[OpenWrt-Devel] [PATCH packages 00/11] SELinux support: packages feed changes

2019-11-22 Thread Thomas Petazzoni
Hello,

This patch series is one part of the changes needed to bring minimal
SELinux support to OpenWrt. SELinux is a mandatory access control
Linux security module, which I assume most if not all OpenWrt users
are already familiar with. The work presented in these patch series
presents a minimal integration, in the sense that it allows one to:

 (1) Build all the important SELinux components, both on the build
 system (for example to compile a SELinux policy) and on the
 target system (libselinux, policy management tools, etc.)

 (2) Set the SELinux security contexts on the files in the filesystem
 image generated by OpenWrt.

 (3) Compile the SELinux policy on the build machine, and integrate
 the compiled SELinux policy in the target filesystem.

 (4) Load at boot time the SELinux policy and enable it.

The provided SELinux policy is the default SELinux policy from the
upstream project: it has not been tuned specifically for OpenWrt.

There are two patch series for this work:

 - One for OpenWrt itself

 - One for the OpenWrt packages feed (this patch series)

OpenWrt changes
===============

This patch series brings the following changes:

 - Allow building Busybox with SELinux support, mainly to get -Z
   option support in several commands. This requires linking against
   libselinux, which is provided in the packages feeds as part of the
   second patch series.

 - Addition of minimal SELinux support in procd, to load the SELinux
   policy at boot time. The patch has been submitted separately to
   procd, and is being discussed.

 - Addition of the fakeroot tool, which we need when generating the
   filesystem image to run the SELinux command "setfiles" that sets
   the appropriate security context for the files in the
   filesystem. It obviously requires root access, which is why it is
   executed under fakeroot.

 - Addition of support for generating a SquashFS image with the
   SELinux security contexts defined. It could be extended to other
   filesystem formats of course.

 - Add some logic to be able to enable SquashFS extended attribute
   support in the kernel configuration, as well as SELinux support.

 - Enable extended attribute support in mksquashfs.

OpenWrt packages feed changes
=============================

This patch series brings new packages for the different user-space
components of SELinux and their dependencies:

 - libsepol
 - libselinux, including its Python bindings
 - audit
 - libcap-ng
 - libsemanage
 - policycoreutils
 - checkpolicy
 - refpolicy
 - selinux-python

These are pretty regular packages.

I'm looking forward to the feedback of the OpenWrt community on this
proposal.

Best regards,

Thomas Petazzoni



Thomas Petazzoni (11):
  libs/pcre: add host variant of libpcre
  libs/libsepol: new package
  libs/libselinux: new package
  utils/audit: new package
  libs/libcap-ng: new package
  libs/libsemanage: new package
  utils/policycoreutils: new package
  utils/checkpolicy: new package
  admin/refpolicy: new package
  libs/libselinux: add support for building the Python bindings
  utils/selinux-python: new package

 admin/refpolicy/Makefile  |  78 +
 admin/refpolicy/files/selinux-config  |   7 +
 libs/libcap-ng/Makefile   |  53 ++
 libs/libselinux/Makefile  | 104 
 libs/libsemanage/Makefile |  70 
 libs/libsepol/Makefile|  65 
 libs/pcre/Makefile|  11 ++
 utils/audit/Makefile  | 125 ++
 utils/audit/files/audit.init  |  16 ++
 ...tue-functions-for-strndupa-rawmemchr.patch | 133 +++
 utils/checkpolicy/Makefile|  42 +
 utils/policycoreutils/Makefile|  60 +++
 utils/selinux-python/Makefile | 155 ++
 .../0001-sepolgen-adjust-data_dir.patch   |  26 +++
 ...hardcode-search-for-ausearch-in-sbin.patch |  38 +
 .../0003-Don-t-force-using-python3.patch  |  67 
 16 files changed, 1050 insertions(+)
 create mode 100644 admin/refpolicy/Makefile
 create mode 100644 admin/refpolicy/files/selinux-config
 create mode 100644 libs/libcap-ng/Makefile
 create mode 100644 libs/libselinux/Makefile
 create mode 100644 libs/libsemanage/Makefile
 create mode 100644 libs/libsepol/Makefile
 create mode 100644 utils/audit/Makefile
 create mode 100644 utils/audit/files/audit.init
 create mode 100644 utils/audit/patches/0001-Add-substitue-functions-for-strndupa-rawmemchr.patch
 create mode 100644 utils/checkpolicy/Makefile
 create mode 100644 utils/policycoreutils/Makefile
 create mode 100644 utils/selinux-python/Makefile
 create mode 100644 utils/selinux-python/patches/0001-sepolgen-adjust-data_dir.patch
 create mode 100644 utils/selinux-python/patches/0002-sepolgen-don-t-hardcode-search-for-ausearch-in-sbin.patch
 create mode 100644 utils/selinux-py

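Step (2) of the cover letter relies on setfiles(8), run under fakeroot, to pick a security context for every file in the generated image from the policy's file_contexts specification. The following is an added example, not code from this patch series, from OpenWrt, or from the SELinux project: it models the labelling decision in simplified form (the last matching entry wins, the optional file-type field restricts an entry to one kind of object, and `<<none>>` leaves an object unlabelled) and then reports which objects of a constructed root filesystem would end up without a label, which is the check worth running on an image before trusting the resulting policy. The file_contexts snippet, the list of paths, and every type name in them are constructed sample data, not refpolicy's real file_contexts; real libselinux additionally groups entries by path stem and uses PCRE rather than Python's `re`, which does not change the outcome for a general-to-specific ordered spec like this one.

```python
"""Simplified model of how setfiles(8) labels files from a file_contexts spec.

Added example: re-implements, in reduced form, the matching rule that
setfiles/libselinux apply when labelling a generated root filesystem.
All sample data below is constructed and is not refpolicy's file_contexts.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Optional file-type field of a file_contexts entry -> kind of object it
# applies to (see file_contexts(5)).
TYPE_FLAGS = {
    "--": "file", "-d": "dir", "-l": "symlink", "-c": "char",
    "-b": "block", "-s": "sock", "-p": "fifo",
}


@dataclass
class Spec:
    regex: "re.Pattern"
    ftype: Optional[str]    # None: applies to any kind of object
    context: Optional[str]  # None: <<none>>, leave the object unlabelled


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse lines of the form 'REGEX [TYPE] CONTEXT'; '#' starts a comment."""
    specs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, ctx = fields
            if ftype not in TYPE_FLAGS:
                raise ValueError(f"bad type field {ftype!r} in: {line}")
            ftype = TYPE_FLAGS[ftype]
        elif len(fields) == 2:
            regex, ctx = fields
            ftype = None
        else:
            raise ValueError(f"malformed file_contexts line: {line}")
        # libselinux anchors each expression at both ends; fullmatch below
        # gives the same effect in the Python re dialect.
        specs.append(Spec(re.compile(regex), ftype,
                          None if ctx == "<<none>>" else ctx))
    return specs


def lookup(specs: List[Spec], path: str, kind: str) -> Optional[str]:
    """Context for (path, kind), or None when no entry (or <<none>>) applies.

    Entries are tried from the end of the spec, so the last matching entry
    wins; that is why file_contexts lists general patterns first and more
    specific ones later.
    """
    for spec in reversed(specs):
        if spec.ftype not in (None, kind):
            continue
        if spec.regex.fullmatch(path):
            return spec.context
    return None


def label_image(specs: List[Spec],
                entries: List[Tuple[str, str]]) -> Tuple[Dict[str, str], List[str]]:
    """Label every (path, kind) pair and collect the paths left unlabelled."""
    labels: Dict[str, str] = {}
    unlabelled: List[str] = []
    for path, kind in entries:
        ctx = lookup(specs, path, kind)
        if ctx is None:
            unlabelled.append(path)
        else:
            labels[path] = ctx
    return labels, unlabelled


# Constructed spec in file_contexts syntax, ordered general to specific.
SAMPLE_FILE_CONTEXTS = """
/.*                      system_u:object_r:default_t:s0
/etc(/.*)?               system_u:object_r:etc_t:s0
/etc/shadow.*        --  system_u:object_r:shadow_t:s0
/sbin(/.*)?              system_u:object_r:bin_t:s0
/sbin/procd          --  system_u:object_r:init_exec_t:s0
/tmp(/.*)?               <<none>>
"""

# Constructed (path, kind) pairs standing in for a walk of the rootfs.
SAMPLE_ENTRIES = [
    ("/", "dir"),
    ("/etc", "dir"),
    ("/etc/shadow", "file"),
    ("/etc/shadow.d", "dir"),   # '--' entry does not apply to a directory
    ("/sbin/procd", "file"),
    ("/sbin/ubus", "file"),
    ("/tmp/run", "dir"),
    ("/bin/busybox", "file"),
]


if __name__ == "__main__":
    labels, unlabelled = label_image(parse_file_contexts(SAMPLE_FILE_CONTEXTS),
                                     SAMPLE_ENTRIES)
    for path, ctx in labels.items():
        print(f"{path:<16} {ctx}")
    print("unlabelled:", unlabelled)
```

Running the script shows `/etc/shadow` receiving `shadow_t` while the directory `/etc/shadow.d` falls back to `etc_t` because the `--` entry only covers regular files, and `/tmp/run` is reported as unlabelled because the spec says `<<none>>` for it. Against a real image the same report (paths whose label fell through to the catch-all or to nothing at all) is what tells you whether the refpolicy file_contexts actually covers the OpenWrt layout.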
Re: [OpenWrt-Devel] [PATCH packages 00/11] SELinux support: packages feed changes

2019-11-28 Thread Jan Pavlinec
Hi,

I really like the idea of SELinux support in OpenWrt, but I think that
if you send these patches directly to
https://github.com/openwrt/packages/ they will receive more attention
than here on the mailing list.

J.P.


Re: [OpenWrt-Devel] [PATCH packages 00/11] SELinux support: packages feed changes

2019-11-28 Thread Thomas Petazzoni
Hello Jan,

On Thu, 28 Nov 2019 12:35:36 +0100
Jan Pavlinec  wrote:

> I really like the idea of SELinux support in OpenWrt, but I think that
> if you send these patches directly to
> https://github.com/openwrt/packages/ they will receive more attention
> than here in mailing list.

Thanks a lot for your feedback. Should I do this only for the package
patches (i.e. the package feeds), or also for the "core" changes?

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel


Re: [OpenWrt-Devel] [PATCH packages 00/11] SELinux support: packages feed changes

2019-11-28 Thread Jan Pavlinec
I think that maintainers of openwrt/openwrt repo are more active on the
mailing list but openwrt/packages maintainers prefer GitHub. But that is
just my personal feeling.

J.P.




Re: [OpenWrt-Devel] [PATCH packages 00/11] SELinux support: packages feed changes

2019-11-28 Thread Thomas Petazzoni
Hello Jan,

On Thu, 28 Nov 2019 13:25:24 +0100
Jan Pavlinec  wrote:

> I think that maintainers of openwrt/openwrt repo are more active on the
> mailing list but openwrt/packages maintainers prefer GitHub. But that is
> just my personal feeling.

Thanks for the suggestion. I just opened a Github pull request for the
packages part: https://github.com/openwrt/packages/pull/10664

Best regards,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
