smithmcgriff / Fedora-on-pinebookpro


Build scripts? #5

Open westurner opened 4 years ago

westurner commented 4 years ago

Are there build scripts for this?

westurner commented 4 years ago

selinux modules, logging commands run (as root)

In reading /root/.bash_history (and /var/log/dnf.log*) in fedora-pinebookpro-gnome-0.8.img.xz, I noticed the SELinux policy modules /root/modules/disk1.pp and /root/modules/*.te. What are these for / [why] are they necessary [after relabeling]?

With fedora-arm-image-installer, you can specify fedora-arm-image-installer --selinux=on --relabel; which enables selinux by setting SELINUX=enforcing in /etc/selinux/config and touches /.autorelabel (which causes the next boot to take quite a while due to running restorecon on everything in /): https://pagure.io/arm-image-installer/blob/master/f/arm-image-installer

Inlined copy of `/root/modules/*.te`:

```bash
[root@mb2 modules]# (for f in *.te; do echo "#### $f ####"; cat "$f"; echo -e "\n"; done)
#### disk1.te ####
module disk1 1.0;

require {
	type unlabeled_t;
	type local_login_t;
	class file read;
}

#============= local_login_t ==============
allow local_login_t unlabeled_t:file read;

#### mod1.te ####
module mod1 1.0;

require {
	type iptables_t;
	type kernel_t;
	class fifo_file read;
}

#============= iptables_t ==============
allow iptables_t kernel_t:fifo_file read;

#### mod2.te ####
module mod2 1.0;

require {
	type systemd_logind_t;
	type unlabeled_t;
	type system_dbusd_t;
	type systemd_hostnamed_t;
	type systemd_localed_t;
	type xdm_t;
	class file { getattr open read };
}

#============= system_dbusd_t ==============
allow system_dbusd_t unlabeled_t:file { getattr open };

#============= systemd_hostnamed_t ==============
allow systemd_hostnamed_t unlabeled_t:file { getattr open read };

#============= systemd_localed_t ==============
allow systemd_localed_t unlabeled_t:file { getattr open read };

#============= systemd_logind_t ==============
allow systemd_logind_t unlabeled_t:file { getattr open read };

#============= xdm_t ==============
allow xdm_t unlabeled_t:file { getattr open read };

#### mod4.te ####
module mod4 1.0;

require {
	type initrc_t;
	type policykit_auth_t;
	type init_t;
	type chkpwd_t;
	type unconfined_service_t;
	type policykit_t;
	type user_devpts_t;
	class process { noatsecure rlimitinh siginh };
	class chr_file { read write };
}

#============= chkpwd_t ==============
allow chkpwd_t user_devpts_t:chr_file { read write };

#============= init_t ==============
allow init_t initrc_t:process siginh;
allow init_t unconfined_service_t:process siginh;

#============= policykit_t ==============
allow policykit_t policykit_auth_t:process { noatsecure rlimitinh siginh };

#### mod5.te ####
module mod5 1.0;

require {
	type chkpwd_t;
	type unconfined_t;
	type unlabeled_t;
	type xdm_t;
	class file { getattr open read };
	class process noatsecure;
}

#============= xdm_t ==============
allow xdm_t chkpwd_t:process noatsecure;
allow xdm_t unconfined_t:process noatsecure;

#!!!! This avc is allowed in the current policy
allow xdm_t unlabeled_t:file { getattr open read };

#### mod6.te ####
module mod6 1.0;

require {
	type rpm_var_lib_t;
	type xdm_t;
	type unlabeled_t;
	type init_t;
	type chkpwd_t;
	type unconfined_t;
	type abrt_t;
	class dir mounton;
	class process { noatsecure rlimitinh siginh };
	class file write;
}

#============= abrt_t ==============
allow abrt_t rpm_var_lib_t:file write;

#============= init_t ==============
allow init_t chkpwd_t:process siginh;
allow init_t unconfined_t:process siginh;
allow init_t unlabeled_t:dir mounton;

#============= xdm_t ==============

#!!!! This avc is allowed in the current policy
allow xdm_t chkpwd_t:process noatsecure;
allow xdm_t chkpwd_t:process { rlimitinh siginh };

#!!!! This avc is allowed in the current policy
allow xdm_t unconfined_t:process noatsecure;
allow xdm_t unconfined_t:process siginh;

#### mod8.te ####
module mod8 1.0;

require {
	type unlabeled_t;
	type groupadd_t;
	type useradd_t;
	class file read;
}

#============= groupadd_t ==============
allow groupadd_t unlabeled_t:file read;

#============= useradd_t ==============
allow useradd_t unlabeled_t:file read;

#### mod9.te ####
module mod9 1.0;

require {
	type session_dbusd_tmp_t;
	type systemd_logind_t;
	class sock_file unlink;
}

#============= systemd_logind_t ==============
allow systemd_logind_t session_dbusd_tmp_t:sock_file unlink;
```

/root/.bash_history is not at all a complete log of the image build. FWIW, you can log all commands run as any user with auditd:

```bash
$ cat >> /etc/audit/audit.rules <<EOF

# Log all commands
-a exit,always -F arch=b64 -S execve
-a exit,always -F arch=b32 -S execve
EOF
```

```bash
$ cat >> /etc/audit/audit.rules <<EOF

# Log all commands run as root (effective UID=0)
-a exit,always -F arch=b32 -F euid=0 -S execve
-a exit,always -F arch=b64 -F euid=0 -S execve
EOF
```

I think -F b64 just works on aarch64, but haven't tested it yet: https://github.com/linux-audit/audit-userspace/blob/4e03eb0c5c/lib/libaudit.c#L1316

```
$ man audit.rules
# [...]

 When you specify a syscall name, auditctl will look up the name and get
 its syscall number. This leads to some problems on bi-arch machines.
 The 32 and 64 bit syscall numbers sometimes, but not always, line
 up. So, to solve this problem, you would generally need to break the
 rule into 2 with one specifying -F arch=b32 and the other specifying
 -F arch=b64. This needs to go in front of the -S option so that
 auditctl looks at the right lookup table when returning the number.
```

Boot config

Search terms:

Rockchip docs:

fedora-arm-image-installer

https://pagure.io/arm-image-installer/blob/master/f/arm-image-installer

how to dd u-boot for rk3399 devices

manjaro-arm-tools

pbp-uboot: U-Boot with Pinebook Pro support patches

"U-Boot with pinebook pro support patches" https://git.eno.space/pbp-uboot.git

debian u-boot package

The debian u-boot changelog mentions "pinebookpro" and "rk3399": https://launchpad.net/debian/+source/u-boot/2020.04+dfsg-2 :

```
u-boot (2020.04+dfsg-2) unstable; urgency=medium

  * debian/patches:
    - Remove dreamplug cache patch, fixed upstream.
    - Add patches submitted upstream to support pinebook pro.
  * u-boot-rockchip:
    - Add support for rockpro64-rk3399.
    - Add support for pinebook-pro-rk3399.
    - Add u-boot-install-rockchip helper script.

 -- Vagrant Cascadian <vagrant@debian.org>  Mon, 20 Apr 2020 19:34:37 -0700
```

fedora uboot-images-armv8

Source: https://apps.fedoraproject.org/packages/uboot-tools

Source: https://apps.fedoraproject.org/packages/uboot-images-armv8

Changelog: https://apps.fedoraproject.org/packages/uboot-images-armv8/changelog/ :

```
2020-04-20 - Peter Robinson <pbrobinson@fedoraproject.org> - 2020.04-2
- Fix ATF for new aarch64 devices
- Fix Wandboard board detection (rhbz 1825247)
- Fix mSD card on RockPro64
- Enable (inital) Pinebook Pro
```

Package Build Spec: https://apps.fedoraproject.org/packages/uboot-images-armv8/sources/spec/

pinebook-pro files in https://fedora.pkgs.org/32/fedora-aarch64/uboot-images-armv8-2020.04-2.fc32.noarch.rpm.html :

```
/usr/share/uboot/pinebook-pro-rk3399/idbloader.img
/usr/share/uboot/pinebook-pro-rk3399/u-boot-dtb.img
/usr/share/uboot/pinebook-pro-rk3399/u-boot.bin
/usr/share/uboot/pinebook-pro-rk3399/u-boot.dtb
/usr/share/uboot/pinebook-pro-rk3399/u-boot.img
/usr/share/uboot/pinebook-pro-rk3399/u-boot.itb
```

rockchip U-Boot Custodian Tree

rockchip-linux

https://github.com/rockchip-linux/u-boot/tree/next-dev/board/rockchip

kernel args

```
ethaddr=${ethaddr} eth1addr=${eth1addr} serial=${serial#}
video=HDMI-A-1:1920x1080@60 video=eDP-1:1920x1080@60 vga=current
earlycon=uart8250,mmio32,0xff1a0000
#maxcpus=4
#maxcpus=6
```
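As an added example (not part of this thread or the repository), a small checker for audit2allow-style `.te` modules like the ones inlined above. It parses the `allow` rules and flags the two patterns a policy reviewer would question before loading such a module: rules whose target is `unlabeled_t` (files that simply have no label yet, which `restorecon` / `.autorelabel` fixes without any new policy) and `process` grants of `noatsecure`/`rlimitinh`/`siginh`. The sample text is constructed from two of the quoted modules (disk1.te, mod5.te).

```python
import re

SAMPLE_TE = """\
module disk1 1.0;
require {
    type unlabeled_t;
    type local_login_t;
    class file read;
}
allow local_login_t unlabeled_t:file read;
module mod5 1.0;
allow xdm_t chkpwd_t:process noatsecure;
allow xdm_t unconfined_t:process noatsecure;
#!!!! This avc is allowed in the current policy
allow xdm_t unlabeled_t:file { getattr open read };
"""  # constructed sample, taken from the modules quoted in the thread

MODULE_RE = re.compile(r"^\s*module\s+(\w+)\s+[\d.]+\s*;")
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")
INHERIT_PERMS = {"noatsecure", "rlimitinh", "siginh"}

def parse_allow_rules(text):
    """Return (module, source, target, class, perms) for every allow rule.
    require blocks and # comments are skipped; perms are a sorted tuple."""
    rules, module = [], None
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            module = m.group(1)
            continue
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            rules.append((module, src, tgt, cls,
                          tuple(sorted(perms.strip("{} ").split()))))
    return rules

def flag_rules(rules):
    """Return (kind, module, rule) for rules that need review rather than loading."""
    findings = []
    for rule in rules:
        module, src, tgt, cls, perms = rule
        if tgt == "unlabeled_t":
            # Access to unlabeled files: fix the labels (restorecon), not the policy.
            findings.append(("unlabeled_target", module, rule))
        if cls == "process" and INHERIT_PERMS & set(perms):
            # Lets src keep rlimits/signal state/AT_SECURE across a domain transition.
            findings.append(("process_inheritance", module, rule))
    return findings
```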

westurner commented 4 years ago

https://pagure.io/arm-image-installer/issue/52#comment-658679 suggests:

Had success installing F32 with the arm-image-installer using sudo arm-image-installer --addconsole --addkey ~/.ssh/id_rsa.pub --relabel --resizefs --image=/opt/downloads/Pine64/Fedora-Minimal-32-1.6.aarch64.raw.xz --media=/dev/sdb --target=rock64-rk3328

However, I had to rename or create the board file /usr/share/arm-image-installer/boards.d/rock64-rk3328

```bash
# write uboot
echo "= Writing idbloader.img for $TARGET .... on media $MEDIA"
dd if=$PREFIX/usr/share/uboot/$TARGET/idbloader.img of=$MEDIA seek=64; sync; sleep 5
echo "= Writing u-boot FIT image for $TARGET .... on media $MEDIA"
dd if=$PREFIX/usr/share/uboot/$TARGET/u-boot.itb of=$MEDIA seek=16384; sync; sleep 5
# set console for Rockchips
SYSCON=ttyS2,1500000n8
```

westurner commented 4 years ago

Wondering how much of these setup scripts can be used for the Pinebook Pro? https://github.com/nikhiljha/pp-fedora-sdsetup

Is this script all that's specific to the PinePhone? https://github.com/nikhiljha/pp-fedora-sdsetup/blob/master/phone-scripts/02-install-packages.sh

bengtfredh commented 4 years ago

I copy/pasted together a script that is working. It would be nice if someone can help with testing. https://github.com/bengtfredh/pinebook-pro-fedora-installer.git

westurner commented 4 years ago

Hey are those selinux modules (from fedora-pinebookpro-gnome-0.8.img.xz) that I inlined in https://github.com/smithmcgriff/Fedora-on-pinebookpro/issues/5#issuecomment-621065372 from audit2allow? Who could advise on these .pp policies for Fedora 33+?

westurner commented 4 years ago

https://github.com/major/stopdisablingselinux.com