[[yocto] [meta-selinux] Updated meta-selinux -- master-next] On 13.09.19 (Thu 13:41) Mark Hatle wrote:
> I have updated meta-selinux, and placed the update into the 'master-next'
> branch.
>
> This was locally tested with Poky as of commit
> 853bc53cd58a621918f0e5ce662dba263d1befb4.
>
> Note, when building the core-image-selinux, the internal refpolicies
> cause a lot of failures. I'm not an expert on how this should be
> configured, so I'm looking for help/patches from others.
>
> If you know of any other additional patches that should be applied,
> or are able to help with the refpolicies, please let me know!
>
> Thanks!
> --Mark
I just pushed a new (non-ff!) update to master-next. It includes the
following:
- Mark Hatle: policycoreutils: avoid shell for checking target-special
actions
- Mark Hatle: setools: Uprev setools
- Mark Hatle: README: Update status
- Mark Hatle: libcap-ng: Uprev libcap-ng
- Mark Hatle: audit: Uprev to audit 2.3.2
- Mark Hatle: swig: Update to latest swig from meta-openembedded
- Mark Hatle: python-ipy: Uprev to latest 0.81 version
- Mark Hatle: distro/*: Update the distro files
- Christopher Larson: layer.conf: avoid unnecessary early expansion with :=
- Qiang Chen: selinux: remove reference to locale env files from login
- Mark Hatle: linux-yocto: Add support for the 3.10 kernel
- Xin Ouyang: kernel: add BBAPPEND for linux 3.10
- Xin Ouyang: busybox: alternatives link to sh wrappers for commands
- Xin Ouyang: refpolicy*: remove old version recipes and patches.
- Xin Ouyang: refpolicy*: add new version 2.20130424
- Joe MacDonald: udev/init: work around dev-cache restore problems
- Mark Hatle: udev/init: sync to latest poky version
- Xin Ouyang: always force to restore file contexts in initscripts
- Xin Ouyang: policycoreutils: fix wrong newrole/run_init pam config
- Xin Ouyang: sepolgen: migrate SRC_URI to 1.1.9
- Xin Ouyang: policycoreutils: migrate SRC_URI and patches to 2.1.14
- Xin Ouyang: libsepol: migrate SRC_URI to 2.1.9
- Xin Ouyang: libsemanage: migrate SRC_URI to 2.1.10
- Xin Ouyang: libselinux: migrate SRC_URI and patches to 2.1.13
- Xin Ouyang: checkpolicy: migrate SRC_URI to 2.1.12
- Xin Ouyang: selinux userspace: uprev packages to release 20130423
- Philip Tricca: Add ${bindir}/sepolgen to system-config-selinux package.
- Philip Tricca: Check for the availability of 'secon' and 'setenforce' in
the selinux-init.sh script.
- Philip Tricca: Resend: Install policy headers and include them in the
refpolicy dev package.
- Joe Slater: openssh: add PACKAGECONFIG data regarding audit
- Philip Tricca: Add util-linux-agetty to core-image-selinux IMAGE_INSTALL.
- Joe MacDonald: documentation: update guidance for runqemu
- Philip Tricca: Stage SELinux config file in the sysroot.
- Philip Tricca: Add leading whitespace to DISTRO_FEATURES_append in
oe-selinux.conf
It's still not as clean as I would like it, but at least I understand
(most of) the current failures. I'll probably not get another chance to
look at this until Monday, though.
First boot and auto-relabel works fine.
Second boot generates the following audit warnings:
type=1401 audit(1380309719.391:4): security_validate_transition: denied for
oldcontext=system_u:object_r:device_t:s15:c0.c1023
newcontext=system_u:object_r:framebuf_device_t:s0
taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=chr_file
udevd[135]: setfilecon /dev/fb0 failed: Operation not permitted
type=1401 audit(1380309729.653:5): security_validate_transition: denied for
oldcontext=system_u:object_r:device_t:s15:c0.c1023
newcontext=system_u:object_r:tty_device_t:s0
taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=chr_file
type=1401 audit(1380309729.663:6): security_validate_transition: denied for
oldcontext=system_u:object_r:device_t:s15:c0.c1023
newcontext=system_u:object_r:tty_device_t:s0
taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=chr_file
udevd[86]: setfilecon /dev/vcs2 failed: Operation not permitted
udevd[93]: setfilecon /dev/vcsa2 failed: Operation not permitted
I initially sunk a lot of time into these until I realized the problem
is present (and just not reported) in master. I haven't yet opened a
bug on it, but I intend to unless I can fix it myself (or someone sends
me a patch) in the very short term.
