[yocto] [meta-selinux][PATCH 2/3] Integrate selinux-config into refpolicy_common.
Philip Tricca
flihp at twobit.us
Sun Apr 3 17:21:34 PDT 2016
With the virtual package there's no need for a separate recipe to build
the config. This can be generated and included as part of the policy
package.
Signed-off-by: Philip Tricca <flihp at twobit.us>
---
.../packagegroups/packagegroup-core-selinux.bb | 1 -
.../packagegroups/packagegroup-selinux-minimal.bb | 1 -
recipes-security/refpolicy/refpolicy_common.inc | 30 ++++++++++++++--
recipes-security/selinux/selinux-config_0.1.bb | 40 ----------------------
4 files changed, 28 insertions(+), 44 deletions(-)
delete mode 100644 recipes-security/selinux/selinux-config_0.1.bb
diff --git a/recipes-security/packagegroups/packagegroup-core-selinux.bb b/recipes-security/packagegroups/packagegroup-core-selinux.bb
index 62c5a76..c6d22b7 100644
--- a/recipes-security/packagegroups/packagegroup-core-selinux.bb
+++ b/recipes-security/packagegroups/packagegroup-core-selinux.bb
@@ -22,7 +22,6 @@ RDEPENDS_${PN} = " \
packagegroup-selinux-policycoreutils \
setools \
setools-console \
- selinux-config \
selinux-autorelabel \
selinux-init \
selinux-labeldev \
diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
index 87ae686..451ae8b 100644
--- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
+++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
@@ -21,7 +21,6 @@ RDEPENDS_${PN} = "\
policycoreutils-semodule \
policycoreutils-sestatus \
policycoreutils-setfiles \
- selinux-config \
selinux-labeldev \
virtual/refpolicy \
"
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index ba887e4..305675f 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -1,3 +1,5 @@
+DEFAULT_ENFORCING ??= "enforcing"
+
SECTION = "base"
LICENSE = "GPLv2"
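Review bot: `DEFAULT_ENFORCING` is added at the top of this file with no comment on its accepted values, and the `install_config` function added further down writes it verbatim into `${sysconfdir}/selinux/config`. A misspelt override in a distro or local configuration would still build, and the boot-time mode would then depend on how the policy loader treats an unrecognised `SELINUX=` value, which may not be enforcing. I would add `# Boot-time SELinux mode for /etc/selinux/config: enforcing, permissive or disabled.` above the assignment. I would also fail the build on anything else at the start of `install_config`, e.g. `case "${DEFAULT_ENFORCING}" in enforcing|permissive|disabled) ;; *) bbfatal "invalid DEFAULT_ENFORCING: ${DEFAULT_ENFORCING}" ;; esac`.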
@@ -14,7 +16,8 @@ SRC_URI += "file://customizable_types \
S = "${WORKDIR}/refpolicy"
-FILES_${PN} = " \
+CONFFILES_${PN} += "${sysconfdir}/selinux/config"
+FILES_${PN} += " \
${sysconfdir}/selinux/${POLICY_NAME}/ \
${datadir}/selinux/${POLICY_NAME}/*.pp \
${localstatedir}/lib/selinux/${POLICY_NAME}/ \
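Review bot: Nothing in the visible part of this list names `${sysconfdir}/selinux/config`, so the file declared in `CONFFILES_${PN}` appears to be packaged only because `+=` now keeps the default `FILES_${PN}` patterns. That also means every other default pattern applies to this package from now on, which is a wider change than the description mentions. Listing the file explicitly, `${sysconfdir}/selinux/config \`, would make the intent clear. The list continues past the end of this hunk, so this should be checked against the remaining entries.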
@@ -25,7 +28,6 @@ FILES_${PN}-dev =+ " \
"
DEPENDS += "checkpolicy-native policycoreutils-native m4-native"
-RDEPENDS_${PN} += "selinux-config"
PACKAGE_ARCH = "${MACHINE_ARCH}"
@@ -137,13 +139,37 @@ install_misc_files () {
oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install-headers
}
+install_config () {
+ echo "\
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+# enforcing - SELinux security policy is enforced.
+# permissive - SELinux prints warnings instead of enforcing.
+# disabled - No SELinux policy is loaded.
+SELINUX=${DEFAULT_ENFORCING}
+# SELINUXTYPE= can take one of these values:
+# standard - Standard Security protection.
+# mls - Multi Level Security protection.
+# targeted - Targeted processes are protected.
+# mcs - Multi Category Security protection.
+SELINUXTYPE=${POLICY_TYPE}
+" > ${WORKDIR}/config
+ install -d ${D}/${sysconfdir}/selinux
+ install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
+}
+
do_install () {
prepare_policy_store
rebuild_policy
install_misc_files
+ install_config
}
do_install_append(){
# While building policies on target, Makefile will be searched from SELINUX_DEVEL_PATH
echo "SELINUX_DEVEL_PATH=${datadir}/selinux/${POLICY_NAME}/include" > ${D}${sysconfdir}/selinux/sepolgen.conf
}
+
+sysroot_stage_all_append () {
+ sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
+}
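Review bot: `install_config` writes `SELINUXTYPE=${POLICY_TYPE}`, while the policy store in this file is packaged under `${sysconfdir}/selinux/${POLICY_NAME}/` and `do_install_append` also uses `POLICY_NAME`. `SELINUXTYPE` is the directory name looked up under `/etc/selinux`, so if a recipe ever sets the two variables differently the generated config points at a policy that is not installed, and the system may come up without a loaded policy. `POLICY_TYPE` is not defined in any visible hunk, so I cannot confirm the two always match. Using `SELINUXTYPE=${POLICY_NAME}` would keep the config and the installed path tied together.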
diff --git a/recipes-security/selinux/selinux-config_0.1.bb b/recipes-security/selinux/selinux-config_0.1.bb
deleted file mode 100644
index e902e98..0000000
--- a/recipes-security/selinux/selinux-config_0.1.bb
+++ /dev/null
@@ -1,40 +0,0 @@
-DEFAULT_ENFORCING ??= "enforcing"
-
-SUMMARY = "SELinux configuration"
-DESCRIPTION = "\
-SELinux configuration files for Yocto. \
-"
-
-SECTION = "base"
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-PR = "r4"
-
-S = "${WORKDIR}"
-
-CONFFILES_${PN} += "${sysconfdir}/selinux/config"
-
-PACKAGE_ARCH = "${MACHINE_ARCH}"
-
-do_install () {
- echo "\
-# This file controls the state of SELinux on the system.
-# SELINUX= can take one of these three values:
-# enforcing - SELinux security policy is enforced.
-# permissive - SELinux prints warnings instead of enforcing.
-# disabled - No SELinux policy is loaded.
-SELINUX=${DEFAULT_ENFORCING}
-# SELINUXTYPE= can take one of these values:
-# standard - Standard Security protection.
-# mls - Multi Level Security protection.
-# targeted - Targeted processes are protected.
-# mcs - Multi Category Security protection.
-SELINUXTYPE=${@d.getVar("PREFERRED_PROVIDER_virtual/refpolicy", False)[len("refpolicy-"):]}
-" > ${WORKDIR}/config
- install -d ${D}/${sysconfdir}/selinux
- install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
-}
-
-sysroot_stage_all_append () {
- sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
-}
--
2.1.4