From: Joe MacDonald <joe@deserted.net>
To: Philip Tricca <flihp@twobit.us>
Cc: yocto@yoctoproject.org
Subject: Re: [meta-selinux][RFC v2] refpolicy: Add generic refpolicy recipe and make policy type configurable.
Date: Wed, 4 Dec 2013 10:40:50 -0500
Message-ID: <20131204154049.GD5677@deserted.net>
In-Reply-To: <1384373153-17622-1-git-send-email-flihp@twobit.us>
Hey Phil,
[[meta-selinux][RFC v2] refpolicy: Add generic refpolicy recipe and make policy type configurable.] On 13.11.13 (Wed 20:05) Philip Tricca wrote:
> This is a fix up for my previous RFC. I've cleaned up an error with some
> variable use. The intent remains the same:
>
> This RFC is a significant departure from the way the policy packages are
> currently set up. The noteworthy differences are:
> 1) the POLICY_TYPE variable can be set as configuration outside the policy recipe
> 2) a single refpolicy recipe can be used to build all 3 policy types
> 3) DEFAULT_POLICY from selinux-config has been changed to be the same POLICY_TYPE variable as the policy
> 4) refpolicy depends on the config and sets the POLICY_TYPE accordingly
>
> This approach was taken to allow the use of a policy type beyond the default
> MLS. I've left the other refpolicy-* recipes intact but if this approach is
> acceptable they could be removed if we're willing to accept the limitation
> that only one policy may be installed on a given image. If this limitation
> isn't acceptable then they can be left as is.
>
> After thinking about this a bit I've realized that the same effect can likely
> be achieved using the virtual provider mechanism. If this approach would be
> preferred I'm happy to whip up a prototype.
>
> Comments and input would be appreciated.
I've been playing with this for a bit and I quite like the idea.
I'd like to see this taken to the logical conclusion you mention above,
hitting all the policy recipes. Meaning I think it makes the most sense to
actually approach this as a virtual provider problem. If you're still
willing to put together a prototype for this, I'm able to take a look at
it in pretty short order.
-J.
>
> Regards,
> - Philip
>
> Signed-off-by: Philip Tricca <flihp@twobit.us>
> ---
> .../packagegroups/packagegroup-selinux-minimal.bb | 3 +--
> recipes-security/refpolicy/refpolicy_2.20130424.bb | 16 ++++++++++++++++
> recipes-security/selinux/selinux-config_0.1.bb | 4 ++--
> 3 files changed, 19 insertions(+), 4 deletions(-)
> create mode 100644 recipes-security/refpolicy/refpolicy_2.20130424.bb
>
> diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
> index 072320d..af29da1 100644
> --- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
> +++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
> @@ -13,6 +13,5 @@ ALLOW_EMPTY_${PN} = "1"
> RDEPENDS_${PN} = "\
> policycoreutils-semodule \
> policycoreutils-sestatus \
> - selinux-config \
> - refpolicy-mls \
> + refpolicy \
> "
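Review bot: dropping `selinux-config` from RDEPENDS_${PN} here makes the packagegroup rely on `refpolicy` to pull it in transitively (it does, via the RDEPENDS in the new recipe), and replacing `refpolicy-mls` with the generic `refpolicy` means the packagegroup can no longer select one of the remaining refpolicy-* recipes. Both are worth a sentence in the commit message, and the second is exactly the case the virtual provider approach mentioned in the description would resolve.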
> diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.bb b/recipes-security/refpolicy/refpolicy_2.20130424.bb
> new file mode 100644
> index 0000000..f1fa2f8
> --- /dev/null
> +++ b/recipes-security/refpolicy/refpolicy_2.20130424.bb
> @@ -0,0 +1,16 @@
> +SUMMARY = "The SELinux reference policy."
> +DESCRIPTION = "\
> +This is the reference policy for the SELinux mandatory access control \
> +system. There are 3 supported policy types: standard, MCS and MLS. The \
> +standard policy is the most simple of the three providing the standard \
> +type enforcement policy. The MCS policy adds an additional element to the \
> +SELinux label called a category. Finally the MLS variant allows giving data \
> +labels such as \"Top Secret\" and preventing such data from leaking to \
> +processes or files with lower classification. \
> +"
> +
> +PR = "r0"
> +POLICY_TYPE ??= "mls"
> +RDEPENDS_${PN} = "selinux-config"
> +
> +include refpolicy_${PV}.inc
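Review bot: `include refpolicy_${PV}.inc` on the last line silently produces an empty recipe if the .inc is missing or misnamed; `require refpolicy_${PV}.inc` turns that into a parse error, which is what you want for the recipe that decides which policy ends up installed. Also, the description says refpolicy "depends on the config and sets the POLICY_TYPE accordingly", but the only link to selinux-config visible here is the runtime `RDEPENDS_${PN} = "selinux-config"`; the recipe carries its own `POLICY_TYPE ??= "mls"` default rather than reading anything from the config recipe, so the wording should say the two recipes are expected to consume one shared configured value.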
> diff --git a/recipes-security/selinux/selinux-config_0.1.bb b/recipes-security/selinux/selinux-config_0.1.bb
> index 27d9995..066581e 100644
> --- a/recipes-security/selinux/selinux-config_0.1.bb
> +++ b/recipes-security/selinux/selinux-config_0.1.bb
> @@ -1,4 +1,4 @@
> -DEFAULT_POLICY = "mls"
> +POLICY_TYPE ??= "mls"
>
> SUMMARY = "SELinux configuration"
> DESCRIPTION = "\
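Review bot: `POLICY_TYPE ??= "mls"` is now declared with the same default in two recipes (here and refpolicy_2.20130424.bb). A setting in the distro conf or local.conf overrides both consistently, but if either default is edited on its own the SELINUXTYPE written to /etc/selinux/config names a policy that is not installed, and the system comes up with no loaded policy. Consider defining the default once (a layer conf or a shared .inc that both recipes read) so there is a single source of truth.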
> @@ -45,7 +45,7 @@ SELINUX=enforcing
> # SELINUXTYPE= can take one of these two values:
> # standard - Standard Security protection.
> # mls - Multi Level Security protection.
> -SELINUXTYPE=${DEFAULT_POLICY}
> +SELINUXTYPE=${POLICY_TYPE}
> " > ${WORKDIR}/config
> install -d ${D}/${sysconfdir}/selinux
> install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
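Review bot: the comment block still lists only two accepted values (`standard` and `mls`) while the new refpolicy recipe documents three (standard, MCS, MLS); add a `# mcs - Multi Category Security protection.` line so the generated config matches. There is also no validation of ${POLICY_TYPE} before it is written into SELINUXTYPE: a typo or an unsupported value passes silently and yields a config that points at a policy directory that will not exist under ${sysconfdir}/selinux, so a check that fails the build when the value is not one of the supported types would catch this early.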
--
-Joe MacDonald.
:wq