>>>>>> -DEFAULT_ENFORCING ??= "enforcing"
>>>>>>> -
>>>>>>> -SUMMARY = "SELinux configuration"
>>>>>>> -DESCRIPTION = "\
>>>>>>> -SELinux configuration files for Yocto. \
>>>>>>> -"
>>>>>>> -
>>>>>>> -SECTION = "base"
>>>>>>> -LICENSE = "MIT"
>>>>>>> -LIC_FILES_CHKSUM =
>>>>>>> "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
>>>>>>>
>>>>>>> -PR = "r4"
>>>>>>> -
>>>>>>> -S = "${WORKDIR}"
>>>>>>> -
>>>>>>> -CONFFILES_${PN} += "${sysconfdir}/selinux/config"
>>>>>>> -
>>>>>>> -PACKAGE_ARCH = "${MACHINE_ARCH}"
>>>>>>> -
>>>>>>> -do_install () {
>>>>>>> -    echo "\
>>>>>>> -# This file controls the state of SELinux on the system.
>>>>>>> -# SELINUX= can take one of these three values:
>>>>>>> -#     enforcing - SELinux security policy is enforced.
>>>>>>> -#     permissive - SELinux prints warnings instead of enforcing.
>>>>>>> -#     disabled - No SELinux policy is loaded.
>>>>>>> -SELINUX=${DEFAULT_ENFORCING}
>>>>>>> -# SELINUXTYPE= can take one of these values:
>>>>>>> -#     standard - Standard Security protection.
>>>>>>> -#     mls - Multi Level Security protection.
>>>>>>> -#     targeted - Targeted processes are protected.
>>>>>>> -#     mcs - Multi Category Security protection.
>>>>>>> -SELINUXTYPE=${@d.getVar("PREFERRED_PROVIDER_virtual/refpolicy",
>>>>>>> False)[len("refpolicy-"):]}
>>>>>>> -" > ${WORKDIR}/config
>>>>>>> -    install -d ${D}/${sysconfdir}/selinux
>>>>>>> -    install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
>>>>>>> -}
>>>>>>> -
>>>>>>> -sysroot_stage_all_append () {
>>>>>>> -    sysroot_stage_dir ${D}${sysconfdir}
>>>>>>> ${SYSROOT_DESTDIR}${sysconfdir}
>>>>>>> -}
>>>>>>>
>>>>>
>>>>
>>>>
>>




Thread overview: 12+ messages
2016-04-04  0:21 [meta-selinux][PATCH 0/3] refpolicy virtual package Philip Tricca
2016-04-04  0:21 ` [meta-selinux][PATCH 1/3] refpolicy: Setup virtual/refpolicy provider Philip Tricca
2016-04-04  0:21 ` [meta-selinux][PATCH 2/3] Integrate selinux-config into refpolicy_common Philip Tricca
2016-04-08  8:27   ` wenzong fan
2016-04-11 12:54     ` Joe MacDonald
2016-04-12  3:55       ` Philip Tricca
2016-04-12  5:54         ` wenzong fan
2016-04-12 14:05           ` Joe MacDonald
2016-04-13  7:23             ` wenzong fan
2016-04-17  5:10               ` Philip Tricca
2016-04-04  0:21 ` [meta-selinux][PATCH 3/3] refpolicy_common: Sanity test DEFAULT_ENFORCING value and set default Philip Tricca
2016-04-04 17:53 ` [meta-selinux][PATCH 0/3] refpolicy virtual package Joe MacDonald
