* [Buildroot] [PATCH v13 1/8] policycoreutils: new package
@ 2016-10-25 19:26 Bryce Ferguson
  2016-10-25 19:26 ` [Buildroot] [PATCH v13 2/8] refpolicy: " Bryce Ferguson
                   ` (7 more replies)
  0 siblings, 8 replies; 24+ messages in thread
From: Bryce Ferguson @ 2016-10-25 19:26 UTC (permalink / raw)
  To: buildroot

From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>

This package contains the core policy utilities that are required
for basic operation of an SELinux system.

Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>
Tested-by: Bryce Ferguson <bryce.ferguson@rockwellcollins.com>
Signed-off-by: Bryce Ferguson <bryce.ferguson@rockwellcollins.com>

---
Changes v12 -> v13:
  - Incorporated changes found here: https://patchwork.ozlabs.org/patch/649176/

Changes v11 -> v12:
  - Split the DESTDIR and CFLAGS patches into three patches (DESTDIR, PREFIX and removal of ARCH).

Changes v10 -> v11:
  - Removed LDFLAGS="-Wl,-rpath,$(HOST_DIR)/usr/lib" as it is overriding LDFLAGS.
  - Removed patch PREFIX number in the subject line.
  - Replaced line  LDFLAGS="-Wl,-rpath,$(HOST_DIR)/usr/lib" with LDFLAGS="$(HOST_LDFLAGS)".
  - Added patch to disable dbuslib flags in policycoreutils.
  - Added libglib2 dependency for restorecond.

Changes v9 -> v10:
  - Added LDFLAGS for HOST_POLICYCOREUTILS_MAKE_OPTS:LDFLAGS="-Wl,-rpath,$(HOST_DIR)/usr/lib"

Changes v8 -> v9:
  - Cleaned up DESTDIR references in patches to use PREFIX instead
    (suggested by Samuel)
  - Added the use of the ARCH to pass the host and target architectures
    to the build (Suggested by Samuel)

Changes v7 -> v8:
  - Cleaned up indentations in policycoreutils.mk (Suggested by
    Thomas P.)
  - Fixed sed separator (Suggested by Thomas P.)
  - Cleaned up cross compile patches and make options (Suggested by
    Thomas P.)
  - Changed dbus-glib dependency to a select and cleaned up the
    dependencies (Suggested by Thomas P.)

Changes v6 -> v7:
  - No changes

Changes v5 -> v6:
  - No changes

Changes v4 -> v5:
  - Updated depends and removed glibc dependency (Matt W.)
  - Updated site to github (Matt W.)
  - Added host python 2/3 support (Matt W.)
  - Removed sandbox and mctrans support (Matt W.)
  - Removed restorecond init script (Matt W.)
  - Agreed that, since the optional settings were removed, a menu isn't
    needed (Suggested by Ryan B. and Thomas P.)
  - Added Config.in select for LIBCAP_NG (Suggested by Thomas P.)
  - Cleaned up pam/audit ifeq (Suggested by Thomas P.)
  - Fixed CFLAGS to include target_cflags instead of += (Suggested by
    Thomas P.)
  - Refactored lists of build/install steps into loops (Suggested by
    Thomas P.)
  - Removed += on first host depends assignment (Suggested by Thomas P.)
  - Refactored host make opts assignments (Suggested by Thomas P.)
  - Limited to glibc because of fts.h; some uclibc toolchains have it,
    others don't.  Eventually this would be good to fix with the updated
    method of file traversal. (Matt W.)
  - Gettext fixups for uclibc support.  Counterproductive as we
    now limit to glibc only. (Matt W.)
  - Added musl as possible lib type (Matt W.)
  - Removed largefile dependency (Clayton S.)
  - Changed dbus-glib select to a depends on in the Config.in (suggested
    by Ryan B.)

Changes v3 -> v4:
  - Add a select for the libselinux Python bindings when debugging
    is enabled.  This will cause Python to be built for the target
    (suggested by Thomas P.)
  - Cleaned up the configure comments (suggested by Thomas).
  - Added a dependency on BR2_USE_MMU for the debugging option
    because python requires it (suggested by Thomas P.)
  - Removed the dependencies on audit and linux-pam. Both packages
    are now optional dependencies based on whether or not the package
    has been selected
  - Moved the dependency on dbus-glib to only the restorecond option
    where it is used
  - Added a INSTALL_INIT_SYSV for the restorecond daemon rather than
    just installing it directly
  - Added a dependency on glibc
  - Removed the clean commands

Changes v2 -> v3:
  - Added dependencies on BR2_TOOLCHAIN_HAS_THREADS and BR2_LARGEFILE
    (suggested by Thomas P.)
  - Changed patch naming convention (suggested by Thomas P.)
  - Added selects for linux-pam and audit

Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format
  - Fixed the patch naming to avoid using the version number
  - Cleaned up the patch to include a signed-off-by line
  - Changed package dependencies into selects in the config
---
 package/Config.in                                  |   1 +
 ...IR-to-all-paths-that-use-an-absolute-path.patch | 131 +++++++++++++
 .../0002-Add-PREFIX-to-host-paths.patch            | 211 +++++++++++++++++++++
 .../0003-Remove-hardcoded-arch-variable.patch      |  43 +++++
 ...licy-python-install-arguments-to-be-a-var.patch |  42 ++++
 .../0005-Check-to-see-if-DBUS-is-enabled.patch     |  56 ++++++
 package/policycoreutils/Config.in                  |  59 ++++++
 package/policycoreutils/policycoreutils.hash       |   2 +
 package/policycoreutils/policycoreutils.mk         | 111 +++++++++++
 9 files changed, 656 insertions(+)
 create mode 100644 package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
 create mode 100644 package/policycoreutils/0002-Add-PREFIX-to-host-paths.patch
 create mode 100644 package/policycoreutils/0003-Remove-hardcoded-arch-variable.patch
 create mode 100644 package/policycoreutils/0004-Change-sepolicy-python-install-arguments-to-be-a-var.patch
 create mode 100644 package/policycoreutils/0005-Check-to-see-if-DBUS-is-enabled.patch
 create mode 100644 package/policycoreutils/Config.in
 create mode 100644 package/policycoreutils/policycoreutils.hash
 create mode 100644 package/policycoreutils/policycoreutils.mk

diff --git a/package/Config.in b/package/Config.in
index 9399f63..8091e33 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1657,6 +1657,7 @@ menu "Real-Time"
 endmenu
 
 menu "Security"
+	source "package/policycoreutils/Config.in"
 	source "package/setools/Config.in"
 endmenu
 
diff --git a/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
new file mode 100644
index 0000000..bbd6895
--- /dev/null
+++ b/package/policycoreutils/0001-Add-DESTDIR-to-all-paths-that-use-an-absolute-path.patch
@@ -0,0 +1,131 @@
+The addition of this patch makes the use of DESTDIR
+mandatory as there are conditional checks which would fail if it's not
+defined.
+
+This patch was updated from the patch provided by Niranjan Reddy to
+accomodate version 2.5
+
+Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>
+Signed-off-by: Adam Duskett <AdamDuskett@outlook.com>
+Signed-off-by: Adam Duskett <Aduskett@gmail.com>
+---
+ policycoreutils/Makefile             | 2 +-
+ policycoreutils/newrole/Makefile     | 4 ++--
+ policycoreutils/restorecond/Makefile | 5 +++--
+ policycoreutils/run_init/Makefile    | 4 ++--
+ policycoreutils/sepolicy/Makefile    | 2 +-
+ policycoreutils/sestatus/Makefile    | 2 +-
+ policycoreutils/setfiles/Makefile    | 4 ++--
+ 7 files changed, 12 insertions(+), 11 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 962ac12..0634a2a 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,6 +1,6 @@
+ SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui hll
+ 
+-INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
++INOTIFYH = $(shell ls $(DESTDIR)/usr/include/sys/inotify.h 2>/dev/null)
+ 
+ ifeq (${INOTIFYH}, /usr/include/sys/inotify.h)
+ 	SUBDIRS += restorecond
+diff --git a/newrole/Makefile b/newrole/Makefile
+index 646cd4d..f124a6a 100644
+--- a/newrole/Makefile
++++ b/newrole/Makefile
+@@ -4,8 +4,8 @@ BINDIR ?= $(PREFIX)/bin
+ MANDIR ?= $(PREFIX)/share/man
+ ETCDIR ?= $(DESTDIR)/etc
+ LOCALEDIR = /usr/share/locale
+-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
+-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
++PAMH = $(shell ls $(DESTDIR)/usr/include/security/pam_appl.h 2>/dev/null)
++AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
+ # Enable capabilities to permit newrole to generate audit records.
+ # This will make newrole a setuid root program.
+ # The capabilities used are: CAP_AUDIT_WRITE.
+diff --git a/restorecond/Makefile b/restorecond/Makefile
+index f99e1e7..92a4a4d 100644
+--- a/restorecond/Makefile
++++ b/restorecond/Makefile
+@@ -11,11 +11,12 @@ autostart_DATA = sealertauto.desktop
+ INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
+ SELINUXDIR = $(DESTDIR)/etc/selinux
+ 
+-DBUSFLAGS = -DHAVE_DBUS -I/usr/include/dbus-1.0 -I/usr/lib64/dbus-1.0/include -I/usr/lib/dbus-1.0/include
++DBUSFLAGS = -DHAVE_DBUS -I$(DESTDIR)/usr/include/dbus-1.0 -I$(DESTDIR)/usr/lib64/dbus-1.0/include -I$(DESTDIR)/usr/lib/dbus-1.0/include
+ DBUSLIB = -ldbus-glib-1 -ldbus-1
+ 
+ CFLAGS ?= -g -Werror -Wall -W
+-override CFLAGS += -I$(PREFIX)/include $(DBUSFLAGS) -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/lib/glib-2.0/include
++override CFLAGS += -I$(DESTDIR)/usr/include $(DBUSFLAGS) -I$(DESTDIR)/usr/include/glib-2.0 \
++-I$(DESTDIR)/usr/lib64/glib-2.0/include -I$(DESTDIR)/usr/lib/glib-2.0/include
+ 
+ LDLIBS += -lselinux $(DBUSLIB) -lglib-2.0 -L$(LIBDIR)
+ 
+diff --git a/run_init/Makefile b/run_init/Makefile
+index 5815a08..c81179b 100644
+--- a/run_init/Makefile
++++ b/run_init/Makefile
+@@ -5,8 +5,8 @@ SBINDIR ?= $(PREFIX)/sbin
+ MANDIR ?= $(PREFIX)/share/man
+ ETCDIR ?= $(DESTDIR)/etc
+ LOCALEDIR ?= /usr/share/locale
+-PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
+-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
++PAMH = $(shell ls $(DESTDIR)/usr/include/security/pam_appl.h 2>/dev/null)
++AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
+ 
+ CFLAGS ?= -Werror -Wall -W
+ override CFLAGS += -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+diff --git a/sepolicy/Makefile b/sepolicy/Makefile
+index 39d46e8..6624373 100644
+--- a/sepolicy/Makefile
++++ b/sepolicy/Makefile
+@@ -12,7 +12,7 @@ LOCALEDIR ?= /usr/share/locale
+ BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions
+ SHAREDIR ?= $(PREFIX)/share/sandbox
+ CFLAGS ?= -Wall -Werror -Wextra -W
+-override CFLAGS += -I$(PREFIX)/include -DPACKAGE="policycoreutils" -DSHARED -shared
++override CFLAGS = $(LDFLAGS) -I$(DESTDIR)/usr/include -DPACKAGE="policycoreutils" -Wall -Werror -Wextra -W  -DSHARED -shared
+ 
+ BASHCOMPLETIONS=sepolicy-bash-completion.sh
+ 
+diff --git a/sestatus/Makefile b/sestatus/Makefile
+index c04ff00..e10c32c 100644
+--- a/sestatus/Makefile
++++ b/sestatus/Makefile
+@@ -6,7 +6,7 @@ ETCDIR ?= $(DESTDIR)/etc
+ LIBDIR ?= $(PREFIX)/lib
+ 
+ CFLAGS ?= -Werror -Wall -W
+-override CFLAGS += -I$(PREFIX)/include -D_FILE_OFFSET_BITS=64
++override CFLAGS += -I$(DESTDIR)/usr/include -D_FILE_OFFSET_BITS=64
+ LDLIBS = -lselinux -L$(LIBDIR)
+ 
+ all: sestatus
+diff --git a/setfiles/Makefile b/setfiles/Makefile
+index 98f4f7d..eb26ed0 100644
+--- a/setfiles/Makefile
++++ b/setfiles/Makefile
+@@ -3,13 +3,13 @@ PREFIX ?= $(DESTDIR)/usr
+ SBINDIR ?= $(DESTDIR)/sbin
+ MANDIR = $(PREFIX)/share/man
+ LIBDIR ?= $(PREFIX)/lib
+-AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
++AUDITH = $(shell ls  $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
+ 
+ PROGRESS_STEP=$(shell grep "^\#define STAR_COUNT" restore.h | awk -S '{ print $$3 }')
+ ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
+ 
+ CFLAGS ?= -g -Werror -Wall -W
+-override CFLAGS += -I$(PREFIX)/include
++override CFLAGS += -I$(DESTDIR)/usr/include
+ LDLIBS = -lselinux -lsepol -L$(LIBDIR)
+ 
+ ifeq ($(AUDITH), /usr/include/libaudit.h)
+-- 
+2.7.4
+
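Review bot: the sepolicy/Makefile part of this patch turns `override CFLAGS += ...` into `override CFLAGS = $(LDFLAGS) -I$(DESTDIR)/usr/include ...`, which discards the CFLAGS passed on the make command line (HOST_CFLAGS with -U_FILE_OFFSET_BITS from policycoreutils.mk) and puts linker flags into the compiler flags; keep `+=` and leave $(LDFLAGS) to the link step. The setfiles part changes AUDITH to probe `$(DESTDIR)/usr/include/libaudit.h`, but the context line `ifeq ($(AUDITH), /usr/include/libaudit.h)` still compares against the bare host path, so audit detection only works once 0002 rewrites the comparison; either fold that fix in here or state the dependency in the description. Unlike 0002 to 0005, this patch carries no `From`/`Date`/`Subject` header from git format-patch, and the description misspells "accommodate".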
diff --git a/package/policycoreutils/0002-Add-PREFIX-to-host-paths.patch b/package/policycoreutils/0002-Add-PREFIX-to-host-paths.patch
new file mode 100644
index 0000000..ba7a478
--- /dev/null
+++ b/package/policycoreutils/0002-Add-PREFIX-to-host-paths.patch
@@ -0,0 +1,211 @@
+From 7f99a727cdb8160d49bb0d0554fc88787980c971 Mon Sep 17 00:00:00 2001
+From: Adam Duskett <Aduskett@gmail.com>
+Date: Thu, 14 Jul 2016 13:16:03 -0400
+Subject: [PATCH 2/5] Add PREFIX to host paths
+
+Updates the remaining hardcoded host paths used in the build to be
+prefixed with a PREFIX path to allow cross compilation.
+
+Updated to work with version 2.5
+
+Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>
+Signed-off-by: Adam Duskett <AdamDuskett@outlook.com>
+Signed-off-by: Adam Duskett <Aduskett@gmail.com>
+---
+ policycoreutils/Makefile              |  4 +++-
+ policycoreutils/audit2allow/Makefile  |  2 +-
+ policycoreutils/load_policy/Makefile  |  2 +-
+ policycoreutils/mcstrans/src/Makefile | 17 +++++++++--------
+ policycoreutils/newrole/Makefile      |  8 ++++----
+ policycoreutils/run_init/Makefile     |  8 ++++----
+ policycoreutils/sepolicy/Makefile     |  2 +-
+ policycoreutils/setfiles/Makefile     |  4 ++--
+ 8 files changed, 25 insertions(+), 22 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 0634a2a..bd99b1c 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1,8 +1,10 @@
++PREFIX  ?= $(DESTDIR)/usr
++
+ SUBDIRS = sepolicy setfiles semanage load_policy newrole run_init sandbox secon audit2allow sestatus semodule_package semodule semodule_link semodule_expand semodule_deps sepolgen-ifgen setsebool scripts po man gui hll
+ 
+ INOTIFYH = $(shell ls $(DESTDIR)/usr/include/sys/inotify.h 2>/dev/null)
+ 
+-ifeq (${INOTIFYH}, /usr/include/sys/inotify.h)
++ifeq (${INOTIFYH}, $(PREFIX)/include/sys/inotify.h)
+ 	SUBDIRS += restorecond
+ endif
+ 
+diff --git a/audit2allow/Makefile b/audit2allow/Makefile
+index 87d2502..d4108fe 100644
+--- a/audit2allow/Makefile
++++ b/audit2allow/Makefile
+@@ -5,7 +5,7 @@ PREFIX ?= $(DESTDIR)/usr
+ BINDIR ?= $(PREFIX)/bin
+ LIBDIR ?= $(PREFIX)/lib
+ MANDIR ?= $(PREFIX)/share/man
+-LOCALEDIR ?= /usr/share/locale
++LOCALEDIR ?= $(PREFIX)/share/locale
+ 
+ all: audit2why
+ 
+diff --git a/load_policy/Makefile b/load_policy/Makefile
+index 7c5bab0..5cd0bbb 100644
+--- a/load_policy/Makefile
++++ b/load_policy/Makefile
+@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
+ SBINDIR ?= $(DESTDIR)/sbin
+ USRSBINDIR ?= $(PREFIX)/sbin
+ MANDIR ?= $(PREFIX)/share/man
+-LOCALEDIR ?= /usr/share/locale
++LOCALEDIR ?= $(PREFIX)/share/locale
+ 
+ CFLAGS ?= -Werror -Wall -W
+ override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+diff --git a/mcstrans/src/Makefile b/mcstrans/src/Makefile
+index 907a1f1..6fda57e 100644
+--- a/mcstrans/src/Makefile
++++ b/mcstrans/src/Makefile
+@@ -1,23 +1,24 @@
+ ARCH = $(shell uname -i)
++# Installation directories.
++PREFIX  ?= $(DESTDIR)/usr
++SBINDIR ?= $(DESTDIR)/sbin
++INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
++SYSTEMDDIR ?= $(DESTDIR)/usr/lib/systemd
++
+ ifeq "$(ARCH)" "x86_64"
+ 	# In case of 64 bit system, use these lines
+-	LIBDIR=/usr/lib64
++	LIBDIR=$(PREFIX)/lib64
+ else 
+ ifeq "$(ARCH)" "i686"
+ 	# In case of 32 bit system, use these lines
+-	LIBDIR=/usr/lib
++	LIBDIR=$(PREFIX)/lib
+ else
+ ifeq "$(ARCH)" "i386"
+ 	# In case of 32 bit system, use these lines
+-	LIBDIR=/usr/lib
++	LIBDIR=$(PREFIX)/lib
+ endif
+ endif
+ endif
+-# Installation directories.
+-PREFIX  ?= $(DESTDIR)/usr
+-SBINDIR ?= $(DESTDIR)/sbin
+-INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
+-SYSTEMDDIR ?= $(DESTDIR)/usr/lib/systemd
+ 
+ PROG_SRC=mcstrans.c  mcscolor.c  mcstransd.c  mls_level.c
+ PROG_OBJS= $(patsubst %.c,%.o,$(PROG_SRC))
+diff --git a/newrole/Makefile b/newrole/Makefile
+index f124a6a..b687a09 100644
+--- a/newrole/Makefile
++++ b/newrole/Makefile
+@@ -3,7 +3,7 @@ PREFIX ?= $(DESTDIR)/usr
+ BINDIR ?= $(PREFIX)/bin
+ MANDIR ?= $(PREFIX)/share/man
+ ETCDIR ?= $(DESTDIR)/etc
+-LOCALEDIR = /usr/share/locale
++LOCALEDIR =  $(PREFIX)/share/locale
+ PAMH = $(shell ls $(DESTDIR)/usr/include/security/pam_appl.h 2>/dev/null)
+ AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
+ # Enable capabilities to permit newrole to generate audit records.
+@@ -24,7 +24,7 @@ CFLAGS ?= -Werror -Wall -W
+ EXTRA_OBJS =
+ override CFLAGS += -DVERSION=\"$(VERSION)\" $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+ LDLIBS += -lselinux -L$(PREFIX)/lib
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
+ 	override CFLAGS += -DUSE_PAM
+ 	EXTRA_OBJS += hashtab.o
+ 	LDLIBS += -lpam -lpam_misc
+@@ -32,7 +32,7 @@ else
+ 	override CFLAGS += -D_XOPEN_SOURCE=500
+ 	LDLIBS += -lcrypt
+ endif
+-ifeq ($(AUDITH), /usr/include/libaudit.h)
++ifeq ($(AUDITH), $(PREFIX)/include/libaudit.h)
+ 	override CFLAGS += -DUSE_AUDIT
+ 	LDLIBS += -laudit
+ endif
+@@ -66,7 +66,7 @@ install: all
+ 	test -d $(MANDIR)/man1 || install -m 755 -d $(MANDIR)/man1
+ 	install -m $(MODE) newrole $(BINDIR)
+ 	install -m 644 newrole.1 $(MANDIR)/man1/
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
+ 	test -d $(ETCDIR)/pam.d || install -m 755 -d $(ETCDIR)/pam.d
+ ifeq ($(LSPP_PRIV),y)
+ 	install -m 644 newrole-lspp.pamd $(ETCDIR)/pam.d/newrole
+diff --git a/run_init/Makefile b/run_init/Makefile
+index c81179b..ce0df9f 100644
+--- a/run_init/Makefile
++++ b/run_init/Makefile
+@@ -4,21 +4,21 @@ PREFIX ?= $(DESTDIR)/usr
+ SBINDIR ?= $(PREFIX)/sbin
+ MANDIR ?= $(PREFIX)/share/man
+ ETCDIR ?= $(DESTDIR)/etc
+-LOCALEDIR ?= /usr/share/locale
++LOCALEDIR ?= $(PREFIX)/share/locale
+ PAMH = $(shell ls $(DESTDIR)/usr/include/security/pam_appl.h 2>/dev/null)
+ AUDITH = $(shell ls $(DESTDIR)/usr/include/libaudit.h 2>/dev/null)
+ 
+ CFLAGS ?= -Werror -Wall -W
+ override CFLAGS += -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+ LDLIBS += -lselinux -L$(PREFIX)/lib
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
+ 	override CFLAGS += -DUSE_PAM
+ 	LDLIBS += -lpam -lpam_misc
+ else
+ 	override CFLAGS += -D_XOPEN_SOURCE=500
+ 	LDLIBS += -lcrypt
+ endif
+-ifeq ($(AUDITH), /usr/include/libaudit.h)
++ifeq ($(AUDITH), $(PREFIX)/include/libaudit.h)
+ 	override CFLAGS += -DUSE_AUDIT
+ 	LDLIBS += -laudit
+ endif
+@@ -38,7 +38,7 @@ install: all
+ 	install -m 755 open_init_pty $(SBINDIR)
+ 	install -m 644 run_init.8 $(MANDIR)/man8/
+ 	install -m 644 open_init_pty.8 $(MANDIR)/man8/
+-ifeq ($(PAMH), /usr/include/security/pam_appl.h)
++ifeq ($(PAMH), $(PREFIX)/include/security/pam_appl.h)
+ 	install -m 644 run_init.pamd $(ETCDIR)/pam.d/run_init
+ endif
+ 
+diff --git a/sepolicy/Makefile b/sepolicy/Makefile
+index 6624373..a16f8de 100644
+--- a/sepolicy/Makefile
++++ b/sepolicy/Makefile
+@@ -8,7 +8,7 @@ BINDIR ?= $(PREFIX)/bin
+ SBINDIR ?= $(PREFIX)/sbin
+ DATADIR ?= $(PREFIX)/share
+ MANDIR ?= $(PREFIX)/share/man
+-LOCALEDIR ?= /usr/share/locale
++LOCALEDIR ?= $(PREFIX)/share/locale
+ BASHCOMPLETIONDIR ?= $(DESTDIR)/usr/share/bash-completion/completions
+ SHAREDIR ?= $(PREFIX)/share/sandbox
+ CFLAGS ?= -Wall -Werror -Wextra -W
+diff --git a/setfiles/Makefile b/setfiles/Makefile
+index eb26ed0..3c6b80d 100644
+--- a/setfiles/Makefile
++++ b/setfiles/Makefile
+@@ -12,7 +12,7 @@ CFLAGS ?= -g -Werror -Wall -W
+ override CFLAGS += -I$(DESTDIR)/usr/include
+ LDLIBS = -lselinux -lsepol -L$(LIBDIR)
+ 
+-ifeq ($(AUDITH), /usr/include/libaudit.h)
++ifeq ($(AUDITH), $(PREFIX)/include/libaudit.h)
+ 	override CFLAGS += -DUSE_AUDIT
+ 	LDLIBS += -laudit
+ endif
+-- 
+2.7.4
+
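Review bot: the header probes and their comparisons now use different roots: newrole, run_init and the top-level Makefile still compute `PAMH`/`AUDITH`/`INOTIFYH` with `ls $(DESTDIR)/usr/include/...`, while the `ifeq` lines compare against `$(PREFIX)/include/...`, so detection only works while PREFIX keeps its default of `$(DESTDIR)/usr`; use `$(PREFIX)/include` in the `ls` calls too. The mcstrans/src/Makefile part only reorders the installation-directory block and moves LIBDIR under $(PREFIX), yet mcstrans is built neither by POLICYCOREUTILS_MAKE_DIRS nor by HOST_POLICYCOREUTILS_MAKE_DIRS (the v4 -> v5 changelog says mcstrans support was removed), so that part can be dropped. Minor: `LOCALEDIR =  $(PREFIX)/share/locale` in newrole/Makefile has a double space.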
diff --git a/package/policycoreutils/0003-Remove-hardcoded-arch-variable.patch b/package/policycoreutils/0003-Remove-hardcoded-arch-variable.patch
new file mode 100644
index 0000000..bf48051
--- /dev/null
+++ b/package/policycoreutils/0003-Remove-hardcoded-arch-variable.patch
@@ -0,0 +1,43 @@
+From 7424f2bea0cb412e96202f596ad8077131589f40 Mon Sep 17 00:00:00 2001
+From: Adam Duskett <Aduskett@gmail.com>
+Date: Thu, 14 Jul 2016 13:18:24 -0400
+Subject: [PATCH 3/5] Remove hardcoded arch variable.
+
+Allow the ARCH value to be passed in as original configuration was
+solely based on host architecture.
+
+This patch was updated to work with version 2.5
+
+Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>
+Signed-off-by: Adam Duskett <AdamDuskett@outlook.com>
+Signed-off-by: Adam Duskett <Aduskett@gmail.com>
+---
+ policycoreutils/mcstrans/src/Makefile   | 1 -
+ policycoreutils/mcstrans/utils/Makefile | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/mcstrans/src/Makefile b/mcstrans/src/Makefile
+index 6fda57e..7b4489f 100644
+--- a/mcstrans/src/Makefile
++++ b/mcstrans/src/Makefile
+@@ -1,4 +1,3 @@
+-ARCH = $(shell uname -i)
+ # Installation directories.
+ PREFIX  ?= $(DESTDIR)/usr
+ SBINDIR ?= $(DESTDIR)/sbin
+diff --git a/mcstrans/utils/Makefile b/mcstrans/utils/Makefile
+index 1ffb027..912fe12 100644
+--- a/mcstrans/utils/Makefile
++++ b/mcstrans/utils/Makefile
+@@ -2,7 +2,6 @@
+ PREFIX ?= $(DESTDIR)/usr
+ BINDIR ?= $(PREFIX)/sbin
+ 
+-ARCH = $(shell uname -i)
+ ifeq "$(ARCH)" "x86_64"
+         # In case of 64 bit system, use these lines
+         LIBDIR=/usr/lib64
+-- 
+2.7.4
+
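Review bot: with `ARCH = $(shell uname -i)` removed, ARCH comes from the make command line (BR2_ARCH for the target, HOSTARCH for the host), but the remaining `ifeq "$(ARCH)" "x86_64"` / "i686" / "i386" chain in mcstrans/utils/Makefile leaves LIBDIR unset for any other architecture and, as the context line shows, still hardcodes `LIBDIR=/usr/lib64`; since mcstrans is in neither MAKE_DIRS list this is dead code, so either drop 0003 (together with the mcstrans parts of 0002) or finish the conversion. The Subject still carries the `[PATCH 3/5]` numbering that the v10 -> v11 changelog says was removed.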
diff --git a/package/policycoreutils/0004-Change-sepolicy-python-install-arguments-to-be-a-var.patch b/package/policycoreutils/0004-Change-sepolicy-python-install-arguments-to-be-a-var.patch
new file mode 100644
index 0000000..7c4b417
--- /dev/null
+++ b/package/policycoreutils/0004-Change-sepolicy-python-install-arguments-to-be-a-var.patch
@@ -0,0 +1,42 @@
+From 27fd1c85ca95b5d66ab0241a08242a75b60b375c Mon Sep 17 00:00:00 2001
+From: Adam Duskett <Aduskett@gmail.com>
+Date: Thu, 14 Jul 2016 13:22:57 -0400
+Subject: [PATCH 4/5] Change sepolicy python install arguments to be a variable
+
+To allow the python install arguments to be overwritten, change the
+arguments to be a variable. This also cleans up the DESTDIR detection a
+little bit.
+
+Updated to work with version 2.5
+
+Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+Signed-off-by: Adam Duskett <AdamDuskett@outlook.com>
+Signed-off-by: Adam Duskett <Aduskett@gmail.com>
+---
+ policycoreutils/sepolicy/Makefile | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/sepolicy/Makefile b/sepolicy/Makefile
+index a16f8de..2013301 100644
+--- a/sepolicy/Makefile
++++ b/sepolicy/Makefile
+@@ -1,4 +1,7 @@
+ PYTHON ?= python
++ifneq ($(DESTDIR),)
++PYTHON_INSTALL_ARGS ?= --root $(DESTDIR)
++endif
+ 
+ # Installation directories.
+ PREFIX ?= $(DESTDIR)/usr
+@@ -32,7 +35,7 @@ test:
+ 	@$(PYTHON) test_sepolicy.py -v
+ 
+ install:
+-	$(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
++	$(PYTHON) setup.py install $(PYTHON_INSTALL_ARGS)
+ 	[ -d $(BINDIR) ] || mkdir -p $(BINDIR)
+ 	install -m 755 sepolicy.py $(BINDIR)/sepolicy
+ 	(cd $(BINDIR); ln -sf sepolicy sepolgen)
+-- 
+2.7.4
+
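Review bot: `PYTHON_INSTALL_ARGS ?= --root $(DESTDIR)` changes behaviour slightly and the description should say so: the old backtick expression always added `--root` whenever DESTDIR was set, whereas `?=` yields to any command-line value, including an empty one, which is exactly what policycoreutils.mk relies on when it passes PYTHON_INSTALL_ARGS="$(HOST_PKG_PYTHON_DISTUTILS_INSTALL_OPTS)". The `ifneq ($(DESTDIR),)` guard is redundant now that 0001 makes DESTDIR mandatory, but harmless.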
diff --git a/package/policycoreutils/0005-Check-to-see-if-DBUS-is-enabled.patch b/package/policycoreutils/0005-Check-to-see-if-DBUS-is-enabled.patch
new file mode 100644
index 0000000..1e57af1
--- /dev/null
+++ b/package/policycoreutils/0005-Check-to-see-if-DBUS-is-enabled.patch
@@ -0,0 +1,56 @@
+From d1bc28c5b2efe60a0ee04d9c171928d0f3475654 Mon Sep 17 00:00:00 2001
+From: Adam Duskett <Aduskett@gmail.com>
+Date: Thu, 14 Jul 2016 13:26:23 -0400
+Subject: [PATCH 5/5] Check to see if DBUS is enabled.
+
+Adds a condition to prevent linking against dbus when at build time
+dbus has not been enabled.
+
+Updated for 2.5.
+
+Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
+Signed-off-by: Adam Duskett <AdamDuskett@outlook.com>
+Signed-off-by: Adam Duskett <Aduskett@gmail.com>
+---
+ policycoreutils/restorecond/Makefile | 2 ++
+ policycoreutils/restorecond/user.c   | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/restorecond/Makefile b/restorecond/Makefile
+index 92a4a4d..95f38a6 100644
+--- a/restorecond/Makefile
++++ b/restorecond/Makefile
+@@ -11,8 +11,10 @@ autostart_DATA = sealertauto.desktop
+ INITDIR ?= $(DESTDIR)/etc/rc.d/init.d
+ SELINUXDIR = $(DESTDIR)/etc/selinux
+ 
++ifdef ENABLE_DBUS
+ DBUSFLAGS = -DHAVE_DBUS -I$(DESTDIR)/usr/include/dbus-1.0 -I$(DESTDIR)/usr/lib64/dbus-1.0/include -I$(DESTDIR)/usr/lib/dbus-1.0/include
+ DBUSLIB = -ldbus-glib-1 -ldbus-1
++endif
+ 
+ CFLAGS ?= -g -Werror -Wall -W
+ override CFLAGS += -I$(DESTDIR)/usr/include $(DBUSFLAGS) -I$(DESTDIR)/usr/include/glib-2.0 \
+diff --git a/restorecond/user.c b/restorecond/user.c
+index 714aae7..a04cddb 100644
+--- a/restorecond/user.c
++++ b/restorecond/user.c
+@@ -54,7 +54,6 @@ static const char *PATH="/org/selinux/Restorecond";
+ static const char *INTERFACE="org.selinux.RestorecondIface";
+ static const char *RULE="type='signal',interface='org.selinux.RestorecondIface'";
+ 
+-static int local_lock_fd = -1;
+ 
+ static DBusHandlerResult
+ signal_filter (DBusConnection *connection  __attribute__ ((__unused__)), DBusMessage *message, void *user_data)
+@@ -101,6 +100,7 @@ static int dbus_server(GMainLoop *loop) {
+ #include <selinux/selinux.h>
+ #include <sys/file.h>
+ 
++static int local_lock_fd = -1;
+ /* size of the event structure, not counting name */
+ #define EVENT_SIZE  (sizeof (struct inotify_event))
+ /* reasonable guess as to size of 1024 events */
+-- 
+2.7.4
+
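Review bot: the `ifdef ENABLE_DBUS` guard is never satisfied by this series: policycoreutils.mk passes no ENABLE_DBUS in either POLICYCOREUTILS_MAKE_OPTS or HOST_POLICYCOREUTILS_MAKE_OPTS, so HAVE_DBUS is never defined, restorecond is always built without D-Bus, and the host-dbus-glib dependency in the .mk is dead weight; either add `ENABLE_DBUS=y` to HOST_POLICYCOREUTILS_MAKE_OPTS (and a target option that selects dbus-glib) or drop that dependency. Moving `static int local_lock_fd = -1;` out of the block holding the D-Bus-specific definitions in user.c is the right fix for the non-dbus build; add a blank line before the following comment to match the surrounding style.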
diff --git a/package/policycoreutils/Config.in b/package/policycoreutils/Config.in
new file mode 100644
index 0000000..519d1d9
--- /dev/null
+++ b/package/policycoreutils/Config.in
@@ -0,0 +1,59 @@
+config BR2_PACKAGE_POLICYCOREUTILS
+	bool "policycoreutils"
+	select BR2_PACKAGE_LIBSEMANAGE
+	select BR2_PACKAGE_LIBCAP_NG
+	select BR2_PACKAGE_GETTEXT if BR2_NEEDS_GETTEXT
+	depends on BR2_TOOLCHAIN_HAS_THREADS # libsemanage
+	depends on !BR2_STATIC_LIBS #libsemanage
+	depends on !BR2_arc #libsemanage
+	depends on BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL # uses fts.h
+	help
+	  Policycoreutils is a collection of policy utilities (originally
+	  the "core" set of utilities needed to use SELinux, although it
+	  has grown a bit over time), which have different dependencies.
+	  sestatus, secon, run_init, and newrole only use libselinux.
+	  load_policy and setfiles only use libselinux and libsepol.
+	  semodule and semanage use libsemanage (and thus bring in
+	  dependencies on libsepol and libselinux as well). setsebool
+	  uses libselinux to make non-persistent boolean changes (via
+	  the kernel interface) and uses libsemanage to make persistent
+	  boolean changes.
+
+	  The base package will install the following utilities:
+	      load_policy
+	      newrole
+	      restorecond
+	      run_init
+	      secon
+	      semodule
+	      semodule_deps
+	      semodule_expand
+	      semodule_link
+	      semodule_package
+	      sepolgen-ifgen
+	      sestatus
+	      setfiles
+	      setsebool
+
+	  http://selinuxproject.org/page/Main_Page
+
+comment "policycoreutils needs a glibc or musl toolchain w/ threads"
+	depends on !BR2_TOOLCHAIN_HAS_THREADS  \
+		|| !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL)
+
+if BR2_PACKAGE_POLICYCOREUTILS
+
+config BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND
+	bool "restorecond Utility"
+	select BR2_PACKAGE_LIBGLIB2 #glib2
+	depends on BR2_USE_WCHAR # glib2
+	depends on BR2_TOOLCHAIN_HAS_THREADS # glib2
+	depends on BR2_USE_MMU # glib2
+	help
+	  Enable restorecond to be built
+
+comment "restorecond needs a toolchain w/ wchar, threads"
+	depends on BR2_USE_MMU
+	depends on !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS
+
+endif
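Review bot: the help text lists restorecond among the utilities installed by the base package, but restorecond is only built when BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND is enabled (POLICYCOREUTILS_MAKE_DIRS adds it conditionally), so move it out of that list or mark it optional. The toolchain comment omits the `!BR2_STATIC_LIBS` and `!BR2_arc` conditions the config depends on; Buildroot's convention is `depends on !BR2_arc` on the comment, `|| BR2_STATIC_LIBS` in its expression and "dynamic library" in the text. Minor: the `#libsemanage` / `#glib2` comments lack the space after `#` used on the other lines.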
diff --git a/package/policycoreutils/policycoreutils.hash b/package/policycoreutils/policycoreutils.hash
new file mode 100644
index 0000000..44cb0c3
--- /dev/null
+++ b/package/policycoreutils/policycoreutils.hash
@@ -0,0 +1,2 @@
+# https://github.com/SELinuxProject/selinux/wiki/Releases
+sha256 329382cfe9fa977678abf541dcd8fe3847cf0c83b24654c8f7322343907078a1 policycoreutils-2.5.tar.gz
diff --git a/package/policycoreutils/policycoreutils.mk b/package/policycoreutils/policycoreutils.mk
new file mode 100644
index 0000000..6611cdb
--- /dev/null
+++ b/package/policycoreutils/policycoreutils.mk
@@ -0,0 +1,111 @@
+################################################################################
+#
+# policycoreutils
+#
+################################################################################
+
+POLICYCOREUTILS_VERSION = 2.5
+POLICYCOREUTILS_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223
+POLICYCOREUTILS_LICENSE = GPLv2
+POLICYCOREUTILS_LICENSE_FILES = COPYING
+
+# gettext for load_policy.c use of libintl_* functions
+POLICYCOREUTILS_DEPENDENCIES = libsemanage libcap-ng $(if $(BR2_NEEDS_GETTEXT),gettext)
+
+ifeq ($(BR2_PACKAGE_LINUX_PAM),y)
+POLICYCOREUTILS_DEPENDENCIES += linux-pam
+POLICYCOREUTILS_MAKE_OPTS += NAMESPACE_PRIV=y
+define POLICYCOREUTILS_INSTALL_TARGET_LINUX_PAM_CONFS
+	$(INSTALL) -D -m 0644 $(@D)/newrole/newrole-lspp.pamd $(TARGET_DIR)/etc/pam.d/newrole
+	$(INSTALL) -D -m 0644 $(@D)/run_init/run_init.pamd $(TARGET_DIR)/etc/pam.d/run_init
+endef
+endif
+
+ifeq ($(BR2_PACKAGE_AUDIT),y)
+POLICYCOREUTILS_DEPENDENCIES += audit
+POLICYCOREUTILS_MAKE_OPTS += AUDIT_LOG_PRIV=y
+endif
+
+# Enable LSPP_PRIV if both audit and linux pam are enabled
+ifeq ($(BR2_PACKAGE_LINUX_PAM)$(BR2_PACKAGE_AUDIT),yy)
+POLICYCOREUTILS_MAKE_OPTS += LSPP_PRIV=y
+endif
+
+# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h
+# large file support.
+# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more information
+POLICYCOREUTILS_MAKE_OPTS += \
+	CC="$(TARGET_CC)" \
+	CFLAGS="$(TARGET_CFLAGS) -U_FILE_OFFSET_BITS" \
+	LDFLAGS="$(TARGET_LDFLAGS) $(if $(BR2_NEEDS_GETTEXT),-lintl)" \
+	ARCH="$(BR2_ARCH)" 
+
+POLICYCOREUTILS_MAKE_DIRS = load_policy newrole run_init \
+	secon semodule semodule_deps semodule_expand semodule_link \
+	semodule_package sepolgen-ifgen sestatus setfiles setsebool
+
+ifeq ($(BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND),y)
+POLICYCOREUTILS_MAKE_DIRS += restorecond
+endif
+#The source has been patched to require a DESTDIR path which is
+#prefixed to all filesystem paths which were by default hardcoded to
+#host system paths.
+define POLICYCOREUTILS_BUILD_CMDS
+	for dir in $(POLICYCOREUTILS_MAKE_DIRS) ; do \
+		$(MAKE) -C $(@D)/$${dir} $(POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(STAGING_DIR) all || exit 1 ; \
+	done
+endef
+
+define POLICYCOREUTILS_INSTALL_TARGET_CMDS
+	for dir in $(POLICYCOREUTILS_MAKE_DIRS) ; do \
+		$(MAKE) -C $(@D)/$${dir} $(POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(TARGET_DIR) install || exit 1 ; \
+	done
+endef
+
+HOST_POLICYCOREUTILS_DEPENDENCIES = host-libsemanage host-dbus-glib host-sepolgen host-setools
+
+# Undefining _FILE_OFFSET_BITS here because of a "bug" with glibc fts.h
+# large file support.
+# See https://bugzilla.redhat.com/show_bug.cgi?id=574992 for more information
+HOST_POLICYCOREUTILS_MAKE_OPTS = \
+	CC="$(HOSTCC)" \
+	CFLAGS="$(HOST_CFLAGS) -U_FILE_OFFSET_BITS" \
+	PYTHON="$(HOST_DIR)/usr/bin/python" \
+	PYTHON_INSTALL_ARGS="$(HOST_PKG_PYTHON_DISTUTILS_INSTALL_OPTS)" \
+	ARCH="$(HOSTARCH)" \
+	LDFLAGS="$(HOST_LDFLAGS)"
+
+ifeq ($(BR2_PACKAGE_PYTHON3),y)
+HOST_POLICYCOREUTILS_DEPENDENCIES += host-python3
+HOST_POLICYCOREUTILS_MAKE_OPTS += \
+	PYLIBVER="python$(PYTHON3_VERSION_MAJOR)"
+else
+HOST_POLICYCOREUTILS_DEPENDENCIES += host-python
+HOST_POLICYCOREUTILS_MAKE_OPTS += \
+	PYLIBVER="python$(PYTHON_VERSION_MAJOR)"
+endif
+
+# Note: We are only building the programs required by the refpolicy build
+HOST_POLICYCOREUTILS_MAKE_DIRS = load_policy semodule semodule_deps semodule_expand semodule_link \
+	semodule_package setfiles restorecond audit2allow scripts semanage sepolicy
+
+define HOST_POLICYCOREUTILS_BUILD_CMDS
+	for dir in $(HOST_POLICYCOREUTILS_MAKE_DIRS) ; do \
+		$(MAKE) -C $(@D)/$${dir} $(HOST_POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(HOST_DIR) all || exit 1 ; \
+	done
+endef
+#The source has been patched to require a DESTDIR path which is
+#prefixed to all filesystem paths which were by default hardcoded to
+#host system paths.
+define HOST_POLICYCOREUTILS_INSTALL_CMDS
+	for dir in $(HOST_POLICYCOREUTILS_MAKE_DIRS) ; do \
+		$(MAKE) -C $(@D)/$${dir} $(HOST_POLICYCOREUTILS_MAKE_OPTS) DESTDIR=$(HOST_DIR) install || exit 1 ; \
+	done
+	# Fix python paths
+	$(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g' $(HOST_DIR)/usr/bin/audit2allow
+	$(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g' $(HOST_DIR)/usr/bin/sepolgen-ifgen
+	$(SED) 's%/usr/bin/%$(HOST_DIR)/usr/bin/%g' $(HOST_DIR)/usr/bin/sepolicy
+endef
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
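Review bot: the host directory list HOST_POLICYCOREUTILS_MAKE_DIRS includes restorecond, although the comment just above it says only the programs required by the refpolicy build are built; restorecond is the runtime daemon that the target side already makes optional through BR2_PACKAGE_POLICYCOREUTILS_RESTORECOND, and it appears to be the only listed component that needs the host-dbus-glib entry in HOST_POLICYCOREUTILS_DEPENDENCIES. Suggest dropping it from the host list (and host-dbus-glib with it, if nothing else pulls it in). Two style points in the same region: `ARCH="$(BR2_ARCH)" ` at the end of POLICYCOREUTILS_MAKE_OPTS carries trailing whitespace after the closing quote, and the three comment lines beginning `#The source has been patched` (present twice, once before each install/build block) lack the space after `#` that the other comments in the file use.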
-- 
1.9.1


* [Buildroot] [PATCH v13 2/8] refpolicy: new package
  2016-10-25 19:26 [Buildroot] [PATCH v13 1/8] policycoreutils: new package Bryce Ferguson
@ 2016-10-25 19:26 ` Bryce Ferguson
  2016-12-12 22:21   ` Thomas Petazzoni
  2016-10-25 19:26 ` [Buildroot] [PATCH v13 3/8] linux-pam: add system auth file and host variant Bryce Ferguson
                   ` (6 subsequent siblings)
  7 siblings, 1 reply; 24+ messages in thread
From: Bryce Ferguson @ 2016-10-25 19:26 UTC (permalink / raw)
  To: buildroot

From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>

The patch is for adding the SELinux reference policy (refpolicy).
It is a complete SELinux policy that can be used as the system policy
for a variety of systems and used as the basis for creating other policies.

Changes were made to this patch in between versions 12 and 13 for which
the change history can be found here: https://patchwork.ozlabs.org/patch/649175/

Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
Reviewed-by: Samuel Martin <s.martin49@gmail.com>
Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>
Signed-off-by: David Graziano <david.graziano@rockwellcollins.com>
Signed-off-by: Bryce Ferguson <bryce.ferguson@rockwellcollins.com>

---
Changes: v12 -> v13:
  - Incorporated changes found here: https://patchwork.ozlabs.org/patch/649175/

Changes v11 -> v12:
  - No changes

Changes v10 -> v11:
  - Removed refpolicy-contrib package to maintain it as a separate patch (suggested by Thomas)
  - Removed /sbin/restorecon condition check and added comments in S00selinux (how /proc/mounts are used to
    discover tmpfs mounts)
  - Removed variable REFPOLICY_POLICY_COMPILE and made minor indentation changes (suggested by Thomas).

Changes v9 -> v10:
  - Removed trailing slash at the end (REFPOLICY_SITE = http://oss.tresys.com/files/refpolicy)
  - Adds new menu option to select the SELinux state to be written
    to the /etc/selinux/config file for the target (D. Graziano)

Changes v8 -> v9:
  - Minor nit picks on spacing (Suggested by Samuel)

Changes v7 -> v8:
  - Changes REFPOLICY_MAKE_CMDS to REFPOLICY_MAKE_OPTS (Suggested by
    Samuel)
  - Added a help section to the custom git repo to explain why the
    refpolicy-contrib option is needed (Suggested by Samuel)
  - Added rsync exclusions to ensure no unneeded files are copied during
    the refpolicy-contrib sync (Suggested by Samuel)

Changes v6 -> v7:
  - Moving the refpolicy patch into a version specific folder to
    prevent it from being applied to the custom git repos. (Clayton S.)

Changes v5 -> v6:
  - Fixed references to GIT in config files (Suggested by Ryan B.)
  - Removed execute permissions on files (Suggested by Ryan B.)
  - Fixed spelling error and changed staging install to always install
    the documentation (Suggested by Samuel)

Changes v4 -> v5:
  - Removed TODO and dependency on glibc (Matt W.)
  - Added lib depends to meet policycoreutils limitation on std lib
    (Matt W.)
  - Added comment for when an option is not defined (Matt W.)
  - Removed largefile, locale, and wchar dependencies (Clayton S.)
  - Remove dependency on host-python-pyxml (Ryan B.)
  - Forced package to use $(HOST_DIR)/usr/bin/python2 for python
    executable (Ryan B.)
  - Added host-python dependency (Clayton S.)
  - Removed config menu (suggested by Thomas P.)
  - Added patch to fix awk issue (Clayton S.)

Changes v3 -> v4:
  - Added a dependency on host-gawk and correct the awk calls
    in the makefile to use $(AWK)
  - Changed the default policy name to br_policy to differentiate
    the policy generated from refpolicy
  - Added a install step to create a /.autorelabel file to cause
    the file system to be relabeled by S12SELinux init script
  - Adding a default modules.conf file with an option to specify
    a different one. This will decrease the build time for
    refpolicy by removing unused policies. (implemented by
    Thomas P.)
  - Cleaned up the configure comments (implemented by Thomas).
  - Added a check to only install the documentation if the
    Buildroot option is enabled
  - Removed the build because the install step completes the
    same process. Also removed the clean step because it is
    being removed globally from buildroot (implemented by
    Thomas P.)
  - Added more error handling to the startup script to print
    a warning if SELinux fails to install the policy if it
    exists. This can be caused by the kernel not being configured
    with SELinux enabled

Changes v2 -> v3:
  - Changes patch naming convention (suggested by Thomas P.)
  - Added dependencies on BR2_TOOLCHAIN_HAS_THREADS and
    BR2_LARGEFILE (suggested by Thomas P.)
  - Removed configure option for a specific patch folder
    (suggested by Thomas P.)
  - Removed distribution configuration option (suggested by Thomas)
  - Changed the monolithic configuration option to a modular
    configuration option (suggested by Thomas P.)
  - Removed the refpolicy name option (suggested by Thomas P.)
  - Corrected grammatical and comment errors (suggested by Thomas P.)
  - Multiple style corrections to the mk file (suggested by Thomas P.)
  - Added a comment to clarify the usage of the host build
    options for a target build

Changes v1 -> v2:
  - General cleanup to the mk file to conform to the standard format
  - Fixed the patch naming to match the standard 4 digit numbering
  - Changed package dependencies into selects in the config
---
 package/Config.in                                  |    1 +
 .../0001-Fix-awk-references-to-use-variable.patch  |   42 +
 package/refpolicy/Config.in                        |  146 +++
 package/refpolicy/S00selinux                       |  126 ++
 package/refpolicy/booleans.conf                    | 1278 ++++++++++++++++++++
 package/refpolicy/config                           |    8 +
 package/refpolicy/modules.conf                     |  430 +++++++
 package/refpolicy/refpolicy.hash                   |    2 +
 package/refpolicy/refpolicy.mk                     |  111 ++
 9 files changed, 2144 insertions(+)
 create mode 100644 package/refpolicy/0001-Fix-awk-references-to-use-variable.patch
 create mode 100644 package/refpolicy/Config.in
 create mode 100644 package/refpolicy/S00selinux
 create mode 100644 package/refpolicy/booleans.conf
 create mode 100644 package/refpolicy/config
 create mode 100644 package/refpolicy/modules.conf
 create mode 100644 package/refpolicy/refpolicy.hash
 create mode 100644 package/refpolicy/refpolicy.mk

diff --git a/package/Config.in b/package/Config.in
index 8091e33..853fc6e 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1658,6 +1658,7 @@ endmenu
 
 menu "Security"
 	source "package/policycoreutils/Config.in"
+	source "package/refpolicy/Config.in"
 	source "package/setools/Config.in"
 endmenu
 
diff --git a/package/refpolicy/0001-Fix-awk-references-to-use-variable.patch b/package/refpolicy/0001-Fix-awk-references-to-use-variable.patch
new file mode 100644
index 0000000..8236fa2
--- /dev/null
+++ b/package/refpolicy/0001-Fix-awk-references-to-use-variable.patch
@@ -0,0 +1,42 @@
+From 1d4c826e8de366bccb93f167cd9be834ab5911c8 Mon Sep 17 00:00:00 2001
+From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+Date: Fri, 8 May 2015 14:13:00 -0500
+Subject: [PATCH] Fix awk references to use variable
+
+Ensure all awk calls use the variable setup in the makefile rather than
+relying on the system.
+
+Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+---
+ Makefile | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 85d4cfb..3aa4b51 100644
+--- a/Makefile
++++ b/Makefile
+@@ -292,9 +292,9 @@ cmdline_mods := $(addsuffix .te,$(APPS_MODS))
+ cmdline_off := $(addsuffix .te,$(APPS_OFF))
+ 
+ # extract settings from modules.conf
+-mod_conf_base := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configbase)") print $$1 }' $(mod_conf) 2> /dev/null)))
+-mod_conf_mods := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configmod)") print $$1 }' $(mod_conf) 2> /dev/null)))
+-mod_conf_off := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configoff)") print $$1 }' $(mod_conf) 2> /dev/null)))
++mod_conf_base := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configbase)") print $$1 }' $(mod_conf) 2> /dev/null)))
++mod_conf_mods := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configmod)") print $$1 }' $(mod_conf) 2> /dev/null)))
++mod_conf_off := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configoff)") print $$1 }' $(mod_conf) 2> /dev/null)))
+ 
+ base_mods := $(cmdline_base)
+ mod_mods := $(cmdline_mods)
+@@ -308,7 +308,7 @@ off_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_c
+ off_mods += $(filter-out $(base_mods) $(mod_mods) $(off_mods),$(notdir $(detected_mods)))
+ 
+ # filesystems to be used in labeling targets
+-filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
++filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | $(AWK) '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
+ fs_names := "btrfs ext2 ext3 ext4 xfs jfs"
+ 
+ ########################################
+-- 
+1.9.1
+
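Review bot: the patch description says nothing about whether this change was sent to the refpolicy project, which is customary for Buildroot package patches and saves the next person bumping the version from having to find out; a line stating the upstream status (submitted, merged, or Buildroot-specific) would do. The substitution is correct only if the refpolicy Makefile defines AWK, so the v3 -> v4 changelog entry about adding host-gawk and passing $(AWK) is the thing to re-check whenever this patch is refreshed. Note also that the `filesystems = $(shell mount | ...)` line still shells out to `mount` on whatever machine runs make, so the Buildroot side must never invoke refpolicy's labeling targets during a cross build.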
diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
new file mode 100644
index 0000000..5a46829
--- /dev/null
+++ b/package/refpolicy/Config.in
@@ -0,0 +1,146 @@
+config BR2_PACKAGE_REFPOLICY
+	bool "refpolicy"
+	select BR2_PACKAGE_POLICYCOREUTILS
+	select BR2_PACKAGE_BUSYBOX_SELINUX if BR2_PACKAGE_BUSYBOX
+	depends on BR2_TOOLCHAIN_HAS_THREADS # policycoreutils
+	depends on BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL # policycoreutils
+	help
+	  The SELinux Reference Policy project (refpolicy) is a
+	  complete SELinux policy that can be used as the system
+	  policy for a variety of systems and used as the basis
+	  for creating other policies. Reference Policy was originally
+	  based on the NSA example policy, but aims to accomplish
+	  many additional goals.
+
+	  The current refpolicy does not fully support Buildroot
+	  and needs modifications to work with the default system
+	  file layout. These changes should be added as patches to
+	  the refpolicy that modify a single SELinux policy.
+
+	  The refpolicy works for the most part in permissive mode. Only the
+	  basic set of utilities are enabled in the example policy config and
+	  some of the pathing in the policies is not correct. Individual
+	  policies would need to be tweaked to get everything functioning
+	  properly.
+
+comment "refpolicy needs a toolchain w/ threads, glibc or musl"
+	depends on !BR2_TOOLCHAIN_HAS_THREADS \
+		|| !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL)
+
+if BR2_PACKAGE_REFPOLICY
+
+choice
+prompt "SELinux policy type"
+default BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
+
+config BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
+bool "Standard"
+help
+Standard SELinux policy
+
+config BR2_PACKAGE_REFPOLICY_TYPE_MCS
+bool "MCS"
+help
+SELinux policy with multi-catagory support
+
+config BR2_PACKAGE_REFPOLICY_TYPE_MLS
+bool "MLS"
+help
+SELinux policy with multi-catagory and multi-level support
+endchoice
+
+config BR2_PACKAGE_REFPOLICY_TYPE
+	string
+	default "standard" if BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
+	default "mcs" if BR2_PACKAGE_REFPOLICY_TYPE_MCS
+	default "mls" if BR2_PACKAGE_REFPOLICY_TYPE_MLS
+
+choice
+prompt "SELinux default state"
+default BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE
+
+config BR2_PACKAGE_REFPOLICY_STATE_ENFORCE
+bool "Enforcing"
+help
+SELinux security policy is enforced
+
+config BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE
+bool "Permissive"
+help
+SELinux prints warnings instead of enforcing
+
+config BR2_PACKAGE_REFPOLICY_STATE_DISABLE
+bool "Disabled"
+help
+No SELinux policy is loaded
+endchoice
+
+config BR2_PACKAGE_REFPOLICY_NAME
+	string "Custom policy Name"
+	default "Buildroot"
+
+config BR2_PACKAGE_REFPOLICY_STATE
+	string
+	default "permissive" if BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE
+	default "enforcing" if BR2_PACKAGE_REFPOLICY_STATE_ENFORCE
+	default "disabled" if BR2_PACKAGE_REFPOLICY_STATE_DISABLE
+
+config BR2_PACKAGE_REFPOLICY_MODULES_FILE
+	string "Refpolicy modules configuration"
+	default "package/refpolicy/modules.conf"
+	help
+	  Location of a custom modules.conf file that lists the
+	  SELinux policy modules to be included in the compiled
+	  policy. See policy/modules.conf in the refpolicy sources for
+	  the complete list of available modules.
+	  NOTE: This file is only used if a Custom Git repo is
+	  not specified.
+
+config BR2_PACKAGE_REFPOLICY_BOOLEAN_FILE
+	string "Refpolicy boolean configuration"
+	default "package/refpolicy/booleans.conf"
+	help
+	  Location of a custom booleans.conf file that lists the
+	  SELinux booleans to be set in the compiled
+	  policy. See policy/booleans.conf in the refpolicy sources for
+	  the complete list of available modules.
+	  NOTE: This file is only used if a Custom Git repo is
+	  not specified.
+
+config BR2_PACKAGE_REFPOLICY_MODULAR
+	bool "Build a modular SELinux policy"
+	help
+	  Select Y to build a modular SELinux policy. By default,
+	  a monolithic policy will be built to save space on the
+	  target. A modular policy can also be built if policies
+	  need to be modified without reloading the target.
+
+config BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
+	bool "Custom Git repository"
+	select BR2_PACKAGE_REFPOLICY_CONTRIB
+	help
+	 This option allows Buildroot to get the refpolicy source
+	 code from a Git repository. This option should generally
+	 be used to add custom SELinux policy to the base refpolicy
+	 without having to deal with lots of patches.
+
+	 Please note that with the current configuration of the
+	 mainline refpolicy git repositories, a refpolicy and a
+	 refpolicy-contrib git repo must be specified. These are
+	 linked using a git submodule which does not get initialized
+	 during the Buildroot build.
+
+if BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
+
+config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL
+	string "URL of custom repository"
+
+config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION
+	string "Custom repository version"
+	help
+	  Revision to use in the typical format used by Git
+	  e.g. a SHA id, a tag, branch, ..
+
+endif
+
+endif
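Review bot: BR2_PACKAGE_REFPOLICY_CUSTOM_GIT selects BR2_PACKAGE_REFPOLICY_CONTRIB, but no such symbol is defined in this patch (the v10 -> v11 changelog says the refpolicy-contrib package was split out into a separate patch), so Kconfig will warn about a select of an undefined symbol, and the second paragraph of that option's help text, which explains why a refpolicy-contrib repository must be given, no longer matches what the option does; either drop the select and the paragraph here or move them along with the contrib patch. Style points in the same file: the two `choice` blocks (SELinux policy type and SELinux default state) are not tab-indented like the rest of the file, the help text of BR2_PACKAGE_REFPOLICY_CUSTOM_GIT is indented with one space instead of two, "multi-catagory" should be "multi-category" (twice), the BR2_PACKAGE_REFPOLICY_BOOLEAN_FILE help ends with "the complete list of available modules" where it means booleans, and BR2_PACKAGE_REFPOLICY_NAME has no help text. Since the default state is Permissive, it is worth saying in the Enforcing help that denials are only enforced when that entry is selected explicitly.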
diff --git a/package/refpolicy/S00selinux b/package/refpolicy/S00selinux
new file mode 100644
index 0000000..4faccfb
--- /dev/null
+++ b/package/refpolicy/S00selinux
@@ -0,0 +1,126 @@
+#!/bin/sh
+################################################################################
+#
+# This file labels the security contexts of memory based filesystems such as
+# /dev/ and checks for auto relabel request if '/.autorelabel' file exists.
+#
+# This script is a heavily stripped down and modified version of the one used
+# in CentOS 6.2
+#
+################################################################################
+
+failed()
+{
+   echo $1
+   exit 1
+}
+
+# Get SELinux config env vars
+. /etc/selinux/config || failed "Failed to source the SELinux config"
+
+setup_selinux() {
+   # Create required directories
+   mkdir -p /etc/selinux/${SELINUXTYPE}/policy/ ||
+         failed "Failed to create the policy folder"
+   mkdir -p /etc/selinux/${SELINUXTYPE}/modules/active/modules || \
+         failed "Failed to create the modules folder"
+   if [ ! -f /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local ]
+   then
+      touch /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local || \
+            failed "Failed to create the file_contexts.local file"
+   fi
+
+   # Load the policy to activate it
+   load_policy -i || failed "Failed to load the SELinux policy"
+}
+
+relabel_selinux() {
+   # if /sbin/init is not labeled correctly this process is running in the
+   # wrong context, so a reboot will be required after relabel
+   AUTORELABEL=
+
+   # Switch to Permissive mode
+   echo "0" > /sys/fs/selinux/enforce || failed "Failed to disable enforcing mode"
+
+   echo
+   echo "*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
+   echo "*** Relabeling could take a very long time, depending on file"
+   echo "*** system size and speed of hard drives."
+
+   # Relabel mount points
+   restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) \
+         >/dev/null 2>&1 || failed "Failed to relabel the mount points"
+
+   # Relabel file system
+   echo "Relabeling file systems"
+   restorecon -R -F / || failed "Failed to relabel the file system"
+
+   # Remove label
+   rm -f  /.autorelabel || failed "Failed to remove the autorelabel flag"
+
+   # Reboot to activate relabeled file system
+   echo "Automatic reboot in progress."
+   reboot -f
+}
+
+start() {
+   printf "Initializing SELinux: "
+
+   # Check to see if the default policy has been installed
+   if [ "`sestatus | grep "SELinux status" | grep enabled`" == "" ]; then
+      if [ ! -f /etc/selinux/${SELINUXTYPE}/policy/policy.* ]
+      then
+         setup_selinux
+      else
+           # Load the policy to activate it
+           load_policy -i || failed "Failed to load the SELinux policy"
+      fi
+   fi
+
+   # Check SELinux status
+   SELINUX_STATE=
+   if [ -e "/selinux/enforce" ] && [ "$(cat /proc/self/attr/current)" != "kernel" ]; then
+      if [ -r "/selinux/enforce" ] ; then
+         SELINUX_STATE=$(cat "/selinux/enforce")
+      else
+         # assume enforcing if you can't read it
+         SELINUX_STATE=1
+      fi
+   fi
+
+   # Context Label /dev/
+      /sbin/restorecon -R -F /dev 2>/dev/null
+
+   # Context Label tmpfs mounts.
+   # using /proc/mounts to discover tmpfs mounts
+      /sbin/restorecon -R -F $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// && $3 =="tmpfs" { print $2 }' /etc/fstab) >/dev/null 2>&1
+
+   # Clean up SELinux labels
+      restorecon -F /etc/mtab /etc/ld.so.cache /etc/resolv.conf >/dev/null 2>&1
+
+   # Check for filesystem relabel request
+   if [ -f /.autorelabel ] ; then
+      relabel_selinux
+   fi
+
+   echo "OK"
+}
+stop() {
+   # There is nothing to do
+   echo "OK"
+}
+
+case "$1" in
+   start)
+      start
+      ;;
+   stop)
+      stop
+      ;;
+   *)
+      echo "Usage: $0 {start|stop}"
+      exit 1
+      ;;
+esac
+
+exit $?
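Review bot: the status check in start() reads /selinux/enforce, while relabel_selinux() writes /sys/fs/selinux/enforce; on a kernel with selinuxfs mounted at /sys/fs/selinux the `[ -e "/selinux/enforce" ]` test is always false, and the SELINUX_STATE it computes is never used afterwards, so the block should be dropped or pointed at /sys/fs/selinux/enforce. Further points: the comment "using /proc/mounts to discover tmpfs mounts" (and the v10 -> v11 changelog entry) sits over an awk invocation that reads /etc/fstab, so either the comment or the command is wrong; `[ "..." == "" ]` is not POSIX test syntax and dash rejects it, use `=`; `[ ! -f /etc/selinux/${SELINUXTYPE}/policy/policy.* ]` breaks with "too many arguments" as soon as more than one policy.N file exists, because the glob expands to several words; and the script sources /etc/selinux/config but never consults the state written there by BR2_PACKAGE_REFPOLICY_STATE, so with "Disabled" selected it still tries to load the policy and exits 1 instead of skipping. Finally, restorecon on /dev and on the tmpfs mounts has both stdout and stderr discarded, so a labeling failure there leaves no trace at boot; consider at least logging it.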
diff --git a/package/refpolicy/booleans.conf b/package/refpolicy/booleans.conf
new file mode 100644
index 0000000..31c70b9
--- /dev/null
+++ b/package/refpolicy/booleans.conf
@@ -0,0 +1,1278 @@
+#
+# Disable kernel module loading.
+# 
+secure_mode_insmod = false
+
+#
+# Boolean to determine whether the system permits loading policy, setting
+# enforcing mode, and changing boolean values.  Set this to true and you
+# have to reboot to set it back.
+# 
+secure_mode_policyload = false
+
+#
+# Enabling secure mode disallows programs, such as
+# newrole, from transitioning to administrative
+# user domains.
+# 
+secure_mode = false
+
+#
+# Control users use of ping and traceroute
+# 
+user_ping = false
+
+#
+# Determine whether ABRT can modify
+# public files used for public file
+# transfer services.
+# 
+abrt_anon_write = false
+
+#
+# Determine whether abrt-handle-upload
+# can modify public files used for public file
+# transfer services in /var/spool/abrt-upload/.
+# 
+abrt_upload_watch_anon_write = true
+
+#
+# Determine whether ABRT can run in
+# the abrt_handle_event_t domain to
+# handle ABRT event scripts.
+# 
+abrt_handle_event = false
+
+#
+# Determine whether amavis can
+# use JIT compiler.
+# 
+amavis_use_jit = false
+
+#
+# Determine whether httpd can modify
+# public files used for public file
+# transfer services. Directories/Files must
+# be labeled public_content_rw_t.
+# 
+allow_httpd_anon_write = false
+
+#
+# Determine whether httpd can use mod_auth_pam.
+# 
+allow_httpd_mod_auth_pam = false
+
+#
+# Determine whether httpd can use built in scripting.
+# 
+httpd_builtin_scripting = false
+
+#
+# Determine whether httpd can check spam.
+# 
+httpd_can_check_spam = false
+
+#
+# Determine whether httpd scripts and modules
+# can connect to the network using TCP.
+# 
+httpd_can_network_connect = true
+
+#
+# Determine whether httpd scripts and modules
+# can connect to cobbler over the network.
+# 
+httpd_can_network_connect_cobbler = false
+
+#
+# Determine whether scripts and modules can
+# connect to databases over the network.
+# 
+httpd_can_network_connect_db = false
+
+#
+# Determine whether httpd can connect to
+# ldap over the network.
+# 
+httpd_can_network_connect_ldap = false
+
+#
+# Determine whether httpd can connect
+# to memcache server over the network.
+# 
+httpd_can_network_connect_memcache = false
+
+#
+# Determine whether httpd can act as a relay.
+# 
+httpd_can_network_relay = false
+
+#
+# Determine whether httpd daemon can
+# connect to zabbix over the network.
+# 
+httpd_can_network_connect_zabbix = false
+
+#
+# Determine whether httpd can send mail.
+# 
+httpd_can_sendmail = false
+
+#
+# Determine whether httpd can communicate
+# with avahi service via dbus.
+# 
+httpd_dbus_avahi = false
+
+#
+# Determine wether httpd can use support.
+# 
+httpd_enable_cgi = false
+
+#
+# Determine whether httpd can act as a
+# FTP server by listening on the ftp port.
+# 
+httpd_enable_ftp_server = false
+
+#
+# Determine whether httpd can traverse
+# user home directories.
+# 
+httpd_enable_homedirs = false
+
+#
+# Determine whether httpd gpg can modify
+# public files used for public file
+# transfer services. Directories/Files must
+# be labeled public_content_rw_t.
+# 
+httpd_gpg_anon_write = false
+
+#
+# Determine whether httpd can execute
+# its temporary content.
+# 
+httpd_tmp_exec = false
+
+#
+# Determine whether httpd scripts and
+# modules can use execmem and execstack.
+# 
+httpd_execmem = true
+
+#
+# Determine whether httpd can connect
+# to port 80 for graceful shutdown.
+# 
+httpd_graceful_shutdown = false
+
+#
+# Determine whether httpd can
+# manage IPA content files.
+# 
+httpd_manage_ipa = false
+
+#
+# Determine whether httpd can use mod_auth_ntlm_winbind.
+# 
+httpd_mod_auth_ntlm_winbind = false
+
+#
+# Determine whether httpd can read
+# generic user home content files.
+# 
+httpd_read_user_content = true
+
+#
+# Determine whether httpd can change
+# its resource limits.
+# 
+httpd_setrlimit = false
+
+#
+# Determine whether httpd can run
+# SSI executables in the same domain
+# as system CGI scripts.
+# 
+httpd_ssi_exec = false
+
+#
+# Determine whether httpd can communicate
+# with the terminal. Needed for entering the
+# passphrase for certificates at the terminal.
+# 
+httpd_tty_comm = false
+
+#
+# Determine whether httpd can have full access
+# to its content types.
+# 
+httpd_unified = false
+
+#
+# Determine whether httpd can use
+# cifs file systems.
+# 
+httpd_use_cifs = false
+
+#
+# Determine whether httpd can
+# use fuse file systems.
+# 
+httpd_use_fusefs = false
+
+#
+# Determine whether httpd can use gpg.
+# 
+httpd_use_gpg = false
+
+#
+# Determine whether httpd can use
+# nfs file systems.
+# 
+httpd_use_nfs = false
+
+#
+# Determine whether awstats can
+# purge httpd log files.
+# 
+awstats_purge_apache_log_files = false
+
+#
+# Determine whether Bind can bind tcp socket to http ports.
+# 
+named_tcp_bind_http_port = false
+
+#
+# Determine whether Bind can write to master zone files.
+# Generally this is used for dynamic DNS or zone transfers.
+# 
+named_write_master_zones = false
+
+#
+# Determine whether boinc can execmem/execstack.
+# 
+boinc_execmem = true
+
+#
+# Determine whether cdrecord can read
+# various content. nfs, samba, removable
+# devices, user temp and untrusted
+# content files
+# 
+cdrecord_read_content = false
+
+#
+# Determine whether clamscan can
+# read user content files.
+# 
+clamav_read_user_content_files_clamscan = false
+
+#
+# Determine whether clamscan can read
+# all non-security files.
+# 
+clamav_read_all_non_security_files_clamscan = false
+
+#
+# Determine whether can clamd use JIT compiler.
+# 
+clamd_use_jit = false
+
+#
+# Determine whether Cobbler can modify
+# public files used for public file
+# transfer services.
+# 
+cobbler_anon_write = false
+
+#
+# Determine whether Cobbler can connect
+# to the network using TCP.
+# 
+cobbler_can_network_connect = false
+
+#
+# Determine whether Cobbler can access
+# cifs file systems.
+# 
+cobbler_use_cifs = false
+
+#
+# Determine whether Cobbler can access
+# nfs file systems.
+# 
+cobbler_use_nfs = false
+
+#
+# Determine whether collectd can connect
+# to the network using TCP.
+# 
+collectd_tcp_network_connect = false
+
+#
+# Determine whether Condor can connect
+# to the network using TCP.
+# 
+condor_tcp_network_connect = false
+
+#
+# Determine whether system cron jobs
+# can relabel filesystem for
+# restoring file contexts.
+# 
+cron_can_relabel = false
+
+#
+# Determine whether crond can execute jobs
+# in the user domain as opposed to the
+# the generic cronjob domain.
+# 
+cron_userdomain_transition = false
+
+#
+# Determine whether extra rules
+# should be enabled to support fcron.
+# 
+fcron_crond = false
+
+#
+# Determine whether cvs can read shadow
+# password files.
+# 
+allow_cvs_read_shadow = false
+
+#
+# Determine whether dbadm can manage
+# generic user files.
+# 
+dbadm_manage_user_files = false
+
+#
+# Determine whether dbadm can read
+# generic user files.
+# 
+dbadm_read_user_files = false
+
+#
+# Determine whether DHCP daemon
+# can use LDAP backends.
+# 
+dhcpd_use_ldap = false
+
+#
+# Determine whether entropyd can use
+# audio devices as the source for
+# the entropy feeds.
+# 
+entropyd_use_audio = false
+
+#
+# Determine whether exim can connect to
+# databases.
+# 
+exim_can_connect_db = false
+
+#
+# Determine whether exim can read generic
+# user content files.
+# 
+exim_read_user_files = false
+
+#
+# Determine whether exim can create,
+# read, write, and delete generic user
+# content files.
+# 
+exim_manage_user_files = false
+
+#
+# Determine whether ftpd can modify
+# public files used for public file
+# transfer services. Directories/Files must
+# be labeled public_content_rw_t.
+# 
+allow_ftpd_anon_write = false
+
+#
+# Determine whether ftpd can login to
+# local users and can read and write
+# all files on the system, governed by DAC.
+# 
+allow_ftpd_full_access = false
+
+#
+# Determine whether ftpd can use CIFS
+# used for public file transfer services.
+# 
+allow_ftpd_use_cifs = false
+
+#
+# Determine whether ftpd can use NFS
+# used for public file transfer services.
+# 
+allow_ftpd_use_nfs = false
+
+#
+# Determine whether ftpd can connect to
+# databases over the TCP network.
+# 
+ftpd_connect_db = false
+
+#
+# Determine whether ftpd can bind to all
+# unreserved ports for passive mode.
+# 
+ftpd_use_passive_mode = false
+
+#
+# Determine whether ftpd can connect to
+# all unreserved ports.
+# 
+ftpd_connect_all_unreserved = false
+
+#
+# Determine whether ftpd can read and write
+# files in user home directories.
+# 
+ftp_home_dir = false
+
+#
+# Determine whether sftpd can modify
+# public files used for public file
+# transfer services. Directories/Files must
+# be labeled public_content_rw_t.
+# 
+sftpd_anon_write = false
+
+#
+# Determine whether sftpd-can read and write
+# files in user home directories.
+# 
+sftpd_enable_homedirs = false
+
+#
+# Determine whether sftpd-can login to
+# local users and read and write all
+# files on the system, governed by DAC.
+# 
+sftpd_full_access = false
+
+#
+# Determine whether sftpd can read and write
+# files in user ssh home directories.
+# 
+sftpd_write_ssh_home = false
+
+#
+# Determine whether Git CGI
+# can search home directories.
+# 
+git_cgi_enable_homedirs = false
+
+#
+# Determine whether Git CGI
+# can access cifs file systems.
+# 
+git_cgi_use_cifs = false
+
+#
+# Determine whether Git CGI
+# can access nfs file systems.
+# 
+git_cgi_use_nfs = false
+
+#
+# Determine whether Git session daemon
+# can bind TCP sockets to all
+# unreserved ports.
+# 
+git_session_bind_all_unreserved_ports = false
+
+#
+# Determine whether calling user domains
+# can execute Git daemon in the
+# git_session_t domain.
+# 
+git_session_users = false
+
+#
+# Determine whether Git session daemons
+# can send syslog messages.
+# 
+git_session_send_syslog_msg = false
+
+#
+# Determine whether Git system daemon
+# can search home directories.
+# 
+git_system_enable_homedirs = false
+
+#
+# Determine whether Git system daemon
+# can access cifs file systems.
+# 
+git_system_use_cifs = false
+
+#
+# Determine whether Git system daemon
+# can access nfs file systems.
+# 
+git_system_use_nfs = false
+
+#
+# Determine whether Gitosis can send mail.
+# 
+gitosis_can_sendmail = false
+
+#
+# Determine whether GPG agent can manage
+# generic user home content files. This is
+# required by the --write-env-file option.
+# 
+gpg_agent_env_file = false
+
+#
+# Determine whether icecast can listen
+# on and connect to any TCP port.
+# 
+icecast_use_any_tcp_ports = false
+
+#
+# Determine whether irc clients can
+# listen on and connect to any
+# unreserved TCP ports.
+# 
+irc_use_any_tcp_ports = false
+
+#
+# Determine whether java can make
+# its stack executable.
+# 
+allow_java_execstack = false
+
+#
+# Determine whether kerberos is supported.
+# 
+allow_kerberos = false
+
+#
+# Determine whether logwatch can connect
+# to mail over the network.
+# 
+logwatch_can_network_connect_mail = false
+
+#
+# Determine whether to support lpd server.
+# 
+use_lpd_server = false
+
+#
+# Determine whether mcelog supports
+# client mode.
+# 
+mcelog_client = false
+
+#
+# Determine whether mcelog can execute scripts.
+# 
+mcelog_exec_scripts = true
+
+#
+# Determine whether mcelog can use all
+# the user ttys.
+# 
+mcelog_foreground = false
+
+#
+# Determine whether mcelog supports
+# server mode.
+# 
+mcelog_server = false
+
+#
+# Determine whether mcelog can use syslog.
+# 
+mcelog_syslog = false
+
+#
+# Determine whether minidlna can read generic user content.
+# 
+minidlna_read_generic_user_content = false
+
+#
+# Determine whether mozilla can
+# make its stack executable.
+# 
+mozilla_execstack = false
+
+#
+# Determine whether mpd can traverse
+# user home directories.
+# 
+mpd_enable_homedirs = false
+
+#
+# Determine whether mpd can use
+# cifs file systems.
+# 
+mpd_use_cifs = false
+
+#
+# Determine whether mpd can use
+# nfs file systems.
+# 
+mpd_use_nfs = false
+
+#
+# Determine whether mplayer can make
+# its stack executable.
+# 
+allow_mplayer_execstack = false
+
+#
+# Determine whether mysqld can
+# connect to all TCP ports.
+# 
+mysql_connect_any = false
+
+#
+# Determine whether confined applications
+# can use nscd shared memory.
+# 
+nscd_use_shm = false
+
+#
+# Determine whether openvpn can
+# read generic user home content files.
+# 
+openvpn_enable_homedirs = false
+
+#
+# Determine whether openvpn can
+# connect to the TCP network.
+# 
+openvpn_can_network_connect = false
+
+#
+# Determine whether Polipo system
+# daemon can access CIFS file systems.
+# 
+polipo_system_use_cifs = false
+
+#
+# Determine whether Polipo system
+# daemon can access NFS file systems.
+# 
+polipo_system_use_nfs = false
+
+#
+# Determine whether calling user domains
+# can execute Polipo daemon in the
+# polipo_session_t domain.
+# 
+polipo_session_users = false
+
+#
+# Determine whether Polipo session daemon
+# can send syslog messages.
+# 
+polipo_session_send_syslog_msg = false
+
+#
+# Determine whether portage can
+# use nfs filesystems.
+# 
+portage_use_nfs = false
+
+#
+# Determine whether postfix local
+# can manage mail spool content.
+# 
+postfix_local_write_mail_spool = true
+
+#
+# Determine whether pppd can
+# load kernel modules.
+# 
+pppd_can_insmod = false
+
+#
+# Determine whether common users can
+# run pppd with a domain transition.
+# 
+pppd_for_user = false
+
+#
+# Determine whether privoxy can
+# connect to all tcp ports.
+# 
+privoxy_connect_any = false
+
+#
+# Determine whether puppet can
+# manage all non-security files.
+# 
+puppet_manage_all_files = false
+
+#
+# Determine whether qemu has full
+# access to the network.
+# 
+qemu_full_network = false
+
+#
+# Determine whether rgmanager can
+# connect to the network using TCP.
+# 
+rgmanager_can_network_connect = false
+
+#
+# Determine whether fenced can
+# connect to the TCP network.
+# 
+fenced_can_network_connect = false
+
+#
+# Determine whether fenced can use ssh.
+# 
+fenced_can_ssh = false
+
+#
+# Determine whether gssd can read
+# generic user temporary content.
+# 
+allow_gssd_read_tmp = false
+
+#
+# Determine whether gssd can write
+# generic user temporary content.
+# 
+allow_gssd_write_tmp = false
+
+#
+# Determine whether nfs can modify
+# public files used for public file
+# transfer services. Directories/Files must
+# be labeled public_content_rw_t.
+# 
+allow_nfsd_anon_write = false
+
+#
+# Determine whether rsync can use
+# cifs file systems.
+# 
+rsync_use_cifs = false
+
+#
+# Determine whether rsync can
+# use fuse file systems.
+# 
+rsync_use_fusefs = false
+
+#
+# Determine whether rsync can use
+# nfs file systems.
+# 
+rsync_use_nfs = false
+
+#
+# Determine whether rsync can
+# run as a client
+# 
+rsync_client = false
+
+#
+# Determine whether rsync can
+# export all content read only.
+# 
+rsync_export_all_ro = false
+
+#
+# Determine whether rsync can modify
+# public files used for public file
+# transfer services. Directories/Files must
+# be labeled public_content_rw_t.
+# 
+allow_rsync_anon_write = false
+
+#
+# Determine whether samba can modify
+# public files used for public file
+# transfer services. Directories/Files must
+# be labeled public_content_rw_t.
+# 
+allow_smbd_anon_write = false
+
+#
+# Determine whether samba can
+# create home directories via pam.
+# 
+samba_create_home_dirs = false
+
+#
+# Determine whether samba can act as the
+# domain controller, add users, groups
+# and change passwords.
+# 
+samba_domain_controller = false
+
+#
+# Determine whether samba can
+# act as a portmapper.
+# 
+samba_portmapper = false
+
+#
+# Determine whether samba can share
+# users home directories.
+# 
+samba_enable_home_dirs = false
+
+#
+# Determine whether samba can share
+# any content read only.
+# 
+samba_export_all_ro = false
+
+#
+# Determine whether samba can share any
+# content readable and writable.
+# 
+samba_export_all_rw = false
+
+#
+# Determine whether samba can
+# run unconfined scripts.
+# 
+samba_run_unconfined = false
+
+#
+# Determine whether samba can
+# use nfs file systems.
+# 
+samba_share_nfs = false
+
+#
+# Determine whether samba can
+# use fuse file systems.
+# 
+samba_share_fusefs = false
+
+#
+# Determine whether sanlock can use
+# nfs file systems.
+# 
+sanlock_use_nfs = false
+
+#
+# Determine whether sanlock can use
+# cifs file systems.
+# 
+sanlock_use_samba = false
+
+#
+# Determine whether sasl can
+# read shadow files.
+# 
+allow_saslauthd_read_shadow = false
+
+#
+# Determine whether smartmon can support
+# devices on 3ware controllers.
+# 
+smartmon_3ware = false
+
+#
+# Determine whether spamassassin
+# clients can use the network.
+# 
+spamassassin_can_network = false
+
+#
+# Determine whether spamd can manage
+# generic user home content.
+# 
+spamd_enable_home_dirs = false
+
+#
+# Determine whether squid can
+# connect to all TCP ports.
+# 
+squid_connect_any = false
+
+#
+# Determine whether squid can run
+# as a transparent proxy.
+# 
+squid_use_tproxy = false
+
+#
+# Determine whether telepathy connection
+# managers can connect to generic tcp ports.
+# 
+telepathy_tcp_connect_generic_network_ports = false
+
+#
+# Determine whether telepathy connection
+# managers can connect to any port.
+# 
+telepathy_connect_all_ports = false
+
+#
+# Determine whether tftp can modify
+# public files used for public file
+# transfer services. Directories/Files must
+# be labeled public_content_rw_t.
+# 
+tftp_anon_write = false
+
+#
+# Determine whether tftp can manage
+# generic user home content.
+# 
+tftp_enable_homedir = false
+
+#
+# Determine whether tor can bind
+# tcp sockets to all unreserved ports.
+# 
+tor_bind_all_unreserved_ports = false
+
+#
+# Determine whether varnishd can
+# use the full TCP network.
+# 
+varnishd_connect_any = false
+
+#
+# Determine whether attempts by
+# vbetool to mmap low regions should
+# be silently blocked.
+# 
+vbetool_mmap_zero_ignore = false
+
+#
+# Determine whether confined virtual guests
+# can use serial/parallel communication ports.
+# 
+virt_use_comm = false
+
+#
+# Determine whether confined virtual guests
+# can use executable memory and can make
+# their stack executable.
+# 
+virt_use_execmem = false
+
+#
+# Determine whether confined virtual guests
+# can use fuse file systems.
+# 
+virt_use_fusefs = false
+
+#
+# Determine whether confined virtual guests
+# can use nfs file systems.
+# 
+virt_use_nfs = false
+
+#
+# Determine whether confined virtual guests
+# can use cifs file systems.
+# 
+virt_use_samba = false
+
+#
+# Determine whether confined virtual guests
+# can manage device configuration.
+# 
+virt_use_sysfs = false
+
+#
+# Determine whether confined virtual guests
+# can use usb devices.
+# 
+virt_use_usb = false
+
+#
+# Determine whether confined virtual guests
+# can interact with xserver.
+# 
+virt_use_xserver = false
+
+#
+# Determine whether confined virtual guests
+# can use vfio for pci device pass through (vt-d).
+# 
+virt_use_vfio = false
+
+#
+# Determine whether webadm can
+# manage generic user files.
+# 
+webadm_manage_user_files = false
+
+#
+# Determine whether webadm can
+# read generic user files.
+# 
+webadm_read_user_files = false
+
+#
+# Determine whether attempts by
+# wine to mmap low regions should
+# be silently blocked.
+# 
+wine_mmap_zero_ignore = false
+
+#
+# Determine whether xend can
+# run blktapctrl and tapdisk.
+# 
+xend_run_blktap = false
+
+#
+# Determine whether xen can
+# use fusefs file systems.
+# 
+xen_use_fusefs = false
+
+#
+# Determine whether xen can
+# use nfs file systems.
+# 
+xen_use_nfs = false
+
+#
+# Determine whether xen can
+# use samba file systems.
+# 
+xen_use_samba = false
+
+#
+# Determine whether xguest can
+# mount removable media.
+# 
+xguest_mount_media = false
+
+#
+# Determine whether xguest can
+# configure network manager.
+# 
+xguest_connect_network = false
+
+#
+# Determine whether xguest can
+# use blue tooth devices.
+# 
+xguest_use_bluetooth = false
+
+#
+# Determine whether zabbix can
+# connect to all TCP ports
+# 
+zabbix_can_network = false
+
+#
+# Determine whether zebra daemon can
+# manage its configuration files.
+# 
+allow_zebra_write_config = false
+
+#
+# Control the ability to mmap a low area of the address space,
+# as configured by /proc/sys/kernel/mmap_min_addr.
+# 
+mmap_low_allowed = false
+
+#
+# Allow sysadm to debug or ptrace all processes.
+# 
+allow_ptrace = false
+
+#
+# Allow unprived users to execute DDL statement
+# 
+sepgsql_enable_users_ddl = false
+
+#
+# Allow transmit client label to foreign database
+# 
+sepgsql_transmit_client_label = false
+
+#
+# Allow database admins to execute DML statement
+# 
+sepgsql_unconfined_dbadm = false
+
+#
+# allow host key based authentication
+# 
+allow_ssh_keysign = false
+
+#
+# Allow ssh logins as sysadm_r:sysadm_t
+# 
+ssh_sysadm_login = false
+
+#
+# Allow ssh to use gpg-agent
+# 
+ssh_use_gpg_agent = false
+
+#
+# Allows clients to write to the X server shared
+# memory segments.
+# 
+allow_write_xshm = false
+
+#
+# Allow xdm logins as sysadm
+# 
+xdm_sysadm_login = false
+
+#
+# Support X userspace object manager
+# 
+xserver_object_manager = false
+
+#
+# Allow users to resolve user passwd entries directly from ldap rather then using a sssd server
+# 
+authlogin_nsswitch_use_ldap = false
+
+#
+# Enable support for upstart as the init program.
+# 
+init_upstart = false
+
+#
+# Allow racoon to read shadow
+# 
+racoon_read_shadow = false
+
+#
+# Allow the mount command to mount any directory or file.
+# 
+allow_mount_anyfile = false
+
+#
+# Enable support for systemd-tmpfiles to manage all non-security files.
+# 
+systemd_tmpfiles_manage_all = false
+
+#
+# Allow users to connect to mysql
+# 
+allow_user_mysql_connect = false
+
+#
+# Allow users to connect to PostgreSQL
+# 
+allow_user_postgresql_connect = false
+
+#
+# Allow regular users direct mouse access
+# 
+user_direct_mouse = false
+
+#
+# Allow users to read system messages.
+# 
+user_dmesg = false
+
+#
+# Allow user to r/w files on filesystems
+# that do not have extended attributes (FAT, CDROM, FLOPPY)
+# 
+user_rw_noexattrfile = false
+
+#
+# Allow w to display everyone
+# 
+user_ttyfile_stat = false
+
+#
+# Allow unconfined executables to make their heap memory executable.  Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
+# 
+allow_execheap = false
+
+#
+# Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
+# 
+allow_execmem = false
+
+#
+# Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
+# 
+allow_execmod = false
+
+#
+# Allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
+# 
+allow_execstack = false
+
+#
+# Enable polyinstantiated directory support.
+# 
+allow_polyinstantiation = false
+
+#
+# Allow system to run with NIS
+# 
+allow_ypbind = false
+
+#
+# Allow logging in and using the system from /dev/console.
+# 
+console_login = true
+
+#
+# Enable reading of urandom for all domains.
+# 
+# 
+# 
+# 
+# This should be enabled when all programs
+# are compiled with ProPolice/SSP
+# stack smashing protection.  All domains will
+# be allowed to read from /dev/urandom.
+# 
+global_ssp = false
+
+#
+# Allow email client to various content.
+# nfs, samba, removable devices, and user temp
+# files
+# 
+mail_read_content = false
+
+#
+# Allow any files/directories to be exported read/write via NFS.
+# 
+nfs_export_all_rw = false
+
+#
+# Allow any files/directories to be exported read/only via NFS.
+# 
+nfs_export_all_ro = false
+
+#
+# Support NFS home directories
+# 
+use_nfs_home_dirs = false
+
+#
+# Support SAMBA home directories
+# 
+use_samba_home_dirs = false
+
+#
+# Allow users to run TCP servers (bind to ports and accept connection from
+# the same domain and outside users)  disabling this forces FTP passive mode
+# and may change other protocols.
+# 
+user_tcp_server = false
+
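Review bot: three descriptions end in a stray `")` that was pasted in from somewhere else: the `allow_execmem`, `allow_execmod` and `allow_execstack` comments (`... reported in bugzilla")`, `... not labeled textrel_shlib_t")`); drop the `")`, and the "report it in bugzilla" wording refers to a distribution tracker that does not apply to a Buildroot target. Smaller points in the same hunk: every `# ` separator line carries trailing whitespace, `rather then` under `authlogin_nsswitch_use_ldap` should read `rather than`, and the `global_ssp` description has three empty `# ` lines in the middle of it. The defaults themselves look right for a hardened image (all `allow_exec*`, `*_anon_write` and `*_read_shadow` booleans are off); the three that default to `true` (`mcelog_exec_scripts`, `postfix_local_write_mail_spool`, `console_login`) deserve a one-line justification each, since anyone auditing the file will grep for `= true` and stop at them.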
diff --git a/package/refpolicy/config b/package/refpolicy/config
new file mode 100644
index 0000000..5eee807
--- /dev/null
+++ b/package/refpolicy/config
@@ -0,0 +1,8 @@
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+#     enforcing - SELinux security policy is enforced.
+#     permissive - SELinux prints warnings instead of enforcing.
+#     disabled - No SELinux policy is loaded.
+SELINUX=permissive
+# SELINUXTYPE= name of the selinux policy to use
+SELINUXTYPE=refpolicy
diff --git a/package/refpolicy/modules.conf b/package/refpolicy/modules.conf
new file mode 100644
index 0000000..2304dc4
--- /dev/null
+++ b/package/refpolicy/modules.conf
@@ -0,0 +1,430 @@
+#
+# This file contains a listing of available modules.
+# To prevent a module from  being used in policy
+# creation, set the module name to "off".
+#
+# For monolithic policies, modules set to "base" and "module"
+# will be built into the policy.
+#
+# For modular policies, modules set to "base" will be
+# included in the base module.  "module" will be compiled
+# as individual loadable modules.
+#
+
+# Layer: kernel
+# Module: corecommands
+# Required in base
+#
+# Core policy for shells, and generic programs
+# in /bin, /sbin, /usr/bin, and /usr/sbin.
+#
+corecommands = base
+
+# Layer: kernel
+# Module: corenetwork
+# Required in base
+#
+# Policy controlling access to network objects
+#
+corenetwork = base
+
+# Layer: kernel
+# Module: devices
+# Required in base
+#
+# Device nodes and interfaces for many basic system devices.
+#
+devices = base
+
+# Layer: kernel
+# Module: domain
+# Required in base
+#
+# Core policy for domains.
+#
+domain = base
+
+# Layer: kernel
+# Module: files
+# Required in base
+#
+# Basic filesystem types and interfaces.
+#
+files = base
+
+# Layer: kernel
+# Module: alsa
+# Required in base
+#
+# alsa types and interfaces.
+#
+alsa = base
+
+# Layer: kernel
+# Module: mta
+# Required in base
+#
+# mta types and interfaces.
+#
+mta = base
+
+# Layer: kernel
+# Module: apache
+# Required in base
+#
+# apache types and interfaces.
+#
+apache = base
+
+# Layer: kernel
+# Module: filesystem
+# Required in base
+#
+# Policy for filesystems.
+#
+filesystem = base
+
+# Layer: kernel
+# Module: kernel
+# Required in base
+#
+# Policy for kernel threads, proc filesystem,
+# and unlabeled processes and objects.
+#
+kernel = base
+
+# Layer: kernel
+# Module: mcs
+# Required in base
+#
+# Multicategory security policy
+#
+mcs = base
+
+# Layer: kernel
+# Module: mls
+# Required in base
+#
+# Multilevel security policy
+#
+mls = base
+
+# Layer: kernel
+# Module: selinux
+# Required in base
+#
+# Policy for kernel security interface, in particular, selinuxfs.
+#
+selinux = base
+
+# Layer: kernel
+# Module: terminal
+# Required in base
+#
+# Policy for terminals.
+#
+terminal = base
+
+# Layer: kernel
+# Module: ubac
+# Required in base
+#
+# User-based access control policy
+#
+ubac = base
+
+# Layer: admin
+# Module: bootloader
+#
+# Policy for the kernel modules, kernel image, and bootloader.
+#
+bootloader = module
+
+# Layer: admin
+# Module: consoletype
+#
+# Determine of the console connected to the controlling terminal.
+#
+consoletype = module
+
+# Layer: admin
+# Module: dmesg
+#
+# Policy for dmesg.
+#
+dmesg = module
+
+# Layer: admin
+# Module: netutils
+#
+# Network analysis utilities
+#
+netutils = module
+
+# Layer: admin
+# Module: su
+#
+# Run shells with substitute user and group
+#
+su = module
+
+# Layer: admin
+# Module: sudo
+#
+# Execute a command with a substitute user
+#
+sudo = module
+
+# Layer: admin
+# Module: usermanage
+#
+# Policy for managing user accounts.
+#
+usermanage = module
+
+# Layer: apps
+# Module: seunshare
+#
+# Filesystem namespacing/polyinstantiation application.
+#
+seunshare = module
+
+# Layer: kernel
+# Module: storage
+#
+# Policy controlling access to storage devices
+#
+storage = module
+
+# Layer: roles
+# Module: auditadm
+#
+# Audit administrator role
+#
+auditadm = module
+
+# Layer: roles
+# Module: logadm
+#
+# Log administrator role
+#
+logadm = module
+
+# Layer: roles
+# Module: secadm
+#
+# Security administrator role
+#
+secadm = module
+
+# Layer: roles
+# Module: staff
+#
+# Administrator's unprivileged user role
+#
+staff = module
+
+# Layer: roles
+# Module: sysadm
+#
+# General system administration role
+#
+sysadm = module
+
+# Layer: roles
+# Module: unprivuser
+#
+# Generic unprivileged user role
+#
+unprivuser = module
+
+# Layer: services
+# Module: postgresql
+#
+# PostgreSQL relational database
+#
+postgresql = module
+
+# Layer: services
+# Module: ssh
+#
+# Secure shell client and server policy.
+#
+ssh = module
+
+# Layer: services
+# Module: xserver
+#
+# X Windows Server
+#
+xserver = module
+
+# Layer: system
+# Module: application
+#
+# Policy for user executable applications.
+#
+application = module
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+#
+authlogin = module
+
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+#
+clock = module
+
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+#
+fstools = module
+
+# Layer: system
+# Module: getty
+#
+# Policy for getty.
+#
+getty = module
+
+# Layer: system
+# Module: hostname
+#
+# Policy for changing the system host name.
+#
+hostname = module
+
+# Layer: system
+# Module: hotplug
+#
+# Policy for hotplug system, for supporting the
+# connection and disconnection of devices at runtime.
+#
+hotplug = module
+
+# Layer: system
+# Module: init
+#
+# System initialization programs (init and init scripts).
+#
+init = module
+
+# Layer: system
+# Module: ipsec
+#
+# TCP/IP encryption
+#
+ipsec = module
+
+# Layer: system
+# Module: iptables
+#
+# Policy for iptables.
+#
+iptables = module
+
+# Layer: system
+# Module: libraries
+#
+# Policy for system libraries.
+#
+libraries = module
+
+# Layer: system
+# Module: locallogin
+#
+# Policy for local logins.
+#
+locallogin = module
+
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+#
+logging = module
+
+# Layer: system
+# Module: lvm
+#
+# Policy for logical volume management programs.
+#
+lvm = module
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+#
+miscfiles = module
+
+# Layer: system
+# Module: modutils
+#
+# Policy for kernel module utilities
+#
+modutils = module
+
+# Layer: system
+# Module: mount
+#
+# Policy for mount.
+#
+mount = module
+
+# Layer: system
+# Module: netlabel
+#
+# NetLabel/CIPSO labeled networking management
+#
+netlabel = module
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+#
+selinuxutil = module
+
+# Layer: system
+# Module: setrans
+#
+# SELinux MLS/MCS label translation service.
+#
+setrans = module
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+#
+sysnetwork = module
+
+# Layer: system
+# Module: udev
+#
+# Policy for udev.
+#
+udev = module
+
+# Layer: system
+# Module: unconfined
+#
+# The unconfined domain.
+#
+unconfined = module
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+#
+userdomain = module
+
diff --git a/package/refpolicy/refpolicy.hash b/package/refpolicy/refpolicy.hash
new file mode 100644
index 0000000..c10de45
--- /dev/null
+++ b/package/refpolicy/refpolicy.hash
@@ -0,0 +1,2 @@
+#From https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease
+sha256 2dd2f45a7132137afe8302805c3b7839739759b9ab73dd1815c01afe34ac99de  refpolicy-2.20151208.tar.bz2
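Review bot: this hash has nothing to be checked against. refpolicy.mk below fetches with `REFPOLICY_SITE_METHOD = git` from tag `RELEASE_2_20151208`, so the download is a git checkout, while the entry here names `refpolicy-2.20151208.tar.bz2`, a release tarball the build never retrieves. Either switch the .mk to the release tarball so this sha256 actually guards what is downloaded, or drop the .hash file; as written it suggests a verified download that is not happening. Nit: `#From` wants a space after `#`.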
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
new file mode 100644
index 0000000..3622b6e
--- /dev/null
+++ b/package/refpolicy/refpolicy.mk
@@ -0,0 +1,111 @@
+################################################################################
+#
+# refpolicy
+#
+################################################################################
+
+REFPOLICY_VERSION = RELEASE_2_20151208
+REFPOLICY_SITE = https://github.com/TresysTechnology/refpolicy.git
+REFPOLICY_SITE_METHOD = git
+REFPOLICY_GIT_SUBMODULES = y
+REFPOLICY_LICENSE = GPLv2
+REFPOLICY_LICENSE_FILES = COPYING
+
+# Cannot use multiple threads to build the reference policy
+REFPOLICY_MAKE = $(TARGET_MAKE_ENV) $(MAKE1)
+
+REFPOLICY_DEPENDENCIES += host-m4 host-checkpolicy host-policycoreutils \
+	host-setools host-gawk host-python policycoreutils
+
+REFPOLICY_INSTALL_STAGING = YES
+
+
+# To apply board specific customizations, create a refpolicy folder in
+# BR2_GLOBAL_PATCH_DIR.  These patches will be applied after the patches
+# in package/refpolicy
+
+# Passing the HOST_CONFIGURE_OPTS to the target build because all of the
+# build utilities are expected to be on system. This fools the make files
+# into using the host built utilities to compile the SELinux policy for
+# the target.
+#
+# Note, the TEST_TOOLCHAIN option will also set the
+# LD_LIBRARY_PATH at run time.
+REFPOLICY_MAKE_OPTS = $(HOST_CONFIGURE_OPTS) \
+	TEST_TOOLCHAIN="$(HOST_DIR)"
+
+# Build requires python2 to run
+REFPOLICY_MAKE_ENV = \
+	PYTHON="$(HOST_DIR)/usr/bin/python2" \
+	AWK="$(HOST_DIR)/usr/bin/gawk" \
+	M4="$(HOST_DIR)/usr/bin/m4"
+
+
+ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)
+REFPOLICY_MONOLITHIC = n
+else
+REFPOLICY_MONOLITHIC = y
+endif
+
+REFPOLICY_MODULES_FILE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_MODULES_FILE))
+define REFPOLICY_CUSTOM_MODULES_CONF
+	cp $(REFPOLICY_MODULES_FILE) $(@D)/policy/modules.conf
+endef
+
+REFPOLICY_BOOLEAN_FILE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_BOOLEAN_FILE))
+define REFPOLICY_CUSTOM_BOOLEAN_CONF
+	cp $(REFPOLICY_BOOLEAN_FILE) $(@D)/policy/booleans.conf
+endef
+
+define REFPOLICY_CONFIGURE_CMDS
+	# If an external repo is used to build refpolicy, this preserves the
+	# custom modules.conf which defines the enabled components.
+	if [ -f $(@D)/policy/modules.conf ]; then \
+		mv $(@D)/policy/modules.conf $(@D)/modules.conf.bk ; \
+	fi
+	$(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) bare \
+		$(REFPOLICY_MAKE_OPTS) DESTDIR=$(STAGING_DIR)
+	$(SED) "/TYPE/c\TYPE = $(BR2_PACKAGE_REFPOLICY_TYPE)" $(@D)/build.conf
+	$(SED) "/MONOLITHIC/c\MONOLITHIC = $(REFPOLICY_MONOLITHIC)" $(@D)/build.conf
+	$(SED) "/NAME/c\NAME = $(BR2_PACKAGE_REFPOLICY_NAME)" $(@D)/build.conf
+
+	$(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) conf \
+		$(REFPOLICY_MAKE_OPTS) DESTDIR=$(STAGING_DIR)
+	if [ -f $(@D)/modules.conf.bk ]; then \
+		echo "[Preserved modules.conf]" ; \
+		mv $(@D)/modules.conf.bk $(@D)/policy/modules.conf ; \
+	fi
+	$(REFPOLICY_CUSTOM_MODULES_CONF)
+	$(REFPOLICY_CUSTOM_BOOLEAN_CONF)
+endef
+
+define REFPOLICY_INSTALL_STAGING_CMDS
+	$(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) install-src install-headers \
+		install-docs $(REFPOLICY_MAKE_OPTS) DESTDIR=$(STAGING_DIR)
+endef
+
+define REFPOLICY_INSTALL_TARGET_CMDS
+	$(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) install \
+		$(REFPOLICY_MAKE_OPTS) DESTDIR=$(TARGET_DIR)
+	$(INSTALL) -m 0755 -D package/refpolicy/config $(TARGET_DIR)/etc/selinux/config
+	$(SED) "/^SELINUXTYPE/c\SELINUXTYPE=$(BR2_PACKAGE_REFPOLICY_NAME)" \
+		$(TARGET_DIR)/etc/selinux/config
+	$(SED) "/^SELINUX=/c\SELINUX=$(BR2_PACKAGE_REFPOLICY_STATE)" \
+		$(TARGET_DIR)/etc/selinux/config
+	touch $(TARGET_DIR)/.autorelabel
+	$(RM) $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/booleans
+endef
+
+define REFPOLICY_INSTALL_INIT_SYSV
+	$(INSTALL) -m 0755 -D package/refpolicy/S00selinux \
+		$(TARGET_DIR)/etc/init.d/S00selinux
+endef
+
+ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)
+$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/policy
+$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/modules/active/modules
+$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/contexts/files
+touch $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/contexts/files/file_contexts.local
+endif
+
+$(eval $(generic-package))
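Review bot: the `ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)` block just before `$(eval ...)` runs `$(INSTALL) -d ...` and `touch ...` as bare make-level lines outside any `define`; make will reject them as a missing separator (or, at best, never execute them), so move them into `REFPOLICY_INSTALL_TARGET_CMDS`. `REFPOLICY_CUSTOM_MODULES_CONF` and `REFPOLICY_CUSTOM_BOOLEAN_CONF` are called unconditionally from `REFPOLICY_CONFIGURE_CMDS`; when `BR2_PACKAGE_REFPOLICY_MODULES_FILE` or `BR2_PACKAGE_REFPOLICY_BOOLEAN_FILE` is empty the `cp` has a single operand and the configure step fails, so wrap each define in `ifneq ($(REFPOLICY_MODULES_FILE),)` / `ifneq ($(REFPOLICY_BOOLEAN_FILE),)`. `package/refpolicy/config` is a text file but is installed with `-m 0755`; use `0644`. Lastly, `touch $(TARGET_DIR)/.autorelabel` forces a full filesystem relabel on first boot; that is the right thing to do, but it deserves a comment since it is what makes the first boot noticeably slower.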
-- 
1.9.1

* [Buildroot] [PATCH v13 3/8] linux-pam: add system auth file and host variant
From: Bryce Ferguson @ 2016-10-25 19:26 UTC (permalink / raw)
  To: buildroot

From: Niranjan <niranjan.reddy@rockwellcollins.com>

This patch creates system-auth.pamd file for pam services
and adds host-linux-pam variant for creating pam.d files.

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Reviewed-by: Samuel Martin <s.martin49@gmail.com>
Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>

---
Changes v12 -> v13:
  - No changes

Changes v11 -> v12:
  - No changes

Changes v10 -> v11:
  - Added host-linux-pam variant as it is the dependency for creating pam_conv1 files.
  - Removed semicolon at the end of if condition (after fi).
  - Merged system auth patch with host selinux dependencies patch

Changes v9 -> v10:
  - Dropped host linux-pam variant, optional selinux and audit dependencies and created separate
    patches (Suggested by Thomas).

Changes v8 -> v9:
  - No changes

Changes v7 -> v8:
  - Removed sub-shell around the config file install block and
    refactored the block to use absolute paths for the copying
    (Suggested by Samuel)
  - Changed the enable-db=no configure option to disable-db to be
    consistent with the rest of the configure options (Suggested by
    Samuel)

Changes v6 -> v7:
  - Added missing host-pkgconf dependency and removed unneeded
    host-autoconf dependency (Clayton S.)

Changes v5 -> v6:
  - No changes

Changes v4 -> v5:
  - Dropping unneeded patch (Clayton S.)

Changes v1 -> v4:
  - Did not exist
---
 package/linux-pam/linux-pam.mk     | 41 +++++++++++++++++++++++++++++++++++++-
 package/linux-pam/system-auth.pamd | 15 ++++++++++++++
 2 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 package/linux-pam/system-auth.pamd

diff --git a/package/linux-pam/linux-pam.mk b/package/linux-pam/linux-pam.mk
index 6ce3839..57c2be2 100644
--- a/package/linux-pam/linux-pam.mk
+++ b/package/linux-pam/linux-pam.mk
@@ -8,15 +8,18 @@ LINUX_PAM_VERSION = 1.3.0
 LINUX_PAM_SOURCE = Linux-PAM-$(LINUX_PAM_VERSION).tar.bz2
 LINUX_PAM_SITE = http://linux-pam.org/library
 LINUX_PAM_INSTALL_STAGING = YES
+# disable cracklib in linux pam config options
 LINUX_PAM_CONF_OPTS = \
 	--disable-prelude \
 	--disable-isadir \
 	--disable-nis \
 	--disable-db \
+	--disable-cracklib \
 	--disable-regenerate-docu \
 	--enable-securedir=/lib/security \
 	--libdir=/lib
-LINUX_PAM_DEPENDENCIES = flex host-flex host-pkgconf
+# host-linux-pam is needed for creating pam conf files
+LINUX_PAM_DEPENDENCIES = flex host-flex host-pkgconf host-linux-pam
 LINUX_PAM_AUTORECONF = YES
 LINUX_PAM_LICENSE = BSD-3c
 LINUX_PAM_LICENSE_FILES = Copyright
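Review bot: the comment `disable cracklib in linux pam config options` only restates the flag beneath it. The consequence is the useful part: together with the commented-out `pam_cracklib.so` line in the new system-auth.pamd, `--disable-cracklib` means the target applies no password-quality check at all, so say that explicitly (and whether it is meant to be a Kconfig option later).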
@@ -48,6 +51,42 @@ define LINUX_PAM_INSTALL_CONFIG
 		$(TARGET_DIR)/etc/pam.d/other
 endef
 
+# Use the host-pam pam_conv1 app to create the pam.d files
+define LINUX_PAM_CONFIG_FILE_TARGET_INSTALL
+	if [ -d $(TARGET_DIR)/etc/pam.d/ ]; then \
+		mv $(TARGET_DIR)/etc/pam.d/ $(TARGET_DIR)/etc/pam.d.orig/; \
+	fi
+	cd $(TARGET_DIR)/etc/ && cat $(@D)/conf/pam.conf | $(HOST_DIR)/usr/bin/pam_conv1; \
+	if [ -d $(TARGET_DIR)/etc/pam.d.orig ]; then \
+		cp -a $(TARGET_DIR)/etc/pam.d/* $(TARGET_DIR)/etc/pam.d.orig/; \
+		rm -rf $(TARGET_DIR)/etc/pam.d/; \
+		mv $(TARGET_DIR)/etc/pam.d.orig/ $(TARGET_DIR)/etc/pam.d/; \
+	fi
+	$(INSTALL) -D -m 0644 package/linux-pam/system-auth.pamd $(TARGET_DIR)/etc/pam.d/system-auth
+endef
+
+LINUX_PAM_POST_INSTALL_TARGET_HOOKS += LINUX_PAM_CONFIG_FILE_TARGET_INSTALL
 LINUX_PAM_POST_INSTALL_TARGET_HOOKS += LINUX_PAM_INSTALL_CONFIG
 
+HOST_LINUX_PAM_DEPENDENCIES = host-flex host-pkgconf
+
+HOST_LINUX_PAM_CONF_OPTS = \
+	--disable-rpath \
+	--enable-read-both-confs \
+	--disable-regenerate-docu \
+	--disable-isadir \
+	--disable-nis \
+	--enable-securedir=/lib/security \
+	--disable-prelude \
+	--disable-cracklib \
+	--disable-lckpwdf \
+	--disable-db \
+	--disable-selinux \
+	--disable-audit \
+
+define HOST_LINUX_PAM_INSTALL_CMDS
+	$(INSTALL) -D -m 755 $(@D)/conf/pam_conv1/pam_conv1 $(HOST_DIR)/usr/bin/pam_conv1
+endef
+
 $(eval $(autotools-package))
+$(eval $(host-autotools-package))
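Review bot: the backup logic in `LINUX_PAM_CONFIG_FILE_TARGET_INSTALL` does the opposite of preserving: it moves an existing `pam.d` to `pam.d.orig`, generates a fresh `pam.d` from `$(@D)/conf/pam.conf` with `pam_conv1`, then `cp -a`'s the generated files *over* the saved originals, so any `login`, `su-l` or similar file another package installed earlier is silently replaced by the upstream sample configuration. Copy in the other direction (saved originals over generated output), or skip names that already exist. Two smaller things: `cd $(TARGET_DIR)/etc/ && cat ... | $(HOST_DIR)/usr/bin/pam_conv1; \` ends in `; \`, so the following `if` runs in the same shell with the cwd changed and a failed `pam_conv1` is ignored; chain with `&&` instead. And `HOST_LINUX_PAM_CONF_OPTS` ends with a trailing `\` after `--disable-audit`, continuing the assignment onto the blank line below it.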
diff --git a/package/linux-pam/system-auth.pamd b/package/linux-pam/system-auth.pamd
new file mode 100644
index 0000000..2fa116a
--- /dev/null
+++ b/package/linux-pam/system-auth.pamd
@@ -0,0 +1,15 @@
+#%PAM-1.0
+auth        required      pam_env.so
+auth        sufficient    pam_unix.so
+auth        required      pam_deny.so
+
+account     required      pam_unix.so
+
+#password    required      pam_cracklib.so try_first_pass retry=3
+password    sufficient    pam_unix.so md5 shadow try_first_pass
+password    required      pam_deny.so
+
+session     optional      pam_keyinit.so revoke
+session     required      pam_limits.so
+session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session     required      pam_unix.so
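Review bot: `password    sufficient    pam_unix.so md5 shadow try_first_pass` hashes every newly set password with MD5-crypt; use `sha512` (optionally with `rounds=`) so an SELinux-hardened image does not ship /etc/shadow entries in a hash that is cheap to brute-force offline. With `pam_cracklib.so` commented out here and cracklib disabled in the build, no length or quality check runs before `pam_unix.so` stores the password; if that is deliberate, say so in the comment. The `auth`, `account` and `session` stacks follow the usual pattern and look fine.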
-- 
1.9.1

* [Buildroot] [PATCH v13 4/8] util-linux: selinux, audit, and pam support
From: Bryce Ferguson @ 2016-10-25 19:26 UTC (permalink / raw)
  To: buildroot

From: Matt Weber <matthew.weber@rockwellcollins.com>

This patch adds optional libselinux, audit and pam support to linux utilities.

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Reviewed-by: Samuel Martin <s.martin49@gmail.com>
Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>

---
Changes v12 -> v13:
  - No changes

Changes v11 -> v12:
  - No changes

Changes v10 -> v11:
  - Comment added to explain how the SED expression writes to pam files.

Changes v9 -> v10:
  - No changes

Changes v8 -> v9:
  - No changes

Changes v7 -> v8:
  - No changes

Changes v6 -> v7:
  - No changes

Changes v5 -> v6:
  - No changes

Changes v4 -> v5:
  - Update the selinux busybox config to the latest version of busybox
    (Clayton S.)

Changes v1 -> v4:
  - Did not exist
---
 package/util-linux/util-linux.mk | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/package/util-linux/util-linux.mk b/package/util-linux/util-linux.mk
index bd6508c..934fe2f 100644
--- a/package/util-linux/util-linux.mk
+++ b/package/util-linux/util-linux.mk
@@ -63,6 +63,20 @@ endif
 UTIL_LINUX_CONF_ENV += LIBS="$(UTIL_LINUX_LIBS)"
 UTIL_LINUX_MAKE_OPTS += LIBS="$(UTIL_LINUX_LIBS)"
 
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+UTIL_LINUX_DEPENDENCIES += libselinux
+UTIL_LINUX_CONF_OPTS += --with-selinux
+else
+UTIL_LINUX_CONF_OPTS += --without-selinux
+endif
+
+ifeq ($(BR2_PACKAGE_AUDIT),y)
+UTIL_LINUX_DEPENDENCIES += audit
+UTIL_LINUX_CONF_OPTS += --with-audit
+else
+UTIL_LINUX_CONF_OPTS += --without-audit
+endif
+
 # Used by cramfs utils
 UTIL_LINUX_DEPENDENCIES += $(if $(BR2_PACKAGE_ZLIB),zlib)
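Review bot: the BR2_PACKAGE_AUDIT block duplicates handling that util-linux.mk already has, since audit is already an optional dependency of this package (Rahul points this out in the thread), so the second `ifeq ($(BR2_PACKAGE_AUDIT),y)` with `--with-audit`/`--without-audit` either repeats or contradicts the existing option. Drop the audit block and keep only the libselinux one; the `--without-selinux` else branch is worth keeping, because it makes the feature deterministic when libselinux happens to be present in the sysroot but not selected.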
 
@@ -179,9 +193,25 @@ define UTIL_LINUX_INSTALL_PAMFILES
 	$(INSTALL) -m 0644 package/util-linux/su.pam \
 		$(TARGET_DIR)/etc/pam.d/su-l
 endef
+
+# Add the required hooks to the pam files if SELinux is enabled
+# SED expression adds these lines to /etc/pam.d/login,/etc/pam.d/su-l and /etc/pam.d/su files
+#   session		required	pam_selinux.so close
+#   session		required	pam_selinux.so open
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+define UTIL_LINUX_FIXUP_PAMFILES
+	for file in login su su-l ; do \
+		$(SED) '/selinux/d' $(TARGET_DIR)/etc/pam.d/$${file}; \
+		$(SED) '0,/session/s/session/session		required	pam_selinux.so close\nsession/' $(TARGET_DIR)/etc/pam.d/$${file}; \
+		echo "session		required	pam_selinux.so open" >> $(TARGET_DIR)/etc/pam.d/$${file}; \
+	done
+endef
+endif
+
 endif
 
 UTIL_LINUX_POST_INSTALL_TARGET_HOOKS += UTIL_LINUX_INSTALL_PAMFILES
+UTIL_LINUX_POST_INSTALL_TARGET_HOOKS += UTIL_LINUX_FIXUP_PAMFILES
 
 # Install agetty->getty symlink to avoid breakage when there's no busybox
 ifeq ($(BR2_PACKAGE_UTIL_LINUX_AGETTY),y)
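Review bot: UTIL_LINUX_FIXUP_PAMFILES is only defined under `ifeq ($(BR2_PACKAGE_LIBSELINUX),y)` but is appended to UTIL_LINUX_POST_INSTALL_TARGET_HOOKS unconditionally; move the `+=` inside the same conditional so the hook list never carries an undefined name. The fixup also rewrites /etc/pam.d/login, which this package does not install (linux-pam does), so the result depends on package ordering and is lost if linux-pam is reinstalled; the pam_selinux lines for login belong in the linux-pam package, as the follow-up patch in this thread does. Finally, `/selinux/d` deletes every line that mentions selinux, comments included, and `0,/session/` is a GNU sed address form; restricting the loop to su and su-l, or shipping su.pam with the two pam_selinux lines behind a comment marker that the build uncomments, would be far easier to read than the current expression.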
-- 
1.9.1


* [Buildroot] [PATCH v13 5/8] busybox: applets as individual binaries
From: Bryce Ferguson @ 2016-10-25 19:26 UTC
  To: buildroot

From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>

The individual binaries option of busybox allows for the applets
that would usually be symlinks to be built as individual applications
that link against a shared library.

This feature is needed for SELinux to allow the applications to run
under the correct SELinux context.

The patch being added allows the individual applications to be
installed and will be upstreamed to the busybox developers.

The initial work for this change was done by Thomas Petazzoni
<thomas.petazzoni@free-electrons.com>.

Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Reviewed-by: Samuel Martin <s.martin49@gmail.com>
Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>
Signed-off-by: Bryce Ferguson <bryce.ferguson@rockwellcollins.com>

---
Changes v12 -> v13:
  - Fixed indentation issue in makedevs.c line:590

Changes v11 -> v12:
  - No changes

Changes v10 -> v11:
  - Removed BUSYBOX_MAKEDEV_PERMISSIONS logic and added all 12 applets to
    BUSYBOX_PERMISSIONS variable.
  - Changed makedevs.c file to ignore optional files with type=F (files which do not exist).

Changes v9 -> v10:
  - Removed 0002-applets-Add-installation-of-individual-binaries.patch as it was upstreamed.

Changes v8 -> v9:
  - No changes

Changes v7 -> v8:
  - Changed individual binaries comment to be !BR2_bfin (Suggested by
    Samuel)

Changes v6 -> v7:
  - No changes

Changes v5 -> v6:
  - No changes

Changes v4 -> v5:
  - Renamed to follow latest patch naming convention (Matt W.)
  - Updated to use BR2_STATIC_LIBS instead of old PREFERRED (Matt W.)
  - Added depends to make sure bfin can't build shared lib
    busybox lib for individual binary use.  Looks like shared
    lib creation doesn't error out but the objects don't get
    placed into the elf.  Then the trylink fails on linking
    the first individual applet. (Matt W.)
  - Made suid permissions setting dynamic for applets actually being
    installed (Clayton S.)

Changes v1 -> v4:
  - Did not exist
---
 package/busybox/Config.in   |  9 +++++++++
 package/busybox/busybox.mk  | 40 ++++++++++++++++++++++++++++++++++++++++
 package/makedevs/makedevs.c |  2 ++
 3 files changed, 51 insertions(+)

diff --git a/package/busybox/Config.in b/package/busybox/Config.in
index 7ef3f0e..d4c85b0 100644
--- a/package/busybox/Config.in
+++ b/package/busybox/Config.in
@@ -54,6 +54,15 @@ config BR2_PACKAGE_BUSYBOX_SELINUX
 	  crond, then individual binaries have to be enabled for the
 	  SELinux type transitions to occur properly.
 
+config BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES
+	bool "Individual binaries"
+	depends on !BR2_STATIC_LIBS
+	depends on !BR2_bfin # libbusybox.so link issue
+
+comment "Busybox individual binaries depends on dynamic libraries"
+	depends on BR2_STATIC_LIBS
+	depends on !BR2_bfin
+
 config BR2_PACKAGE_BUSYBOX_WATCHDOG
 	bool "Install the watchdog daemon startup script"
 	help
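Review bot: the new BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES option has no help text, although the neighbouring BR2_PACKAGE_BUSYBOX_SELINUX help already tells users that individual binaries are required for SELinux type transitions; add a help block saying that applets are installed as separate executables linked against libbusybox.so, that this gives each applet its own file and therefore its own SELinux context, and that /bin/busybox is removed. The comment string also needs a grammar fix: "Busybox individual binaries depends on dynamic libraries" should read "need dynamic libraries" or "depend on".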
diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
index fc23a90..7d14209 100644
--- a/package/busybox/busybox.mk
+++ b/package/busybox/busybox.mk
@@ -54,9 +54,36 @@ BUSYBOX_KCONFIG_FRAGMENT_FILES = $(call qstrip,$(BR2_PACKAGE_BUSYBOX_CONFIG_FRAG
 BUSYBOX_KCONFIG_EDITORS = menuconfig xconfig gconfig
 BUSYBOX_KCONFIG_OPTS = $(BUSYBOX_MAKE_OPTS)
 
+ifeq ($(BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES),y)
+define BUSYBOX_PERMISSIONS
+	/usr/share/udhcpc/default.script f 755  0  0 - - - - -
+# Set permissions on all applets with BB_SUID_REQUIRE and BB_SUID_MAYBE.
+# 12 Applets are pulled from applets.h using grep command :
+#  grep -r -e "APPLET.*BB_SUID_REQUIRE\|APPLET.*BB_SUID_MAYBE" \
+#  $(@D)/include/applets.h 
+#  o/p:  
+#   wall,ping,ping6,crontab,findfs,login,mount,passwd,su,traceroute 
+#   traceroute6 and vlock.
+# These applets are added to the device table and the makedev file
+# ignores the files with type 'F' ( optional files).
+	/usr/bin/wall 			 F 4755 0  0 - - - - -
+	/bin/ping 			 f 4755 0  0 - - - - -
+	/bin/ping6 			 F 4755 0  0 - - - - -
+	/usr/bin/crontab 		 f 4755 0  0 - - - - -
+	/sbin/findfs 			 F 4755 0  0 - - - - -
+	/bin/login 			 F 4755 0  0 - - - - -
+	/bin/mount 			 f 4755 0  0 - - - - -
+	/usr/bin/passwd 		 F 4755 0  0 - - - - -
+	/bin/su 			 F 4755 0  0 - - - - -
+	/usr/bin/traceroute 		 f 4755 0  0 - - - - -
+	/usr/bin/traceroute6 		 F 4755 0  0 - - - - -
+	/usr/bin/vlock 			 F 4755 0  0 - - - - -
+endef
+else
 define BUSYBOX_PERMISSIONS
 	/bin/busybox                     f 4755 0  0 - - - - -
 endef
+endif
 
 # If mdev will be used for device creation enable it and copy S10mdev to /etc/init.d
 ifeq ($(BR2_ROOTFS_DEVICE_CREATION_DYNAMIC_MDEV),y)
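Review bot: the type column of the individual-binaries BUSYBOX_PERMISSIONS table is inconsistent and unexplained: ping, crontab, mount and traceroute use the mandatory `f`, the other eight applets use the optional `F`, so a busybox configuration that disables ping or crontab makes makedevs fail while a disabled passwd is silently skipped. Either mark all twelve entries `F`, which is what the comment above the table describes (applets that may or may not be built), or state why those four are required. The comment block itself also needs tidying: trailing whitespace after `applets.h` and `o/p:`, and "o/p" should be spelled out as "output".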
@@ -164,6 +191,17 @@ define BUSYBOX_SET_SELINUX
 endef
 endif
 
+ifeq ($(BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES),y)
+define BUSYBOX_CONFIGURE_INDIVIDUAL_BINARIES
+	$(call KCONFIG_ENABLE_OPT,CONFIG_BUILD_LIBBUSYBOX,$(BUSYBOX_BUILD_CONFIG))
+	$(call KCONFIG_ENABLE_OPT,CONFIG_FEATURE_INDIVIDUAL,$(BUSYBOX_BUILD_CONFIG))
+endef
+
+define BUSYBOX_INSTALL_INDIVIDUAL_BINARIES
+	rm -f $(TARGET_DIR)/bin/busybox
+endef
+endif
+
 define BUSYBOX_INSTALL_LOGGING_SCRIPT
 	if grep -q CONFIG_SYSLOGD=y $(@D)/.config; then \
 		$(INSTALL) -m 0755 -D package/busybox/S01logging \
@@ -221,6 +259,7 @@ define BUSYBOX_KCONFIG_FIXUP_CMDS
 	$(BUSYBOX_SET_INIT)
 	$(BUSYBOX_SET_WATCHDOG)
 	$(BUSYBOX_SET_SELINUX)
+	$(BUSYBOX_CONFIGURE_INDIVIDUAL_BINARIES)
 	$(BUSYBOX_MUSL_TWEAKS)
 endef
 
@@ -244,6 +283,7 @@ define BUSYBOX_INSTALL_INIT_SYSV
 	$(BUSYBOX_INSTALL_LOGGING_SCRIPT)
 	$(BUSYBOX_INSTALL_WATCHDOG_SCRIPT)
 	$(BUSYBOX_INSTALL_TELNET_SCRIPT)
+	$(BUSYBOX_INSTALL_INDIVIDUAL_BINARIES)
 endef
 
 # Checks to give errors that the user can understand
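Review bot: BUSYBOX_INSTALL_INDIVIDUAL_BINARIES removes /bin/busybox, which has nothing to do with init scripts, yet it is invoked from BUSYBOX_INSTALL_INIT_SYSV next to the S01logging, watchdog and telnet script installers; that ties the removal to the sysv-style init install path. Register it in BUSYBOX_POST_INSTALL_TARGET_HOOKS instead, inside the same `ifeq` that defines it, so it runs whenever individual binaries are enabled regardless of the init system chosen.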
diff --git a/package/makedevs/makedevs.c b/package/makedevs/makedevs.c
index cacb144..0909e2d 100644
--- a/package/makedevs/makedevs.c
+++ b/package/makedevs/makedevs.c
@@ -587,6 +587,8 @@ int main(int argc, char **argv)
 				ret = EXIT_FAILURE;
 				goto loop;
 			}
+		} else if (type == 'F') {
+           continue; /*Ignore optional files*/
 		} else if (type == 'r') {
 			recursive_uid = uid;
 			recursive_gid = gid;
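Review bot: `continue` for type 'F' skips the entry unconditionally, not just when the file is missing, so the 4755 modes listed for the `F` entries in BUSYBOX_PERMISSIONS are never applied even when the applet is installed. Mirror the 'f' branch: stat the file, and only when it does not exist leave the entry, using `goto loop` as the existing branch does rather than `continue`, which bypasses whatever follows the `loop:` label. The two added lines are also indented with spaces while the surrounding code uses tabs, and the comment should read `/* Ignore optional files */`.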
-- 
1.9.1


* [Buildroot] [PATCH v13 6/8] qemu x86 selinux: base br defconfig
From: Bryce Ferguson @ 2016-10-25 19:26 UTC
  To: buildroot

From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>

This will build a base SELinux system that boots with SELinux
in permissive mode. Also adding documentation on how to use it.

Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>
Signed-off-by: Bryce Ferguson <bryce.ferguson@rockwellcollins.com>

---
Changes v12 -> v13:
  - Bump kernel to 4.8
  - Fixed error in fragment config line: 6 (ONFIG_EXT2_FS -> CONFIG_EXT2_FS)

Changes v11 -> v12:
  - Bump kernel to 4.6
  - Renamed fragment config to be 4.x vs 4.0

Changes v10 -> v11:
  - Removed configs BR2_ROOTFS_XXX (post build script, device table and overlay) from this patch
    and added these configs to another patch (common-selinux-support-files.patch)
  - Included configuration BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES in defconfig.

Changes v9 -> v10:
  - Changed version number of QEMU from 2.2.1 to 2.3.0

Changes v8 -> v9:
  - No changes

Changes v7 -> v8:
  - No changes

Changes v6 -> v7:
  - No changes

Changes v5 -> v6:
  - No changes

Changes v4 -> v5:
  - Update the qemu_x86_defconfig to the 4.0 kernel series (Clayton S.)

Changes v1 -> v4:
  - Did not exist
---
 board/qemu/x86/linux-4.x-selinux.config | 19 +++++++++++++++++++
 board/qemu/x86/readme.txt               | 17 +++++++++++++++++
 configs/qemu_x86_selinux_defconfig      | 31 +++++++++++++++++++++++++++++++
 3 files changed, 67 insertions(+)
 create mode 100644 board/qemu/x86/linux-4.x-selinux.config
 create mode 100644 configs/qemu_x86_selinux_defconfig

diff --git a/board/qemu/x86/linux-4.x-selinux.config b/board/qemu/x86/linux-4.x-selinux.config
new file mode 100644
index 0000000..6c715f0
--- /dev/null
+++ b/board/qemu/x86/linux-4.x-selinux.config
@@ -0,0 +1,19 @@
+CONFIG_AUDIT=y
+CONFIG_MODULES=y
+CONFIG_IP_PNP=y
+CONFIG_DEVTMPFS=y
+CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_EXT2_FS=y
+CONFIG_EXT2_FS_XATTR=y
+CONFIG_EXT2_FS_POSIX_ACL=y
+CONFIG_EXT2_FS_SECURITY=y
+CONFIG_EXT3_FS=y
+CONFIG_EXT3_FS_POSIX_ACL=y
+CONFIG_EXT3_FS_SECURITY=y
+CONFIG_NFS_FS=y
+CONFIG_ROOT_NFS=y
+CONFIG_SECURITY=y
+CONFIG_SECURITY_NETWORK=y
+CONFIG_SECURITY_SELINUX=y
+CONFIG_SECURITY_SELINUX_BOOTPARAM=y
+CONFIG_CRYPTO_ANSI_CPRNG=y
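Review bot: several entries in this fragment are unrelated to SELinux (CONFIG_IP_PNP, CONFIG_NFS_FS, CONFIG_ROOT_NFS, CONFIG_CRYPTO_ANSI_CPRNG, CONFIG_MODULES); a file named linux-4.x-selinux.config should carry only what the LSM and audit paths need (CONFIG_AUDIT, the CONFIG_SECURITY* symbols and the *_XATTR / *_POSIX_ACL / *_SECURITY filesystem options that allow security labels to be stored), with anything else either dropped or explained by a comment so readers can tell the SELinux requirements from board conveniences.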
diff --git a/board/qemu/x86/readme.txt b/board/qemu/x86/readme.txt
index 4f2e4c7..f7bf256 100644
--- a/board/qemu/x86/readme.txt
+++ b/board/qemu/x86/readme.txt
@@ -7,3 +7,20 @@ Optionally add -smp N to emulate a SMP system with N CPUs.
 The login prompt will appear in the graphical window.
 
 Tested with QEMU 2.5.0
+
+-------------------------------------------------------------------
+
+Run the SElinux target emulation with:
+
+  qemu-system-i386 -M pc -kernel output/images/bzImage -drive file=output/images/rootfs.ext2,if=ide -append "root=/dev/sda rw console=ttyS0 selinux=1" -net nic,model=rtl8139 -net user -display none -serial stdio
+
+The emulation should reboot once the first time for relabeling and
+then provide a login prompt. The login is username root and password
+root because PAM requires a password in this secure configuration. To
+enable SELinux enforcing at boot, login and edit the
+/etc/selinux/config and set SELINUX to enforcing. Save and make sure
+to "sync" before restarting the emulation as the ext2 fs would
+otherwise corrupt when the emulation exits. After enforcing is
+default, the selinux= provided as part of the qemu "append" above can
+be used to turn enforcing on/off. This configuration would be tailored
+as part of a targets refpolicy customization.
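Review bot: the closing sentences mislead: with CONFIG_SECURITY_SELINUX_BOOTPARAM=y the `selinux=` kernel parameter turns SELinux on or off entirely (selinux=0 boots with no policy loaded at all), it does not switch between enforcing and permissive; that is what SELINUX= in /etc/selinux/config controls, as the sentence before correctly says. Reword to "selinux=0 can be used to boot with SELinux disabled". Also "SElinux" should be "SELinux" and "a targets refpolicy" should be "a target's refpolicy", and it is worth stating that root/root is an emulation-only default password.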
diff --git a/configs/qemu_x86_selinux_defconfig b/configs/qemu_x86_selinux_defconfig
new file mode 100644
index 0000000..ebfe4ca
--- /dev/null
+++ b/configs/qemu_x86_selinux_defconfig
@@ -0,0 +1,31 @@
+BR2_x86_pentiumpro=y
+
+# Internal tool chain glibc
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_8=y
+BR2_TOOLCHAIN_BUILDROOT_GLIBC=y
+
+# Select SYSV init to provide selinux enabled init
+BR2_INIT_SYSV=y
+BR2_ROOTFS_DEVICE_TABLE="system/device_table.txt board/common_selinux/skeleton_permissions.txt"
+BR2_TARGET_GENERIC_ROOT_PASSWD="root"
+BR2_ROOTFS_OVERLAY="board/common_selinux/skeleton"
+BR2_ROOTFS_POST_BUILD_SCRIPT="board/common_selinux/post_build.sh"
+BR2_LINUX_KERNEL=y
+BR2_LINUX_KERNEL_CUSTOM_VERSION=y
+BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="4.8"
+BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
+BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/x86/linux-4.8.config"
+BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES="board/qemu/x86/linux-4.x-selinux.config"
+
+# Ensure busybox is built as individual binaries for the
+# SELinux refpolicy to work correctly
+BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES=y
+BR2_PACKAGE_OPENSSH=y
+BR2_PACKAGE_REFPOLICY=y
+BR2_PACKAGE_RSYSLOG=y
+BR2_PACKAGE_UTIL_LINUX=y
+BR2_PACKAGE_UTIL_LINUX_BINARIES=y
+BR2_PACKAGE_UTIL_LINUX_LOGIN_UTILS=y
+BR2_TARGET_ROOTFS_EXT2=y
+BR2_TARGET_ROOTFS_EXT2_RESBLKS=5
+BR2_PACKAGE_HOST_CHECKPOLICY=y
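Review bot: the v10 -> v11 changelog says BR2_ROOTFS_DEVICE_TABLE, BR2_ROOTFS_OVERLAY and BR2_ROOTFS_POST_BUILD_SCRIPT were moved out of this patch into the common support files patch, but they are still present here and patch 7/8 adds them a second time, which leaves the defconfig with each key twice; remove them from this patch. They also reference board/common_selinux/... files that do not exist until patch 7/8 is applied, so the series does not build cleanly at this point. A one-line comment for BR2_PACKAGE_HOST_CHECKPOLICY (a host policy compiler is needed to build the refpolicy) would match the comments the other groups already have.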
-- 
1.9.1


* [Buildroot] [PATCH v13 7/8] qemu x86 selinux: added common selinux support files
From: Bryce Ferguson @ 2016-10-25 19:26 UTC
  To: buildroot

From: Matt Weber <matthew.weber@rockwellcollins.com>

Add a default busybox SELinux config which disables init and uses
sysvinit. Add base skeleton with inittab and fstab tailored to selinux.
Add base skeleton audit configuration (didn't seem to merit being
the package default).

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>
Signed-off-by: Bryce Ferguson <bryce.ferguson@rockwellcollins.com>

---
Changes v12 -> v13:
  - Converted busybox config to fragment config (busybox-selinux-fragment.config)

Changes v11 -> v12:
  - No changes

Changes v10 -> v11:
  - Added defconfig selinux specific file overlay and busybox config files to this patch as these are
    introduced in this patch (Suggested by Thomas).

Changes v9 -> v10:
  - No changes

Changes v8 -> v9:
  - No changes

Changes v7 -> v8:
  - No changes

Changes v6 -> v7:
  - No changes

Changes v5 -> v6:
  - No changes

Changes v4 -> v5:
  - Update the selinux busybox config to the latest version of busybox
    (Clayton S.)

Changes v1 -> v4:
  - Did not exist
---
 .../common_selinux/busybox-selinux-fragment.config | 32 ++++++++++++++++++++++
 board/common_selinux/post_build.sh                 | 30 ++++++++++++++++++++
 .../common_selinux/skeleton/etc/audit/auditd.conf  | 32 ++++++++++++++++++++++
 .../skeleton/etc/audit/rules.d/audit.rules         |  3 ++
 board/common_selinux/skeleton/etc/fstab            | 15 ++++++++++
 board/common_selinux/skeleton/etc/inittab          | 29 ++++++++++++++++++++
 board/common_selinux/skeleton_permissions.txt      | 26 ++++++++++++++++++
 configs/qemu_x86_selinux_defconfig                 | 10 +++++++
 8 files changed, 177 insertions(+)
 create mode 100644 board/common_selinux/busybox-selinux-fragment.config
 create mode 100755 board/common_selinux/post_build.sh
 create mode 100644 board/common_selinux/skeleton/etc/audit/auditd.conf
 create mode 100644 board/common_selinux/skeleton/etc/audit/rules.d/audit.rules
 create mode 100755 board/common_selinux/skeleton/etc/fstab
 create mode 100755 board/common_selinux/skeleton/etc/inittab
 create mode 100755 board/common_selinux/skeleton_permissions.txt

diff --git a/board/common_selinux/busybox-selinux-fragment.config b/board/common_selinux/busybox-selinux-fragment.config
new file mode 100644
index 0000000..7222fac
--- /dev/null
+++ b/board/common_selinux/busybox-selinux-fragment.config
@@ -0,0 +1,32 @@
+CONFIG_BUILD_LIBBUSYBOX=y
+CONFIG_CHCON=y
+CONFIG_DEFAULT_DEPMOD_FILE=""
+CONFIG_DEFAULT_MODULES_DIR=""
+CONFIG_FATATTR=y
+CONFIG_FEATURE_BASH_IS_ASH=y
+CONFIG_FEATURE_CHCON_LONG_OPTIONS=y
+CONFIG_FEATURE_DEFAULT_PASSWD_ALGO=""
+CONFIG_FEATURE_FIND_INUM=y
+CONFIG_FEATURE_HAVE_RPC=y
+CONFIG_FEATURE_INDIVIDUAL=y
+CONFIG_FEATURE_LAST_SMALL=y
+CONFIG_FEATURE_MOUNT_HELPERS=y
+CONFIG_FEATURE_MOUNT_LABEL=y
+CONFIG_FEATURE_MOUNT_NFS=y
+CONFIG_FEATURE_MOUNT_VERBOSE=y
+CONFIG_FEATURE_RUNCON_LONG_OPTIONS=y
+CONFIG_FEATURE_SWAPON_DISCARD=y
+CONFIG_FEATURE_SYSLOGD_READ_BUFFER_SIZE=0
+CONFIG_FEATURE_TAR_SELINUX=y
+CONFIG_FEATURE_TOUCH_NODEREF=y
+CONFIG_FIRST_SYSTEM_ID=0
+CONFIG_GROUPS=y
+CONFIG_INIT_TERMINAL_TYPE=""
+CONFIG_LAST_ID=0
+CONFIG_LAST_SYSTEM_ID=0
+CONFIG_PAM=y
+CONFIG_RUNCON=y
+CONFIG_SELINUXENABLED=y
+CONFIG_SELINUX=y
+CONFIG_SHUF=y
+CONFIG_USERS=y
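Review bot: a fragment named busybox-selinux-fragment.config should be limited to the SELinux and PAM related symbols (CONFIG_SELINUX, CONFIG_SELINUXENABLED, CONFIG_CHCON, CONFIG_RUNCON and their long-option variants, CONFIG_FEATURE_MOUNT_LABEL, CONFIG_FEATURE_TAR_SELINUX, CONFIG_PAM); CONFIG_SHUF, CONFIG_FATATTR, CONFIG_FEATURE_FIND_INUM, CONFIG_FEATURE_BASH_IS_ASH, CONFIG_FEATURE_HAVE_RPC and the emptied CONFIG_DEFAULT_DEPMOD_FILE / CONFIG_DEFAULT_MODULES_DIR defaults have nothing to do with SELinux and should be justified by a comment or dropped. CONFIG_BUILD_LIBBUSYBOX and CONFIG_FEATURE_INDIVIDUAL are already forced by BUSYBOX_CONFIGURE_INDIVIDUAL_BINARIES in patch 5/8, so they are redundant here.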
diff --git a/board/common_selinux/post_build.sh b/board/common_selinux/post_build.sh
new file mode 100755
index 0000000..3509de9
--- /dev/null
+++ b/board/common_selinux/post_build.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+################################################################################
+#
+# DESCRIPTION:
+#     This script will do any "post-build" steps (after all packages are built
+#     but before image creation). Any filesystem permission issues should be
+#     fixed in this script.
+#
+#     The script requires following variables to be passed into it.
+#        $1 - the target directory (passed in by default by buildroot if
+#             script is BR2_ROOTFS_POST_BUILD_SCRIPT)
+#
+################################################################################
+
+DEST_DIR=$1
+
+# For SELinux targets, the /var directory symlinks need to be removed
+# and replaced with actual folders. The removal is done here and the
+# recreation is done in the permissions file for the common_selinux
+# local_skeleton
+for link in ${DEST_DIR}/var/{cache,lock,log,run,spool,tmp} ${DEST_DIR}/var/lib/misc; do
+	if [ -h ${link} ]; then
+		echo "Removing symlink ${link}"
+		unlink ${link}
+	fi
+done
+
+# Replace the /run folder with a symlink to /var/run
+rm -rf ${DEST_DIR}/run
+ln -sf -t ${DEST_DIR} run var/run
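Review bot: `rm -rf ${DEST_DIR}/run` uses DEST_DIR straight from $1 with no check that it is set, so running the script without an argument removes the host's /run; add `set -e`, `set -u` and an explicit `[ -n "$1" ] || { echo "usage: $0 <target dir>" >&2; exit 1; }` before anything destructive, and quote every expansion (`"${DEST_DIR}"`, `"${link}"`) so a target path containing spaces cannot be split. `ln -sf -t` and the `{cache,lock,...}` brace expansion are bash/GNU specific; the `#!/bin/bash` shebang covers that, but say so in the header comment.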
diff --git a/board/common_selinux/skeleton/etc/audit/auditd.conf b/board/common_selinux/skeleton/etc/audit/auditd.conf
new file mode 100644
index 0000000..039b7f0
--- /dev/null
+++ b/board/common_selinux/skeleton/etc/audit/auditd.conf
@@ -0,0 +1,32 @@
+#
+# This file controls the configuration of the audit daemon
+#
+
+log_file = /var/log/audit/audit.log
+log_format = RAW
+log_group = root
+priority_boost = 4
+flush = INCREMENTAL
+freq = 20
+num_logs = 5
+disp_qos = lossy
+dispatcher = /usr/sbin/audispd
+name_format = NONE
+##name = mydomain
+max_log_file = 6 
+max_log_file_action = ROTATE
+space_left = 75
+space_left_action = IGNORE
+action_mail_acct = root
+admin_space_left = 50
+admin_space_left_action = IGNORE
+disk_full_action = IGNORE
+disk_error_action = IGNORE
+##tcp_listen_port = 
+tcp_listen_queue = 5
+tcp_max_per_addr = 1
+##tcp_client_ports = 1024-65535
+tcp_client_max_idle = 0
+enable_krb5 = no
+krb5_principal = auditd
+##krb5_key_file = /etc/audit/audit.key
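Review bot: log_file points at /var/log/audit/audit.log, but the skeleton fstab in this same patch mounts a 50M tmpfs over /var/log and the permissions table creates only /var/log, so /var/log/audit does not exist when auditd starts and the audit trail is discarded at every reboot; either create the directory at boot (an inittab sysinit entry) or point log_file at persistent storage, and say which was chosen. `dispatcher = /usr/sbin/audispd` assumes audispd is installed on the target, and the `max_log_file = 6` and `##tcp_listen_port =` lines carry trailing whitespace.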
diff --git a/board/common_selinux/skeleton/etc/audit/rules.d/audit.rules b/board/common_selinux/skeleton/etc/audit/rules.d/audit.rules
new file mode 100644
index 0000000..7c90606
--- /dev/null
+++ b/board/common_selinux/skeleton/etc/audit/rules.d/audit.rules
@@ -0,0 +1,3 @@
+-D
+-b 1024
+-e 2
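Review bot: `-e 2` makes the audit configuration immutable until the next reboot, so any later rule load or `auditctl` change fails; that is a reasonable hardening choice for an enforcing target but it needs a comment in the file, and the `-b 1024` backlog value deserves the same explanation so someone tuning a busy system knows it was chosen deliberately for this small QEMU image.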
diff --git a/board/common_selinux/skeleton/etc/fstab b/board/common_selinux/skeleton/etc/fstab
new file mode 100755
index 0000000..d772349
--- /dev/null
+++ b/board/common_selinux/skeleton/etc/fstab
@@ -0,0 +1,15 @@
+# /etc/fstab: static file system information.
+#
+# <file system> <mount pt>     <type>    <options>                      <dump> <pass>
+/dev/root       /              ext3      rw,noauto                       0      1
+proc            /proc          proc      defaults                        0      0
+devpts          /dev/pts       devpts    defaults,gid=5,mode=620         0      0
+tmpfs           /dev/shm       tmpfs     mode=0700,nodev,nosuid,noexec,size=1M    0      0
+tmpfs           /tmp           tmpfs     mode=0700,nodev,nosuid,noexec,size=200M  0      0
+tmpfs           /var/cache     tmpfs     mode=0700,nodev,nosuid,noexec,size=1M    0      0
+tmpfs           /var/lock      tmpfs     mode=0700,nodev,nosuid,noexec,size=1M    0      0
+tmpfs           /var/log       tmpfs     mode=0700,nodev,nosuid,noexec,size=50M   0      0
+tmpfs           /var/run       tmpfs     mode=0700,nodev,nosuid,noexec,size=1M    0      0
+tmpfs           /var/spool     tmpfs     mode=0700,nodev,nosuid,noexec,size=1M    0      0
+sysfs           /sys           sysfs     defaults                 0      0
+none            /selinux       selinuxfs noauto                   0      0
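Review bot: `/dev/root` is declared ext3 while the defconfig builds an ext2 rootfs (BR2_TARGET_ROOTFS_EXT2); with `noauto` the line only matters to the `fsck -ARy` in the inittab, but it should still state the real type. More importantly, /tmp, /dev/shm and /var/run are mounted with `mode=0700`, which makes them root-only: any non-root process needing a temp file, POSIX shared memory or a runtime socket will fail, and the conventional modes are 1777 for /tmp and /dev/shm and 755 for /var/run. The nodev,nosuid,noexec flags are the right hardening; fix the modes and add a comment explaining the size limits.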
diff --git a/board/common_selinux/skeleton/etc/inittab b/board/common_selinux/skeleton/etc/inittab
new file mode 100755
index 0000000..05e05b2
--- /dev/null
+++ b/board/common_selinux/skeleton/etc/inittab
@@ -0,0 +1,29 @@
+# /etc/inittab
+#
+# This inittab is a basic inittab sample for sysvinit, which mimics
+# Buildroot's default inittab for BusyBox.
+id:1:initdefault:
+
+proc::sysinit:/bin/mount -t proc proc /proc
+sysf::sysinit:/bin/mount -t sysfs sysfs /sys
+dpts::sysinit:/bin/mkdir -p /dev/pts -Z `matchpathcon -n /dev/pts`
+dshm::sysinit:/bin/mkdir -p /dev/shm -Z `matchpathcon -n /dev/shm`
+mpts::sysinit:/bin/mkdir -p /dev/pts
+mshm::sysinit:/bin/mkdir -p /dev/shm
+fsck::sysinit:/sbin/fsck -ARy
+moun::sysinit:/bin/mount -a
+host::sysinit:/bin/hostname -F /etc/hostname
+
+# now run any rc scripts
+init::bootwait:/etc/init.d/rcS
+
+S0::respawn:/sbin/getty -L  ttyS0 115200 vt100 # GENERIC_SERIAL
+
+# Stuff to do before rebooting
+shd0:06:wait:/etc/init.d/rcK
+shd1:06:wait:/sbin/swapoff -a
+shd2:06:wait:/bin/umount -a -r
+
+# The usual halt or reboot actions
+lt0:0:wait:/sbin/halt -dhp
+reb0:6:wait:/sbin/reboot
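Review bot: the `mpts` and `mshm` entries repeat `dpts` and `dshm` without the `-Z` label, so /dev/pts and /dev/shm are created twice; keep the labelled pair (with `mkdir -p` the second run is a no-op anyway) and drop the other, or comment why both are needed. The getty line also has a double space in `-L  ttyS0`.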
diff --git a/board/common_selinux/skeleton_permissions.txt b/board/common_selinux/skeleton_permissions.txt
new file mode 100755
index 0000000..374adbc
--- /dev/null
+++ b/board/common_selinux/skeleton_permissions.txt
@@ -0,0 +1,26 @@
+################################################################################
+#
+# See <buildroot-source>/package/makedevs/README for details
+#
+# This device table is used to assign proper ownership and permissions
+# on the files in the local-skeleton directory. It doesn't create any device
+# file, as it is used in both static device configurations (where /dev/ is static)
+# and in dynamic configurations (where devtmpfs, mdev or udev are used).
+#
+# <name>				<type>	<mode>	<uid>	<gid>	<major>	<minor>	<start>	<inc>	<count>
+
+# All the necessary file permissions for /etc
+/etc/audit/auditd.conf			f	644	0	0	-	-	-	-	-
+/etc/audit/rules.d/audit.rules		f	644	0	0	-	-	-	-	-
+/etc/fstab				f	644	0	0	-	-	-	-	-
+/etc/inittab				f	644	0	0	-	-	-	-	-
+
+# Setup entries for all of the /var/* directories that need proper
+# mount points
+/var/cache				d	755	0	0	-	-	-	-	-
+/var/lib/misc				d	755	0	0	-	-	-	-	-
+/var/lock				d	755	0	0	-	-	-	-	-
+/var/log				d	755	0	0	-	-	-	-	-
+/var/run				d	755	0	0	-	-	-	-	-
+/var/spool				d	755	0	0	-	-	-	-	-
+/var/tmp				d	755	0	0	-	-	-	-	-
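Review bot: auditd.conf, fstab, inittab and this table are added to the tree with mode 100755 (see the `create mode` lines in the diffstat) although the table sets them to 644 on the target; fix the repository modes so configuration files are not committed executable. In the /var section, /var/tmp is created 755 whereas it is conventionally 1777 (sticky, world-writable) like /tmp, and /var/log/audit is missing even though auditd.conf in this patch logs there.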
diff --git a/configs/qemu_x86_selinux_defconfig b/configs/qemu_x86_selinux_defconfig
index ebfe4ca..54e9142 100644
--- a/configs/qemu_x86_selinux_defconfig
+++ b/configs/qemu_x86_selinux_defconfig
@@ -17,6 +17,16 @@ BR2_LINUX_KERNEL_USE_CUSTOM_CONFIG=y
 BR2_LINUX_KERNEL_CUSTOM_CONFIG_FILE="board/qemu/x86/linux-4.8.config"
 BR2_LINUX_KERNEL_CONFIG_FRAGMENT_FILES="board/qemu/x86/linux-4.x-selinux.config"
 
+# Customized busybox config providing a tailored
+# balance of applets vs full apps
+BR2_PACKAGE_BUSYBOX_CONFIG_FRAGMENT_FILES="board/common_selinux/busybox-selinux-fragment.config"
+
+# Pull in SELinux specific file overlay to allow login
+# in enforcing mode.
+BR2_ROOTFS_DEVICE_TABLE="system/device_table.txt board/common_selinux/skeleton_permissions.txt"
+BR2_ROOTFS_OVERLAY="board/common_selinux/skeleton"
+BR2_ROOTFS_POST_BUILD_SCRIPT="board/common_selinux/post_build.sh"
+
 # Ensure busybox is built as individual binaries for the
 # SELinux refpolicy to work correctly
 BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES=y
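Review bot: BR2_ROOTFS_DEVICE_TABLE, BR2_ROOTFS_OVERLAY and BR2_ROOTFS_POST_BUILD_SCRIPT are already set earlier in configs/qemu_x86_selinux_defconfig as created by patch 6/8, so after this hunk the file contains each key twice; the changelog says this patch should own them, so remove them from patch 6/8 rather than adding a second copy here.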
-- 
1.9.1


* [Buildroot] [PATCH v13 8/8] skeleton: busybox individual apps no symlink
From: Bryce Ferguson @ 2016-10-25 19:26 UTC
  To: buildroot

From: Matt Weber <matthew.weber@rockwellcollins.com>

Ignore the creation of a symlink when individual binaries are
used.

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>

---
Changes v12 -> v13:
  - No changes

Changes v11 -> v12:
  - Added a comment " allow busybox shell binary to remain when symlink are enabled"

Changes v1 -> v11:
  - No changes
---
 package/skeleton/skeleton.mk | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/package/skeleton/skeleton.mk b/package/skeleton/skeleton.mk
index 1000161..40ac3b1 100644
--- a/package/skeleton/skeleton.mk
+++ b/package/skeleton/skeleton.mk
@@ -203,10 +203,14 @@ define SKELETON_BIN_SH
 	rm -f $(TARGET_DIR)/bin/sh
 endef
 else
+#Allow a busybox shell binary to remain and not get replaced by a symlink 
+#if individual binaries are enabled
+ifeq ($(BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES),)
 define SKELETON_BIN_SH
 	ln -sf $(SKELETON_TARGET_GENERIC_BIN_SH) $(TARGET_DIR)/bin/sh
 endef
 endif
+endif
 TARGET_FINALIZE_HOOKS += SKELETON_BIN_SH
 
 ifeq ($(BR2_TARGET_GENERIC_GETTY),y)
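Review bot: SKELETON_BIN_SH is left undefined when individual binaries are enabled, yet `TARGET_FINALIZE_HOOKS += SKELETON_BIN_SH` still runs unconditionally; move that line inside the conditionals, or give the new branch an empty define so the intent is explicit. The change also silently overrides the user's BR2_TARGET_GENERIC_BIN_SH choice whenever individual binaries are on, which belongs in Config.in (a `depends on` or a comment next to the shell selection) rather than only in this makefile. Style: the new comment lines need a space after `#`, and the first one has trailing whitespace.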
-- 
1.9.1


* [Buildroot] [PATCH v13 4/8] util-linux: selinux, audit, and pam support
From: Rahul Bedarkar @ 2016-10-26  6:02 UTC
  To: buildroot

Hello,

On Wednesday 26 October 2016 12:56 AM, Bryce Ferguson wrote:
>
> diff --git a/package/util-linux/util-linux.mk b/package/util-linux/util-linux.mk
> index bd6508c..934fe2f 100644
> --- a/package/util-linux/util-linux.mk
> +++ b/package/util-linux/util-linux.mk
> @@ -63,6 +63,20 @@ endif
>   UTIL_LINUX_CONF_ENV += LIBS="$(UTIL_LINUX_LIBS)"
>   UTIL_LINUX_MAKE_OPTS += LIBS="$(UTIL_LINUX_LIBS)"
>
> +ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
> +UTIL_LINUX_DEPENDENCIES += libselinux
> +UTIL_LINUX_CONF_OPTS += --with-selinux
> +else
> +UTIL_LINUX_CONF_OPTS += --without-selinux
> +endif
> +
> +ifeq ($(BR2_PACKAGE_AUDIT),y)
> +UTIL_LINUX_DEPENDENCIES += audit
> +UTIL_LINUX_CONF_OPTS += --with-audit
> +else
> +UTIL_LINUX_CONF_OPTS += --without-audit
> +endif
> +

util-linux already has optional dependency on audit package.

Regards,
Rahul


* [Buildroot] [PATCH v13 4/8] util-linux: selinux, audit, and pam support
From: Thomas Petazzoni @ 2016-12-06 20:25 UTC
  To: buildroot

Hello,

On Tue, 25 Oct 2016 14:26:06 -0500, Bryce Ferguson wrote:
> From: Matt Weber <matthew.weber@rockwellcollins.com>
> 
> This patch adds optional libselinux, audit and pam support to linux utilities.
> 
> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
> Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> Reviewed-by: Samuel Martin <s.martin49@gmail.com>
> Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>

There are a few things I don't like in this patch. I'm going to submit
two alternative patches as a replacement. I'm interested in your
feedback about those replacement patches (especially if they work fine
for you).


> +ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
> +UTIL_LINUX_DEPENDENCIES += libselinux
> +UTIL_LINUX_CONF_OPTS += --with-selinux
> +else
> +UTIL_LINUX_CONF_OPTS += --without-selinux
> +endif
> +
> +ifeq ($(BR2_PACKAGE_AUDIT),y)
> +UTIL_LINUX_DEPENDENCIES += audit
> +UTIL_LINUX_CONF_OPTS += --with-audit
> +else
> +UTIL_LINUX_CONF_OPTS += --without-audit
> +endif

As was already stated, optional audit support is already in
util-linux.mk.

> +
>  # Used by cramfs utils
>  UTIL_LINUX_DEPENDENCIES += $(if $(BR2_PACKAGE_ZLIB),zlib)
>  
> @@ -179,9 +193,25 @@ define UTIL_LINUX_INSTALL_PAMFILES
>  	$(INSTALL) -m 0644 package/util-linux/su.pam \
>  		$(TARGET_DIR)/etc/pam.d/su-l
>  endef
> +
> +# Add the required hooks to the pam files if SELinux is enabled
> +# SED expression adds these lines to /etc/pam.d/login,/etc/pam.d/su-l and /etc/pam.d/su files
> +#   session		required	pam_selinux.so close
> +#   session		required	pam_selinux.so open
> +ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
> +define UTIL_LINUX_FIXUP_PAMFILES
> +	for file in login su su-l ; do \
> +		$(SED) '/selinux/d' $(TARGET_DIR)/etc/pam.d/$${file}; \
> +		$(SED) '0,/session/s/session/session		required	pam_selinux.so close\nsession/' $(TARGET_DIR)/etc/pam.d/$${file}; \
> +		echo "session		required	pam_selinux.so open" >> $(TARGET_DIR)/etc/pam.d/$${file}; \
> +	done
> +endef
> +endif

I don't like this, for two reasons:

 - The SED expressions are really really complicated.

 - You're tweaking /etc/pam.d/login, which has not been installed by
   this package, but by the linux-pam package.

See my alternate proposal, which I'll send in a few minutes.

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com


* [Buildroot] [PATCH 1/2] linux-pam: adjust login pam file for SELinux
From: Thomas Petazzoni @ 2016-12-06 20:27 UTC
  To: buildroot

When SELinux support is enabled, the login pam file installed by
linux-pam should be adjusted to use the pam_selinux.so module.

To achieve this in a reasonably simple manner, we introduce the SELinux
related lines in login.pam as comments, and if SELinux support is
enabled, turn those commented lines into real lines.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
---
 package/linux-pam/linux-pam.mk | 5 +++++
 package/linux-pam/login.pam    | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/package/linux-pam/linux-pam.mk b/package/linux-pam/linux-pam.mk
index 6ce3839..c8ba30f 100644
--- a/package/linux-pam/linux-pam.mk
+++ b/package/linux-pam/linux-pam.mk
@@ -29,6 +29,10 @@ endif
 ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
 LINUX_PAM_CONF_OPTS += --enable-selinux
 LINUX_PAM_DEPENDENCIES += libselinux
+define LINUX_PAM_SELINUX_PAMFILE_TWEAK
+	$(SED) 's/^# \(.*pam_selinux.so.*\)$$/\1/' \
+		$(TARGET_DIR)/etc/pam.d/login
+endef
 else
 LINUX_PAM_CONF_OPTS += --disable-selinux
 endif
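Review bot: the substitution in LINUX_PAM_SELINUX_PAMFILE_TWEAK, `'s/^# \(.*pam_selinux.so.*\)$$/\1/'`, uncomments any commented line that mentions pam_selinux.so, so a future explanatory comment in login.pam would be turned into a live module line; anchoring on the directive, `'s/^# \(session.*pam_selinux\.so.*\)$$/\1/'`, keeps the tweak limited to the two intended lines (the unescaped `.` in `pam_selinux.so` is harmless but `pam_selinux\.so` is the precise form).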
@@ -46,6 +50,7 @@ define LINUX_PAM_INSTALL_CONFIG
 		$(TARGET_DIR)/etc/pam.d/login
 	$(INSTALL) -m 0644 -D package/linux-pam/other.pam \
 		$(TARGET_DIR)/etc/pam.d/other
+	$(LINUX_PAM_SELINUX_PAMFILE_TWEAK)
 endef
 
 LINUX_PAM_POST_INSTALL_TARGET_HOOKS += LINUX_PAM_INSTALL_CONFIG
diff --git a/package/linux-pam/login.pam b/package/linux-pam/login.pam
index 01f5632..5df7db6 100644
--- a/package/linux-pam/login.pam
+++ b/package/linux-pam/login.pam
@@ -4,7 +4,9 @@ account		required	pam_unix.so
 
 password	required	pam_unix.so nullok
 
+# session	required	pam_selinux.so close
 session		required	pam_limits.so
 session		required	pam_env.so
 session		required	pam_unix.so
 session		optional	pam_lastlog.so
+# session	required	pam_selinux.so open
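Review bot: the two commented lines use a single tab after `# session` while the neighbouring live `session` lines use two, so once the `# ` prefix is stripped the columns no longer line up; use two tabs there as well so the uncommented result matches the rest of the file. The placement itself is right: pam_selinux.so close must be the first session entry and open the last, so the login process only switches to the user's security context after the other session modules have run.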
-- 
2.7.4

* [Buildroot] [PATCH 2/2] util-linux: add selinux support
  2016-12-06 20:27   ` [Buildroot] [PATCH 1/2] linux-pam: adjust login pam file for SELinux Thomas Petazzoni
@ 2016-12-06 20:27     ` Thomas Petazzoni
  2016-12-22 16:32       ` Bryce Ferguson
  2016-12-22 16:25     ` [Buildroot] [PATCH 1/2] linux-pam: adjust login pam file for SELinux Bryce Ferguson
  2017-01-25 10:06     ` Thomas Petazzoni
  2 siblings, 1 reply; 24+ messages in thread
From: Thomas Petazzoni @ 2016-12-06 20:27 UTC (permalink / raw)
  To: buildroot

From: Matt Weber <matthew.weber@rockwellcollins.com>

This patch adds optional libselinux support to the util-linux package,
and also tweaks the PAM files installed by util-linux to work properly

in an SELinux context.

As was done for linux-pam, the tweak is done by having the SELinux
related lines commented out in the original PAM file, and uncommented
when SELinux support is enabled.

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Reviewed-by: Samuel Martin <s.martin49@gmail.com>
Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
---
 package/util-linux/su.pam        |  2 ++
 package/util-linux/util-linux.mk | 14 ++++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/package/util-linux/su.pam b/package/util-linux/su.pam
index f000c39..84b1860 100644
--- a/package/util-linux/su.pam
+++ b/package/util-linux/su.pam
@@ -7,7 +7,9 @@ account		required	pam_unix.so
 
 password	required	pam_unix.so nullok
 
+# session	required	pam_selinux.so close
 session		required	pam_limits.so
 session		required	pam_env.so
 session		required	pam_unix.so
 session		optional	pam_lastlog.so
+# session	required	pam_selinux.so open
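Review bot: same tab alignment issue as in login.pam: `# session` is followed by a single tab where the surrounding `session` lines use two, so the uncommented lines end up misaligned; match the two-tab layout. Ordering among the session entries (close first, open last) is correct.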
diff --git a/package/util-linux/util-linux.mk b/package/util-linux/util-linux.mk
index cf03fd4..7140554 100644
--- a/package/util-linux/util-linux.mk
+++ b/package/util-linux/util-linux.mk
@@ -63,6 +63,19 @@ endif
 UTIL_LINUX_CONF_ENV += LIBS="$(UTIL_LINUX_LIBS)"
 UTIL_LINUX_MAKE_OPTS += LIBS="$(UTIL_LINUX_LIBS)"
 
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+UTIL_LINUX_DEPENDENCIES += libselinux
+UTIL_LINUX_CONF_OPTS += --with-selinux
+define UTIL_LINUX_SELINUX_PAMFILES_TWEAK
+	$(foreach f,su su-l,
+		$(SED) 's/^# \(.*pam_selinux.so.*\)$$/\1/' \
+			$(TARGET_DIR)/etc/pam.d/$(f)
+	)
+endef
+else
+UTIL_LINUX_CONF_OPTS += --without-selinux
+endif
+
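Review bot: the sed in UTIL_LINUX_SELINUX_PAMFILES_TWEAK repeats the linux-pam regex and has the same looseness: `.*pam_selinux.so.*` matches any commented line mentioning the module, not only the two `session` directives; anchor it as `'s/^# \(session.*pam_selinux\.so.*\)$$/\1/'`. Since the define only exists in the BR2_PACKAGE_LIBSELINUX=y branch, `$(UTIL_LINUX_SELINUX_PAMFILES_TWEAK)` expands to an empty recipe line otherwise, which make accepts, so the call site needs no extra guard.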
 # Used by cramfs utils
 UTIL_LINUX_DEPENDENCIES += $(if $(BR2_PACKAGE_ZLIB),zlib)
 
@@ -179,6 +192,7 @@ define UTIL_LINUX_INSTALL_PAMFILES
 		$(TARGET_DIR)/etc/pam.d/su
 	$(INSTALL) -m 0644 package/util-linux/su.pam \
 		$(TARGET_DIR)/etc/pam.d/su-l
+	$(UTIL_LINUX_SELINUX_PAMFILES_TWEAK)
 endef
 endif
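Review bot: the uncommented su and su-l lines load pam_selinux.so, which only exists on the target when linux-pam is built with --enable-selinux; patch 1/2 ties that to the same BR2_PACKAGE_LIBSELINUX condition, so the two patches must land together, or a libselinux-enabled build with the old linux-pam.mk would ship su files referencing a module that is not installed.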
 
-- 
2.7.4

* [Buildroot] [PATCH v13 1/8] policycoreutils: new package
  2016-10-25 19:26 [Buildroot] [PATCH v13 1/8] policycoreutils: new package Bryce Ferguson
                   ` (6 preceding siblings ...)
  2016-10-25 19:26 ` [Buildroot] [PATCH v13 8/8] skeleton: busybox individual apps no symlink Bryce Ferguson
@ 2016-12-10 14:59 ` Thomas Petazzoni
  2016-12-12 19:11   ` Matthew Weber
  2016-12-12 19:28   ` Bryce Ferguson
  7 siblings, 2 replies; 24+ messages in thread
From: Thomas Petazzoni @ 2016-12-10 14:59 UTC (permalink / raw)
  To: buildroot

Hello,

On Tue, 25 Oct 2016 14:26:03 -0500, Bryce Ferguson wrote:
> From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> 
> This package contains the core policy utilities that are required
> for basic operation of an SELinux system.
> 
> Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
> Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>
> Tested-by: Bryce Ferguson <bryce.ferguson@rockwellcollins.com>
> Signed-off-by: Bryce Ferguson <bryce.ferguson@rockwellcollins.com>

I've applied your patch to master, with the following changes:

    [Thomas:
     - Move the Config.in comment at the top of the Config.in file rather
       than between the main option and its sub-options, as this breaks
       menuconfig indentation.
     - Fix the propagation of the libsemanage dependencies. libsemanage
       depends on BR2_PACKAGE_AUDIT_ARCH_SUPPORTS and
       BR2_TOOLCHAIN_USES_GLIBC which were not accounted for. Since it
       depends on BR2_TOOLCHAIN_USES_GLIBC, then all the gettext related
       handling becomes useless and has been removed.
     - Rename the prompt of the restorecond sub-option to just
       "restorecond".
     - Use TARGET_CONFIGURE_OPTS and HOST_CONFIGURE_OPTS instead of
       passing LDFLAGS, CC, etc. manually.
     - Use make "foreach" function for loops instead of shell "for" loops.
     - Rework the explanation of why we're passing DESTDIR at build time.
     - Minor formatting tweaks here and there.]

I've also added Clayton as the contact in the DEVELOPERS file for this
package. If this is not correct, please send another patch to fix that
up. We really want your help to fix build issues that may arise from
this package.

Also, could you please have a look at what I answered to:

  [PATCH v13 4/8] util-linux: selinux, audit, and pam support

and look at the alternative proposals I made:

  https://patchwork.ozlabs.org/patch/703332/
  https://patchwork.ozlabs.org/patch/703333/

Thanks,

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com

* [Buildroot] [PATCH v13 1/8] policycoreutils: new package
  2016-12-10 14:59 ` [Buildroot] [PATCH v13 1/8] policycoreutils: new package Thomas Petazzoni
@ 2016-12-12 19:11   ` Matthew Weber
  2016-12-12 19:28   ` Bryce Ferguson
  1 sibling, 0 replies; 24+ messages in thread
From: Matthew Weber @ 2016-12-12 19:11 UTC (permalink / raw)
  To: buildroot

Thomas,

On Sat, Dec 10, 2016 at 8:59 AM, Thomas Petazzoni
<thomas.petazzoni@free-electrons.com> wrote:
>
> Hello,
>
> On Tue, 25 Oct 2016 14:26:03 -0500, Bryce Ferguson wrote:
> > From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> >
> > This package contains the core policy utilities that are required
> > for basic operation of an SELinux system.
> >
> > Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> > Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
> > Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>
> > Tested-by: Bryce Ferguson <bryce.ferguson@rockwellcollins.com>
> > Signed-off-by: Bryce Ferguson <bryce.ferguson@rockwellcollins.com>
>
> I've applied your patch to master, with the following changes:
>
>     [Thomas:
>      - Move the Config.in comment at the top of the Config.in file rather
>        than between the main option and its sub-options, as this breaks
>        menuconfig indentation.
>      - Fix the propagation of the libsemanage dependencies. libsemanage
>        depends on BR2_PACKAGE_AUDIT_ARCH_SUPPORTS and
>        BR2_TOOLCHAIN_USES_GLIBC which were not accounted for. Since it
>        depends on BR2_TOOLCHAIN_USES_GLIBC, then all the gettext related
>        handling becomes useless and has been removed.
>      - Rename the prompt of the restorecond sub-option to just
>        "restorecond".
>      - Use TARGET_CONFIGURE_OPTS and HOST_CONFIGURE_OPTS instead of
>        passing LDFLAGS, CC, etc. manually.
>      - Use make "foreach" function for loops instead of shell "for" loops.
>      - Rework the explanation of why we're passing DESTDIR at build time.
>      - Minor formatting tweaks here and there.]
>
> I've also added Clayton as the contact in the DEVELOPERS file for this
> package. If this is not correct, please send another patch to fix that
> up. We really want your help to fix build issues that may arise from
> this package.

Clayton is still a good contact and if not we'll update.

Definitely will be watching the autobuilder.  I'm currently looking at
an issue with "-D_FILE_OFFSET_BITS==64".

>
>
> Also, could you please have a look at what I answered to:
>
>   [PATCH v13 4/8] util-linux: selinux, audit, and pam support
>
> and look at the alternative proposals I made:
>
>   https://patchwork.ozlabs.org/patch/703332/
>   https://patchwork.ozlabs.org/patch/703333/

I'll let Bryce follow up on these.

Thanks!

-- 
Matthew L Weber / Pr Software Engineer
Airborne Information Systems / Security Systems and Software / Secure Platforms
MS 131-100, C Ave NE, Cedar Rapids, IA, 52498, USA
www.rockwellcollins.com

Note: Any Export License Required Information and License Restricted
Third Party Intellectual Property (TPIP) content must be encrypted and
sent to matthew.weber at corp.rockwellcollins.com.

* [Buildroot] [PATCH v13 1/8] policycoreutils: new package
  2016-12-10 14:59 ` [Buildroot] [PATCH v13 1/8] policycoreutils: new package Thomas Petazzoni
  2016-12-12 19:11   ` Matthew Weber
@ 2016-12-12 19:28   ` Bryce Ferguson
  2016-12-12 20:14     ` Thomas Petazzoni
  1 sibling, 1 reply; 24+ messages in thread
From: Bryce Ferguson @ 2016-12-12 19:28 UTC (permalink / raw)
  To: buildroot

Hello,

On Sat, Dec 10, 2016 at 8:59 AM, Thomas Petazzoni <
thomas.petazzoni@free-electrons.com> wrote:
> Hello,
>
> On Tue, 25 Oct 2016 14:26:03 -0500, Bryce Ferguson wrote:
>> From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>>
>> This package contains the core policy utilities that are required
>> for basic operation of an SELinux system.
>>
>> Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
>> Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>
>> Tested-by: Bryce Ferguson <bryce.ferguson@rockwellcollins.com>
>> Signed-off-by: Bryce Ferguson <bryce.ferguson@rockwellcollins.com>
>
> I've applied your patch to master, with the following changes:
>
>     [Thomas:
>      - Move the Config.in comment at the top of the Config.in file rather
>        than between the main option and its sub-options, as this breaks
>        menuconfig indentation.
>      - Fix the propagation of the libsemanage dependencies. libsemanage
>        depends on BR2_PACKAGE_AUDIT_ARCH_SUPPORTS and
>        BR2_TOOLCHAIN_USES_GLIBC which were not accounted for. Since it
>        depends on BR2_TOOLCHAIN_USES_GLIBC, then all the gettext related
>        handling becomes useless and has been removed.
>      - Rename the prompt of the restorecond sub-option to just
>        "restorecond".
>      - Use TARGET_CONFIGURE_OPTS and HOST_CONFIGURE_OPTS instead of
>        passing LDFLAGS, CC, etc. manually.
>      - Use make "foreach" function for loops instead of shell "for" loops.
>      - Rework the explanation of why we're passing DESTDIR at build time.
>      - Minor formatting tweaks here and there.]
>
> I've also added Clayton as the contact in the DEVELOPERS file for this
> package. If this is not correct, please send another patch to fix that
> up. We really want your help to fix build issues that may arise from
> this package.
>
> Also, could you please have a look at what I answered to:
>
>   [PATCH v13 4/8] util-linux: selinux, audit, and pam support
>
> and look at the alternative proposals I made:
>
>   https://patchwork.ozlabs.org/patch/703332/
>   https://patchwork.ozlabs.org/patch/703333/

I will perform a test build with these patches and provide tested-by
feedback.  I think we will want to use these patches instead of [PATCH v13
4/8].  So, to confirm, I will remove that patch completely as yours will
supersede it, correct?

Thanks

-- 


Bryce Ferguson
Software Engineer
Airborne Information Solutions \ Secure Platforms

400 Collins Rd NE Cedar Rapids, Iowa 52498

Bryce.Ferguson at rockwellcollins.com

* [Buildroot] [PATCH v13 1/8] policycoreutils: new package
  2016-12-12 19:28   ` Bryce Ferguson
@ 2016-12-12 20:14     ` Thomas Petazzoni
  0 siblings, 0 replies; 24+ messages in thread
From: Thomas Petazzoni @ 2016-12-12 20:14 UTC (permalink / raw)
  To: buildroot

Hello,

On Mon, 12 Dec 2016 13:28:04 -0600, Bryce Ferguson wrote:

> > Also, could you please have a look at what I answered to:
> >
> >   [PATCH v13 4/8] util-linux: selinux, audit, and pam support
> >
> > and look at the alternative proposals I made:
> >
> >   https://patchwork.ozlabs.org/patch/703332/
> >   https://patchwork.ozlabs.org/patch/703333/  
> 
> I will perform a test build with these patches and provide tested-by
> feedback.  I think we will want to use these patches instead of [PATCH v13
> 4/8].  So, to confirm, I will remove that patch completely as yours will
> supersede it, correct?

Yes, that's the idea. Thanks for the feedback.

Also, I'm on IRC #buildroot, usually starting from 9/9:30 PM CET, which
should conveniently fall into the afternoon for you. It would be great
if a few folks interested in SELinux in Buildroot on your side could be
on IRC so we can quickly exchange on how to move forward with this.

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com

* [Buildroot] [PATCH v13 2/8] refpolicy: new package
  2016-10-25 19:26 ` [Buildroot] [PATCH v13 2/8] refpolicy: " Bryce Ferguson
@ 2016-12-12 22:21   ` Thomas Petazzoni
  2016-12-13 22:08     ` Thomas Petazzoni
  2017-01-05 18:11     ` Bryce Ferguson
  0 siblings, 2 replies; 24+ messages in thread
From: Thomas Petazzoni @ 2016-12-12 22:21 UTC (permalink / raw)
  To: buildroot

Hello,

On Tue, 25 Oct 2016 14:26:04 -0500, Bryce Ferguson wrote:
> From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> 
> The patch is for adding selinux reference policy (refpolicy).
> It is a complete SELinux policy that can be used as the system policy
> for a variety of systems and used as the basis for creating other policies.
> 
> Changes were made to this patch in between versions 12 and 13 for which
> the change history can be found here: https://patchwork.ozlabs.org/patch/649175/
> 
> Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
> Reviewed-by: Samuel Martin <s.martin49@gmail.com>
> Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>
> Signed-off-by: David Graziano <david.graziano@rockwellcollins.com>
> Signed-off-by: Bryce Ferguson <bryce.ferguson@rockwellcollins.com>

This patch/commit is too complicated / too long. Please try to split it
into smaller chunks by only introducing the very mandatory
functionality first, and progressively add more capabilities.

It also has a number of issues. See below for the details.

> diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
> new file mode 100644
> index 0000000..5a46829
> --- /dev/null
> +++ b/package/refpolicy/Config.in
> @@ -0,0 +1,146 @@
> +config BR2_PACKAGE_REFPOLICY
> +	bool "refpolicy"
> +	select BR2_PACKAGE_POLICYCOREUTILS
> +	select BR2_PACKAGE_BUSYBOX_SELINUX if BR2_PACKAGE_BUSYBOX
> +	depends on BR2_TOOLCHAIN_HAS_THREADS # policycoreutils
> +	depends on BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL # policycoreutils

This does not properly account for the dependencies of policycoreutils
and SELinux support in Busybox, which are:

        depends on BR2_PACKAGE_AUDIT_ARCH_SUPPORTS # libsemanage
        depends on BR2_TOOLCHAIN_HAS_THREADS # libsemanage
        depends on !BR2_STATIC_LIBS #libsemanage
        depends on !BR2_arc # libsemanage
        depends on BR2_TOOLCHAIN_USES_GLIBC # libsemanage

> +comment "refpolicy needs a toolchain w/ threads, glibc or musl"
> +	depends on !BR2_TOOLCHAIN_HAS_THREADS \
> +		|| !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL)

So this comment needs fixing. It should be:

comment "refpolicy needs a glibc toolchain w/ thread, dynamic library"
	depends on !BR2_arc
	depends on BR2_PACKAGE_AUDIT_ARCH_SUPPORTS
	depends on BR2_STATIC_LIBS || !BR2_TOOLCHAIN_HAS_THREADS || \
		!BR2_TOOLCHAIN_USES_GLIBC

> +if BR2_PACKAGE_REFPOLICY
> +
> +choice
> +prompt "SELinux policy type"
> +default BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
> +
> +config BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
> +bool "Standard"
> +help
> +Standard SELinux policy

What is a "Standard SELinux policy" ?

> +
> +config BR2_PACKAGE_REFPOLICY_TYPE_MCS
> +bool "MCS"
> +help
> +SELinux policy with multi-catagory support

Typo: category

> +
> +config BR2_PACKAGE_REFPOLICY_TYPE_MLS
> +bool "MLS"
> +help
> +SELinux policy with multi-catagory and multi-level support

Typo: category

> +endchoice

The indentation of the choice is all wrong. It should be like this:

choice
	prompt "SELinux policy type"
	default BR2_PACKAGE_REFPOLICY_TYPE_STANDARD

config BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
	bool "Standard"
	help
	  ....

config ...
	bool ...
	help
	  ....

endchoice

> +choice
> +prompt "SELinux default state"
> +default BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE
> +
> +config BR2_PACKAGE_REFPOLICY_STATE_ENFORCE
> +bool "Enforcing"
> +help
> +SELinux security policy is enforced
> +
> +config BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE
> +bool "Permissive"
> +help
> +SELinux prints warnings instead of enforcing
> +
> +config BR2_PACKAGE_REFPOLICY_STATE_DISABLE
> +bool "Disabled"
> +help
> +No SELinux policy is loaded
> +endchoice
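Review bot: the default BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE means an image boots with the policy loaded but denials only logged, never enforced; the help text for each state should make that distinction explicit so an integrator does not read a cleanly booting image as evidence that the policy is enforced. Enforcing is the only setting that actually constrains processes; permissive is the setting for collecting AVC denials while the policy is being tuned.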

Please fix the choice indentation.

> +config BR2_PACKAGE_REFPOLICY_NAME
> +	string "Custom policy Name"
> +	default "Buildroot"

Is it really useful to be able to customize this? I guess it can be
dropped in a first iteration.

> +
> +config BR2_PACKAGE_REFPOLICY_STATE
> +	string
> +	default "permissive" if BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE
> +	default "enforcing" if BR2_PACKAGE_REFPOLICY_STATE_ENFORCE
> +	default "disabled" if BR2_PACKAGE_REFPOLICY_STATE_DISABLE

This should be close to the refpolicy state choice.

> +config BR2_PACKAGE_REFPOLICY_MODULES_FILE
> +	string "Refpolicy modules configuration"
> +	default "package/refpolicy/modules.conf"
> +	help
> +	  Location of a custom modules.conf file that lists the
> +	  SELinux policy modules to be included in the compiled
> +	  policy. See policy/modules.conf in the refpolicy sources for
> +	  the complete list of available modules.
> +	  NOTE: This file is only used if a Custom Git repo is
> +	  not specified.
> +
> +config BR2_PACKAGE_REFPOLICY_BOOLEAN_FILE
> +	string "Refpolicy boolean configuration"
> +	default "package/refpolicy/booleans.conf"
> +	help
> +	  Location of a custom booleans.conf file that lists the
> +	  SELinux booleans to be set in the compiled
> +	  policy. See policy/booleans.conf in the refpolicy sources for
> +	  the complete list of available modules.
> +	  NOTE: This file is only used if a Custom Git repo is
> +	  not specified.

Both of these options can be removed in the first patch, just
unconditionally use package/refpolicy/*.conf to start.

> +
> +config BR2_PACKAGE_REFPOLICY_MODULAR
> +	bool "Build a modular SELinux policy"
> +	help
> +	  Select Y to build a modular SELinux policy. By default,
> +	  a monolithic policy will be built to save space on the
> +	  target. A modular policy can also be built if policies
> +	  need to be modified without reloading the target.

Same: please drop in the first patch, and do that in a subsequent patch
in the series.

> +
> +config BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
> +	bool "Custom Git repository"
> +	select BR2_PACKAGE_REFPOLICY_CONTRIB

This package no longer exists, and you're actually fetching it from the
refpolicy Git repo through the submodule if I understand correctly.

> +	help
> +	 This option allows Buildroot to get the refpolicy source
> +	 code from a Git repository. This option should generally
> +	 be used to add custom SELinux policy to the base refpolicy
> +	 without having to deal with lots of patches.
> +
> +	 Please note that with the current configuration of the
> +	 mainline refpolicy git repositories, a refpolicy and a
> +	 refpolicy-contrib git repo must be specified. These are
> +	 linked using a git submodule which does not get initialized
> +	 during the Buildroot build.
> +
> +if BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
> +
> +config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL
> +	string "URL of custom repository"
> +
> +config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION
> +	string "Custom repository version"
> +	help
> +	  Revision to use in the typical format used by Git
> +	  e.g. a SHA id, a tag, branch, ..
> +
> +endif

Same for this functionality: separate patch. I'm also not sure I
understand why we would want this exactly. What does this repository
typically contain? Can you show the layout of what it contains, so we
can understand what it's like?

> +stop() {
> +   # There is nothing to do
> +   echo "OK"
> +}

Don't print "OK" then.

> +
> +case "$1" in
> +   start)
> +      start
> +      ;;
> +   stop)
> +      stop
> +      ;;
> +   *)
> +      echo "Usage: $0 {start|stop}"
> +      exit 1
> +      ;;
> +esac
> +
> +exit $?

exit $? is not needed.

> diff --git a/package/refpolicy/booleans.conf b/package/refpolicy/booleans.conf
> new file mode 100644
> index 0000000..31c70b9
> --- /dev/null
> +++ b/package/refpolicy/booleans.conf

How was this file generated?

> diff --git a/package/refpolicy/config b/package/refpolicy/config
> new file mode 100644
> index 0000000..5eee807
> --- /dev/null
> +++ b/package/refpolicy/config
> @@ -0,0 +1,8 @@
> +# This file controls the state of SELinux on the system.
> +# SELINUX= can take one of these three values:
> +#     enforcing - SELinux security policy is enforced.
> +#     permissive - SELinux prints warnings instead of enforcing.
> +#     disabled - No SELinux policy is loaded.
> +SELINUX=permissive
> +# SELINUXTYPE= name of the selinux policy to use
> +SELINUXTYPE=refpolicy

Instead of having a template, what about simply generating this file
from the .mk file, since it contains only two lines? In your .mk file:

	echo SELINUX=$(BR2_PACKAGE_REFPOLICY_STATE) > $(TARGET_DIR)/etc/selinux/config
	echo SELINUXTYPE=$(BR2_PACKAGE_REFPOLICY_NAME) >> $(TARGET_DIR)/etc/selinux/config

and that's it?

> diff --git a/package/refpolicy/modules.conf b/package/refpolicy/modules.conf
> new file mode 100644
> index 0000000..2304dc4
> --- /dev/null
> +++ b/package/refpolicy/modules.conf

How was this file generated? Do we need to keep it inside Buildroot?

> diff --git a/package/refpolicy/refpolicy.hash b/package/refpolicy/refpolicy.hash
> new file mode 100644
> index 0000000..c10de45
> --- /dev/null
> +++ b/package/refpolicy/refpolicy.hash
> @@ -0,0 +1,2 @@
> +#From https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease
> +sha256 2dd2f45a7132137afe8302805c3b7839739759b9ab73dd1815c01afe34ac99de  refpolicy-2.20151208.tar.bz2

This doesn't match the version used in the .mk file.

> diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
> new file mode 100644
> index 0000000..3622b6e
> --- /dev/null
> +++ b/package/refpolicy/refpolicy.mk
> @@ -0,0 +1,111 @@
> +################################################################################
> +#
> +# refpolicy
> +#
> +################################################################################
> +
> +REFPOLICY_VERSION = RELEASE_2_20151208
> +REFPOLICY_SITE = https://github.com/TresysTechnology/refpolicy.git
> +REFPOLICY_SITE_METHOD = git

Please add a comment about why you're not using the Github helper.

> +REFPOLICY_GIT_SUBMODULES = y

Please add a comment that explains why you're using submodules here (I
guess it's because of refpolicy-contrib).

> +REFPOLICY_LICENSE = GPLv2
> +REFPOLICY_LICENSE_FILES = COPYING
> +
> +# Cannot use multiple threads to build the reference policy
> +REFPOLICY_MAKE = $(TARGET_MAKE_ENV) $(MAKE1)
> +
> +REFPOLICY_DEPENDENCIES += host-m4 host-checkpolicy host-policycoreutils \
> +	host-setools host-gawk host-python policycoreutils

It's not clear to me why we need to have a build dependency on
policycoreutils. Could you explain?

> +REFPOLICY_INSTALL_STAGING = YES
> +
> +
> +# To apply board specific customizations, create a refpolicy folder in
> +# BR2_GLOBAL_PATCH_DIR.  These patches will be applied after the patches
> +# in package/refpolicy

Not useful, this is generic Buildroot knowledge.

> +
> +# Passing the HOST_CONFIGURE_OPTS to the target build because all of the
> +# build utilities are expected to be on system. This fools the make files
> +# into using the host built utilities to compile the SELinux policy for
> +# the target.
> +#
> +# Note, the TEST_TOOLCHAIN option will also set the
> +# LD_LIBRARY_PATH at run time.
> +REFPOLICY_MAKE_OPTS = $(HOST_CONFIGURE_OPTS) \
> +	TEST_TOOLCHAIN="$(HOST_DIR)"

That's really weird, and makes me wonder if we shouldn't have a
host-refpolicy package to build whatever host tool is needed, and a
refpolicy target package to actually build/install the policy on the
target.

> +# Build requires python2 to run
> +REFPOLICY_MAKE_ENV = \
> +	PYTHON="$(HOST_DIR)/usr/bin/python2" \
> +	AWK="$(HOST_DIR)/usr/bin/gawk" \
> +	M4="$(HOST_DIR)/usr/bin/m4"
> +
> +
> +ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)
> +REFPOLICY_MONOLITHIC = n
> +else
> +REFPOLICY_MONOLITHIC = y
> +endif

It's a little bit odd that the option is backwards, but I guess it's
because building monolithic is what makes most sense by default (hence
the BR2_PACKAGE_REFPOLICY_MODULAR being disabled by default). So, OK.

> +
> +REFPOLICY_MODULES_FILE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_MODULES_FILE))
> +define REFPOLICY_CUSTOM_MODULES_CONF
> +	cp $(REFPOLICY_MODULES_FILE) $(@D)/policy/modules.conf
> +endef
> +
> +REFPOLICY_BOOLEAN_FILE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_BOOLEAN_FILE))
> +define REFPOLICY_CUSTOM_BOOLEAN_CONF
> +	cp $(REFPOLICY_BOOLEAN_FILE) $(@D)/policy/booleans.conf
> +endef

Please simplify by just using the *.conf files from package/refpolicy/
for now (see above).

> +define REFPOLICY_CONFIGURE_CMDS
> +	# If an external repo is used to build refpolicy, this preserves the
> +	# custom modules.conf which defines the enabled components.
> +	if [ -f $(@D)/policy/modules.conf ]; then \
> +		mv $(@D)/policy/modules.conf $(@D)/modules.conf.bk ; \
> +	fi
> +	$(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) bare \
> +		$(REFPOLICY_MAKE_OPTS) DESTDIR=$(STAGING_DIR)
> +	$(SED) "/TYPE/c\TYPE = $(BR2_PACKAGE_REFPOLICY_TYPE)" $(@D)/build.conf
> +	$(SED) "/MONOLITHIC/c\MONOLITHIC = $(REFPOLICY_MONOLITHIC)" $(@D)/build.conf
> +	$(SED) "/NAME/c\NAME = $(BR2_PACKAGE_REFPOLICY_NAME)" $(@D)/build.conf
> +
> +	$(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) conf \
> +		$(REFPOLICY_MAKE_OPTS) DESTDIR=$(STAGING_DIR)
> +	if [ -f $(@D)/modules.conf.bk ]; then \
> +		echo "[Preserved modules.conf]" ; \
> +		mv $(@D)/modules.conf.bk $(@D)/policy/modules.conf ; \
> +	fi
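Review bot: the three sed addresses `/TYPE/`, `/MONOLITHIC/` and `/NAME/` are unanchored, so `c\` replaces every line of build.conf containing those words, comments included (a comment mentioning NAME or TYPE would be rewritten into a duplicate assignment); use addresses of the form `/^TYPE[[:space:]]*=/`, as the later `/^SELINUXTYPE/` and `/^SELINUX=/` seds in this same file already do.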

Not clear at all why we need this modules.conf.bk dance. Since it's
only for "an external repo", can we get rid of this for now, or at
least have it as part of a subsequent patch.

> +	$(REFPOLICY_CUSTOM_MODULES_CONF)
> +	$(REFPOLICY_CUSTOM_BOOLEAN_CONF)
> +endef
> +
> +define REFPOLICY_INSTALL_STAGING_CMDS
> +	$(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) install-src install-headers \
> +		install-docs $(REFPOLICY_MAKE_OPTS) DESTDIR=$(STAGING_DIR)
> +endef
> +
> +define REFPOLICY_INSTALL_TARGET_CMDS
> +	$(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) install \
> +		$(REFPOLICY_MAKE_OPTS) DESTDIR=$(TARGET_DIR)
> +	$(INSTALL) -m 0755 -D package/refpolicy/config $(TARGET_DIR)/etc/selinux/config
> +	$(SED) "/^SELINUXTYPE/c\SELINUXTYPE=$(BR2_PACKAGE_REFPOLICY_NAME)" \
> +		$(TARGET_DIR)/etc/selinux/config
> +	$(SED) "/^SELINUX=/c\SELINUX=$(BR2_PACKAGE_REFPOLICY_STATE)" \
> +		$(TARGET_DIR)/etc/selinux/config
> +	touch $(TARGET_DIR)/.autorelabel
> +	$(RM) $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/booleans
> +endef
> +
> +define REFPOLICY_INSTALL_INIT_SYSV
> +	$(INSTALL) -m 0755 -D package/refpolicy/S00selinux \
> +		$(TARGET_DIR)/etc/init.d/S00selinux
> +endef
> +
> +ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)
> +$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/policy
> +$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/modules/active/modules
> +$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/contexts/files
> +touch $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/contexts/files/file_contexts.local
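Review bot: `$(INSTALL) -m 0755 -D package/refpolicy/config $(TARGET_DIR)/etc/selinux/config` in REFPOLICY_INSTALL_TARGET_CMDS installs a plain configuration file as executable; 0644 is the right mode. The `touch $(TARGET_DIR)/.autorelabel` also deserves a comment stating why a full relabel on first boot is needed, since it lengthens the first boot noticeably and a reader of the .mk file cannot otherwise tell it is intentional.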

This definitely cannot work at all, it's not part of any command.
Building a modular policy should only be added in a follow-up patch, to
keep the initial patch simpler.

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com

* [Buildroot] [PATCH v13 2/8] refpolicy: new package
  2016-12-12 22:21   ` Thomas Petazzoni
@ 2016-12-13 22:08     ` Thomas Petazzoni
  2016-12-21 14:45       ` Bryce Ferguson
  2017-01-05 18:11     ` Bryce Ferguson
  1 sibling, 1 reply; 24+ messages in thread
From: Thomas Petazzoni @ 2016-12-13 22:08 UTC (permalink / raw)
  To: buildroot

Hello,

On Mon, 12 Dec 2016 23:21:21 +0100, Thomas Petazzoni wrote:

> > +REFPOLICY_DEPENDENCIES += host-m4 host-checkpolicy host-policycoreutils \
> > +	host-setools host-gawk host-python policycoreutils  
> 
> It's not clear to me why we need to have a build dependency on
> policycoreutils. Could you explain?

I checked by doing a build test: the target policycoreutils dependency
is not needed for build time, and it seems like the host-setools
dependency is also not needed.

Could you double check this, by doing a build which has *only*
refpolicy enabled and nothing else, and verify that the dependencies
are really necessary?

Thanks a lot,

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com


* [Buildroot] [PATCH v13 2/8] refpolicy: new package
  2016-12-13 22:08     ` Thomas Petazzoni
@ 2016-12-21 14:45       ` Bryce Ferguson
  0 siblings, 0 replies; 24+ messages in thread
From: Bryce Ferguson @ 2016-12-21 14:45 UTC (permalink / raw)
  To: buildroot

Hello,

On Tue, Dec 13, 2016 at 4:08 PM, Thomas Petazzoni
<thomas.petazzoni@free-electrons.com> wrote:
> Hello,
>
> On Mon, 12 Dec 2016 23:21:21 +0100, Thomas Petazzoni wrote:
>
>> > +REFPOLICY_DEPENDENCIES += host-m4 host-checkpolicy host-policycoreutils \
>> > +   host-setools host-gawk host-python policycoreutils
>>
>> It's not clear to me why we need to have a build dependency on
>> policycoreutils. Could you explain?
>
> I checked by doing a build test: the target policycoreutils dependency
> is not needed for build time, and it seems like the host-setools
> dependency is also not needed.
>
> Could you double check this, by doing a build which has *only*
> refpolicy enabled and nothing else, and verify that the dependencies
> are really necessary?

I have performed a build with only refpolicy enabled and you are
correct.  I will update this to remove that dependency.  I am also
currently working to address your other comments.

>
> Thanks a lot,
>
> Thomas
> --
> Thomas Petazzoni, CTO, Free Electrons
> Embedded Linux and Kernel engineering
> http://free-electrons.com

Thanks for your feedback!

-- 


Bryce Ferguson
Software Engineer
Airborne Information Solutions \ Secure Platforms

400 Collins Rd NE Cedar Rapids, Iowa 52498

Bryce.Ferguson at rockwellcollins.com


* [Buildroot] [PATCH 1/2] linux-pam: adjust login pam file for SELinux
  2016-12-06 20:27   ` [Buildroot] [PATCH 1/2] linux-pam: adjust login pam file for SELinux Thomas Petazzoni
  2016-12-06 20:27     ` [Buildroot] [PATCH 2/2] util-linux: add selinux support Thomas Petazzoni
@ 2016-12-22 16:25     ` Bryce Ferguson
  2017-01-25 10:06     ` Thomas Petazzoni
  2 siblings, 0 replies; 24+ messages in thread
From: Bryce Ferguson @ 2016-12-22 16:25 UTC (permalink / raw)
  To: buildroot

On Tue, Dec 6, 2016 at 2:27 PM, Thomas Petazzoni
<thomas.petazzoni@free-electrons.com> wrote:
> When SELinux support is enabled, the login pam file installed by
> linux-pam should be adjusted to use the pam_selinux.so module.
>
> To achieve this in a reasonably simple manner, we introduce the SELinux
> related lines in login.pam as comments, and if SELinux support is
> enabled, turn those commented lines into real lines.
>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

Performed a build with this package enabled using the qemu selinux
defconfig which is part of the outstanding v13 patchset found
here: http://patchwork.ozlabs.org/bundle/UraniumKnight/rc_selinux_v13/.
For the test, this was applied in the stead of PATCH 4/8
(http://patchwork.ozlabs.org/patch/686677/).
Tested-by: Bryce Ferguson <bryce.ferguson@rockwellcollins.com>

> ---
>  package/linux-pam/linux-pam.mk | 5 +++++
>  package/linux-pam/login.pam    | 2 ++
>  2 files changed, 7 insertions(+)
>
> diff --git a/package/linux-pam/linux-pam.mk b/package/linux-pam/linux-pam.mk
> index 6ce3839..c8ba30f 100644
> --- a/package/linux-pam/linux-pam.mk
> +++ b/package/linux-pam/linux-pam.mk
> @@ -29,6 +29,10 @@ endif
>  ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
>  LINUX_PAM_CONF_OPTS += --enable-selinux
>  LINUX_PAM_DEPENDENCIES += libselinux
> +define LINUX_PAM_SELINUX_PAMFILE_TWEAK
> +       $(SED) 's/^# \(.*pam_selinux.so.*\)$$/\1/' \
> +               $(TARGET_DIR)/etc/pam.d/login
> +endef
>  else
>  LINUX_PAM_CONF_OPTS += --disable-selinux
>  endif
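Review bot: `LINUX_PAM_SELINUX_PAMFILE_TWEAK` is defined only inside the `ifeq ($(BR2_PACKAGE_LIBSELINUX),y)` branch, yet the next hunk expands it unconditionally from `LINUX_PAM_INSTALL_CONFIG`; that works because GNU make expands an undefined variable to nothing, but a one-line comment, or an empty `define` in the `else` branch, would make the intent explicit. The sed expression also matches only lines that begin with exactly `# ` (hash, one space) followed by text containing `pam_selinux.so`, so the commented lines in login.pam have to keep that prefix or the tweak silently does nothing; a post-install check that `pam_selinux.so` appears uncommented in `$(TARGET_DIR)/etc/pam.d/login` when SELinux is enabled would catch such drift.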
> @@ -46,6 +50,7 @@ define LINUX_PAM_INSTALL_CONFIG
>                 $(TARGET_DIR)/etc/pam.d/login
>         $(INSTALL) -m 0644 -D package/linux-pam/other.pam \
>                 $(TARGET_DIR)/etc/pam.d/other
> +       $(LINUX_PAM_SELINUX_PAMFILE_TWEAK)
>  endef
>
>  LINUX_PAM_POST_INSTALL_TARGET_HOOKS += LINUX_PAM_INSTALL_CONFIG
> diff --git a/package/linux-pam/login.pam b/package/linux-pam/login.pam
> index 01f5632..5df7db6 100644
> --- a/package/linux-pam/login.pam
> +++ b/package/linux-pam/login.pam
> @@ -4,7 +4,9 @@ account         required        pam_unix.so
>
>  password       required        pam_unix.so nullok
>
> +# session      required        pam_selinux.so close
>  session                required        pam_limits.so
>  session                required        pam_env.so
>  session                required        pam_unix.so
>  session                optional        pam_lastlog.so
> +# session      required        pam_selinux.so open
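Review bot: the placement of the two `pam_selinux.so` lines is the part that needs care: `close` is the first session entry and `open` the last, so `pam_limits`, `pam_env`, `pam_unix` and `pam_lastlog` run in the login process's own SELinux context and only the user's shell inherits the context set up by `open`. Anyone later adding a session module to this file must insert it above the `# session ... pam_selinux.so open` line, otherwise that module executes in the user's context; a comment in login.pam saying so would prevent that mistake.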
> --
> 2.7.4
>


* [Buildroot] [PATCH 2/2] util-linux: add selinux support
  2016-12-06 20:27     ` [Buildroot] [PATCH 2/2] util-linux: add selinux support Thomas Petazzoni
@ 2016-12-22 16:32       ` Bryce Ferguson
  0 siblings, 0 replies; 24+ messages in thread
From: Bryce Ferguson @ 2016-12-22 16:32 UTC (permalink / raw)
  To: buildroot

On Tue, Dec 6, 2016 at 2:27 PM, Thomas Petazzoni
<thomas.petazzoni@free-electrons.com> wrote:
> From: Matt Weber <matthew.weber@rockwellcollins.com>
>
> This patch adds optional libselinux support to the util-linux package,
> and also tweaks the PAM files installed by util-linux to work properly
> in an SELinux context.
>
> Like was done for linux-pam, the tweak is done by having the SELinux
> related lines commented out in the original PAM file, and uncommented
> when SELinux support is enabled.
>
> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
> Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> Reviewed-by: Samuel Martin <s.martin49@gmail.com>
> Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

Performed a build with this package enabled using the qemu selinux
defconfig which is part of the outstanding v13 patchset found
here: http://patchwork.ozlabs.org/bundle/UraniumKnight/rc_selinux_v13/.
For the test, this was applied in the stead of PATCH 4/8
(http://patchwork.ozlabs.org/patch/686677/).
Tested-by: Bryce Ferguson <bryce.ferguson@rockwellcollins.com>

> ---
>  package/util-linux/su.pam        |  2 ++
>  package/util-linux/util-linux.mk | 14 ++++++++++++++
>  2 files changed, 16 insertions(+)
>
> diff --git a/package/util-linux/su.pam b/package/util-linux/su.pam
> index f000c39..84b1860 100644
> --- a/package/util-linux/su.pam
> +++ b/package/util-linux/su.pam
> @@ -7,7 +7,9 @@ account         required        pam_unix.so
>
>  password       required        pam_unix.so nullok
>
> +# session      required        pam_selinux.so close
>  session                required        pam_limits.so
>  session                required        pam_env.so
>  session                required        pam_unix.so
>  session                optional        pam_lastlog.so
> +# session      required        pam_selinux.so open
> diff --git a/package/util-linux/util-linux.mk b/package/util-linux/util-linux.mk
> index cf03fd4..7140554 100644
> --- a/package/util-linux/util-linux.mk
> +++ b/package/util-linux/util-linux.mk
> @@ -63,6 +63,19 @@ endif
>  UTIL_LINUX_CONF_ENV += LIBS="$(UTIL_LINUX_LIBS)"
>  UTIL_LINUX_MAKE_OPTS += LIBS="$(UTIL_LINUX_LIBS)"
>
> +ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
> +UTIL_LINUX_DEPENDENCIES += libselinux
> +UTIL_LINUX_CONF_OPTS += --with-selinux
> +define UTIL_LINUX_SELINUX_PAMFILES_TWEAK
> +       $(foreach f,su su-l,
> +               $(SED) 's/^# \(.*pam_selinux.so.*\)$$/\1/' \
> +                       $(TARGET_DIR)/etc/pam.d/$(f)
> +       )
> +endef
> +else
> +UTIL_LINUX_CONF_OPTS += --without-selinux
> +endif
> +
>  # Used by cramfs utils
>  UTIL_LINUX_DEPENDENCIES += $(if $(BR2_PACKAGE_ZLIB),zlib)
>
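Review bot: the `$(foreach f,su su-l, ...)` body relies on the newlines inside the `define` to emit the two `$(SED)` invocations as separate recipe lines; that works, but the usual Buildroot idiom is a one-line body terminated with `$(sep)`, which makes the separation explicit and survives later re-indentation. The sed expression is also a verbatim copy of the one in linux-pam.mk; if a third package grows the same tweak, a shared helper in package/pkg-utils.mk would keep the pattern from drifting between packages.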
> @@ -179,6 +192,7 @@ define UTIL_LINUX_INSTALL_PAMFILES
>                 $(TARGET_DIR)/etc/pam.d/su
>         $(INSTALL) -m 0644 package/util-linux/su.pam \
>                 $(TARGET_DIR)/etc/pam.d/su-l
> +       $(UTIL_LINUX_SELINUX_PAMFILES_TWEAK)
>  endef
>  endif
>
> --
> 2.7.4
>
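The mechanism both of the above patches (linux-pam's login.pam and util-linux's su/su-l) rely on, commented `pam_selinux.so` lines that are uncommented at install time when `BR2_PACKAGE_LIBSELINUX` is set, fails silently if the comment prefix ever drifts: the substitution matches nothing and the target boots without SELinux session handling. The following shell script is an added example, not code from the patches or from Buildroot. It applies the same sed expression as a stdin-to-stdout filter (Buildroot's `$(SED)` macro edits the file in place) to a constructed login.pam, then goes one step beyond the patches and checks the resulting session stack: `pam_selinux.so close` must be the first session entry, `pam_selinux.so open` the last, and exactly two such lines must be active. The sample file content, the function names and the temporary directory are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Buildroot patches: apply the
# "uncomment pam_selinux.so lines" tweak to a constructed PAM file
# and verify the resulting session stack.

# Constructed sample modelled on the login.pam shown in the patch
# (SELinux lines still commented out, as installed without libselinux).
SAMPLE_LOGIN_PAM='auth            required        pam_unix.so
account         required        pam_unix.so
password        required        pam_unix.so nullok
# session       required        pam_selinux.so close
session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_lastlog.so
# session       required        pam_selinux.so open'

# The substitution the patches run through $(SED): drop the "# " prefix
# from every line that mentions pam_selinux.so.  Applied here as a
# stdin -> stdout filter rather than in place.
enable_pam_selinux() {
    sed 's/^# \(.*pam_selinux.so.*\)$/\1/'
}

# Number of active (uncommented) pam_selinux.so session lines in a file.
# grep -c prints 0 and exits 1 when nothing matches, hence the "|| true".
count_active_selinux_lines() {
    grep -c -E '^session[[:space:]].*pam_selinux\.so' "$1" || true
}

# Session-stack ordering check: "pam_selinux.so close" must be the first
# session entry and "pam_selinux.so open" the last, so every other session
# module runs before the user's SELinux context is set up.  Exit status 0
# when the ordering holds, 1 otherwise.
check_selinux_session_order() {
    sessions=$(grep -E '^session[[:space:]]' "$1")
    first=$(printf '%s\n' "$sessions" | head -n 1)
    last=$(printf '%s\n' "$sessions" | tail -n 1)
    case "$first" in *pam_selinux.so*close*) ;; *) return 1 ;; esac
    case "$last"  in *pam_selinux.so*open*)  ;; *) return 1 ;; esac
    return 0
}

# Demonstration on the constructed file: the pristine copy fails the
# check (no active pam_selinux.so lines), the tweaked copy passes it.
DEMO_DIR=$(mktemp -d)
printf '%s\n' "$SAMPLE_LOGIN_PAM" > "$DEMO_DIR/login"
printf '%s\n' "$SAMPLE_LOGIN_PAM" | enable_pam_selinux > "$DEMO_DIR/login.selinux"
for f in login login.selinux; do
    if check_selinux_session_order "$DEMO_DIR/$f"; then
        echo "$f: $(count_active_selinux_lines "$DEMO_DIR/$f") active pam_selinux.so lines, ordering OK"
    else
        echo "$f: pam_selinux.so session ordering NOT satisfied"
    fi
done
```

Run against a real `$(TARGET_DIR)/etc/pam.d/login` (or `su` and `su-l`) after a Buildroot build, `check_selinux_session_order` gives a quick post-install assertion that the tweak actually fired and that nobody appended a session module below the `open` line.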


* [Buildroot] [PATCH v13 2/8] refpolicy: new package
  2016-12-12 22:21   ` Thomas Petazzoni
  2016-12-13 22:08     ` Thomas Petazzoni
@ 2017-01-05 18:11     ` Bryce Ferguson
  1 sibling, 0 replies; 24+ messages in thread
From: Bryce Ferguson @ 2017-01-05 18:11 UTC (permalink / raw)
  To: buildroot

Hello,

On Mon, Dec 12, 2016 at 4:21 PM, Thomas Petazzoni
<thomas.petazzoni@free-electrons.com> wrote:
>
> Hello,
>
> On Tue, 25 Oct 2016 14:26:04 -0500, Bryce Ferguson wrote:
> > From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> >
> > The patch is for adding selinux reference policy (refpolicy).
> > It is a complete SELinux policy that can be used as the system policy
> > for a variety of systems and used as the basis for creating other policies.
> >
> > Changes were made to this patch in between versions 12 and 13 for which
> > the change history can be found here: https://patchwork.ozlabs.org/patch/649175/
> >
> > Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> > Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
> > Reviewed-by: Samuel Martin <s.martin49@gmail.com>
> > Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>
> > Signed-off-by: David Graziano <david.graziano@rockwellcollins.com>
> > Signed-off-by: Bryce Ferguson <bryce.ferguson@rockwellcollins.com>
>
> This patch/commit is too complicated / too long. Please try to split it
> into smaller chunks by only introducing the very mandatory
> functionality first, and progressively add more capabilities.
>
> It also has a number of issues. See below for the details.

I have split this commit into three which should replace this one.  In these
commits, I have also addressed your comments.

>
> > diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
> > new file mode 100644
> > index 0000000..5a46829
> > --- /dev/null
> > +++ b/package/refpolicy/Config.in
> > @@ -0,0 +1,146 @@
> > +config BR2_PACKAGE_REFPOLICY
> > +     bool "refpolicy"
> > +     select BR2_PACKAGE_POLICYCOREUTILS
> > +     select BR2_PACKAGE_BUSYBOX_SELINUX if BR2_PACKAGE_BUSYBOX
> > +     depends on BR2_TOOLCHAIN_HAS_THREADS # policycoreutils
> > +     depends on BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL #
policycoreutils
>
> This does not properly account for the dependencies of policycoreutils
> and SELinux support in Busybox, which are:
>
>         depends on BR2_PACKAGE_AUDIT_ARCH_SUPPORTS # libsemanage
>         depends on BR2_TOOLCHAIN_HAS_THREADS # libsemanage
>         depends on !BR2_STATIC_LIBS #libsemanage
>         depends on !BR2_arc # libsemanage
>         depends on BR2_TOOLCHAIN_USES_GLIBC # libsemanage
>

Fixed in new set of commits.

> > +comment "refpolicy needs a toolchain w/ threads, glibc or musl"
> > +     depends on !BR2_TOOLCHAIN_HAS_THREADS \
> > +             || !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL)
>
> So this comment needs fixing. It should be:
>
> comment "refpolicy needs a glibc toolchain w/ thread, dynamic library"
>         depends on !BR2_arc
>         depends on BR2_PACKAGE_AUDIT_ARCH_SUPPORTS
>         depends on BR2_STATIC_LIBS || !BR2_TOOLCHAIN_HAS_THREADS || \
>                 !BR2_TOOLCHAIN_USES_GLIBC
>

Fixed in new set of commits.

> > +if BR2_PACKAGE_REFPOLICY
> > +
> > +choice
> > +prompt "SELinux policy type"
> > +default BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
> > +
> > +config BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
> > +bool "Standard"
> > +help
> > +Standard SELinux policy
>
> What is a "Standard SELinux policy" ?
>

The "Standard SELinux policy" is type enforcement only.  I have specified
that in the new set of commits.

> > +
> > +config BR2_PACKAGE_REFPOLICY_TYPE_MCS
> > +bool "MCS"
> > +help
> > +SELinux policy with multi-catagory support
>
> Typo: category
>

Fixed typos in new set of commits.

> > +
> > +config BR2_PACKAGE_REFPOLICY_TYPE_MLS
> > +bool "MLS"
> > +help
> > +SELinux policy with multi-catagory and multi-level support
>
> Typo: category
>
> > +endchoice
>
> The indentation of the choice is all wrong. It should be like this:
>
> choice
>         prompt "SELinux policy type"
>         default BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
>
> config BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
>         bool "Standard"
>         help
>           ....
>
> config ...
>         bool ...
>         help
>           ....
>
> endchoice

Fixed indentation in new set of commits.

> > +config BR2_PACKAGE_REFPOLICY_NAME
> > +     string "Custom policy Name"
> > +     default "Buildroot"
>
> Is it really useful to be able to customize this? I guess it can be
> dropped in a first iteration.
>

Dropped in new set of commits.

> > +config BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
> > +     bool "Custom Git repository"
> > +     select BR2_PACKAGE_REFPOLICY_CONTRIB
>
> This package no longer exists, and you're actually fetching it from the
> refpolicy Git repo through the submodule if I understand correctly.

Yes, refpolicy uses the git submodule.  This has been removed in the new set
of commits.

> Same for this functionality: separate patch. I'm also not sure to
> understand why we would want this exactly. What does this repository
> typically contains? Can you show the layout of what it contains, so we
> can understand what it's like?

The custom git repository stuff was an artifact of an outdated method we
were using.  I have removed it in the new set of commits.

> > diff --git a/package/refpolicy/booleans.conf
b/package/refpolicy/booleans.conf
> > new file mode 100644
> > index 0000000..31c70b9
> > --- /dev/null
> > +++ b/package/refpolicy/booleans.conf
>
> How was this file generated?

Refpolicy generates modules.conf and booleans.conf as part of the build.
The files here are taken from the build and pared down to a minimal amount
of functionality to cut down on build times.  Each of them I have added as
a separate commit to keep the patch sizes down.

> > diff --git a/package/refpolicy/modules.conf b/package/refpolicy/
modules.conf
> > new file mode 100644
> > index 0000000..2304dc4
> > --- /dev/null
> > +++ b/package/refpolicy/modules.conf
>
> How was this file generated? Do we need to keep it inside Buildroot?

See comment above.

> > +
> > +# Passing the HOST_CONFIGURE_OPTS to the target build because all of
the
> > +# build utilities are expected to be on system. This fools the make
files
> > +# into using the host built utilities to compile the SELinux policy for
> > +# the target.
> > +#
> > +# Note, the TEST_TOOLCHAIN option will also set the
> > +# LD_LIBRARY_PATH at run time.
> > +REFPOLICY_MAKE_OPTS = $(HOST_CONFIGURE_OPTS) \
> > +     TEST_TOOLCHAIN="$(HOST_DIR)"
>
> That's really weird, and makes me wonder if we shouldn't have a
> host-refpolicy package to build whatever host tool is needed, and a
> refpolicy target package to actually build/install the policy on the
> target.
>

We tracked this problem down and it ended up being one support tool that
wasn't building correctly.  The reason it previously worked was because
refpolicy doesn't build C applications or binaries.  It uses python to build
bytecode binary files for the policy.  A fix has been added for this in the
new set of patches.

> > +
> > +     $(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) conf \
> > +             $(REFPOLICY_MAKE_OPTS) DESTDIR=$(STAGING_DIR)
> > +     if [ -f $(@D)/modules.conf.bk ]; then \
> > +             echo "[Preserved modules.conf]" ; \
> > +             mv $(@D)/modules.conf.bk $(@D)/policy/modules.conf ; \
> > +     fi
>
> Not clear at all why we need this modules.conf.bk dance. Since it's
> only for "an external repo", can we get rid of this for now, or at
> least have it as part of a subsequent patch.

This was another artifact from an internal build process and has been
removed in the new set of patches.

> > +
> > +define REFPOLICY_INSTALL_INIT_SYSV
> > +     $(INSTALL) -m 0755 -D package/refpolicy/S00selinux \
> > +             $(TARGET_DIR)/etc/init.d/S00selinux
> > +endef
> > +
> > +ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)
> > +$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(BR
2_PACKAGE_REFPOLICY_NAME)/policy
> > +$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(BR
2_PACKAGE_REFPOLICY_NAME)/modules/active/modules
> > +$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(BR
2_PACKAGE_REFPOLICY_NAME)/contexts/files
> > +touch $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/cont
exts/files/file_contexts.local
>
> This definitely cannot work at all, it's not part of any command.
> Building a modular policy should only be added in a follow-up patch, to
> keep the initial patch simpler.
>

I have removed the modular policy option in the new set of patches.

> Thanks!
>
> Thomas
> --
> Thomas Petazzoni, CTO, Free Electrons
> Embedded Linux and Kernel engineering
> http://free-electrons.com


Thank you so much for the feedback!

-- 


Bryce Ferguson
Software Engineer
Airborne Information Solutions \ Secure Platforms

400 Collins Rd NE Cedar Rapids, Iowa 52498

Bryce.Ferguson at rockwellcollins.com

* [Buildroot] [PATCH 1/2] linux-pam: adjust login pam file for SELinux
  2016-12-06 20:27   ` [Buildroot] [PATCH 1/2] linux-pam: adjust login pam file for SELinux Thomas Petazzoni
  2016-12-06 20:27     ` [Buildroot] [PATCH 2/2] util-linux: add selinux support Thomas Petazzoni
  2016-12-22 16:25     ` [Buildroot] [PATCH 1/2] linux-pam: adjust login pam file for SELinux Bryce Ferguson
@ 2017-01-25 10:06     ` Thomas Petazzoni
  2 siblings, 0 replies; 24+ messages in thread
From: Thomas Petazzoni @ 2017-01-25 10:06 UTC (permalink / raw)
  To: buildroot

Hello,

On Tue,  6 Dec 2016 21:27:03 +0100, Thomas Petazzoni wrote:
> When SELinux support is enabled, the login pam file installed by
> linux-pam should be adjusted to use the pam_selinux.so module.
> 
> To achieve this in a reasonably simple manner, we introduce the SELinux
> related lines in login.pam as comments, and if SELinux support is
> enabled, turn those commented lines into real lines.
> 
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
> ---
>  package/linux-pam/linux-pam.mk | 5 +++++
>  package/linux-pam/login.pam    | 2 ++
>  2 files changed, 7 insertions(+)

I've applied both patches. They have been tested by Bryce, and nobody
objected to the approach.

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com


* [Buildroot] [PATCH v13 4/8] util-linux: selinux, audit, and pam support
  2016-10-25 19:26 ` [Buildroot] [PATCH v13 4/8] util-linux: selinux, audit, and pam support Bryce Ferguson
  2016-10-26  6:02   ` Rahul Bedarkar
  2016-12-06 20:25   ` Thomas Petazzoni
@ 2017-03-10 21:59   ` Thomas Petazzoni
  2 siblings, 0 replies; 24+ messages in thread
From: Thomas Petazzoni @ 2017-03-10 21:59 UTC (permalink / raw)
  To: buildroot

Hello,

On Tue, 25 Oct 2016 14:26:06 -0500, Bryce Ferguson wrote:
> From: Matt Weber <matthew.weber@rockwellcollins.com>
> 
> This patch adds optional libselinux, audit and pam support to linux utilities.
> 
> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
> Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> Reviewed-by: Samuel Martin <s.martin49@gmail.com>
> Signed-off-by: Niranjan Reddy <niranjan.reddy@rockwellcollins.com>

Instead of this patch, we have applied commit
373b7efdb308fcb7607cbef63ee4d2644b46136f, which serves the same
purpose. So I've marked this patch as Rejected in patchwork.

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com

