On Mon, Sep 20, 2021 at 4:21 PM Antoine Tenart wrote:

> Quoting José Pekkarinen (2021-09-20 11:44:42)
> > On Mon, Sep 20, 2021 at 12:30 PM Antoine Tenart <atenart@kernel.org> wrote:
> > > Quoting José Pekkarinen (2021-09-20 08:01:27)
> > > >
> > > > Absolutely, in the security section of my .config we can read the
> > > > following:
> > > > BR2_PACKAGE_POLICYCOREUTILS=y
> > > > BR2_PACKAGE_REFPOLICY=y
> > > > BR2_REFPOLICY_EXTRA_MODULES_DIRS="$OUTPUT_DIR/selinux"
> > > > BR2_PACKAGE_REFPOLICY_POLICY_STATE_ENFORCING=y
> > >
> > > This should work. Did you check that the content of your module shows
> > > up after applying this patch?
> >
> > Yes, after the patch I can see the module copied in the folder:
> > build/refpolicy-2.20200818$ ls policy/modules/buildroot/
> > base.fc base.if base.te metadata.xml secure.fc secure.if secure.te
> >
> > And:
> >
> > /build/refpolicy-2.20200818$ grep secure policy/modules.conf
> > # Module: secure
> > secure = base
> > # Small and secure DNS daemon.
>
> I'm missing something here. I did the test and using the module and
> configuration snippets you provided (replacing $OUTPUT_DIR/selinux with
> something else; and adding a to secure.if[1]). It worked. The
> 'secure' module was found and enabled.
>
> The logic is the following in Buildroot for extra modules:
>
> 1. The modules are rsynced in policy/modules/buildroot/.
> 2. If not already there, a metadata.xml file is added.
> 3. The refpolicy build system is used[2] to generate modules.conf using
>    all modules matching 'policy/modules/*/*.te'.
> 4. All modules in modules.conf are disabled and then only the ones in
>    REFPOLICY_MODULES are enabled.
>
> It looks like more of a refpolicy/module issue than a Buildroot one:
> steps 1 and 2 seem to work, but not step 3. If you retrieve the
> refpolicy project outside of Buildroot and mimic the above steps, are
> your modules listed in modules.conf? If not that might be a good
> starting point. I don't have a better idea for now...
>

Hi,

I did, and this is what modules.conf looks like when it comes to the
section of my module:

[...]
# Module: xscreensaver
#
# Modular screen saver and locker for X11.
#
xscreensaver = module
# Layer: buildroot
# Module: secure
#
# Layer: kernel
# Module: storage
[...]

Now, reading the INSTALL file, it says the following:

If you do not have a modules.conf, one can be generated:

    make conf

This will create a *default modules.conf*.

This default makes me think it implies you'd need to activate your own
modules if they are there, and why I believe buildroot would require that
extra logic. refpolicy project may stand for letting users add their own,
but not taking part on it themselves.

Best regards.

José.

>
> Antoine
>
> [1] Which I guess is not your issue as otherwise the configuration step
>     fails and the build stops.
> [2] `make -j1 bare conf`
>

--
José.
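A check for the symptom visible in the modules.conf excerpt above, as an added example that is not part of the original message and is not Buildroot or refpolicy code: it lists every module that has a "# Module:" header but no "name = base|module|off" line, which is how an extra SELinux module can end up missing from an enforcing policy without the build failing. The function names and the sample input are constructed for illustration; the sample is modelled on the excerpt, with the storage assignment added.

```shell
#!/bin/sh
# Added example (not from the thread): find refpolicy modules that are
# described in modules.conf but never assigned a build state.

# Usage: modules_without_state [modules.conf ...]   (reads stdin if no file)
modules_without_state() {
    awk '
        # Stanza header, e.g. "# Module: secure"
        /^# Module:[ \t]/ {
            name = $3
            if (!(name in seen)) { seen[name] = 1; order[++n] = name }
            next
        }
        # Uncommented assignment, e.g. "xscreensaver = module"
        /^[ \t]*[A-Za-z0-9_-]+[ \t]*=[ \t]*(base|module|off)[ \t]*$/ {
            split($0, kv, "=")
            gsub(/[ \t]/, "", kv[1])
            state[kv[1]] = 1
            next
        }
        END {
            # Report headers that never got an assignment, in file order
            for (i = 1; i <= n; i++)
                if (!(order[i] in state)) print order[i]
        }
    ' "$@"
}

# Constructed sample input, modelled on the excerpt quoted in the message.
sample_modules_conf() {
    cat <<'EOF'
# Module: xscreensaver
#
# Modular screen saver and locker for X11.
#
xscreensaver = module
# Layer: buildroot
# Module: secure
#
# Layer: kernel
# Module: storage
storage = base
EOF
}

sample_modules_conf | modules_without_state
```

Against a real tree, pass the generated file instead of the sample, for example `modules_without_state policy/modules.conf` from the refpolicy build directory.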