CaROS/meta-selinux
3
0
Fork 0
mirror of git://git.yoctoproject.org/meta-selinux synced 2026-01-01 13:58:04 +00:00
Code Issues Packages Projects Releases Wiki Activity
05178ce178
meta-selinux/recipes-security/refpolicy/refpolicy_common.inc
Scott Murray 05178ce178 Adapt to UNPACKDIR changes 
Remove or update S definitions as required to work with oe-core
S/UNPACKDIR changes.  A default definition of S has been added to
selinux_common.inc to avoid duplication in the set of recipes that
use it to build packages from different subdirectories of the selinux
repo.  The three packagegroups test build successfully with these
changes.

Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2025-06-30 13:38:18 +08:00

266 lines
10 KiB
PHP
Raw Blame History

SECTION = "admin"
LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
PROVIDES = "virtual/refpolicy"
RPROVIDES:${PN} = "refpolicy"
# Specific config files for Poky
SRC_URI += "file://customizable_types \
file://setrans-mls.conf \
file://setrans-mcs.conf \
"
# Base patches applied to all Yocto-based platforms. Your own version of
# refpolicy should provide a version of these and place them in your own
# refpolicy-${PV} directory.
SRC_URI += " \
file://0001-fc-subs-volatile-alias-common-var-volatile-paths.patch \
file://0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch \
file://0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch \
file://0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch \
file://0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch \
file://0006-fc-login-apply-login-context-to-login.shadow.patch \
file://0007-fc-hwclock-add-hwclock-alternatives.patch \
file://0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch \
file://0009-fc-ssh-apply-policy-to-ssh-alternatives.patch \
file://0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch \
file://0011-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch \
file://0012-fc-su-apply-policy-to-su-alternatives.patch \
file://0013-fc-fstools-fix-real-path-for-fstools.patch \
file://0014-fc-init-fix-update-alternatives-for-sysvinit.patch \
file://0015-fc-brctl-apply-policy-to-brctl-alternatives.patch \
file://0016-fc-corecommands-apply-policy-to-nologin-alternatives.patch \
file://0017-fc-locallogin-apply-policy-to-sulogin-alternatives.patch \
file://0018-fc-ntp-apply-policy-to-ntpd-alternatives.patch \
file://0019-fc-kerberos-apply-policy-to-kerberos-alternatives.patch \
file://0020-fc-ldap-apply-policy-to-ldap-alternatives.patch \
file://0021-fc-postgresql-apply-policy-to-postgresql-alternative.patch \
file://0022-fc-screen-apply-policy-to-screen-alternatives.patch \
file://0023-fc-usermanage-apply-policy-to-usermanage-alternative.patch \
file://0024-fc-getty-add-file-context-to-start_getty.patch \
file://0025-fc-vlock-apply-policy-to-vlock-alternatives.patch \
file://0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch \
file://0027-file_contexts.subs_dist-set-aliase-for-root-director.patch \
file://0028-policy-modules-system-logging-add-rules-for-the-syml.patch \
file://0029-policy-modules-system-logging-add-rules-for-syslogd-.patch \
file://0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch \
file://0031-policy-modules-system-logging-fix-auditd-startup-fai.patch \
file://0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \
file://0033-policy-modules-system-systemd-enable-support-for-sys.patch \
file://0034-policy-modules-system-logging-allow-systemd-tmpfiles.patch \
file://0035-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch \
file://0036-policy-modules-system-systemd-systemd-user-fixes.patch \
file://0037-policy-modules-system-logging-grant-getpcap-capabili.patch \
file://0038-policy-modules-system-allow-services-to-read-tmpfs-u.patch \
file://0039-policy-modules-kernel-domain-allow-all-domains-to-co.patch \
file://0040-systemd-allow-systemd-logind-to-inherit-fds.patch \
file://0041-systemd-allow-systemd-tmpfiles-to-read-bin_t-symlink.patch \
file://0042-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \
file://0043-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \
file://0044-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch \
file://0045-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch \
file://0046-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
file://0047-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
file://0048-policy-modules-system-systemd-make-systemd-tmpfiles_.patch \
file://0049-policy-modules-system-systemd-systemd-make-systemd_-.patch \
file://0050-policy-modules-system-logging-add-the-syslogd_t-to-t.patch \
file://0051-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
file://0052-policy-modules-system-init-all-init_t-to-read-any-le.patch \
file://0053-policy-modules-system-logging-allow-auditd_t-to-writ.patch \
file://0054-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
file://0055-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
file://0056-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
