[Buildroot] [PATCH v3 00/16] SELinux Buildroot Additions
Clayton Shotwell
clshotwe at rockwellcollins.com
Wed Sep 25 19:32:35 UTC 2013
This is Round 3 for the SELinux package additions.

General changes in this version:
- Reordered patches to ensure dependencies come before the packages.
- Removed the libsepol package since it has already been applied.
- Incorporated changes from Thomas and Arnout on many of the packages.

Per Thomas Petazzoni's <thomas.petazzoni at free-electrons.com> email, here is
a brief overview of SELinux and how I have implemented it in buildroot.

SELinux is made up of several packages and Linux kernel configurations.
The best reference, at least the most complete, is probably the SELinux
Notebook at the link below. The notebook details how SELinux works and
gives very good examples on how to implement SELinux policies.
http://www.freetechbooks.com/the-selinux-notebook-the-foundations-t785.html

Packages:
  libsepol
  libselinux
  libsemanage
  checkpolicy
  sepolgen
  setools
  policycoreutils
  refpolicy

For this implementation, I have added a package hierarchy that will allow
for both a debugging and a pared-down release version. The debugging
version requires Python support and is therefore much larger, while the
release version does not. To enable the release version, simply select
the refpolicy package (BR2_PACKAGE_REFPOLICY) and it selects all of the
necessary packages to enable SELinux. For the debugging version, select
the policycoreutils debugging configure option
(BR2_PACKAGE_POLICYCOREUTILS_POLICY_DEBUGGING). This will pull in Python
and a bunch of other packages into the build to debug the SELinux policy
on target.

Caveats:
1. The Linux kernel config will need to be changed to enable SELinux
   support and extended attribute support on the file systems.
2. The busybox config will need to be changed to remove some packages
   or to build each executable as a stand-alone package. The busybox
   symlinks don't work well with the default refpolicy.
3. The audit package will need to be enabled to log issues with the
   SELinux policy, especially if it is in enforcing mode.
4. If a modular SELinux policy is selected,
   BR2_PACKAGE_REFPOLICY_MONOLITHIC = n, then the policy will be compiled
   on target during the first boot which will take a long time (about
   a half hour on a pandaboard).
Clayton Shotwell (16):
pcre: Add host build support
libselinux: new package
ustr: new package
bzip2: Add host build shared library installation
libsemanage: new package
checkpolicy: new package
sepolgen: new package
sqlite: Add host build support
setools: new package
libcgroup: new package
python-pyparsing: Add host build option
audit: new package
policycoreutils: new package
python-pyxml: new package
refpolicy: new package
shadow: new package
package/Config.in | 16 +
package/Config.in.host | 1 +
package/audit/Config.in | 10 +
package/audit/S14auditd | 172 +++
...it-0001-cross-compile-header-creation-fix.patch | 1424 ++++++++++++++++++++
package/audit/audit-0002-remove-zos-plugin.patch | 35 +
package/audit/audit.mk | 58 +
package/bzip2/bzip2.mk | 2 +
package/checkpolicy/Config.in.host | 10 +
package/checkpolicy/checkpolicy.mk | 30 +
package/libcgroup/Config.in | 4 +
package/libcgroup/libcgroup.mk | 38 +
package/libselinux/Config.in | 19 +
package/libselinux/libselinux.mk | 94 ++
package/libsemanage/Config.in | 20 +
.../libsemanage-0001-execption-lib-path-fix.patch | 14 +
package/libsemanage/libsemanage.mk | 80 ++
package/pcre/pcre.mk | 1 +
package/policycoreutils/Config.in | 76 ++
package/policycoreutils/S15restorecond | 85 ++
.../policycoreutils-0001-cross-compile-fixes.patch | 332 +++++
package/policycoreutils/policycoreutils.mk | 230 ++++
package/python-pyparsing/python-pyparsing.mk | 47 +-
package/python-pyxml/Config.in | 11 +
package/python-pyxml/python-xml.mk | 58 +
package/refpolicy/Config.in | 58 +
package/refpolicy/S12selinux | 134 ++
package/refpolicy/config | 8 +
.../refpolicy-0001-gentoo-hardened-fixes.patch | 1250 +++++++++++++++++
package/refpolicy/refpolicy.mk | 80 ++
package/sepolgen/Config.in | 8 +
package/sepolgen/sepolgen.mk | 35 +
package/setools/Config.in | 21 +
.../setools/setools-0001-cross-compile-fixes.patch | 121 ++
.../setools-0002-swig-typedef-python-fixes.patch | 1014 ++++++++++++++
package/setools/setools.mk | 85 ++
package/shadow/Config.in | 13 +
package/shadow/shadow.mk | 49 +
package/sqlite/sqlite.mk | 1 +
package/ustr/Config.in | 11 +
.../ustr-0001-cross-compile-modifications.patch | 144 ++
package/ustr/ustr.mk | 55 +
42 files changed, 5941 insertions(+), 13 deletions(-)
create mode 100644 package/audit/Config.in
create mode 100755 package/audit/S14auditd
create mode 100644 package/audit/audit-0001-cross-compile-header-creation-fix.patch
create mode 100644 package/audit/audit-0002-remove-zos-plugin.patch
create mode 100644 package/audit/audit.mk
create mode 100644 package/checkpolicy/Config.in.host
create mode 100644 package/checkpolicy/checkpolicy.mk
create mode 100644 package/libcgroup/Config.in
create mode 100644 package/libcgroup/libcgroup.mk
create mode 100644 package/libselinux/Config.in
create mode 100644 package/libselinux/libselinux.mk
create mode 100644 package/libsemanage/Config.in
create mode 100644 package/libsemanage/libsemanage-0001-execption-lib-path-fix.patch
create mode 100644 package/libsemanage/libsemanage.mk
create mode 100644 package/policycoreutils/Config.in
create mode 100755 package/policycoreutils/S15restorecond
create mode 100644 package/policycoreutils/policycoreutils-0001-cross-compile-fixes.patch
create mode 100644 package/policycoreutils/policycoreutils.mk
create mode 100644 package/python-pyxml/Config.in
create mode 100644 package/python-pyxml/python-xml.mk
create mode 100644 package/refpolicy/Config.in
create mode 100644 package/refpolicy/S12selinux
create mode 100755 package/refpolicy/config
create mode 100644 package/refpolicy/refpolicy-0001-gentoo-hardened-fixes.patch
create mode 100644 package/refpolicy/refpolicy.mk
create mode 100644 package/sepolgen/Config.in
create mode 100644 package/sepolgen/sepolgen.mk
create mode 100644 package/setools/Config.in
create mode 100644 package/setools/setools-0001-cross-compile-fixes.patch
create mode 100644 package/setools/setools-0002-swig-typedef-python-fixes.patch
create mode 100644 package/setools/setools.mk
create mode 100644 package/shadow/Config.in
create mode 100644 package/shadow/shadow.mk
create mode 100644 package/ustr/Config.in
create mode 100644 package/ustr/ustr-0001-cross-compile-modifications.patch
create mode 100644 package/ustr/ustr.mk
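
A pre-build check for caveats 1, 3 and 4 of the cover letter above, as an added example that is not part of the patch series or of Buildroot. The kernel symbol names and BR2_PACKAGE_AUDIT are assumptions chosen for the example, the other BR2_* names are the ones the letter gives, and the busybox caveat is not checked.

```shell
#!/bin/sh
# Added example, not part of the patch series. Kernel symbol names and
# BR2_PACKAGE_AUDIT are assumptions; the other BR2_* names are from the letter.

# has_opt FILE SYMBOL: true when SYMBOL is set to y (or m) in a Kconfig .config
has_opt() { grep -Eq "^$2=[ym]\$" "$1"; }

# check_selinux_prereqs BR_CONFIG KERNEL_CONFIG
# Prints one finding per line; returns 1 if a hard prerequisite is missing.
check_selinux_prereqs() {
    br=$1; kc=$2; rc=0
    has_opt "$br" BR2_PACKAGE_REFPOLICY ||
        { echo "MISSING buildroot: BR2_PACKAGE_REFPOLICY"; rc=1; }
    # Caveat 1: SELinux in the kernel, plus security xattrs on a filesystem
    for sym in CONFIG_SECURITY CONFIG_SECURITY_SELINUX; do
        has_opt "$kc" "$sym" || { echo "MISSING kernel: $sym"; rc=1; }
    done
    grep -Eq '^CONFIG_([A-Z0-9]+_FS_SECURITY|TMPFS_XATTR)=y$' "$kc" ||
        { echo "MISSING kernel: filesystem security xattr support"; rc=1; }
    # Caveat 3: without audit, policy denials are not logged
    has_opt "$br" BR2_PACKAGE_AUDIT ||
        { echo "MISSING buildroot: BR2_PACKAGE_AUDIT"; rc=1; }
    # Caveat 4: a modular policy is compiled on target at first boot
    has_opt "$br" BR2_PACKAGE_REFPOLICY_MONOLITHIC ||
        echo "WARN: modular policy, expect a long first boot"
    has_opt "$br" BR2_PACKAGE_POLICYCOREUTILS_POLICY_DEBUGGING &&
        echo "INFO: debugging build, Python is pulled in"
    return "$rc"
}

# Constructed sample configs (not taken from any real board), then one run
demo() {
    d=$(mktemp -d); st=0
    printf '%s\n' 'BR2_PACKAGE_REFPOLICY=y' \
        '# BR2_PACKAGE_REFPOLICY_MONOLITHIC is not set' > "$d/br.config"
    printf '%s\n' 'CONFIG_SECURITY=y' 'CONFIG_SECURITY_SELINUX=y' \
        '# CONFIG_EXT4_FS_SECURITY is not set' > "$d/kernel.config"
    check_selinux_prereqs "$d/br.config" "$d/kernel.config" || st=$?
    rm -rf "$d"; return "$st"
}
demo || echo "prerequisites missing (exit $?)"
```
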