This RFC is a significant departure from the way the policy packages are currently set up. The noteworthy differences are:
1) the POLICY_TYPE variable can be set as configuration outside the policy recipe
2) a single refpolicy recipe can be used to build all 3 policy types
3) DEFAULT_POLICY from selinux-config can be set outside the config recipe
4) refpolicy depends on the config and sets the DEFAULT_POLICY accordingly

This approach was taken to allow the use of a policy type beyond MLS. I've left the other refpolicy-* recipes intact but if this approach is acceptable they could be removed if we're willing to accept the limitation that only one policy may be installed on a given image. If this limitation isn't acceptable then they can be left as is.

Comments and input would be appreciated.

Cheers,
- Philip

Signed-off-by: Philip Tricca <fl...@twobit.us>
--- .../packagegroups/packagegroup-selinux-minimal.bb | 3 +-- recipes-security/refpolicy/refpolicy_2.20130424.bb | 19 +++++++++++++++++++ recipes-security/selinux/selinux-config_0.1.bb | 2 +- 3 files changed, 21 insertions(+), 3 deletions(-) create mode 100644 recipes-security/refpolicy/refpolicy_2.20130424.bb diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb index 072320d..af29da1 100644 --- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb +++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb @@ -13,6 +13,5 @@ ALLOW_EMPTY_${PN} = "1" RDEPENDS_${PN} = "\ policycoreutils-semodule \ policycoreutils-sestatus \ - selinux-config \ - refpolicy-mls \ + refpolicy \ " diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.bb b/recipes-security/refpolicy/refpolicy_2.20130424.bb new file mode 100644 index 0000000..c00aca3 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy_2.20130424.bb 
@@ -0,0 +1,19 @@ +SUMMARY = "The SELinux reference policy." +DESCRIPTION = "\ +This is the reference policy for the SELinux mandatory access control \ +system. There are 3 supported policy types: standard, MCS and MLS. The \ +standard policy is the most simple of the three providing the standard \ +type enforcement policy. The MCS policy adds an additional element to the \ +SELinux label called a category. Finally the MLS variant allows giving data \ +labels such as \"Top Secret\" and preventing such data from leaking to \ +processes or files with lower classification. \ +" + +PR = "r0" + +POLICY_TYPE ??= "mls" +DEFAULT_POLICY = "${POLICY_TYPE}" + +RDEPENDS_${PN} = "selinux-config" + +include refpolicy_${PV}.inc diff --git a/recipes-security/selinux/selinux-config_0.1.bb b/recipes-security/selinux/selinux-config_0.1.bb index 27d9995..293218e 100644 --- a/recipes-security/selinux/selinux-config_0.1.bb +++ b/recipes-security/selinux/selinux-config_0.1.bb @@ -1,4 +1,4 @@ -DEFAULT_POLICY = "mls" +DEFAULT_POLICY ??= "mls" SUMMARY = "SELinux configuration" DESCRIPTION = "\ -- 1.7.10.4 _______________________________________________ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
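
Review bot: in the packagegroup-selinux-minimal.bb hunk, removing `selinux-config \` from RDEPENDS_${PN} means the minimal group now gets the config package only transitively, through the `RDEPENDS_${PN} = "selinux-config"` line in the new refpolicy recipe. Consider keeping `selinux-config \` listed next to `refpolicy \` so the group still installs the SELinux configuration if the policy recipe's runtime dependencies change later.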
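
Review bot: in the new refpolicy_2.20130424.bb, `DEFAULT_POLICY = "${POLICY_TYPE}"` is assigned inside the refpolicy recipe, and a variable set in one recipe is not visible when BitBake parses another recipe, so this line does not change the DEFAULT_POLICY that selinux-config_0.1.bb sees. If POLICY_TYPE is overridden in configuration and DEFAULT_POLICY is left alone, selinux-config still falls back to its own "mls" default while refpolicy builds a different type. Suggest dropping the assignment here and deriving the default from POLICY_TYPE in selinux-config itself or in a shared include. Separately, `include refpolicy_${PV}.inc` continues silently when the file is missing; `require` would fail the parse instead.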
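
Review bot: the `DEFAULT_POLICY ??= "mls"` line at the top of selinux-config_0.1.bb makes this a value users are expected to set from configuration, but nothing in the visible lines documents which values are accepted or that it has to match the policy type refpolicy builds. A short comment above the assignment naming the valid values and the relationship to POLICY_TYPE would make a mismatched pair easier to spot in review.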