This is a fix up for my previous RFC. I've cleaned up an error with some \ variable use. The intent remains the same:
This RFC is a significant departure from the way the policy packages are currently set up. The noteworthy differences are:

1) the POLICY_TYPE variable can be set as configuration outside the policy recipe
2) a single refpolicy recipe can be used to build all 3 policy types
3) DEFAULT_POLICY from selinux-config has been changed to be the same POLICY_TYPE variable as the policy
4) refpolicy depends on the config and sets the POLICY_TYPE accordingly

This approach was taken to allow the use of a policy type beyond the default MLS. I've left the other refpolicy-* recipes intact but if this approach is acceptable they could be removed if we're willing to accept the limitation that only one policy may be installed on a given image. If this limitation isn't acceptable then they can be left as is.

After thinking about this a bit I've realized that the same effect can likely be achieved using the virtual provider mechanism. If this approach would be preferred I'm happy to whip up a prototype.

Comments and input would be appreciated.

Regards,
- Philip

Signed-off-by: Philip Tricca <fl...@twobit.us>
--- .../packagegroups/packagegroup-selinux-minimal.bb | 3 +-- recipes-security/refpolicy/refpolicy_2.20130424.bb | 16 ++++++++++++++++ recipes-security/selinux/selinux-config_0.1.bb | 4 ++-- 3 files changed, 19 insertions(+), 4 deletions(-) create mode 100644 recipes-security/refpolicy/refpolicy_2.20130424.bb diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb index 072320d..af29da1 100644 --- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb +++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb @@ -13,6 +13,5 @@ ALLOW_EMPTY_${PN} = "1" RDEPENDS_${PN} = "\ policycoreutils-semodule \ policycoreutils-sestatus \ - selinux-config \ - refpolicy-mls \ + refpolicy \ " 
diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.bb b/recipes-security/refpolicy/refpolicy_2.20130424.bb new file mode 100644 index 0000000..f1fa2f8 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy_2.20130424.bb @@ -0,0 +1,16 @@ +SUMMARY = "The SELinux reference policy." +DESCRIPTION = "\ +This is the reference policy for the SELinux mandatory access control \ +system. There are 3 supported policy types: standard, MCS and MLS. The \ +standard policy is the most simple of the three providing the standard \ +type enforcement policy. The MCS policy adds an additional element to the \ +SELinux label called a category. Finally the MLS variant allows giving data \ +labels such as \"Top Secret\" and preventing such data from leaking to \ +processes or files with lower classification. \ +" + +PR = "r0" +POLICY_TYPE ??= "mls" +RDEPENDS_${PN} = "selinux-config" + +include refpolicy_${PV}.inc diff --git a/recipes-security/selinux/selinux-config_0.1.bb b/recipes-security/selinux/selinux-config_0.1.bb index 27d9995..066581e 100644 --- a/recipes-security/selinux/selinux-config_0.1.bb +++ b/recipes-security/selinux/selinux-config_0.1.bb @@ -1,4 +1,4 @@ -DEFAULT_POLICY = "mls" +POLICY_TYPE ??= "mls" SUMMARY = "SELinux configuration" DESCRIPTION = "\ @@ -45,7 +45,7 @@ SELINUX=enforcing # SELINUXTYPE= can take one of these two values: # standard - Standard Security protection. # mls - Multi Level Security protection. -SELINUXTYPE=${DEFAULT_POLICY} +SELINUXTYPE=${POLICY_TYPE} " > ${WORKDIR}/config install -d ${D}/${sysconfdir}/selinux install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/ -- 1.7.10.4 _______________________________________________ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
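Review bot: in the packagegroup-selinux-minimal.bb hunk, selinux-config is dropped from RDEPENDS_${PN} and is now reached only transitively through the new refpolicy recipe's `RDEPENDS_${PN} = "selinux-config"`. That holds for this packagegroup, but it ties the presence of /etc/selinux/config to one specific policy package: an image that instead pulls in one of the refpolicy-* recipes the cover letter says are left in place, without refpolicy, no longer gets the config file and boots with no SELINUXTYPE at all. Either keep selinux-config listed explicitly here, or give every policy recipe the same RDEPENDS so the config cannot go missing.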
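Review bot: `include refpolicy_${PV}.inc` at the end of the new refpolicy_2.20130424.bb should be `require`: BitBake's include silently skips a file it cannot find, so a missing or misnamed .inc gives a recipe that still parses but produces an empty policy package, and the problem only surfaces on the target. The recipe also repeats the `POLICY_TYPE ??= "mls"` default that selinux-config_0.1.bb sets; with two independent defaults the values can drift if one is overridden in a bbappend and the other is not, so define the default once (in the shared .inc or a small class) and have both recipes read it. If the .inc does not set LICENSE and LIC_FILES_CHKSUM, they need to be set here as well.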
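Review bot: renaming `DEFAULT_POLICY = "mls"` to `POLICY_TYPE ??= "mls"` in the first selinux-config_0.1.bb hunk is a user-visible configuration change: any local.conf or bbappend that still sets DEFAULT_POLICY keeps parsing but no longer has any effect, and the image silently falls back to mls. That deserves a sentence in the commit message, and if compatibility with existing configurations matters, the old name could be honoured for a release, e.g. `POLICY_TYPE ??= "${@d.getVar('DEFAULT_POLICY', True) or 'mls'}"`.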
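Review bot: the comment block above `-SELINUXTYPE=${DEFAULT_POLICY}` / `+SELINUXTYPE=${POLICY_TYPE}` in the second selinux-config_0.1.bb hunk still says the value "can take one of these two values" (standard, mls), while the new refpolicy DESCRIPTION in the same patch lists three types including MCS; update the comment so the generated /etc/selinux/config documents what the recipes actually build. More importantly, nothing validates POLICY_TYPE before it is written into the file: a value that does not correspond to a built policy (a typo, or a type refpolicy was not built for) yields a config with SELINUX=enforcing and an unloadable SELINUXTYPE, which is only discovered at boot. A check in do_install such as `case "${POLICY_TYPE}" in standard|mcs|mls) ;; *) bbfatal "unsupported POLICY_TYPE: ${POLICY_TYPE}" ;; esac` would fail the build instead.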