From patchwork Mon Dec 29 09:00:00 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Sasi Kumar Maddineni X-Patchwork-Id: 77590 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0D8DDD3B7E5 for ; Mon, 29 Dec 2025 09:00:11 +0000 (UTC) Received: from mx0b-0031df01.pphosted.com (mx0b-0031df01.pphosted.com [205.220.180.131]) by mx.groups.io with SMTP id smtpd.msgproc02-g2.40298.1766998809140709441 for ; Mon, 29 Dec 2025 01:00:09 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@quicinc.com header.s=qcppdkim1 header.b=AKj6ZDqA; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: qualcomm.com, ip: 205.220.180.131, mailfrom: sasikuma@qualcomm.com) Received: from pps.filterd (m0279871.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 5BSMkiEN032385 for ; Mon, 29 Dec 2025 09:00:08 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quicinc.com; h= cc:content-transfer-encoding:date:from:message-id:mime-version :subject:to; s=qcppdkim1; bh=EogHV+5G/ewHp1++08alDSPmFKsVGj2qNYT oJB+IoT8=; b=AKj6ZDqAMLsFDq/xZzCQ4c/aSYKfxh5aDQcjEapV7YuaFLhCUrc MxQ48f0xoNDdQIf1nVCK/jYFH//0xrpIuikVL9wNU0I/Va03WvmcAPNjD6Hzzy/0 DSmb2UJTYAeNDceM7qOqrZ03y4LCdoaCraMFrr9kwpO/yLeEMZ/3M2iELm9iUWfl tfXU5g/EgDopp3DXjF/L3eMufi6iNuGnaaOEkUPJ710YIp00tviDL5HnbxKR1tYg m5IE6sW+yjOVWW93HtvF03TJFK6N43ROMOl02WGJs1Y7IdRlQh/Xp9tt+zngVs5Z 8Slm27rfm39AkB+sttgN8y8ZT/RRHUPNHYw== Received: from apblrppmta02.qualcomm.com (blr-bdr-fw-01_GlobalNAT_AllZones-Outside.qualcomm.com [103.229.18.19]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 4ba71wuwd3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 29 Dec 2025 09:00:07 +0000 (GMT) Received: from pps.filterd (APBLRPPMTA02.qualcomm.com [127.0.0.1]) by APBLRPPMTA02.qualcomm.com (8.18.1.2/8.18.1.2) with ESMTP id 5BT9035I026667 for ; Mon, 29 Dec 2025 09:00:03 GMT Received: from pps.reinject (localhost [127.0.0.1]) by APBLRPPMTA02.qualcomm.com (PPS) with ESMTPS id 4ba8hkvrey-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 29 Dec 2025 09:00:03 +0000 Received: from APBLRPPMTA02.qualcomm.com (APBLRPPMTA02.qualcomm.com [127.0.0.1]) by pps.reinject (8.17.1.5/8.17.1.5) with ESMTP id 5BT8vXwQ023569 for ; Mon, 29 Dec 2025 09:00:03 GMT Received: from hu-devc-hyd-u24-a.qualcomm.com ([10.213.102.143]) by APBLRPPMTA02.qualcomm.com (PPS) with ESMTPS id 5BT903ah026654 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 29 Dec 2025 09:00:03 +0000 Received: by hu-devc-hyd-u24-a.qualcomm.com (Postfix, from userid 4060212) id CF45021D33; Mon, 29 Dec 2025 14:30:02 +0530 (+0530) From: Sasi Kumar Maddineni To: yocto-patches@lists.yoctoproject.org Cc: Sasi Kumar Maddineni Subject: [meta-selinux][PATCH/V6] refpolicy: Add support to configure policy store root Date: Mon, 29 Dec 2025 14:30:00 +0530 Message-ID: <20251229090000.3305357-1-quic_sasikuma@quicinc.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 X-QCInternal: smtphost X-QCInternal: smtphost X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=5800 signatures=585085 X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=5800 signatures=585085 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUxMjI5MDA4MCBTYWx0ZWRfXy7s5kUmKEPr+ DNqch+aPYXwzLjIxxLLoytdwcCeCN9nmVs1MrflUhtVITnM6ZC0gYE6SS7EZRC5OJGSZa6hhlhB ACjXLET521aECt2v/wE6xK6PqNxSpj0PYWDv3s0Z0NBwG2YVZlGtlex6iicuiH4YmRRJ1TmcY3d MvomkiV7paYbr5U05/7RKYU26tWeFpohqfaj1JIiiFMGQ0rFaKFbtf8kp70dTPbsIVHEDCe9R6U fMK2YlgOf25AMkxIouyHlZXrq+hJ5IUTT5RfALyaIUDOpfwetn0B+vPKUHEtmb2LGOddV0fP9VI F/XXpz3fMKmCua7lJJC7tNVkAoZiVdJ5+KW0jGXkVt+w3VqZNd3n7qSF8OhJ7SPxMutBJVDbNrK dWfdEUrCxBVUamLyYSO3pn6fIsj2GI8yziow1l60OH7oiZN0yf0zXEaDV9W0c8I1lR3vw2bqSde m4ZAA84Rlau/8qs0P2g== X-Proofpoint-ORIG-GUID: kduhEou8PaU6tXcu_H73qT9tLrPK6chU X-Proofpoint-GUID: kduhEou8PaU6tXcu_H73qT9tLrPK6chU X-Authority-Analysis: v=2.4 cv=CK4nnBrD c=1 sm=1 tr=0 ts=69524317 cx=c_pps a=Ou0eQOY4+eZoSc0qltEV5Q==:117 a=Ou0eQOY4+eZoSc0qltEV5Q==:17 a=wP3pNCr1ah4A:10 