file://0057-policy-modules-system-logging-make-syslogd_runtime_t.patch \
"
S = "${UNPACKDIR}/refpolicy"
CONFFILES:${PN} = "${sysconfdir}/selinux/config"
FILES:${PN} += " \
${sysconfdir}/selinux/${POLICY_NAME}/ \
${datadir}/selinux/${POLICY_NAME}/*.pp \
${localstatedir}/lib/selinux/${POLICY_NAME}/ \
"
FILES:${PN}-dev =+ " \
${datadir}/selinux/${POLICY_NAME}/include/ \
${sysconfdir}/selinux/sepolgen.conf \
"
EXTRANATIVEPATH += "bzip2-native"
DEPENDS = "bzip2-replacement-native checkpolicy-native policycoreutils-native semodule-utils-native m4-native"
RDEPENDS:${PN}-dev = " \
python3-core \
"
PACKAGE_ARCH = "${MACHINE_ARCH}"
inherit python3native
PARALLEL_MAKE = ""
DEFAULT_ENFORCING ??= "enforcing"
POLICY_NAME ?= "${POLICY_TYPE}"
POLICY_DISTRO ?= "debian"
POLICY_UBAC ?= "n"
POLICY_UNK_PERMS ?= "allow"
POLICY_DIRECT_INITRC ?= "y"
POLICY_SYSTEMD ?= "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'y', 'n', d)}"
POLICY_MONOLITHIC ?= "n"
POLICY_CUSTOM_BUILDOPT ?= ""
POLICY_QUIET ?= "y"
POLICY_MLS_SENS ?= "16"
POLICY_MLS_CATS ?= "1024"
POLICY_MCS_CATS ?= "1024"
EXTRA_OEMAKE = "NAME=${POLICY_NAME} \
TYPE=${POLICY_TYPE} \
DISTRO=${POLICY_DISTRO} \
UBAC=${POLICY_UBAC} \
UNK_PERMS=${POLICY_UNK_PERMS} \
DIRECT_INITRC=${POLICY_DIRECT_INITRC} \
SYSTEMD=${POLICY_SYSTEMD} \
MONOLITHIC=${POLICY_MONOLITHIC} \
CUSTOM_BUILDOPT=${POLICY_CUSTOM_BUILDOPT} \
QUIET=${POLICY_QUIET} \
MLS_SENS=${POLICY_MLS_SENS} \
MLS_CATS=${POLICY_MLS_CATS} \
MCS_CATS=${POLICY_MCS_CATS}"
EXTRA_OEMAKE += "tc_usrbindir=${STAGING_BINDIR_NATIVE}"
EXTRA_OEMAKE += "OUTPUT_POLICY=`${STAGING_BINDIR_NATIVE}/checkpolicy -V | cut -d' ' -f1`"
EXTRA_OEMAKE += "CC='${BUILD_CC}' CFLAGS='${BUILD_CFLAGS}' PYTHON='${PYTHON}'"
python __anonymous() {
import re
# Make sure DEFAULT_ENFORCING is something sane
if not re.match('^(enforcing|permissive|disabled)$',
d.getVar('DEFAULT_ENFORCING'),
flags=0):
d.setVar('DEFAULT_ENFORCING', 'permissive')
}
disable_policy_modules() {
for module in ${PURGE_POLICY_MODULES} ; do
sed -i "s/^\(\<${module}\>\) *= *.*$/\1 = off/" ${S}/policy/modules.conf
done
}
do_compile() {
if [ -f "${WORKDIR}/modules.conf" ] ; then
cp -f ${WORKDIR}/modules.conf ${S}/policy/modules.conf
fi
oe_runmake conf
disable_policy_modules
oe_runmake policy
}
prepare_policy_store() {
oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
POL_PRIORITY=100
POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
# Prepare to create policy store
mkdir -p ${POL_STORE}
mkdir -p ${POL_ACTIVE_MODS}
# Get hll type from suffix on base policy module
HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
for i in ${POL_SRC}/*.${HLL_TYPE}; do
MOD_NAME=$(basename $i | sed "s/\.${HLL_TYPE}$//")
MOD_DIR=${POL_ACTIVE_MODS}/${MOD_NAME}
mkdir -p ${MOD_DIR}
echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
if ! bzip2 -t $i >/dev/null 2>&1; then
${HLL_BIN} $i | bzip2 --stdout > ${MOD_DIR}/cil
bzip2 -f $i && mv -f $i.bz2 $i
else
bunzip2 --stdout $i | \
${HLL_BIN} | \
bzip2 --stdout > ${MOD_DIR}/cil
fi
cp $i ${MOD_DIR}/hll
done
}
rebuild_policy() {
cat <<-EOF > ${D}${sysconfdir}/selinux/semanage.conf
module-store = direct
[setfiles]
path = ${STAGING_DIR_NATIVE}${base_sbindir_native}/setfiles
args = -q -c \$@ \$<
[end]
[sefcontext_compile]
path = ${STAGING_DIR_NATIVE}${sbindir_native}/sefcontext_compile
args = \$@
[end]
policy-version = 33
EOF
# Create policy store and build the policy
semodule -p ${D} -s ${POLICY_NAME} -n -B
rm -f ${D}${sysconfdir}/selinux/semanage.conf
# No need to leave final dir created by semanage laying around
rm -rf ${D}${localstatedir}/lib/selinux/final
}
install_misc_files() {
cat ${UNPACKDIR}/customizable_types >> \
${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/customizable_types
# Install setrans.conf for mls/mcs policy
if [ -f ${UNPACKDIR}/setrans-${POLICY_TYPE}.conf ]; then
install -m 0644 ${UNPACKDIR}/setrans-${POLICY_TYPE}.conf \
${D}${sysconfdir}/selinux/${POLICY_NAME}/setrans.conf
fi
# Install policy headers
oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install-headers
}
install_config() {
echo "\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=${DEFAULT_ENFORCING}
# SELINUXTYPE= can take one of these values:
# minimum - Minimum Security protection.
# standard - Standard Security protection.
# mls - Multi Level Security protection.
# targeted - Targeted processes are protected.
# mcs - Multi Category Security protection.
SELINUXTYPE=${POLICY_NAME}
" > ${WORKDIR}/config
install -d ${D}/${sysconfdir}/selinux
install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
}
do_install() {
prepare_policy_store
rebuild_policy
install_misc_files
install_config
}
do_install:append() {
# While building policies on target, Makefile will be searched from SELINUX_DEVEL_PATH
echo "SELINUX_DEVEL_PATH=${datadir}/selinux/${POLICY_NAME}/include" > ${D}${sysconfdir}/selinux/sepolgen.conf
}
sysroot_stage_all:append() {
sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
}
Reference in New Issue View Git Blame Copy Permalink