* [Buildroot] [PATCH 1/3] refpolicy: new package
@ 2017-05-10 17:46 Adam Duskett
  2017-05-10 17:46 ` [Buildroot] [PATCH 2/3] refpolicy: add ability to specify policy version Adam Duskett
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Adam Duskett @ 2017-05-10 17:46 UTC (permalink / raw)
  To: buildroot

The patch is for adding selinux reference policy (refpolicy).
It is a complete SELinux policy that can be used as the system policy
for a variety of systems and used as the basis for creating other policies.

Signed-off-by: Adam Duskett <aduskett@codeblue.com>
---
 package/Config.in                |  1 +
 package/refpolicy/Config.in      | 29 ++++++++++++++++++++++++
 package/refpolicy/refpolicy.hash |  2 ++
 package/refpolicy/refpolicy.mk   | 49 ++++++++++++++++++++++++++++++++++++++++
 4 files changed, 81 insertions(+)
 create mode 100644 package/refpolicy/Config.in
 create mode 100644 package/refpolicy/refpolicy.hash
 create mode 100644 package/refpolicy/refpolicy.mk

diff --git a/package/Config.in b/package/Config.in
index d57813c..6aa6885 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1754,6 +1754,7 @@ endmenu
 menu "Security"
 	source "package/checkpolicy/Config.in"
 	source "package/policycoreutils/Config.in"
+	source "package/refpolicy/Config.in"
 	source "package/sepolgen/Config.in"
 	source "package/setools/Config.in"
 endmenu
diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
new file mode 100644
index 0000000..e772cac
--- /dev/null
+++ b/package/refpolicy/Config.in
@@ -0,0 +1,29 @@
+config BR2_PACKAGE_REFPOLICY
+	bool "refpolicy"
+	depends on BR2_TOOLCHAIN_HAS_THREADS # policycoreutils
+	depends on BR2_TOOLCHAIN_USES_GLIBC # policycoreutils
+	select BR2_PACKAGE_POLICYCOREUTILS
+	select BR2_PACKAGE_BUSYBOX_SELINUX if BR2_PACKAGE_BUSYBOX
+	help
+	  The SELinux Reference Policy project (refpolicy) is a
+	  complete SELinux policy that can be used as the system
+	  policy for a variety of systems and used as the basis
+	  for creating other policies. Reference Policy was originally
+	  based on the NSA example policy, but aims to accomplish
+	  many additional goals.
+
+	  The current refpolicy does not fully support Buildroot
+	  and needs modifications to work with the default system
+	  file layout. These changes should be added as patches to
+	  the refpolicy that modify a single SELinux policy.
+
+	  The refpolicy works for the most part in permissive mode. Only
+	  the basic set of utilities are enabled in the example policy
+	  config and some of the pathing in the policies is not correct.
+	  Individual policies would need to be tweaked to get everything
+	  functioning properly.
+
+	  https://github.com/TresysTechnology/refpolicy
+
+comment "refpolicy needs a toolchain w/ threads, glibc"
+	depends on !BR2_TOOLCHAIN_HAS_THREADS || !BR2_TOOLCHAIN_USES_GLIBC
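Review bot: `select BR2_PACKAGE_POLICYCOREUTILS` is only safe if this symbol repeats every dependency of the selected package, and only threads and glibc are listed here. The earlier submission quoted at the end of this thread also carried `depends on BR2_PACKAGE_AUDIT_ARCH_SUPPORTS`, `depends on !BR2_STATIC_LIBS` and `depends on !BR2_arc`. If those still apply to policycoreutils or its libraries, they need to be repeated here and mirrored in the `comment` entry; otherwise the select can produce a configuration with unmet dependencies.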
diff --git a/package/refpolicy/refpolicy.hash b/package/refpolicy/refpolicy.hash
new file mode 100644
index 0000000..7aeac41
--- /dev/null
+++ b/package/refpolicy/refpolicy.hash
@@ -0,0 +1,2 @@
+#From https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease
+sha256 08f9e2afc5e4939c23e56deeec7c47da029d7b85d82fb4ded01a36eb5da0651e  refpolicy-RELEASE_2_20170204.tar.gz
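Review bot: This sha256 is copied from the upstream DownloadRelease page, so it describes the upstream release tarball, while refpolicy.mk in the same patch fetches with `REFPOLICY_SITE_METHOD = git` and `REFPOLICY_GIT_SUBMODULES = y`. The archive assembled locally from a git checkout plus submodules is presumably not byte-identical to the upstream tarball, even though it gets the same file name. The hash then either fails the check or does not describe what is actually built. Either compute the hash over the locally generated archive and change the comment to `# Locally computed`, or download the release tarball this hash belongs to. `REFPOLICY_VERSION` also looks like a tag name rather than a commit id, which leaves this hash as the only integrity check on the sources of a security policy.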
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
new file mode 100644
index 0000000..d565cbd
--- /dev/null
+++ b/package/refpolicy/refpolicy.mk
@@ -0,0 +1,49 @@
+################################################################################
+#
+# refpolicy
+#
+################################################################################
+
+REFPOLICY_VERSION = RELEASE_2_20170204
+
+# Do not use GitHub helper as git submodules are needed for refpolicy-contrib
+REFPOLICY_SITE = https://github.com/TresysTechnology/refpolicy.git
+REFPOLICY_SITE_METHOD = git
+REFPOLICY_GIT_SUBMODULES = y
+REFPOLICY_LICENSE = GPLv2
+REFPOLICY_LICENSE_FILES = COPYING
+REFPOLICY_INSTALL_STAGING = YES
+REFPOLICY_DEPENDENCIES += \
+	host-m4 \
+	host-checkpolicy \
+	host-policycoreutils \
+	host-setools \
+	host-gawk \
+	host-python \
+	policycoreutils
+
+REFPOLICY_PYINC = -I$(HOST_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)/site-packages
+
+# Cannot use multiple threads to build the reference policy
+REFPOLICY_MAKE = PYTHON="$(HOST_DIR)/usr/bin/python2" $(TARGET_MAKE_ENV) $(MAKE1)
+
+define REFPOLICY_CONFIGURE_CMDS
+	$(SED) "/OUTPUT_POLICY/c\OUTPUT_POLICY = 30" $(@D)/build.conf
+	$(SED) "/MONOLITHIC/c\MONOLITHIC = y" $(@D)/build.conf
+	$(SED) "/NAME/c\NAME = targeted" $(@D)/build.conf
+endef
+
+define REFPOLICY_BUILD_CMDS
+	$(REFPOLICY_MAKE) -C $(@D) bare conf DESTDIR=$(STAGING_DIR)
+endef
+
+define REFPOLICY_INSTALL_STAGING_CMDS
+	$(REFPOLICY_MAKE) -C $(@D) install-src install-headers \
+	DESTDIR=$(STAGING_DIR)
+endef
+
+define REFPOLICY_INSTALL_TARGET_CMDS
+	$(REFPOLICY_MAKE) -C $(@D) install DESTDIR=$(TARGET_DIR)
+endef
+
+$(eval $(generic-package))
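Review bot: The three `$(SED)` expressions in REFPOLICY_CONFIGURE_CMDS use unanchored patterns (`/OUTPUT_POLICY/`, `/MONOLITHIC/`, `/NAME/`), so `c\` replaces every line of build.conf that merely contains the word. That includes comment lines and any other setting whose name or description contains `NAME`. Anchoring each pattern to the assignment, for example `$(SED) "/^[# ]*NAME *=/c\NAME = targeted" $(@D)/build.conf`, limits the edit to the intended line; the exact prefix should be checked against the shipped build.conf, which is not visible here. Separately, `REFPOLICY_PYINC` is defined but never referenced in this file as posted and can be dropped until something uses it.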
-- 
2.9.3


* [Buildroot] [PATCH 2/3] refpolicy: add ability to specify policy version
  2017-05-10 17:46 [Buildroot] [PATCH 1/3] refpolicy: new package Adam Duskett
@ 2017-05-10 17:46 ` Adam Duskett
  2017-05-10 17:47 ` [Buildroot] [PATCH 3/3] refpolicy: add ability to set default state Adam Duskett
  2017-05-10 17:58 ` [Buildroot] [PATCH 1/3] refpolicy: new package Matthew Weber
  2 siblings, 0 replies; 8+ messages in thread
From: Adam Duskett @ 2017-05-10 17:46 UTC (permalink / raw)
  To: buildroot

Refpolicy by default will build the highest version supported.
This may cause older kernels to not load the policy.

This patch adds a custom policy version string which is defaulted
to 30, which is the highest supported as of today.

Signed-off-by: Adam Duskett <aduskett@codeblue.com>
---
 package/refpolicy/Config.in    | 8 ++++++++
 package/refpolicy/refpolicy.mk | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
index e772cac..e12222e 100644
--- a/package/refpolicy/Config.in
+++ b/package/refpolicy/Config.in
@@ -27,3 +27,11 @@ config BR2_PACKAGE_REFPOLICY
 
 comment "refpolicy needs a toolchain w/ threads, glibc"
 	depends on !BR2_TOOLCHAIN_HAS_THREADS || !BR2_TOOLCHAIN_USES_GLIBC
+
+if BR2_PACKAGE_REFPOLICY
+
+config BR2_PACKAGE_REFPOLICY_VERSION
+	string "Policy version"
+	default "30"
+
+endif
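Review bot: `BR2_PACKAGE_REFPOLICY_VERSION` is declared as a free-form `string` with no `help`, and its value is pasted straight into a sed script in refpolicy.mk. Declaring it `int` lets Kconfig reject non-numeric input. A help text should say that this is the binary policy version written to OUTPUT_POLICY, and that it must not exceed what the target kernel can load, which is the reason given in the commit message. The name is also easy to confuse with `REFPOLICY_VERSION`, the package version in refpolicy.mk; a name such as `BR2_PACKAGE_REFPOLICY_POLICY_VERSION` would avoid that.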
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
index d565cbd..1eb0c54 100644
--- a/package/refpolicy/refpolicy.mk
+++ b/package/refpolicy/refpolicy.mk
@@ -28,7 +28,7 @@ REFPOLICY_PYINC = -I$(HOST_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)/site-p
 REFPOLICY_MAKE = PYTHON="$(HOST_DIR)/usr/bin/python2" $(TARGET_MAKE_ENV) $(MAKE1)
 
 define REFPOLICY_CONFIGURE_CMDS
-	$(SED) "/OUTPUT_POLICY/c\OUTPUT_POLICY = 30" $(@D)/build.conf
+	$(SED) "/OUTPUT_POLICY/c\OUTPUT_POLICY = $(BR2_PACKAGE_REFPOLICY_VERSION)" $(@D)/build.conf
 	$(SED) "/MONOLITHIC/c\MONOLITHIC = y" $(@D)/build.conf
 	$(SED) "/NAME/c\NAME = targeted" $(@D)/build.conf
 endef
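Review bot: `$(BR2_PACKAGE_REFPOLICY_VERSION)` is a Kconfig string, so it expands with its own double quotes inside an already double-quoted sed script. The line only works because the shell concatenates the resulting pieces, and a value containing a space or a quote would change the command line. Strip the quotes before use: `$(SED) "/OUTPUT_POLICY/c\OUTPUT_POLICY = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_VERSION))" $(@D)/build.conf`. The same applies to `$(BR2_PACKAGE_REFPOLICY_STATE)` in the `SELINUX=` sed added by patch 3/3.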
-- 
2.9.3


* [Buildroot] [PATCH 3/3] refpolicy: add ability to set default state.
  2017-05-10 17:46 [Buildroot] [PATCH 1/3] refpolicy: new package Adam Duskett
  2017-05-10 17:46 ` [Buildroot] [PATCH 2/3] refpolicy: add ability to specify policy version Adam Duskett
@ 2017-05-10 17:47 ` Adam Duskett
  2017-05-10 17:59   ` Matthew Weber
  2017-05-10 17:58 ` [Buildroot] [PATCH 1/3] refpolicy: new package Matthew Weber
  2 siblings, 1 reply; 8+ messages in thread
From: Adam Duskett @ 2017-05-10 17:47 UTC (permalink / raw)
  To: buildroot

SELinux requires a config file in /etc/selinux which controls the state
of SELinux on the system.

This config file has two options set in it:
SELINUX, which sets the state of SELinux on boot.
SELINUXTYPE which should equal the name of the policy.  In this case, the
default name is targeted.

This patch adds:
- A choice menu on Config.in that allows the user to select a default
  SELinux state.

- A basic config file that will be installed to
  target/etc/selinux and will set SELINUX= to the selected state.

Signed-off-by: Adam Duskett <aduskett@codeblue.com>
---
 package/refpolicy/Config.in    | 25 +++++++++++++++++++++++++
 package/refpolicy/config       |  9 +++++++++
 package/refpolicy/refpolicy.mk |  6 ++++++
 3 files changed, 40 insertions(+)
 create mode 100644 package/refpolicy/config

diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
index e12222e..b6f86d3 100644
--- a/package/refpolicy/Config.in
+++ b/package/refpolicy/Config.in
@@ -33,5 +33,30 @@ if BR2_PACKAGE_REFPOLICY
 config BR2_PACKAGE_REFPOLICY_VERSION
 	string "Policy version"
 	default "30"
+choice
+	prompt "SELinux default state"
+	default BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE
+
+config BR2_PACKAGE_REFPOLICY_STATE_ENFORCING
+	bool "Enforcing"
+	help
+	  SELinux security policy is enforced
+
+config BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE
+	bool "Permissive"
+	help
+	  SELinux prints warnings instead of enforcing
+
+config BR2_PACKAGE_REFPOLICY_STATE_DISABLED
+	bool "Disabled"
+	help
+	  No SELinux policy is loaded
+endchoice
+
+config BR2_PACKAGE_REFPOLICY_STATE
+	string
+	default "permissive" if BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE
+	default "enforcing" if BR2_PACKAGE_REFPOLICY_STATE_ENFORCING
+	default "disabled" if BR2_PACKAGE_REFPOLICY_STATE_DISABLED
 
 endif
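Review bot: The `choice` defaults to `BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE` and has no `help` of its own, so a user who enables refpolicy gets an image that logs denials but enforces nothing unless they find this submenu. Add a help text to the choice that states the consequence, for example `Permissive is the default because the reference policy is not yet adapted to the Buildroot file layout; denials are logged but not blocked. Select Enforcing only after testing the policy on the target.` The `choice` line also follows `default "30"` with no blank line between the two entries. The enclosing `if BR2_PACKAGE_REFPOLICY` block starts outside this hunk.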
diff --git a/package/refpolicy/config b/package/refpolicy/config
new file mode 100644
index 0000000..a45a349
--- /dev/null
+++ b/package/refpolicy/config
@@ -0,0 +1,9 @@
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+#     enforcing - SELinux security policy is enforced.
+#     permissive - SELinux prints warnings instead of enforcing.
+#     disabled - No SELinux policy is loaded.
+SELINUX=disabled
+
+SELINUXTYPE=targeted
+
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
index 1eb0c54..c982014 100644
--- a/package/refpolicy/refpolicy.mk
+++ b/package/refpolicy/refpolicy.mk
@@ -23,6 +23,7 @@ REFPOLICY_DEPENDENCIES += \
 	policycoreutils
 
 REFPOLICY_PYINC = -I$(HOST_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)/site-packages
+REFPOLICY_NAME = "targeted"
 
 # Cannot use multiple threads to build the reference policy
 REFPOLICY_MAKE = PYTHON="$(HOST_DIR)/usr/bin/python2" $(TARGET_MAKE_ENV) $(MAKE1)
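Review bot: `REFPOLICY_NAME` is added here but nothing in the visible hunks reads it. The configure step still hard-codes `NAME = targeted`, and the new package/refpolicy/config hard-codes `SELINUXTYPE=targeted`. The commit message says SELINUXTYPE should equal the policy name, so either use the variable in both places or drop it; three independent copies of the name can drift apart. As written the value also includes the literal double quotes, because make does not strip them; `REFPOLICY_NAME = targeted` is the form to use.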
@@ -44,6 +45,11 @@ endef
 
 define REFPOLICY_INSTALL_TARGET_CMDS
 	$(REFPOLICY_MAKE) -C $(@D) install DESTDIR=$(TARGET_DIR)
+	$(INSTALL) -m 0755 -D package/refpolicy/config \
+		$(TARGET_DIR)/etc/selinux/config
+
+	$(SED) "/^SELINUX=/c\SELINUX=$(BR2_PACKAGE_REFPOLICY_STATE)" \
+		$(TARGET_DIR)/etc/selinux/config
 endef
 
 $(eval $(generic-package))
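Review bot: `$(INSTALL) -m 0755` marks /etc/selinux/config executable, which a plain configuration file does not need; `$(INSTALL) -m 0644 -D package/refpolicy/config \` is the appropriate mode. The installed template also ships `SELINUX=disabled` and relies on the following sed to rewrite it. If that sed ever matches nothing, the image is built with SELinux disabled and no error is reported. Writing the template with the safer value, or checking the result with `grep -q "^SELINUX=<state>"` after the edit, would make that failure visible.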
-- 
2.9.3


* [Buildroot] [PATCH 1/3] refpolicy: new package
  2017-05-10 17:46 [Buildroot] [PATCH 1/3] refpolicy: new package Adam Duskett
  2017-05-10 17:46 ` [Buildroot] [PATCH 2/3] refpolicy: add ability to specify policy version Adam Duskett
  2017-05-10 17:47 ` [Buildroot] [PATCH 3/3] refpolicy: add ability to set default state Adam Duskett
@ 2017-05-10 17:58 ` Matthew Weber
  2017-05-10 19:50   ` Thomas Petazzoni
  2 siblings, 1 reply; 8+ messages in thread
From: Matthew Weber @ 2017-05-10 17:58 UTC (permalink / raw)
  To: buildroot

Adam,

On Wed, May 10, 2017 at 12:46 PM, Adam Duskett <aduskett@gmail.com> wrote:
> The patch is for adding selinux reference policy (refpolicy).
> It is a complete SELinux policy that can be used as the system policy
> for a variety of systems and used as the basis for creating other policies.
>

Similar patchset submitted here:
https://patchwork.ozlabs.org/patch/711535/

> Signed-off-by: Adam Duskett <aduskett@codeblue.com>
> ---
>  package/Config.in                |  1 +
>  package/refpolicy/Config.in      | 29 ++++++++++++++++++++++++
>  package/refpolicy/refpolicy.hash |  2 ++
>  package/refpolicy/refpolicy.mk   | 49 ++++++++++++++++++++++++++++++++++++++++
>  4 files changed, 81 insertions(+)
>  create mode 100644 package/refpolicy/Config.in
>  create mode 100644 package/refpolicy/refpolicy.hash
>  create mode 100644 package/refpolicy/refpolicy.mk
>
> diff --git a/package/Config.in b/package/Config.in
> index d57813c..6aa6885 100644
> --- a/package/Config.in
> +++ b/package/Config.in
> @@ -1754,6 +1754,7 @@ endmenu
>  menu "Security"
>         source "package/checkpolicy/Config.in"
>         source "package/policycoreutils/Config.in"
> +       source "package/refpolicy/Config.in"
>         source "package/sepolgen/Config.in"
>         source "package/setools/Config.in"
>  endmenu
> diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
> new file mode 100644
> index 0000000..e772cac
> --- /dev/null
> +++ b/package/refpolicy/Config.in
> @@ -0,0 +1,29 @@
> +config BR2_PACKAGE_REFPOLICY
> +       bool "refpolicy"
> +       depends on BR2_TOOLCHAIN_HAS_THREADS # policycoreutils
> +       depends on BR2_TOOLCHAIN_USES_GLIBC # policycoreutils
> +       select BR2_PACKAGE_POLICYCOREUTILS
> +       select BR2_PACKAGE_BUSYBOX_SELINUX if BR2_PACKAGE_BUSYBOX
> +       help
> +         The SELinux Reference Policy project (refpolicy) is a
> +         complete SELinux policy that can be used as the system
> +         policy for a variety of systems and used as the basis
> +         for creating other policies. Reference Policy was originally
> +         based on the NSA example policy, but aims to accomplish
> +         many additional goals.
> +
> +         The current refpolicy does not fully support Buildroot
> +         and needs modifications to work with the default system
> +         file layout. These changes should be added as patches to
> +         the refpolicy that modify a single SELinux policy.
> +
> +         The refpolicy works for the most part in permissive mode. Only
> +         the basic set of utilities are enabled in the example policy
> +         config and some of the pathing in the policies is not correct.
> +         Individual policies would need to be tweaked to get everything
> +         functioning properly.
> +
> +         https://github.com/TresysTechnology/refpolicy
> +
> +comment "refpolicy needs a toolchain w/ threads, glibc"
> +       depends on !BR2_TOOLCHAIN_HAS_THREADS || !BR2_TOOLCHAIN_USES_GLIBC
> diff --git a/package/refpolicy/refpolicy.hash b/package/refpolicy/refpolicy.hash
> new file mode 100644
> index 0000000..7aeac41
> --- /dev/null
> +++ b/package/refpolicy/refpolicy.hash
> @@ -0,0 +1,2 @@
> +#From https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease
> +sha256 08f9e2afc5e4939c23e56deeec7c47da029d7b85d82fb4ded01a36eb5da0651e  refpolicy-RELEASE_2_20170204.tar.gz
> diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
> new file mode 100644
> index 0000000..d565cbd
> --- /dev/null
> +++ b/package/refpolicy/refpolicy.mk
> @@ -0,0 +1,49 @@
> +################################################################################
> +#
> +# refpolicy
> +#
> +################################################################################
> +
> +REFPOLICY_VERSION = RELEASE_2_20170204
> +
> +# Do not use GitHub helper as git submodules are needed for refpolicy-contrib
> +REFPOLICY_SITE = https://github.com/TresysTechnology/refpolicy.git
> +REFPOLICY_SITE_METHOD = git
> +REFPOLICY_GIT_SUBMODULES = y
> +REFPOLICY_LICENSE = GPLv2
> +REFPOLICY_LICENSE_FILES = COPYING
> +REFPOLICY_INSTALL_STAGING = YES
> +REFPOLICY_DEPENDENCIES += \
> +       host-m4 \
> +       host-checkpolicy \
> +       host-policycoreutils \
> +       host-setools \
> +       host-gawk \
> +       host-python \
> +       policycoreutils
> +
> +REFPOLICY_PYINC = -I$(HOST_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)/site-packages
> +
> +# Cannot use multiple threads to build the reference policy
> +REFPOLICY_MAKE = PYTHON="$(HOST_DIR)/usr/bin/python2" $(TARGET_MAKE_ENV) $(MAKE1)
> +
> +define REFPOLICY_CONFIGURE_CMDS
> +       $(SED) "/OUTPUT_POLICY/c\OUTPUT_POLICY = 30" $(@D)/build.conf
> +       $(SED) "/MONOLITHIC/c\MONOLITHIC = y" $(@D)/build.conf
> +       $(SED) "/NAME/c\NAME = targeted" $(@D)/build.conf
> +endef
> +
> +define REFPOLICY_BUILD_CMDS
> +       $(REFPOLICY_MAKE) -C $(@D) bare conf DESTDIR=$(STAGING_DIR)
> +endef
> +
> +define REFPOLICY_INSTALL_STAGING_CMDS
> +       $(REFPOLICY_MAKE) -C $(@D) install-src install-headers \
> +       DESTDIR=$(STAGING_DIR)
> +endef
> +
> +define REFPOLICY_INSTALL_TARGET_CMDS
> +       $(REFPOLICY_MAKE) -C $(@D) install DESTDIR=$(TARGET_DIR)
> +endef
> +
> +$(eval $(generic-package))
> --
> 2.9.3
>
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot



-- 
Matthew L Weber / Pr Software Engineer
Airborne Information Systems / Security Systems and Software / Secure Platforms
MS 131-100, C Ave NE, Cedar Rapids, IA, 52498, USA
www.rockwellcollins.com

Note: Any Export License Required Information and License Restricted
Third Party Intellectual Property (TPIP) content must be encrypted and
sent to matthew.weber at corp.rockwellcollins.com.


* [Buildroot] [PATCH 3/3] refpolicy: add ability to set default state.
  2017-05-10 17:47 ` [Buildroot] [PATCH 3/3] refpolicy: add ability to set default state Adam Duskett
@ 2017-05-10 17:59   ` Matthew Weber
  0 siblings, 0 replies; 8+ messages in thread
From: Matthew Weber @ 2017-05-10 17:59 UTC (permalink / raw)
  To: buildroot

Adam,

On Wed, May 10, 2017 at 12:47 PM, Adam Duskett <aduskett@gmail.com> wrote:
> SELinux requires a config file in /etc/selinux which controls the state
> of SELinux on the system.
>
> This config file has two options set in it:
> SELINUX which set's the state of selinux on boot.
> SELINUXTYPE which should equal the name of the policy.  In this case, the
> default name is targeted.
>
> This patch adds:
> - A choice menu on Config.in that allows the user to select a default
>   SELinux state.
>
> - A basic config file that will be installed to
>   target/etc/selinux and will set SELINUX= to the selected state.
>

Similar patchset submitted here:
https://patchwork.ozlabs.org/patch/711537/
https://patchwork.ozlabs.org/patch/711536/

> Signed-off-by: Adam Duskett <aduskett@codeblue.com>
> ---
>  package/refpolicy/Config.in    | 25 +++++++++++++++++++++++++
>  package/refpolicy/config       |  9 +++++++++
>  package/refpolicy/refpolicy.mk |  6 ++++++
>  3 files changed, 40 insertions(+)
>  create mode 100644 package/refpolicy/config
>
> diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
> index e12222e..b6f86d3 100644
> --- a/package/refpolicy/Config.in
> +++ b/package/refpolicy/Config.in
> @@ -33,5 +33,30 @@ if BR2_PACKAGE_REFPOLICY
>  config BR2_PACKAGE_REFPOLICY_VERSION
>         string "Policy version"
>         default "30"
> +choice
> +       prompt "SELinux default state"
> +       default BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE
> +
> +config BR2_PACKAGE_REFPOLICY_STATE_ENFORCING
> +       bool "Enforcing"
> +       help
> +         SELinux security policy is enforced
> +
> +config BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE
> +       bool "Permissive"
> +       help
> +         SELinux prints warnings instead of enforcing
> +
> +config BR2_PACKAGE_REFPOLICY_STATE_DISABLED
> +       bool "Disabled"
> +       help
> +         No SELinux policy is loaded
> +endchoice
> +
> +config BR2_PACKAGE_REFPOLICY_STATE
> +       string
> +       default "permissive" if BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE
> +       default "enforcing" if BR2_PACKAGE_REFPOLICY_STATE_ENFORCING
> +       default "disabled" if BR2_PACKAGE_REFPOLICY_STATE_DISABLED
>
>  endif
> diff --git a/package/refpolicy/config b/package/refpolicy/config
> new file mode 100644
> index 0000000..a45a349
> --- /dev/null
> +++ b/package/refpolicy/config
> @@ -0,0 +1,9 @@
> +# This file controls the state of SELinux on the system.
> +# SELINUX= can take one of these three values:
> +#     enforcing - SELinux security policy is enforced.
> +#     permissive - SELinux prints warnings instead of enforcing.
> +#     disabled - No SELinux policy is loaded.
> +SELINUX=disabled
> +
> +SELINUXTYPE=targeted
> +
> diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
> index 1eb0c54..c982014 100644
> --- a/package/refpolicy/refpolicy.mk
> +++ b/package/refpolicy/refpolicy.mk
> @@ -23,6 +23,7 @@ REFPOLICY_DEPENDENCIES += \
>         policycoreutils
>
>  REFPOLICY_PYINC = -I$(HOST_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)/site-packages
> +REFPOLICY_NAME = "targeted"
>
>  # Cannot use multiple threads to build the reference policy
>  REFPOLICY_MAKE = PYTHON="$(HOST_DIR)/usr/bin/python2" $(TARGET_MAKE_ENV) $(MAKE1)
> @@ -44,6 +45,11 @@ endef
>
>  define REFPOLICY_INSTALL_TARGET_CMDS
>         $(REFPOLICY_MAKE) -C $(@D) install DESTDIR=$(TARGET_DIR)
> +       $(INSTALL) -m 0755 -D package/refpolicy/config \
> +               $(TARGET_DIR)/etc/selinux/config
> +
> +       $(SED) "/^SELINUX=/c\SELINUX=$(BR2_PACKAGE_REFPOLICY_STATE)" \
> +               $(TARGET_DIR)/etc/selinux/config
>  endef
>
>  $(eval $(generic-package))
> --
> 2.9.3
>
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot



-- 
Matthew L Weber / Pr Software Engineer
Airborne Information Systems / Security Systems and Software / Secure Platforms
MS 131-100, C Ave NE, Cedar Rapids, IA, 52498, USA
www.rockwellcollins.com

Note: Any Export License Required Information and License Restricted
Third Party Intellectual Property (TPIP) content must be encrypted and
sent to matthew.weber at corp.rockwellcollins.com.


* [Buildroot] [PATCH 1/3] refpolicy: new package
  2017-05-10 17:58 ` [Buildroot] [PATCH 1/3] refpolicy: new package Matthew Weber
@ 2017-05-10 19:50   ` Thomas Petazzoni
  2017-05-10 20:18     ` Adam Duskett
  0 siblings, 1 reply; 8+ messages in thread
From: Thomas Petazzoni @ 2017-05-10 19:50 UTC (permalink / raw)
  To: buildroot

Hello,

On Wed, 10 May 2017 12:58:46 -0500, Matthew Weber wrote:

> On Wed, May 10, 2017 at 12:46 PM, Adam Duskett <aduskett@gmail.com> wrote:
> > The patch is for adding selinux reference policy (refpolicy).
> > It is a complete SELinux policy that can be used as the system policy
> > for a variety of systems and used as the basis for creating other policies.
> >  
> 
> Similar patchset submitted here:
> https://patchwork.ozlabs.org/patch/711535/

Exactly what I was going to say: what is the difference between this
new submission, and the one from Bryce Ferguson already in patchwork ?

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com


* [Buildroot] [PATCH 1/3] refpolicy: new package
  2017-05-10 19:50   ` Thomas Petazzoni
@ 2017-05-10 20:18     ` Adam Duskett
  0 siblings, 0 replies; 8+ messages in thread
From: Adam Duskett @ 2017-05-10 20:18 UTC (permalink / raw)
  To: buildroot

Hello

On May 10, 2017 3:50 PM, "Thomas Petazzoni" <
thomas.petazzoni@free-electrons.com> wrote:

Hello,

On Wed, 10 May 2017 12:58:46 -0500, Matthew Weber wrote:

> On Wed, May 10, 2017 at 12:46 PM, Adam Duskett <aduskett@gmail.com> wrote:
> > The patch is for adding selinux reference policy (refpolicy).
> > It is a complete SELinux policy that can be used as the system policy
> > for a variety of systems and used as the basis for creating other
policies.
> >
>
> Similar patchset submitted here:
> https://patchwork.ozlabs.org/patch/711535/

Exactly what I was going to say: what is the difference between this
new submission, and the one from Bryce Ferguson already in patchwork ?

I talked to Bryce earlier today and asked if I could take over the patch
for him, so I cleaned up the makefile and made everything cleaner for the
next round.

Best regards,

Thomas
--
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com


Adam

* [Buildroot] [PATCH 1/3] refpolicy: new package
@ 2017-01-05 18:10 Bryce Ferguson
  0 siblings, 0 replies; 8+ messages in thread
From: Bryce Ferguson @ 2017-01-05 18:10 UTC (permalink / raw)
  To: buildroot

From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>

The patch is for adding selinux reference policy (refpolicy).
It is a complete SELinux policy that can be used as the system policy
for a variety of systems and used as the basis for creating other policies.

Signed-off-by: Bryce Ferguson <bryce.ferguson@rockwellcollins.com>
---
 package/Config.in                                  |   1 +
 .../0001-Fix-awk-references-to-use-variable.patch  |  42 +++++++
 .../0002-support-fc_sort-use-_FOR_BUILD.patch      |  27 +++++
 package/refpolicy/Config.in                        |  91 +++++++++++++++
 package/refpolicy/S00selinux                       | 124 +++++++++++++++++++++
 package/refpolicy/refpolicy.hash                   |   2 +
 package/refpolicy/refpolicy.mk                     |  67 +++++++++++
 7 files changed, 354 insertions(+)
 create mode 100644 package/refpolicy/0001-Fix-awk-references-to-use-variable.patch
 create mode 100644 package/refpolicy/0002-support-fc_sort-use-_FOR_BUILD.patch
 create mode 100644 package/refpolicy/Config.in
 create mode 100644 package/refpolicy/S00selinux
 create mode 100644 package/refpolicy/refpolicy.hash
 create mode 100644 package/refpolicy/refpolicy.mk

diff --git a/package/Config.in b/package/Config.in
index 6511c98..f73f529 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1679,6 +1679,7 @@ endmenu
 
 menu "Security"
 	source "package/policycoreutils/Config.in"
+	source "package/refpolicy/Config.in"
 	source "package/setools/Config.in"
 endmenu
 
diff --git a/package/refpolicy/0001-Fix-awk-references-to-use-variable.patch b/package/refpolicy/0001-Fix-awk-references-to-use-variable.patch
new file mode 100644
index 0000000..8236fa2
--- /dev/null
+++ b/package/refpolicy/0001-Fix-awk-references-to-use-variable.patch
@@ -0,0 +1,42 @@
+From 1d4c826e8de366bccb93f167cd9be834ab5911c8 Mon Sep 17 00:00:00 2001
+From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+Date: Fri, 8 May 2015 14:13:00 -0500
+Subject: [PATCH] Fix awk references to use variable
+
+Ensure all awk calls use the variable setup in the makefile rather than
+relying on the system.
+
+Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+---
+ Makefile | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 85d4cfb..3aa4b51 100644
+--- a/Makefile
++++ b/Makefile
+@@ -292,9 +292,9 @@ cmdline_mods := $(addsuffix .te,$(APPS_MODS))
+ cmdline_off := $(addsuffix .te,$(APPS_OFF))
+ 
+ # extract settings from modules.conf
+-mod_conf_base := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configbase)") print $$1 }' $(mod_conf) 2> /dev/null)))
+-mod_conf_mods := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configmod)") print $$1 }' $(mod_conf) 2> /dev/null)))
+-mod_conf_off := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configoff)") print $$1 }' $(mod_conf) 2> /dev/null)))
++mod_conf_base := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configbase)") print $$1 }' $(mod_conf) 2> /dev/null)))
++mod_conf_mods := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configmod)") print $$1 }' $(mod_conf) 2> /dev/null)))
++mod_conf_off := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configoff)") print $$1 }' $(mod_conf) 2> /dev/null)))
+ 
+ base_mods := $(cmdline_base)
+ mod_mods := $(cmdline_mods)
+@@ -308,7 +308,7 @@ off_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_c
+ off_mods += $(filter-out $(base_mods) $(mod_mods) $(off_mods),$(notdir $(detected_mods)))
+ 
+ # filesystems to be used in labeling targets
+-filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
++filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | $(AWK) '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
+ fs_names := "btrfs ext2 ext3 ext4 xfs jfs"
+ 
+ ########################################
+-- 
+1.9.1
+
diff --git a/package/refpolicy/0002-support-fc_sort-use-_FOR_BUILD.patch b/package/refpolicy/0002-support-fc_sort-use-_FOR_BUILD.patch
new file mode 100644
index 0000000..a8322e6
--- /dev/null
+++ b/package/refpolicy/0002-support-fc_sort-use-_FOR_BUILD.patch
@@ -0,0 +1,27 @@
+From bbd4bd5407cccda7e29e1943c7c8ad5309c90d2f Mon Sep 17 00:00:00 2001
+From: Matt Weber <matthew.weber@rockwellcollins.com>
+Date: Fri, 23 Dec 2016 13:14:58 -0600
+Subject: [PATCH] refpolicy: support/fc_sort use *_FOR_BUILD
+Updates the one C based tool to use the CC_FOR_BUILD
+and respective flags variable as a full host build
+isn't required..
+Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/Makefile b/Makefile
+index 4feba89..3643d48 100644
+--- a/Makefile
++++ b/Makefile
+@@ -400,7 +400,7 @@ $(mod_conf) $(booleans): $(polxml)
+ # Generate the fc_sort program
+ #
+ $(fcsort) : $(support)/fc_sort.c
+-	$(verbose) $(CC) $(CFLAGS) $^ -o $@
++	$(verbose) $(CC_FOR_BUILD) $(CFLAGS_FOR_BUILD) $^ -o $@
+ 
+ ########################################
+ #
+-- 
+1.9.1
+
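Review bot: The embedded patch has no blank line between its `Subject:` header and the message body, and none before `Signed-off-by:` or before `diff --git`, unlike 0001 in the same series. The hunk header counts 27 lines and 27 are present, so this appears to be how the file was written rather than a display artifact. Mail-format parsers may then fold the body into the header block or the subject. Add the separating blank lines (as `+` lines) after `Subject:`, before `Signed-off-by:`, and after the diffstat, and update the `@@ -0,0 +1,27 @@` count to match.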
diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
new file mode 100644
index 0000000..6ed0bff
--- /dev/null
+++ b/package/refpolicy/Config.in
@@ -0,0 +1,91 @@
+config BR2_PACKAGE_REFPOLICY
+	bool "refpolicy"
+	select BR2_PACKAGE_POLICYCOREUTILS
+	select BR2_PACKAGE_BUSYBOX_SELINUX if BR2_PACKAGE_BUSYBOX
+	depends on BR2_PACKAGE_AUDIT_ARCH_SUPPORTS # libsemanage
+	depends on BR2_TOOLCHAIN_HAS_THREADS # libsemanage
+	depends on !BR2_STATIC_LIBS #libsemanage
+	depends on !BR2_arc # libsemanage
+	depends on BR2_TOOLCHAIN_USES_GLIBC # libsemanage
+	help
+	  The SELinux Reference Policy project (refpolicy) is a
+	  complete SELinux policy that can be used as the system
+	  policy for a variety of systems and used as the basis
+	  for creating other policies. Reference Policy was originally
+	  based on the NSA example policy, but aims to accomplish
+	  many additional goals.
+
+	  The current refpolicy does not fully support Buildroot
+	  and needs modifications to work with the default system
+	  file layout. These changes should be added as patches to
+	  the refpolicy that modify a single SELinux policy.
+
+	  The refpolicy works for the most part in permissive mode. Only the
+	  basic set of utilities are enabled in the example policy config and
+	  some of the pathing in the policies is not correct. Individual
+	  policies would need to be tweaked to get everything functioning
+	  properly.
+
+comment "refpolicy needs a glibc toolchain w/ thread, dynamic library"
+	depends on !BR2_arc
+	depends on BR2_PACKAGE_AUDIT_ARCH_SUPPORTS
+	depends on BR2_STATIC_LIBS || !BR2_TOOLCHAIN_HAS_THREADS || \
+		!BR2_TOOLCHAIN_USES_GLIBC
+
+if BR2_PACKAGE_REFPOLICY
+
+choice
+	prompt "SELinux policy type"
+	default BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
+
+config BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
+	bool "Standard"
+	help
+	  Standard SELinux policy enabling type enforcement only
+
+config BR2_PACKAGE_REFPOLICY_TYPE_MCS
+	bool "MCS"
+	help
+	  SELinux policy with multi-category support
+
+config BR2_PACKAGE_REFPOLICY_TYPE_MLS
+	bool "MLS"
+	help
+	  SELinux policy with multi-category and multi-level support
+
+endchoice
+
+config BR2_PACKAGE_REFPOLICY_TYPE
+	string
+	default "standard" if BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
+	default "mcs" if BR2_PACKAGE_REFPOLICY_TYPE_MCS
+	default "mls" if BR2_PACKAGE_REFPOLICY_TYPE_MLS
+
+choice
+	prompt "SELinux default state"
+	default BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE
+
+config BR2_PACKAGE_REFPOLICY_STATE_ENFORCE
+	bool "Enforcing"
+	help
+	  SELinux security policy is enforced
+
+config BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE
+	bool "Permissive"
+	help
+	  SELinux prints warnings instead of enforcing
+
+config BR2_PACKAGE_REFPOLICY_STATE_DISABLE
+	bool "Disabled"
+	help
+	  No SELinux policy is loaded
+
+endchoice
+
+config BR2_PACKAGE_REFPOLICY_STATE
+	string
+	default "permissive" if BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE
+	default "enforcing" if BR2_PACKAGE_REFPOLICY_STATE_ENFORCE
+	default "disabled" if BR2_PACKAGE_REFPOLICY_STATE_DISABLE
+
+endif
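Review bot: The "SELinux default state" choice defaults to `BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE`, and the help text for that entry ("SELinux prints warnings instead of enforcing") does not say that a permissive image gets no confinement from the policy. The package help already explains that the policy mostly works only in permissive mode, so the consequence belongs where the user picks the state. I would extend the help to something like `SELinux logs policy denials but still allows the access; meant for policy development, the image is not confined by the policy`.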
diff --git a/package/refpolicy/S00selinux b/package/refpolicy/S00selinux
new file mode 100644
index 0000000..ea4fbfb
--- /dev/null
+++ b/package/refpolicy/S00selinux
@@ -0,0 +1,124 @@
+#!/bin/sh
+################################################################################
+#
+# This file labels the security contexts of memory based filesystems such as
+# /dev/ and checks for auto relabel request if '/.autorelabel' file exists.
+#
+# This script is a heavily stripped down and modified version of the one used
+# in CentOS 6.2
+#
+################################################################################
+
+failed()
+{
+   echo $1
+   exit 1
+}
+
+# Get SELinux config env vars
+. /etc/selinux/config || failed "Failed to source the SELinux config"
+
+setup_selinux() {
+   # Create required directories
+   mkdir -p /etc/selinux/${SELINUXTYPE}/policy/ ||
+         failed "Failed to create the policy folder"
+   mkdir -p /etc/selinux/${SELINUXTYPE}/modules/active/modules || \
+         failed "Failed to create the modules folder"
+   if [ ! -f /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local ]
+   then
+      touch /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local || \
+            failed "Failed to create the file_contexts.local file"
+   fi
+
+   # Load the policy to activate it
+   load_policy -i || failed "Failed to load the SELinux policy"
+}
+
+relabel_selinux() {
+   # if /sbin/init is not labeled correctly this process is running in the
+   # wrong context, so a reboot will be required after relabel
+   AUTORELABEL=
+
+   # Switch to Permissive mode
+   echo "0" > /sys/fs/selinux/enforce || failed "Failed to disable enforcing mode"
+
+   echo
+   echo "*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
+   echo "*** Relabeling could take a very long time, depending on file"
+   echo "*** system size and speed of hard drives."
+
+   # Relabel mount points
+   restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) \
+         >/dev/null 2>&1 || failed "Failed to relabel the mount points"
+
+   # Relabel file system
+   echo "Relabeling file systems"
+   restorecon -R -F / || failed "Failed to relabel the file system"
+
+   # Remove label
+   rm -f  /.autorelabel || failed "Failed to remove the autorelabel flag"
+
+   # Reboot to activate relabeled file system
+   echo "Automatic reboot in progress."
+   reboot -f
+}
+
+start() {
+   printf "Initializing SELinux: "
+
+   # Check to see if the default policy has been installed
+   if [ "`sestatus | grep "SELinux status" | grep enabled`" == "" ]; then
+      if [ ! -f /etc/selinux/${SELINUXTYPE}/policy/policy.* ]
+      then
+         setup_selinux
+      else
+           # Load the policy to activate it
+           load_policy -i || failed "Failed to load the SELinux policy"
+      fi
+   fi
+
+   # Check SELinux status
+   SELINUX_STATE=
+   if [ -e "/selinux/enforce" ] && [ "$(cat /proc/self/attr/current)" != "kernel" ]; then
+      if [ -r "/selinux/enforce" ] ; then
+         SELINUX_STATE=$(cat "/selinux/enforce")
+      else
+         # assume enforcing if you can't read it
+         SELINUX_STATE=1
+      fi
+   fi
+
+   # Context Label /dev/
+      /sbin/restorecon -R -F /dev 2>/dev/null
+
+   # Context Label tmpfs mounts.
+   # using /proc/mounts to discover tmpfs mounts
+      /sbin/restorecon -R -F $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// && $3 =="tmpfs" { print $2 }' /etc/fstab) >/dev/null 2>&1
+
+   # Clean up SELinux labels
+      restorecon -F /etc/mtab /etc/ld.so.cache /etc/resolv.conf >/dev/null 2>&1
+
+   # Check for filesystem relabel request
+   if [ -f /.autorelabel ] ; then
+      relabel_selinux
+   fi
+
+   echo "OK"
+}
+stop() {
+   # There is nothing to do
+   :
+}
+
+case "$1" in
+   start)
+      start
+      ;;
+   stop)
+      stop
+      ;;
+   *)
+      echo "Usage: $0 {start|stop}"
+      exit 1
+      ;;
+esac
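Review bot: `relabel_selinux` writes `0` to `/sys/fs/selinux/enforce`, and every later failure path (both `restorecon` calls and `rm -f /.autorelabel`) goes through `failed`, which only exits the script. A failed relabel therefore leaves the kernel permissive even when `/etc/selinux/config` asks for enforcing, and on a read-only root filesystem the `rm` would presumably fail on every boot. I would remember the previous mode and put it back before exiting, as sketched below. Separately, `start` reads `/selinux/enforce` into `SELINUX_STATE`, a different path from the one written during relabel, and never uses the variable, so that block can be dropped or pointed at `/sys/fs/selinux/enforce`. The comment above the tmpfs `restorecon` also says `/proc/mounts` while the command parses `/etc/fstab`.

```shell
relabel_failed()
{
   # Put the previous mode back before giving up, so a failed relabel
   # does not leave the system permissive
   if [ "$PREV_ENFORCE" = "1" ]; then
      echo "1" > /sys/fs/selinux/enforce
   fi
   failed "$1"
}

relabel_selinux() {
   # … unchanged: AUTORELABEL= …

   # Remember the mode we were in before switching to permissive
   PREV_ENFORCE=$(cat /sys/fs/selinux/enforce 2>/dev/null)
   echo "0" > /sys/fs/selinux/enforce || failed "Failed to disable enforcing mode"

   # … unchanged: warning banner …

   restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) \
         >/dev/null 2>&1 || relabel_failed "Failed to relabel the mount points"
   restorecon -R -F / || relabel_failed "Failed to relabel the file system"
   rm -f  /.autorelabel || relabel_failed "Failed to remove the autorelabel flag"

   # … unchanged: reboot -f …
}
```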
diff --git a/package/refpolicy/refpolicy.hash b/package/refpolicy/refpolicy.hash
new file mode 100644
index 0000000..3ff37dc
--- /dev/null
+++ b/package/refpolicy/refpolicy.hash
@@ -0,0 +1,2 @@
+#From https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease
+sha256 2dd2f45a7132137afe8302805c3b7839739759b9ab73dd1815c01afe34ac99de  refpolicy-RELEASE_2_20151208.tar.gz
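Review bot: The entry names `refpolicy-RELEASE_2_20151208.tar.gz` and its comment points at the upstream DownloadRelease page, but `refpolicy.mk` in this patch fetches the source with `REFPOLICY_SITE_METHOD = git` plus submodules. The archive that gets checked would then be one generated locally from the clone, not the upstream release tarball. It is worth confirming that this sha256 matches the locally generated archive, refpolicy-contrib submodule content included, and recording that in the comment, e.g. `# Locally computed from the git clone of RELEASE_2_20151208, submodules included`. If the value was copied from the release page, it likely either fails the download or verifies nothing about what is actually built.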
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
new file mode 100644
index 0000000..9b3e1c5
--- /dev/null
+++ b/package/refpolicy/refpolicy.mk
@@ -0,0 +1,67 @@
+################################################################################
+#
+# refpolicy
+#
+################################################################################
+
+REFPOLICY_VERSION = RELEASE_2_20151208
+
+# Do not use GitHub helper as git submodules are needed for refpolicy-contrib
+REFPOLICY_SITE = https://github.com/TresysTechnology/refpolicy.git
+REFPOLICY_SITE_METHOD = git
+REFPOLICY_GIT_SUBMODULES = y # Required for refpolicy-contrib
+REFPOLICY_LICENSE = GPLv2
+REFPOLICY_LICENSE_FILES = COPYING
+
+# Cannot use multiple threads to build the reference policy
+REFPOLICY_MAKE = $(TARGET_MAKE_ENV) $(MAKE1)
+
+REFPOLICY_DEPENDENCIES += host-m4 host-checkpolicy host-policycoreutils \
+						host-gawk host-python
+
+REFPOLICY_INSTALL_STAGING = YES
+
+REFPOLICY_POLICY_NAME = br_policy
+
+# Note, the TEST_TOOLCHAIN option will also set the
+# LD_LIBRARY_PATH at run time.
+REFPOLICY_MAKE_OPTS = $(TARGET_CONFIGURE_OPTS) \
+	TEST_TOOLCHAIN="$(HOST_DIR)"
+
+# Build requires python2 to run
+REFPOLICY_MAKE_ENV = \
+	PYTHON="$(HOST_DIR)/usr/bin/python2" \
+	AWK="$(HOST_DIR)/usr/bin/gawk" \
+	M4="$(HOST_DIR)/usr/bin/m4"
+
+define REFPOLICY_CONFIGURE_CMDS
+	$(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) bare \
+		$(REFPOLICY_MAKE_OPTS) DESTDIR=$(STAGING_DIR)
+	$(SED) "/TYPE/c\TYPE = $(BR2_PACKAGE_REFPOLICY_TYPE)" $(@D)/build.conf
+	$(SED) "/MONOLITHIC/c\MONOLITHIC = y" $(@D)/build.conf
+	$(SED) "/NAME/c\NAME = $(REFPOLICY_POLICY_NAME)" $(@D)/build.conf
+
+	$(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) conf \
+		$(REFPOLICY_MAKE_OPTS) DESTDIR=$(STAGING_DIR)
+endef
+
+define REFPOLICY_INSTALL_STAGING_CMDS
+	$(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) install-src install-headers \
+		install-docs $(REFPOLICY_MAKE_OPTS) DESTDIR=$(STAGING_DIR)
+endef
+
+define REFPOLICY_INSTALL_TARGET_CMDS
+	$(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) install \
+		$(REFPOLICY_MAKE_OPTS) DESTDIR=$(TARGET_DIR)
+	echo SELINUX=$(BR2_PACKAGE_REFPOLICY_STATE) > $(TARGET_DIR)/etc/selinux/config
+	echo SELINUXTYPE=$(REFPOLICY_POLICY_NAME) >> $(TARGET_DIR)/etc/selinux/config
+	touch $(TARGET_DIR)/.autorelabel
+	$(RM) $(TARGET_DIR)/etc/selinux/$(REFPOLICY_POLICY_NAME)/booleans
+endef
+
+define REFPOLICY_INSTALL_INIT_SYSV
+	$(INSTALL) -m 0755 -D package/refpolicy/S00selinux \
+		$(TARGET_DIR)/etc/init.d/S00selinux
+endef
+
+$(eval $(generic-package))
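Review bot: `REFPOLICY_GIT_SUBMODULES = y # Required for refpolicy-contrib` puts the comment on the assignment line, so make keeps the whitespace before `#` and the value becomes `y ` rather than `y`. As far as I recall, the Buildroot manual documents `YES` as the value for this variable. refpolicy-contrib only arrives through the submodule, so the fetch should not depend on how the infrastructure happens to test this value. I would move the comment to the line above and write `REFPOLICY_GIT_SUBMODULES = YES`.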
-- 
1.9.1
