CaROS/meta-selinux
3
0
Fork 0
mirror of git://git.yoctoproject.org/meta-selinux synced 2026-01-01 13:58:04 +00:00
Code Issues Packages Projects Releases Wiki Activity
deb7559be4
meta-selinux/recipes-security/refpolicy/refpolicy_common.inc
Clayton Casciato deb7559be4 refpolicy: locallogin - allow sulogin_t user_tty_device_t rw 
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2025-04-30 10:12:01 +08:00

274 lines
11 KiB
PHP
Raw Blame History

SECTION = "admin"
LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=393a5ca445f6965873eca0259a17f833"
PROVIDES = "virtual/refpolicy"
RPROVIDES:${PN} = "refpolicy"
# Specific config files for Poky
SRC_URI += "file://customizable_types \
file://setrans-mls.conf \
file://setrans-mcs.conf \
"
# Base patches applied to all Yocto-based platforms. Your own version of
# refpolicy should provide a version of these and place them in your own
# refpolicy-${PV} directory.
SRC_URI += " \
file://0001-fc-subs-volatile-alias-common-var-volatile-paths.patch \
file://0002-fc-subs-busybox-set-aliases-for-bin-sbin-and-usr.patch \
file://0003-fc-hostname-apply-policy-to-common-yocto-hostname-al.patch \
file://0004-fc-bash-apply-usr-bin-bash-context-to-bin-bash.bash.patch \
file://0005-fc-resolv.conf-label-resolv.conf-in-var-run-properly.patch \
file://0006-fc-login-apply-login-context-to-login.shadow.patch \
file://0007-fc-hwclock-add-hwclock-alternatives.patch \
file://0008-fc-dmesg-apply-policy-to-dmesg-alternatives.patch \
file://0009-fc-ssh-apply-policy-to-ssh-alternatives.patch \
file://0010-fc-sysnetwork-apply-policy-to-network-commands-alter.patch \
file://0011-fc-rpm-apply-rpm_exec-policy-to-cpio-binaries.patch \
file://0012-fc-su-apply-policy-to-su-alternatives.patch \
file://0013-fc-fstools-fix-real-path-for-fstools.patch \
file://0014-fc-init-fix-update-alternatives-for-sysvinit.patch \
file://0015-fc-brctl-apply-policy-to-brctl-alternatives.patch \
file://0016-fc-corecommands-apply-policy-to-nologin-alternatives.patch \
file://0017-fc-locallogin-apply-policy-to-sulogin-alternatives.patch \
file://0018-fc-ntp-apply-policy-to-ntpd-alternatives.patch \
file://0019-fc-kerberos-apply-policy-to-kerberos-alternatives.patch \
file://0020-fc-ldap-apply-policy-to-ldap-alternatives.patch \
file://0021-fc-postgresql-apply-policy-to-postgresql-alternative.patch \
file://0022-fc-screen-apply-policy-to-screen-alternatives.patch \
file://0023-fc-usermanage-apply-policy-to-usermanage-alternative.patch \
file://0024-fc-getty-add-file-context-to-start_getty.patch \
file://0025-fc-vlock-apply-policy-to-vlock-alternatives.patch \
file://0026-fc-add-fcontext-for-init-scripts-and-systemd-service.patch \
file://0027-file_contexts.subs_dist-set-aliase-for-root-director.patch \
file://0028-policy-modules-system-logging-add-rules-for-the-syml.patch \
file://0029-policy-modules-system-logging-add-rules-for-syslogd-.patch \
file://0030-policy-modules-kernel-files-add-rules-for-the-symlin.patch \
file://0031-policy-modules-system-logging-fix-auditd-startup-fai.patch \
file://0032-policy-modules-kernel-terminal-don-t-audit-tty_devic.patch \
file://0033-policy-modules-system-systemd-enable-support-for-sys.patch \
file://0034-policy-modules-system-logging-allow-systemd-tmpfiles.patch \
file://0035-policy-modules-system-systemd-allow-systemd_logind_t.patch \
file://0036-policy-modules-roles-sysadm-allow-sysadm-to-use-init.patch \
file://0037-policy-modules-system-systemd-systemd-user-fixes.patch \
