From patchwork Sat May 20 20:41:43 2017
X-Patchwork-Submitter: Adam Duskett
X-Patchwork-Id: 764994
From: Adam Duskett
To: buildroot@buildroot.org
Cc: Adam Duskett
Date: Sat, 20 May 2017 16:41:43 -0400
Message-Id: <20170520204143.18154-3-Adamduskett@outlook.com>
In-Reply-To: <20170520204143.18154-1-Adamduskett@outlook.com>
References: <20170520204143.18154-1-Adamduskett@outlook.com>
Subject: [Buildroot] [PATCH v4 3/3] refpolicy: add ability to set default state.

SELinux requires a config file in /etc/selinux which controls the state
of SELinux on the system.

This config file has two options set in it:
SELINUX which sets the state of selinux on boot.
SELINUXTYPE which should equal the name of the policy. In this case, the
default name is targeted.

This patch adds:
- A choice menu on Config.in that allows the user to select a default
  SELinux state.
- A basic config file that will be installed to target/etc/selinux and will
  set SELINUX= to the selected state.

Signed-off-by: Adam Duskett
Acked-by: Matt Weber
---
Changes v3 -> v4:
  - Removed a trailing newline in refpolicy/config
  - Removed cover letter from patch set.

Changes v2 -> v3:
  - No changes.

Changes v1 -> v2:
  - Added cover letter explaining the new patch set.

 package/refpolicy/Config.in    | 26 ++++++++++++++++++++++++++
 package/refpolicy/config       |  8 ++++++++
 package/refpolicy/refpolicy.mk |  6 ++++++
 3 files changed, 40 insertions(+)
 create mode 100644 package/refpolicy/config

diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in index 9d4e0e6..3eb2a7f 100644 --- a/package/refpolicy/Config.in +++ b/package/refpolicy/Config.in 
@@ -42,4 +42,30 @@ config BR2_PACKAGE_REFPOLICY_VERSION string "Policy version" default "30" +choice + prompt "SELinux default state" + default BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE + +config BR2_PACKAGE_REFPOLICY_STATE_ENFORCING + bool "Enforcing" + help + SELinux security policy is enforced + +config BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE + bool "Permissive" + help + SELinux prints warnings instead of enforcing + +config BR2_PACKAGE_REFPOLICY_STATE_DISABLED + bool "Disabled" + help + No SELinux policy is loaded +endchoice + +config BR2_PACKAGE_REFPOLICY_STATE + string + default "permissive" if BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE + default "enforcing" if BR2_PACKAGE_REFPOLICY_STATE_ENFORCING + default "disabled" if BR2_PACKAGE_REFPOLICY_STATE_DISABLED + endif diff --git a/package/refpolicy/config b/package/refpolicy/config new file mode 100644 index 0000000..087297c --- /dev/null +++ b/package/refpolicy/config @@ -0,0 +1,8 @@ +# This file controls the state of SELinux on the system. +# SELINUX= can take one of these three values: +# enforcing - SELinux security policy is enforced. +# permissive - SELinux prints warnings instead of enforcing. +# disabled - No SELinux policy is loaded. +SELINUX=disabled + +SELINUXTYPE=targeted diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk index fa02b5a..94a0cf8 100644 --- a/package/refpolicy/refpolicy.mk +++ b/package/refpolicy/refpolicy.mk @@ -23,6 +23,7 @@ REFPOLICY_DEPENDENCIES += \ policycoreutils REFPOLICY_PYINC = -I$(HOST_DIR)/usr/include/python$(PYTHON_VERSION_MAJOR)/site-packages +REFPOLICY_NAME = "targeted" # Cannot use multiple threads to build the reference policy REFPOLICY_MAKE = \ 
@@ -48,6 +49,11 @@ endef define REFPOLICY_INSTALL_TARGET_CMDS $(REFPOLICY_MAKE) -C $(@D) install DESTDIR=$(TARGET_DIR) + $(INSTALL) -m 0755 -D package/refpolicy/config \ + $(TARGET_DIR)/etc/selinux/config + + $(SED) "/^SELINUX=/c\SELINUX=$(BR2_PACKAGE_REFPOLICY_STATE)" \ + $(TARGET_DIR)/etc/selinux/config endef $(eval $(generic-package))
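
Review bot: In the package/refpolicy/Config.in hunk the choice defaults to BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE, and the help strings do not make clear that "Enforcing" is the only option under which the policy actually blocks anything. Consider expanding the Permissive help to say that denials are logged but not blocked, so a user who accepts the default knows the image ships without enforcement, and say in the commit message why permissive was chosen as the default.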
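
Review bot: The new package/refpolicy/config template hard-codes SELINUX=disabled while the Config.in choice defaults to permissive, so the installed file carries the selected state only if the later $(SED) rewrite in refpolicy.mk runs and matches. Shipping the template with the same value as the Kconfig default, or with an obvious placeholder, would keep a missed substitution from silently producing a disabled system. SELINUXTYPE=targeted is also a literal here even though the same patch introduces REFPOLICY_NAME in refpolicy.mk.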
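
Review bot: In the first package/refpolicy/refpolicy.mk hunk, REFPOLICY_NAME = "targeted" keeps the double quotes as part of the make variable's value, and nothing in the lines shown references the variable. Drop the quotes (REFPOLICY_NAME = targeted) and either use it where the policy name is needed, for example to fill SELINUXTYPE in the installed config, or leave it out of this patch.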
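
Review bot: In the REFPOLICY_INSTALL_TARGET_CMDS hunk of package/refpolicy/refpolicy.mk, $(INSTALL) -m 0755 marks /etc/selinux/config executable although it is a plain configuration file; -m 0644 is the appropriate mode. Separately, $(BR2_PACKAGE_REFPOLICY_STATE) is a Kconfig string and still carries its double quotes when expanded, so the $(SED) expression works only because those quotes close and reopen the shell quoting around it; wrapping the value in $(call qstrip,...) would make the substitution explicit.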