* [meta-selinux][RFC v2] refpolicy: Add generic refpolicy recipe and make policy type configurable.
From: Philip Tricca @ 2013-11-13 20:05 UTC
To: yocto
This is a fix up for my previous RFC. I've cleaned up an error with some \
variable use. The intent remains the same:
This RFC is a significant departure from the way the policy packages are
currently set up. The noteworthy differences are:
1) the POLICY_TYPE variable can be set as configuration outside the policy recipe
2) a single refpolicy recipe can be used to build all 3 policy types
3) DEFAULT_POLICY from selinux-config has been changed to be the same POLICY_TYPE variable as the policy
4) refpolicy depends on the config and sets the POLICY_TYPE accordingly
This approach was taken to allow the use of a policy type beyond the default
MLS. I've left the other refpolicy-* recipes intact but if this approach is
acceptable they could be removed if we're willing to accept the limitation
that only one policy may be installed on a given image. If this limitation
isn't acceptable then they can be left as is.
After thinking about this a bit I've realized that the same effect can likely
be achieved using the virtual provider mechanism. If this approach would be
preferred I'm happy to whip up a prototype.
Comments and input would be appreciated.
Regards,
- Philip
Signed-off-by: Philip Tricca <flihp@twobit.us>
---
.../packagegroups/packagegroup-selinux-minimal.bb | 3 +--
recipes-security/refpolicy/refpolicy_2.20130424.bb | 16 ++++++++++++++++
recipes-security/selinux/selinux-config_0.1.bb | 4 ++--
3 files changed, 19 insertions(+), 4 deletions(-)
create mode 100644 recipes-security/refpolicy/refpolicy_2.20130424.bb
diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
index 072320d..af29da1 100644
--- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
+++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
@@ -13,6 +13,5 @@ ALLOW_EMPTY_${PN} = "1"
RDEPENDS_${PN} = "\
policycoreutils-semodule \
policycoreutils-sestatus \
- selinux-config \
- refpolicy-mls \
+ refpolicy \
"
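Review bot: removing `selinux-config \` from this RDEPENDS list makes the packagegroup rely on the new refpolicy recipe's `RDEPENDS_${PN} = "selinux-config"` to get /etc/selinux/config onto the image. That holds for `refpolicy`, but the cover letter keeps the other refpolicy-* recipes around; an image that swaps `refpolicy` for one of those in this list ends up with a policy but no config file, so no policy is loaded at boot. Either keep `selinux-config \` here or give the remaining refpolicy-* recipes the same runtime dependency.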
diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.bb b/recipes-security/refpolicy/refpolicy_2.20130424.bb
new file mode 100644
index 0000000..f1fa2f8
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy_2.20130424.bb
@@ -0,0 +1,16 @@
+SUMMARY = "The SELinux reference policy."
+DESCRIPTION = "\
+This is the reference policy for the SELinux mandatory access control \
+system. There are 3 supported policy types: standard, MCS and MLS. The \
+standard policy is the most simple of the three providing the standard \
+type enforcement policy. The MCS policy adds an additional element to the \
+SELinux label called a category. Finally the MLS variant allows giving data \
+labels such as \"Top Secret\" and preventing such data from leaking to \
+processes or files with lower classification. \
+"
+
+PR = "r0"
+POLICY_TYPE ??= "mls"
+RDEPENDS_${PN} = "selinux-config"
+
+include refpolicy_${PV}.inc
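Review bot: `include refpolicy_${PV}.inc` silently does nothing when the file is missing, so a typo in the .inc name or a version bump without a matching .inc parses as an empty recipe that installs no policy; `require refpolicy_${PV}.inc` fails the parse instead, which is what you want for the recipe that carries the whole policy build. Also, `POLICY_TYPE ??= "mls"` is never validated against the three types the DESCRIPTION names, so a value such as `"MLS"` or `"targeted"` flows into the build unchecked; consider failing in an anonymous python block when POLICY_TYPE is not one of standard, mcs or mls. `PR = "r0"` is the default and can be dropped.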
diff --git a/recipes-security/selinux/selinux-config_0.1.bb b/recipes-security/selinux/selinux-config_0.1.bb
index 27d9995..066581e 100644
--- a/recipes-security/selinux/selinux-config_0.1.bb
+++ b/recipes-security/selinux/selinux-config_0.1.bb
@@ -1,4 +1,4 @@
-DEFAULT_POLICY = "mls"
+POLICY_TYPE ??= "mls"
SUMMARY = "SELinux configuration"
DESCRIPTION = "\
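Review bot: the weak default `POLICY_TYPE ??= "mls"` is now carried by both this recipe and refpolicy_2.20130424.bb with nothing tying the two together; a `POLICY_TYPE_pn-refpolicy = "mcs"` override or a bbappend on one recipe yields a policy of one type and a config naming another, and the mismatch only shows up at boot. Put the single default in a layer or distro .conf and have both recipes consume it, or have selinux-config take the value from the policy recipe rather than carrying its own.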
@@ -45,7 +45,7 @@ SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# standard - Standard Security protection.
# mls - Multi Level Security protection.
-SELINUXTYPE=${DEFAULT_POLICY}
+SELINUXTYPE=${POLICY_TYPE}
" > ${WORKDIR}/config
install -d ${D}/${sysconfdir}/selinux
install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
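Review bot: the comment above `SELINUXTYPE=${POLICY_TYPE}` still says "one of these two values: standard, mls", but the variable now also accepts mcs (the new refpolicy DESCRIPTION lists three types); update the comment so the generated /etc/selinux/config documents the same set. With `SELINUX=enforcing` in the context lines, a SELINUXTYPE that names a store not installed under /etc/selinux/ means the policy cannot be loaded at boot, so a do_rootfs-time check that the `${POLICY_TYPE}` directory exists would catch the drift before the image ships.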
--
1.7.10.4
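The patch makes `SELINUXTYPE` in /etc/selinux/config follow the same `POLICY_TYPE` variable that selects which refpolicy is built, and the two are resolved independently by two recipes. The script below is an added example, not part of the meta-selinux patch or of the project's recipes: it reads the generated config, checks that `SELINUXTYPE` is one of the three types the new recipe documents, and verifies that a policy store is actually installed for that type. It assumes refpolicy's usual install layout, a binary policy at `${SELINUX_ROOT}/${SELINUXTYPE}/policy/policy.<version>`, and the demonstration tree it builds under mktemp is constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the meta-selinux patch: check that the SELINUXTYPE
# the selinux-config recipe wrote into /etc/selinux/config names a policy type
# that is really installed, i.e. that POLICY_TYPE resolved to the same value in
# both recipes. Assumed layout (matches refpolicy's install): a policy store at
# ${SELINUX_ROOT}/${SELINUXTYPE}/policy/policy.<version>.

# check_selinux_config CONFIG_FILE SELINUX_ROOT
# Exit status: 0  config and installed policy agree
#              1  config unreadable or SELINUXTYPE not standard/mcs/mls
#              2  SELINUXTYPE is valid but no policy store is installed for it
check_selinux_config() {
    cfg=$1
    root=$2
    [ -r "$cfg" ] || { echo "no readable config at $cfg" >&2; return 1; }

    # Last uncommented SELINUXTYPE= assignment wins, as libselinux reads it.
    ptype=$(sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*//p' "$cfg" \
            | tail -n 1 | tr -d '[:space:]')
    case "$ptype" in
        standard|mcs|mls) ;;
        *) echo "SELINUXTYPE='$ptype' is not one of standard, mcs, mls" >&2; return 1 ;;
    esac

    # SELINUX= (enforcing/permissive/disabled); this pattern cannot match
    # SELINUXTYPE= because 'T' rather than '=' follows SELINUX there.
    mode=$(sed -n 's/^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*//p' "$cfg" \
           | tail -n 1 | tr -d '[:space:]')

    # A binary policy file must exist for the named type; otherwise nothing
    # can be loaded at boot regardless of what SELINUX= says.
    if ! ls "$root/$ptype/policy"/policy.* >/dev/null 2>&1; then
        echo "SELINUXTYPE=$ptype but nothing under $root/$ptype/policy (SELINUX=$mode)" >&2
        return 2
    fi
    return 0
}

# Constructed demonstration tree standing in for an image rootfs: only the
# mls store is "installed", so a config naming mcs is caught, and a config
# naming a type outside the documented set is rejected outright.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/selinux/mls/policy"
    : > "$tmp/etc/selinux/mls/policy/policy.28"
    printf 'SELINUX=enforcing\nSELINUXTYPE=mls\n' > "$tmp/ok.conf"
    printf 'SELINUX=enforcing\nSELINUXTYPE=mcs\n' > "$tmp/missing.conf"
    printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$tmp/bad.conf"
    for f in ok missing bad; do
        if check_selinux_config "$tmp/$f.conf" "$tmp/etc/selinux"; then
            echo "$f.conf: consistent"
        else
            echo "$f.conf: mismatch (status $?)"
        fi
    done
    rm -rf "$tmp"
}

demo
```

Against a built image the call is `check_selinux_config "$ROOTFS/etc/selinux/config" "$ROOTFS/etc/selinux"`; running it from a rootfs post-processing step turns a boot-time policy load failure into a build failure, which is where a POLICY_TYPE mismatch between the two recipes is cheapest to notice.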
* Re: [meta-selinux][RFC v2] refpolicy: Add generic refpolicy recipe and make policy type configurable.
From: Joe MacDonald @ 2013-12-04 15:40 UTC
To: Philip Tricca; +Cc: yocto
Hey Phil,
[[meta-selinux][RFC v2] refpolicy: Add generic refpolicy recipe and make policy type configurable.] On 13.11.13 (Wed 20:05) Philip Tricca wrote:
> This is a fix up for my previous RFC. I've cleaned up an error with some \
> variable use. The intent remains the same:
>
> This RFC is a significant departure from the way the policy packages are
> currently set up. The noteworthy differences are:
> 1) the POLICY_TYPE variable can be set as configuration outside the policy recipe
> 2) a single refpolicy recipe can be used to build all 3 policy types
> 3) DEFAULT_POLICY from selinux-config has been changed to be the same POLICY_TYPE variable as the policy
> 4) refpolicy depends on the config and sets the POLICY_TYPE accordingly
>
> This approach was taken to allow the use of a policy type beyond the default
> MLS. I've left the other refpolicy-* recipes intact but if this approach is
> acceptable they could be removed if we're willing to accept the limitation
> that only one policy may be installed on a given image. If this limitation
> isn't acceptable then they can be left as is.
>
> After thinking about this a bit I've realized that the same effect can likely
> be achieved using the virtual provider mechanism. If this approach would be
> preferred I'm happy to whip up a prototype.
>
> Comments and input would be appreciated.
I've been playing with this for a bit and I quite like the idea.
I'd like to see this taken to the logical conclusion you mention above,
hit all the policy recipes. Meaning I think it makes the most sense to
actually approach this as a virtual provider problem. If you're still
willing to put together a prototype for this, I'm able to take a look at
it in pretty short order.
-J.
>
> Regards,
> - Philip
>
> Signed-off-by: Philip Tricca <flihp@twobit.us>
> ---
> .../packagegroups/packagegroup-selinux-minimal.bb | 3 +--
> recipes-security/refpolicy/refpolicy_2.20130424.bb | 16 ++++++++++++++++
> recipes-security/selinux/selinux-config_0.1.bb | 4 ++--
> 3 files changed, 19 insertions(+), 4 deletions(-)
> create mode 100644 recipes-security/refpolicy/refpolicy_2.20130424.bb
>
> diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
> index 072320d..af29da1 100644
> --- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
> +++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
> @@ -13,6 +13,5 @@ ALLOW_EMPTY_${PN} = "1"
> RDEPENDS_${PN} = "\
> policycoreutils-semodule \
> policycoreutils-sestatus \
> - selinux-config \
> - refpolicy-mls \
> + refpolicy \
> "
> diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.bb b/recipes-security/refpolicy/refpolicy_2.20130424.bb
> new file mode 100644
> index 0000000..f1fa2f8
> --- /dev/null
> +++ b/recipes-security/refpolicy/refpolicy_2.20130424.bb
> @@ -0,0 +1,16 @@
> +SUMMARY = "The SELinux reference policy."
> +DESCRIPTION = "\
> +This is the reference policy for the SELinux mandatory access control \
> +system. There are 3 supported policy types: standard, MCS and MLS. The \
> +standard policy is the most simple of the three providing the standard \
> +type enforcement policy. The MCS policy adds an additional element to the \
> +SELinux label called a category. Finally the MLS variant allows giving data \
> +labels such as \"Top Secret\" and preventing such data from leaking to \
> +processes or files with lower classification. \
> +"
> +
> +PR = "r0"
> +POLICY_TYPE ??= "mls"
> +RDEPENDS_${PN} = "selinux-config"
> +
> +include refpolicy_${PV}.inc
> diff --git a/recipes-security/selinux/selinux-config_0.1.bb b/recipes-security/selinux/selinux-config_0.1.bb
> index 27d9995..066581e 100644
> --- a/recipes-security/selinux/selinux-config_0.1.bb
> +++ b/recipes-security/selinux/selinux-config_0.1.bb
> @@ -1,4 +1,4 @@
> -DEFAULT_POLICY = "mls"
> +POLICY_TYPE ??= "mls"
>
> SUMMARY = "SELinux configuration"
> DESCRIPTION = "\
> @@ -45,7 +45,7 @@ SELINUX=enforcing
> # SELINUXTYPE= can take one of these two values:
> # standard - Standard Security protection.
> # mls - Multi Level Security protection.
> -SELINUXTYPE=${DEFAULT_POLICY}
> +SELINUXTYPE=${POLICY_TYPE}
> " > ${WORKDIR}/config
> install -d ${D}/${sysconfdir}/selinux
> install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
--
-Joe MacDonald.
:wq
* Re: [meta-selinux][RFC v2] refpolicy: Add generic refpolicy recipe and make policy type configurable.
From: Philip Tricca @ 2013-12-05 1:37 UTC
To: Joe MacDonald; +Cc: yocto
Hi Joe,
On 12/04/2013 10:40 AM, Joe MacDonald wrote:
> Hey Phil,
>
> [[meta-selinux][RFC v2] refpolicy: Add generic refpolicy recipe and make policy type configurable.] On 13.11.13 (Wed 20:05) Philip Tricca wrote:
>
>> This is a fix up for my previous RFC. I've cleaned up an error with some \
>> variable use. The intent remains the same:
>>
>> This RFC is a significant departure from the way the policy packages are
>> currently set up. The noteworthy differences are:
>> 1) the POLICY_TYPE variable can be set as configuration outside the policy recipe
>> 2) a single refpolicy recipe can be used to build all 3 policy types
>> 3) DEFAULT_POLICY from selinux-config has been changed to be the same POLICY_TYPE variable as the policy
>> 4) refpolicy depends on the config and sets the POLICY_TYPE accordingly
>>
>> This approach was taken to allow the use of a policy type beyond the default
>> MLS. I've left the other refpolicy-* recipes intact but if this approach is
>> acceptable they could be removed if we're willing to accept the limitation
>> that only one policy may be installed on a given image. If this limitation
>> isn't acceptable then they can be left as is.
>>
>> After thinking about this a bit I've realized that the same effect can likely
>> be achieved using the virtual provider mechanism. If this approach would be
>> preferred I'm happy to whip up a prototype.
>>
>> Comments and input would be appreciated.
>
> I've been playing with this for a bit and I quite like the idea.
> I'd like to see this taken to the logical conclusion you mention above,
> hit all the policy recipes. Meaning I think it makes the most sense to
> actually approach this as a virtual provider problem. If you're still
> willing to put together a prototype for this, I'm able to take a look at
> it in pretty short order.
I'll give it a go and see what I can come up with.
Regards,
Philip
>> Signed-off-by: Philip Tricca <flihp@twobit.us>
>> ---
>> .../packagegroups/packagegroup-selinux-minimal.bb | 3 +--
>> recipes-security/refpolicy/refpolicy_2.20130424.bb | 16 ++++++++++++++++
>> recipes-security/selinux/selinux-config_0.1.bb | 4 ++--
>> 3 files changed, 19 insertions(+), 4 deletions(-)
>> create mode 100644 recipes-security/refpolicy/refpolicy_2.20130424.bb
>>
>> diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
>> index 072320d..af29da1 100644
>> --- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
>> +++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
>> @@ -13,6 +13,5 @@ ALLOW_EMPTY_${PN} = "1"
>> RDEPENDS_${PN} = "\
>> policycoreutils-semodule \
>> policycoreutils-sestatus \
>> - selinux-config \
>> - refpolicy-mls \
>> + refpolicy \
>> "
>> diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.bb b/recipes-security/refpolicy/refpolicy_2.20130424.bb
>> new file mode 100644
>> index 0000000..f1fa2f8
>> --- /dev/null
>> +++ b/recipes-security/refpolicy/refpolicy_2.20130424.bb
>> @@ -0,0 +1,16 @@
>> +SUMMARY = "The SELinux reference policy."
>> +DESCRIPTION = "\
>> +This is the reference policy for the SELinux mandatory access control \
>> +system. There are 3 supported policy types: standard, MCS and MLS. The \
>> +standard policy is the most simple of the three providing the standard \
>> +type enforcement policy. The MCS policy adds an additional element to the \
>> +SELinux label called a category. Finally the MLS variant allows giving data \
>> +labels such as \"Top Secret\" and preventing such data from leaking to \
>> +processes or files with lower classification. \
>> +"
>> +
>> +PR = "r0"
>> +POLICY_TYPE ??= "mls"
>> +RDEPENDS_${PN} = "selinux-config"
>> +
>> +include refpolicy_${PV}.inc
>> diff --git a/recipes-security/selinux/selinux-config_0.1.bb b/recipes-security/selinux/selinux-config_0.1.bb
>> index 27d9995..066581e 100644
>> --- a/recipes-security/selinux/selinux-config_0.1.bb
>> +++ b/recipes-security/selinux/selinux-config_0.1.bb
>> @@ -1,4 +1,4 @@
>> -DEFAULT_POLICY = "mls"
>> +POLICY_TYPE ??= "mls"
>>
>> SUMMARY = "SELinux configuration"
>> DESCRIPTION = "\
>> @@ -45,7 +45,7 @@ SELINUX=enforcing
>> # SELINUXTYPE= can take one of these two values:
>> # standard - Standard Security protection.
>> # mls - Multi Level Security protection.
>> -SELINUXTYPE=${DEFAULT_POLICY}
>> +SELINUXTYPE=${POLICY_TYPE}
>> " > ${WORKDIR}/config
>> install -d ${D}/${sysconfdir}/selinux
>> install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/