a=VkNPw1HP01LnGYTKEx00:22 a=COk6AnOGAAAA:8 a=oCwQqg7PNz2VNpKvC5cA:9 a=TjNXssC_j7lpFel5tvFf:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.9,FMLib:17.12.100.49 definitions=2025-12-29_02,2025-12-29_01,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 bulkscore=0 impostorscore=0 lowpriorityscore=0 clxscore=1015 spamscore=0 adultscore=0 suspectscore=0 priorityscore=1501 phishscore=0 malwarescore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2512120000 definitions=main-2512290080 List-Id: X-Webhook-Received: from 45-33-107-173.ip.linodeusercontent.com [45.33.107.173] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 29 Dec 2025 09:00:11 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2878 By default, policy modules(*.pp) are stored in /var directory. Features like: ostree remove files in folders like /var variable data directory while build time. Added support for custom policy store. We can now configure path to custom policy store to variable `POLICY_STORE_ROOT`. Signed-off-by: Sasi Kumar Maddineni --- .../refpolicy/refpolicy_common.inc | 9 ++++++--- recipes-security/selinux/libsemanage_3.9.bb | 20 ++++++++++++++++--- 2 files changed, 23 insertions(+), 6 deletions(-) diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc index 964906b..59dfecd 100644 --- a/recipes-security/refpolicy/refpolicy_common.inc +++ b/recipes-security/refpolicy/refpolicy_common.inc @@ -77,10 +77,12 @@ SRC_URI += " \ S = "${UNPACKDIR}/refpolicy" CONFFILES:${PN} = "${sysconfdir}/selinux/config" + +POLICY_STORE_ROOT ?= "${localstatedir}/lib/selinux" FILES:${PN} += " \ ${sysconfdir}/selinux/${POLICY_NAME}/ \ ${datadir}/selinux/${POLICY_NAME}/*.pp \ - ${localstatedir}/lib/selinux/${POLICY_NAME}/ \ + ${POLICY_STORE_ROOT}/${POLICY_NAME}/ \ " FILES:${PN}-dev =+ " \ ${datadir}/selinux/${POLICY_NAME}/include/ \ @@ -165,7 +167,7 @@ prepare_policy_store() { oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install POL_PRIORITY=100 POL_SRC=${D}${datadir}/selinux/${POLICY_NAME} - POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME} + POL_STORE=${D}${POLICY_STORE_ROOT}/${POLICY_NAME} POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY} # Prepare to create policy store @@ -207,13 +209,14 @@ args = \$@ [end] policy-version = 35 +store-root = "${POLICY_STORE_ROOT}" EOF # Create policy store and build the policy semodule -p ${D} -s ${POLICY_NAME} -n -B rm -f ${D}${sysconfdir}/selinux/semanage.conf # No need to leave final dir created by semanage laying around - rm -rf ${D}${localstatedir}/lib/selinux/final + rm -rf ${D}${POLICY_STORE_ROOT}/final } install_misc_files() { diff --git a/recipes-security/selinux/libsemanage_3.9.bb b/recipes-security/selinux/libsemanage_3.9.bb index 2425a2e..1279cce 100644 --- a/recipes-security/selinux/libsemanage_3.9.bb +++ b/recipes-security/selinux/libsemanage_3.9.bb @@ -32,6 +32,8 @@ FILES:${PN}-python = "${PYTHON_SITEPACKAGES_DIR}/* \ FILES:${PN}-dbg += "${PYTHON_SITEPACKAGES_DIR}/.debug/*" FILES:${PN} += "${libexecdir}" +POLICY_STORE_ROOT ?= "${localstatedir}/lib/selinux" + do_compile:append() { oe_runmake pywrap \ PYLIBVER='python${PYTHON_BASEVERSION}' \ @@ -46,9 +48,21 @@ do_install:append() { PYLIBVER='python${PYTHON_BASEVERSION}' \ PYTHONLIBDIR='${PYTHON_SITEPACKAGES_DIR}' - # Update "policy-version" for semanage.conf - sed -i 's/^#\s*\(policy-version\s*=\).*$/\1 35/' \ - ${D}/etc/selinux/semanage.conf + conf_file="${D}/etc/selinux/semanage.conf" + + if [ -f "${conf_file}" ]; then + # Update "policy-version" for semanage.conf + sed -i 's/^#\s*\(policy-version\s*=\).*$/\1 35/' \ + ${D}/etc/selinux/semanage.conf + + # Update "store-root" for semanage.conf + if grep -q '^store-root=' "${conf_file}"; then + sed -i "s|^store-root=.*$|store-root=${POLICY_STORE_ROOT}|" "${conf_file}" + else + printf 'store-root=%s\n' "${POLICY_STORE_ROOT}" >> "${conf_file}" + fi + fi + } BBCLASSEXTEND = "native"