Date: Tue, 4 May 2004 09:43:36 -0700 (PDT) From: Chris Vance <cvance@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 52230 for review Message-ID: <200405041643.i44Ghaxp022365@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=52230 Change 52230 by cvance@cvance_g5 on 2004/05/04 09:43:03 Checkpoint the build system and the installation instructions. The build pieces seem to be fine at this point, but the target installation system still won't boot normally. Affected files ... .. //depot/projects/trustedbsd/sedarwin73/bootstrap_instructions.txt#4 edit .. //depot/projects/trustedbsd/sedarwin73/policy/Makefile#6 edit .. //depot/projects/trustedbsd/sedarwin73/policy/Makefile.install#1 add .. //depot/projects/trustedbsd/sedarwin73/policy/create-extattr.sh#2 edit .. //depot/projects/trustedbsd/sedarwin73/policy/sebsd-relabel.sh#2 edit .. //depot/projects/trustedbsd/sedarwin73/release/Makefile#4 edit .. //depot/projects/trustedbsd/sedarwin73/sebsd_system/wslogin/Makefile#4 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin73/bootstrap_instructions.txt#4 (text+ko) ==== @@ -56,7 +56,7 @@ and installation procedure. First, configure the SEDARWIN_ROOT variable to point at the sedarwin73 directory: - SEDARWIN_ROOT=/Users/andrew/p4/sedarwin/apsl/xnu + SEDARWIN_ROOT=/Users/cvance/p4/sedarwin/apsl/xnu Next, set the DESTDIR variable to point to a local destination directory; this directory will be created to store the modified @@ -73,15 +73,14 @@ in permission errors (unless you are building as root). EXPORT_OWNER = cvance - -Step 4: Build +Step 4: Build kernel, libraries, and program binaries A top-level makefile automates the build process. To build the kernel, libraries, and program binaries, run the following command from the top of the extracted source tree: - bsdmake + bsdmake NOTE: This step will fail if you have not installed bootstrap_cmds due to a dependence on the relpath tool. 
@@ -94,50 +93,86 @@ bsdmake install -XXX Danger below XXX -Step 10: Build, Install wslogin and WindowServer wrapper +Step 6: Create system upgrade tarfile + + To create a tarfile containing all the new libraries and system + binaries, run the following command from the top level of the source + tree: + + bsdmake dist + + This will create a compressed tarfile from the temporary + distribution directory. The file will be called, "sedarwin.tgz" and + it will be created in the root of the source tree. + + This tarfile can be used to install on the current machine, or any + other appropriately updated 10.3.3 system. The following steps + presume that you have copied the tar file to the target machine. + +Step 7: Backup files + + If the target machine contains binaries that you do not wish to + overwrite, you may wish to back them up first. In particular, if + you do not have a second bootable partition on the machine, you + probably want the kernel (and possibly turn on remote login). + +Step 8: Extract distribution + + Extract the distribution tarfile from the root of the target machine: - In order to allow users to select roles during GUI login, you must - install our WindowServer wrapper. This will cause a dialog box - prompting for a role selection to pop up during login prior to - launching user applications. The process here is somewhat complicated, - as LoginWindow appears not to offer any convenient hooks to allow - this to be done without some subversion of its mechanisms. + cd / + sudo gnutar xvzf sedarwin.tgz - First, build and install the wslogin dynamic library and wsloginui.app - dialog: +Step 9: Backup and Replace the WindowServer - cd sebsd_system/wslogin - make ; sudo make install + The distribution includes a shell script to replace Apple's Login + Window application with a wrapper that will allow a user role to be + selected during the login process. 
Run the script: - In order to run the WindowServer in our modified environment, you must - replace the existing WindowServer binary with our wrapper. NOTE: - It is extremely important that these commands be executed cautiously: - the new name for the old WindowServer must be RealWindowServer, and - you really don't want to fail to rename before you install the new - one, or you end up with no WindowServer at all: + sudo /etc/sedarwin/install-windowserver.sh - sudo make rotate-out-old-server # run exactly once - sudo make install-window-server-wrapper - cd ../.. +Step 10: Create Extended Attribute File + The distribution includes a shell script that creates an extended + attribute backing file for the SEBSD policy module. Run the script: -Step 16: Create extended attribute backing files + sudo /etc/sedarwin/create-extattr.sh This will allocate storage space for MAC labels on the root file system. You may wish to run similar commands on other file systems. Replace the - "/" in this command with the root of the file systme in question, and + "/" in the script with the root of the file systme in question, and insert the same directory in front of "/.attribute/system/sebsd" to - store the attributes in that file system. + store the attributes in that file system. For example: + + sudo extattrctl initattr -p /Volumes/Spare -i "system_u:object_r:file_t" \ + 256 /Volumes/Spare/.attribute/system/sebsd + +Step 11: Configure Policy path + + The system boot loader needs to know where the SEBSD policy file is + located; at boot time, it reads the location from the system + firmware. Set the location in the firmware with the following + command: + + sudo nvram load_sebsd_policy=policy.16 + + Our sample policy file ships with three users: root, andrew, and + rwatson. Chances are, you'll want to add a line for your own user + based on one of those lines. 
The policy sources were installed into + /etc/sedarwin/policy, make changes there and rebuild the binary + policy file: + + cd /etc/sedarwin/policy + [edit as root] + sudo bsdmake + sudo bsdmake install - sudo mkdir -p /.attribute/system - sudo extattrctl initattr -p / 256 /.attribute/system/sebsd -Step 18: Reboot +Step 12: Reboot At this point, you should now have a new Darwin kernel, support libraries, command line tools, and configuration files installed. Reboot to single- - user mode by pressing Command-S during the boot. Check the file system + user mode by holding down Command-S during the boot. Check the file system and mount the root file system writable: /sbin/fsck -y @@ -146,12 +181,7 @@ Now set the label on various binaries so they can transition during system startup: - cd policy; make relabel + sudo /etc/sedarwin/sebsd-relabel.sh Missing this step will result in login attempts failing, or the entire system not working if enforcing mode is enabled. - - If you want to run in enforcing mode, you can use the "kenv_sebsd_enforce" - OF variable. Set it with: - - sudo nvram kenv_sebsd_enforce=1 ==== //depot/projects/trustedbsd/sedarwin73/policy/Makefile#6 (text+ko) ==== @@ -33,7 +33,8 @@ install: $(INSTALL) -o ${BINOWN} -g ${BINGRP} -m 644 ${POLICY} ${POLICYDIR} - $(INSTALL) -o ${BINOWN} -g ${BINGRP} -m 700 ${SCRIPTS} ${DESTDIR}/private/etc/ + $(INSTALL) -o ${BINOWN} -g ${BINGRP} -m 700 ${SCRIPTS} ${DESTDIR}/private/etc/sedarwin (cd $(.CURDIR)/..; tar -cf - policy) | (cd $(DESTDIR)/private/etc/sedarwin/; tar -xf -) + cp Makefile.install $(DESTDIR)/private/etc/sedarwin/policy/Makefile .include <bsd.prog.mk> ==== //depot/projects/trustedbsd/sedarwin73/policy/create-extattr.sh#2 (text+ko) ==== 
@@ -2,5 +2,5 @@ mkdir -p /.attribute/system -extattrctl initattr -p / 256 -i "system_u:object_r:file_t" \ - /.attribute/system/sebsd +extattrctl initattr -p / -i "system_u:object_r:file_t" \ + 256 /.attribute/system/sebsd ==== //depot/projects/trustedbsd/sedarwin73/policy/sebsd-relabel.sh#2 (text+ko) ==== 
@@ -1,24 +1,24 @@ #!/bin/sh -SETFMAC= "/usr/bin/setfmac -h" +SETFMAC='/usr/bin/setfmac -h' if [ ! -f /.attribute/system/sebsd ]; then echo "ERROR, can't find attribute backing file" exit; fi -$SETFMAC system_u:object_r:bin_t /sbin/* -$SETFMAC system_u:object_r:bin_t /usr/sbin/* -$SETFMAC system_u:object_r:bin_t /bin/* -$SETFMAC system_u:object_r:bin_t /usr/bin/* -$SETFMAC system_u:object_r:bin_t /usr/local/bin/* -$SETFMAC system_u:object_r:shell_exec_t /bin/*sh -$SETFMAC system_u:object_r:lookupd_exec_t /usr/sbin/lookupd -$SETFMAC -R system_u:object_r:appl_t /Applications/* -$SETFMAC system_u:object_r:systemstarter_exec_t /sbin/SystemStarter -$SETFMAC system_u:object_r:coreservices_exec_t /System/Library/CoreServices/coreservicesd -$SETFMAC system_u:object_r:loginwindow_exec_t /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow -$SETFMAC system_u:object_r:pbs_exec_t /System/Library/CoreServices/pbs -$SETFMAC system_u:object_r:windowserver_exec_t /System/Library/Frameworks/ApplicationServices.framework/Frameworks/CoreGraphics.framework/Resources/WindowServer* -$SETFMAC system_u:object_r:securityserver_exec_t /System/Library/CoreServices/SecurityServer -$SETFMAC system_u:object_r:coreservices_exec_t /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonCore.framework/Versions/A/Support/coreservicesd+$SETFMAC sebsd/system_u:object_r:bin_t /sbin/* +$SETFMAC sebsd/system_u:object_r:bin_t /usr/sbin/* +$SETFMAC sebsd/system_u:object_r:bin_t /bin/* +$SETFMAC sebsd/system_u:object_r:bin_t /usr/bin/* +$SETFMAC sebsd/system_u:object_r:bin_t /usr/local/bin/* +$SETFMAC sebsd/system_u:object_r:shell_exec_t /bin/*sh +$SETFMAC sebsd/system_u:object_r:lookupd_exec_t /usr/sbin/lookupd +$SETFMAC -R sebsd/system_u:object_r:appl_t /Applications/* +$SETFMAC sebsd/system_u:object_r:systemstarter_exec_t /sbin/SystemStarter +$SETFMAC sebsd/system_u:object_r:coreservices_exec_t /System/Library/CoreServices/coreservicesd +$SETFMAC 
sebsd/system_u:object_r:loginwindow_exec_t /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow +$SETFMAC sebsd/system_u:object_r:pbs_exec_t /System/Library/CoreServices/pbs +$SETFMAC sebsd/system_u:object_r:windowserver_exec_t /System/Library/Frameworks/ApplicationServices.framework/Frameworks/CoreGraphics.framework/Resources/WindowServer* +$SETFMAC sebsd/system_u:object_r:securityserver_exec_t /System/Library/CoreServices/SecurityServer +$SETFMAC sebsd/system_u:object_r:coreservices_exec_t /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonCore.framework/Versions/A/Support/coreservicesd ==== //depot/projects/trustedbsd/sedarwin73/release/Makefile#4 (text+ko) ==== @@ -9,7 +9,7 @@ $(DESTDIR)/usr/share/man/man8 \ $(DESTDIR)/System/Library/CoreServices \ $(DESTDIR)/usr/include/sebsd \ - $(DESTDIR)/System/Library/Frameworks/ApplicationServices.framework/Frameworks/CoreGraphics.framework/Resources/ + $(DESTDIR)System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources all: mkdir -p $(DIRS) ==== //depot/projects/trustedbsd/sedarwin73/sebsd_system/wslogin/Makefile#4 (text+ko) ==== @@ -11,11 +11,11 @@ xcodebuild install: - $(INSTALL) -o $(LIBOWN) -g $(LIBGRP) -m 644 \ + $(INSTALL) -o $(LIBOWN) -g $(LIBGRP) -m 755 \ wslogin.dylib $(DESTDIR)/usr/lib (cd build ; tar -cf - wsloginui.app) | (cd \ $(DESTDIR)/System/Library/CoreServices ; tar -xf -) - $(INSTALL) -o $(LIBOWN) -g $(LIBGRP) -m 644 WindowServer.sedarwin $(DESTDIR)/System/Library/Frameworks/ApplicationServices.framework/Frameworks/CoreGraphics.framework/Resources/ + $(INSTALL) -o $(LIBOWN) -g $(LIBGRP) -m 755 WindowServer.sedarwin $(DESTDIR)/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Resources/ $(INSTALL) -o $(BINOWN) -g $(BINGRP) -m 700 install-windowserver.sh $(DESTDIR)/private/etc/sedarwin/ clean:
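Review bot: in the bootstrap_instructions.txt hunk at @@ -56,7 the example value still contradicts the sentence above it: the text says SEDARWIN_ROOT should point at the sedarwin73 directory, but both the old and the new value end in sedarwin/apsl/xnu, and the change only swaps one developer's home directory for another. Use a neutral placeholder such as `SEDARWIN_ROOT=/path/to/sedarwin73` (or say explicitly that the xnu subdirectory is meant) so readers do not copy a path that only exists on the author's machine.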
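Review bot: in the bootstrap_instructions.txt hunk at @@ -94,50 the new Step 7 sentence is missing its verb: "you probably want the kernel (and possibly turn on remote login)" should say what to do with the kernel, e.g. "you probably want to back up the kernel (and possibly turn on remote login)", since Step 8 then extracts the tarfile over / as root and overwrites whatever it contains. Two smaller points in the same hunk: the rewritten Step 10 line keeps the "file systme" typo from the old text, and Step 11 sets load_sebsd_policy=policy.16 without saying which directory the loader resolves that name against; name the installed location (the ${POLICYDIR} that the policy Makefile installs into) so readers can confirm the file is there before rebooting.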
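Review bot: in the bootstrap_instructions.txt hunk at @@ -146,12 the removed lines were the only documented way to turn on enforcing mode (the kenv_sebsd_enforce nvram variable), yet the retained sentence just above still warns about "the entire system not working if enforcing mode is enabled". If enforcing mode is intentionally undocumented for now, drop the dangling reference; otherwise keep the nvram instructions, ideally next to the load_sebsd_policy step so both firmware variables are set in one place.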
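Review bot: in the policy/Makefile hunk at @@ -33,7 the added `cp Makefile.install $(DESTDIR)/private/etc/sedarwin/policy/Makefile` bypasses the `$(INSTALL) -o ${BINOWN} -g ${BINGRP}` convention of the two lines above it, so the installed Makefile is owned by whoever ran the build and gets that user's umask instead of an explicit mode; the bootstrap instructions already note that ownership mismatches cause permission errors when packaging. Use `$(INSTALL) -o ${BINOWN} -g ${BINGRP} -m 644 Makefile.install $(DESTDIR)/private/etc/sedarwin/policy/Makefile` instead. Also note that the `tar -cf - policy | tar -xf -` copy drags the whole working directory, including the build Makefile that the cp then overwrites and anything else lying in the tree, into /private/etc/sedarwin/policy.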
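Review bot: in the create-extattr.sh hunk at @@ -2,5 the reordered extattrctl call still has no guard against the script being run a second time against an existing backing file; test for /.attribute/system/sebsd before calling extattrctl and exit non-zero if it is already there, the same way sebsd-relabel.sh already tests for that file. Since the bootstrap text tells readers to edit the hardcoded "/" in this script for other file systems, taking the mount point as an optional argument (defaulting to /) would avoid editing an installed mode-700 script by hand.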
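Review bot: in the sebsd-relabel.sh hunk at @@ -1,24 the error branch still ends with a bare `exit;`, which returns status 0, so a caller (or a reader following Step 12's `sudo /etc/sedarwin/sebsd-relabel.sh`) sees success even though nothing was relabeled; change it to `exit 1`. The quoting fix from `SETFMAC= "/usr/bin/setfmac -h"` to `SETFMAC='/usr/bin/setfmac -h'` is correct: the old form set SETFMAC to the empty string and tried to run a command literally named "/usr/bin/setfmac -h". Consider also `set -e` or checking each $SETFMAC invocation, since a failure on one path (for example an empty /usr/local/bin/* glob) currently continues silently, and the documentation says missing labels make login fail.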
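Review bot: in the release/Makefile hunk at @@ -9,7 the new DIRS entry reads `$(DESTDIR)System/Library/...` with no slash between $(DESTDIR) and System, unlike every other entry in the list (`$(DESTDIR)/usr/...`, `$(DESTDIR)/System/Library/CoreServices`). Unless DESTDIR always ends in a slash, `mkdir -p $(DIRS)` will create a sibling directory named `<destdir>System`, and the wslogin Makefile's install of WindowServer.sedarwin into `$(DESTDIR)/System/.../Versions/A/Resources/` will then fail because its target directory does not exist. Add the missing slash.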
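Review bot: in the wslogin/Makefile hunk at @@ -11,11 the long CoreGraphics Versions/A resources path is now spelled out here and again in release/Makefile; define it once (for example a CGRESDIR variable in a shared include) so the two copies cannot drift apart, which is the kind of mismatch this change is correcting. The mode change from 644 to 755 for WindowServer.sedarwin is right for a wrapper that is executed in place of WindowServer.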