[meta-selinux][RFC v2] refpolicy: Add generic refpolicy recipe and make policy type configurable.

Hey Phil,

On 13.11.13 (Wed 20:05) Philip Tricca wrote:
> This is a fix up for my previous RFC. I've cleaned up an error with some
> variable use. The intent remains the same:
>
> This RFC is a significant departure from the way the policy packages are
> currently set up. The noteworthy differences are:
> 1) the POLICY_TYPE variable can be set as configuration outside the policy
> recipe
> 2) a single refpolicy recipe can be used to build all 3 policy types
> 3) DEFAULT_POLICY from selinux-config has been changed to be the same
> POLICY_TYPE variable as the policy
> 4) refpolicy depends on the config and sets the POLICY_TYPE accordingly
>
> This approach was taken to allow the use of a policy type beyond the default
> MLS. I've left the other refpolicy-* recipes intact but if this approach is
> acceptable they could be removed if we're willing to accept the limitation
> that only one policy may be installed on a given image. If this limitation
> isn't acceptable then they can be left as is.
>
> After thinking about this a bit I've realized that the same effect can likely
> be achieved using the virtual provider mechanism. If this approach would be
> preferred I'm happy to whip up a prototype.
>
> Comments and input would be appreciated.

I've been playing with this for a bit and I quite like the idea. I'd like to see this taken to the logical conclusion you mention above, hit all the policy recipes. Meaning I think it makes the most sense to actually approach this as a virtual provider problem. If you're still willing to put together a prototype for this, I'm able to take a look at it in pretty short order.

-J.

>
> Regards,
> - Philip
>
> Signed-off-by: Philip Tricca <[email protected]>
> ---
> .../packagegroups/packagegroup-selinux-minimal.bb | 3 +--
> recipes-security/refpolicy/refpolicy_2.20130424.bb | 16
> ++++++++++++++++
> recipes-security/selinux/selinux-config_0.1.bb | 4 ++--
> 3 files changed, 19 insertions(+), 4 deletions(-)
> create mode 100644 recipes-security/refpolicy/refpolicy_2.20130424.bb
> > diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb > b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb > index 072320d..af29da1 100644 > --- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb > +++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb > @@ -13,6 +13,5 @@ ALLOW_EMPTY_${PN} = "1" > RDEPENDS_${PN} = "\ > policycoreutils-semodule \ > policycoreutils-sestatus \ > - selinux-config \ > - refpolicy-mls \ > + refpolicy \ > " > diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.bb > b/recipes-security/refpolicy/refpolicy_2.20130424.bb > new file mode 100644 > index 0000000..f1fa2f8 > --- /dev/null > +++ b/recipes-security/refpolicy/refpolicy_2.20130424.bb > @@ -0,0 +1,16 @@ > +SUMMARY = "The SELinux reference policy." > +DESCRIPTION = "\ > +This is the reference policy for the SELinux mandatory access control \ > +system. There are 3 supported policy types: standard, MCS and MLS. The \ > +standard policy is the most simple of the three providing the standard \ > +type enforcement policy. The MCS policy adds an additional element to the \ > +SELinux label called a category. Finally the MLS variant allows giving data \ > +labels such as \"Top Secret\" and preventing such data from leaking to \ > +processes or files with lower classification. \ > +" > + > +PR = "r0" > +POLICY_TYPE ??= "mls" > +RDEPENDS_${PN} = "selinux-config" > + > +include refpolicy_${PV}.inc > diff --git a/recipes-security/selinux/selinux-config_0.1.bb > b/recipes-security/selinux/selinux-config_0.1.bb > index 27d9995..066581e 100644 > --- a/recipes-security/selinux/selinux-config_0.1.bb > +++ b/recipes-security/selinux/selinux-config_0.1.bb > @@ -1,4 +1,4 @@ > -DEFAULT_POLICY = "mls" > +POLICY_TYPE ??= "mls" > > SUMMARY = "SELinux configuration" > DESCRIPTION = "\ 
> @@ -45,7 +45,7 @@ SELINUX=enforcing > # SELINUXTYPE= can take one of these two values: > # standard - Standard Security protection. > # mls - Multi Level Security protection. > -SELINUXTYPE=${DEFAULT_POLICY} > +SELINUXTYPE=${POLICY_TYPE} > " > ${WORKDIR}/config > install -d ${D}/${sysconfdir}/selinux > install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/ -- -Joe MacDonald. :wq
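Review bot: the last line of the new recipes-security/refpolicy/refpolicy_2.20130424.bb pulls in the shared recipe body with `include refpolicy_${PV}.inc`, and BitBake's `include` continues silently when the file cannot be found. A missing or misnamed .inc would then give a recipe that parses but lacks everything the .inc was meant to provide. Using `require refpolicy_${PV}.inc` turns that case into a parse error, which is the safer behaviour for the recipe that delivers the policy.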
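Review bot: the first hunk of recipes-security/selinux/selinux-config_0.1.bb sets `POLICY_TYPE ??= "mls"`, and the new refpolicy recipe carries the same default on its own line, so the value is defined in two places that must always agree. A setting made in global configuration reaches both recipes, but one made in a bbappend or other recipe-scoped override reaches only one of them, and the image would then ship one policy type while SELINUXTYPE names another. Consider keeping the default in a single shared location (a common .inc or the distro configuration) and noting in the commit message that POLICY_TYPE is meant to be set globally.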
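Review bot: in the second hunk of recipes-security/selinux/selinux-config_0.1.bb, the comment written into the generated config still reads "SELINUXTYPE= can take one of these two values" and lists only standard and mls, while the new refpolicy DESCRIPTION names three types including MCS. The comment should be updated to match what POLICY_TYPE can now be. Since the variable is expanded verbatim into `SELINUXTYPE=${POLICY_TYPE}` next to SELINUX=enforcing, it would also be worth rejecting values outside the supported set at parse time, so a typo cannot produce a config that names a policy the image does not contain.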
_______________________________________________ yocto mailing list [email protected] https://lists.yoctoproject.org/listinfo/yocto
