From patchwork Thu Jan 7 13:53:04 2021
From: Maxime Chevallier
To: buildroot@buildroot.org
Cc: Antoine Tenart, Thomas Petazzoni, Maxime Chevallier
Date: Thu, 7 Jan 2021 14:53:04 +0100
Message-Id: <20210107135307.1762186-1-maxime.chevallier@bootlin.com>
Subject: [Buildroot] [PATCH 0/3] refpolicy: Allow booting without denied actions

Following the refpolicy support recently added, this series adds support for booting basic systems using SELinux, with a first batch of fixes allowing a clean boot without denied actions. Some remaining issues are left to be fixed in order to boot in Enforcing mode.

Most of the series adds the missing rules in the refpolicy for Buildroot to be supported. An ongoing effort is currently being made to upstream as many of these rules as possible in the refpolicy itself, and some of these fixes are already there, waiting for the next release. Some other fixes are still being discussed, and finally some are waiting to be better analysed in order to find the correct solution for upstreaming in the refpolicy.

Still, this series adds patches that apply onto the refpolicy to fix ongoing issues, along with a buildroot SELinux module to fix some rules that need to be analysed and upstreamed, being specific to embedded systems.

Finally, the last patch adds a check for the number of denied actions in the bootlog for the 2 testcases currently existing for SELinux, while still using the Permissive mode.

These patches and the module are due to evolve, hopefully becoming thinner and thinner until we can use the vanilla refpolicy.

Thanks to Antoine Tenart for initiating this work and doing the heavy lifting.

Thanks,

Maxime

Maxime Chevallier (3):
  package/refpolicy: Add patches pending the next release
  package/refpolicy: Add a buildroot module
  support/testing: improve SELinux test

 .../refpolicy/0001-pending-next-release.patch       | 673 ++++++++++++++++++
 ...-private-type-for-run-systemd-userdb.patch       | 130 ++++
 .../0003-authlogin-connect-to-userdb.patch          |  92 +++
 ...0004-systemd-logind-utilize-nsswitch.patch       |  33 +
 ...0005-getty-utilize-auth_use_nsswitch.patch       |  40 ++
 ...d-tmpfiles-utilize-auth_use_nsswitch.patch       |  32 +
 .../refpolicy/0007-first-udevadm-patch.patch        | 130 ++++
 ...ing-Fixes-for-Buildroot-to-boot-in-e.patch       | 190 +++++
 .../refpolicy/selinux-modules/buildroot.fc          |   0
 .../refpolicy/selinux-modules/buildroot.if          |   1 +
 .../refpolicy/selinux-modules/buildroot.te          | 121 ++++
 .../tests/init/test_systemd_selinux.py              |   6 +
 12 files changed, 1448 insertions(+)
 create mode 100644 package/refpolicy/0001-pending-next-release.patch
 create mode 100644 package/refpolicy/0002-systemd-private-type-for-run-systemd-userdb.patch
 create mode 100644 package/refpolicy/0003-authlogin-connect-to-userdb.patch
 create mode 100644 package/refpolicy/0004-systemd-logind-utilize-nsswitch.patch
 create mode 100644 package/refpolicy/0005-getty-utilize-auth_use_nsswitch.patch
 create mode 100644 package/refpolicy/0006-systemd-tmpfiles-utilize-auth_use_nsswitch.patch
 create mode 100644 package/refpolicy/0007-first-udevadm-patch.patch
 create mode 100644 package/refpolicy/0008-pending-upstreaming-Fixes-for-Buildroot-to-boot-in-e.patch
 create mode 100644 package/refpolicy/selinux-modules/buildroot.fc
 create mode 100644 package/refpolicy/selinux-modules/buildroot.if
 create mode 100644 package/refpolicy/selinux-modules/buildroot.te
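The last patch in the series counts denied actions in the boot log of a Permissive-mode SELinux system. The following is an added example, not code from the series or from Buildroot's test suite, showing how such "avc: denied" lines are parsed and collapsed to the (scontext, tcontext, tclass, permissions) tuple at which a policy rule would fix them; the boot log lines, process names and contexts are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample boot log (not taken from the patch series). In Permissive
# mode every denial is logged with "permissive=1" but the action still succeeds.
SAMPLE_BOOTLOG = """\
[    1.234567] audit: type=1400 audit(1610027584.123:4): avc:  denied  { read } for  pid=215 comm="systemd-udevd" name="uevent" dev="sysfs" ino=123 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
[    1.240000] systemd[1]: Started Journal Service.
[    1.300000] audit: type=1400 audit(1610027584.200:5): avc:  denied  { connectto } for  pid=230 comm="login" path="/run/systemd/userdb/io.systemd.DynamicUser" scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1
[    1.300500] audit: type=1400 audit(1610027584.201:6): avc:  denied  { read } for  pid=215 comm="systemd-udevd" name="uevent" dev="sysfs" ino=124 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
"""

# Matches the permission set and the three fields that identify a denial.
AVC_DENIED_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc_denials(log):
    """Return one dict per 'avc: denied' line found in the log text."""
    denials = []
    for line in log.splitlines():
        m = AVC_DENIED_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d['perms'] = tuple(sorted(d['perms'].split()))
        d['permissive'] = 'permissive=1' in line
        denials.append(d)
    return denials

def count_denials(log):
    """Total number of denied actions, which is what a boot test would assert on."""
    return len(parse_avc_denials(log))

def summarize_denials(log):
    """Collapse repeated denials into (scontext, tcontext, tclass, perms) -> count,
    the granularity at which one allow rule in the policy would resolve them."""
    c = Counter()
    for d in parse_avc_denials(log):
        c[(d['scontext'], d['tcontext'], d['tclass'], d['perms'])] += 1
    return dict(c)

def check_boot_clean(log, max_denials=0):
    """True when the boot log shows at most max_denials AVC denials."""
    return count_denials(log) <= max_denials
```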