

Copyright 2013 by Citrix Systems, Inc. This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/.


Building SELinux and integrating it into the OpenXT predecessor's build system isn't a simple task. Our recent push to separate the XT-specific policy from the core reference policy isn't going to make this any less complex. This page will track my efforts to do just that. In the process I'll document our current approach and my proposed changes, mostly to get input from zh and other concerned parties.


This step is intended to get rid of the SELinux recipes we created for bitbake in XT. The upstream meta-selinux layer makes our recipes redundant.

Extract XT Modules

Status: in progress

In this step we will keep the existing fork of the refpol (including our changes) but will migrate to building the XT policy modules in a separate recipe and source tree. This will complicate:

1) linking the policy

2) labeling the root file system

Currently our policy recipe, as well as the refpolicy from meta-selinux, links the policy in the install step and packages it. When we move the XT modules out into a separate recipe we won't be able to do this any longer. My current plan is to move the policy linking step into an image post-processing step. This will allow all of the modules to be built before the link step; specifically, it will allow policy modules to be built in recipes separate from the reference policy recipe.

The file system labeling isn't completely consistent. The NDVM fs is labeled in the image recipe while dom0 is not. The dom0 FS is still an unlabeled archive (according to ZH). So long as file system labeling is done after the policy modules are linked, everything should work. Eventually we should try to make the FS labeling consistent, but since it works currently and I don't expect these changes will disrupt the current approach, I'm going to leave it alone.
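The following is an added sketch, not OpenXT's or meta-selinux's own code, of what such an image post-processing step could look like: it gathers the base package and every separately built module, links and expands them, and only then labels the root file system, so the labeling can never run against a policy that is missing the XT modules. The function names (`collect_modules`, `count_modules`, `link_and_label_rootfs`), the directory layout (each recipe dropping its `*.pp` into a module directory, `base.pp` coming from the reference policy recipe), and the `SELINUX_POLICY_NAME` / `POLICY_VERSION` variables are assumptions for the example; `semodule_link`, `semodule_expand` and `setfiles` are the standard policycoreutils tools.

```shell
#!/bin/sh
# Added example (not OpenXT's own code): link separately built policy modules
# into one kernel policy in an image post-processing step, then label the
# root file system. Layout assumed for the example: the reference policy
# recipe deploys base.pp, each XT recipe deploys its own *.pp, all into
# module directories passed as arguments.
set -e

# Print every *.pp found in the given directories, base.pp first because
# semodule_link expects the base package as its first argument. Fails if no
# base package is present, so a broken recipe dependency stops the build.
collect_modules() {
    base=""
    mods=""
    for d in "$@"; do
        for f in "$d"/*.pp; do
            [ -f "$f" ] || continue
            case "$(basename "$f")" in
                base.pp) base="$f" ;;
                *)       mods="$mods $f" ;;
            esac
        done
    done
    if [ -z "$base" ]; then
        echo "collect_modules: no base.pp found in: $*" >&2
        return 1
    fi
    echo "$base$mods"
}

# Number of packages that would be linked; useful as a build-log sanity check
# (an XT module count of zero usually means a missing recipe dependency).
count_modules() {
    set -- $(collect_modules "$@")
    echo $#
}

# $1 = root file system to label, remaining arguments = module directories.
# file_contexts is assumed to have been installed into the rootfs by the
# policy recipe; POLICY_VERSION is assumed to be set by the build.
link_and_label_rootfs() {
    rootfs="$1"; shift
    policy="${SELINUX_POLICY_NAME:-refpolicy}"
    version="${POLICY_VERSION:?set POLICY_VERSION to the kernel policy version}"
    workdir="$(mktemp -d)"
    pkgs="$(collect_modules "$@")"

    # 1) link base + all modules into a single module package
    semodule_link -o "$workdir/linked.pp" $pkgs
    # 2) expand the linked package into a kernel binary policy
    semodule_expand "$workdir/linked.pp" "$workdir/policy.$version"
    install -D -m 0644 "$workdir/policy.$version" \
        "$rootfs/etc/selinux/$policy/policy/policy.$version"

    # 3) only now label the tree, validating contexts against the policy we
    #    just built rather than against whatever the build host is running
    fc="$rootfs/etc/selinux/$policy/contexts/files/file_contexts"
    setfiles -r "$rootfs" -c "$workdir/policy.$version" "$fc" "$rootfs"

    rm -rf "$workdir"
}
```

In a bitbake image recipe the entry point would hang off the image's root file system post-processing hook so it runs after every module recipe has deployed, which is the ordering the plan above depends on.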

De-fork

Status: pending

This is by far the most painful of the steps in this process and will thus be saved for last. Here we need to find the XT-specific stuff in our policy fork and pry it out into a patch queue. This would then be applied on top of the meta-selinux policy. This will allow us to build the XT policy modules against the meta-selinux policy. I've already experimented with setting up a patch queue, which was simple enough. It's up