
[PATCH/next,v2,3/4] package/openrc: add libselinux support

Message ID 20200301151747.25723-4-unixmania@gmail.com
State Superseded
Series openrc: bump to version 0.42.1

Commit Message

Carlos Santos March 1, 2020, 3:17 p.m. UTC
From: Adam Duskett <Aduskett@gmail.com>

If the libselinux package is selected, add the package to the dependency list
and explicitly set OPENRC_MAKE_OPTS += MKSELINUX=yes

Signed-off-by: Adam Duskett <Aduskett@gmail.com>
Signed-off-by: Carlos Santos <unixmania@gmail.com>
---
 package/openrc/openrc.mk | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

Comments

Yann E. MORIN March 11, 2020, 5:26 p.m. UTC | #1
Carlos, All,

On 2020-03-01 12:17 -0300, unixmania@gmail.com spake thusly:
> From: Adam Duskett <Aduskett@gmail.com>
> 
> If the libselinux package is selected, add the package to the dependency list
> and explicitly set OPENRC_MAKE_OPTS += MKSELINUX=yes

This SELinux stuff has always been a bit boo-I-don't-want-to-touch for
me, because it looks overly complex, so just adding the dependency
without explanations on how openrc uses/fits with SELinux is a bit too
much for me to handle, so I defer to a SELinux-knowledgeable maintainer
to look at it...

Regards,
Yann E. MORIN.

> Signed-off-by: Adam Duskett <Aduskett@gmail.com>
> Signed-off-by: Carlos Santos <unixmania@gmail.com>
> ---
>  package/openrc/openrc.mk | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/package/openrc/openrc.mk b/package/openrc/openrc.mk
> index 6057451bfe..97536dad37 100644
> --- a/package/openrc/openrc.mk
> +++ b/package/openrc/openrc.mk
> @@ -18,7 +18,6 @@ OPENRC_MAKE_OPTS = \
>  	LIBNAME=lib \
>  	LIBEXECDIR=/usr/libexec/rc \
>  	MKPKGCONFIG=no \
> -	MKSELINUX=no \
>  	MKSYSVINIT=yes \
>  	BRANDING="Buildroot $(BR2_VERSION_FULL)" \
>  	CC=$(TARGET_CC)
> @@ -29,6 +28,13 @@ else
>  OPENRC_MAKE_OPTS += MKSTATICLIBS=yes
>  endif
>  
> +ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
> +OPENRC_MAKE_OPTS += MKSELINUX=yes
> +OPENRC_DEPENDENCIES += libselinux
> +else
> +OPENRC_MAKE_OPTS += MKSELINUX=no
> +endif
> +
>  define OPENRC_BUILD_CMDS
>  	$(MAKE) $(OPENRC_MAKE_OPTS) -C $(@D)
>  endef
> -- 
> 2.18.2
> 
Yann E. MORIN March 11, 2020, 5:35 p.m. UTC | #2
Carlos, Adam, All,

On 2020-03-11 18:26 +0100, Yann E. MORIN spake thusly:
> On 2020-03-01 12:17 -0300, unixmania@gmail.com spake thusly:
> > From: Adam Duskett <Aduskett@gmail.com>
> > If the libselinux package is selected, add the package to the dependency list
> > and explicitly set OPENRC_MAKE_OPTS += MKSELINUX=yes
> 
> This SELinux stuff has always been a bit boo-I-don't-want-to-touch for
> me, because it looks overly complex, so just adding the dependency
> without explanations on how openrc uses/fits with SELinux is a bit too
> much for me to handle, so I defer to a SELinux-knowledgeable maintainer
> to look at it...

What I forgot to say above the current commit log, is that it is not
that helpful: it just repeats in English what the patch does, which is
anyway already pretty trivial to see... What a commit log should say, is
why the patch exists, and how the patch works.

Totally hypothetical commit log:

    package/openrc: add libselinux support

    OpenRC has support for SELinux contexts, but we currently forcibly
    disable it.

    When SELinux is enabled, we know a policy will be installed, so we
    can enable SELinux support in OpenRC.

    Signed-off-by: you
    Signed-off-by: the other

Regards,
Yann E. MORIN.
Carlos Santos April 16, 2020, 2:20 a.m. UTC | #3
On Wed, Mar 11, 2020 at 2:26 PM Yann E. MORIN <yann.morin.1998@free.fr> wrote:
>
> Carlos, All,
>
> On 2020-03-01 12:17 -0300, unixmania@gmail.com spake thusly:
> > From: Adam Duskett <Aduskett@gmail.com>
> >
> > If the libselinux package is selected, add the package to the dependency list
> > and explicitly set OPENRC_MAKE_OPTS += MKSELINUX=yes
>
> This SELinux stuff has always been a bit boo-I-don't-want-to-touch for
> me, because it looks overly complex, so just adding the dependency
> without explanations on how openrc uses/fits with SELinux is a bit too
> much for me to handle, so I defer to a SELinux-knowledgeable maintainer
> to look at it...

I tested it.
Carlos Santos April 16, 2020, 2:41 a.m. UTC | #4
On Wed, Mar 11, 2020 at 2:35 PM Yann E. MORIN <yann.morin.1998@free.fr> wrote:
>
> Carlos, Adam, All,
>
> On 2020-03-11 18:26 +0100, Yann E. MORIN spake thusly:
> > On 2020-03-01 12:17 -0300, unixmania@gmail.com spake thusly:
> > > From: Adam Duskett <Aduskett@gmail.com>
> > > If the libselinux package is selected, add the package to the dependency list
> > > and explicitly set OPENRC_MAKE_OPTS += MKSELINUX=yes
> >
> > This SELinux stuff has always been a bit boo-I-don't-want-to-touch for
> > me, because it looks overly complex, so just adding the dependency
> > without explanations on how openrc uses/fits with SELinux is a bit too
> > much for me to handle, so I defer to a SELinux-knowledgeable maintainer
> > to look at it...
>
> What I forgot to say above the current commit log, is that it is not
> that helpful: it just repeats in English what the patch does, which is
> anyway already pretty trivial to see... What a commit log should say, is
> why the patch exists, and how the patch works.
>
> Totally hypothetical commit log:
>
>     package/openrc: add libselinux support
>
>     OpenRC has support for SELinux contexts, but we currently forcibly
>     disable it.

OK, I will send a new patch with a better commit message and explain
how I tested it.

>     When SELinux is enabled, we know a policy will be installed, so we
>     can enable SELinux support in OpenRC.

Actually no policy is installed along with OpenRC. Enabling SELinux in
OpenRC only adds code to perform the initial policy load and set the
enforcing mode. See the security_load_policy(3) man page for
additional details.

In order to make the SELinux support useful you also need a complete
policy, currently provided by the refpolicy package, as well as the
policycoreutils (for restorecon and other utilities). I'm not sure if
those packages should be selected along with openrc (they are not
selected by systemd, for instance).

As explained in the package help, the refpolicy works for the most
part in permissive mode, only.
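
The dependency gap described in the reply above, as an added example that is not part of the original thread or of Buildroot: a shell check that flags a Buildroot .config where OpenRC would be built with MKSELINUX=yes but no policy or policy tools are selected. The symbol names BR2_PACKAGE_OPENRC, BR2_PACKAGE_REFPOLICY and BR2_PACKAGE_POLICYCOREUTILS are assumed from Buildroot's BR2_PACKAGE_<NAME> naming, and the sample configs are constructed.

```shell
#!/bin/sh
# Added example: audit a Buildroot .config for SELinux-enabled OpenRC
# without the policy packages named in the thread. Symbol names other than
# BR2_PACKAGE_LIBSELINUX are assumptions based on Buildroot naming.

# is_set FILE SYMBOL: succeeds when FILE contains the line "SYMBOL=y".
is_set() {
    grep -q "^$2=y\$" "$1"
}

# audit_selinux_openrc FILE: prints findings, returns 1 only when OpenRC
# gets MKSELINUX=yes while refpolicy and/or policycoreutils are missing.
audit_selinux_openrc() {
    cfg=$1
    missing=""
    if ! is_set "$cfg" BR2_PACKAGE_OPENRC; then
        echo "openrc not selected: nothing to check"
        return 0
    fi
    if ! is_set "$cfg" BR2_PACKAGE_LIBSELINUX; then
        echo "libselinux not selected: openrc builds with MKSELINUX=no"
        return 0
    fi
    echo "libselinux selected: openrc builds with MKSELINUX=yes"
    for sym in BR2_PACKAGE_REFPOLICY BR2_PACKAGE_POLICYCOREUTILS; do
        is_set "$cfg" "$sym" || missing="$missing $sym"
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "policy and tools selected"
    return 0
}

# Constructed sample configs (not taken from a real build).
sample_dir=$(mktemp -d)
printf '%s\n' 'BR2_PACKAGE_OPENRC=y' 'BR2_PACKAGE_LIBSELINUX=y' \
    '# BR2_PACKAGE_REFPOLICY is not set' > "$sample_dir/no-policy.config"
printf '%s\n' 'BR2_PACKAGE_OPENRC=y' 'BR2_PACKAGE_LIBSELINUX=y' \
    'BR2_PACKAGE_REFPOLICY=y' 'BR2_PACKAGE_POLICYCOREUTILS=y' \
    > "$sample_dir/full.config"

audit_selinux_openrc "$sample_dir/no-policy.config" || true
audit_selinux_openrc "$sample_dir/full.config"
```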

Patch

diff --git a/package/openrc/openrc.mk b/package/openrc/openrc.mk
index 6057451bfe..97536dad37 100644
--- a/package/openrc/openrc.mk
+++ b/package/openrc/openrc.mk
@@ -18,7 +18,6 @@  OPENRC_MAKE_OPTS = \
 	LIBNAME=lib \
 	LIBEXECDIR=/usr/libexec/rc \
 	MKPKGCONFIG=no \
-	MKSELINUX=no \
 	MKSYSVINIT=yes \
 	BRANDING="Buildroot $(BR2_VERSION_FULL)" \
 	CC=$(TARGET_CC)
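Review bot: with MKSELINUX=no dropped from the base OPENRC_MAKE_OPTS list, nothing at this spot shows that the option is still set, so a reader of the list has to find the conditional further down to learn the default. A one-line comment above the list saying that MKSELINUX is set conditionally below would make that explicit.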
@@ -29,6 +28,13 @@  else
 OPENRC_MAKE_OPTS += MKSTATICLIBS=yes
 endif
 
+ifeq ($(BR2_PACKAGE_LIBSELINUX),y)
+OPENRC_MAKE_OPTS += MKSELINUX=yes
+OPENRC_DEPENDENCIES += libselinux
+else
+OPENRC_MAKE_OPTS += MKSELINUX=no
+endif
+
 define OPENRC_BUILD_CMDS
 	$(MAKE) $(OPENRC_MAKE_OPTS) -C $(@D)
 endef
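Review bot: the new ifeq ($(BR2_PACKAGE_LIBSELINUX),y) block carries no comment on why MKSELINUX=yes follows libselinux, and the commit message only restates the change. A short comment above the block would answer the request in the thread for an explanation; going by the discussion, it could say that the option only adds the initial policy load and enforcing-mode setup, and that this dependency does not bring in a policy (refpolicy) or policycoreutils.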