[Buildroot] [PATCH 1/2] package/libsemanage: add option to manually define policy version

Adam Duskett aduskett at gmail.com
Sun Dec 15 17:36:49 UTC 2019


On Sun, Dec 15, 2019 at 3:50 AM Thomas Petazzoni
<thomas.petazzoni at bootlin.com> wrote:
>
> Hello Adam,
>
> Thanks for this patch. With the explanations of the commit log and the
> cover letter, I understand a bit better what's going on.
>
> On Sat, 14 Dec 2019 17:15:16 -0800
> aduskett at gmail.com wrote:
>
> > +if BR2_PACKAGE_LIBSEMANAGE
> > +
> > +config BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION
> > +     bool "Manually specify the policy version"
> > +     help
> > +       Manually specify the policy version to build.
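
Review bot: the help text for BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION only restates the prompt and does not say what happens when the option is left off. The .mk part of this patch falls back to LIBSEMANAGE_MAX_POLICY_VERSION = 31 in that case, so the help should state that value and explain when a user would need to lower it.
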
>
> Do we really need this boolean? Why not always have the option BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION?
>
> > +if BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION
> > +
> > +config BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION
> > +     int "maximum policy version"
> > +     default 25
> > +     range 25 31
> > +     help
> > +       The maximum SELinux policy version your kernel supports.
> > +
> > +       Here's a handy table to help you choose:
> > +       kernel version   SElinux policy max version
> > +       <= 2.6.x         25
> > +       > 2.6 <= 3.5     26
> > +       > 3.5 <= 3.14    28 (27 and 28 were added at the same time)
> > +       > 3.14 <= 4.3    29
> > +       > 4.3 <= 4.13    30
> > +       > 4.13 <= 5.5    31
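
Review bot: the first two rows of the help table are ambiguous, since "<= 2.6.x" and "> 2.6 <= 3.5" can both be read as covering a 2.6.x kernel. State the boundaries as explicit kernel releases so each kernel falls in exactly one row. The table header also spells "SElinux" where the line above uses "SELinux". Separately, "default 25" here is the lowest value in the range while the non-manual path in the .mk uses 31, so merely enabling the manual option drops the effective version from 31 to 25 until the user edits it.
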
>
> I think on top of PATCH 1/2, another patch could be added to make
> things a little bit smarter in terms of defaults:
>
>         default 31 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_13
>         default 30 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_3
>         default 29 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_14
>         default 28 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_5
>         default 26 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_2_6
>         default 25
>
I'm not sure I like this, as toolchain header versions can be
misleading, but it's up to you.

> This would at least allow the default value to be a bit more sensible
> than just using "25", which is ancient.
>
> > +# This default value may be overwritten by setting the policy-version = line in
> > +# /etc/semanage/semanage.conf.
> > +LIBSEMANAGE_MAX_POLICY_VERSION = 31
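
Review bot: the comment above LIBSEMANAGE_MAX_POLICY_VERSION names /etc/semanage/semanage.conf, but the hook later in this patch edits $(TARGET_DIR)/etc/selinux/semanage.conf. The comment should name the file the sed actually touches. It would also help to say that 31 is the value written when the manual option is off, since this is the only place that number is set.
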
>
> Here, what you're basically doing is assuming that if
> BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION is not enabled, we
> default to "31". But "31" may be wrong. That's why I suggest dropping
> BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION and always having a
> BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION option.
>
I made it like this as a fallback. If you want to use the max, then
you don't have to select anything.
Although that could be misleading.

> > +ifeq ($(BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION),y)
> > +LIBSEMANAGE_MAX_POLICY_VERSION = $(BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION)
> > +endif
> > +
> > +define LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY
> > +     $(SED) "/policy-version = /c\policy-version = $(LIBSEMANAGE_MAX_POLICY_VERSION)" \
> > +             $(TARGET_DIR)/etc/selinux/semanage.conf
> > +endef
> > +LIBSEMANAGE_POST_INSTALL_TARGET_HOOKS += LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY
> > +HOST_LIBSEMANAGE_POST_INSTALL_HOOKS += LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY
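
Review bot: the sed in LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY only rewrites a line that already contains "policy-version = ", so if the installed semanage.conf has no such line the hook succeeds and the configured version is silently not applied. Check for the line first and append it when it is missing, or fail the build. The pattern is also unanchored, so it replaces any line containing that text, including a commented-out one; if that is intended, a comment saying so would help. The HOST_LIBSEMANAGE_POST_INSTALL_HOOKS line registers the same hook for the host build, which then edits a file under $(TARGET_DIR), so it should be dropped or given its own host-side path.
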
>
> The host hook is not appropriate: it tweaks a file in $(TARGET_DIR),
> which is not good.
>
Yeah, my bad.

> Best regards,
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com

