refpolicy: add variant that builds modular policy

This adds a variant of refpolicy that builds the modular form of the
policy. While this requires more memory on the target device, along with
some tricks to deal with OpenWrt's volatile /var directory, it is useful
for experimenting with SELinux policy.

Signed-off-by: W. Michael Petullo <mike@flyn.org>
W. Michael Petullo 2020-11-01 07:44:56 -06:00 committed by Daniel Golle
parent 2e282537d0
commit 9eb9943f82
2 changed files with 39 additions and 2 deletions


@ -362,6 +362,12 @@ menu "Global build settings"
help help
SELinux Reference Policy (refpolicy) SELinux Reference Policy (refpolicy)
config SELINUXTYPE_targeted-modular
bool "targeted-modular"
select PACKAGE_refpolicy-modular
help
Modular SELinux Reference Policy (refpolicy-modular)
config SELINUXTYPE_dssp config SELINUXTYPE_dssp
bool "dssp" bool "dssp"
select PACKAGE_selinux-policy select PACKAGE_selinux-policy
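Review bot: The help text of the new `SELINUXTYPE_targeted-modular` entry only restates the option name, so someone choosing a policy type in menuconfig gets none of the trade-offs the commit description gives. I would extend it along the lines of `Modular SELinux Reference Policy (refpolicy-modular). Needs more memory on the target and is intended for experimenting with policy.` so the cost is visible at the point of selection. The enclosing menu and the other policy-type entries continue outside this hunk.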


@ -24,7 +24,7 @@ TAR_OPTIONS:=--transform='s%^refpolicy%$(PKG_NAME)-$(PKG_VERSION)%' -xf -
include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/package.mk
define Package/refpolicy define Package/refpolicy/Default
SECTION:=system SECTION:=system
CATEGORY:=Base system CATEGORY:=Base system
TITLE:=SELinux reference policy TITLE:=SELinux reference policy
@ -32,6 +32,19 @@ define Package/refpolicy
PKGARCH:=all PKGARCH:=all
endef endef
define Package/refpolicy
$(call Package/refpolicy/Default)
CONFLICTS:=refpolicy-modular
VARIANT:=default
endef
define Package/refpolicy-modular
$(call Package/refpolicy/Default)
TITLE += (modular)
VARIANT:=modular
PROVIDES:=refpolicy
endef
define Package/refpolicy/description define Package/refpolicy/description
The SELinux Reference Policy project (refpolicy) is a The SELinux Reference Policy project (refpolicy) is a
complete SELinux policy that can be used as the system complete SELinux policy that can be used as the system
@ -56,25 +69,43 @@ endef
# builds is a small host tool that gets run as part of the build # builds is a small host tool that gets run as part of the build
# process. # process.
MAKE_FLAGS += \ MAKE_FLAGS += \
DESTDIR="$(PKG_INSTALL_DIR)"
SETFILES="$(STAGING_DIR_HOST)/bin/setfiles" \ SETFILES="$(STAGING_DIR_HOST)/bin/setfiles" \
CHECKPOLICY="$(STAGING_DIR_HOSTPKG)/bin/checkpolicy" \ CHECKPOLICY="$(STAGING_DIR_HOSTPKG)/bin/checkpolicy" \
CC="$(HOSTCC)" \ CC="$(HOSTCC)" \
CFLAGS="$(HOST_CFLAGS)" CFLAGS="$(HOST_CFLAGS)"
define Build/Configure define Build/Configure
$(SED) "/MONOLITHIC/c\MONOLITHIC = y" $(PKG_BUILD_DIR)/build.conf
$(SED) "/NAME/c\NAME = targeted" $(PKG_BUILD_DIR)/build.conf $(SED) "/NAME/c\NAME = targeted" $(PKG_BUILD_DIR)/build.conf
ifneq ($(BUILD_VARIANT),modular)
$(SED) "/MONOLITHIC/c\MONOLITHIC = y" $(PKG_BUILD_DIR)/build.conf
endif
$(call Build/Compile/Default,conf) $(call Build/Compile/Default,conf)
endef endef
ifeq ($(BUILD_VARIANT),modular)
define Build/Install
$(call Build/Compile/Default,install install-headers)
endef
endif
define Package/refpolicy/conffiles define Package/refpolicy/conffiles
/etc/selinux/config /etc/selinux/config
endef endef
Package/refpolicy-modular/conffiles = $(Package/refpolicy/conffiles)
define Package/refpolicy/install define Package/refpolicy/install
$(INSTALL_DIR) $(1)/etc/selinux $(INSTALL_DIR) $(1)/etc/selinux
$(CP) $(PKG_INSTALL_DIR)/etc/selinux/* $(1)/etc/selinux/ $(CP) $(PKG_INSTALL_DIR)/etc/selinux/* $(1)/etc/selinux/
$(CP) ./files/selinux-config $(1)/etc/selinux/config $(CP) ./files/selinux-config $(1)/etc/selinux/config
ifeq ($(BUILD_VARIANT),modular)
$(INSTALL_DIR) $(1)/usr/share/selinux
$(CP) $(PKG_INSTALL_DIR)/usr/share/selinux/* $(1)/usr/share/selinux/
endif
endef endef
Package/refpolicy-modular/install = $(Package/refpolicy/install)
$(eval $(call BuildPackage,refpolicy)) $(eval $(call BuildPackage,refpolicy))
$(eval $(call BuildPackage,refpolicy-modular))
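Review bot: The modular branch of `Package/refpolicy/install` copies only `/etc/selinux/*` and `/usr/share/selinux/*`, and nothing in these hunks creates or populates the module store that the description says needs special handling on OpenWrt's volatile `/var`. Since `MONOLITHIC = y` is no longer forced for this variant, it is worth confirming what the device actually loads at boot before any modules have been installed; an image with no loadable policy would presumably come up with SELinux not enforcing. I would add a comment above the `ifeq ($(BUILD_VARIANT),modular)` block in the install section, for example `# modular: installs policy modules only; the module store under /var is rebuilt on the device (see <where this is handled>)`, and say the same in the package description. Separately, the added `DESTDIR="$(PKG_INSTALL_DIR)"` line is shown here without a trailing `\`; if that is not a rendering artifact, it would end the `MAKE_FLAGS +=` continuation early and drop `SETFILES`, `CHECKPOLICY`, `CC` and `CFLAGS` from the flags passed to the policy build.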