Subsequent boots are less happy:
type=1401 audit(1380310608.155:5): security_validate_transition: denied for
oldcontext=system_u:object_r:device_t:s0
newcontext=system_u:object_r:memory_device_t:s15:c0.c1023
taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=chr_file
type=1401 audit(1380310608.164:6): security_validate_transition: denied for
oldcontext=system_u:object_r:device_t:s0
newcontext=system_u:object_r:memory_device_t:s15:c0.c1023
taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=chr_file
type=1401 audit(1380310608.178:7): security_validate_transition: denied for
oldcontext=system_u:object_r:device_t:s0
newcontext=system_u:object_r:memory_device_t:s15:c0.c1023
taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=chr_file
type=1401 audit(1380310608.203:8): security_validate_transition: denied for
oldcontext=system_u:object_r:device_t:s0
newcontext=system_u:object_r:kmsg_device_t:s15:c0.c1023
taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=chr_file
type=1401 audit(1380310608.783:9): security_validate_transition: denied for
oldcontext=system_u:object_r:fixed_disk_device_t:s0
newcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023
taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=blk_file
type=1401 audit(1380310608.789:10): security_validate_transition: denied
for oldcontext=system_u:object_r:fixed_disk_device_t:s0
newcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023
taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=blk_file
type=1401 audit(1380310608.793:11): security_validate_transition: denied
for oldcontext=system_u:object_r:fixed_disk_device_t:s0
newcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023
taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=blk_file
type=1401 audit(1380310608.798:12): security_validate_transition: denied
for oldcontext=system_u:object_r:fixed_disk_device_t:s0
newcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023
taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=blk_file
type=1401 audit(1380310608.802:13): security_validate_transition: denied
for oldcontext=system_u:object_r:fixed_disk_device_t:s0
newcontext=system_u:object_r:fixed_disk_device_t:s15:c0.c1023
taskcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023 tclass=blk_file
udevd[86]: starting version 182
Starting Bootlog daemon: bootlogd.
Populating dev cache
ALSA: Restoring mixer settings...
audit_printk_skb: 87 callbacks suppressed
type=1400 audit(1380310625.861:43): avc: denied { read write } for
pid=249 comm="alsactl" path="/dev/ttyS0" dev="devtmpfs" ino=6092
scontext=system_u:system_r:alsa_t:s0-s15:c0.c1023
tcontext=root:object_r:user_tty_device_t:s0 tclass=chr_file
Configuring network interfaces... done.
Starting rpcbind daemon...type=1400 audit(1380310628.230:44): avc: denied
{ read write } for pid=265 comm="rpcbind" path="/dev/ttyS0" dev="devtmpfs"
ino=6092 scontext=system_u:system_r:rpcbind_t:s0-s15:c0.c1023
tcontext=root:object_r:user_tty_device_t:s0 tclass=chr_file
done.
But these are all due to problems I detail in "udev/init: work around
dev-cache restore problems". There's a simple workaround for it, but
it's hacky (less hacky than not using the dev cache at all? more? not
sure) so I'd rather come up with a cleaner solution.
Anyway, that's the state of meta-selinux's master-next as of right now.
As mentioned (somewhere) elsewhere, master-next will continue to be
non-ff for the foreseeable future, so anyone else should use it with
caution. master is, of course, perfectly stable (and I hope up-to-date
with all current submissions merged).
--
-Joe MacDonald.
:wq
signature.asc
Description: Digital signature
_______________________________________________ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
