[v5,09/24] busybox: selinux support

From: Matt Weber <matthew.weber@rockwellcollins.com>

Add a configure option to enable the SELinux support in the
busybox configuration from the Buildroot menuconfig.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>

---
Changes v4 -> v5:
  - Renamed to follow patch naming convention (Matt W.)
  - Added a dependency on having threads for the busybox SELinux flag to
    ensure it does not cause libselinux to build when threads are not
    available. Also added a select for libselinux to make the linking
    apparent. (Clayton S.)
 - Add dependency on not static libs for libselinux (Clayton S.)

Changes v1 -> v4:
  - Did not exist
---
 ...ags-strip-non-l-arguments-returned-by-pkg.patch | 28 ++++++++++++++++++++++
 package/busybox/Config.in                          |  6 +++++
 package/busybox/busybox.mk                         |  9 +++++++
 3 files changed, 43 insertions(+)
 create mode 100644 package/busybox/0008-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch

Hi Clayton,

On Wed, May 13, 2015 at 11:39 PM, Clayton Shotwell
<clayton.shotwell@rockwellcollins.com> wrote:
> From: Matt Weber <matthew.weber@rockwellcollins.com>
>
> Add a configure option to enable the SELinux support in the
> busybox configuration from the Buildroot menuconfig.
>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
> Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
>
[...]
> diff --git a/package/busybox/Config.in b/package/busybox/Config.in
> index 275e317..a60c54b 100644
> --- a/package/busybox/Config.in
> +++ b/package/busybox/Config.in
> @@ -35,6 +35,12 @@ comment "Busybox individual binaries depends on dynamic libraries"
>         depends on BR2_STATIC_LIBS
>         depends on BR2_bfin
>
> +config BR2_PACKAGE_BUSYBOX_SELINUX
> +       select BR2_PACKAGE_LIBSELINUX
> +       depends on BR2_TOOLCHAIN_HAS_THREADS
> +       depends on !BR2_STATIC_LIBS
> +       bool "Enable SELinux support"
Does not this option also need to select
BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES?

> +
>  config BR2_PACKAGE_BUSYBOX_WATCHDOG
>         bool "Install the watchdog daemon startup script"
>         help
> diff --git a/package/busybox/busybox.mk b/package/busybox/busybox.mk
> index dbee100..f60e3f2 100644
> --- a/package/busybox/busybox.mk
> +++ b/package/busybox/busybox.mk
> @@ -171,6 +171,14 @@ define BUSYBOX_INSTALL_INDIVIDUAL_BINARIES
>  endef
>  endif
>
> +ifeq ($(BR2_PACKAGE_BUSYBOX_SELINUX),y)
> +BUSYBOX_DEPENDENCIES += host-pkgconf libselinux libsepol
> +define BUSYBOX_SET_SELINUX
> +       $(call KCONFIG_ENABLE_OPT,CONFIG_SELINUX,$(BUSYBOX_BUILD_CONFIG))
> +       $(call KCONFIG_ENABLE_OPT,CONFIG_SELINUXENABLED,$(BUSYBOX_BUILD_CONFIG))
> +endef
> +endif
> +
>  define BUSYBOX_INSTALL_LOGGING_SCRIPT
>         if grep -q CONFIG_SYSLOGD=y $(@D)/.config; then \
>                 $(INSTALL) -m 0755 -D package/busybox/S01logging \
> @@ -207,6 +215,7 @@ define BUSYBOX_KCONFIG_FIXUP_CMDS
>         $(BUSYBOX_SET_INIT)
>         $(BUSYBOX_SET_WATCHDOG)
>         $(BUSYBOX_CONFIGURE_INDIVIDUAL_BINARIES)
> +       $(BUSYBOX_SET_SELINUX)
>  endef
>
>  define BUSYBOX_CONFIGURE_CMDS
> --
> 1.9.1
>
> _______________________________________________
> buildroot mailing list
> buildroot@busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

