[yocto] [meta-selinux][PATCH 3/3] refpolicy_common: Sanity test DEFAULT_ENFORCING value and set default.
Philip Tricca
flihp at twobit.us
Sun Apr 3 17:21:35 PDT 2016
Use the anonymous python function to be sure the value set for
'SELINUX' in the config file is something useful. In the event that
DEFAULT_ENFORCING isn't set to one of the 3 permissible values we
set it to 'permissive'.
Signed-off-by: Philip Tricca <flihp at twobit.us>
---
recipes-security/refpolicy/refpolicy_common.inc | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 305675f..10e972d 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -66,6 +66,16 @@ EXTRA_OEMAKE += "tc_usrbindir=${STAGING_BINDIR_NATIVE}"
EXTRA_OEMAKE += "OUTPUT_POLICY=`${STAGING_BINDIR_NATIVE}/checkpolicy -V | cut -d' ' -f1`"
EXTRA_OEMAKE += "CC='${BUILD_CC}' CFLAGS='${BUILD_CFLAGS}' PYTHON='${PYTHON}'"
+python __anonymous () {
+ import re
+
+ # make sure DEFAULT_ENFORCING is something sane
+ if not re.match('^(enforcing|permissive|disabled)$',
+ d.getVar('DEFAULT_ENFORCING', True),
+ flags=0):
+ d.setVar('DEFAULT_ENFORCING', 'permissive')
+}
+
do_compile() {
oe_runmake conf
oe_runmake policy
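Review bot: the fallback at `d.setVar('DEFAULT_ENFORCING', 'permissive')` is silent, so a mis-cased or misspelled 'enforcing' produces a permissive image with nothing in the build log to show that the requested mode was rejected. Emit `bb.warn(...)` naming the rejected value before overriding it, or `bb.fatal(...)` if a bad value should stop the build. Separately, `d.getVar('DEFAULT_ENFORCING', True)` returns None when the variable is unset, and passing None to `re.match` raises a TypeError, so unless a default is assigned elsewhere in the file the call needs a guard such as `d.getVar('DEFAULT_ENFORCING', True) or ''`. A plain membership test against the three strings would also stop `$` from accepting a trailing newline and make the redundant `flags=0` unnecessary.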
--
2.1.4