diff options
| author | Wenzong Fan <wenzong.fan@windriver.com> | 2016-04-08 04:19:32 -0400 |
|---|---|---|
| committer | Philip Tricca <flihp@twobit.us> | 2016-04-17 06:11:42 +0000 |
| commit | 3eab039fd081069c3088601d8e5b515dfccc26e8 (patch) | |
| tree | 9738c21850e231d0808d3a2a439c42ace2ecda04 | |
| parent | a9e8f834d7a7bd94c649af89205c354ffbe1d3a6 (diff) | |
| download | meta-selinux-3eab039fd081069c3088601d8e5b515dfccc26e8.tar.gz | |
refpolicy-minimum: port changes for prepare_policy_store
Apply the changes to refpolicy-minimum_2.20151208.bb:
commit bfaf278116e6c3a04bb82c9f8a4f8629a0a85df8
Author: Wenzong Fan <wenzong.fan@windriver.com>
Date: Tue Oct 27 06:25:04 2015 -0400
refpolicy-minimum: update prepare_policy_store
* update prepare_policy_store() for supporting SELinux 2.4 & CIL, the
logic is from refpolicy_common.inc but with minimum set of policy
modules;
* add extra policy modules that required by sysnetwork, without those
modules the install process will fail with error:
| Failed to resolve roletype statement at 62 of \
.../image/var/lib/selinux/minimum/tmp/modules/100/sysnetwork/cil
| Failed to resolve ast
| semodule: Failed!
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
| -rw-r--r-- | recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb | 41 |
1 files changed, 30 insertions, 11 deletions
diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb index b275821..47ed558 100644 --- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb +++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb | |||
| @@ -26,23 +26,42 @@ EXTRA_POLICY_MODULES += "nscd" | |||
| 26 | # "login", so "login" process will access to /var/spool/mail. | 26 | # "login", so "login" process will access to /var/spool/mail. |
| 27 | EXTRA_POLICY_MODULES += "mta" | 27 | EXTRA_POLICY_MODULES += "mta" |
| 28 | 28 | ||
| 29 | # sysnetwork requires type definitions (insmod_t, consoletype_t, | ||
| 30 | # hostname_t, ping_t, netutils_t) from modules: | ||
| 31 | EXTRA_POLICY_MODULES += "modutils consoletype hostname netutils" | ||
| 32 | |||
| 29 | POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}" | 33 | POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}" |
| 30 | 34 | ||
| 31 | # re-write the same func from refpolicy_common.inc | 35 | # re-write the same func from refpolicy_common.inc |
| 32 | prepare_policy_store () { | 36 | prepare_policy_store () { |
| 33 | oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install | 37 | oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install |
| 38 | POL_PRIORITY=100 | ||
| 39 | POL_SRC=${D}${datadir}/selinux/${POLICY_NAME} | ||
| 40 | POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME} | ||
| 41 | POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY} | ||
| 34 | 42 | ||
| 35 | # Prepare to create policy store | 43 | # Prepare to create policy store |
| 36 | mkdir -p ${D}${sysconfdir}/selinux/ | 44 | mkdir -p ${POL_STORE} |
| 37 | mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/policy | 45 | mkdir -p ${POL_ACTIVE_MODS} |
| 38 | mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules | 46 | |
| 39 | mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files | 47 | # get hll type from suffix on base policy module |
| 40 | touch ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local | 48 | HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}') |
| 41 | for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do | 49 | HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE} |
| 42 | bzip2 -f $i && mv -f $i.bz2 $i | 50 | |
| 43 | done | 51 | for i in base ${POLICY_MODULES_MIN}; do |
| 44 | cp base.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp | 52 | MOD_FILE=${POL_SRC}/${i}.${HLL_TYPE} |
| 45 | for i in ${POLICY_MODULES_MIN}; do | 53 | MOD_DIR=${POL_ACTIVE_MODS}/${i} |
| 46 | cp ${i}.pp ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i.pp` | 54 | mkdir -p ${MOD_DIR} |
| 55 | echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext | ||
| 56 | |||
| 57 | if ! bzip2 -t ${MOD_FILE} >/dev/null 2>&1; then | ||
| 58 | ${HLL_BIN} ${MOD_FILE} | bzip2 --stdout > ${MOD_DIR}/cil | ||
| 59 | bzip2 -f ${MOD_FILE} && mv -f ${MOD_FILE}.bz2 ${MOD_FILE} | ||
| 60 | else | ||
| 61 | bunzip2 --stdout ${MOD_FILE} | \ | ||
| 62 | ${HLL_BIN} | \ | ||
| 63 | bzip2 --stdout > ${MOD_DIR}/cil | ||
| 64 | fi | ||
| 65 | cp ${MOD_FILE} ${MOD_DIR}/hll | ||
| 47 | done | 66 | done |
| 48 | } | 67 | } |