
[meta-selinux,PATCH/V2] refpolicy: Add support for custom policy store

Message ID 20251215135126.1605250-1-quic_sasikuma@quicinc.com

Commit Message

Sasi Kumar Maddineni (QUIC) Dec. 15, 2025, 1:51 p.m. UTC
By default, policy modules (*.pp) are stored in the /var directory.
Features like ostree remove files from variable-data directories
such as /var at build time.

Added support for custom policy store. We can now configure
path to custom policy store to variable `POLICY_CUSTOM_STORE`.

Signed-off-by: Sasi Kumar Maddineni <quic_sasikuma@quicinc.com>
---
 .../refpolicy/refpolicy_common.inc            |  9 ++++++---
 recipes-security/selinux/libsemanage_3.9.bb   | 20 ++++++++++++++++---
 2 files changed, 23 insertions(+), 6 deletions(-)

Comments

Yi Zhao Dec. 16, 2025, 7:22 a.m. UTC | #1
Hi Sasi,


I got the following error with this patch:

ERROR: refpolicy-standard-2.20250923+git-r0 do_package: QA Issue: FILES 
variable for package refpolicy-standard contains '//' which is invalid. 
Attempting to fix this but you should correct the metadata. [files-invalid]


Can you have a look at this failure please ?


//Yi


On 12/15/25 21:51, Sasi Kumar Maddineni (QUIC) via 
lists.yoctoproject.org wrote:
> By default, policy modules(*.pp) are stored in /var directory.
> Features like: ostree remove files in folders like /var
> variable data directory while build time.
>
> Added support for custom policy store. We can now configure
> path to custom policy store to variable `POLICY_CUSTOM_STORE`.
>
> Signed-off-by: Sasi Kumar Maddineni <quic_sasikuma@quicinc.com>
> ---
>   .../refpolicy/refpolicy_common.inc            |  9 ++++++---
>   recipes-security/selinux/libsemanage_3.9.bb   | 20 ++++++++++++++++---
>   2 files changed, 23 insertions(+), 6 deletions(-)
>
> diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
> index 964906b..5a4b500 100644
> --- a/recipes-security/refpolicy/refpolicy_common.inc
> +++ b/recipes-security/refpolicy/refpolicy_common.inc
> @@ -77,10 +77,12 @@ SRC_URI += " \
>   S = "${UNPACKDIR}/refpolicy"
>   
>   CONFFILES:${PN} = "${sysconfdir}/selinux/config"
> +
> +POLICY_CUSTOM_STORE ?= "${localstatedir}/lib/selinux/"
>   FILES:${PN} += " \
>       ${sysconfdir}/selinux/${POLICY_NAME}/ \
>       ${datadir}/selinux/${POLICY_NAME}/*.pp \
> -    ${localstatedir}/lib/selinux/${POLICY_NAME}/ \
> +    ${POLICY_CUSTOM_STORE}/${POLICY_NAME}/ \
>       "
>   FILES:${PN}-dev =+ " \
>       ${datadir}/selinux/${POLICY_NAME}/include/ \
> @@ -165,7 +167,7 @@ prepare_policy_store() {
>       oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
>       POL_PRIORITY=100
>       POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
> -    POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
> +    POL_STORE=${D}${POLICY_CUSTOM_STORE}/${POLICY_NAME}
>       POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
>   
>       # Prepare to create policy store
> @@ -207,13 +209,14 @@ args = \$@
>   [end]
>   
>   policy-version = 35
> +store-root = "${POLICY_CUSTOM_STORE}"
>   EOF
>   
>       # Create policy store and build the policy
>       semodule -p ${D} -s ${POLICY_NAME} -n -B
>       rm -f ${D}${sysconfdir}/selinux/semanage.conf
>       # No need to leave final dir created by semanage laying around
> -    rm -rf ${D}${localstatedir}/lib/selinux/final
> +    rm -rf ${D}${POLICY_CUSTOM_STORE}/final
>   }
>   
>   install_misc_files() {
> diff --git a/recipes-security/selinux/libsemanage_3.9.bb b/recipes-security/selinux/libsemanage_3.9.bb
> index 2425a2e..98ff73d 100644
> --- a/recipes-security/selinux/libsemanage_3.9.bb
> +++ b/recipes-security/selinux/libsemanage_3.9.bb
> @@ -32,6 +32,8 @@ FILES:${PN}-python = "${PYTHON_SITEPACKAGES_DIR}/* \
>   FILES:${PN}-dbg += "${PYTHON_SITEPACKAGES_DIR}/.debug/*"
>   FILES:${PN} += "${libexecdir}"
>   
> +POLICY_CUSTOM_STORE ?= "${localstatedir}/lib/selinux/"
> +
>   do_compile:append() {
>       oe_runmake pywrap \
>           PYLIBVER='python${PYTHON_BASEVERSION}' \
> @@ -46,9 +48,21 @@ do_install:append() {
>           PYLIBVER='python${PYTHON_BASEVERSION}' \
>           PYTHONLIBDIR='${PYTHON_SITEPACKAGES_DIR}'
>   
> -    # Update "policy-version" for semanage.conf
> -    sed -i 's/^#\s*\(policy-version\s*=\).*$/\1 35/' \
> -        ${D}/etc/selinux/semanage.conf
> +    conf_file="${D}/etc/selinux/semanage.conf"
> +
> +    if [ -f "${conf_file}" ]; then
> +        # Update "policy-version" for semanage.conf
> +        sed -i 's/^#\s*\(policy-version\s*=\).*$/\1 35/' \
> +            ${D}/etc/selinux/semanage.conf
> +
> +        # Update "store-root" for semanage.conf
> +        if grep -q '^store-root=' "${conf_file}"; then
> +            sed -i "s|^store-root=.*$|store-root=${POLICY_CUSTOM_STORE}|" "${conf_file}"
> +        else
> +            printf 'store-root=%s\n' "${POLICY_CUSTOM_STORE}" >> "${conf_file}"
> +        fi
> +    fi
> +
>   }
>   
>   BBCLASSEXTEND = "native"
Yi Zhao Dec. 16, 2025, 7:36 a.m. UTC | #2
On 12/15/25 21:51, Sasi Kumar Maddineni (QUIC) via 
lists.yoctoproject.org wrote:
> By default, policy modules(*.pp) are stored in /var directory.
> Features like: ostree remove files in folders like /var
> variable data directory while build time.
>
> Added support for custom policy store. We can now configure
> path to custom policy store to variable `POLICY_CUSTOM_STORE`.
>
> Signed-off-by: Sasi Kumar Maddineni<quic_sasikuma@quicinc.com>
> ---
>   .../refpolicy/refpolicy_common.inc            |  9 ++++++---
>   recipes-security/selinux/libsemanage_3.9.bb   | 20 ++++++++++++++++---
>   2 files changed, 23 insertions(+), 6 deletions(-)
>
> diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
> index 964906b..5a4b500 100644
> --- a/recipes-security/refpolicy/refpolicy_common.inc
> +++ b/recipes-security/refpolicy/refpolicy_common.inc
> @@ -77,10 +77,12 @@ SRC_URI += " \
>   S = "${UNPACKDIR}/refpolicy"
>   
>   CONFFILES:${PN} = "${sysconfdir}/selinux/config"
> +
> +POLICY_CUSTOM_STORE ?= "${localstatedir}/lib/selinux/"

I have some reservations about the variable name `POLICY_CUSTOM_STORE`.

By default, it's assigned to the system's default path, not a 
"customer-defined" path.

Therefore, I think a variable name like `POLICY_STORE_ROOT` would be 
more appropriate.


//Yi

>   FILES:${PN} += " \
>       ${sysconfdir}/selinux/${POLICY_NAME}/ \
>       ${datadir}/selinux/${POLICY_NAME}/*.pp \
> -    ${localstatedir}/lib/selinux/${POLICY_NAME}/ \
> +    ${POLICY_CUSTOM_STORE}/${POLICY_NAME}/ \
>       "
>   FILES:${PN}-dev =+ " \
>       ${datadir}/selinux/${POLICY_NAME}/include/ \
> @@ -165,7 +167,7 @@ prepare_policy_store() {
>       oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
>       POL_PRIORITY=100
>       POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
> -    POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
> +    POL_STORE=${D}${POLICY_CUSTOM_STORE}/${POLICY_NAME}
>       POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
>   
>       # Prepare to create policy store
> @@ -207,13 +209,14 @@ args = \$@
>   [end]
>   
>   policy-version = 35
> +store-root = "${POLICY_CUSTOM_STORE}"
>   EOF
>   
>       # Create policy store and build the policy
>       semodule -p ${D} -s ${POLICY_NAME} -n -B
>       rm -f ${D}${sysconfdir}/selinux/semanage.conf
>       # No need to leave final dir created by semanage laying around
> -    rm -rf ${D}${localstatedir}/lib/selinux/final
> +    rm -rf ${D}${POLICY_CUSTOM_STORE}/final
>   }
>   
>   install_misc_files() {
> diff --git a/recipes-security/selinux/libsemanage_3.9.bb b/recipes-security/selinux/libsemanage_3.9.bb
> index 2425a2e..98ff73d 100644
> --- a/recipes-security/selinux/libsemanage_3.9.bb
> +++ b/recipes-security/selinux/libsemanage_3.9.bb
> @@ -32,6 +32,8 @@ FILES:${PN}-python = "${PYTHON_SITEPACKAGES_DIR}/* \
>   FILES:${PN}-dbg += "${PYTHON_SITEPACKAGES_DIR}/.debug/*"
>   FILES:${PN} += "${libexecdir}"
>   
> +POLICY_CUSTOM_STORE ?= "${localstatedir}/lib/selinux/"
> +
>   do_compile:append() {
>       oe_runmake pywrap \
>           PYLIBVER='python${PYTHON_BASEVERSION}' \
> @@ -46,9 +48,21 @@ do_install:append() {
>           PYLIBVER='python${PYTHON_BASEVERSION}' \
>           PYTHONLIBDIR='${PYTHON_SITEPACKAGES_DIR}'
>   
> -    # Update "policy-version" for semanage.conf
> -    sed -i 's/^#\s*\(policy-version\s*=\).*$/\1 35/' \
> -        ${D}/etc/selinux/semanage.conf
> +    conf_file="${D}/etc/selinux/semanage.conf"
> +
> +    if [ -f "${conf_file}" ]; then
> +        # Update "policy-version" for semanage.conf
> +        sed -i 's/^#\s*\(policy-version\s*=\).*$/\1 35/' \
> +            ${D}/etc/selinux/semanage.conf
> +
> +        # Update "store-root" for semanage.conf
> +        if grep -q '^store-root=' "${conf_file}"; then
> +            sed -i "s|^store-root=.*$|store-root=${POLICY_CUSTOM_STORE}|" "${conf_file}"
> +        else
> +            printf 'store-root=%s\n' "${POLICY_CUSTOM_STORE}" >> "${conf_file}"
> +        fi
> +    fi
> +
>   }
>   
>   BBCLASSEXTEND = "native"

Patch

diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 964906b..5a4b500 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -77,10 +77,12 @@  SRC_URI += " \
 S = "${UNPACKDIR}/refpolicy"
 
 CONFFILES:${PN} = "${sysconfdir}/selinux/config"
+
+POLICY_CUSTOM_STORE ?= "${localstatedir}/lib/selinux/"
 FILES:${PN} += " \
     ${sysconfdir}/selinux/${POLICY_NAME}/ \
     ${datadir}/selinux/${POLICY_NAME}/*.pp \
-    ${localstatedir}/lib/selinux/${POLICY_NAME}/ \
+    ${POLICY_CUSTOM_STORE}/${POLICY_NAME}/ \
     "
 FILES:${PN}-dev =+ " \
     ${datadir}/selinux/${POLICY_NAME}/include/ \
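Review bot: The default store path is defined independently here and in the libsemanage_3.9.bb hunk at `@@ -32,6 +32,8 @@` (`POLICY_CUSTOM_STORE ?= "${localstatedir}/lib/selinux/"` in both), so the directory refpolicy packages its store under and the store-root libsemanage writes into semanage.conf only agree while both defaults are edited together; a per-recipe override (for example a `:pn-` conditional) would silently split them. Defining the default once in a shared file both recipes `require` (or in the layer's conf) removes that drift. The default also ends in a `/` while every consumer appends its own, `${POLICY_CUSTOM_STORE}/${POLICY_NAME}/` in FILES here and `${D}${POLICY_CUSTOM_STORE}/${POLICY_NAME}` in the prepare_policy_store hunk, so the expanded paths contain `//`; dropping the trailing slash, `POLICY_CUSTOM_STORE ?= "${localstatedir}/lib/selinux"`, normalizes them at every use site.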
@@ -165,7 +167,7 @@  prepare_policy_store() {
     oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
     POL_PRIORITY=100
     POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
-    POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
+    POL_STORE=${D}${POLICY_CUSTOM_STORE}/${POLICY_NAME}
     POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
 
     # Prepare to create policy store
@@ -207,13 +209,14 @@  args = \$@
 [end]
 
 policy-version = 35
+store-root = "${POLICY_CUSTOM_STORE}"
 EOF
 
     # Create policy store and build the policy
     semodule -p ${D} -s ${POLICY_NAME} -n -B
     rm -f ${D}${sysconfdir}/selinux/semanage.conf
     # No need to leave final dir created by semanage laying around
-    rm -rf ${D}${localstatedir}/lib/selinux/final
+    rm -rf ${D}${POLICY_CUSTOM_STORE}/final
 }
 
 install_misc_files() {
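Review bot: `store-root = "${POLICY_CUSTOM_STORE}"` is emitted here with spaces around `=` and a double-quoted value, whereas the libsemanage hunk at `@@ -46,9 +48,21 @@` writes `store-root=${POLICY_CUSTOM_STORE}` with neither and greps for exactly that shape, so the two recipes now disagree on the key's format in the same config file. Use one form in both places; I cannot confirm from this page whether libsemanage's conf parser accepts a quoted value, so the unquoted style already used in this heredoc (`policy-version = 35`) is the safer pick — TODO verify against libsemanage's config grammar. The trailing slash in the default also lands in `store-root` verbatim; see the note on the first hunk. This heredoc sits inside prepare_policy_store, whose start is outside the hunk.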
diff --git a/recipes-security/selinux/libsemanage_3.9.bb b/recipes-security/selinux/libsemanage_3.9.bb
index 2425a2e..98ff73d 100644
--- a/recipes-security/selinux/libsemanage_3.9.bb
+++ b/recipes-security/selinux/libsemanage_3.9.bb
@@ -32,6 +32,8 @@  FILES:${PN}-python = "${PYTHON_SITEPACKAGES_DIR}/* \
 FILES:${PN}-dbg += "${PYTHON_SITEPACKAGES_DIR}/.debug/*"
 FILES:${PN} += "${libexecdir}"
 
+POLICY_CUSTOM_STORE ?= "${localstatedir}/lib/selinux/"
+
 do_compile:append() {
     oe_runmake pywrap \
         PYLIBVER='python${PYTHON_BASEVERSION}' \
@@ -46,9 +48,21 @@  do_install:append() {
         PYLIBVER='python${PYTHON_BASEVERSION}' \
         PYTHONLIBDIR='${PYTHON_SITEPACKAGES_DIR}'
 
-    # Update "policy-version" for semanage.conf
-    sed -i 's/^#\s*\(policy-version\s*=\).*$/\1 35/' \
-        ${D}/etc/selinux/semanage.conf
+    conf_file="${D}/etc/selinux/semanage.conf"
+
+    if [ -f "${conf_file}" ]; then
+        # Update "policy-version" for semanage.conf
+        sed -i 's/^#\s*\(policy-version\s*=\).*$/\1 35/' \
+            ${D}/etc/selinux/semanage.conf
+
+        # Update "store-root" for semanage.conf
+        if grep -q '^store-root=' "${conf_file}"; then
+            sed -i "s|^store-root=.*$|store-root=${POLICY_CUSTOM_STORE}|" "${conf_file}"
+        else
+            printf 'store-root=%s\n' "${POLICY_CUSTOM_STORE}" >> "${conf_file}"
+        fi
+    fi
+
 }
 
 BBCLASSEXTEND = "native"
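Review bot: Wrapping the edit in `if [ -f "${conf_file}" ]` turns a missing semanage.conf from a task failure (the old unconditional `sed -i` would exit non-zero) into a silent no-op, in which case `store-root` is never set and the runtime semanage/semodule tools would presumably fall back to their built-in store path while refpolicy packages the store under `${POLICY_CUSTOM_STORE}`. Add an explicit branch so the mismatch is visible at build time: `else`, `bbfatal "semanage.conf not found at ${conf_file}; cannot set store-root"`, `fi`. The policy-version `sed` still targets the literal `${D}/etc/selinux/semanage.conf` rather than the `"${conf_file}"` introduced two lines above; use the variable for both edits. Also, `grep -q '^store-root='` only matches the no-space form, so if the shipped file already carries an active `store-root = …` line with spaces (unverified here), the `printf` branch would append a second, conflicting key instead of replacing it — anchoring on `^store-root[[:space:]]*=` covers both.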