
From: Sven Vermeulen <swift@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: /
Date: Thu, 02 Mar 2017 10:17:55
Message-Id: 1488449810.f95f7ed0d8bdb0bcfd8571363e5bb11799cf4678.swift@gentoo
1 commit: f95f7ed0d8bdb0bcfd8571363e5bb11799cf4678
2 Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
3 AuthorDate: Mon Feb 27 21:02:52 2017 +0000
4 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
5 CommitDate: Thu Mar 2 10:16:50 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f95f7ed0
7
8 Make "validate" target verify file contexts
9
10 When I synchronized my personal policy with the git master branch, "git
11 rebase" merged the file contexts I have defined for some systemd
12 components with the ones which have recently been merged. This resulted
13 in duplicated file contexts in systemd.fc, which made the policy unable
14 to be loaded.
15
16 This issue was not detected by "make validate" because this command
17 only verifies policy linking, not the correctness of the file contexts.
18 Moreover, this behavior of "make validate" only occurs when building a
19 modular policy, since Rules.monolithic already calls setfiles in order to
20 validate the file contexts:
21
22 validate: $(fc) $(polver)
23 @echo "Validating $(NAME) file_contexts."
24 $(verbose) $(SETFILES) -q -c $(polver) $(fc)
25 @echo "Success."
26
27 Invoke setfiles in Rules.modular too in order to catch issues in file
28 contexts with "make validate". With the issue I experienced, I would
29 have got the following message:
30
31 Validating policy file contexts.
32 /sbin/setfiles -q -c tmp/policy.bin tmp/all_mods.fc
33 tmp/all_mods.fc: Multiple same specifications for /run/systemd/machines(/.*)?.
34 tmp/all_mods.fc: Invalid argument
35 make: *** [Rules.modular:210: validate] Error 1
36
37 While at it, simplify .SECONDARY definition with a newly-introduced
38 $(all_mod_fc) variable.
39
40 Rules.modular | 12 +++++++++---
41 1 file changed, 9 insertions(+), 3 deletions(-)
42
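--- a/Rules.modular
+++ b/Rules.modular
@@ -5,6 +5,7 @@
 
 all_modules := $(base_mods) $(mod_mods) $(off_mods)
 all_interfaces := $(all_modules:.te=.if)
+all_mod_fc := $(addprefix $(tmpdir)/,$(notdir $(all_modules:.te=.mod.fc)))
 
 base_pkg := $(builddir)base.pp
 base_fc := $(builddir)base.fc
@@ -30,7 +31,7 @@ vpath %.te $(all_layers)
 vpath %.if $(all_layers)
 vpath %.fc $(all_layers)
 
-.SECONDARY: $(addprefix $(tmpdir)/,$(mod_pkgs:.pp=.mod)) $(addprefix $(tmpdir)/,$(mod_pkgs:.pp=.mod.fc))
+.SECONDARY: $(all_mod_fc:.mod.fc=.mod) $(all_mod_fc)
 
 ########################################
 #
@@ -85,6 +86,9 @@ $(builddir)%.pp: $(tmpdir)/%.mod $(tmpdir)/%.mod.fc
 	@test -d $(builddir) || mkdir -p $(builddir)
 	$(verbose) $(SEMOD_PKG) -o $@ -m $< -f $<.fc
 
+$(tmpdir)/all_mods.fc: $(all_mod_fc)
+	$(verbose) cat $^ > $@
+
 ########################################
 #
 # Create a base module package
@@ -198,10 +202,12 @@ $(appdir)/customizable_types: $(base_conf)
 #
 # Validate linking and expanding of modules
 #
-validate: $(base_pkg) $(mod_pkgs)
+validate: $(base_pkg) $(mod_pkgs) $(tmpdir)/all_mods.fc
 	@echo "Validating policy linking."
-	$(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^
+	$(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $(base_pkg) $(mod_pkgs)
 	$(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin
+	@echo "Validating policy file contexts."
+	$(verbose) $(SETFILES) -q -c $(tmpdir)/policy.bin $(tmpdir)/all_mods.fc
 	@echo "Success."
 
 ########################################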
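Review bot: The `cat $^ > $@` recipe for `$(tmpdir)/all_mods.fc` in the third hunk writes the target in place, so a failed or interrupted cat leaves a truncated all_mods.fc that is newer than its inputs; unless `.DELETE_ON_ERROR` is set elsewhere in Rules.modular (not visible here), the next `make validate` reuses it and the new setfiles check in the last hunk prints "Success." after validating only part of the file contexts. Writing atomically avoids that: `$(verbose) cat $^ > $@.tmp && mv -f $@.tmp $@`. Separately, `all_mod_fc` is derived from `all_modules`, which includes `$(off_mods)` (first hunk), whereas policy.bin is linked from `$(base_pkg) $(mod_pkgs)` only; if setfiles -c rejects contexts whose types are absent from the policy, the fc file of a disabled module would make validate fail, so it may be worth deriving the concatenation from the built modules instead — this is inferred and should be confirmed against setfiles' behaviour.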