* [Buildroot] [PATCH v2 00/14] packages: Add SELinux modules to some packages
@ 2020-12-28 16:11 Maxime Chevallier
  2020-12-28 16:11 ` [Buildroot] [PATCH v2 01/14] package/iwd: add SELinux module Maxime Chevallier
                   ` (15 more replies)
  0 siblings, 16 replies; 18+ messages in thread
From: Maxime Chevallier @ 2020-12-28 16:11 UTC (permalink / raw)
  To: buildroot

Hello everyone,

This is the second iteration of the series adding matching between
packages and the SELinux refpolicy module that supports them.

This series focuses on the tools that are impacted by the following
modules in the refpolicy [2] :

  - services/networkmanager, which adds support for :
    - iwd
    - network-manager
    - wpa_supplicant

  - system/iptables, which adds support for :
    - ebtables
    - ipset
    - iptables
    - nftables

  - admin/netutils, which adds support for :
    - fping
    - Some of the iputils tools :
      - arping
      - ping
      - tracepath
      - traceroute6
    - mtr
    - nmap
    - tcpdump

  - services/entropyd, which adds support for :
    - haveged
    - jitterentropy-library

With this series, the above-mentioned tools can now be used on systems
that have SELinux enabled.

Since V1, the main changes were the removal of the dhcp package which
will be part of another series, and the rework of the iputils package
according to Antoine Tenart's review.

Thanks,

Maxime

Maxime Chevallier (14):
  package/iwd: add SELinux module
  package/network-manager: add SELinux module
  package/wpa_supplicant: add SELinux module
  package/ebtables: add SELinux module
  package/ipset: add SELinux module
  package/iptables: add SELinux module
  package/nftables: add SELinux module
  package/fping: add SELinux module
  package/iputils: add SELinux module
  package/mtr: add SELinux module
  package/nmap: add SELinux module
  package/tcpdump: add SELinux module
  package/haveged: add SELinux module
  package/jitterentropy-library: add SELinux module

 package/ebtables/ebtables.mk                     |  1 +
 package/fping/fping.mk                           |  1 +
 package/haveged/haveged.mk                       |  1 +
 package/ipset/ipset.mk                           |  1 +
 package/iptables/iptables.mk                     |  2 ++
 package/iputils/iputils.mk                       | 16 ++++++++++++++++
 package/iwd/iwd.mk                               |  1 +
 .../jitterentropy-library.mk                     |  1 +
 package/mtr/mtr.mk                               |  1 +
 package/network-manager/network-manager.mk       |  1 +
 package/nftables/nftables.mk                     |  1 +
 package/nmap/nmap.mk                             |  1 +
 package/tcpdump/tcpdump.mk                       |  1 +
 package/wpa_supplicant/wpa_supplicant.mk         |  1 +
 14 files changed, 30 insertions(+)

-- 
2.25.4


* [Buildroot] [PATCH v2 01/14] package/iwd: add SELinux module
  2020-12-28 16:11 [Buildroot] [PATCH v2 00/14] packages: Add SELinux modules to some packages Maxime Chevallier
@ 2020-12-28 16:11 ` Maxime Chevallier
  2020-12-28 16:11 ` [Buildroot] [PATCH v2 02/14] package/network-manager: " Maxime Chevallier
                   ` (14 subsequent siblings)
  15 siblings, 0 replies; 18+ messages in thread
From: Maxime Chevallier @ 2020-12-28 16:11 UTC (permalink / raw)
  To: buildroot

Support for iwd and its configuration files is added by the
services/networkmanager module in the SELinux refpolicy.

Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
---
 package/iwd/iwd.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/iwd/iwd.mk b/package/iwd/iwd.mk
index b1841b5476..b164970196 100644
--- a/package/iwd/iwd.mk
+++ b/package/iwd/iwd.mk
@@ -11,6 +11,7 @@ IWD_LICENSE = LGPL-2.1+
 IWD_LICENSE_FILES = COPYING
 # sources from git, no configure script provided
 IWD_AUTORECONF = YES
+IWD_SELINUX_MODULES = networkmanager
 
 IWD_CONF_OPTS = \
 	--disable-manual-pages \
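Review bot: The added `IWD_SELINUX_MODULES = networkmanager` line sits directly under `IWD_AUTORECONF = YES`, so the existing comment "# sources from git, no configure script provided" now reads as if it covered both lines. Placing the new variable right after `IWD_LICENSE_FILES = COPYING`, or after the blank line, keeps that comment attached only to the autoreconf setting.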
-- 
2.25.4


* [Buildroot] [PATCH v2 02/14] package/network-manager: add SELinux module
  2020-12-28 16:11 [Buildroot] [PATCH v2 00/14] packages: Add SELinux modules to some packages Maxime Chevallier
  2020-12-28 16:11 ` [Buildroot] [PATCH v2 01/14] package/iwd: add SELinux module Maxime Chevallier
@ 2020-12-28 16:11 ` Maxime Chevallier
  2020-12-28 16:11 ` [Buildroot] [PATCH v2 03/14] package/wpa_supplicant: " Maxime Chevallier
                   ` (13 subsequent siblings)
  15 siblings, 0 replies; 18+ messages in thread
From: Maxime Chevallier @ 2020-12-28 16:11 UTC (permalink / raw)
  To: buildroot

Support for NetworkManager is added by the services/networkmanager
module in the SELinux refpolicy.

Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
---
 package/network-manager/network-manager.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/network-manager/network-manager.mk b/package/network-manager/network-manager.mk
index 3dc3188f32..4b2ade5b9b 100644
--- a/package/network-manager/network-manager.mk
+++ b/package/network-manager/network-manager.mk
@@ -13,6 +13,7 @@ NETWORK_MANAGER_DEPENDENCIES = host-pkgconf udev gnutls libglib2 \
 	libgcrypt wireless_tools util-linux host-intltool readline libndp
 NETWORK_MANAGER_LICENSE = GPL-2.0+ (app), LGPL-2.1+ (libnm)
 NETWORK_MANAGER_LICENSE_FILES = COPYING COPYING.LGPL CONTRIBUTING
+NETWORK_MANAGER_SELINUX_MODULES = networkmanager
 
 NETWORK_MANAGER_CONF_ENV = \
 	ac_cv_path_LIBGCRYPT_CONFIG=$(STAGING_DIR)/usr/bin/libgcrypt-config \
-- 
2.25.4


* [Buildroot] [PATCH v2 03/14] package/wpa_supplicant: add SELinux module
  2020-12-28 16:11 [Buildroot] [PATCH v2 00/14] packages: Add SELinux modules to some packages Maxime Chevallier
  2020-12-28 16:11 ` [Buildroot] [PATCH v2 01/14] package/iwd: add SELinux module Maxime Chevallier
  2020-12-28 16:11 ` [Buildroot] [PATCH v2 02/14] package/network-manager: " Maxime Chevallier
@ 2020-12-28 16:11 ` Maxime Chevallier
  2020-12-28 16:11 ` [Buildroot] [PATCH v2 04/14] package/ebtables: " Maxime Chevallier
                   ` (12 subsequent siblings)
  15 siblings, 0 replies; 18+ messages in thread
From: Maxime Chevallier @ 2020-12-28 16:11 UTC (permalink / raw)
  To: buildroot

Support for wpa_supplicant is added by the services/networkmanager
module in the SELinux refpolicy.

Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
---
 package/wpa_supplicant/wpa_supplicant.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/wpa_supplicant/wpa_supplicant.mk b/package/wpa_supplicant/wpa_supplicant.mk
index 7170db0d07..38af11625a 100644
--- a/package/wpa_supplicant/wpa_supplicant.mk
+++ b/package/wpa_supplicant/wpa_supplicant.mk
@@ -14,6 +14,7 @@ WPA_SUPPLICANT_DBUS_OLD_SERVICE = fi.epitest.hostap.WPASupplicant
 WPA_SUPPLICANT_DBUS_NEW_SERVICE = fi.w1.wpa_supplicant1
 WPA_SUPPLICANT_CFLAGS = $(TARGET_CFLAGS) -I$(STAGING_DIR)/usr/include/libnl3/
 WPA_SUPPLICANT_LDFLAGS = $(TARGET_LDFLAGS)
+WPA_SUPPLICANT_SELINUX_MODULES = networkmanager
 
 # 0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
 WPA_SUPPLICANT_IGNORE_CVES += CVE-2019-16275
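Review bot: Missing documentation on the added `WPA_SUPPLICANT_SELINUX_MODULES = networkmanager` line: the module name does not match the package, and only the commit message explains that wpa_supplicant is covered by services/networkmanager. A one-line comment above the assignment saying so would spare the next reader from assuming the value is a copy-paste from network-manager.mk.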
-- 
2.25.4


* [Buildroot] [PATCH v2 04/14] package/ebtables: add SELinux module
  2020-12-28 16:11 [Buildroot] [PATCH v2 00/14] packages: Add SELinux modules to some packages Maxime Chevallier
                   ` (2 preceding siblings ...)
  2020-12-28 16:11 ` [Buildroot] [PATCH v2 03/14] package/wpa_supplicant: " Maxime Chevallier
@ 2020-12-28 16:11 ` Maxime Chevallier
  2020-12-28 16:11 ` [Buildroot] [PATCH v2 05/14] package/ipset: " Maxime Chevallier
                   ` (11 subsequent siblings)
  15 siblings, 0 replies; 18+ messages in thread
From: Maxime Chevallier @ 2020-12-28 16:11 UTC (permalink / raw)
  To: buildroot

Support for ebtables is added in the system/iptables module in the
SELinux refpolicy.

Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
---
 package/ebtables/ebtables.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/ebtables/ebtables.mk b/package/ebtables/ebtables.mk
index e8b982206c..93af5085ec 100644
--- a/package/ebtables/ebtables.mk
+++ b/package/ebtables/ebtables.mk
@@ -8,6 +8,7 @@ EBTABLES_VERSION = 2.0.11
 EBTABLES_SITE = http://ftp.netfilter.org/pub/ebtables
 EBTABLES_LICENSE = GPL-2.0+
 EBTABLES_LICENSE_FILES = COPYING
+EBTABLES_SELINUX_MODULES = iptables
 
 ifeq ($(BR2_PACKAGE_EBTABLES_UTILS_SAVE),y)
 define EBTABLES_INSTALL_TARGET_UTILS_SAVE
-- 
2.25.4


* [Buildroot] [PATCH v2 05/14] package/ipset: add SELinux module
  2020-12-28 16:11 [Buildroot] [PATCH v2 00/14] packages: Add SELinux modules to some packages Maxime Chevallier
                   ` (3 preceding siblings ...)
  2020-12-28 16:11 ` [Buildroot] [PATCH v2 04/14] package/ebtables: " Maxime Chevallier
@ 2020-12-28 16:11 ` Maxime Chevallier
  2020-12-28 16:11 ` [Buildroot] [PATCH v2 06/14] package/iptables: " Maxime Chevallier
                   ` (10 subsequent siblings)
  15 siblings, 0 replies; 18+ messages in thread
From: Maxime Chevallier @ 2020-12-28 16:11 UTC (permalink / raw)
  To: buildroot

Support for ipset is added by the system/iptables module in the SELinux
refpolicy.

Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
---
 package/ipset/ipset.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/ipset/ipset.mk b/package/ipset/ipset.mk
index 869763d322..03ef1667f4 100644
--- a/package/ipset/ipset.mk
+++ b/package/ipset/ipset.mk
@@ -12,5 +12,6 @@ IPSET_CONF_OPTS = --with-kmod=no
 IPSET_LICENSE = GPL-2.0
 IPSET_LICENSE_FILES = COPYING
 IPSET_INSTALL_STAGING = YES
+IPSET_SELINUX_MODULES = iptables
 
 $(eval $(autotools-package))
-- 
2.25.4


* [Buildroot] [PATCH v2 06/14] package/iptables: add SELinux module
  2020-12-28 16:11 [Buildroot] [PATCH v2 00/14] packages: Add SELinux modules to some packages Maxime Chevallier
                   ` (4 preceding siblings ...)
  2020-12-28 16:11 ` [Buildroot] [PATCH v2 05/14] package/ipset: " Maxime Chevallier
@ 2020-12-28 16:11 ` Maxime Chevallier
  2020-12-28 16:11 ` [Buildroot] [PATCH v2 07/14] package/nftables: " Maxime Chevallier
                   ` (9 subsequent siblings)
  15 siblings, 0 replies; 18+ messages in thread
From: Maxime Chevallier @ 2020-12-28 16:11 UTC (permalink / raw)
  To: buildroot

Support for iptables is added by the system/iptables module in the
SELinux refpolicy.

Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
---
 package/iptables/iptables.mk | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/package/iptables/iptables.mk b/package/iptables/iptables.mk
index f83165edb9..60b91efb3b 100644
--- a/package/iptables/iptables.mk
+++ b/package/iptables/iptables.mk
@@ -12,6 +12,8 @@ IPTABLES_DEPENDENCIES = host-pkgconf \
 	$(if $(BR2_PACKAGE_LIBNETFILTER_CONNTRACK),libnetfilter_conntrack)
 IPTABLES_LICENSE = GPL-2.0
 IPTABLES_LICENSE_FILES = COPYING
+IPTABLES_SELINUX_MODULES = iptables
+
 # Building static causes ugly warnings on some plugins
 IPTABLES_CONF_OPTS = --libexecdir=/usr/lib --with-kernel=$(STAGING_DIR)/usr \
 	$(if $(BR2_STATIC_LIBS),,--disable-static)
-- 
2.25.4


* [Buildroot] [PATCH v2 07/14] package/nftables: add SELinux module
  2020-12-28 16:11 [Buildroot] [PATCH v2 00/14] packages: Add SELinux modules to some packages Maxime Chevallier
                   ` (5 preceding siblings ...)
  2020-12-28 16:11 ` [Buildroot] [PATCH v2 06/14] package/iptables: " Maxime Chevallier
@ 2020-12-28 16:11 ` Maxime Chevallier
  2020-12-28 16:11 ` [Buildroot] [PATCH v2 08/14] package/fping: " Maxime Chevallier
                   ` (8 subsequent siblings)
  15 siblings, 0 replies; 18+ messages in thread
From: Maxime Chevallier @ 2020-12-28 16:11 UTC (permalink / raw)
  To: buildroot

Support for nft is added by the system/iptables module in the SELinux
refpolicy.

Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
---
 package/nftables/nftables.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/nftables/nftables.mk b/package/nftables/nftables.mk
index 8a003a5e34..f9468c5250 100644
--- a/package/nftables/nftables.mk
+++ b/package/nftables/nftables.mk
@@ -11,6 +11,7 @@ NFTABLES_DEPENDENCIES = libmnl libnftnl host-pkgconf $(TARGET_NLS_DEPENDENCIES)
 NFTABLES_LICENSE = GPL-2.0
 NFTABLES_LICENSE_FILES = COPYING
 NFTABLES_CONF_OPTS = --disable-man-doc --disable-pdf-doc
+NFTABLES_SELINUX_MODULES = iptables
 
 ifeq ($(BR2_PACKAGE_GMP),y)
 NFTABLES_DEPENDENCIES += gmp
-- 
2.25.4


* [Buildroot] [PATCH v2 08/14] package/fping: add SELinux module
  2020-12-28 16:11 [Buildroot] [PATCH v2 00/14] packages: Add SELinux modules to some packages Maxime Chevallier
                   ` (6 preceding siblings ...)
  2020-12-28 16:11 ` [Buildroot] [PATCH v2 07/14] package/nftables: " Maxime Chevallier
@ 2020-12-28 16:11 ` Maxime Chevallier
  2020-12-28 16:11 ` [Buildroot] [PATCH v2 09/14] package/iputils: " Maxime Chevallier
                   ` (7 subsequent siblings)
  15 siblings, 0 replies; 18+ messages in thread
From: Maxime Chevallier @ 2020-12-28 16:11 UTC (permalink / raw)
  To: buildroot

Support for fping is added by the admin/netutils module in the SELinux
refpolicy.

Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
---
 package/fping/fping.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/fping/fping.mk b/package/fping/fping.mk
index 24aca32367..0a03c1dfdc 100644
--- a/package/fping/fping.mk
+++ b/package/fping/fping.mk
@@ -8,5 +8,6 @@ FPING_VERSION = 5.0
 FPING_SITE = http://fping.org/dist
 FPING_LICENSE = BSD-like
 FPING_LICENSE_FILES = COPYING
+FPING_SELINUX_MODULES = netutils
 
 $(eval $(autotools-package))
-- 
2.25.4


* [Buildroot] [PATCH v2 09/14] package/iputils: add SELinux module
  2020-12-28 16:11 [Buildroot] [PATCH v2 00/14] packages: Add SELinux modules to some packages Maxime Chevallier
                   ` (7 preceding siblings ...)
  2020-12-28 16:11 ` [Buildroot] [PATCH v2 08/14] package/fping: " Maxime Chevallier
@ 2020-12-28 16:11 ` Maxime Chevallier
  2020-12-29 14:09   ` Yann E. MORIN
  2020-12-28 16:11 ` [Buildroot] [PATCH v2 10/14] package/mtr: " Maxime Chevallier
                   ` (6 subsequent siblings)
  15 siblings, 1 reply; 18+ messages in thread
From: Maxime Chevallier @ 2020-12-28 16:11 UTC (permalink / raw)
  To: buildroot

Support for the iputils is added by the admin/netutils module in the
SELinux refpolicy for the following tools :
 - arping
 - ping
 - tracepath
 - traceroute6

Support for rdisc is added by services/rdisc.

Support for tftpd is added by services/tftp.

Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
---
V1 -> V2: Use a per-tool module selection, for rdisc and tftpd,
according to Antoine's review

 package/iputils/iputils.mk | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/package/iputils/iputils.mk b/package/iputils/iputils.mk
index 4f8d9cb768..b1d71b38f2 100644
--- a/package/iputils/iputils.mk
+++ b/package/iputils/iputils.mk
@@ -27,6 +27,22 @@ IPUTILS_CONF_OPTS += \
 	-DBUILD_TRACEROUTE6=$(if $(BR2_PACKAGE_IPUTILS_TRACEROUTE6),true,false) \
 	-DBUILD_NINFOD=$(if $(BR2_PACKAGE_IPUTILS_NINFOD),true,false)
 
+# Selectively select the appropriate SELinux refpolicy modules
+ifneq ($(BR2_PACKAGE_IPUTILS_ARPING)\
+	$(BR2_PACKAGE_IPUTILS_PING)\
+	$(BR2_PACKAGE_IPUTILS_TRACEPATH)\
+	$(BR2_PACKAGE_IPUTILS_TRACEROUTE6),)
+IPUTILS_SELINUX_MODULES += netutils
+endif
+
+ifeq ($(BR2_PACKAGE_IPUTILS_RDISC),y)
+IPUTILS_SELINUX_MODULES += rdisc
+endif
+
+ifeq ($(BR2_PACKAGE_IPUTILS_TFTPD),y)
+IPUTILS_SELINUX_MODULES += tftp
+endif
+
 #
 # arping
 #
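Review bot: In the `ifneq` that opens the added block, the four `$(BR2_PACKAGE_IPUTILS_...)` references are joined with backslash-newlines, and make replaces each backslash-newline with a single space, so the left-hand operand expands to spaces rather than to the empty string when all four tools are disabled, and `netutils` is then appended unconditionally. Wrapping the operand in `$(strip ...)`, or testing each option separately, gives the intended result. The block also only ever uses `+=` on `IPUTILS_SELINUX_MODULES`, which works but differs from the plain `=` used for the same variable in the other packages of this series.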
-- 
2.25.4


* [Buildroot] [PATCH v2 10/14] package/mtr: add SELinux module
  2020-12-28 16:11 [Buildroot] [PATCH v2 00/14] packages: Add SELinux modules to some packages Maxime Chevallier
                   ` (8 preceding siblings ...)
  2020-12-28 16:11 ` [Buildroot] [PATCH v2 09/14] package/iputils: " Maxime Chevallier
@ 2020-12-28 16:11 ` Maxime Chevallier
  2020-12-28 16:11 ` [Buildroot] [PATCH v2 11/14] package/nmap: " Maxime Chevallier
                   ` (5 subsequent siblings)
  15 siblings, 0 replies; 18+ messages in thread
From: Maxime Chevallier @ 2020-12-28 16:11 UTC (permalink / raw)
  To: buildroot

Support for mtr is added by the admin/netutils module in the SELinux
refpolicy.

Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
---
 package/mtr/mtr.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/mtr/mtr.mk b/package/mtr/mtr.mk
index 7a4b140267..263482534e 100644
--- a/package/mtr/mtr.mk
+++ b/package/mtr/mtr.mk
@@ -11,5 +11,6 @@ MTR_CONF_OPTS = --without-gtk
 MTR_DEPENDENCIES = host-pkgconf $(if $(BR2_PACKAGE_NCURSES),ncurses)
 MTR_LICENSE = GPL-2.0
 MTR_LICENSE_FILES = COPYING
+MTR_SELINUX_MODULES = netutils
 
 $(eval $(autotools-package))
-- 
2.25.4


* [Buildroot] [PATCH v2 11/14] package/nmap: add SELinux module
  2020-12-28 16:11 [Buildroot] [PATCH v2 00/14] packages: Add SELinux modules to some packages Maxime Chevallier
                   ` (9 preceding siblings ...)
  2020-12-28 16:11 ` [Buildroot] [PATCH v2 10/14] package/mtr: " Maxime Chevallier
@ 2020-12-28 16:11 ` Maxime Chevallier
  2020-12-28 16:11 ` [Buildroot] [PATCH v2 12/14] package/tcpdump: " Maxime Chevallier
                   ` (4 subsequent siblings)
  15 siblings, 0 replies; 18+ messages in thread
From: Maxime Chevallier @ 2020-12-28 16:11 UTC (permalink / raw)
  To: buildroot

Support for nmap is added by the admin/netutils module in the SELinux
refpolicy.

Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
---
 package/nmap/nmap.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/nmap/nmap.mk b/package/nmap/nmap.mk
index 46ffd5aef4..aed278ccba 100644
--- a/package/nmap/nmap.mk
+++ b/package/nmap/nmap.mk
@@ -12,6 +12,7 @@ NMAP_CONF_OPTS = --without-liblua --without-zenmap \
 	--with-libdnet=included
 NMAP_LICENSE = nmap license
 NMAP_LICENSE_FILES = LICENSE
+NMAP_SELINUX_MODULES = netutils
 
 # needed by libpcap
 NMAP_LIBS_FOR_STATIC_LINK += `$(STAGING_DIR)/usr/bin/pcap-config --static --additional-libs`
-- 
2.25.4


* [Buildroot] [PATCH v2 12/14] package/tcpdump: add SELinux module
  2020-12-28 16:11 [Buildroot] [PATCH v2 00/14] packages: Add SELinux modules to some packages Maxime Chevallier
                   ` (10 preceding siblings ...)
  2020-12-28 16:11 ` [Buildroot] [PATCH v2 11/14] package/nmap: " Maxime Chevallier
@ 2020-12-28 16:11 ` Maxime Chevallier
  2020-12-28 16:11 ` [Buildroot] [PATCH v2 13/14] package/haveged: " Maxime Chevallier
                   ` (3 subsequent siblings)
  15 siblings, 0 replies; 18+ messages in thread
From: Maxime Chevallier @ 2020-12-28 16:11 UTC (permalink / raw)
  To: buildroot

Support for tcpdump is added by the admin/netutils module in the SELinux
refpolicy.

Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
---
 package/tcpdump/tcpdump.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/tcpdump/tcpdump.mk b/package/tcpdump/tcpdump.mk
index 8db35694ea..23e9333a8f 100644
--- a/package/tcpdump/tcpdump.mk
+++ b/package/tcpdump/tcpdump.mk
@@ -17,6 +17,7 @@ TCPDUMP_CONF_OPTS = \
 	--with-system-libpcap \
 	$(if $(BR2_PACKAGE_TCPDUMP_SMB),--enable-smb,--disable-smb)
 TCPDUMP_DEPENDENCIES = libpcap
+TCPDUMP_SELINUX_MODULES = netutils
 
 # 0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buffer.patch
 TCPDUMP_IGNORE_CVES += CVE-2020-8037
-- 
2.25.4


* [Buildroot] [PATCH v2 13/14] package/haveged: add SELinux module
  2020-12-28 16:11 [Buildroot] [PATCH v2 00/14] packages: Add SELinux modules to some packages Maxime Chevallier
                   ` (11 preceding siblings ...)
  2020-12-28 16:11 ` [Buildroot] [PATCH v2 12/14] package/tcpdump: " Maxime Chevallier
@ 2020-12-28 16:11 ` Maxime Chevallier
  2020-12-28 16:11 ` [Buildroot] [PATCH v2 14/14] package/jitterentropy-library: " Maxime Chevallier
                   ` (2 subsequent siblings)
  15 siblings, 0 replies; 18+ messages in thread
From: Maxime Chevallier @ 2020-12-28 16:11 UTC (permalink / raw)
  To: buildroot

Support for haveged is added by the services/entropyd module in the
SELinux refpolicy.

Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
---
 package/haveged/haveged.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/haveged/haveged.mk b/package/haveged/haveged.mk
index 924b499fa9..3980f80132 100644
--- a/package/haveged/haveged.mk
+++ b/package/haveged/haveged.mk
@@ -8,6 +8,7 @@ HAVEGED_VERSION = 1.9.13
 HAVEGED_SITE = $(call github,jirka-h,haveged,v$(HAVEGED_VERSION))
 HAVEGED_LICENSE = GPL-3.0+
 HAVEGED_LICENSE_FILES = COPYING
+HAVEGED_SELINUX_MODULES = entropyd
 
 ifeq ($(BR2_sparc_v8)$(BR2_sparc_leon3),y)
 HAVEGED_CONF_OPTS += --enable-clock_gettime=yes
-- 
2.25.4


* [Buildroot] [PATCH v2 14/14] package/jitterentropy-library: add SELinux module
  2020-12-28 16:11 [Buildroot] [PATCH v2 00/14] packages: Add SELinux modules to some packages Maxime Chevallier
                   ` (12 preceding siblings ...)
  2020-12-28 16:11 ` [Buildroot] [PATCH v2 13/14] package/haveged: " Maxime Chevallier
@ 2020-12-28 16:11 ` Maxime Chevallier
  2020-12-29 10:30 ` [Buildroot] [PATCH v2 00/14] packages: Add SELinux modules to some packages Antoine Tenart
  2020-12-29 14:05 ` Yann E. MORIN
  15 siblings, 0 replies; 18+ messages in thread
From: Maxime Chevallier @ 2020-12-28 16:11 UTC (permalink / raw)
  To: buildroot

Support for the jitterentropy lib is added by the services/entropyd
module in the SELinux refpolicy.

Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
---
 package/jitterentropy-library/jitterentropy-library.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/jitterentropy-library/jitterentropy-library.mk b/package/jitterentropy-library/jitterentropy-library.mk
index 3db04b27d3..d9dc031c35 100644
--- a/package/jitterentropy-library/jitterentropy-library.mk
+++ b/package/jitterentropy-library/jitterentropy-library.mk
@@ -10,6 +10,7 @@ JITTERENTROPY_LIBRARY_LICENSE = GPL-2.0 or BSD-3-Clause
 JITTERENTROPY_LIBRARY_LICENSE_FILES = COPYING COPYING.bsd COPYING.gplv2
 JITTERENTROPY_LIBRARY_INSTALL_STAGING = YES
 JITTERENTROPY_LIBRARY_INSTALL_TARGETS = install-includes
+JITTERENTROPY_LIBRARY_SELINUX_MODULES = entropyd
 
 ifeq ($(BR2_STATIC_LIBS)$(BR2_SHARED_STATIC_LIBS),y)
 JITTERENTROPY_LIBRARY_BUILD_TARGETS += jitterentropy-static
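Review bot: The added `JITTERENTROPY_LIBRARY_SELINUX_MODULES = entropyd` line needs a word of justification: the surrounding lines show a package that installs headers (`install-includes`) and a static or shared library, with no daemon visible here. The commit message should say which installed file the entropyd module is expected to label, so it is clear the module is needed by this package itself and not only by a consumer of the library.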
-- 
2.25.4


* [Buildroot] [PATCH v2 00/14] packages: Add SELinux modules to some packages
  2020-12-28 16:11 [Buildroot] [PATCH v2 00/14] packages: Add SELinux modules to some packages Maxime Chevallier
                   ` (13 preceding siblings ...)
  2020-12-28 16:11 ` [Buildroot] [PATCH v2 14/14] package/jitterentropy-library: " Maxime Chevallier
@ 2020-12-29 10:30 ` Antoine Tenart
  2020-12-29 14:05 ` Yann E. MORIN
  15 siblings, 0 replies; 18+ messages in thread
From: Antoine Tenart @ 2020-12-29 10:30 UTC (permalink / raw)
  To: buildroot

Hi Maxime,

Quoting Maxime Chevallier (2020-12-28 17:11:20)
> Hello everyone,
> 
> This is the second iteration of the series adding matching between
> packages and the SELinux refpolicy module that supports them.
> 
> This series focuses on the tools that are impacted by the following
> modules in the refpolicy [2] :
> 
>   - services/networkmanager, which adds support for :
>     - iwd
>     - network-manager
>     - wpa_supplicant
> 
>   - system/iptables, which adds support for :
>     - ebtables
>     - ipset
>     - iptables
>     - nftables
> 
>   - admin/netutils, which adds support for :
>     - fping
>     - Some of the iputils tools :
>       - arping
>       - ping
>       - tracepath
>       - traceroute6
>     - mtr
>     - nmap
>     - tcpdump
> 
>   - services/entropyd, which adds support for :
>     - haveged
>     - jitterentropy-library
> 
> With this series, the above-mentioned tools can now be used on systems
> that have SELinux enabled.
> 
> Since V1, the main changes were the removal of the dhcp package which
> will be part of another series, and the rework of the iputils package
> according to Antoine Tenart's review.

The series looks good to me.

Thanks!
Antoine

> Maxime Chevallier (14):
>   package/iwd: add SELinux module
>   package/network-manager: add SELinux module
>   package/wpa_supplicant: add SELinux module
>   package/ebtables: add SELinux module
>   package/ipset: add SELinux module
>   package/iptables: add SELinux module
>   package/nftables: add SELinux module
>   package/fping: add SELinux module
>   package/iputils: add SELinux module
>   package/mtr: add SELinux module
>   package/nmap: add SELinux module
>   package/tcpdump: add SELinux module
>   package/haveged: add SELinux module
>   package/jitterentropy-library: add SELinux module
> 
>  package/ebtables/ebtables.mk                     |  1 +
>  package/fping/fping.mk                           |  1 +
>  package/haveged/haveged.mk                       |  1 +
>  package/ipset/ipset.mk                           |  1 +
>  package/iptables/iptables.mk                     |  2 ++
>  package/iputils/iputils.mk                       | 16 ++++++++++++++++
>  package/iwd/iwd.mk                               |  1 +
>  .../jitterentropy-library.mk                     |  1 +
>  package/mtr/mtr.mk                               |  1 +
>  package/network-manager/network-manager.mk       |  1 +
>  package/nftables/nftables.mk                     |  1 +
>  package/nmap/nmap.mk                             |  1 +
>  package/tcpdump/tcpdump.mk                       |  1 +
>  package/wpa_supplicant/wpa_supplicant.mk         |  1 +
>  14 files changed, 30 insertions(+)
> 
> -- 
> 2.25.4
> 


* [Buildroot] [PATCH v2 00/14] packages: Add SELinux modules to some packages
  2020-12-28 16:11 [Buildroot] [PATCH v2 00/14] packages: Add SELinux modules to some packages Maxime Chevallier
                   ` (14 preceding siblings ...)
  2020-12-29 10:30 ` [Buildroot] [PATCH v2 00/14] packages: Add SELinux modules to some packages Antoine Tenart
@ 2020-12-29 14:05 ` Yann E. MORIN
  15 siblings, 0 replies; 18+ messages in thread
From: Yann E. MORIN @ 2020-12-29 14:05 UTC (permalink / raw)
  To: buildroot

Maxime, All,

On 2020-12-28 17:11 +0100, Maxime Chevallier spake thusly:
> This is the second iteration of the series adding matching between
> packages and the SELinux refpolicy module that supports them.

Series applied to master, thanks. I did some tweaks to one patch, I'll
be replying separately to that one.

Regards,
Yann E. MORIN.

> Maxime
> 
> Maxime Chevallier (14):
>   package/iwd: add SELinux module
>   package/network-manager: add SELinux module
>   package/wpa_supplicant: add SELinux module
>   package/ebtables: add SELinux module
>   package/ipset: add SELinux module
>   package/iptables: add SELinux module
>   package/nftables: add SELinux module
>   package/fping: add SELinux module
>   package/iputils: add SELinux module
>   package/mtr: add SELinux module
>   package/nmap: add SELinux module
>   package/tcpdump: add SELinux module
>   package/haveged: add SELinux module
>   package/jitterentropy-library: add SELinux module
> 
>  package/ebtables/ebtables.mk                     |  1 +
>  package/fping/fping.mk                           |  1 +
>  package/haveged/haveged.mk                       |  1 +
>  package/ipset/ipset.mk                           |  1 +
>  package/iptables/iptables.mk                     |  2 ++
>  package/iputils/iputils.mk                       | 16 ++++++++++++++++
>  package/iwd/iwd.mk                               |  1 +
>  .../jitterentropy-library.mk                     |  1 +
>  package/mtr/mtr.mk                               |  1 +
>  package/network-manager/network-manager.mk       |  1 +
>  package/nftables/nftables.mk                     |  1 +
>  package/nmap/nmap.mk                             |  1 +
>  package/tcpdump/tcpdump.mk                       |  1 +
>  package/wpa_supplicant/wpa_supplicant.mk         |  1 +
>  14 files changed, 30 insertions(+)
> 
> -- 
> 2.25.4
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'


* [Buildroot] [PATCH v2 09/14] package/iputils: add SELinux module
  2020-12-28 16:11 ` [Buildroot] [PATCH v2 09/14] package/iputils: " Maxime Chevallier
@ 2020-12-29 14:09   ` Yann E. MORIN
  0 siblings, 0 replies; 18+ messages in thread
From: Yann E. MORIN @ 2020-12-29 14:09 UTC (permalink / raw)
  To: buildroot

Maxime, All,

On 2020-12-28 17:11 +0100, Maxime Chevallier spake thusly:
> Support for the iputils is added by the admin/netutils module in the
> SELinux refpolicy for the following tools :
>  - arping
>  - ping
>  - tracepath
>  - traceroute6
> 
> Support for rdisc is added by services/rdisc.
> 
> Support for tftpd is added by services/tftp.
> 
> Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
> ---
> V1 -> V2: Use a per-tool module selection, for rdisc and tftpd,
> according to Antoine's review
> 
>  package/iputils/iputils.mk | 16 ++++++++++++++++
>  1 file changed, 16 insertions(+)
> 
> diff --git a/package/iputils/iputils.mk b/package/iputils/iputils.mk
> index 4f8d9cb768..b1d71b38f2 100644
> --- a/package/iputils/iputils.mk
> +++ b/package/iputils/iputils.mk
> @@ -27,6 +27,22 @@ IPUTILS_CONF_OPTS += \
>  	-DBUILD_TRACEROUTE6=$(if $(BR2_PACKAGE_IPUTILS_TRACEROUTE6),true,false) \
>  	-DBUILD_NINFOD=$(if $(BR2_PACKAGE_IPUTILS_NINFOD),true,false)
>  
> +# Selectively select the appropriate SELinux refpolicy modules
> +ifneq ($(BR2_PACKAGE_IPUTILS_ARPING)\

I am not very fond of negative logic, especially as the following related
conditions do use positive logic.

So, I've taken advantage of the fact that the refpolicy modules are
$(sort)ed in the end, and so it does not matter that they are listed
more than once, to come up with this simpler solution:

IPUTILS_SELINUX_MODULES = \
       $(if $(BR2_PACKAGE_IPUTILS_ARPING),netutils) \
       $(if $(BR2_PACKAGE_IPUTILS_PING),netutils) \
       $(if $(BR2_PACKAGE_IPUTILS_TRACEPATH),netutils) \
       $(if $(BR2_PACKAGE_IPUTILS_TRACEROUTE6),netutils) \
       $(if $(BR2_PACKAGE_IPUTILS_RDISC),rdisc) \
       $(if $(BR2_PACKAGE_IPUTILS_TFTPD),tftp)

Applied with this change. Thanks!

Regards,
Yann E. MORIN.

> +	$(BR2_PACKAGE_IPUTILS_PING)\
> +	$(BR2_PACKAGE_IPUTILS_TRACEPATH)\
> +	$(BR2_PACKAGE_IPUTILS_TRACEROUTE6),)
> +IPUTILS_SELINUX_MODULES += netutils
> +endif
> +
> +ifeq ($(BR2_PACKAGE_IPUTILS_RDISC),y)
> +IPUTILS_SELINUX_MODULES += rdisc
> +endif
> +
> +ifeq ($(BR2_PACKAGE_IPUTILS_TFTPD),y)
> +IPUTILS_SELINUX_MODULES += tftp
> +endif
> +
>  #
>  # arping
>  #
> -- 
> 2.25.4
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
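
The two ways of deriving the module list discussed in this message, as a standalone Makefile that also shows how a concatenation test split over continuation lines behaves with and without `$(strip)`. This is an added example, not code from the thread or from Buildroot: the `BR2_*` values are constructed stand-ins for the Kconfig symbols, the `NETUTILS_*` and `IF_MODULES` names and the `show` target are hypothetical, and the final `$(sort)` stands in for the sorting the message refers to.

```make
# demo.mk - constructed example. Run with: make -f demo.mk
# Constructed stand-ins for the Kconfig symbols: only rdisc is enabled.
BR2_PACKAGE_IPUTILS_ARPING =
BR2_PACKAGE_IPUTILS_PING =
BR2_PACKAGE_IPUTILS_TRACEPATH =
BR2_PACKAGE_IPUTILS_TRACEROUTE6 =
BR2_PACKAGE_IPUTILS_RDISC = y
BR2_PACKAGE_IPUTILS_TFTPD =

# Negative test on a concatenation split across lines. make replaces every
# backslash-newline with one space, so with all four symbols empty the
# left-hand operand is made of spaces, which is not equal to the empty string.
ifneq ($(BR2_PACKAGE_IPUTILS_ARPING)\
	$(BR2_PACKAGE_IPUTILS_PING)\
	$(BR2_PACKAGE_IPUTILS_TRACEPATH)\
	$(BR2_PACKAGE_IPUTILS_TRACEROUTE6),)
NETUTILS_CONCAT = netutils
endif

# Same test with $(strip): whitespace-only expansions collapse to empty,
# so the condition holds only when at least one symbol is set.
ifneq ($(strip $(BR2_PACKAGE_IPUTILS_ARPING) \
	$(BR2_PACKAGE_IPUTILS_PING) \
	$(BR2_PACKAGE_IPUTILS_TRACEPATH) \
	$(BR2_PACKAGE_IPUTILS_TRACEROUTE6)),)
NETUTILS_STRIP = netutils
endif

# Positive logic, one $(if) per tool. A module may be listed several times;
# the duplicates are removed by the $(sort) applied to the final list.
IF_MODULES = \
       $(if $(BR2_PACKAGE_IPUTILS_ARPING),netutils) \
       $(if $(BR2_PACKAGE_IPUTILS_PING),netutils) \
       $(if $(BR2_PACKAGE_IPUTILS_TRACEPATH),netutils) \
       $(if $(BR2_PACKAGE_IPUTILS_TRACEROUTE6),netutils) \
       $(if $(BR2_PACKAGE_IPUTILS_RDISC),rdisc) \
       $(if $(BR2_PACKAGE_IPUTILS_TFTPD),tftp)

.PHONY: show
show:
	@echo "ifneq, concatenated : $(NETUTILS_CONCAT)"
	@echo "ifneq, with strip   : $(NETUTILS_STRIP)"
	@echo "if list, raw        : $(strip $(IF_MODULES))"
	@echo "if list, sorted     : $(sort $(IF_MODULES))"
```

With the defaults the first line still reports `netutils` although none of the four tools is enabled. Passing `BR2_PACKAGE_IPUTILS_ARPING=y BR2_PACKAGE_IPUTILS_PING=y` on the make command line shows the repeated `netutils` in the raw list collapsing to a single entry after `$(sort)`.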
