* [Buildroot] [PATCH 00/15] Improve SELinux support
@ 2020-07-31 10:10 Antoine Tenart
  2020-07-31 10:10 ` [Buildroot] [PATCH 01/15] package/e2fsprogs: set xattrs for the root dir as well Antoine Tenart
From: Antoine Tenart @ 2020-07-31 10:10 UTC (permalink / raw)
  To: buildroot

Hi all,

This series aims at providing proper SELinux support in Buildroot. Some
of the building blocks were available, such as packages for refpolicy,
policycoreutils or libselinux; but getting to a point where a generated
image could be used with a loaded SELinux policy was not
straightforward. The series also adds support for customizing the
SELinux policy through various ways.

The first missing block was the ability to generate an SELinux-ready
image. SELinux depends on files' extended attributes, set based on the
policy. Those attributes could be set from within a running system with
the restorecon utility but that meant we had to special case the first
boot. That also prevented building an image with SELinux in enforcing
mode, as the first boot would have failed. This is fixed by setting and
copying files' extended attributes when generating filesystem images.
See patches 1 to 3.

Then more control is provided over what is included in the refpolicy. By
default the refpolicy provides lots of modules and rules for many
packages. Not all of those packages are necessarily part of the target
system, but all are built, resulting in a large monolithic policy and
lots of unused rules. We reworked the refpolicy to only include by
default 'base' modules and a small list of always-needed others. The
result is a much smaller binary policy. See patch 4.

On top of the more minimal SELinux policy, ways are provided in patches
5 to 14 to enable or provide extra modules. That allows one to:

- Enable modules provided within the refpolicy from Buildroot packages
  so that the resulting policy does include all the required rules. For
  example, the dbus Buildroot package enables the 'dbus' SELinux module
  available in the refpolicy.

- Provide extra SELinux modules to be built in the policy, from
  Buildroot packages.

- Enable modules available in the refpolicy from the Buildroot
  configuration.

- Provide extra modules in user-defined folders.

- Override the refpolicy sources location and all of the above
  mechanisms, as when designing a fully custom system, one could want to
  provide a fully custom SELinux policy.

Finally, the documentation is updated in patch 15 to explain how to use
SELinux within Buildroot.

Thanks!
Antoine

Antoine Tenart (15):
  package/e2fsprogs: set xattrs for the root dir as well
  fs/common.mk: set SELinux file security contexts
  fs/common.mk: move down ROOTFS_REPRODUCIBLE for consistency
  package/refpolicy: smaller monolithic policy
  package/refpolicy: allow packages to select SELinux modules
  package/systemd: select SELinux modules
  package/dbus: select SELinux module
  package/util-linux: select SELinux module
  package/e2fsprogs: select SELinux module
  package/refpolicy: allow providing user defined modules
  package/refpolicy: allow selecting additional modules
  package/refpolicy: allow to provide a custom refpolicy
  package/refpolicy: allow packages to provide their own SELinux modules
  package/refpolicy: fix the configure, build and install steps
  docs/manual: add a section about SELinux

 docs/manual/manual.txt                        |  2 +
 docs/manual/selinux-support.txt               | 66 ++++++++++++++++
 fs/common.mk                                  | 23 ++++--
 package/dbus/dbus.mk                          |  2 +
 ...-xattrs-to-the-root-directory-as-wel.patch | 46 +++++++++++
 package/e2fsprogs/e2fsprogs.mk                |  2 +
 package/pkg-generic.mk                        |  6 ++
 package/refpolicy/Config.in                   | 54 +++++++++++++
 package/refpolicy/refpolicy.mk                | 78 +++++++++++++++++--
 package/systemd/systemd.mk                    |  2 +
 package/util-linux/util-linux.mk              |  4 +
 11 files changed, 274 insertions(+), 11 deletions(-)
 create mode 100644 docs/manual/selinux-support.txt
 create mode 100644 package/e2fsprogs/0001-create_inode-set-xattrs-to-the-root-directory-as-wel.patch

-- 
2.26.2


* [Buildroot] [PATCH 01/15] package/e2fsprogs: set xattrs for the root dir as well
  2020-07-31 10:10 [Buildroot] [PATCH 00/15] Improve SELinux support Antoine Tenart
@ 2020-07-31 10:10 ` Antoine Tenart
  2020-07-31 10:10 ` [Buildroot] [PATCH 02/15] fs/common.mk: set SELinux file security contexts Antoine Tenart
From: Antoine Tenart @ 2020-07-31 10:10 UTC (permalink / raw)
  To: buildroot

The mke2fs binary copies the xattrs of the source directory when
creating an image, but this logic did not include the root directory of
the resulting image. A patch was sent upstream to fix this. Include the
patch in Buildroot to allow creating SELinux-ready images at build time.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
---
 ...-xattrs-to-the-root-directory-as-wel.patch | 46 +++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 package/e2fsprogs/0001-create_inode-set-xattrs-to-the-root-directory-as-wel.patch

diff --git a/package/e2fsprogs/0001-create_inode-set-xattrs-to-the-root-directory-as-wel.patch b/package/e2fsprogs/0001-create_inode-set-xattrs-to-the-root-directory-as-wel.patch
new file mode 100644
index 000000000000..2e9c3ccef0aa
--- /dev/null
+++ b/package/e2fsprogs/0001-create_inode-set-xattrs-to-the-root-directory-as-wel.patch
@@ -0,0 +1,46 @@
+From 1826d8965057bd84517156a4b75c81bdfdae9ebc Mon Sep 17 00:00:00 2001
+From: Antoine Tenart <antoine.tenart@bootlin.com>
+Date: Wed, 1 Jul 2020 10:06:03 +0200
+Subject: [PATCH] create_inode: set xattrs to the root directory as well
+
+populate_fs do copy the xattrs for all files and directories, but the
+root directory is skipped and as a result its extended attributes aren't
+set. This is an issue when using mkfs to build a full system image that
+can be used with SElinux in enforcing mode without making any runtime
+fix at first boot.
+
+This patch adds logic to set the root directory's extended attributes.
+
+[Uspstream status: sent to the mailing list and has a Reviewed-by tag,
+https://lore.kernel.org/linux-ext4/20200717100846.497546-1-antoine.tenart at bootlin.com/]
+
+Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
+---
+ misc/create_inode.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/misc/create_inode.c b/misc/create_inode.c
+index e8d1df6b55a5..fe66faf1b53d 100644
+--- a/misc/create_inode.c
++++ b/misc/create_inode.c
+@@ -1050,9 +1050,17 @@ errcode_t populate_fs2(ext2_filsys fs, ext2_ino_t parent_ino,
+ 	file_info.path_max_len = 255;
+ 	file_info.path = calloc(file_info.path_max_len, 1);
+ 
++	retval = set_inode_xattr(fs, root, source_dir);
++	if (retval) {
++		com_err(__func__, retval,
++			_("while copying xattrs on root directory"));
++		goto out;
++	}
++
+ 	retval = __populate_fs(fs, parent_ino, source_dir, root, &hdlinks,
+ 			       &file_info, fs_callbacks);
+ 
++out:
+ 	free(file_info.path);
+ 	free(hdlinks.hdl);
+ 	return retval;
+-- 
+2.26.2
+
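Review bot: the new error path jumps to `out:` and frees `hdlinks.hdl` as well as `file_info.path`; that is only correct if `hdlinks.hdl` has already been allocated before the `set_inode_xattr()` call, and the allocation is above the hunk, so please confirm the `goto` cannot free an uninitialised pointer when xattr copying fails on the root inode. The `calloc()` for `file_info.path` two lines above is still unchecked for NULL, but that is pre-existing. In the embedded commit message, "Uspstream status" should read "Upstream status" and "SElinux" "SELinux".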
-- 
2.26.2


* [Buildroot] [PATCH 02/15] fs/common.mk: set SELinux file security contexts
  2020-07-31 10:10 [Buildroot] [PATCH 00/15] Improve SELinux support Antoine Tenart
  2020-07-31 10:10 ` [Buildroot] [PATCH 01/15] package/e2fsprogs: set xattrs for the root dir as well Antoine Tenart
@ 2020-07-31 10:10 ` Antoine Tenart
  2020-09-04 12:58   ` Thomas Petazzoni
  2020-07-31 10:10 ` [Buildroot] [PATCH 03/15] fs/common.mk: move down ROOTFS_REPRODUCIBLE for consistency Antoine Tenart
From: Antoine Tenart @ 2020-07-31 10:10 UTC (permalink / raw)
  To: buildroot

Set the SELinux file security contexts using setfiles when generating
root filesystem images.

Without such security contexts created at build time, they need to be
set up at first boot by running the restorecon utility on the target.
This has two drawbacks:

 - You have to special case the first boot, which cannot be done in
   enforcing mode, and will have to run restorecon, then reboot.

 - You cannot support read-only filesystems.

By setting up the security contexts at build time, we can have a
filesystem image that is immediately ready to boot an SELinux system
in enforcing mode, including if the root filesystem is read-only.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
---
 fs/common.mk | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/fs/common.mk b/fs/common.mk
index 842ea924a5e0..d915a8795b74 100644
--- a/fs/common.mk
+++ b/fs/common.mk
@@ -49,6 +49,16 @@ ROOTFS_COMMON_DEPENDENCIES = \
 	$(BR2_TAR_HOST_DEPENDENCY) \
 	$(if $(PACKAGES_USERS)$(ROOTFS_USERS_TABLES),host-mkpasswd)
 
+ifeq ($(BR2_PACKAGE_REFPOLICY)$(BR2_PACKAGE_POLICYCOREUTILS),yy)
+define ROOTFS_SELINUX
+	$(HOST_DIR)/sbin/setfiles -m -r $(TARGET_DIR) \
+		-c $(TARGET_DIR)/etc/selinux/targeted/policy/policy.$(BR2_PACKAGE_LIBSEPOL_POLICY_VERSION) \
+		$(TARGET_DIR)/etc/selinux/targeted/contexts/files/file_contexts \
+		$(TARGET_DIR)
+endef
+ROOTFS_COMMON_DEPENDENCIES += refpolicy host-policycoreutils
+endif
+
 ROOTFS_COMMON_FINAL_RECURSIVE_DEPENDENCIES = $(sort \
 	$(if $(filter undefined,$(origin ROOTFS_COMMON_FINAL_RECURSIVE_DEPENDENCIES__X)), \
 		$(eval ROOTFS_COMMON_FINAL_RECURSIVE_DEPENDENCIES__X := \
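Review bot: the policy type is hard-coded as `targeted` in both the `-c` policy path and the `file_contexts` path of ROOTFS_SELINUX, so a refpolicy built with any other type name (including a custom policy, once that is supported) makes `setfiles` fail to find its inputs; exporting the type from refpolicy.mk and using it here would keep the two in sync. The `ifeq` condition also keys on the target package BR2_PACKAGE_POLICYCOREUTILS, while the recipe only needs `host-policycoreutils`, which is added to ROOTFS_COMMON_DEPENDENCIES anyway; keying on BR2_PACKAGE_REFPOLICY alone would let an image be labelled without shipping policycoreutils on the target.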
@@ -172,6 +182,7 @@ $$(BINARIES_DIR)/$$(ROOTFS_$(2)_FINAL_IMAGE_NAME): $$(ROOTFS_$(2)_DEPENDENCIES)
 	$$(foreach hook,$$(ROOTFS_$(2)_PRE_GEN_HOOKS),\
 		$$(call PRINTF,$$($$(hook))) >> $$(FAKEROOT_SCRIPT)$$(sep))
 	$$(call PRINTF,$$(ROOTFS_REPRODUCIBLE)) >> $$(FAKEROOT_SCRIPT)
+	$$(call PRINTF,$$(ROOTFS_SELINUX)) >> $$(FAKEROOT_SCRIPT)
 	$$(call PRINTF,$$(ROOTFS_$(2)_CMD)) >> $$(FAKEROOT_SCRIPT)
 	chmod a+x $$(FAKEROOT_SCRIPT)
 	PATH=$$(BR_PATH) FAKEROOTDONTTRYCHOWN=1 $$(HOST_DIR)/bin/fakeroot -- $$(FAKEROOT_SCRIPT)
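Review bot: ROOTFS_SELINUX is appended to the fakeroot script, but fakeroot only emulates ownership and permissions, not extended attributes, so the `security.selinux` labels written by `setfiles` on `$(TARGET_DIR)` are real xattrs on the host filesystem. The build host therefore needs a filesystem and kernel configuration that let an unprivileged user set that attribute; if it does not, the script fails (which is the right outcome, since an unlabelled image would not boot in enforcing mode), so the requirement should be spelled out in the manual section added at the end of this series rather than discovered from a failing `setfiles`.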
-- 
2.26.2


* [Buildroot] [PATCH 03/15] fs/common.mk: move down ROOTFS_REPRODUCIBLE for consistency
  2020-07-31 10:10 [Buildroot] [PATCH 00/15] Improve SELinux support Antoine Tenart
  2020-07-31 10:10 ` [Buildroot] [PATCH 01/15] package/e2fsprogs: set xattrs for the root dir as well Antoine Tenart
  2020-07-31 10:10 ` [Buildroot] [PATCH 02/15] fs/common.mk: set SELinux file security contexts Antoine Tenart
@ 2020-07-31 10:10 ` Antoine Tenart
  2020-07-31 10:10 ` [Buildroot] [PATCH 04/15] package/refpolicy: smaller monolithic policy Antoine Tenart
From: Antoine Tenart @ 2020-07-31 10:10 UTC (permalink / raw)
  To: buildroot

This patch is cosmetic and moves down ROOTFS_REPRODUCIBLE for
consistency.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
---
 fs/common.mk | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/fs/common.mk b/fs/common.mk
index d915a8795b74..a7137b8e89cf 100644
--- a/fs/common.mk
+++ b/fs/common.mk
@@ -36,12 +36,6 @@ ROOTFS_USERS_TABLES = $(call qstrip,$(BR2_ROOTFS_USERS_TABLES))
 ROOTFS_FULL_DEVICES_TABLE = $(FS_DIR)/full_devices_table.txt
 ROOTFS_FULL_USERS_TABLE = $(FS_DIR)/full_users_table.txt
 
-ifeq ($(BR2_REPRODUCIBLE),y)
-define ROOTFS_REPRODUCIBLE
-	find $(TARGET_DIR) -print0 | xargs -0 -r touch -hd @$(SOURCE_DATE_EPOCH)
-endef
-endif
-
 ROOTFS_COMMON_NAME = rootfs-common
 ROOTFS_COMMON_TYPE = rootfs
 ROOTFS_COMMON_DEPENDENCIES = \
@@ -49,6 +43,12 @@ ROOTFS_COMMON_DEPENDENCIES = \
 	$(BR2_TAR_HOST_DEPENDENCY) \
 	$(if $(PACKAGES_USERS)$(ROOTFS_USERS_TABLES),host-mkpasswd)
 
+ifeq ($(BR2_REPRODUCIBLE),y)
+define ROOTFS_REPRODUCIBLE
+	find $(TARGET_DIR) -print0 | xargs -0 -r touch -hd @$(SOURCE_DATE_EPOCH)
+endef
+endif
+
 ifeq ($(BR2_PACKAGE_REFPOLICY)$(BR2_PACKAGE_POLICYCOREUTILS),yy)
 define ROOTFS_SELINUX
 	$(HOST_DIR)/sbin/setfiles -m -r $(TARGET_DIR) \
-- 
2.26.2


* [Buildroot] [PATCH 04/15] package/refpolicy: smaller monolithic policy
  2020-07-31 10:10 [Buildroot] [PATCH 00/15] Improve SELinux support Antoine Tenart
  2020-07-31 10:10 ` [Buildroot] [PATCH 03/15] fs/common.mk: move down ROOTFS_REPRODUCIBLE for consistency Antoine Tenart
@ 2020-07-31 10:10 ` Antoine Tenart
  2020-07-31 10:10 ` [Buildroot] [PATCH 05/15] package/refpolicy: allow packages to select SELinux modules Antoine Tenart
From: Antoine Tenart @ 2020-07-31 10:10 UTC (permalink / raw)
  To: buildroot

The refpolicy is configured to use a monolithic build, compiling all the
available modules (whether they're 'base' or 'modules' ones) in the
binary policy. The result is a quite big SELinux policy, with a lot more
rules than what would be needed in a Buildroot image.

Refactor the refpolicy build configuration to enable fewer modules by
default. To achieve this, all the modules marked as being part of the
'base' policy are kept but all the modules marked as being only
'modules' are disabled. Then a static list of modules (in addition to
the already selected 'base' ones) is enabled. The result is a much
smaller refpolicy: my tests showed a reduction of the binary policy from
2.4M to 249K (~90% smaller).

This minimal set of SELinux modules should allow booting a system in
enforcing mode in the future. It currently does not work, not because
extra modules are needed, but because of required changes within the
selected modules.

This patch would break backward compatibility as the refpolicy will no
longer have all the modules provided by the project, but only those
selected. This should not be an issue as this configuration was not
suitable directly for a real system. Modifications had to be done. If we
still find out later that this is an issue for someone, we'll have the
ability to mimic what was done previously thanks to other mechanisms
(such as providing the upstream policy as a "custom" policy location).

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
---
 package/refpolicy/refpolicy.mk | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
index 9346649b2c57..0ce83d2cbdcb 100644
--- a/package/refpolicy/refpolicy.mk
+++ b/package/refpolicy/refpolicy.mk
@@ -29,6 +29,33 @@ REFPOLICY_POLICY_VERSION = $(BR2_PACKAGE_LIBSEPOL_POLICY_VERSION)
 REFPOLICY_POLICY_STATE = \
 	$(call qstrip,$(BR2_PACKAGE_REFPOLICY_POLICY_STATE))
 
+REFPOLICY_MODULES = \
+	application \
+	authlogin \
+	getty \
+	init \
+	libraries \
+	locallogin \
+	logging \
+	miscfiles \
+	modutils \
+	mount \
+	selinuxutil \
+	storage \
+	sysadm \
+	sysnetwork \
+	unconfined \
+	userdomain
+
+# In the context of a monolithic policy enabling a piece of the policy as
+# 'base' or 'module' is equivalent, so we enable them as 'base'.
+define REFPOLICY_CONFIGURE_MODULES
+	$(SED) "s/ = module/ = no/g" $(@D)/policy/modules.conf
+	$(foreach m,$(REFPOLICY_MODULES),
+		$(SED) "/^$(m) =/c\$(m) = base" $(@D)/policy/modules.conf
+	)
+endef
+
 ifeq ($(BR2_INIT_SYSTEMD),y)
 define REFPOLICY_CONFIGURE_SYSTEMD
 	$(SED) "/SYSTEMD/c\SYSTEMD = y" $(@D)/build.conf
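Review bot: in REFPOLICY_CONFIGURE_MODULES, `$(SED) "/^$(m) =/c\$(m) = base"` is a no-op when modules.conf has no line for `$(m)`, so a misspelled or unknown name in REFPOLICY_MODULES (or, later in this series, in a package's `_SELINUX_MODULES` list or the user's extra-modules option) silently produces a policy without that module instead of a build error. Adding `grep -q "^$(m) =" $(@D)/policy/modules.conf || { echo "unknown SELinux module $(m)"; exit 1; }` before the sed inside the `$(foreach)` would turn that into a hard failure at build time.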
@@ -45,6 +72,7 @@ endef
 
 define REFPOLICY_BUILD_CMDS
 	$(REFPOLICY_MAKE) -C $(@D) DESTDIR=$(STAGING_DIR) bare conf
+	$(REFPOLICY_CONFIGURE_MODULES)
 endef
 
 define REFPOLICY_INSTALL_STAGING_CMDS
-- 
2.26.2


* [Buildroot] [PATCH 05/15] package/refpolicy: allow packages to select SELinux modules
  2020-07-31 10:10 [Buildroot] [PATCH 00/15] Improve SELinux support Antoine Tenart
  2020-07-31 10:10 ` [Buildroot] [PATCH 04/15] package/refpolicy: smaller monolithic policy Antoine Tenart
@ 2020-07-31 10:10 ` Antoine Tenart
  2020-07-31 10:10 ` [Buildroot] [PATCH 06/15] package/systemd: " Antoine Tenart
From: Antoine Tenart @ 2020-07-31 10:10 UTC (permalink / raw)
  To: buildroot

Add support for packages to enable SELinux modules already supported by
the refpolicy, but not selected by default in its policy.

With this commit, packages will be able to do something like:

SYSTEMD_SELINUX_MODULES = systemd udev

to enable additional SELinux modules.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
---
 package/pkg-generic.mk         | 4 ++++
 package/refpolicy/refpolicy.mk | 5 +++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index c63807047b29..71d6357836f0 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -1088,6 +1088,10 @@ TARGET_FINALIZE_HOOKS += $$($(2)_TARGET_FINALIZE_HOOKS)
 ROOTFS_PRE_CMD_HOOKS += $$($(2)_ROOTFS_PRE_CMD_HOOKS)
 KEEP_PYTHON_PY_FILES += $$($(2)_KEEP_PY_FILES)
 
+ifneq ($$($(2)_SELINUX_MODULES),)
+PACKAGES_SELINUX_MODULES += $$($(2)_SELINUX_MODULES)
+endif
+
 ifeq ($$($(2)_SITE_METHOD),svn)
 DL_TOOLS_DEPENDENCIES += svn
 else ifeq ($$($(2)_SITE_METHOD),git)
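Review bot: the `ifneq ($$($(2)_SELINUX_MODULES),)` guard is redundant, since appending an empty value with `+=` is a no-op; dropping it would match how the neighbouring accumulators (`ROOTFS_PRE_CMD_HOOKS`, `KEEP_PYTHON_PY_FILES`) are collected just above. Note also that the list is gathered for every package that defines the variable, whether or not refpolicy is enabled; that is harmless only because PACKAGES_SELINUX_MODULES is consumed solely by refpolicy.mk, which a one-line comment here could say.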
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
index 0ce83d2cbdcb..c29912a53b0b 100644
--- a/package/refpolicy/refpolicy.mk
+++ b/package/refpolicy/refpolicy.mk
@@ -45,13 +45,14 @@ REFPOLICY_MODULES = \
 	sysadm \
 	sysnetwork \
 	unconfined \
-	userdomain
+	userdomain \
+	$(PACKAGES_SELINUX_MODULES)
 
 # In the context of a monolithic policy enabling a piece of the policy as
 # 'base' or 'module' is equivalent, so we enable them as 'base'.
 define REFPOLICY_CONFIGURE_MODULES
 	$(SED) "s/ = module/ = no/g" $(@D)/policy/modules.conf
-	$(foreach m,$(REFPOLICY_MODULES),
+	$(foreach m,$(sort $(REFPOLICY_MODULES)),
 		$(SED) "/^$(m) =/c\$(m) = base" $(@D)/policy/modules.conf
 	)
 endef
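Review bot: `$(sort ...)` deduplicates as well as sorts, and that deduplication is what makes it safe for several packages to select the same module (util-linux and e2fsprogs both select `fstools` later in this series); a short comment saying the dedup is relied upon would stop a future cleanup from replacing it with the plain list and running the sed twice for the same name.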
-- 
2.26.2

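The modules.conf rewrite that REFPOLICY_CONFIGURE_MODULES performs in patches 04 and 05, as an added example that is not part of this series or of Buildroot: a POSIX shell script applying the same two sed edits (everything marked `module` becomes `no`, then each requested name is forced to `base`) to a constructed modules.conf, with one check the recipe lacks: a requested name that has no line in the file is reported and fails the run instead of being silently skipped by `c\`. The function names, the `write_sample_conf` fixture and its contents are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of this series or of Buildroot: the same edits to
# policy/modules.conf that REFPOLICY_CONFIGURE_MODULES performs with sed,
# plus a check the recipe lacks. In the recipe, "/^name =/c\name = base" is a
# no-op when no such line exists, so a misspelled module name is silently
# dropped from the binary policy; here it is reported and fails the run.
set -eu

# configure_modules MODULES_CONF NAME...
# 1. every "= module" entry becomes "= no" (nothing is built by default),
# 2. every NAME is forced to "= base" (monolithic build: base == module).
# Returns 1 if any NAME has no entry in MODULES_CONF.
configure_modules() {
    conf=$1; shift
    sed -i 's/ = module/ = no/' "$conf"
    rc=0
    for m in "$@"; do
        if grep -q "^$m = " "$conf"; then
            sed -i "/^$m = /c\\$m = base" "$conf"
        else
            echo "configure_modules: '$m' is not a module known to $conf" >&2
            rc=1
        fi
    done
    return $rc
}

# count_base MODULES_CONF: number of modules enabled as base after the rewrite.
count_base() {
    grep -c ' = base$' "$1"
}

# write_sample_conf FILE: constructed stand-in for the modules.conf that
# "make bare conf" generates in the refpolicy tree (layout: "name = state").
write_sample_conf() {
    cat > "$1" <<'EOF'
# Layer: kernel
# Module: kernel
kernel = base
corecommands = base
# Layer: services
dbus = module
systemd = module
# Layer: admin
fstools = module
EOF
}

# Usage: sh configure-modules.sh policy/modules.conf systemd udev fstools
if [ $# -ge 1 ]; then
    configure_modules "$@"
fi
```

Run it against a real tree after `make bare conf` in the refpolicy source directory; a non-zero exit means at least one name would have been dropped by the unchecked sed in the recipe.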

* [Buildroot] [PATCH 06/15] package/systemd: select SELinux modules
  2020-07-31 10:10 [Buildroot] [PATCH 00/15] Improve SELinux support Antoine Tenart
  2020-07-31 10:10 ` [Buildroot] [PATCH 05/15] package/refpolicy: allow packages to select SELinux modules Antoine Tenart
@ 2020-07-31 10:10 ` Antoine Tenart
  2020-07-31 10:10 ` [Buildroot] [PATCH 07/15] package/dbus: select SELinux module Antoine Tenart
From: Antoine Tenart @ 2020-07-31 10:10 UTC (permalink / raw)
  To: buildroot

Select the systemd and udev SELinux modules so that they will be
compiled in the refpolicy. This way, if an SELinux policy is generated,
Systemd will be supported.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
---
 package/systemd/systemd.mk | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
index 107fcbe66a6c..76dcee408226 100644
--- a/package/systemd/systemd.mk
+++ b/package/systemd/systemd.mk
@@ -18,6 +18,8 @@ SYSTEMD_DEPENDENCIES = \
 	util-linux \
 	$(TARGET_NLS_DEPENDENCIES)
 
+SYSTEMD_SELINUX_MODULES = systemd udev
+
 SYSTEMD_PROVIDES = udev
 
 SYSTEMD_CONF_OPTS += \
-- 
2.26.2


* [Buildroot] [PATCH 07/15] package/dbus: select SELinux module
  2020-07-31 10:10 [Buildroot] [PATCH 00/15] Improve SELinux support Antoine Tenart
  2020-07-31 10:10 ` [Buildroot] [PATCH 06/15] package/systemd: " Antoine Tenart
@ 2020-07-31 10:10 ` Antoine Tenart
  2020-07-31 10:10 ` [Buildroot] [PATCH 08/15] package/util-linux: " Antoine Tenart
From: Antoine Tenart @ 2020-07-31 10:10 UTC (permalink / raw)
  To: buildroot

Select the dbus SELinux module so that it will be compiled in the
refpolicy. This way, if an SELinux policy is generated, dbus will be
supported.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
---
 package/dbus/dbus.mk | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/package/dbus/dbus.mk b/package/dbus/dbus.mk
index 3c6762568871..70f2c6fef48d 100644
--- a/package/dbus/dbus.mk
+++ b/package/dbus/dbus.mk
@@ -20,6 +20,8 @@ endef
 
 DBUS_DEPENDENCIES = host-pkgconf expat
 
+DBUS_SELINUX_MODULES = dbus
+
 DBUS_CONF_OPTS = \
 	--with-dbus-user=dbus \
 	--disable-tests \
-- 
2.26.2


* [Buildroot] [PATCH 08/15] package/util-linux: select SELinux module
  2020-07-31 10:10 [Buildroot] [PATCH 00/15] Improve SELinux support Antoine Tenart
  2020-07-31 10:10 ` [Buildroot] [PATCH 07/15] package/dbus: select SELinux module Antoine Tenart
@ 2020-07-31 10:10 ` Antoine Tenart
  2020-07-31 10:10 ` [Buildroot] [PATCH 09/15] package/e2fsprogs: " Antoine Tenart
From: Antoine Tenart @ 2020-07-31 10:10 UTC (permalink / raw)
  To: buildroot

Select the fstools SELinux module to be compiled in the policy for the
relevant binaries of util-linux.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
---
 package/util-linux/util-linux.mk | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/package/util-linux/util-linux.mk b/package/util-linux/util-linux.mk
index 6c8f295eedd9..4779fe766544 100644
--- a/package/util-linux/util-linux.mk
+++ b/package/util-linux/util-linux.mk
@@ -43,6 +43,10 @@ HOST_UTIL_LINUX_CONF_OPTS = \
 	--with-systemdsystemunitdir=no \
 	--without-python
 
+ifneq ($(BR2_PACKAGE_UTIL_LINUX_BINARIES)$(BR2_PACKAGE_UTIL_LINUX_CRAMFS)$(BR2_PACKAGE_UTIL_LINUX_FSCK)$(BR2_PACKAGE_UTIL_LINUX_LOSETUP),)
+UTIL_LINUX_SELINUX_MODULES = fstools
+endif
+
 # Prevent the installation from attempting to move shared libraries from
 # ${usrlib_execdir} (/usr/lib) to ${libdir} (/lib), since both paths are
 # the same when merged usr is in use.
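Review bot: the `ifneq (...)` condition concatenates four BR2_PACKAGE_UTIL_LINUX_* symbols on one line well past 80 columns; splitting it with backslash continuations, as the surrounding CONF_OPTS assignments do, keeps it readable in review. Selecting `fstools` here and unconditionally from e2fsprogs in the next patch is fine given the `$(sort)` dedup in refpolicy.mk, but the commit message could state which of the four sub-options install binaries that the fstools module actually labels, so the condition can be checked against the policy rather than taken on trust.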
-- 
2.26.2


* [Buildroot] [PATCH 09/15] package/e2fsprogs: select SELinux module
  2020-07-31 10:10 [Buildroot] [PATCH 00/15] Improve SELinux support Antoine Tenart
  2020-07-31 10:10 ` [Buildroot] [PATCH 08/15] package/util-linux: " Antoine Tenart
@ 2020-07-31 10:10 ` Antoine Tenart
  2020-07-31 10:10 ` [Buildroot] [PATCH 10/15] package/refpolicy: allow providing user defined modules Antoine Tenart
From: Antoine Tenart @ 2020-07-31 10:10 UTC (permalink / raw)
  To: buildroot

Select the fstools SELinux module when e2fsprogs binaries are compiled
and installed in the target filesystem, so that they'll be supported by
the SELinux policy.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
---
 package/e2fsprogs/e2fsprogs.mk | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/package/e2fsprogs/e2fsprogs.mk b/package/e2fsprogs/e2fsprogs.mk
index f6642d8de164..eb82a55ce79d 100644
--- a/package/e2fsprogs/e2fsprogs.mk
+++ b/package/e2fsprogs/e2fsprogs.mk
@@ -17,6 +17,8 @@ E2FSPROGS_INSTALL_STAGING = YES
 E2FSPROGS_DEPENDENCIES = host-pkgconf util-linux
 HOST_E2FSPROGS_DEPENDENCIES = host-pkgconf host-util-linux
 
+E2FSPROGS_SELINUX_MODULES = fstools
+
 # e4defrag doesn't build on older systems like RHEL5.x, and we don't
 # need it on the host anyway.
 # Disable fuse2fs as well to avoid carrying over deps, and it's unused
-- 
2.26.2


* [Buildroot] [PATCH 10/15] package/refpolicy: allow providing user defined modules
  2020-07-31 10:10 [Buildroot] [PATCH 00/15] Improve SELinux support Antoine Tenart
  2020-07-31 10:10 ` [Buildroot] [PATCH 09/15] package/e2fsprogs: " Antoine Tenart
@ 2020-07-31 10:10 ` Antoine Tenart
  2020-09-04 13:05   ` Thomas Petazzoni
  2020-07-31 10:10 ` [Buildroot] [PATCH 11/15] package/refpolicy: allow selecting additional modules Antoine Tenart
From: Antoine Tenart @ 2020-07-31 10:10 UTC (permalink / raw)
  To: buildroot

Allow users to provide custom SELinux modules to be part of the final
policy. A new configuration variable is added, pointing to a list of
directories containing the custom modules.

SELinux modules do require a metadata.xml file to be well integrated in
the refpolicy build. If this file isn't provided, it will be
automatically created.

For now, this option requires the extra modules to be directly in the
BR2_REFPOLICY_EXTRA_MODULES directory, and subfolders aren't supported.
They may never be, as having subfolders could introduce issues when two
different modules have the same name (which isn't supported by the
refpolicy).

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
---
 package/refpolicy/Config.in    | 10 ++++++++++
 package/refpolicy/refpolicy.mk | 23 ++++++++++++++++++++++-
 2 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
index b50b2f09ff79..030b1e93c9bd 100644
--- a/package/refpolicy/Config.in
+++ b/package/refpolicy/Config.in
@@ -54,6 +54,16 @@ config BR2_PACKAGE_REFPOLICY_POLICY_STATE
 	default "enforcing" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_ENFORCING
 	default "disabled" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_DISABLED
 
+config BR2_REFPOLICY_EXTRA_MODULES_DIRS
+	string "Extra modules directories"
+	help
+	  Specify directories containing SELinux modules that will be build
+	  in the SELinux policy. The modules will be automatically enabled in
+	  the policy.
+
+	  Each of those directories must contain the SELinux policy .fc, .if
+	  and .te files directly at the top-level, with no sub-directories.
+
 endif
 
 comment "refpolicy needs a toolchain w/ threads"
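Review bot: in the help text, "will be build in the SELinux policy" should read "will be built into the SELinux policy", and it should say the value is a space-separated list of directories, since refpolicy.mk iterates over it with `$(foreach)`. The symbol name BR2_REFPOLICY_EXTRA_MODULES_DIRS also drops the `PACKAGE_` part that every sibling symbol in this file carries (BR2_PACKAGE_REFPOLICY_POLICY_STATE just above); BR2_PACKAGE_REFPOLICY_EXTRA_MODULES_DIRS would be consistent, and the commit message refers to the option as BR2_REFPOLICY_EXTRA_MODULES, which matches neither.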
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
index c29912a53b0b..edbb5a228f55 100644
--- a/package/refpolicy/refpolicy.mk
+++ b/package/refpolicy/refpolicy.mk
@@ -46,7 +46,26 @@ REFPOLICY_MODULES = \
 	sysnetwork \
 	unconfined \
 	userdomain \
-	$(PACKAGES_SELINUX_MODULES)
+	$(PACKAGES_SELINUX_MODULES) \
+	$(foreach d,$(call qstrip,$(REFPOLICY_EXTRA_MODULES)),\
+		$(basename $(notdir $(wildcard $(d)/*.te))))
+
+# Allow to provide out-of-tree SELinux modules in addition to the ones in the
+# refpolicy.
+REFPOLICY_EXTRA_MODULES = $(BR2_REFPOLICY_EXTRA_MODULES_DIRS)
+$(foreach dir,$(call qstrip,$(BR2_REFPOLICY_EXTRA_MODULES_DIRS)),\
+	$(if $(wildcard $(dir)),,\
+		$(error BR2_REFPOLICY_EXTRA_MODULES_DIRS contains nonexistent directory $(dir))))
+
+define REFPOLICY_COPY_MODULES
+	mkdir -p $(@D)/policy/modules/buildroot
+	rsync -au $(addsuffix /*,$(call qstrip,$(REFPOLICY_EXTRA_MODULES))) \
+		$(@D)/policy/modules/buildroot/
+	if [ ! -f $(@D)/policy/modules/buildroot/metadata.xml ]; then \
+		echo "<summary>Buildroot extra modules</summary>" > \
+			$(@D)/policy/modules/buildroot/metadata.xml; \
+	fi
+endef
 
 # In the context of a monolithic policy enabling a piece of the policy as
 # 'base' or 'module' is equivalent, so we enable them as 'base'.
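Review bot: nothing in REFPOLICY_COPY_MODULES or in the REFPOLICY_MODULES wildcard detects an out-of-tree module whose name already exists in the refpolicy; the commit message says duplicate names are unsupported, yet such a .te is copied into policy/modules/buildroot next to the original, its name is then forced to `= base` by the later sed, and whichever definition the refpolicy build picks up wins silently. A check in the same style as the nonexistent-directory `$(error ...)` above, comparing `$(basename $(notdir $(wildcard $(d)/*.te)))` against the refpolicy's own module files (a `find $(@D)/policy/modules -name` test in the recipe, since the tree only exists after extraction), would reject that case early. Also, REFPOLICY_EXTRA_MODULES is used in the REFPOLICY_MODULES assignment before it is defined, which works only because both are recursively expanded; a comment, or moving the assignment above, would make that intent explicit.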
@@ -72,6 +91,8 @@ define REFPOLICY_CONFIGURE_CMDS
 endef
 
 define REFPOLICY_BUILD_CMDS
+	$(if $(call qstrip,$(REFPOLICY_EXTRA_MODULES)),\
+		$(REFPOLICY_COPY_MODULES))
 	$(REFPOLICY_MAKE) -C $(@D) DESTDIR=$(STAGING_DIR) bare conf
 	$(REFPOLICY_CONFIGURE_MODULES)
 endef
-- 
2.26.2

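A pre-flight check for a directory listed in BR2_REFPOLICY_EXTRA_MODULES_DIRS, as an added example that is not part of this series or of Buildroot: it enforces the constraints the commit message states (module files at the top level only, no sub-directories, no module named like one already in the refpolicy) and checks that each `.te` has its `.fc` and `.if` alongside, then mirrors what REFPOLICY_COPY_MODULES does, including the default metadata.xml. The names `check_modules_dir`, `copy_modules` and `make_sample`, the use of `cp -a` in place of `rsync -au`, and the fixture tree are all constructed for this example.

```shell
#!/bin/sh
# Added example, not part of this series or of Buildroot: validate a directory
# meant for BR2_REFPOLICY_EXTRA_MODULES_DIRS before the refpolicy build sees
# it, then mirror what REFPOLICY_COPY_MODULES does. The recipe accepts the
# directory as-is; a sub-directory, a .te without .fc/.if, or a module named
# like one already in the refpolicy only shows up later as a build failure or
# a duplicated module (which the commit message says is unsupported).
set -eu

# check_modules_dir DIR REFPOLICY_SRC
# Prints one problem per line; returns 1 if anything was reported.
check_modules_dir() {
    dir=$1; ref=$2; rc=0
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    # sub-directories are not supported: modules must sit at the top level
    for sub in "$dir"/*/; do
        if [ -d "$sub" ]; then echo "$sub: sub-directories are not supported"; rc=1; fi
    done
    for te in "$dir"/*.te; do
        if [ ! -e "$te" ]; then echo "$dir: no .te file found"; rc=1; break; fi
        name=${te##*/}; name=${name%.te}
        # a refpolicy module is the triple name.te / name.fc / name.if
        for ext in fc if; do
            if [ ! -e "$dir/$name.$ext" ]; then echo "$name: missing $name.$ext"; rc=1; fi
        done
        # refpolicy stores modules as policy/modules/<layer>/<name>.te; a second
        # module with the same name would be copied next to it unnoticed
        if [ -n "$(find "$ref/policy/modules" -name "$name.te" 2>/dev/null)" ]; then
            echo "$name: clashes with a refpolicy module of the same name"; rc=1
        fi
    done
    return $rc
}

# copy_modules DEST DIR...: what REFPOLICY_COPY_MODULES does (cp -a stands in
# for rsync -au here), including the default metadata.xml when none is shipped.
copy_modules() {
    dest=$1; shift
    mkdir -p "$dest"
    for d in "$@"; do cp -a "$d"/* "$dest"/; done
    if [ ! -f "$dest/metadata.xml" ]; then
        echo "<summary>Buildroot extra modules</summary>" > "$dest/metadata.xml"
    fi
}

# make_sample ROOT: constructed fixture, a minimal fake refpolicy tree with a
# 'dbus' module, a valid extra dir 'good' (module myapp) and a broken one 'bad'.
make_sample() {
    root=$1
    mkdir -p "$root/refpolicy/policy/modules/services" "$root/good" "$root/bad/sub"
    : > "$root/refpolicy/policy/modules/services/dbus.te"
    for ext in te fc if; do : > "$root/good/myapp.$ext"; done
    : > "$root/bad/dbus.te"    # same name as the refpolicy module
    : > "$root/bad/lonely.te"  # no .fc / .if alongside
}

# Usage: sh check-extra-modules.sh EXTRA_MODULES_DIR REFPOLICY_SOURCE_DIR
if [ $# -eq 2 ]; then
    check_modules_dir "$1" "$2"
fi
```

Point it at the extracted refpolicy source (the directory containing policy/modules) so the name-clash check sees the upstream module layout; on the constructed fixture the 'bad' directory yields six findings and the 'good' one none.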

* [Buildroot] [PATCH 11/15] package/refpolicy: allow selecting additional modules
  2020-07-31 10:10 [Buildroot] [PATCH 00/15] Improve SELinux support Antoine Tenart
  2020-07-31 10:10 ` [Buildroot] [PATCH 10/15] package/refpolicy: allow providing user defined modules Antoine Tenart
@ 2020-07-31 10:10 ` Antoine Tenart
  2020-07-31 10:10 ` [Buildroot] [PATCH 12/15] package/refpolicy: allow to provide a custom refpolicy Antoine Tenart
From: Antoine Tenart @ 2020-07-31 10:10 UTC (permalink / raw)
  To: buildroot

Allow users to select additional modules available in the refpolicy, to
be built in the binary policy. This will allow non-base modules to be
selected based on the user's use case and to select extra module
dependencies when providing out-of-tree modules.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
---
 package/refpolicy/Config.in    | 5 +++++
 package/refpolicy/refpolicy.mk | 1 +
 2 files changed, 6 insertions(+)

diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
index 030b1e93c9bd..73274920000a 100644
--- a/package/refpolicy/Config.in
+++ b/package/refpolicy/Config.in
@@ -64,6 +64,11 @@ config BR2_REFPOLICY_EXTRA_MODULES_DIRS
 	  Each of those directories must contain the SELinux policy .fc, .if
 	  and .te files directly at the top-level, with no sub-directories.
 
+config BR2_REFPOLICY_EXTRA_MODULES
+	string "Extra modules to enable"
+	help
+	  List of extra SELinux modules to enable in the refpolicy.
+
 endif
 
 comment "refpolicy needs a toolchain w/ threads"
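Review bot: the help text for BR2_REFPOLICY_EXTRA_MODULES should say what a valid value looks like (space-separated module names as they appear in policy/modules.conf, e.g. `dbus udev`) and that a name with no entry in the refpolicy is currently ignored by the sed in REFPOLICY_CONFIGURE_MODULES rather than rejected. The naming is also easy to confuse: BR2_REFPOLICY_EXTRA_MODULES is a list of module names, BR2_REFPOLICY_EXTRA_MODULES_DIRS a list of directories, and the .mk-internal REFPOLICY_EXTRA_MODULES from the previous patch holds the directories, not the names; renaming that internal variable to REFPOLICY_EXTRA_MODULES_DIRS would remove the mismatch.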
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
index edbb5a228f55..de1fe9217a80 100644
--- a/package/refpolicy/refpolicy.mk
+++ b/package/refpolicy/refpolicy.mk
@@ -47,6 +47,7 @@ REFPOLICY_MODULES = \
 	unconfined \
 	userdomain \
 	$(PACKAGES_SELINUX_MODULES) \
+	$(call qstrip,$(BR2_REFPOLICY_EXTRA_MODULES)) \
 	$(foreach d,$(call qstrip,$(REFPOLICY_EXTRA_MODULES)),\
 		$(basename $(notdir $(wildcard $(d)/*.te))))
 
-- 
2.26.2


* [Buildroot] [PATCH 12/15] package/refpolicy: allow to provide a custom refpolicy
  2020-07-31 10:10 [Buildroot] [PATCH 00/15] Improve SELinux support Antoine Tenart
  2020-07-31 10:10 ` [Buildroot] [PATCH 11/15] package/refpolicy: allow selecting additional modules Antoine Tenart
@ 2020-07-31 10:10 ` Antoine Tenart
  2020-07-31 10:10 ` [Buildroot] [PATCH 13/15] package/refpolicy: allow packages to provide their own SELinux modules Antoine Tenart
From: Antoine Tenart @ 2020-07-31 10:10 UTC (permalink / raw)
  To: buildroot

Add support for the user to provide a fully custom refpolicy. When this
is used, modules aren't disabled anymore and packages do not select
refpolicy available modules either. The custom refpolicy must define
the full policy explicitly, and must be a fork of the original
refpolicy, to have the same build system.

This is added to allow users to fully control an SELinux policy, by
providing a complete custom policy.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
---
 package/refpolicy/Config.in    | 39 ++++++++++++++++++++++++++++++++++
 package/refpolicy/refpolicy.mk | 18 +++++++++++++---
 2 files changed, 54 insertions(+), 3 deletions(-)

diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
index 73274920000a..5e1fa0e93c6a 100644
--- a/package/refpolicy/Config.in
+++ b/package/refpolicy/Config.in
@@ -28,6 +28,41 @@ config BR2_PACKAGE_REFPOLICY
 
 if BR2_PACKAGE_REFPOLICY
 
+choice
+	prompt "Refpolicy version"
+	default BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION
+
+config BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION
+	bool "Upstream version"
+	help
+	  Use the refpolicy as provided by Buildroot.
+
+config BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
+	bool "Custom git repository"
+	help
+	  Allows to get the refpolicy from a custom git repository.
+
+	  The custom refpolicy must define the full policy explicitly, and must
+	  be a fork of the original refpolicy, to have the same build system.
+	  When this is selected, only the custom policy definition are taken
+	  into account and all the modules of the policy are built into the
+	  binary policy.
+
+endchoice
+
+if BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
+
+config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL
+	string "URL of custom repository"
+
+config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION
+	string "Custom repository version"
+	help
+	  Revision to use in the typical format used by Git.
+	  E.g. a sha id, tag, branch...
+
+endif
+
 choice
 	prompt "SELinux default state"
 	default BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
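Review bot: the help text for BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION suggests "a sha id, tag, branch"; since the .mk side of this patch adds $(REFPOLICY_SOURCE) to BR_NO_CHECK_HASH_FOR, a branch or tag yields a policy that is neither reproducible nor integrity-checked, and for the object that defines the system's entire access control the help should recommend a full commit id explicitly. Two grammar nits in the same hunk: "Allows to get the refpolicy from a custom git repository" reads better as "Fetch the refpolicy from a custom git repository", and "only the custom policy definition are taken into account" should be "definitions are".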
@@ -54,6 +89,8 @@ config BR2_PACKAGE_REFPOLICY_POLICY_STATE
 	default "enforcing" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_ENFORCING
 	default "disabled" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_DISABLED
 
+if BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION
+
 config BR2_REFPOLICY_EXTRA_MODULES_DIRS
 	string "Extra modules directories"
 	help
@@ -71,5 +108,7 @@ config BR2_REFPOLICY_EXTRA_MODULES
 
 endif
 
+endif
+
 comment "refpolicy needs a toolchain w/ threads"
 	depends on !BR2_TOOLCHAIN_HAS_THREADS
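Review bot: the new endif closes the `if BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION` opened in the previous hunk, but with two bare endif lines in a row it is hard to tell which closes what; mirror the .mk side of this patch, which writes `endif # BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION = y`, with a trailing comment here as well.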
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
index de1fe9217a80..74d2733f7d10 100644
--- a/package/refpolicy/refpolicy.mk
+++ b/package/refpolicy/refpolicy.mk
@@ -4,9 +4,6 @@
 #
 ################################################################################
 
-REFPOLICY_VERSION = 2.20200229
-REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2
-REFPOLICY_SITE = https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20200229
 REFPOLICY_LICENSE = GPL-2.0
 REFPOLICY_LICENSE_FILES = COPYING
 REFPOLICY_INSTALL_STAGING = YES
@@ -18,6 +15,17 @@ REFPOLICY_DEPENDENCIES = \
 	host-setools \
 	host-gawk
 
+ifeq ($(BR2_PACKAGE_REFPOLICY_CUSTOM_GIT),y)
+REFPOLICY_VERSION = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION))
+REFPOLICY_SITE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL))
+REFPOLICY_SITE_METHOD = git
+BR_NO_CHECK_HASH_FOR += $(REFPOLICY_SOURCE)
+else
+REFPOLICY_VERSION = 2.20200229
+REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2
+REFPOLICY_SITE = https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20200229
+endif
+
 # Cannot use multiple threads to build the reference policy
 REFPOLICY_MAKE = \
 	PYTHON=$(HOST_DIR)/usr/bin/python3 \
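Review bot: BR_NO_CHECK_HASH_FOR += $(REFPOLICY_SOURCE) turns off hash verification for the custom policy, and nothing checks that BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL and BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION are non-empty before the download step, so an unset URL fails late with a git error instead of a clear message. Add an $(error ...) for empty values inside the ifeq branch, as patch 13 does for BR2_REFPOLICY_EXTRA_MODULES_DIRS, and state in the Config.in help that the version should be a commit hash, since with hash checking disabled nothing else pins which policy actually ends up on the target.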
@@ -29,6 +37,8 @@ REFPOLICY_POLICY_VERSION = $(BR2_PACKAGE_LIBSEPOL_POLICY_VERSION)
 REFPOLICY_POLICY_STATE = \
 	$(call qstrip,$(BR2_PACKAGE_REFPOLICY_POLICY_STATE))
 
+ifeq ($(BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION),y)
+
 REFPOLICY_MODULES = \
 	application \
 	authlogin \
@@ -77,6 +87,8 @@ define REFPOLICY_CONFIGURE_MODULES
 	)
 endef
 
+endif # BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION = y
+
 ifeq ($(BR2_INIT_SYSTEMD),y)
 define REFPOLICY_CONFIGURE_SYSTEMD
 	$(SED) "/SYSTEMD/c\SYSTEMD = y" $(@D)/build.conf
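Review bot: with REFPOLICY_MODULES, REFPOLICY_EXTRA_MODULES and REFPOLICY_CONFIGURE_MODULES now defined only under BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION, REFPOLICY_CONFIGURE_CMDS (see patch 14) still expands $(REFPOLICY_CONFIGURE_MODULES) and the $(if $(call qstrip,$(REFPOLICY_EXTRA_MODULES)),...) guard unconditionally and relies on both being empty in the custom-git case. That works in make but is easy to break later; either add a comment at this endif saying these variables are intentionally left undefined for a custom policy, or define them empty in an else branch.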
-- 
2.26.2


* [Buildroot] [PATCH 13/15] package/refpolicy: allow packages to provide their own SELinux modules
  2020-07-31 10:10 [Buildroot] [PATCH 00/15] Improve SELinux support Antoine Tenart
                   ` (11 preceding siblings ...)
  2020-07-31 10:10 ` [Buildroot] [PATCH 12/15] package/refpolicy: allow to provide a custom refpolicy Antoine Tenart
@ 2020-07-31 10:10 ` Antoine Tenart
  2020-07-31 10:10 ` [Buildroot] [PATCH 14/15] package/refpolicy: fix the configure, build and install steps Antoine Tenart
                   ` (3 subsequent siblings)
  16 siblings, 0 replies; 33+ messages in thread
From: Antoine Tenart @ 2020-07-31 10:10 UTC (permalink / raw)
  To: buildroot

Allow packages to have an 'selinux' subfolder containing SELinux modules
(sources) to be synced and compiled within the refpolicy, if the package
is selected.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
---
 package/pkg-generic.mk         | 2 ++
 package/refpolicy/refpolicy.mk | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index 71d6357836f0..e52456b1ca5d 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -1091,6 +1091,8 @@ KEEP_PYTHON_PY_FILES += $$($(2)_KEEP_PY_FILES)
 ifneq ($$($(2)_SELINUX_MODULES),)
 PACKAGES_SELINUX_MODULES += $$($(2)_SELINUX_MODULES)
 endif
+PACKAGES_SELINUX_EXTRA_MODULES_DIRS += \
+	$$(if $$(wildcard $$($(2)_PKGDIR)/selinux),$$($(2)_PKGDIR)/selinux)
 
 ifeq ($$($(2)_SITE_METHOD),svn)
 DL_TOOLS_DEPENDENCIES += svn
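Review bot: the new PACKAGES_SELINUX_EXTRA_MODULES_DIRS line is unguarded, unlike the ifneq around PACKAGES_SELINUX_MODULES just above it, so every package appends an empty word, and because the host- and target variants of a package share the same $(2)_PKGDIR, the same package/<pkg>/selinux directory is appended once per variant if this block is reached for both. Wrap it in `ifneq ($$(wildcard $$($(2)_PKGDIR)/selinux),)` to match the line above and $(sort) the list where refpolicy.mk consumes it, so each directory is copied exactly once.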
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
index 74d2733f7d10..51ac71075fb8 100644
--- a/package/refpolicy/refpolicy.mk
+++ b/package/refpolicy/refpolicy.mk
@@ -63,7 +63,7 @@ REFPOLICY_MODULES = \
 
 # Allow to provide out-of-tree SELinux modules in addition to the ones in the
 # refpolicy.
-REFPOLICY_EXTRA_MODULES = $(BR2_REFPOLICY_EXTRA_MODULES_DIRS)
+REFPOLICY_EXTRA_MODULES = $(BR2_REFPOLICY_EXTRA_MODULES_DIRS) $(PACKAGES_SELINUX_EXTRA_MODULES_DIRS)
 $(foreach dir,$(call qstrip,$(BR2_REFPOLICY_EXTRA_MODULES_DIRS)),\
 	$(if $(wildcard $(dir)),,\
 		$(error BR2_REFPOLICY_EXTRA_MODULES_DIRS contains nonexistent directory $(dir))))
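Review bot: REFPOLICY_EXTRA_MODULES now concatenates user directories and package directories, but nothing detects two directories shipping a module with the same name; module names are derived from the .te basenames (see REFPOLICY_MODULES in patch 11), so whichever copy is made last silently wins and a user-provided foo.te can mask a package's foo.te, or the reverse, without any build error. Consider an $(error ...) on duplicate basenames across the combined list, next to the existing nonexistent-directory check. The new assignment also runs past 80 columns; split it with a backslash like the other lists in this file.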
-- 
2.26.2


* [Buildroot] [PATCH 14/15] package/refpolicy: fix the configure, build and install steps
  2020-07-31 10:10 [Buildroot] [PATCH 00/15] Improve SELinux support Antoine Tenart
                   ` (12 preceding siblings ...)
  2020-07-31 10:10 ` [Buildroot] [PATCH 13/15] package/refpolicy: allow packages to provide their own SELinux modules Antoine Tenart
@ 2020-07-31 10:10 ` Antoine Tenart
  2020-09-04 13:07   ` Thomas Petazzoni
  2020-07-31 10:10 ` [Buildroot] [PATCH 15/15] docs/manual: add a section about SELinux Antoine Tenart
                   ` (2 subsequent siblings)
  16 siblings, 1 reply; 33+ messages in thread
From: Antoine Tenart @ 2020-07-31 10:10 UTC (permalink / raw)
  To: buildroot

The refpolicy configure and build steps were not correctly defined. The
configuration was split between the configure and build steps, while both
the compilation and the installation were done in the install step. Fix
this by moving all the configuration within the configure step and
by adding a call to make in the build step to compile the policy.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
---
 package/refpolicy/refpolicy.mk | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
index 51ac71075fb8..5c100168401c 100644
--- a/package/refpolicy/refpolicy.mk
+++ b/package/refpolicy/refpolicy.mk
@@ -95,7 +95,7 @@ define REFPOLICY_CONFIGURE_SYSTEMD
 endef
 endif
 
-define REFPOLICY_CONFIGURE_CMDS
+define REFPOLICY_CONFIGURE_BUILD
 	$(SED) "/OUTPUT_POLICY/c\OUTPUT_POLICY = $(REFPOLICY_POLICY_VERSION)" \
 		$(@D)/build.conf
 	$(SED) "/MONOLITHIC/c\MONOLITHIC = y" $(@D)/build.conf
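Review bot: REFPOLICY_CONFIGURE_BUILD names a macro that only edits build.conf, yet next to REFPOLICY_BUILD_CMDS it reads like the build step itself; REFPOLICY_CONFIGURE_BUILD_CONF (or REFPOLICY_SET_BUILD_CONF) would say what it does and avoid the confusion when someone later looks for where the policy is compiled.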
@@ -103,13 +103,18 @@ define REFPOLICY_CONFIGURE_CMDS
 	$(REFPOLICY_CONFIGURE_SYSTEMD)
 endef
 
-define REFPOLICY_BUILD_CMDS
+define REFPOLICY_CONFIGURE_CMDS
+	$(REFPOLICY_CONFIGURE_BUILD)
 	$(if $(call qstrip,$(REFPOLICY_EXTRA_MODULES)),\
 		$(REFPOLICY_COPY_MODULES))
-	$(REFPOLICY_MAKE) -C $(@D) DESTDIR=$(STAGING_DIR) bare conf
+	$(REFPOLICY_MAKE) -C $(@D) bare conf
 	$(REFPOLICY_CONFIGURE_MODULES)
 endef
 
+define REFPOLICY_BUILD_CMDS
+	$(REFPOLICY_MAKE) -C $(@D) policy
+endef
+
 define REFPOLICY_INSTALL_STAGING_CMDS
 	$(REFPOLICY_MAKE) -C $(@D) DESTDIR=$(STAGING_DIR) \
 		install-src install-headers
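Review bot: the order inside REFPOLICY_CONFIGURE_CMDS is load-bearing and deserves a comment: `bare` removes the generated modules.conf and `conf` regenerates it from the .te files present in the tree, so REFPOLICY_COPY_MODULES must stay before `$(REFPOLICY_MAKE) -C $(@D) bare conf` (otherwise the copied modules never appear in modules.conf) and REFPOLICY_CONFIGURE_MODULES must stay after it (otherwise its edits are thrown away by the regeneration). A two-line comment above the define saves the next person from "fixing" the order.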
-- 
2.26.2


* [Buildroot] [PATCH 15/15] docs/manual: add a section about SELinux
  2020-07-31 10:10 [Buildroot] [PATCH 00/15] Improve SELinux support Antoine Tenart
                   ` (13 preceding siblings ...)
  2020-07-31 10:10 ` [Buildroot] [PATCH 14/15] package/refpolicy: fix the configure, build and install steps Antoine Tenart
@ 2020-07-31 10:10 ` Antoine Tenart
  2020-07-31 12:15   ` Matthew Weber
  2020-09-04 13:09   ` Thomas Petazzoni
  2020-07-31 17:08 ` [Buildroot] [PATCH 00/15] Improve SELinux support Adam Duskett
  2020-09-04 12:56 ` Thomas Petazzoni
  16 siblings, 2 replies; 33+ messages in thread
From: Antoine Tenart @ 2020-07-31 10:10 UTC (permalink / raw)
  To: buildroot

Add documentation about how to use SELinux in Buildroot, and what the
available mechanisms are to extend and customize the SELinux policy.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
---
 docs/manual/manual.txt          |  2 +
 docs/manual/selinux-support.txt | 66 +++++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+)
 create mode 100644 docs/manual/selinux-support.txt

diff --git a/docs/manual/manual.txt b/docs/manual/manual.txt
index 48de65ee1033..b5cc044805b1 100644
--- a/docs/manual/manual.txt
+++ b/docs/manual/manual.txt
@@ -38,6 +38,8 @@ include::common-usage.txt[]
 
 include::customize.txt[]
 
+include::selinux-support.txt[]
+
 include::faq-troubleshooting.txt[]
 
 include::known-issues.txt[]
diff --git a/docs/manual/selinux-support.txt b/docs/manual/selinux-support.txt
new file mode 100644
index 000000000000..613b1c8f2275
--- /dev/null
+++ b/docs/manual/selinux-support.txt
@@ -0,0 +1,66 @@
+// -*- mode:doc; -*-
+// vim: set syntax=asciidoc:
+
+[[selinux]]
+== Using +SELinux+ in Buildroot
+
+https://selinuxproject.org[SELinux] is a Linux kernel security module enforcing
+access control policies. In addition to the traditional file permissions and
+access control lists, +SELinux+ allows to write rules for users or processes to
+access specific functions of resources (files, sockets...).
+
++SELinux+ has three modes of operating: +Enforcing+, +Permissive+ and
++Disabled+.  If not +Disabled+, the kernel will apply the policy and
+non-authorized actions will be denied in +Enforcing+ mode or logged and reported
+in +Permissive+ mode.  +Permissive+ mode is often used for troubleshooting
+SELinux issues. In Buildroot this is controlled by the
++BR2_PACKAGE_REFPOLICY_POLICY_STATE_*+ configuration options.
+
+By default in Buildroot the +SELinux+ policy is provided by the upstream
+https://github.com/SELinuxProject/refpolicy[refpolicy] project, enabled with
++BR2_PACKAGE_REFPOLICY+.
+
+[[enabling-selinux]]
+=== Enabling SELinux support
+
+To have proper support for +SELinux+ in a Buildroot generated system, the
+following configuration needs to be enabled:
+
+* +BR2_PACKAGE_REFPOLICY+
+* +BR2_PACKAGE_POLICYCOREUTILS+
+
+The Linux kernel configuration must also enable +SELinux+ support with
++CONFIG_SECURITY_SELINUX+, +CONFIG_LSM+ (or using the +lsm+ kernel
+parameter) and extended attributes in filesystems (+CONFIG_EXT2_FS_XATTR+ for
++ext2+, +CONFIG_SQUASHFS_XATTR+ for +squashfs+, etc...).
+
+[[selinux-policy-tweaking]]
+=== SELinux policy tweaking
+
+The +SELinux refpolicy+ contains modules that can be enabled or disabled when
+being built. In Buildroot the non-base modules are disabled by default and ways
+to enable them are provided:
+
+- Packages can enable a list of +SELinux+ modules within the +refpolicy+ with
+  the +<packagename>_SELINUX_MODULES+ variable.
+- Packages can provide additional +SELinux+ modules by putting them (.fc, .if
+  and .te files) in +package/<packagename>/selinux/+.
+- Extra +SELinux+ modules can be added if in directories pointed by the
+  +BR2_REFPOLICY_EXTRA_MODULES_DIRS+ configuration variable.
+- Additional modules in the +refpolicy+ can be enabled if listed in the
+  +BR2_REFPOLICY_EXTRA_MODULES_DEPENDENCIES+ configuration variable.
+
+Buildroot also allows to completely override the +refpolicy+. This allows to
+provide a full custom policy designed specifically for a given system. When
+going this way, all of the above mechanisms are disabled: no extra +SElinux+
+module is added to the policy, and all the available modules within the custom
+policy are enabled and built into the final binary policy. The custom policy
+must be a fork of the official
+https://github.com/SELinuxProject/refpolicy[refpolicy].
+
+In order to fully override the +refpolicy+ the following configuration variables
+have to be set:
+
+- +BR2_PACKAGE_REFPOLICY_CUSTOM_GIT+
+- +BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL+
+- +BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION+
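Review bot: the option named BR2_REFPOLICY_EXTRA_MODULES_DEPENDENCIES in the "SELinux policy tweaking" list does not exist in this series; patch 11 adds it as BR2_REFPOLICY_EXTRA_MODULES (the Config.in hunk in patch 12 shows `config BR2_REFPOLICY_EXTRA_MODULES`), so the manual should use that name. Two further points for this file: Config.in defaults to BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE, which only logs denials, so "Enabling SELinux support" should say explicitly that a deployed system needs the enforcing state selected or the policy is not enforced at all; and the kernel paragraph should mention that kernel options and boot parameters can override the configured state (the point Matthew raises in his reply), not only that the options to enable SELinux must be set. Typos: "+SElinux+" should be "+SELinux+", "allows to write rules" should be "allows writing rules", and "can be added if in directories pointed by" should be "can be added if placed in directories pointed to by".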
-- 
2.26.2


* [Buildroot] [PATCH 15/15] docs/manual: add a section about SELinux
  2020-07-31 10:10 ` [Buildroot] [PATCH 15/15] docs/manual: add a section about SELinux Antoine Tenart
@ 2020-07-31 12:15   ` Matthew Weber
  2020-07-31 12:52     ` Antoine Tenart
  2020-09-04 13:09   ` Thomas Petazzoni
  1 sibling, 1 reply; 33+ messages in thread
From: Matthew Weber @ 2020-07-31 12:15 UTC (permalink / raw)
  To: buildroot

Antoine,


On Fri, Jul 31, 2020 at 5:16 AM Antoine Tenart
<antoine.tenart@bootlin.com> wrote:
>
> Add documentation about how to use SELinux in Buildroot, and what are
> the available mechanisms to extend and customize the SELinux policy.
>
> Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
> ---
>  docs/manual/manual.txt          |  2 +
>  docs/manual/selinux-support.txt | 66 +++++++++++++++++++++++++++++++++
>  2 files changed, 68 insertions(+)
>  create mode 100644 docs/manual/selinux-support.txt
>
> diff --git a/docs/manual/manual.txt b/docs/manual/manual.txt
> index 48de65ee1033..b5cc044805b1 100644
> --- a/docs/manual/manual.txt
> +++ b/docs/manual/manual.txt
> @@ -38,6 +38,8 @@ include::common-usage.txt[]
>
>  include::customize.txt[]
>
> +include::selinux-support.txt[]
> +
>  include::faq-troubleshooting.txt[]
>
>  include::known-issues.txt[]
> diff --git a/docs/manual/selinux-support.txt b/docs/manual/selinux-support.txt
> new file mode 100644
> index 000000000000..613b1c8f2275
> --- /dev/null
> +++ b/docs/manual/selinux-support.txt
> @@ -0,0 +1,66 @@
> +// -*- mode:doc; -*-
> +// vim: set syntax=asciidoc:
> +
> +[[selinux]]
> +== Using +SELinux+ in Buildroot
> +
> +https://selinuxproject.org[SELinux] is a Linux kernel security module enforcing
> +access control policies. In addition to the traditional file permissions and
> +access control lists, +SELinux+ allows to write rules for users or processes to
> +access specific functions of resources (files, sockets...).
> +
> ++SELinux+ has three modes of operating: +Enforcing+, +Permissive+ and
> ++Disabled+.  If not +Disabled+, the kernel will apply the policy and
> +non-authorized actions will be denied in +Enforcing+ mode or logged and reported
> +in +Permissive+ mode.  +Permissive+ mode is often used for troubleshooting
> +SELinux issues. In Buildroot this is controlled by the
> ++BR2_PACKAGE_REFPOLICY_POLICY_STATE_*+ configuration options.

It may be worth also mentioning that the kernel has configuration
options that play into whether the modes are respected.  For example the
kernel could have bootargs set, development mode or the policy disabled.
Maybe just adding a reference to the kernel.org Kconfig would be
enough (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/security/selinux/Kconfig)?

> +
> +By default in Buildroot the +SELinux+ policy is provided by the upstream
> +https://github.com/SELinuxProject/refpolicy[refpolicy] project, enabled with
> ++BR2_PACKAGE_REFPOLICY+.
> +
> +[[enabling-selinux]]
> +=== Enabling SELinux support
> +
> +To have proper support for +SELinux+ in a Buildroot generated system, the
> +following configuration needs to be enabled:
> +
> +* +BR2_PACKAGE_REFPOLICY+
> +* +BR2_PACKAGE_POLICYCOREUTILS+
> +
> +The Linux kernel configuration must also enable +SELinux+ support with
> ++CONFIG_SECURITY_SELINUX+, +CONFIG_LSM+ (or using the +lsm+ kernel
> +parameter) and extended attributes in filesystems (+CONFIG_EXT2_FS_XATTR+ for
> ++ext2+, +CONFIG_SQUASHFS_XATTR+ for +squashfs+, etc...).
> +

It looks like Buildroot via the libselinux package is setting at least the
following, so the user won't have to be concerned with their kernel
support.  Unsure how to tie this into the documentation as the user
won't have to enable more than the filesystem xattrs.  Maybe xattrs
would make sense to globally turn on as well?

define LIBSELINUX_LINUX_CONFIG_FIXUPS
        $(call KCONFIG_ENABLE_OPT,CONFIG_AUDIT)
        $(call KCONFIG_ENABLE_OPT,CONFIG_DEFAULT_SECURITY_SELINUX)
        $(call KCONFIG_ENABLE_OPT,CONFIG_INET)
        $(call KCONFIG_ENABLE_OPT,CONFIG_NET)
        $(call KCONFIG_ENABLE_OPT,CONFIG_SECURITY)
        $(call KCONFIG_ENABLE_OPT,CONFIG_SECURITY_NETWORK)
        $(call KCONFIG_ENABLE_OPT,CONFIG_SECURITY_SELINUX)
endef


Regards,
Matt


* [Buildroot] [PATCH 15/15] docs/manual: add a section about SELinux
  2020-07-31 12:15   ` Matthew Weber
@ 2020-07-31 12:52     ` Antoine Tenart
  2020-07-31 13:15       ` Thomas Petazzoni
  0 siblings, 1 reply; 33+ messages in thread
From: Antoine Tenart @ 2020-07-31 12:52 UTC (permalink / raw)
  To: buildroot

Hello Matthew,

Quoting Matthew Weber (2020-07-31 14:15:50)
> On Fri, Jul 31, 2020 at 5:16 AM Antoine Tenart
> <antoine.tenart@bootlin.com> wrote:
> > +
> > +https://selinuxproject.org[SELinux] is a Linux kernel security module enforcing
> > +access control policies. In addition to the traditional file permissions and
> > +access control lists, +SELinux+ allows to write rules for users or processes to
> > +access specific functions of resources (files, sockets...).
> > +
> > ++SELinux+ has three modes of operating: +Enforcing+, +Permissive+ and
> > ++Disabled+.  If not +Disabled+, the kernel will apply the policy and
> > +non-authorized actions will be denied in +Enforcing+ mode or logged and reported
> > +in +Permissive+ mode.  +Permissive+ mode is often used for troubleshooting
> > +SELinux issues. In Buildroot this is controlled by the
> > ++BR2_PACKAGE_REFPOLICY_POLICY_STATE_*+ configuration options.
> 
> It may be worth also mentioning that the kernel has configuration
> options that play into if the modes are respected.  For example the
> kernel could have bootargs set, development mode or policy disabled.
> Maybe just adding a reference to the kernel.org kconfig would be
> enough (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/security/selinux/Kconfig)?

I think we could mention other Kconfig options are available in the
kernel and may have an impact on the SELinux policy behaviour. There's a
part about the kernel configuration below, I'll add it there.

> > +By default in Buildroot the +SELinux+ policy is provided by the upstream
> > +https://github.com/SELinuxProject/refpolicy[refpolicy] project, enabled with
> > ++BR2_PACKAGE_REFPOLICY+.
> > +
> > +[[enabling-selinux]]
> > +=== Enabling SELinux support
> > +
> > +To have proper support for +SELinux+ in a Buildroot generated system, the
> > +following configuration needs to be enabled:
> > +
> > +* +BR2_PACKAGE_REFPOLICY+
> > +* +BR2_PACKAGE_POLICYCOREUTILS+
> > +
> > +The Linux kernel configuration must also enable +SELinux+ support with
> > ++CONFIG_SECURITY_SELINUX+, +CONFIG_LSM+ (or using the +lsm+ kernel
> > +parameter) and extended attributes in filesystems (+CONFIG_EXT2_FS_XATTR+ for
> > ++ext2+, +CONFIG_SQUASHFS_XATTR+ for +squashfs+, etc...).
> > +
> 
> It looks like Buildroot via libselinux pkg is setting at least the
> following so the user won't have to be concerned with their kernel
> support.

Right. I'll keep this part, but say the configuration should be
magically fixed by libselinux.

> Unsure how to tie this into the documentation as the user won't have
> to enable more then the filesystem xattrs.  Maybe xattrs would make
> sense to globally turn on as well?

That should be possible, I don't know to what extent we want to fix
the kernel configuration. As other SELinux Kconfig options are already
turned on by libselinux, I'd say that could make sense.

Thanks!
Antoine

-- 
Antoine Ténart, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH 15/15] docs/manual: add a section about SELinux
  2020-07-31 12:52     ` Antoine Tenart
@ 2020-07-31 13:15       ` Thomas Petazzoni
  2020-07-31 13:19         ` Matthew Weber
  2020-07-31 13:22         ` Antoine Tenart
  0 siblings, 2 replies; 33+ messages in thread
From: Thomas Petazzoni @ 2020-07-31 13:15 UTC (permalink / raw)
  To: buildroot

On Fri, 31 Jul 2020 14:52:14 +0200
Antoine Tenart <antoine.tenart@bootlin.com> wrote:

> > Unsure how to tie this into the documentation as the user won't have
> > to enable more then the filesystem xattrs.  Maybe xattrs would make
> > sense to globally turn on as well?  
> 
> That should be possible, I don't know to what extend do we want to fix
> the kernel configuration. As other SELinux Kconfig options are already
> turned on by libselinux, I'd say that could make sense.

The problem with xattr is that it is typically a per-filesystem option:

./fs/jffs2/Kconfig:config JFFS2_FS_XATTR
./fs/cifs/Kconfig:config CIFS_XATTR
./fs/f2fs/Kconfig:config F2FS_FS_XATTR
./fs/Kconfig:config TMPFS_XATTR
./fs/reiserfs/Kconfig:config REISERFS_FS_XATTR
./fs/erofs/Kconfig:config EROFS_FS_XATTR
./fs/ext2/Kconfig:config EXT2_FS_XATTR
./fs/squashfs/Kconfig:config SQUASHFS_XATTR
./fs/ubifs/Kconfig:config UBIFS_FS_XATTR

Which one do we enable? All of them, and if the corresponding
filesystem is not enabled, the option will be re-disabled? That's a
possible option, I'm not sure it's really nice but it should work.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH 15/15] docs/manual: add a section about SELinux
  2020-07-31 13:15       ` Thomas Petazzoni
@ 2020-07-31 13:19         ` Matthew Weber
  2020-07-31 13:22         ` Antoine Tenart
  1 sibling, 0 replies; 33+ messages in thread
From: Matthew Weber @ 2020-07-31 13:19 UTC (permalink / raw)
  To: buildroot

Thomas,

On Fri, Jul 31, 2020 at 8:16 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> On Fri, 31 Jul 2020 14:52:14 +0200
> Antoine Tenart <antoine.tenart@bootlin.com> wrote:
>
> > > Unsure how to tie this into the documentation as the user won't have
> > > to enable more then the filesystem xattrs.  Maybe xattrs would make
> > > sense to globally turn on as well?
> >
> > That should be possible, I don't know to what extend do we want to fix
> > the kernel configuration. As other SELinux Kconfig options are already
> > turned on by libselinux, I'd say that could make sense.
>
> The problem with xattr is that it is typically a per-filesystem option:
>
> ./fs/jffs2/Kconfig:config JFFS2_FS_XATTR
> ./fs/cifs/Kconfig:config CIFS_XATTR
> ./fs/f2fs/Kconfig:config F2FS_FS_XATTR
> ./fs/Kconfig:config TMPFS_XATTR
> ./fs/reiserfs/Kconfig:config REISERFS_FS_XATTR
> ./fs/erofs/Kconfig:config EROFS_FS_XATTR
> ./fs/ext2/Kconfig:config EXT2_FS_XATTR
> ./fs/squashfs/Kconfig:config SQUASHFS_XATTR
> ./fs/ubifs/Kconfig:config UBIFS_FS_XATTR
>
> Which one do we enable ? All of them, and if the corresponding
> filesystem is not enabled, the option will be re-disabled ? That's a
> possible option, I'm not sure it's really nice but it should work.
>

Agree, not ideal.  But it does create a bug (funny timing): we
actually just had a review come through internally where the developer
missed enabling JFFS2_FS_XATTR and it resulted in some unnecessary
churn.

Matt


* [Buildroot] [PATCH 15/15] docs/manual: add a section about SELinux
  2020-07-31 13:15       ` Thomas Petazzoni
  2020-07-31 13:19         ` Matthew Weber
@ 2020-07-31 13:22         ` Antoine Tenart
  1 sibling, 0 replies; 33+ messages in thread
From: Antoine Tenart @ 2020-07-31 13:22 UTC (permalink / raw)
  To: buildroot

Hi Thomas,

Quoting Thomas Petazzoni (2020-07-31 15:15:57)
> On Fri, 31 Jul 2020 14:52:14 +0200
> Antoine Tenart <antoine.tenart@bootlin.com> wrote:
> 
> > > Unsure how to tie this into the documentation as the user won't have
> > > to enable more then the filesystem xattrs.  Maybe xattrs would make
> > > sense to globally turn on as well?  
> > 
> > That should be possible, I don't know to what extend do we want to fix
> > the kernel configuration. As other SELinux Kconfig options are already
> > turned on by libselinux, I'd say that could make sense.
> 
> The problem with xattr is that it is typically a per-filesystem option:
> 
> ./fs/jffs2/Kconfig:config JFFS2_FS_XATTR
> ./fs/cifs/Kconfig:config CIFS_XATTR
> ./fs/f2fs/Kconfig:config F2FS_FS_XATTR
> ./fs/Kconfig:config TMPFS_XATTR
> ./fs/reiserfs/Kconfig:config REISERFS_FS_XATTR
> ./fs/erofs/Kconfig:config EROFS_FS_XATTR
> ./fs/ext2/Kconfig:config EXT2_FS_XATTR
> ./fs/squashfs/Kconfig:config SQUASHFS_XATTR
> ./fs/ubifs/Kconfig:config UBIFS_FS_XATTR
> 
> Which one do we enable ? All of them, and if the corresponding
> filesystem is not enabled, the option will be re-disabled ? That's a
> possible option, I'm not sure it's really nice but it should work.

If we do enable xattr support, that's what I had in mind. I agree it's
not a perfect solution.

Thanks!
Antoine

-- 
Antoine Ténart, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

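The two kernel-side checks this sub-thread raises, the SELinux options that LIBSELINUX_LINUX_CONFIG_FIXUPS turns on (Matthew's list above) and the per-filesystem xattr symbols that nobody turns on for you (Thomas's grep of fs/*/Kconfig), can be verified against the finished kernel .config before an image ships. The script below is an added example written for this page; it is not part of the series, of Buildroot or of the refpolicy. It assumes the filesystem types are passed on the command line and uses the xattr symbol list exactly as grepped above, reporting any other type as unknown rather than guessing. It also reads the CONFIG_LSM string the manual patch names: on kernels with CONFIG_LSM, SELinux that is compiled in but missing from that list stays inactive unless the lsm= kernel parameter adds it back. The warnings about CONFIG_SECURITY_SELINUX_BOOTPARAM (selinux=0 on the command line) and CONFIG_SECURITY_SELINUX_DISABLE (runtime disable through /sys/fs/selinux/disable, present in kernels of that era) follow Matthew's remark that kernel options decide whether the configured state is respected. The sample .config is constructed for the demo, not taken from any real build.

```shell
#!/bin/sh
# Added example for this thread, not code from the Buildroot series.
# Checks a Linux .config for what an SELinux-labelled Buildroot image needs:
# the options the manual patch and LIBSELINUX_LINUX_CONFIG_FIXUPS name, selinux
# in the CONFIG_LSM boot order, and one xattr symbol per filesystem in use.
# The filesystem names accepted below and the --demo switch are assumptions of
# this script; the symbol list is the one grepped from fs/*/Kconfig above.

# xattr_symbol_for_fs FS_TYPE: print the per-filesystem xattr symbol, or
# nothing when no separate symbol is known for that type.
xattr_symbol_for_fs() {
    case "$1" in
        jffs2)    echo CONFIG_JFFS2_FS_XATTR ;;
        cifs)     echo CONFIG_CIFS_XATTR ;;
        f2fs)     echo CONFIG_F2FS_FS_XATTR ;;
        tmpfs)    echo CONFIG_TMPFS_XATTR ;;
        reiserfs) echo CONFIG_REISERFS_FS_XATTR ;;
        erofs)    echo CONFIG_EROFS_FS_XATTR ;;
        ext2)     echo CONFIG_EXT2_FS_XATTR ;;
        squashfs) echo CONFIG_SQUASHFS_XATTR ;;
        ubifs)    echo CONFIG_UBIFS_FS_XATTR ;;
    esac
}

# kconfig_enabled CONFIG SYMBOL: true when the exact line "SYMBOL=y" is present.
kconfig_enabled() {
    grep -qxF "$2=y" "$1"
}

# lsm_list_has_selinux CONFIG: true when the CONFIG_LSM string lists selinux.
# CONFIG_LSM is the boot-time LSM order; SELinux compiled in but absent from it
# stays inactive unless the lsm= kernel parameter adds it back.
lsm_list_has_selinux() {
    grep '^CONFIG_LSM=' "$1" | tr -d '"' | cut -d= -f2 | tr ',' '\n' | grep -qx selinux
}

# selinux_kconfig_check CONFIG FS_TYPE...: print "missing: ..." for every
# required option that is not =y, "unknown: ..." for a filesystem type with no
# known xattr symbol, and "warning: ..." for knobs that let SELinux be switched
# off after the image is built. Returns 0 only when nothing is missing.
selinux_kconfig_check() {
    config="$1"
    shift
    missing=0
    # Options from the manual text and from LIBSELINUX_LINUX_CONFIG_FIXUPS.
    for sym in CONFIG_SECURITY CONFIG_SECURITY_NETWORK CONFIG_AUDIT \
               CONFIG_SECURITY_SELINUX; do
        kconfig_enabled "$config" "$sym" || { echo "missing: $sym"; missing=1; }
    done
    lsm_list_has_selinux "$config" || { echo "missing: selinux in CONFIG_LSM"; missing=1; }
    # One xattr symbol per filesystem the image actually mounts.
    for fs in "$@"; do
        sym=$(xattr_symbol_for_fs "$fs")
        if [ -z "$sym" ]; then
            echo "unknown: no per-filesystem xattr symbol known for $fs, verify by hand"
            continue
        fi
        kconfig_enabled "$config" "$sym" || { echo "missing: $sym ($fs)"; missing=1; }
    done
    # Kernel knobs that override the configured SELinux state on the target.
    for sym in CONFIG_SECURITY_SELINUX_BOOTPARAM CONFIG_SECURITY_SELINUX_DISABLE; do
        if kconfig_enabled "$config" "$sym"; then
            echo "warning: $sym=y allows SELinux to be turned off on the target"
        fi
    done
    return $missing
}

# write_sample_config PATH: a constructed .config (not from any real build) for
# an ext2 + squashfs image whose kernel forgot SQUASHFS_XATTR and left the
# selinux= boot parameter enabled.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_NET=y
CONFIG_INET=y
CONFIG_AUDIT=y
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_LSM="lockdown,yama,selinux,bpf"
CONFIG_EXT2_FS=y
CONFIG_EXT2_FS_XATTR=y
CONFIG_SQUASHFS=y
# CONFIG_SQUASHFS_XATTR is not set
EOF
}

# Stand-alone use: --demo runs the check on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_config "$tmp"
    selinux_kconfig_check "$tmp" ext2 squashfs
    rc=$?
    rm -f "$tmp"
    exit $rc
fi
```

`sh selinux_kconfig_check.sh --demo` fails the sample on the missing CONFIG_SQUASHFS_XATTR and warns about the boot parameter. For a real build, source the file and call `selinux_kconfig_check output/build/linux-*/.config <fs-type>...` with every filesystem the image mounts; a filesystem reported as unknown is not a pass, it means the xattr symbol for that type has to be looked up by hand.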

* [Buildroot] [PATCH 00/15] Improve SELinux support
  2020-07-31 10:10 [Buildroot] [PATCH 00/15] Improve SELinux support Antoine Tenart
                   ` (14 preceding siblings ...)
  2020-07-31 10:10 ` [Buildroot] [PATCH 15/15] docs/manual: add a section about SELinux Antoine Tenart
@ 2020-07-31 17:08 ` Adam Duskett
  2020-07-31 20:48   ` Adam Duskett
  2020-08-01  8:05   ` Antoine Tenart
  2020-09-04 12:56 ` Thomas Petazzoni
  16 siblings, 2 replies; 33+ messages in thread
From: Adam Duskett @ 2020-07-31 17:08 UTC (permalink / raw)
  To: buildroot

Hello;

On Fri, Jul 31, 2020 at 3:15 AM Antoine Tenart
<antoine.tenart@bootlin.com> wrote:
>
> Hi all,
>
> This series aims at providing proper SELinux support in Buildroot. Some
> of the building blocks were available, such as packages for refpolicy,
> policycoreutils or libselinux; but getting to a point were a generated
> image could be used with a loaded SELinux policy was not
> straightforward. The series also adds support for customizing the
> SELinux policy through various ways.
>
I have been meaning to do this for a very long time! Thank you for going
through this hassle for me!


> The first missing block was the ability to generate an SELinux-ready
> image. SELinux depends on files' extended attributes, set based on the
> policy. Those attributes could be set from within a running system with
> the restorecon utility but that meant we had to special case the first
> boot. That also prevented to build an image with SELinux in enforcing
> mode as the first boot would have failed. This is fixed by setting and
> copying files' extended attributes when generating filesystem images.
> See patches 1 to 3.

I have been bothered by this for years as well, and this is a great first
step.

>
> Then more control is provided over what is included in the refpolicy. By
> default the refpolicy provides lots of modules and rules for many
> packages. All of those packages are not necessarily part of the target
> system but all are built, resulting in a large monolithic policy and
> lots of unused rules. We reworked the refpolicy to only include by
> default 'base' modules and a small list of always-needed others. The
> result is a much smaller binary policy. See patch 4.
>
> On top of the more minimal SELinux policy, ways are provided in patches
> 5 to 14 to enable or provide extra modules. That allows to:
>
> - Enable modules provided within the refpolicy from Buildroot packages
>   so that the resulting policy does include all the required rules. For
>   example, the dbus Buildroot packages enable the 'dbus' SELinux module
>   available in the refpolicy.

Excellent idea!
>
> - Provide extra SELinux modules to be built in the policy, from
>   Buildroot packages.

This was a huge feature I also wanted to provide, as there are several
packages that will need custom support such as the login application. (iirc)

>
> - Enable modules available in the refpolicy from the Buildroot
>   configuration.
>
> - Provide extra modules in user-defined folders.
>
> - Override the location of the refpolicy source and all of the above
>   mechanisms, as when designing a fully custom system, one could want to
>   provide a fully custom SELinux policy.
>

Any chance of supporting a modular policy in the future? :)

> Finally, the documentation is updated in patch 15 to explain how to use
> SELinux within Buildroot.
>
Perhaps a test-case would be in order as well?

> Thanks!
> Antoine
>

Overall, this is a wonderful, long-needed patch series which I am incredibly
excited to review!

I will provide feedback hopefully by the end of today!

Adam

> Antoine Tenart (15):
>   package/e2fsprogs: set xattrs for the root dir as well
>   fs/common.mk: set SELinux file security contexts
>   fs/common.mk: move down ROOTFS_REPRODUCIBLE for consistency
>   package/refpolicy: smaller monolithic policy
>   package/refpolicy: allow packages to select SELinux modules
>   package/systemd: select SELinux modules
>   package/dbus: select SELinux module
>   package/util-linux: select SELinux module
>   package/e2fsprogs: select SELinux module
>   package/refpolicy: allow providing user defined modules
>   package/refpolicy: allow selecting additional modules
>   package/refpolicy: allow to provide a custom refpolicy
>   package/refpolicy: allow packages to provide their own SELinux modules
>   package/refpolicy: fix the configure, build and install steps
>   docs/manual: add a section about SELinux
>
>  docs/manual/manual.txt                        |  2 +
>  docs/manual/selinux-support.txt               | 66 ++++++++++++++++
>  fs/common.mk                                  | 23 ++++--
>  package/dbus/dbus.mk                          |  2 +
>  ...-xattrs-to-the-root-directory-as-wel.patch | 46 +++++++++++
>  package/e2fsprogs/e2fsprogs.mk                |  2 +
>  package/pkg-generic.mk                        |  6 ++
>  package/refpolicy/Config.in                   | 54 +++++++++++++
>  package/refpolicy/refpolicy.mk                | 78 +++++++++++++++++--
>  package/systemd/systemd.mk                    |  2 +
>  package/util-linux/util-linux.mk              |  4 +
>  11 files changed, 274 insertions(+), 11 deletions(-)
>  create mode 100644 docs/manual/selinux-support.txt
>  create mode 100644 package/e2fsprogs/0001-create_inode-set-xattrs-to-the-root-directory-as-wel.patch
>
> --
> 2.26.2
>


* [Buildroot] [PATCH 00/15] Improve SELinux support
  2020-07-31 17:08 ` [Buildroot] [PATCH 00/15] Improve SELinux support Adam Duskett
@ 2020-07-31 20:48   ` Adam Duskett
  2020-08-01  8:12     ` Antoine Tenart
  2020-08-01  8:05   ` Antoine Tenart
  1 sibling, 1 reply; 33+ messages in thread
From: Adam Duskett @ 2020-07-31 20:48 UTC (permalink / raw)
  To: buildroot

All;

After some testing I figured I would give my thoughts:

1) with this patch series it seems like host-systemd breaks with several
"src/shared/libsystemd-shared-245.so: undefined reference to
`$SELINUX_MODULE'" errors.

The easy fix is to explicitly set -Dselinux=disabled in the
HOST_SYSTEMD_CONF_OPTS.


2) As I thought, there are several packages that are still broken when
selinux is enabled. I know the original goal of this project is not to
fix these packages, but if you are interested, here is a quick .te output
I made from audit2allow on my Fedora 32 system (which is why there are
several "allowed in the current policy" warnings).

module foo 1.0;

require {
type sysctl_kernel_t;
type sysctl_t;
type system_dbusd_t;
type bin_t;
type init_t;
type net_conf_t;
type systemd_networkd_t;
type getty_t;
type local_login_t;
type initrc_t;
type var_run_t;
class process2 nnp_transition;
class dir { add_name getattr open read search write };
class unix_stream_socket connectto;
class file { create execute lock open read write };
}

#============= getty_t ==============

#!!!! This avc is allowed in the current policy
allow getty_t init_t:unix_stream_socket connectto;

#!!!! This avc is allowed in the current policy
allow getty_t sysctl_kernel_t:dir search;

#!!!! This avc is allowed in the current policy
allow getty_t sysctl_kernel_t:file { open read };

#!!!! This avc is allowed in the current policy
allow getty_t sysctl_t:dir search;

#============= init_t ==============

#!!!! This avc is allowed in the current policy
allow init_t initrc_t:process2 nnp_transition;

#============= local_login_t ==============

#!!!! This avc is allowed in the current policy
allow local_login_t bin_t:file execute;

#!!!! This avc is allowed in the current policy
allow local_login_t var_run_t:dir { add_name write };
allow local_login_t var_run_t:file { create lock open read write };

#============= system_dbusd_t ==============

#!!!! This avc is allowed in the current policy
allow system_dbusd_t init_t:unix_stream_socket connectto;

#============= systemd_networkd_t ==============

#!!!! This avc is allowed in the current policy
allow systemd_networkd_t net_conf_t:dir { getattr open read search };

#!!!! This avc is allowed in the current policy
allow systemd_networkd_t var_run_t:dir read;


We should probably look into creating selinux policies for Getty,
init, login, dbus, and networkd. If we don't, then setting selinux to
enforcing mode by default will result in an unusable system where a
user won't even be able to log in!

Thanks again for the patch series! Other than the systemd issue,
everything looks great!

Adam

On Fri, Jul 31, 2020 at 10:08 AM Adam Duskett <aduskett@gmail.com> wrote:
>
> Hello;
>
> On Fri, Jul 31, 2020 at 3:15 AM Antoine Tenart
> <antoine.tenart@bootlin.com> wrote:
> >
> > Hi all,
> >
> > This series aims at providing proper SELinux support in Buildroot. Some
> > of the building blocks were available, such as packages for refpolicy,
> > policycoreutils or libselinux; but getting to a point were a generated
> > image could be used with a loaded SELinux policy was not
> > straightforward. The series also adds support for customizing the
> > SELinux policy through various ways.
> >
> I have been meaning to do this for a very long time! Thank you for going
> through this hassle for me!
>
>
> > The first missing block was the ability to generate an SELinux-ready
> > image. SELinux depends on files' extended attributes, set based on the
> > policy. Those attributes could be set from within a running system with
> > the restorecon utility but that meant we had to special case the first
> > boot. That also prevented to build an image with SELinux in enforcing
> > mode as the first boot would have failed. This is fixed by setting and
> > copying files' extended attributes when generating filesystem images.
> > See patches 1 to 3.
>
> I have been bothered by this for years as well, and this is a great first
> step.
>
> >
> > Then more control is provided over what is included in the refpolicy. By
> > default the refpolicy provides lots of modules and rules for many
> > packages. All of those packages are not necessarily part of the target
> > system but all are built, resulting in a large monolithic policy and
> > lots of unused rules. We reworked the refpolicy to only include by
> > default 'base' modules and a small list of always-needed others. The
> > result is a much smaller binary policy. See patch 4.
> >
> > On top of the more minimal SELinux policy, ways are provided in patches
> > 5 to 14 to enable or provide extra modules. That allows to:
> >
> > - Enable modules provided within the refpolicy from Buildroot packages
> >   so that the resulting policy does include all the required rules. For
> >   example, the dbus Buildroot packages enable the 'dbus' SELinux module
> >   available in the refpolicy.
>
> Excellent idea!
> >
> > - Provide extra SELinux modules to be built in the policy, from
> >   Buildroot packages.
>
> This was a huge feature I also wanted to provide, as there are several
> packages that will need custom support such as the login application. (iirc)
>
> >
> > - Enable modules available in the refpolicy from the Buildroot
> >   configuration.
> >
> > - Provide extra modules in user-defined folders.
> >
> > - Override the location of the refpolicy source and all of the above
> >   mechanisms, as when designing a fully custom system, one could want to
> >   provide a fully custom SELinux policy.
> >
>
> Any chance of supporting a modular policy in the future? :)
>
> > Finally, the documentation is updated in patch 15 to explain how to use
> > SELinux within Buildroot.
> >
> Perhaps a test-case would be in order as well?
>
> > Thanks!
> > Antoine
> >
>
> Overall, this is a wonderful, long-needed patch series of which I am incredibly
> excited to review!
>
> I will provide feedback hopefully by the end of today!
>
> Adam
>
> > Antoine Tenart (15):
> >   package/e2fsprogs: set xattrs for the root dir as well
> >   fs/common.mk: set SELinux file security contexts
> >   fs/common.mk: move down ROOTFS_REPRODUCIBLE for consistency
> >   package/refpolicy: smaller monolithic policy
> >   package/refpolicy: allow packages to select SELinux modules
> >   package/systemd: select SELinux modules
> >   package/dbus: select SELinux module
> >   package/util-linux: select SELinux module
> >   package/e2fsprogs: select SELinux module
> >   package/refpolicy: allow providing user defined modules
> >   package/refpolicy: allow selecting additional modules
> >   package/refpolicy: allow to provide a custom refpolicy
> >   package/refpolicy: allow packages to provide their own SELinux modules
> >   package/refpolicy: fix the configure, build and install steps
> >   docs/manual: add a section about SELinux
> >
> >  docs/manual/manual.txt                        |  2 +
> >  docs/manual/selinux-support.txt               | 66 ++++++++++++++++
> >  fs/common.mk                                  | 23 ++++--
> >  package/dbus/dbus.mk                          |  2 +
> >  ...-xattrs-to-the-root-directory-as-wel.patch | 46 +++++++++++
> >  package/e2fsprogs/e2fsprogs.mk                |  2 +
> >  package/pkg-generic.mk                        |  6 ++
> >  package/refpolicy/Config.in                   | 54 +++++++++++++
> >  package/refpolicy/refpolicy.mk                | 78 +++++++++++++++++--
> >  package/systemd/systemd.mk                    |  2 +
> >  package/util-linux/util-linux.mk              |  4 +
> >  11 files changed, 274 insertions(+), 11 deletions(-)
> >  create mode 100644 docs/manual/selinux-support.txt
> >  create mode 100644 package/e2fsprogs/0001-create_inode-set-xattrs-to-the-root-directory-as-wel.patch
> >
> > --
> > 2.26.2
> >

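Adam's audit2allow output above is the raw form of what a permissive boot logs, and the temptation is to merge it as-is. The following is an added example, not code from the Buildroot series and not audit2allow itself: it does the same grouping from audit records (source type, target type, class, union of permissions) and then flags the rules a reviewer should not accept as a plain allow, because permissions such as execute or nnp_transition widen what a domain can run rather than what it can read, and the usual fix there is a domain transition in a proper module. The audit lines are constructed to resemble the getty_t and local_login_t denials in the post, not a real capture, and REVIEW_PERMS is this example's own heuristic.

```python
"""Turn raw AVC denials into a reviewable SELinux .te module.

Added example, not code from the Buildroot series and not audit2allow:
it performs the same grouping (source type, target type, class -> set of
permissions) that audit2allow does, then flags rules a reviewer should
not merge as a plain 'allow'.  REVIEW_PERMS is this example's own
heuristic, and the audit lines below are constructed to resemble the
getty_t / local_login_t denials in the post, not a real capture.
"""
import re
from collections import defaultdict

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Permissions that change what a domain may run or relabel, rather than
# what data it may read: the right fix is usually a domain transition or
# a proper module, not the raw allow audit2allow would print.
REVIEW_PERMS = {
    "execute", "execute_no_trans", "entrypoint", "transition",
    "nnp_transition", "nosuid_transition", "relabelfrom", "relabelto",
    "setattr", "connectto",
}

def context_type(ctx):
    """user:role:type[:level] -> type."""
    return ctx.split(":")[2]

def parse_avc(lines):
    """Group denials: (source type, target type, class) -> set of perms."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:                       # USER_AUTH, SYSCALL, ... records
            continue
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)

def build_module(name, rules, version="1.0"):
    """Render the module in the layout audit2allow uses: require block, allows."""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    for cls in sorted(classes):
        out.append(f"\tclass {cls} {{ {' '.join(sorted(classes[cls]))} }};")
    out += ["}", ""]
    for src, tgt, cls in sorted(rules):
        perms = sorted(rules[(src, tgt, cls)])
        p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{cls} {p};")
    return "\n".join(out) + "\n"

def flag_for_review(rules):
    """Rule keys whose permissions intersect REVIEW_PERMS."""
    return sorted(k for k, perms in rules.items() if perms & REVIEW_PERMS)

# Constructed sample of what a permissive first boot might log.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1596200000.101:12): avc:  denied  { search } for  pid=180 comm="getty" name="kernel" dev="proc" ino=1 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1596200000.102:13): avc:  denied  { open read } for  pid=180 comm="getty" path="/proc/sys/kernel/osrelease" dev="proc" ino=2 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1596200000.103:14): avc:  denied  { execute } for  pid=201 comm="login" path="/bin/sh" dev="vda" ino=77 scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1596200000.104:15): avc:  denied  { write } for  pid=201 comm="login" name="run" dev="tmpfs" ino=9 scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1596200000.105:16): avc:  denied  { add_name } for  pid=201 comm="login" name="run" dev="tmpfs" ino=9 scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1',
    "type=USER_AUTH msg=audit(1596200000.106:17): pid=201 uid=0 msg='op=PAM:authentication res=success'",
]

if __name__ == "__main__":
    rules = parse_avc(SAMPLE_AUDIT)
    print(build_module("buildroot_local", rules))
    for src, tgt, cls in flag_for_review(rules):
        print(f"# REVIEW: allow {src} {tgt}:{cls} widens privilege; "
              "prefer a domain transition over a raw allow")
```

Run it against `ausearch -m avc` output (or the audit.log of a permissive boot) instead of SAMPLE_AUDIT to get the same shape of module Adam posted, with the flagged rules separated out for a human decision before anything goes into BR2_REFPOLICY_EXTRA_MODULES_DIRS.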

* [Buildroot] [PATCH 00/15] Improve SELinux support
  2020-07-31 17:08 ` [Buildroot] [PATCH 00/15] Improve SELinux support Adam Duskett
  2020-07-31 20:48   ` Adam Duskett
@ 2020-08-01  8:05   ` Antoine Tenart
  1 sibling, 0 replies; 33+ messages in thread
From: Antoine Tenart @ 2020-08-01  8:05 UTC (permalink / raw)
  To: buildroot

Hi Adam,

Quoting Adam Duskett (2020-07-31 19:08:12)
> On Fri, Jul 31, 2020 at 3:15 AM Antoine Tenart
> <antoine.tenart@bootlin.com> wrote:
> >
> > - Override the location of the refpolicy source and all of the above
> >   mechanisms, as when designing a fully custom system, one could want to
> >   provide a fully custom SELinux policy.
> 
> Any chance of supporting a modular policy in the future? :)

I don't have such plans for now, but if someone wants to tackle this I
believe it should be doable.

Out of curiosity, what would be the use case of having a modular policy
on a Buildroot generated image where packages can't be installed at
runtime?

> > Finally, the documentation is updated in patch 15 to explain how to use
> > SELinux within Buildroot.
> >
> Perhaps a test-case would be in order as well?

Yes, I'll send another series with an example qemu selinux defconfig and
new SELinux tests after this one.

> Overall, this is a wonderful, long-needed patch series of which I am
> incredibly excited to review!

Thanks!
Antoine

-- 
Antoine Ténart, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH 00/15] Improve SELinux support
  2020-07-31 20:48   ` Adam Duskett
@ 2020-08-01  8:12     ` Antoine Tenart
  0 siblings, 0 replies; 33+ messages in thread
From: Antoine Tenart @ 2020-08-01  8:12 UTC (permalink / raw)
  To: buildroot

Hi Adam,

Quoting Adam Duskett (2020-07-31 22:48:13)
> 
> After some testing I figured I would give my thoughts:
> 
> 1) with this patch series it seems like host-systemd breaks with several
> "src/shared/libsystemd-shared-245.so: undefined reference to
> `$SELINUX_MODULE'" errors.
> 
> The easy fix is to explicitly set -Dselinux=disabled in the
> HOST_SYSTEMD_CONF_OPTS.

I didn't run into this one, but I'll try reproducing it.

> 2) As I thought, there are several packages that are broken when
> selinux is enabled still. I know the original goal of this project is
> not to fix these packages, but if you are interested, here is a quick
> .te output I made from audit2allow on my Fedora32 system (which is why
> there are several "allowed in the current policy" warnings).

Thanks! I also have made such a module on my side, to test images in
enforcing mode. I'm trying to see what could go in the upstream
refpolicy and what would need to be in "out-of-tree" modules.

In any case, fixing all of those denied actions would be really nice.

Thanks!
Antoine

-- 
Antoine Ténart, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH 00/15] Improve SELinux support
  2020-07-31 10:10 [Buildroot] [PATCH 00/15] Improve SELinux support Antoine Tenart
                   ` (15 preceding siblings ...)
  2020-07-31 17:08 ` [Buildroot] [PATCH 00/15] Improve SELinux support Adam Duskett
@ 2020-09-04 12:56 ` Thomas Petazzoni
  16 siblings, 0 replies; 33+ messages in thread
From: Thomas Petazzoni @ 2020-09-04 12:56 UTC (permalink / raw)
  To: buildroot

Hello Antoine,

On Fri, 31 Jul 2020 12:10:25 +0200
Antoine Tenart <antoine.tenart@bootlin.com> wrote:

> Antoine Tenart (15):
>   package/e2fsprogs: set xattrs for the root dir as well
>   fs/common.mk: set SELinux file security contexts
>   fs/common.mk: move down ROOTFS_REPRODUCIBLE for consistency
>   package/refpolicy: smaller monolithic policy
>   package/refpolicy: allow packages to select SELinux modules
>   package/systemd: select SELinux modules
>   package/dbus: select SELinux module
>   package/util-linux: select SELinux module
>   package/e2fsprogs: select SELinux module
>   package/refpolicy: allow providing user defined modules
>   package/refpolicy: allow selecting additional modules
>   package/refpolicy: allow to provide a custom refpolicy
>   package/refpolicy: allow packages to provide their own SELinux modules
>   package/refpolicy: fix the configure, build and install steps
>   docs/manual: add a section about SELinux

Thanks for this work! Since there was positive feedback from Adam, and
no other feedback, and the patch series was there for more than a
month, I applied it.

I did quite a few changes in some of the patches. I will reply
individually to those patches. For the other patches, if I'm not making
any comments, it means I applied them as-is, or with changes that are
so small and trivial that they are not worth mentioning.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH 02/15] fs/common.mk: set SELinux file security contexts
  2020-07-31 10:10 ` [Buildroot] [PATCH 02/15] fs/common.mk: set SELinux file security contexts Antoine Tenart
@ 2020-09-04 12:58   ` Thomas Petazzoni
  0 siblings, 0 replies; 33+ messages in thread
From: Thomas Petazzoni @ 2020-09-04 12:58 UTC (permalink / raw)
  To: buildroot

Hello,

On Fri, 31 Jul 2020 12:10:27 +0200
Antoine Tenart <antoine.tenart@bootlin.com> wrote:

> +ifeq ($(BR2_PACKAGE_REFPOLICY)$(BR2_PACKAGE_POLICYCOREUTILS),yy)

In fact, BR2_PACKAGE_POLICYCOREUTILS=y is not at all a requirement for
a working SELinux system. While host-policycoreutils is needed to have
the setfiles utility that you use below, having policycoreutils on the
target is not needed. So I've simplified this condition to:

ifeq ($(BR2_PACKAGE_REFPOLICY),y)

> +define ROOTFS_SELINUX
> +	$(HOST_DIR)/sbin/setfiles -m -r $(TARGET_DIR) \
> +		-c $(TARGET_DIR)/etc/selinux/targeted/policy/policy.$(BR2_PACKAGE_LIBSEPOL_POLICY_VERSION) \
> +		$(TARGET_DIR)/etc/selinux/targeted/contexts/files/file_contexts \
> +		$(TARGET_DIR)
> +endef
> +ROOTFS_COMMON_DEPENDENCIES += refpolicy host-policycoreutils
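Review bot: the policy name `targeted` is hard-coded in both paths passed to setfiles (`policy/policy.$(BR2_PACKAGE_LIBSEPOL_POLICY_VERSION)` and `contexts/files/file_contexts`), while patch 12 of this series lets the user provide a custom refpolicy; a policy installed under another name makes this step fail on a missing file_contexts. Take the directory from one variable shared with the refpolicy package (a hypothetical `$(REFPOLICY_POLICY_NAME)`, say) instead of repeating the literal in fs/common.mk. The `-c` option is the right call and deserves a comment in the hunk: it validates every context in file_contexts against the binary policy, so an .fc entry naming a type the built policy does not define breaks the build here rather than yielding a mislabelled file on the device.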

While it doesn't hurt, I don't think it makes sense to have "refpolicy"
in the dependencies here. Indeed, all this rootfs creation logic
happens after all packages have been built. Due to the
BR2_PACKAGE_REFPOLICY=y condition above, we know refpolicy is enabled,
and therefore it has already been built prior to the rootfs being
generated.

The ROOTFS_xyz_DEPENDENCIES are mainly useful for dependencies on host
tools that are needed to generate the root filesystem. Which is the
case here with host-policycoreutils. So I've simplified to:

ROOTFS_COMMON_DEPENDENCIES += host-policycoreutils

Applied with those changes. Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

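The setfiles call discussed above is the moment the image's labels are decided, so it is worth being able to check its result on the host before booting. The following is an added example, not code from the Buildroot series or from libselinux: a minimal file_contexts resolver that reports the context each path of a rootfs tree would receive and which paths only hit the catch-all `/.*` rule (the policy has no spec for them, which on the device means `default_t`). It assumes the libselinux behaviour that every spec is anchored at both ends and, when several match, the last one in the file wins, and that `<<none>>` leaves the path unlabelled; the file_contexts excerpt and the tree are constructed.

```python
"""Compute the label setfiles will give each file of a rootfs tree from a
file_contexts file, before any image is generated.

Added example, not code from the Buildroot series or from libselinux: it
reproduces the lookup that 'setfiles -r $(TARGET_DIR) ... file_contexts
$(TARGET_DIR)' performs per path, so a build step can report files that
only hit the catch-all rule without booting the image.  The file_contexts
text and the tree below are constructed.  Assumption: as in libselinux,
every regex is anchored at both ends and, when several specs match, the
*last* one in the file wins (refpolicy orders specs so the most specific
come last).
"""
import re
import stat

# file_contexts type letters -> predicate on st_mode
FILE_TYPES = {
    "--": stat.S_ISREG, "-d": stat.S_ISDIR, "-l": stat.S_ISLNK,
    "-c": stat.S_ISCHR, "-b": stat.S_ISBLK, "-s": stat.S_ISSOCK,
    "-p": stat.S_ISFIFO,
}

def parse_file_contexts(text):
    """[(anchored regex, type letter or None, context or None)] in file order."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            path_re, ftype, ctx = parts
        elif len(parts) == 2:
            path_re, ctx = parts
            ftype = None
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        if ftype is not None and ftype not in FILE_TYPES:
            raise ValueError(f"unknown file type {ftype!r} in {raw!r}")
        # '<<none>>' tells setfiles to leave the path unlabelled
        specs.append((re.compile("^(?:" + path_re + ")$"),
                      ftype, None if ctx == "<<none>>" else ctx))
    return specs

def lookup(specs, path, mode):
    """Context for a rootfs-relative path (leading '/') with st_mode 'mode'."""
    for regex, ftype, ctx in reversed(specs):        # last match wins
        if ftype is not None and not FILE_TYPES[ftype](mode):
            continue
        if regex.match(path):
            return ctx
    return None

def label_tree(specs, tree):
    """{path: context} for an iterable of (path, st_mode) pairs."""
    return {path: lookup(specs, path, mode) for path, mode in tree}

def fallthrough(labels, catch_all="system_u:object_r:default_t:s0"):
    """Paths the policy knows nothing about: they only matched the '/.*' rule."""
    return sorted(p for p, ctx in labels.items() if ctx == catch_all)

# Constructed excerpt in refpolicy's file_contexts format (not the real file).
SAMPLE_FILE_CONTEXTS = """
/.*                 system_u:object_r:default_t:s0
/                -d system_u:object_r:root_t:s0
/bin(/.*)?          system_u:object_r:bin_t:s0
/bin/login       -- system_u:object_r:login_exec_t:s0
/etc(/.*)?          system_u:object_r:etc_t:s0
/etc/shadow.*    -- system_u:object_r:shadow_t:s0
/proc            -d <<none>>
"""

# Constructed stand-in for os.walk() over $(TARGET_DIR): (path, st_mode).
SAMPLE_TREE = [
    ("/", stat.S_IFDIR | 0o755),
    ("/bin", stat.S_IFDIR | 0o755),
    ("/bin/login", stat.S_IFREG | 0o755),
    ("/bin/sh", stat.S_IFLNK | 0o777),          # symlink: '--' specs do not apply
    ("/etc/shadow", stat.S_IFREG | 0o600),
    ("/etc/shadow-", stat.S_IFREG | 0o600),
    ("/proc", stat.S_IFDIR | 0o555),
    ("/usr/lib/libc.so", stat.S_IFREG | 0o644),
]

if __name__ == "__main__":
    labels = label_tree(parse_file_contexts(SAMPLE_FILE_CONTEXTS), SAMPLE_TREE)
    for path, ctx in labels.items():
        print(f"{path:20} {ctx or '(left unlabelled)'}")
    print("no specific rule:", fallthrough(labels))
```

Feeding it the real `$(TARGET_DIR)/etc/selinux/<name>/contexts/files/file_contexts` and an `os.walk()` of `$(TARGET_DIR)` (paths made relative to the target root, as the `-r` option does) gives a build-time list of everything that would boot as `default_t`, which is the list to fix in .fc files before turning on Enforcing.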

* [Buildroot] [PATCH 10/15] package/refpolicy: allow providing user defined modules
  2020-07-31 10:10 ` [Buildroot] [PATCH 10/15] package/refpolicy: allow providing user defined modules Antoine Tenart
@ 2020-09-04 13:05   ` Thomas Petazzoni
  2020-09-04 15:00     ` Antoine Tenart
  0 siblings, 1 reply; 33+ messages in thread
From: Thomas Petazzoni @ 2020-09-04 13:05 UTC (permalink / raw)
  To: buildroot

Hello,

On Fri, 31 Jul 2020 12:10:35 +0200
Antoine Tenart <antoine.tenart@bootlin.com> wrote:

> +config BR2_REFPOLICY_EXTRA_MODULES_DIRS
> +	string "Extra modules directories"
> +	help
> +	  Specify directories containing SELinux modules that will be build
> +	  in the SELinux policy. The modules will be automatically enabled in
> +	  the policy.
> +
> +	  Each of those directories must contain the SELinux policy .fc, .if
> +	  and .te files directly at the top-level, with no sub-directories.
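Review bot: 'will be build in the SELinux policy' should read 'will be built into the SELinux policy'. The help text also has to say how several directories are separated: the `$(foreach d,$(call qstrip,...))` in refpolicy.mk splits the value on whitespace, so the list is space-separated and a path containing a space cannot be given at all; state both here rather than leaving users to find out from the build error.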

I've slightly tweaked the help text here:

+config BR2_REFPOLICY_EXTRA_MODULES_DIRS
+       string "Extra modules directories"
+       help
+         Specify a space-separated list of directories containing
+         SELinux modules that will be built into the SELinux
+         policy. The modules will be automatically enabled in the
+         policy.
+
+         Each of those directories must contain the SELinux policy
+         .fc, .if and .te files directly at the top-level, with no
+         sub-directories. Also, you cannot have several modules with
+         the same name in different directories.

Also, I think your lines were too long, causing "make check-package"
warnings.

> -	$(PACKAGES_SELINUX_MODULES)
> +	$(PACKAGES_SELINUX_MODULES) \
> +	$(foreach d,$(call qstrip,$(REFPOLICY_EXTRA_MODULES)),\
> +		$(basename $(notdir $(wildcard $(d)/*.te))))
> +
> +# Allow to provide out-of-tree SELinux modules in addition to the ones in the
> +# refpolicy.
> +REFPOLICY_EXTRA_MODULES = $(BR2_REFPOLICY_EXTRA_MODULES_DIRS)

It was a bit silly to not do the qstrip here once for all, and use that
everywhere else. Also, the variable name REFPOLICY_EXTRA_MODULES wasn't
so good, since it really contains a list of directories, not a list of
modules.

So I've changed that to:

REFPOLICY_EXTRA_MODULES_DIRS = $(call qstrip,$(BR2_REFPOLICY_EXTRA_MODULES_DIRS))

I've moved it a bit further up so that the REFPOLICY_MODULES variable
can use it:

-       $(PACKAGES_SELINUX_MODULES)
+       $(PACKAGES_SELINUX_MODULES) \
+       $(foreach d,$(REFPOLICY_EXTRA_MODULES_DIRS),\
+               $(basename $(notdir $(wildcard $(d)/*.te))))

> +$(foreach dir,$(call qstrip,$(BR2_REFPOLICY_EXTRA_MODULES_DIRS)),\

I've used REFPOLICY_EXTRA_MODULES_DIRS here as well.

> +	$(if $(wildcard $(dir)),,\
> +		$(error BR2_REFPOLICY_EXTRA_MODULES_DIRS contains nonexistent directory $(dir))))
> +
> +define REFPOLICY_COPY_MODULES
> +	mkdir -p $(@D)/policy/modules/buildroot
> +	rsync -au $(addsuffix /*,$(call qstrip,$(REFPOLICY_EXTRA_MODULES))) \

And here as well.

> +		$(@D)/policy/modules/buildroot/
> +	if [ ! -f $(@D)/policy/modules/buildroot/metadata.xml ]; then \
> +		echo "<summary>Buildroot extra modules</summary>" > \
> +			$(@D)/policy/modules/buildroot/metadata.xml; \
> +	fi
> +endef
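Review bot: merging every directory into one `policy/modules/buildroot/` with `rsync -au` means a module name present in two directories is never reported: `-u` keeps whichever copy has the newer mtime, so the winner depends on checkout times rather than on configuration. Since `REFPOLICY_MODULES` already derives the names from the `*.te` basenames, a guard in the same style as the nonexistent-directory `$(error ...)` above would catch it, e.g. compare `$(words $(list))` with `$(words $(sort $(list)))` (GNU make's sort drops duplicates) and error out when they differ.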

I've enclosed this REFPOLICY_COPY_MODULES macro definition in a:

ifneq ($(REFPOLICY_EXTRA_MODULES_DIRS),)
...
endif 

condition.

>  # In the context of a monolithic policy enabling a piece of the policy as
>  # 'base' or 'module' is equivalent, so we enable them as 'base'.
> @@ -72,6 +91,8 @@ define REFPOLICY_CONFIGURE_CMDS
>  endef
>  
>  define REFPOLICY_BUILD_CMDS
> +	$(if $(call qstrip,$(REFPOLICY_EXTRA_MODULES)),\
> +		$(REFPOLICY_COPY_MODULES))
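Review bot: the copy of out-of-tree modules is wired into REFPOLICY_BUILD_CMDS, but the comment a few lines up says the selected modules are enabled as 'base' during REFPOLICY_CONFIGURE_CMDS. If that configure step makes refpolicy regenerate modules.conf from what is present under policy/modules/ (its `conf` target does), modules copied only at build time are not there yet and end up unknown to the policy. Either run $(REFPOLICY_COPY_MODULES) at the start of REFPOLICY_CONFIGURE_CMDS, before the modules are enabled, or state in a comment why the build-time copy is sufficient.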

So that we don't need a condition here.

Final commit looks like this:

  https://git.buildroot.org/buildroot/commit/?id=1e2e3cc9519ab0fd6ed5411fe88cce14b4b7a2a9

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

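Thomas's help text says modules with the same name in different directories are not allowed, but nothing in refpolicy.mk checks that: the `rsync -au` merge just keeps one copy. The following added example (not code from the Buildroot series) is a small pre-build check that enforces the documented layout and the name uniqueness, plus one refpolicy convention assumed here, that every .te begins with `policy_module(<name>, <version>)` with <name> equal to the file basename. The two fixture directories are constructed to show each failure.

```python
"""Check BR2_REFPOLICY_EXTRA_MODULES_DIRS directories before refpolicy
merges them into policy/modules/buildroot/.

Added example, not code from the Buildroot series: refpolicy.mk copies
every listed directory into one folder with 'rsync -au', so two
directories shipping the same module name are not rejected, one copy
just wins.  This check enforces the rules from the help text (flat
directories holding only .fc/.if/.te, unique module names) and one
refpolicy convention assumed here: each .te opens with
policy_module(<name>, <version>) and <name> must equal the file's
basename.  The fixture directories in run_demo() are constructed.
"""
import os
import re
import tempfile

POLICY_MODULE_RE = re.compile(r"^\s*policy_module\(\s*([A-Za-z0-9_]+)\s*,")
ALLOWED_SUFFIXES = (".te", ".if", ".fc")

def module_names(moddir):
    """Module names the build derives from $(wildcard $(d)/*.te)."""
    return sorted(os.path.splitext(f)[0]
                  for f in os.listdir(moddir) if f.endswith(".te"))

def declared_name(te_path):
    """Name from the policy_module() line, or None if there is none."""
    with open(te_path) as fh:
        for line in fh:
            m = POLICY_MODULE_RE.match(line)
            if m:
                return m.group(1)
    return None

def check_extra_module_dirs(dirs):
    """Return a list of problems; an empty list means the layout is acceptable."""
    problems = []
    seen = {}                                  # module name -> first directory
    for d in dirs:
        if not os.path.isdir(d):
            problems.append(f"{d}: not a directory")
            continue
        for entry in sorted(os.listdir(d)):
            path = os.path.join(d, entry)
            if os.path.isdir(path):
                problems.append(f"{path}: sub-directories are not allowed")
            elif not entry.endswith(ALLOWED_SUFFIXES):
                problems.append(f"{path}: not a .te/.if/.fc file")
        for name in module_names(d):
            if name in seen:
                problems.append(f"{name}: defined in both {seen[name]} and {d}")
            else:
                seen[name] = d
            declared = declared_name(os.path.join(d, name + ".te"))
            if declared is None:
                problems.append(f"{d}/{name}.te: no policy_module() declaration")
            elif declared != name:
                problems.append(f"{d}/{name}.te: policy_module({declared}) "
                                f"does not match the file name")
    return problems

def write(path, text):
    with open(path, "w") as fh:
        fh.write(text)

def run_demo():
    """Constructed fixture: a correct dir and a second one with three mistakes."""
    with tempfile.TemporaryDirectory() as root:
        good = os.path.join(root, "good")
        bad = os.path.join(root, "bad")
        os.makedirs(good)
        os.makedirs(os.path.join(bad, "old"))          # sub-directory: not allowed
        write(os.path.join(good, "foo.te"), "policy_module(foo, 1.0)\ntype foo_t;\n")
        write(os.path.join(good, "foo.fc"),
              "/usr/bin/foo -- gen_context(system_u:object_r:foo_exec_t,s0)\n")
        write(os.path.join(good, "foo.if"), "## <summary>foo</summary>\n")
        write(os.path.join(bad, "foo.te"), "policy_module(foo, 2.0)\n")   # duplicate name
        write(os.path.join(bad, "bar.te"), "policy_module(baz, 1.0)\n")   # name mismatch
        return check_extra_module_dirs([good, bad])

if __name__ == "__main__":
    for problem in run_demo():
        print("error:", problem)
```

Called with the qstripped value of BR2_REFPOLICY_EXTRA_MODULES_DIRS (and any package-provided directories) from a pre-build hook, it turns the silent rsync overwrite into a build failure that names the two offending directories.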

* [Buildroot] [PATCH 14/15] package/refpolicy: fix the configure, build and install steps
  2020-07-31 10:10 ` [Buildroot] [PATCH 14/15] package/refpolicy: fix the configure, build and install steps Antoine Tenart
@ 2020-09-04 13:07   ` Thomas Petazzoni
  0 siblings, 0 replies; 33+ messages in thread
From: Thomas Petazzoni @ 2020-09-04 13:07 UTC (permalink / raw)
  To: buildroot

On Fri, 31 Jul 2020 12:10:39 +0200
Antoine Tenart <antoine.tenart@bootlin.com> wrote:

> -define REFPOLICY_CONFIGURE_CMDS
> +define REFPOLICY_CONFIGURE_BUILD

I found it a bit silly to have REFPOLICY_CONFIGURE_CMDS calling
REFPOLICY_CONFIGURE_BUILD, so I've just inlined in
REFPOLICY_CONFIGURE_CMDS what REFPOLICY_CONFIGURE_BUILD is doing. See
the final commit at:

  https://git.buildroot.org/buildroot/commit/?id=fb2968707bc66afb2c246d92e15f295475f23868

Also, note that with your change, the policy is indeed being built
during the "build" step, but it is also built again during the target
installation step. However, due to how the refpolicy build system
works, this seems unavoidable, and this patch is anyway already an
improvement.

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH 15/15] docs/manual: add a section about SELinux
  2020-07-31 10:10 ` [Buildroot] [PATCH 15/15] docs/manual: add a section about SELinux Antoine Tenart
  2020-07-31 12:15   ` Matthew Weber
@ 2020-09-04 13:09   ` Thomas Petazzoni
  1 sibling, 0 replies; 33+ messages in thread
From: Thomas Petazzoni @ 2020-09-04 13:09 UTC (permalink / raw)
  To: buildroot

Hello Antoine,

On Fri, 31 Jul 2020 12:10:40 +0200
Antoine Tenart <antoine.tenart@bootlin.com> wrote:

> +== Using +SELinux+ in Buildroot
> +
> +https://selinuxproject.org[SELinux] is a Linux kernel security module enforcing
> +access control policies. In addition to the traditional file permissions and
> +access control lists, +SELinux+ allows to write rules for users or processes to
> +access specific functions of resources (files, sockets...).
> +
> ++SELinux+ has three modes of operating: +Enforcing+, +Permissive+ and
> ++Disabled+.  If not +Disabled+, the kernel will apply the policy and
> +non-authorized actions will be denied in +Enforcing+ mode or logged and reported
> +in +Permissive+ mode.  +Permissive+ mode is often used for troubleshooting
> +SELinux issues. In Buildroot this is controlled by the
> ++BR2_PACKAGE_REFPOLICY_POLICY_STATE_*+ configuration options.
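Review bot: 'non-authorized actions' should read 'unauthorized actions', and 'allows to write rules' in the first paragraph should be 'allows writing rules'. It is also worth spelling out that in Permissive mode the policy is still loaded and every would-be denial is written to the audit log while the action proceeds, which is why it is the mode to use on a freshly built image: the denials collected there are the input for the extra modules this series lets packages and users provide, and only once they are clean should the BR2_PACKAGE_REFPOLICY_POLICY_STATE_* option be switched to Enforcing.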

I reformatted this paragraph a bit, and pointed to SELinux kernel
options as suggested by Adam.

> +By default in Buildroot the +SELinux+ policy is provided by the upstream
> +https://github.com/SELinuxProject/refpolicy[refpolicy] project, enabled with
> ++BR2_PACKAGE_REFPOLICY+.
> +
> +[[enabling-selinux]]
> +=== Enabling SELinux support
> +
> +To have proper support for +SELinux+ in a Buildroot generated system, the
> +following configuration needs to be enabled:
> +
> +* +BR2_PACKAGE_REFPOLICY+
> +* +BR2_PACKAGE_POLICYCOREUTILS+

policycoreutils is not mandatory. However, libselinux is, so I've
replaced BR2_PACKAGE_POLICYCOREUTILS by BR2_PACKAGE_LIBSELINUX.

> +The Linux kernel configuration must also enable +SELinux+ support with
> ++CONFIG_SECURITY_SELINUX+, +CONFIG_LSM+ (or using the +lsm+ kernel
> +parameter) and extended attributes in filesystems (+CONFIG_EXT2_FS_XATTR+ for
> ++ext2+, +CONFIG_SQUASHFS_XATTR+ for +squashfs+, etc...).
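Review bot: CONFIG_EXT2_FS_XATTR turns on extended attributes in general, but the `security.selinux` label lives in the security.* namespace, which on ext2/ext3/ext4 additionally needs CONFIG_EXT2_FS_SECURITY / CONFIG_EXT4_FS_SECURITY; since most Buildroot root filesystems are ext4, the ext4 options are the ones to list. Without them the labels written at image generation time (patch 2) are not visible to the kernel, every file shows up as unlabeled, and an Enforcing boot fails in a way that looks like a policy bug rather than a kernel configuration one.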

I've dropped this paragraph since kernel options are taken care of, and
the extended attributes support will be taken care of by the patch
series from Adam.

Final commit:

  https://git.buildroot.org/buildroot/commit/?id=c38c1cde0d8b3e58643407edef7eb0e06a70b8de

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH 10/15] package/refpolicy: allow providing user defined modules
  2020-09-04 13:05   ` Thomas Petazzoni
@ 2020-09-04 15:00     ` Antoine Tenart
  2020-09-04 15:10       ` Thomas Petazzoni
  0 siblings, 1 reply; 33+ messages in thread
From: Antoine Tenart @ 2020-09-04 15:00 UTC (permalink / raw)
  To: buildroot

Hello Thomas,

Quoting Thomas Petazzoni (2020-09-04 15:05:32)
> On Fri, 31 Jul 2020 12:10:35 +0200
> Antoine Tenart <antoine.tenart@bootlin.com> wrote:
> 
> > -     $(PACKAGES_SELINUX_MODULES)
> > +     $(PACKAGES_SELINUX_MODULES) \
> > +     $(foreach d,$(call qstrip,$(REFPOLICY_EXTRA_MODULES)),\
> > +             $(basename $(notdir $(wildcard $(d)/*.te))))
> > +
> > +# Allow to provide out-of-tree SELinux modules in addition to the ones in the
> > +# refpolicy.
> > +REFPOLICY_EXTRA_MODULES = $(BR2_REFPOLICY_EXTRA_MODULES_DIRS)
> 
> It was a bit silly to not do the qstrip here once for all, and use that
> everywhere else. Also, the variable name REFPOLICY_EXTRA_MODULES wasn't
> so good, since it really contains a list of directories, not a list of
> modules.
> 
> So I've changed that to:
> 
> REFPOLICY_EXTRA_MODULES_DIRS = $(call qstrip,$(BR2_REFPOLICY_EXTRA_MODULES_DIRS))
> 
> I've moved it a bit further up so that the REFPOLICY_MODULES variable
> can use it:
> 
> -       $(PACKAGES_SELINUX_MODULES)
> +       $(PACKAGES_SELINUX_MODULES) \
> +       $(foreach d,$(REFPOLICY_EXTRA_MODULES_DIRS),\
> +               $(basename $(notdir $(wildcard $(d)/*.te))))
> > +
> > +define REFPOLICY_COPY_MODULES
> > +     mkdir -p $(@D)/policy/modules/buildroot
> > +     rsync -au $(addsuffix /*,$(call qstrip,$(REFPOLICY_EXTRA_MODULES))) \
> > +             $(@D)/policy/modules/buildroot/
> > +     if [ ! -f $(@D)/policy/modules/buildroot/metadata.xml ]; then \
> > +             echo "<summary>Buildroot extra modules</summary>" > \
> > +                     $(@D)/policy/modules/buildroot/metadata.xml; \
> > +     fi
> > +endef
> 
> I've enclosed this REFPOLICY_COPY_MODULES macro definition in a:
> 
> ifneq ($(REFPOLICY_EXTRA_MODULES_DIRS),)
> ...
> endif 
> 
> condition.

If there are no extra modules provided by BR2_REFPOLICY_EXTRA_MODULES_DIRS
nor PACKAGES_SELINUX_EXTRA_MODULES_DIRS, REFPOLICY_EXTRA_MODULES_DIRS
would still be different from an empty string as it is now a list. As a
result, REFPOLICY_COPY_EXTRA_MODULES will always be called and the
'buildroot/metadata.xml' file will be installed. This would break the
build.

But using:

ifneq ($(qstrip,$(REFPOLICY_EXTRA_MODULES_DIRS)),)

would also not work as REFPOLICY_EXTRA_MODULES_DIRS would be expanded
too early, and PACKAGES_SELINUX_EXTRA_MODULES_DIRS might not already
contain all the packages selinux's custom modules.

That's why there were deferred calls to qstrip in the original patch.

Thanks!
Antoine

-- 
Antoine Ténart, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH 10/15] package/refpolicy: allow providing user defined modules
  2020-09-04 15:00     ` Antoine Tenart
@ 2020-09-04 15:10       ` Thomas Petazzoni
  2020-09-04 15:28         ` Antoine Tenart
  0 siblings, 1 reply; 33+ messages in thread
From: Thomas Petazzoni @ 2020-09-04 15:10 UTC (permalink / raw)
  To: buildroot

Hello,

On Fri, 04 Sep 2020 17:00:17 +0200
Antoine Tenart <antoine.tenart@bootlin.com> wrote:

> If there are no extra modules provided by BR2_REFPOLICY_EXTRA_MODULES_DIRS
> nor PACKAGES_SELINUX_EXTRA_MODULES_DIRS, REFPOLICY_EXTRA_MODULES_DIRS
> would still be different than an empty string as it is now a list.

There is no such thing as a "list" in make. Everything is string, and
space-separated words in a string can somehow be manipulated as a list.

> As a result, REFPOLICY_COPY_EXTRA_MODULES will always be called and
> the 'buildroot/metadata.xml' file will be installed. This would break
> the build.
> 
> But using:
> 
> ifneq ($(qstrip,$(REFPOLICY_EXTRA_MODULES_DIRS)),)

But indeed, there will always be a space in
REFPOLICY_EXTRA_MODULES_DIRS. So I guess the most logical change to do
is:

REFPOLICY_EXTRA_MODULES_DIRS = \
	$(strip \
		$(call qstrip,$(BR2_REFPOLICY_EXTRA_MODULES_DIRS)) \
		$(PACKAGES_SELINUX_EXTRA_MODULES_DIRS))

The below snippet of Makefile illustrates that:

# Strip quotes and then whitespaces
qstrip = $(strip $(subst ",,$(1)))
#"))

BR2_REFPOLICY_EXTRA_MODULES_DIRS = ""
PACKAGES_SELINUX_EXTRA_MODULES_DIRS =

REFPOLICY_EXTRA_MODULES_DIRS = \
	$(strip \
		$(call qstrip,$(BR2_REFPOLICY_EXTRA_MODULES_DIRS)) \
		$(PACKAGES_SELINUX_EXTRA_MODULES_DIRS))

all:
ifneq ($(REFPOLICY_EXTRA_MODULES_DIRS),)
	@echo "REFPOLICY_EXTRA_MODULES_DIRS is not empty"
else
	@echo "REFPOLICY_EXTRA_MODULES_DIRS is empty"
endif


> would also not work as REFPOLICY_EXTRA_MODULES_DIRS would be expanded
> too early, and PACKAGES_SELINUX_EXTRA_MODULES_DIRS might not already
> contain all the packages selinux's custom modules.

I'm not sure it's related to being expanded "too early". All those
variables are recursively expanded, i.e. expanded at time of use.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH 10/15] package/refpolicy: allow providing user defined modules
  2020-09-04 15:10       ` Thomas Petazzoni
@ 2020-09-04 15:28         ` Antoine Tenart
  0 siblings, 0 replies; 33+ messages in thread
From: Antoine Tenart @ 2020-09-04 15:28 UTC (permalink / raw)
  To: buildroot

Hello,

Quoting Thomas Petazzoni (2020-09-04 17:10:09)
> On Fri, 04 Sep 2020 17:00:17 +0200
> Antoine Tenart <antoine.tenart@bootlin.com> wrote:
> 
> > As a result, REFPOLICY_COPY_EXTRA_MODULES will always be called and
> > the 'buildroot/metadata.xml' file will be installed. This would break
> > the build.
> > 
> > But using:
> > 
> > ifneq ($(qstrip,$(REFPOLICY_EXTRA_MODULES_DIRS)),)
> 
> But indeed, there will always be a space in
> REFPOLICY_EXTRA_MODULES_DIRS. So I guess the most logical change to do
> is:
> 
> REFPOLICY_EXTRA_MODULES_DIRS = \
>         $(strip \
>                 $(call qstrip,$(BR2_REFPOLICY_EXTRA_MODULES_DIRS)) \
>                 $(PACKAGES_SELINUX_EXTRA_MODULES_DIRS))
> 
> > would also not work as REFPOLICY_EXTRA_MODULES_DIRS would be expanded
> > too early, and PACKAGES_SELINUX_EXTRA_MODULES_DIRS might not already
> > contain all the packages selinux's custom modules.
> 
> I'm not sure it's related to being expanded "too early". All those
> variables are recursively expanded, i.e expanded at time of use.

Calling "ifneq ($(REFPOLICY_EXTRA_MODULES_DIRS),)" would expand the
variables in REFPOLICY_EXTRA_MODULES_DIRS, including
REFPOLICY_EXTRA_MODULES_DIRS. But at the time this is done not all the
packages would have been parsed and expanded, and
REFPOLICY_EXTRA_MODULES_DIRS will therefore not contain the full list of
"selinux" folders within packages.

Deferring its expansion to the configure/build target does ensure the
REFPOLICY_EXTRA_MODULES_DIRS list is complete, as all the other packages
would be parsed and expanded by then.

Thanks,
Antoine

-- 
Antoine Ténart, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


end of thread, other threads:[~2020-09-04 15:28 UTC | newest]

Thread overview: 33+ messages
2020-07-31 10:10 [Buildroot] [PATCH 00/15] Improve SELinux support Antoine Tenart
2020-07-31 10:10 ` [Buildroot] [PATCH 01/15] package/e2fsprogs: set xattrs for the root dir as well Antoine Tenart
2020-07-31 10:10 ` [Buildroot] [PATCH 02/15] fs/common.mk: set SELinux file security contexts Antoine Tenart
2020-09-04 12:58   ` Thomas Petazzoni
2020-07-31 10:10 ` [Buildroot] [PATCH 03/15] fs/common.mk: move down ROOTFS_REPRODUCIBLE for consistency Antoine Tenart
2020-07-31 10:10 ` [Buildroot] [PATCH 04/15] package/refpolicy: smaller monolithic policy Antoine Tenart
2020-07-31 10:10 ` [Buildroot] [PATCH 05/15] package/refpolicy: allow packages to select SELinux modules Antoine Tenart
2020-07-31 10:10 ` [Buildroot] [PATCH 06/15] package/systemd: " Antoine Tenart
2020-07-31 10:10 ` [Buildroot] [PATCH 07/15] package/dbus: select SELinux module Antoine Tenart
2020-07-31 10:10 ` [Buildroot] [PATCH 08/15] package/util-linux: " Antoine Tenart
2020-07-31 10:10 ` [Buildroot] [PATCH 09/15] package/e2fsprogs: " Antoine Tenart
2020-07-31 10:10 ` [Buildroot] [PATCH 10/15] package/refpolicy: allow providing user defined modules Antoine Tenart
2020-09-04 13:05   ` Thomas Petazzoni
2020-09-04 15:00     ` Antoine Tenart
2020-09-04 15:10       ` Thomas Petazzoni
2020-09-04 15:28         ` Antoine Tenart
2020-07-31 10:10 ` [Buildroot] [PATCH 11/15] package/refpolicy: allow selecting additional modules Antoine Tenart
2020-07-31 10:10 ` [Buildroot] [PATCH 12/15] package/refpolicy: allow to provide a custom refpolicy Antoine Tenart
2020-07-31 10:10 ` [Buildroot] [PATCH 13/15] package/refpolicy: allow packages to provide their own SELinux modules Antoine Tenart
2020-07-31 10:10 ` [Buildroot] [PATCH 14/15] package/refpolicy: fix the configure, build and install steps Antoine Tenart
2020-09-04 13:07   ` Thomas Petazzoni
2020-07-31 10:10 ` [Buildroot] [PATCH 15/15] docs/manual: add a section about SELinux Antoine Tenart
2020-07-31 12:15   ` Matthew Weber
2020-07-31 12:52     ` Antoine Tenart
2020-07-31 13:15       ` Thomas Petazzoni
2020-07-31 13:19         ` Matthew Weber
2020-07-31 13:22         ` Antoine Tenart
2020-09-04 13:09   ` Thomas Petazzoni
2020-07-31 17:08 ` [Buildroot] [PATCH 00/15] Improve SELinux support Adam Duskett
2020-07-31 20:48   ` Adam Duskett
2020-08-01  8:12     ` Antoine Tenart
2020-08-01  8:05   ` Antoine Tenart
2020-09-04 12:56 ` Thomas Petazzoni
