From: Philip Tricca <flihp@twobit.us>
To: "yocto@yoctoproject.org" <yocto@yoctoproject.org>
Subject: Re: [meta-selinux][RFC] refpolicy: Add generic refpolicy recipe with configurable policy type.
Date: Wed, 13 Nov 2013 12:22:51 -0500
Message-ID: <5283B56B.4040305@twobit.us>
In-Reply-To: <1384320159-1000-1-git-send-email-flihp@twobit.us>

This requires a few tweaks before it will work as advertised. I had a
variable set in a distro.conf that interfered. I'll send out a v2 in a bit.

- Philip

On 11/13/2013 12:22 AM, Philip Tricca wrote:
> This RFC is a significant departure from the way the policy packages are
> currently set up. The noteworthy differences are:
> 1) the POLICY_TYPE variable can be set as configuration outside the policy recipe
> 2) a single refpolicy recipe can be used to build all 3 policy types
> 3) DEFAULT_POLICY from selinux-config can be set outside the config recipe
> 4) refpolicy depends on the config and sets the DEFAULT_POLICY accordingly
> 
> This approach was taken to allow the use of a policy type beyond MLS. I've
> left the other refpolicy-* recipes intact but if this approach is acceptable
> they could be removed if we're willing to accept the limitation that only
> one policy may be installed on a given image. If this limitation isn't
> acceptable then they can be left as is.
> 
> Comments and input would be appreciated.
> 
> Cheers,
> - Philip
> 
> Signed-off-by: Philip Tricca <flihp@twobit.us>
> ---
>  .../packagegroups/packagegroup-selinux-minimal.bb   |    3 +--
>  recipes-security/refpolicy/refpolicy_2.20130424.bb  |   19 +++++++++++++++++++
>  recipes-security/selinux/selinux-config_0.1.bb      |    2 +-
>  3 files changed, 21 insertions(+), 3 deletions(-)
>  create mode 100644 recipes-security/refpolicy/refpolicy_2.20130424.bb
> 
> diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
> index 072320d..af29da1 100644
> --- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
> +++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
> @@ -13,6 +13,5 @@ ALLOW_EMPTY_${PN} = "1"
>  RDEPENDS_${PN} = "\
>  	policycoreutils-semodule \
>  	policycoreutils-sestatus \
> -	selinux-config \
> -	refpolicy-mls \
> +	refpolicy \
>  "
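
Review bot: Dropping `selinux-config` from `RDEPENDS_${PN}` makes the packagegroup rely on the policy recipe to pull the config in transitively. The new `refpolicy` recipe does that with `RDEPENDS_${PN} = "selinux-config"`, but the cover letter leaves the existing refpolicy-* recipes in place and nothing in this patch shows that they carry the same dependency, so swapping `refpolicy` for one of them later could leave the image without a config. Keeping `selinux-config \` in this list alongside `refpolicy \` makes the requirement explicit at no cost.
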
> diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.bb b/recipes-security/refpolicy/refpolicy_2.20130424.bb
> new file mode 100644
> index 0000000..c00aca3
> --- /dev/null
> +++ b/recipes-security/refpolicy/refpolicy_2.20130424.bb
> @@ -0,0 +1,19 @@
> +SUMMARY = "The SELinux reference policy."
> +DESCRIPTION = "\
> +This is the reference policy for the SELinux mandatory access control \
> +system. There are 3 supported policy types: standard, MCS and MLS. The \
> +standard policy is the most simple of the three providing the standard \
> +type enforcement policy. The MCS policy adds an additional element to the \
> +SELinux label called a category. Finally the MLS variant allows giving data \
> +labels such as \"Top Secret\" and preventing such data from leaking to \
> +processes or files with lower classification. \
> +"
> +
> +PR = "r0"
> +
> +POLICY_TYPE ??= "mls"
> +DEFAULT_POLICY = "${POLICY_TYPE}"
> +
> +RDEPENDS_${PN} = "selinux-config"
> +
> +include refpolicy_${PV}.inc
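
Review bot: `DEFAULT_POLICY = "${POLICY_TYPE}"` in this recipe does not reach selinux-config. BitBake parses each recipe into its own datastore, so this assignment is visible only to refpolicy, and `RDEPENDS_${PN} = "selinux-config"` adds a runtime package dependency without passing any variables. selinux-config will still fall back to its own `??=` default of "mls" unless DEFAULT_POLICY is also set in global configuration, so setting only POLICY_TYPE can produce an image whose config names a policy type other than the one installed. Suggest defining one variable in distro or local configuration that both recipes read, and dropping the assignment here. Separately, `include` silently skips a missing file; `require refpolicy_${PV}.inc` would fail the parse instead.
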
> diff --git a/recipes-security/selinux/selinux-config_0.1.bb b/recipes-security/selinux/selinux-config_0.1.bb
> index 27d9995..293218e 100644
> --- a/recipes-security/selinux/selinux-config_0.1.bb
> +++ b/recipes-security/selinux/selinux-config_0.1.bb
> @@ -1,4 +1,4 @@
> -DEFAULT_POLICY = "mls"
> +DEFAULT_POLICY ??= "mls"
>  
>  SUMMARY = "SELinux configuration"
>  DESCRIPTION = "\
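
Review bot: The changed line `DEFAULT_POLICY ??= "mls"` needs a comment saying where it is meant to be overridden and which values are accepted. `??=` is the weakest form of default, so any assignment in a conf file or bbappend replaces it, and nothing in this hunk ties the result to the POLICY_TYPE used by the refpolicy recipe or rejects an unsupported string. Suggest documenting the accepted values next to this line and adding a parse-time check that fails the build when DEFAULT_POLICY is not one of them.
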
> 