file://0038-policy-modules-system-logging-grant-getpcap-capabili.patch \
file://0039-policy-modules-system-allow-services-to-read-tmpfs-u.patch \
file://0040-policy-modules-kernel-domain-allow-all-domains-to-co.patch \
file://0041-policy-modules-system-mount-make-mount_t-domain-MLS-.patch \
file://0042-policy-modules-roles-sysadm-MLS-sysadm-rw-to-clearan.patch \
file://0043-policy-modules-services-rpc-make-nfsd_t-domain-MLS-t.patch \
file://0044-policy-modules-admin-dmesg-make-dmesg_t-MLS-trusted-.patch \
file://0045-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
file://0046-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
file://0047-policy-modules-system-systemd-make-systemd-tmpfiles_.patch \
file://0048-policy-modules-system-systemd-systemd-make-systemd_-.patch \
file://0049-policy-modules-system-logging-add-the-syslogd_t-to-t.patch \
file://0050-policy-modules-system-init-make-init_t-MLS-trusted-f.patch \
file://0051-policy-modules-system-init-all-init_t-to-read-any-le.patch \
file://0052-policy-modules-system-logging-allow-auditd_t-to-writ.patch \
file://0053-policy-modules-kernel-kernel-make-kernel_t-MLS-trust.patch \
file://0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
file://0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
file://0056-policy-modules-system-logging-make-syslogd_runtime_t.patch \
file://0057-policy-modules-system-authlogin-chkpwd_t-dac_read_se.patch \
file://0058-policy-modules-services-chronyd-allow_dac_read_searc.patch \
file://0059-policy-modules-system-unconfined-fix-oddjob-security.patch \
file://0060-policy-modules-services-firewalld-fix-lib_t-python_c.patch \
file://0061-policy-modules-services-firewalld-fix-firewalld_t-fi.patch \
file://0062-policy-modules-multiple-filetrans-run_machine_id-etc.patch \
file://0063-policy-modules-system-locallogin-dontaudit-sulogin_t.patch \
file://0064-policy-modules-system-locallogin-allow-sulogin_t-unc.patch \
file://0065-policy-modules-system-locallogin-allow-sulogin_t-use.patch \
"
S = "${WORKDIR}/refpolicy"
CONFFILES:${PN} = "${sysconfdir}/selinux/config"
FILES:${PN} += " \
${sysconfdir}/selinux/${POLICY_NAME}/ \
${datadir}/selinux/${POLICY_NAME}/*.pp \
${localstatedir}/lib/selinux/${POLICY_NAME}/ \
"
FILES:${PN}-dev =+ " \
${datadir}/selinux/${POLICY_NAME}/include/ \
${sysconfdir}/selinux/sepolgen.conf \
"
EXTRANATIVEPATH += "bzip2-native"
DEPENDS = "bzip2-replacement-native checkpolicy-native policycoreutils-native semodule-utils-native m4-native"
RDEPENDS:${PN}-dev = " \
python3-core \
"
PACKAGE_ARCH = "${MACHINE_ARCH}"
inherit python3native
PARALLEL_MAKE = ""
DEFAULT_ENFORCING ??= "enforcing"
POLICY_NAME ?= "${POLICY_TYPE}"
POLICY_DISTRO ?= "debian"
POLICY_UBAC ?= "n"
POLICY_UNK_PERMS ?= "allow"
POLICY_DIRECT_INITRC ?= "y"
POLICY_SYSTEMD ?= "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'y', 'n', d)}"
POLICY_MONOLITHIC ?= "n"
POLICY_CUSTOM_BUILDOPT ?= ""
POLICY_QUIET ?= "y"
POLICY_MLS_SENS ?= "16"
POLICY_MLS_CATS ?= "1024"
POLICY_MCS_CATS ?= "1024"
EXTRA_OEMAKE = "NAME=${POLICY_NAME} \
TYPE=${POLICY_TYPE} \
DISTRO=${POLICY_DISTRO} \
UBAC=${POLICY_UBAC} \
UNK_PERMS=${POLICY_UNK_PERMS} \
DIRECT_INITRC=${POLICY_DIRECT_INITRC} \
SYSTEMD=${POLICY_SYSTEMD} \
MONOLITHIC=${POLICY_MONOLITHIC} \
CUSTOM_BUILDOPT=${POLICY_CUSTOM_BUILDOPT} \
QUIET=${POLICY_QUIET} \
MLS_SENS=${POLICY_MLS_SENS} \
MLS_CATS=${POLICY_MLS_CATS} \
MCS_CATS=${POLICY_MCS_CATS}"
EXTRA_OEMAKE += "tc_usrbindir=${STAGING_BINDIR_NATIVE}"
