@@ -32,6 +32,7 @@ F: package/vulkan-loader/
F: package/vulkan-tools/
N: Adam Duskett <adam.duskett@amarulasolutions.com>
+F: package/busybox/selinux/
F: package/depot-tools/
F: package/flutter-engine/
F: package/flutter-gallery/
new file mode 100644
@@ -0,0 +1 @@
+/lib/libbusybox* -- gen_context(system_u:object_r:lib_t,s0)
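Review bot: The pattern `/lib/libbusybox*` will not label the shared library it is meant for, because file_contexts entries are anchored regular expressions rather than shell globs — here `*` quantifies only the preceding `x`, so `/lib/libbusybox.so.1.36.0` does not match and stays at the default label. The usual refpolicy form is `/lib/libbusybox.*	--	gen_context(system_u:object_r:lib_t,s0)`, or a tighter `/lib/libbusybox\.so(\.[^/]*)*` if only the .so chain should be covered. Worth confirming on a target with `matchpathcon` after `restorecon` that the library actually picks up lib_t.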
new file mode 100644
@@ -0,0 +1 @@
+## <summary>Buildroot busybox rules</summary>
new file mode 100644
@@ -0,0 +1,16 @@
+policy_module(buildroot-busybox, 1.0.0)
+
+#============= init_tmpfs_t ==============
+allow init_tmpfs_t self:file { lock open read write };
+
+#============= getty_t ==============
+allow getty_t local_login_t:file { lock open read write };
+allow getty_t local_login_t:process { noatsecure rlimitinh siginh };
+allow getty_t security_t:filesystem getattr;
+allow getty_t selinux_config_t:dir search;
+
+#============= local_login_t ==============
+allow local_login_t device_t:chr_file { getattr setattr };
+allow local_login_t shadow_t:file { getattr open read };
+allow local_login_t sysadm_t:process { noatsecure siginh rlimitinh };
+
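Review bot: The .te references getty_t, local_login_t, shadow_t and the other base-policy types without a `gen_require` block, so unless Buildroot's policy build injects requires, checkmodule should reject the module with the types being out of scope; the fix is a require block after the `policy_module` line, as below. Separately, `allow local_login_t device_t:chr_file { getattr setattr }` grants chown/chmod on every character device still carrying the generic device_t label, which suggests the console node is not being labeled as a tty on this system; relabeling the tty so the existing refpolicy term rules apply would be a narrower fix than this rule. The raw allow rules here also bypass the refpolicy interfaces that normally express this access (e.g. the shadow_t read), which is a style point worth a follow-up.
```selinux
policy_module(buildroot-busybox, 1.0.0)

gen_require(`
	type init_tmpfs_t, getty_t, local_login_t;
	type security_t, selinux_config_t, device_t;
	type shadow_t, sysadm_t;
')

# … unchanged: allow rules …
```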
This is a minimal selinux policy required to run busybox in enforcing mode without denials. It is based on the applets that Buildroot selects by default. Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com> --- DEVELOPERS | 1 + package/busybox/selinux/buildroot-busybox.fc | 1 + package/busybox/selinux/buildroot-busybox.if | 1 + package/busybox/selinux/buildroot-busybox.te | 16 ++++++++++++++++ 4 files changed, 19 insertions(+) create mode 100644 package/busybox/selinux/buildroot-busybox.fc create mode 100644 package/busybox/selinux/buildroot-busybox.if create mode 100644 package/busybox/selinux/buildroot-busybox.te