[yocto] [meta-selinux][RFC v2] refpolicy: Add generic refpolicy recipe and make policy type configurable.
Philip Tricca
flihp at twobit.us
Wed Nov 13 12:05:53 PST 2013
This is a fix up for my previous RFC. I've cleaned up an error with some \
variable use. The intent remains the same:
This RFC is a significant departure from the way the policy packages are
currently set up. The noteworthy differences are:
1) the POLICY_TYPE variable can be set as configuration outside the policy recipe
2) a single refpolicy recipe can be used to build all 3 policy types
3) DEFAULT_POLICY from selinux-config has been changed to be the same POLICY_TYPE variable as the policy
4) refpolicy depends on the config and sets the POLICY_TYPE accordingly
This approach was taken to allow the use of a policy type beyond the default
MLS. I've left the other refpolicy-* recipes in tact but if this approach is
acceptable they could be removed if we're willing to accept the limitation
that only one policy may be installed on a given image. If this limitation
isn't acceptable then they can be left as is.
After thinking about this a bit I've realized that the same effect can likely
be achieved using the virtual provider mechanism. If this approach would be
preferred I'm happy to whip up a prototype.
Comments and input would be appreciated.
Regards,
- Philip
Signed-off-by: Philip Tricca <flihp at twobit.us>
---
.../packagegroups/packagegroup-selinux-minimal.bb | 3 +--
recipes-security/refpolicy/refpolicy_2.20130424.bb | 16 ++++++++++++++++
recipes-security/selinux/selinux-config_0.1.bb | 4 ++--
3 files changed, 19 insertions(+), 4 deletions(-)
create mode 100644 recipes-security/refpolicy/refpolicy_2.20130424.bb
diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
index 072320d..af29da1 100644
--- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
+++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
@@ -13,6 +13,5 @@ ALLOW_EMPTY_${PN} = "1"
RDEPENDS_${PN} = "\
policycoreutils-semodule \
policycoreutils-sestatus \
- selinux-config \
- refpolicy-mls \
+ refpolicy \
"
diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.bb b/recipes-security/refpolicy/refpolicy_2.20130424.bb
new file mode 100644
index 0000000..f1fa2f8
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy_2.20130424.bb
@@ -0,0 +1,16 @@
+SUMMARY = "The SELinux reference policy."
+DESCRIPTION = "\
+This is the reference policy for the SELinux mandatory access control \
+system. There are 3 supported policy types: standard, MCS and MLS. The \
+standard policy is the most simple of the three providing the standard \
+type enforcement policy. The MCS policy adds an additional element to the \
+SELinux label called a category. Finally the MLS variant allows giving data \
+labels such as \"Top Secret\" and preventing such data from leaking to \
+processes or files with lower classification. \
+"
+
+PR = "r0"
+POLICY_TYPE ??= "mls"
+RDEPENDS_${PN} = "selinux-config"
+
+include refpolicy_${PV}.inc
diff --git a/recipes-security/selinux/selinux-config_0.1.bb b/recipes-security/selinux/selinux-config_0.1.bb
index 27d9995..066581e 100644
--- a/recipes-security/selinux/selinux-config_0.1.bb
+++ b/recipes-security/selinux/selinux-config_0.1.bb
@@ -1,4 +1,4 @@
-DEFAULT_POLICY = "mls"
+POLICY_TYPE ??= "mls"
SUMMARY = "SELinux configuration"
DESCRIPTION = "\
@@ -45,7 +45,7 @@ SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# standard - Standard Security protection.
# mls - Multi Level Security protection.
-SELINUXTYPE=${DEFAULT_POLICY}
+SELINUXTYPE=${POLICY_TYPE}
" > ${WORKDIR}/config
install -d ${D}/${sysconfdir}/selinux
install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
--
1.7.10.4
More information about the yocto
mailing list