EXTRA_OEMAKE += "OUTPUT_POLICY=`${STAGING_BINDIR_NATIVE}/checkpolicy -V | cut -d' ' -f1`"
EXTRA_OEMAKE += "CC='${BUILD_CC}' CFLAGS='${BUILD_CFLAGS}' PYTHON='${PYTHON}'"
python __anonymous() {
import re
# Make sure DEFAULT_ENFORCING is something sane
if not re.match('^(enforcing|permissive|disabled)$',
d.getVar('DEFAULT_ENFORCING'),
flags=0):
d.setVar('DEFAULT_ENFORCING', 'permissive')
}
disable_policy_modules() {
for module in ${PURGE_POLICY_MODULES} ; do
sed -i "s/^\(\<${module}\>\) *= *.*$/\1 = off/" ${S}/policy/modules.conf
done
}
do_compile() {
if [ -f "${WORKDIR}/modules.conf" ] ; then
cp -f ${WORKDIR}/modules.conf ${S}/policy/modules.conf
fi
oe_runmake conf
disable_policy_modules
oe_runmake policy
}
prepare_policy_store() {
oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
POL_PRIORITY=100
POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}
# Prepare to create policy store
mkdir -p ${POL_STORE}
mkdir -p ${POL_ACTIVE_MODS}
# Get hll type from suffix on base policy module
HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}
for i in ${POL_SRC}/*.${HLL_TYPE}; do
MOD_NAME=$(basename $i | sed "s/\.${HLL_TYPE}$//")
MOD_DIR=${POL_ACTIVE_MODS}/${MOD_NAME}
mkdir -p ${MOD_DIR}
echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext
if ! bzip2 -t $i >/dev/null 2>&1; then
${HLL_BIN} $i | bzip2 --stdout > ${MOD_DIR}/cil
bzip2 -f $i && mv -f $i.bz2 $i
else
bunzip2 --stdout $i | \
${HLL_BIN} | \
bzip2 --stdout > ${MOD_DIR}/cil
fi
cp $i ${MOD_DIR}/hll
done
}
rebuild_policy() {
cat <<-EOF > ${D}${sysconfdir}/selinux/semanage.conf
module-store = direct
[setfiles]
path = ${STAGING_DIR_NATIVE}${base_sbindir_native}/setfiles
args = -q -c \$@ \$<
[end]
[sefcontext_compile]
path = ${STAGING_DIR_NATIVE}${sbindir_native}/sefcontext_compile
args = \$@
[end]
policy-version = 33
EOF
# Create policy store and build the policy
semodule -p ${D} -s ${POLICY_NAME} -n -B
rm -f ${D}${sysconfdir}/selinux/semanage.conf
# No need to leave final dir created by semanage laying around
rm -rf ${D}${localstatedir}/lib/selinux/final
}
install_misc_files() {
cat ${UNPACKDIR}/customizable_types >> \
${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/customizable_types
# Install setrans.conf for mls/mcs policy
if [ -f ${UNPACKDIR}/setrans-${POLICY_TYPE}.conf ]; then
install -m 0644 ${UNPACKDIR}/setrans-${POLICY_TYPE}.conf \
${D}${sysconfdir}/selinux/${POLICY_NAME}/setrans.conf
fi
# Install policy headers
oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install-headers
}
install_config() {
echo "\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=${DEFAULT_ENFORCING}
# SELINUXTYPE= can take one of these values:
# minimum - Minimum Security protection.
# standard - Standard Security protection.
# mls - Multi Level Security protection.
# targeted - Targeted processes are protected.
# mcs - Multi Category Security protection.
SELINUXTYPE=${POLICY_NAME}
" > ${WORKDIR}/config
install -d ${D}/${sysconfdir}/selinux
install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
}
do_install() {
prepare_policy_store
rebuild_policy
install_misc_files
install_config
}
do_install:append() {
# While building policies on target, Makefile will be searched from SELINUX_DEVEL_PATH
echo "SELINUX_DEVEL_PATH=${datadir}/selinux/${POLICY_NAME}/include" > ${D}${sysconfdir}/selinux/sepolgen.conf
}
sysroot_stage_all:append() {
sysroot_stage_dir ${D}${sysconfdir} ${SYSROOT_DESTDIR}${sysconfdir}
}
Reference in New Issue View Git Blame Copy Permalink