Regards,

Samuel,

On Fri, May 15, 2015 at 1:22 AM, Samuel Martin <s.martin49@gmail.com> wrote:
> Hi Clayton,
>
> On Wed, May 13, 2015 at 11:39 PM, Clayton Shotwell
> <clayton.shotwell@rockwellcollins.com> wrote:
>> From: Matt Weber <matthew.weber@rockwellcollins.com>
>>
>> Add a configure option to enable the SELinux support in the
>> busybox configuration from the Buildroot menuconfig.
>>
>> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
>> Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
>> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
>>
> [...]
>> diff --git a/package/busybox/Config.in b/package/busybox/Config.in
>> index 275e317..a60c54b 100644
>> --- a/package/busybox/Config.in
>> +++ b/package/busybox/Config.in
>> @@ -35,6 +35,12 @@ comment "Busybox individual binaries depends on dynamic libraries"
>>         depends on BR2_STATIC_LIBS
>>         depends on BR2_bfin
>>
>> +config BR2_PACKAGE_BUSYBOX_SELINUX
>> +       select BR2_PACKAGE_LIBSELINUX
>> +       depends on BR2_TOOLCHAIN_HAS_THREADS
>> +       depends on !BR2_STATIC_LIBS
>> +       bool "Enable SELinux support"
> Does not this option also need to select
> BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES?

Those features are not necessarily dependent, it mostly depends on
what parts of busybox are being used. For instance, if a configuration
only used a couple of minor busybox features, such as simple command
line utilities, the symlinked version of busybox could be used to save
space. If busybox was providing more features, such as crond, then
individual binaries would have to be enabled for the SELinux type
transitions to occur properly. I would like to leave that up to the
individual user to enable the individual binaries as needed.

Thanks,
Clayton

Dear Clayton Shotwell,

On Mon, 18 May 2015 09:14:54 -0500, Clayton Shotwell wrote:

> >> +config BR2_PACKAGE_BUSYBOX_SELINUX
> >> +       select BR2_PACKAGE_LIBSELINUX
> >> +       depends on BR2_TOOLCHAIN_HAS_THREADS
> >> +       depends on !BR2_STATIC_LIBS
> >> +       bool "Enable SELinux support"
> > Does not this option also need to select
> > BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES?
> 
> Those features are not necessarily dependent, it mostly depends on
> what parts of busybox are being used. For instance, if a configuration
> only used a couple of minor busybox features, such as simple command
> line utilities, the symlinked version of busybox could be used to save
> space. If busybox was providing more features, such as crond, then
> individual binaries would have to be enabled for the SELinux type
> transitions to occur properly. I would like to leave that up to the
> individual user to enable the individual binaries as needed.

Then exactly this needs to be copy/pasted in the help text of this
option :-)

Thomas

Thomas,

On Mon, May 18, 2015 at 9:30 AM, Thomas Petazzoni
<thomas.petazzoni@free-electrons.com> wrote:
> Dear Clayton Shotwell,
>
> On Mon, 18 May 2015 09:14:54 -0500, Clayton Shotwell wrote:
>
>> >> +config BR2_PACKAGE_BUSYBOX_SELINUX
>> >> +       select BR2_PACKAGE_LIBSELINUX
>> >> +       depends on BR2_TOOLCHAIN_HAS_THREADS
>> >> +       depends on !BR2_STATIC_LIBS
>> >> +       bool "Enable SELinux support"
>> > Does not this option also need to select
>> > BR2_PACKAGE_BUSYBOX_INDIVIDUAL_BINARIES?
>>
>> Those features are not necessarily dependent, it mostly depends on
>> what parts of busybox are being used. For instance, if a configuration
>> only used a couple of minor busybox features, such as simple command
>> line utilities, the symlinked version of busybox could be used to save
>> space. If busybox was providing more features, such as crond, then
>> individual binaries would have to be enabled for the SELinux type
>> transitions to occur properly. I would like to leave that up to the
>> individual user to enable the individual binaries as needed.
>
> Then exactly this needs to be copy/pasted in the help text of this
> option :-)

Good point. I'll add that in there.

Thanks,
Clayton