* [Buildroot] [PATCH 1/5] package/refpolicy: remove dependency on policycoreutils
@ 2020-02-03 13:29 Adam Duskett
  2020-02-03 13:29 ` [Buildroot] [PATCH 2/5] package/refpolicy: bump version to 2.20190609 Adam Duskett
                   ` (5 more replies)
  0 siblings, 6 replies; 11+ messages in thread
From: Adam Duskett @ 2020-02-03 13:29 UTC (permalink / raw)
  To: buildroot

Only host-policycoreutils is needed to build refpolicy. Remove the unneeded
target package.

Signed-off-by: Adam Duskett <aduskett@gmail.com>
---
 package/refpolicy/Config.in    | 8 --------
 package/refpolicy/refpolicy.mk | 3 +--
 2 files changed, 1 insertion(+), 10 deletions(-)

diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
index e775865317..d9cf6e6531 100644
--- a/package/refpolicy/Config.in
+++ b/package/refpolicy/Config.in
@@ -1,9 +1,5 @@
 config BR2_PACKAGE_REFPOLICY
 	bool "refpolicy"
-	depends on BR2_TOOLCHAIN_HAS_THREADS # policycoreutils
-	depends on BR2_PACKAGE_AUDIT_ARCH_SUPPORTS # policycoreutils
-	depends on !BR2_STATIC_LIBS # policycoreutils
-	select BR2_PACKAGE_POLICYCOREUTILS
 	select BR2_PACKAGE_BUSYBOX_SELINUX if BR2_PACKAGE_BUSYBOX
 	help
 	  The SELinux Reference Policy project (refpolicy) is a
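
Review bot: The kept line 'select BR2_PACKAGE_BUSYBOX_SELINUX if BR2_PACKAGE_BUSYBOX' in package/refpolicy/Config.in now sits under a symbol with no 'depends on' at all, because the threads, audit-arch and !BR2_STATIC_LIBS conditions are removed together with the policycoreutils select. A select forces its target on without pulling in that target's own dependencies, so check whether BR2_PACKAGE_BUSYBOX_SELINUX, or anything it selects in turn, needs a threaded or dynamically linked toolchain. If it does, keep the matching 'depends on' lines with an updated trailing comment, or drop this select. The 18:46 reply further down this thread reports a build failure from exactly this.
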
@@ -26,10 +22,6 @@ config BR2_PACKAGE_REFPOLICY
 
 	  https://github.com/TresysTechnology/refpolicy
 
-comment "refpolicy needs a toolchain w/ threads, dynamic library"
-	depends on BR2_PACKAGE_AUDIT_ARCH_SUPPORTS
-	depends on BR2_STATIC_LIBS || !BR2_TOOLCHAIN_HAS_THREADS
-
 if BR2_PACKAGE_REFPOLICY
 
 config BR2_PACKAGE_REFPOLICY_POLICY_VERSION
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
index 1c3b1bc541..66bddd1aee 100644
--- a/package/refpolicy/refpolicy.mk
+++ b/package/refpolicy/refpolicy.mk
@@ -15,8 +15,7 @@ REFPOLICY_DEPENDENCIES = \
 	host-checkpolicy \
 	host-policycoreutils \
 	host-setools \
-	host-gawk \
-	policycoreutils
+	host-gawk
 
 ifeq ($(BR2_PACKAGE_PYTHON3),y)
 REFPOLICY_DEPENDENCIES += host-python3
-- 
2.24.1


* [Buildroot] [PATCH 2/5] package/refpolicy: bump version to 2.20190609
  2020-02-03 13:29 [Buildroot] [PATCH 1/5] package/refpolicy: remove dependency on policycoreutils Adam Duskett
@ 2020-02-03 13:29 ` Adam Duskett
  2020-02-03 14:59   ` Thomas Petazzoni
  2020-02-03 13:29 ` [Buildroot] [PATCH 3/5] Move refpolicy policy version selection to libsepol Adam Duskett
                   ` (4 subsequent siblings)
  5 siblings, 1 reply; 11+ messages in thread
From: Adam Duskett @ 2020-02-03 13:29 UTC (permalink / raw)
  To: buildroot

Other changes:
  - Depend on host-python3, as python2 support was removed.

Signed-off-by: Adam Duskett <aduskett@gmail.com>
---
 package/refpolicy/refpolicy.hash |  2 +-
 package/refpolicy/refpolicy.mk   | 13 ++++---------
 2 files changed, 5 insertions(+), 10 deletions(-)

diff --git a/package/refpolicy/refpolicy.hash b/package/refpolicy/refpolicy.hash
index 856d8cb8a2..0c77b626cc 100644
--- a/package/refpolicy/refpolicy.hash
+++ b/package/refpolicy/refpolicy.hash
@@ -1,5 +1,5 @@
 # From https://github.com/SELinuxProject/refpolicy/releases
-sha256 ed620dc91c4e09eee6271b373f7c61a364a82ea57bd2dc86ca1f7075304e2843  refpolicy-2.20190201.tar.bz2
+sha256 67bd1213e9d014ada15512028bb7f35ef6610c2d209cc5117b8577474aa6147f  refpolicy-2.20190609.tar.bz2
 
 # Locally computed
 sha256 204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994 COPYING
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
index 66bddd1aee..d13be18f73 100644
--- a/package/refpolicy/refpolicy.mk
+++ b/package/refpolicy/refpolicy.mk
@@ -4,9 +4,9 @@
 #
 ################################################################################
 
-REFPOLICY_VERSION = 2.20190201
+REFPOLICY_VERSION = 2.20190609
 REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2
-REFPOLICY_SITE = https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20190201
+REFPOLICY_SITE = https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20190609
 REFPOLICY_LICENSE = GPL-2.0
 REFPOLICY_LICENSE_FILES = COPYING
 REFPOLICY_INSTALL_STAGING = YES
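
Review bot: REFPOLICY_SITE repeats the release number as the literal RELEASE_2_20190609, so every bump has to edit the version in two places and a missed edit leaves REFPOLICY_VERSION and the download directory out of step. Consider deriving the tag from the variable, for example RELEASE_$(subst .,_,$(REFPOLICY_VERSION)), so that only REFPOLICY_VERSION changes on the next bump.
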
@@ -14,18 +14,13 @@ REFPOLICY_DEPENDENCIES = \
 	host-m4 \
 	host-checkpolicy \
 	host-policycoreutils \
+	host-python3 \
 	host-setools \
 	host-gawk
 
-ifeq ($(BR2_PACKAGE_PYTHON3),y)
-REFPOLICY_DEPENDENCIES += host-python3
-else
-REFPOLICY_DEPENDENCIES += host-python
-endif
-
 # Cannot use multiple threads to build the reference policy
 REFPOLICY_MAKE = \
-	PYTHON=$(HOST_DIR)/usr/bin/python \
+	PYTHON=$(HOST_DIR)/usr/bin/python3 \
 	TEST_TOOLCHAIN=$(HOST_DIR) \
 	$(TARGET_MAKE_ENV) \
 	$(MAKE1)
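
Review bot: The commit log does not say where python2 support was removed, yet this hunk drops the 'ifeq ($(BR2_PACKAGE_PYTHON3),y)' fallback entirely and makes host-python3 an unconditional dependency. State in the log whether the removal is in upstream refpolicy as of this release, so the change reads as required by the bump rather than as an unrelated cleanup, or split it into its own patch.
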
-- 
2.24.1


* [Buildroot] [PATCH 3/5] Move refpolicy policy version selection to libsepol
  2020-02-03 13:29 [Buildroot] [PATCH 1/5] package/refpolicy: remove dependency on policycoreutils Adam Duskett
  2020-02-03 13:29 ` [Buildroot] [PATCH 2/5] package/refpolicy: bump version to 2.20190609 Adam Duskett
@ 2020-02-03 13:29 ` Adam Duskett
  2020-02-03 18:51   ` Thomas Petazzoni
  2020-02-03 13:29 ` [Buildroot] [PATCH 4/5] package/libsepol: change policy version to an int Adam Duskett
                   ` (3 subsequent siblings)
  5 siblings, 1 reply; 11+ messages in thread
From: Adam Duskett @ 2020-02-03 13:29 UTC (permalink / raw)
  To: buildroot

Currently, a user sets a policy version via the refpolicy package.
Having the option here has a few disadvantages:

  - The Refpolicy package is not technically needed to use SELinux.
  - When building a modular policy, Refpolicy will ignore the version string
    and build the highest version possible which will cause libsemanage to
    possibly fail when loading the policy.

Specifying a manual policy version in /etc/selinux/semanage.conf forces
libsemanage to load a specific policy version, which fixes the above issue.
However, because refpolicy currently defines the policy version, libsemanage
does not have a way to determine the policy version, as refpolicy is not a
dependency of libsemanage.

To work around these limitations, move the policy version number
selection to libsepol, as a system using SELinux always requires this library.

Signed-off-by: Adam Duskett <aduskett@gmail.com>
---
 Config.in.legacy               |  6 ++++++
 package/libsepol/Config.in     |  7 +++++++
 package/refpolicy/Config.in    | 11 +++++++----
 package/refpolicy/refpolicy.mk |  5 +++--
 4 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/Config.in.legacy b/Config.in.legacy
index 4b84116e0c..3bddca9be0 100644
--- a/Config.in.legacy
+++ b/Config.in.legacy
@@ -146,6 +146,12 @@ endif
 
 comment "Legacy options removed in 2020.02"
 
+config BR2_PACKAGE_REFPOLICY_POLICY_VERSION
+	bool "refpolicy version selection moved to libsepol"
+	select BR2_LEGACY
+	help
+	  The policy version selection was moved to libsepol
+
 config BR2_PACKAGE_CELT051
 	bool "celt051 package was removed"
 	select BR2_LEGACY
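
Review bot: The legacy entry for BR2_PACKAGE_REFPOLICY_POLICY_VERSION is declared bool, but the option this patch removes from package/refpolicy/Config.in is 'string "Policy version"', so a value set in an existing configuration is not carried over to the new symbol. Use the legacy-handling form meant for string options (the 18:51 reply in this thread points to the header of Config.in.legacy for it), and name BR2_PACKAGE_LIBSEPOL_POLICY_VERSION in the help text so users can find the replacement.
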
diff --git a/package/libsepol/Config.in b/package/libsepol/Config.in
index cfa923e452..4453e298a6 100644
--- a/package/libsepol/Config.in
+++ b/package/libsepol/Config.in
@@ -7,5 +7,12 @@ config BR2_PACKAGE_LIBSEPOL
 
 	  http://selinuxproject.org/page/Main_Page
 
+if BR2_PACKAGE_LIBSEPOL
+
+config BR2_PACKAGE_LIBSEPOL_POLICY_VERSION
+	string "Policy version"
+	default "30"
+endif
+
 comment "libsepol needs a toolchain w/ threads"
 	depends on !BR2_TOOLCHAIN_HAS_THREADS
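
Review bot: The new BR2_PACKAGE_LIBSEPOL_POLICY_VERSION entry has a prompt and a default but no help text, and its 'endif' follows the 'default "30"' line with no blank line in between. Add a help paragraph saying that this is the policy version that gets built and that it must not be newer than what the target kernel can load, and separate the endif with a blank line as is done after the 'if BR2_PACKAGE_LIBSEPOL' line.
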
diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
index d9cf6e6531..ecb662600d 100644
--- a/package/refpolicy/Config.in
+++ b/package/refpolicy/Config.in
@@ -1,6 +1,10 @@
 config BR2_PACKAGE_REFPOLICY
 	bool "refpolicy"
+	depends on BR2_TOOLCHAIN_HAS_THREADS # libsepol
 	select BR2_PACKAGE_BUSYBOX_SELINUX if BR2_PACKAGE_BUSYBOX
+	# Even though libsepol is not necessary for building, we get the policy
+	# version from libsepol
+	select BR2_PACKAGE_LIBSEPOL
 	help
 	  The SELinux Reference Policy project (refpolicy) is a
 	  complete SELinux policy that can be used as the system
@@ -24,10 +28,6 @@ config BR2_PACKAGE_REFPOLICY
 
 if BR2_PACKAGE_REFPOLICY
 
-config BR2_PACKAGE_REFPOLICY_POLICY_VERSION
-	string "Policy version"
-	default "30"
-
 choice
 	prompt "SELinux default state"
 	default BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
@@ -55,3 +55,6 @@ config BR2_PACKAGE_REFPOLICY_POLICY_STATE
 	default "disabled" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_DISABLED
 
 endif
+
+comment "refpolicy needs a toolchain w/ threads"
+	depends on !BR2_TOOLCHAIN_HAS_THREADS
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
index d13be18f73..001519f8cd 100644
--- a/package/refpolicy/refpolicy.mk
+++ b/package/refpolicy/refpolicy.mk
@@ -16,7 +16,8 @@ REFPOLICY_DEPENDENCIES = \
 	host-policycoreutils \
 	host-python3 \
 	host-setools \
-	host-gawk
+	host-gawk \
+	libsepol
 
 # Cannot use multiple threads to build the reference policy
 REFPOLICY_MAKE = \
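
Review bot: Adding libsepol to REFPOLICY_DEPENDENCIES contradicts the comment this same patch puts in package/refpolicy/Config.in, which says libsepol is not necessary for building. The policy version is read from the Kconfig symbol, and 'select BR2_PACKAGE_LIBSEPOL' already guarantees that symbol is defined, so the build-order dependency can be left out.
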
@@ -26,7 +27,7 @@ REFPOLICY_MAKE = \
 	$(MAKE1)
 
 REFPOLICY_POLICY_VERSION = \
-	$(call qstrip,$(BR2_PACKAGE_REFPOLICY_POLICY_VERSION))
+	$(call qstrip,$(BR2_PACKAGE_LIBSEPOL_POLICY_VERSION))
 REFPOLICY_POLICY_STATE = \
 	$(call qstrip,$(BR2_PACKAGE_REFPOLICY_POLICY_STATE))
 
-- 
2.24.1


* [Buildroot] [PATCH 4/5] package/libsepol: change policy version to an int
  2020-02-03 13:29 [Buildroot] [PATCH 1/5] package/refpolicy: remove dependency on policycoreutils Adam Duskett
  2020-02-03 13:29 ` [Buildroot] [PATCH 2/5] package/refpolicy: bump version to 2.20190609 Adam Duskett
  2020-02-03 13:29 ` [Buildroot] [PATCH 3/5] Move refpolicy policy version selection to libsepol Adam Duskett
@ 2020-02-03 13:29 ` Adam Duskett
  2020-02-03 18:51   ` Thomas Petazzoni
  2020-02-03 13:29 ` [Buildroot] [PATCH 5/5] package/libsepol: set default policy version Adam Duskett
                   ` (2 subsequent siblings)
  5 siblings, 1 reply; 11+ messages in thread
From: Adam Duskett @ 2020-02-03 13:29 UTC (permalink / raw)
  To: buildroot

The policy version has to be a number; as such, set the type to int.

Signed-off-by: Adam Duskett <aduskett@gmail.com>
---
 package/libsepol/Config.in     | 4 ++--
 package/refpolicy/refpolicy.mk | 3 +--
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/package/libsepol/Config.in b/package/libsepol/Config.in
index 4453e298a6..aac31c21b8 100644
--- a/package/libsepol/Config.in
+++ b/package/libsepol/Config.in
@@ -10,8 +10,8 @@ config BR2_PACKAGE_LIBSEPOL
 if BR2_PACKAGE_LIBSEPOL
 
 config BR2_PACKAGE_LIBSEPOL_POLICY_VERSION
-	string "Policy version"
-	default "30"
+	int "Policy version"
+	default 30
 endif
 
 comment "libsepol needs a toolchain w/ threads"
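
Review bot: With the type changed to int, BR2_PACKAGE_LIBSEPOL_POLICY_VERSION accepts any integer and still carries no help text. Consider adding a 'range' statement that bounds the value to the policy versions that actually exist, plus a short help paragraph, since an unsupported value is otherwise noticed only when the policy fails to load. As the string type was introduced one patch earlier in this series, this change could also be folded into that patch.
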
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
index 001519f8cd..05c1bf270d 100644
--- a/package/refpolicy/refpolicy.mk
+++ b/package/refpolicy/refpolicy.mk
@@ -26,8 +26,7 @@ REFPOLICY_MAKE = \
 	$(TARGET_MAKE_ENV) \
 	$(MAKE1)
 
-REFPOLICY_POLICY_VERSION = \
-	$(call qstrip,$(BR2_PACKAGE_LIBSEPOL_POLICY_VERSION))
+REFPOLICY_POLICY_VERSION = $(BR2_PACKAGE_LIBSEPOL_POLICY_VERSION)
 REFPOLICY_POLICY_STATE = \
 	$(call qstrip,$(BR2_PACKAGE_REFPOLICY_POLICY_STATE))
 
-- 
2.24.1


* [Buildroot] [PATCH 5/5] package/libsepol: set default policy version
  2020-02-03 13:29 [Buildroot] [PATCH 1/5] package/refpolicy: remove dependency on policycoreutils Adam Duskett
                   ` (2 preceding siblings ...)
  2020-02-03 13:29 ` [Buildroot] [PATCH 4/5] package/libsepol: change policy version to an int Adam Duskett
@ 2020-02-03 13:29 ` Adam Duskett
  2020-02-03 18:52   ` Thomas Petazzoni
  2020-02-03 14:59 ` [Buildroot] [PATCH 1/5] package/refpolicy: remove dependency on policycoreutils Thomas Petazzoni
  2020-02-03 18:46 ` Thomas Petazzoni
  5 siblings, 1 reply; 11+ messages in thread
From: Adam Duskett @ 2020-02-03 13:29 UTC (permalink / raw)
  To: buildroot

If a policy is built that is newer than the kernel can support,
libsepol will fail to load that policy.

Indeed, a user can manually select the policy version in the config
as-is. However, it is not a friendly solution. The best solution available
is to set a default policy version based off of the toolchain header kernel
version. While a user may have a toolchain that has older kernel headers than
the built kernel, it is still better than setting the default to the maximum
available version that SELinux can support.

The default policy versions are as follows for the given toolchain
headers:

31 >= 4.13
30 >= 4.3
29 >= 3.14
28 >= 3.5
26 >= 2.6
default 25

Note: Version 27 was never released.

Signed-off-by: Adam Duskett <aduskett@gmail.com>
---
 package/libsepol/Config.in | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/package/libsepol/Config.in b/package/libsepol/Config.in
index aac31c21b8..4e2a145011 100644
--- a/package/libsepol/Config.in
+++ b/package/libsepol/Config.in
@@ -11,7 +11,24 @@ if BR2_PACKAGE_LIBSEPOL
 
 config BR2_PACKAGE_LIBSEPOL_POLICY_VERSION
 	int "Policy version"
-	default 30
+	default 31 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_13
+	default 30 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_3
+	default 29 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_14
+	default 28 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_5
+	default 26 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_2_6
+	default 25
+	help
+	  The maximum SELinux policy version your kernel supports.
+
+	  Here's a handy table to help you choose:
+	  kernel version   SElinux policy max version
+	  <= 2.6.x         25
+	  > 2.6 <= 3.5     26
+	  > 3.5 <= 3.14    28 (27 and 28 were added@the same time)
+	  > 3.14 <= 4.3    29
+	  > 4.3 <= 4.13    30
+	  > 4.13 <= 5.5    31
+
 endif
 
 comment "libsepol needs a toolchain w/ threads"
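
Review bot: The help table's boundaries do not match the 'default' lines above it: 'default 31 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_13' gives 31 for headers 4.13 and up, while the table row '> 4.3 <= 4.13' puts 4.13 itself at 30, and the same off-by-one applies at 4.3, 3.14, 3.5 and 2.6. Rewrite the rows as '>=' lower bounds to match the commit log ('31 >= 4.13'), drop the '<= 5.5' upper bound on the last row, and reconcile the parenthetical on the 28 row with the log's statement that version 27 was never released. The help should also say that the default follows the toolchain headers rather than the kernel actually built, as the log concedes.
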
-- 
2.24.1


* [Buildroot] [PATCH 1/5] package/refpolicy: remove dependency on policycoreutils
  2020-02-03 13:29 [Buildroot] [PATCH 1/5] package/refpolicy: remove dependency on policycoreutils Adam Duskett
                   ` (3 preceding siblings ...)
  2020-02-03 13:29 ` [Buildroot] [PATCH 5/5] package/libsepol: set default policy version Adam Duskett
@ 2020-02-03 14:59 ` Thomas Petazzoni
  2020-02-03 18:46 ` Thomas Petazzoni
  5 siblings, 0 replies; 11+ messages in thread
From: Thomas Petazzoni @ 2020-02-03 14:59 UTC (permalink / raw)
  To: buildroot

On Mon,  3 Feb 2020 05:29:47 -0800
Adam Duskett <aduskett@gmail.com> wrote:

> Only host-policycoreutils is needed to build refpolicy. Remove the unneeded
> target package.
> 
> Signed-off-by: Adam Duskett <aduskett@gmail.com>
> ---
>  package/refpolicy/Config.in    | 8 --------
>  package/refpolicy/refpolicy.mk | 3 +--
>  2 files changed, 1 insertion(+), 10 deletions(-)

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH 2/5] package/refpolicy: bump version to 2.20190609
  2020-02-03 13:29 ` [Buildroot] [PATCH 2/5] package/refpolicy: bump version to 2.20190609 Adam Duskett
@ 2020-02-03 14:59   ` Thomas Petazzoni
  0 siblings, 0 replies; 11+ messages in thread
From: Thomas Petazzoni @ 2020-02-03 14:59 UTC (permalink / raw)
  To: buildroot

On Mon,  3 Feb 2020 05:29:48 -0800
Adam Duskett <aduskett@gmail.com> wrote:

> Other changes:
>   - Depend on host-python3, as python2 support was removed.
> 
> Signed-off-by: Adam Duskett <aduskett@gmail.com>
> ---
>  package/refpolicy/refpolicy.hash |  2 +-
>  package/refpolicy/refpolicy.mk   | 13 ++++---------
>  2 files changed, 5 insertions(+), 10 deletions(-)

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH 1/5] package/refpolicy: remove dependency on policycoreutils
  2020-02-03 13:29 [Buildroot] [PATCH 1/5] package/refpolicy: remove dependency on policycoreutils Adam Duskett
                   ` (4 preceding siblings ...)
  2020-02-03 14:59 ` [Buildroot] [PATCH 1/5] package/refpolicy: remove dependency on policycoreutils Thomas Petazzoni
@ 2020-02-03 18:46 ` Thomas Petazzoni
  5 siblings, 0 replies; 11+ messages in thread
From: Thomas Petazzoni @ 2020-02-03 18:46 UTC (permalink / raw)
  To: buildroot

On Mon,  3 Feb 2020 05:29:47 -0800
Adam Duskett <aduskett@gmail.com> wrote:

> Only host-policycoreutils is needed to build refpolicy. Remove the unneeded
> target package.
> 
> Signed-off-by: Adam Duskett <aduskett@gmail.com>

So, this commit had the side effect of causing a build issue:

  http://autobuild.buildroot.net/results/5d8/5d8fda7c488a03c14942d87467d501acd633d24a/build-end.log

this is due to policycoreutils selecting BR2_PACKAGE_BUSYBOX_SELINUX
when BR2_PACKAGE_BUSYBOX, which in turn causes busybox to select
BR2_PACKAGE_LIBSELINUX and depend on it from a makefile point of view.
But since we dropped the "depends on" of policycoreutils, we now
violate the "depends on" of libselinux.

However, it probably isn't the best idea to have refpolicy take care of
forcing Busybox's SELinux support, so I've committed a change to
Busybox that makes it enable by default its SELinux support when
libselinux is enabled:

  https://git.buildroot.org/buildroot/commit/?id=bc2e241bce5c1f70e93d22aceee180ee26db0e77

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH 3/5] Move refpolicy policy version selection to libsepol
  2020-02-03 13:29 ` [Buildroot] [PATCH 3/5] Move refpolicy policy version selection to libsepol Adam Duskett
@ 2020-02-03 18:51   ` Thomas Petazzoni
  0 siblings, 0 replies; 11+ messages in thread
From: Thomas Petazzoni @ 2020-02-03 18:51 UTC (permalink / raw)
  To: buildroot

Hello,

I improved the commit title to fit our standard format. And also other
changes, see below.

On Mon,  3 Feb 2020 05:29:49 -0800
Adam Duskett <aduskett@gmail.com> wrote:

> +config BR2_PACKAGE_REFPOLICY_POLICY_VERSION
> +	bool "refpolicy version selection moved to libsepol"
> +	select BR2_LEGACY

This is not the correct way of doing legacy handling for string
options. See the header of Config.in.legacy for details. I fixed that
up.

> diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
> index d13be18f73..001519f8cd 100644
> --- a/package/refpolicy/refpolicy.mk
> +++ b/package/refpolicy/refpolicy.mk
> @@ -16,7 +16,8 @@ REFPOLICY_DEPENDENCIES = \
>  	host-policycoreutils \
>  	host-python3 \
>  	host-setools \
> -	host-gawk
> +	host-gawk \
> +	libsepol

We don't need libsepol as a build time dependency, so I dropped this.

Applied with the above things changed. Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH 4/5] package/libsepol: change policy version to an int
  2020-02-03 13:29 ` [Buildroot] [PATCH 4/5] package/libsepol: change policy version to an int Adam Duskett
@ 2020-02-03 18:51   ` Thomas Petazzoni
  0 siblings, 0 replies; 11+ messages in thread
From: Thomas Petazzoni @ 2020-02-03 18:51 UTC (permalink / raw)
  To: buildroot

On Mon,  3 Feb 2020 05:29:50 -0800
Adam Duskett <aduskett@gmail.com> wrote:

> The policy version has to be a number; as such, set the type to int.
> 
> Signed-off-by: Adam Duskett <aduskett@gmail.com>
> ---
>  package/libsepol/Config.in     | 4 ++--
>  package/refpolicy/refpolicy.mk | 3 +--
>  2 files changed, 3 insertions(+), 4 deletions(-)

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH 5/5] package/libsepol: set default policy version
  2020-02-03 13:29 ` [Buildroot] [PATCH 5/5] package/libsepol: set default policy version Adam Duskett
@ 2020-02-03 18:52   ` Thomas Petazzoni
  0 siblings, 0 replies; 11+ messages in thread
From: Thomas Petazzoni @ 2020-02-03 18:52 UTC (permalink / raw)
  To: buildroot

On Mon,  3 Feb 2020 05:29:51 -0800
Adam Duskett <aduskett@gmail.com> wrote:

>  config BR2_PACKAGE_LIBSEPOL_POLICY_VERSION
>  	int "Policy version"
> -	default 30
> +	default 31 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_13
> +	default 30 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_4_3
> +	default 29 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_14
> +	default 28 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_5
> +	default 26 if BR2_TOOLCHAIN_HEADERS_AT_LEAST_2_6
> +	default 25
> +	help
> +	  The maximum SELinux policy version your kernel supports.
> +
> +	  Here's a handy table to help you choose:
> +	  kernel version   SElinux policy max version
> +	  <= 2.6.x         25
> +	  > 2.6 <= 3.5     26
> +	  > 3.5 <= 3.14    28 (27 and 28 were added@the same time)
> +	  > 3.14 <= 4.3    29
> +	  > 4.3 <= 4.13    30
> +	  > 4.13 <= 5.5    31

The <= 5.5 didn't make much sense here. As of now, 31 is the policy
version of anything > 4.13, which includes kernels also above 5.5. We
can update that when version 32 starts to be used.

I've fixed that when applying. Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

