[Buildroot] [PATCH v4 3/3] refpolicy: add ability to set default state.
Thomas Petazzoni
thomas.petazzoni at free-electrons.com
Tue Jun 6 21:40:04 UTC 2017
Hello,
On Sat, 20 May 2017 16:41:43 -0400, Adam Duskett wrote:
> SELinux requires a config file in /etc/selinux which controls the state
> of SELinux on the system.
>
> This config file has two options set in it:
> SELINUX which sets the state of selinux on boot.
> SELINUXTYPE which should equal the name of the policy. In this case, the
> default name is targeted.
>
> This patch adds:
> - A choice menu on Config.in that allows the user to select a default
> SELinux state.
>
> - A basic config file that will be installed to
> target/etc/selinux and will set SELINUX= to the selected state.
>
> Signed-off-by: Adam Duskett <Adamduskett at outlook.com>
I've applied, after doing a few changes as well.
> +choice
> + prompt "SELinux default state"
> + default BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE
> +
> +config BR2_PACKAGE_REFPOLICY_STATE_ENFORCING
> + bool "Enforcing"
> + help
> + SELinux security policy is enforced
> +
> +config BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE
> + bool "Permissive"
> + help
> + SELinux prints warnings instead of enforcing
> +
> +config BR2_PACKAGE_REFPOLICY_STATE_DISABLED
> + bool "Disabled"
> + help
> + No SELinux policy is loaded
> +endchoice
> +
> +config BR2_PACKAGE_REFPOLICY_STATE
> + string
> + default "permissive" if BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE
> + default "enforcing" if BR2_PACKAGE_REFPOLICY_STATE_ENFORCING
> + default "disabled" if BR2_PACKAGE_REFPOLICY_STATE_DISABLED
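Review bot: the choice defaults to permissive (default BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE) and the choice itself has no help text, so a user who never opens this menu gets an image where denials are only logged. Add a help entry under the prompt stating that the selected value is written to SELINUX= in /etc/selinux/config on the target, and extend the "Permissive" help to say that denials are logged but not blocked.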
To be consistent with the other option, I've renamed all options to
BR2_PACKAGE_REFPOLICY_POLICY_STATE_xyz.
> REFPOLICY_PYINC = -I$(HOST_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)/site-packages
> +REFPOLICY_NAME = "targeted"
This variable is unused, so I dropped it.
> define REFPOLICY_INSTALL_TARGET_CMDS
> $(REFPOLICY_MAKE) -C $(@D) install DESTDIR=$(TARGET_DIR)
> + $(INSTALL) -m 0755 -D package/refpolicy/config \
> + $(TARGET_DIR)/etc/selinux/config
> +
> + $(SED) "/^SELINUX=/c\SELINUX=$(BR2_PACKAGE_REFPOLICY_STATE)" \
> + $(TARGET_DIR)/etc/selinux/config
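Review bot: the $(INSTALL) line installs /etc/selinux/config with -m 0755, but this is a plain key=value configuration file and nothing executes it. Use -m 0644 so the file is not marked executable on the target.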
And I've added a qstripped version of this variable. So the code looks
like this:
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
index 4d85ee5..aab1877 100644
--- a/package/refpolicy/refpolicy.mk
+++ b/package/refpolicy/refpolicy.mk
@@ -31,6 +31,8 @@ REFPOLICY_MAKE = \
REFPOLICY_POLICY_VERSION = \
$(call qstrip,$(BR2_PACKAGE_REFPOLICY_POLICY_VERSION))
+REFPOLICY_POLICY_STATE = \
+ $(call qstrip,$(BR2_PACKAGE_REFPOLICY_POLICY_STATE))
define REFPOLICY_CONFIGURE_CMDS
$(SED) "/OUTPUT_POLICY/c\OUTPUT_POLICY = $(REFPOLICY_POLICY_VERSION)" \
@@ -50,6 +52,10 @@ endef
define REFPOLICY_INSTALL_TARGET_CMDS
$(REFPOLICY_MAKE) -C $(@D) DESTDIR=$(TARGET_DIR) install
+ $(INSTALL) -m 0755 -D package/refpolicy/config \
+ $(TARGET_DIR)/etc/selinux/config
+ $(SED) "/^SELINUX=/c\SELINUX=$(REFPOLICY_POLICY_STATE)" \
+ $(TARGET_DIR)/etc/selinux/config
endef
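Review bot: the $(SED) line in REFPOLICY_INSTALL_TARGET_CMDS only rewrites a line that already starts with SELINUX=; if package/refpolicy/config ever loses that line, sed changes nothing, the build still succeeds, and the selected state is never written. Consider failing the install step when the expected line is absent afterwards (for example a grep -q for "^SELINUX=$(REFPOLICY_POLICY_STATE)$" right after the sed), or generating the file outright instead of patching a template.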
Once again, please test that everything still works fine for you after
my changes.
Thanks a lot for this work on refpolicy.
Thomas
--
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com