diff options
| author | Philip Tricca <flihp@twobit.us> | 2015-09-11 22:18:26 -0700 |
|---|---|---|
| committer | Joe MacDonald <joe_macdonald@mentor.com> | 2015-09-17 15:18:43 -0400 |
| commit | dfa1054f3330af3fa18f522488af88e4269e394c (patch) | |
| tree | 873e1d06607593512ecc5295001e5c2438d0a0d6 | |
| parent | e09eaef7a9acb552a4a5e1f90117154ae06b6fda (diff) | |
| download | meta-selinux-dfa1054f3330af3fa18f522488af88e4269e394c.tar.gz | |
refpolicy: Update policy install and bootstrap process for CIL.
The policy modules are now installed into /var/lib/selinux instead
of /etc/selinux.
Policies now have priorities. This is represented as part of the path
under /var/lib/selinux.
The new intermediate policy representation requires that we install
the policy package as 3 files (hll, cil & lang_ext) instead of just
the *.pp as before. The cil is generated from the hll (the pp file)
using the new 'pp' utility.
The base policy module now lives with all of the other modules.
policy.kern has gone away.
Signed-off-by: Philip Tricca <flihp@twobit.us>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
| -rw-r--r-- | recipes-security/refpolicy/refpolicy_common.inc | 40 |
1 files changed, 26 insertions, 14 deletions
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc index 620e7c0..de38dfc 100644 --- a/recipes-security/refpolicy/refpolicy_common.inc +++ b/recipes-security/refpolicy/refpolicy_common.inc | |||
| @@ -14,6 +14,7 @@ S = "${WORKDIR}/refpolicy" | |||
| 14 | FILES_${PN} = " \ | 14 | FILES_${PN} = " \ |
| 15 | ${sysconfdir}/selinux/${POLICY_NAME}/ \ | 15 | ${sysconfdir}/selinux/${POLICY_NAME}/ \ |
| 16 | ${datadir}/selinux/${POLICY_NAME}/*.pp \ | 16 | ${datadir}/selinux/${POLICY_NAME}/*.pp \ |
| 17 | ${localstatedir}/lib/selinux/${POLICY_NAME}/ \ | ||
| 17 | " | 18 | " |
| 18 | FILES_${PN}-dev =+ " \ | 19 | FILES_${PN}-dev =+ " \ |
| 19 | ${datadir}/selinux/${POLICY_NAME}/include/ \ | 20 | ${datadir}/selinux/${POLICY_NAME}/include/ \ |
| @@ -65,20 +66,33 @@ do_compile() { | |||
| 65 | 66 | ||
| 66 | prepare_policy_store () { | 67 | prepare_policy_store () { |
| 67 | oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install | 68 | oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install |
| 69 | POL_PRIORITY=100 | ||
| 70 | POL_SRC=${D}${datadir}/selinux/${POLICY_NAME} | ||
| 71 | POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME} | ||
| 72 | POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY} | ||
| 68 | 73 | ||
| 69 | # Prepare to create policy store | 74 | # Prepare to create policy store |
| 70 | mkdir -p ${D}${sysconfdir}/selinux/ | 75 | mkdir -p ${POL_STORE} |
| 71 | mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/policy | 76 | mkdir -p ${POL_ACTIVE_MODS} |
| 72 | mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules | 77 | |
| 73 | mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files | 78 | # get hll type from suffix on base policy module |
| 74 | touch ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files/file_contexts.local | 79 | HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}') |
| 75 | for i in ${D}${datadir}/selinux/${POLICY_NAME}/*.pp; do | 80 | HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE} |
| 76 | bzip2 -f $i && mv -f $i.bz2 $i | 81 | |
| 77 | if [ "`basename $i`" != "base.pp" ]; then | 82 | for i in ${POL_SRC}/*.${HLL_TYPE}; do |
| 78 | cp $i ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/`basename $i` | 83 | MOD_NAME=$(basename $i | sed "s/\.${HLL_TYPE}$//") |
| 84 | MOD_DIR=${POL_ACTIVE_MODS}/${MOD_NAME} | ||
| 85 | mkdir -p ${MOD_DIR} | ||
| 86 | echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext | ||
| 87 | if ! bzip2 -qt $i 2>/dev/null; then | ||
| 88 | ${HLL_BIN} $i | bzip2 --stdout > ${MOD_DIR}/cil | ||
| 89 | bzip2 -f $i && mv -f $i.bz2 $i | ||
| 79 | else | 90 | else |
| 80 | cp $i ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/`basename $i` | 91 | bunzip2 --stdout $i | \ |
| 92 | ${HLL_BIN} | \ | ||
| 93 | bzip2 --stdout > ${MOD_DIR}/cil | ||
| 81 | fi | 94 | fi |
| 95 | cp $i ${MOD_DIR}/hll | ||
| 82 | done | 96 | done |
| 83 | } | 97 | } |
| 84 | 98 | ||
| @@ -100,6 +114,8 @@ EOF | |||
| 100 | # Create policy store and build the policy | 114 | # Create policy store and build the policy |
| 101 | semodule -p ${D} -s ${POLICY_NAME} -n -B | 115 | semodule -p ${D} -s ${POLICY_NAME} -n -B |
| 102 | rm -f ${D}${sysconfdir}/selinux/semanage.conf | 116 | rm -f ${D}${sysconfdir}/selinux/semanage.conf |
| 117 | # no need to leave tmp dir created by semanage lanying around | ||
| 118 | rm -rf ${D}${localstatedir}/lib/selinux/tmp | ||
| 103 | } | 119 | } |
| 104 | 120 | ||
| 105 | install_misc_files () { | 121 | install_misc_files () { |
| @@ -114,10 +130,6 @@ install_misc_files () { | |||
| 114 | 130 | ||
| 115 | # install policy headers | 131 | # install policy headers |
| 116 | oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install-headers | 132 | oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install-headers |
| 117 | |||
| 118 | # Fix symbol link policy.kern | ||
| 119 | link_path=`readlink -f ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/policy.kern` | ||
| 120 | ln -sf ../../policy/`basename $link_path` ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/policy.kern | ||
| 121 | } | 133 | } |
| 122 | 134 | ||
| 123 | do_install () { | 135 | do_install () { |