[Buildroot] [PATCH v2 1/1] package/libsemanage: add option to manually define policy version

aduskett at gmail.com aduskett at gmail.com
Sun Dec 15 18:00:03 UTC 2019


From: Adam Duskett <Aduskett at gmail.com>

The semodule package derives the maximum SELinux policy version from
the libsemanage library.

By default, libsemanage returns the highest supported policy version that
libsepol supports found in include/sepol/policydb/policydb.h and not just from
the Kernel. However, if the maximum supported SELinux policy version supported
by the Kernel is lower than the maximum supported policy version from
libsemanage, if a user attempts to build a policy using the semodule program,
semodule fails when creating a policy with the error:
  "policydb version X does not match my version range 15-X."

This default may be overridden by setting the `policy-version =` line in
/etc/semanage/semanage.conf.

Create an option that allows a user to overwrite the default policy version to
ensure that semodule works on older kernels.

Signed-off-by: Adam Duskett <Aduskett at gmail.com>
---
Changes v1 -> v2:
  - Set the default value of the policy version based off of the toolchain
    header version (Thomas)
  - Remove the BR2_PACKAGE_LIBSEMANAGE_POLICY_MANUAL_VERSION option (Thomas)
  - Remove LIBSEMANAGE_MAX_POLICY_VERSION variable from libsemanage.mk (Thomas)
  - Fix the post install hook for hosts. (Thomas)


 package/libsemanage/Config.in      | 25 +++++++++++++++++++++++++
 package/libsemanage/libsemanage.mk | 24 ++++++++++++++++++++++++
 2 files changed, 49 insertions(+)

diff --git a/package/libsemanage/Config.in b/package/libsemanage/Config.in
index 3c7050ee51..04fa046b0f 100644
--- a/package/libsemanage/Config.in
+++ b/package/libsemanage/Config.in
@@ -17,6 +17,31 @@ config BR2_PACKAGE_LIBSEMANAGE
 
 	  http://selinuxproject.org/page/Main_Page
 
+if BR2_PACKAGE_LIBSEMANAGE
+
+config BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION
+	int "maximum policy version"
+	default 31 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_13
+	default 30 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_3
+	default 29 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_14
+	default 28 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_5
+	default 26 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_2_6
+	default 25
+	range 25 31
+	help
+	  The maximum SELinux policy version your kernel supports.
+
+	  Here's a handy table to help you choose:
+	  kernel version   SElinux policy max version
+	  <= 2.6.x         25
+	  > 2.6 <= 3.5     26
+	  > 3.5 <= 3.14    28 (27 and 28 were added at the same time)
+	  > 3.14 <= 4.3    29
+	  > 4.3 <= 4.13    30
+	  > 4.13 <= 5.5    31
+
+endif # BR2_PACKAGE_LIBSEMANAGE
+
 comment "libsemanage needs a toolchain w/ threads, dynamic library"
 	depends on BR2_PACKAGE_AUDIT_ARCH_SUPPORTS
 	depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_STATIC_LIBS
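Review bot: The help table does not agree with the defaults above it: `default 31 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_13` selects 31 for headers of exactly 4.13, while the row `> 4.3 <= 4.13    30` tells the user a 4.13 kernel only supports 30, and the same boundary mismatch repeats at 4.3, 3.14 and 3.5. One of the two is off by one; if the defaults are right, rewrite the rows as lower-inclusive bounds, e.g. `>= 4.13          31`, and note that the `<= 5.5` ceiling and the `range 25 31` clamp will both need bumping when a newer kernel raises the maximum. The help should also state that the default is derived from the toolchain headers version, which is only a proxy for the kernel that will actually run on the target, so a user building against newer headers than the runtime kernel must lower this value by hand. Minor: `SElinux` → `SELinux`, and unless I am mistaken Buildroot has no `BR2_TOOLCHAIN_HEADERS_AT_LEAST_2_6` symbol, in which case the `default 26` line is never taken and headers older than 3.5 silently fall through to 25.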
diff --git a/package/libsemanage/libsemanage.mk b/package/libsemanage/libsemanage.mk
index fd90346049..74e3a91c5e 100644
--- a/package/libsemanage/libsemanage.mk
+++ b/package/libsemanage/libsemanage.mk
@@ -13,6 +13,30 @@ LIBSEMANAGE_INSTALL_STAGING = YES
 
 LIBSEMANAGE_MAKE_OPTS = $(TARGET_CONFIGURE_OPTS)
 
+# Semodule derives the maximum SELinux policy version from libsemanage.
+# By default, libsemanage returns the highest supported policy version that
+# libsepol supports found in include/sepol/policydb/policydb.h and not just
+# from the Kernel. However, if the maximum supported SELinux policy version
+# supported by the Kernel is lower than the maximum supported policy version
+# from libsemanage, if a user attempts to build a policy using the semodule
+# program, semodule fails when creating a policy with the error:
+# policydb version X does not match my version range 15-X.
+
+# This default value may be overwrriten by setting the policy-version = line in
+# /etc/semanage/semanage.conf.
+LIBSEMANAGE_MAX_POLICY_VERSION = $(BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION)
+
+define LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY_TARGET
+	$(SED) "/policy-version = /c\policy-version = $(LIBSEMANAGE_MAX_POLICY_VERSION)" \
+		$(TARGET_DIR)/etc/selinux/semanage.conf
+endef
+define LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY_HOST
+	$(SED) "/policy-version = /c\policy-version = $(LIBSEMANAGE_MAX_POLICY_VERSION)" \
+		$(HOST_DIR)/etc/selinux/semanage.conf
+endef
+LIBSEMANAGE_POST_INSTALL_TARGET_HOOKS += LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY_TARGET
+HOST_LIBSEMANAGE_POST_INSTALL_HOOKS += LIBSEMANAGE_SET_SEMANAGE_MAX_POLICY_HOST
+
 define LIBSEMANAGE_BUILD_CMDS
 	$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) $(LIBSEMANAGE_MAKE_OPTS) all
 endef
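Review bot: The `$(SED) "/policy-version = /c\..."` edits in both hooks succeed silently when semanage.conf contains no `policy-version = ` line, so a libsemanage release that ships a different default file would leave the version unset with no build error; precede each sed with a guard such as `grep -q 'policy-version = ' $(TARGET_DIR)/etc/selinux/semanage.conf` (and the `$(HOST_DIR)` equivalent) so the hook fails loudly instead. The comment above the hooks says the file is `/etc/semanage/semanage.conf`, but the sed targets `$(TARGET_DIR)/etc/selinux/semanage.conf`; align the comment with the real path and fix `overwrriten` → `overridden`. The changelog states that `LIBSEMANAGE_MAX_POLICY_VERSION` was removed, yet `LIBSEMANAGE_MAX_POLICY_VERSION = $(BR2_PACKAGE_LIBSEMANAGE_POLICY_MAX_VERSION)` is still added here; either drop it and use the Kconfig symbol directly in the hooks, or correct the changelog. Since the two hooks differ only in the directory, one `define` taking the root as `$(1)` and invoked via `$(call ...)` would avoid duplicating the sed expression.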
-- 
2.23.0



