* [meta-selinux][RFC] refpolicy: Add generic refpolicy recipe with configurable policy type.
From: Philip Tricca @ 2013-11-13 5:22 UTC
To: yocto
This RFC is a significant departure from the way the policy packages are
currently set up. The noteworthy differences are:
1) the POLICY_TYPE variable can be set as configuration outside the policy recipe
2) a single refpolicy recipe can be used to build all 3 policy types
3) DEFAULT_POLICY from selinux-config can be set outside the config recipe
4) refpolicy depends on the config and sets the DEFAULT_POLICY accordingly
This approach was taken to allow the use of a policy type beyond MLS. I've
left the other refpolicy-* recipes intact but if this approach is acceptable
they could be removed if we're willing to accept the limitation that only
one policy may be installed on a given image. If this limitation isn't
acceptable then they can be left as is.
Comments and input would be appreciated.
Cheers,
- Philip
Signed-off-by: Philip Tricca <flihp@twobit.us>
---
.../packagegroups/packagegroup-selinux-minimal.bb | 3 +--
recipes-security/refpolicy/refpolicy_2.20130424.bb | 19 +++++++++++++++++++
recipes-security/selinux/selinux-config_0.1.bb | 2 +-
3 files changed, 21 insertions(+), 3 deletions(-)
create mode 100644 recipes-security/refpolicy/refpolicy_2.20130424.bb
diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
index 072320d..af29da1 100644
--- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
+++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
@@ -13,6 +13,5 @@ ALLOW_EMPTY_${PN} = "1"
RDEPENDS_${PN} = "\
policycoreutils-semodule \
policycoreutils-sestatus \
- selinux-config \
- refpolicy-mls \
+ refpolicy \
"
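Review bot: dropping `selinux-config \` from RDEPENDS_${PN} in this hunk leaves the packagegroup's dependency on the config package purely transitive, reachable only through the new refpolicy recipe's `RDEPENDS_${PN} = "selinux-config"`. The policy and the config are both needed at runtime, so consider keeping `selinux-config \` listed here explicitly; then the dependency survives if the refpolicy recipe is ever swapped for a different provider or stops pulling the config in. Note also that `refpolicy-mls` still exists as a recipe after this series, so an image that lists it alongside `refpolicy` would install two policies, which the cover letter says is not supported.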
diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.bb b/recipes-security/refpolicy/refpolicy_2.20130424.bb
new file mode 100644
index 0000000..c00aca3
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy_2.20130424.bb
@@ -0,0 +1,19 @@
+SUMMARY = "The SELinux reference policy."
+DESCRIPTION = "\
+This is the reference policy for the SELinux mandatory access control \
+system. There are 3 supported policy types: standard, MCS and MLS. The \
+standard policy is the most simple of the three providing the standard \
+type enforcement policy. The MCS policy adds an additional element to the \
+SELinux label called a category. Finally the MLS variant allows giving data \
+labels such as \"Top Secret\" and preventing such data from leaking to \
+processes or files with lower classification. \
+"
+
+PR = "r0"
+
+POLICY_TYPE ??= "mls"
+DEFAULT_POLICY = "${POLICY_TYPE}"
+
+RDEPENDS_${PN} = "selinux-config"
+
+include refpolicy_${PV}.inc
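Review bot: `DEFAULT_POLICY = "${POLICY_TYPE}"` in this recipe only sets the variable in refpolicy's own datastore; BitBake parses each recipe separately, so the assignment never reaches selinux-config, and point (4) of the cover letter ("sets the DEFAULT_POLICY accordingly") only holds when both POLICY_TYPE and DEFAULT_POLICY are set together in a global conf (distro.conf or local.conf). Either document that requirement or give selinux-config a matching weak default (`POLICY_TYPE ??= "mls"` plus `DEFAULT_POLICY ??= "${POLICY_TYPE}"`) so that one setting drives both recipes. Two smaller points: nothing checks that POLICY_TYPE is one of the three values the DESCRIPTION advertises (standard, mcs, mls), so a typo would only surface later in the build rather than at parse time; and `include refpolicy_${PV}.inc` silently does nothing if the file is missing, whereas `require refpolicy_${PV}.inc` would make that a hard parse error.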
diff --git a/recipes-security/selinux/selinux-config_0.1.bb b/recipes-security/selinux/selinux-config_0.1.bb
index 27d9995..293218e 100644
--- a/recipes-security/selinux/selinux-config_0.1.bb
+++ b/recipes-security/selinux/selinux-config_0.1.bb
@@ -1,4 +1,4 @@
-DEFAULT_POLICY = "mls"
+DEFAULT_POLICY ??= "mls"
SUMMARY = "SELinux configuration"
DESCRIPTION = "\
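Review bot: changing `DEFAULT_POLICY = "mls"` to `DEFAULT_POLICY ??= "mls"` is the right weak default for a conf-level override, but it also means selinux-config and refpolicy now each default to "mls" independently: a POLICY_TYPE override without a matching DEFAULT_POLICY override leaves the configured default naming a policy that is not installed on the image. A parse-time check in this recipe that DEFAULT_POLICY is one of standard/mcs/mls (for example a `bb.fatal` in an anonymous python block) would catch that mismatch and plain typos before the image is built.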
--
1.7.10.4
* Re: [meta-selinux][RFC] refpolicy: Add generic refpolicy recipe with configurable policy type.
From: Philip Tricca @ 2013-11-13 17:22 UTC
To: yocto@yoctoproject.org
This requires a few tweaks before it will work as advertised. I had a
variable set in a distro.conf that interfered. I'll send out a v2 in a bit.
- Philip
On 11/13/2013 12:22 AM, Philip Tricca wrote:
> This RFC is a significant departure from the way the policy packages are
> currently set up. The noteworthy differences are:
> 1) the POLICY_TYPE variable can be set as configuration outside the policy recipe
> 2) a single refpolicy recipe can be used to build all 3 policy types
> 3) DEFAULT_POLICY from selinux-config can be set outside the config recipe
> 4) refpolicy depends on the config and sets the DEFAULT_POLICY accordingly
>
> This approach was taken to allow the use of a policy type beyond MLS. I've
> left the other refpolicy-* recipes intact but if this approach is acceptable
> they could be removed if we're willing to accept the limitation that only
> one policy may be installed on a given image. If this limitation isn't
> acceptable then they can be left as is.
>
> Comments and input would be appreciated.
>
> Cheers,
> - Philip
>
> Signed-off-by: Philip Tricca <flihp@twobit.us>
> ---
> .../packagegroups/packagegroup-selinux-minimal.bb | 3 +--
> recipes-security/refpolicy/refpolicy_2.20130424.bb | 19 +++++++++++++++++++
> recipes-security/selinux/selinux-config_0.1.bb | 2 +-
> 3 files changed, 21 insertions(+), 3 deletions(-)
> create mode 100644 recipes-security/refpolicy/refpolicy_2.20130424.bb
>
> diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
> index 072320d..af29da1 100644
> --- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
> +++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
> @@ -13,6 +13,5 @@ ALLOW_EMPTY_${PN} = "1"
> RDEPENDS_${PN} = "\
> policycoreutils-semodule \
> policycoreutils-sestatus \
> - selinux-config \
> - refpolicy-mls \
> + refpolicy \
> "
> diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.bb b/recipes-security/refpolicy/refpolicy_2.20130424.bb
> new file mode 100644
> index 0000000..c00aca3
> --- /dev/null
> +++ b/recipes-security/refpolicy/refpolicy_2.20130424.bb
> @@ -0,0 +1,19 @@
> +SUMMARY = "The SELinux reference policy."
> +DESCRIPTION = "\
> +This is the reference policy for the SELinux mandatory access control \
> +system. There are 3 supported policy types: standard, MCS and MLS. The \
> +standard policy is the most simple of the three providing the standard \
> +type enforcement policy. The MCS policy adds an additional element to the \
> +SELinux label called a category. Finally the MLS variant allows giving data \
> +labels such as \"Top Secret\" and preventing such data from leaking to \
> +processes or files with lower classification. \
> +"
> +
> +PR = "r0"
> +
> +POLICY_TYPE ??= "mls"
> +DEFAULT_POLICY = "${POLICY_TYPE}"
> +
> +RDEPENDS_${PN} = "selinux-config"
> +
> +include refpolicy_${PV}.inc
> diff --git a/recipes-security/selinux/selinux-config_0.1.bb b/recipes-security/selinux/selinux-config_0.1.bb
> index 27d9995..293218e 100644
> --- a/recipes-security/selinux/selinux-config_0.1.bb
> +++ b/recipes-security/selinux/selinux-config_0.1.bb
> @@ -1,4 +1,4 @@
> -DEFAULT_POLICY = "mls"
> +DEFAULT_POLICY ??= "mls"
>
> SUMMARY = "SELinux configuration"
> DESCRIPTION = "\
>