d-two/operating-system
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
382a3cc7bee737d061363ceb287d4619abcc56fd
operating-system/buildroot/package/refpolicy/Config.in
Stefan Agner a0871be6c0 Bump buildroot to 2020.11-rc1 (#985) 
* Update buildroot-patches for 2020.11-rc1 buildroot

* Update buildroot to 2020.11-rc1

Signed-off-by: Stefan Agner <stefan@agner.ch>

* Don't rely on sfdisk --list-free output

The --list-free (-F) argument does not allow machine readable mode. And
it seems that the output format changes over time (different spacing,
using size postfixes instead of raw blocks).

Use sfdisk json output and calculate free partition space ourselfs. This
works for 2.35 and 2.36 and is more robust since we rely on output which
is meant for scripts to parse.

* Migrate defconfigs for Buildroot 2020.11-rc1

In particular, rename BR2_TARGET_UBOOT_BOOT_SCRIPT(_SOURCE) to
BR2_PACKAGE_HOST_UBOOT_TOOLS_BOOT_SCRIPT(_SOURCE).

* Rebase/remove systemd patches for systemd 246

* Drop apparmor/libapparmor from buildroot-external

* hassos-persists: use /run as directory for lockfiles

The U-Boot tools use /var/lock by default which is not created any more
by systemd by default (it is under tmpfiles legacy.conf, which we no
longer install).

* Disable systemd-update-done.service

The service is not suited for pure read-only systems. In particular the
service needs to be able to write a file in /etc and /var. Remove the
service. Note: This is a static service and cannot be removed using
systemd-preset.

* Disable apparmor.service for now

The service loads all default profiles. Some might actually cause
problems. E.g. the profile for ping seems not to match our setup for
/etc/resolv.conf:
[85503.634653] audit: type=1400 audit(1605286002.684:236): apparmor="DENIED" operation="open" profile="ping" name="/run/resolv.conf" pid=27585 comm="ping" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2020-11-13 18:25:44 +01:00

118 lines
3.6 KiB
Plaintext
Raw Blame History

config BR2_PACKAGE_REFPOLICY
bool "refpolicy"
depends on BR2_TOOLCHAIN_HAS_THREADS # libsepol
# Even though libsepol is not necessary for building, we get
# the policy version from libsepol, so we select it, and treat
# it like a runtime dependency.
select BR2_PACKAGE_LIBSEPOL
help
The SELinux Reference Policy project (refpolicy) is a
complete SELinux policy that can be used as the system
policy for a variety of systems and used as the basis for
creating other policies. Reference Policy was originally
based on the NSA example policy, but aims to accomplish many
additional goals.
The current refpolicy does not fully support Buildroot and
needs modifications to work with the default system file
layout. These changes should be added as patches to the
refpolicy that modify a single SELinux policy.
The refpolicy works for the most part in permissive
mode. Only the basic set of utilities are enabled in the
example policy config and some of the pathing in the
policies is not correct. Individual policies would need to
be tweaked to get everything functioning properly.
https://github.com/TresysTechnology/refpolicy
if BR2_PACKAGE_REFPOLICY
choice
prompt "Refpolicy version"
default BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION
config BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION
bool "Upstream version"
help
Use the refpolicy as provided by Buildroot.
config BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
bool "Custom git repository"
help
Allows to get the refpolicy from a custom git repository.
The custom refpolicy must define the full policy explicitly,
and must be a fork of the original refpolicy, to have the
same build system. When this is selected, only the custom
policy definition are taken into account and all the modules
of the policy are built into the binary policy.
endchoice
if BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL
string "URL of custom repository"
config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION
string "Custom repository version"
help
Revision to use in the typical format used by Git.
E.g. a sha id, tag, branch...
endif
choice
prompt "SELinux default state"
default BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
config BR2_PACKAGE_REFPOLICY_POLICY_STATE_ENFORCING
bool "Enforcing"
help
SELinux security policy is enforced
config BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
bool "Permissive"
help
SELinux prints warnings instead of enforcing
config BR2_PACKAGE_REFPOLICY_POLICY_STATE_DISABLED
bool "Disabled"
help
No SELinux policy is loaded
endchoice
config BR2_PACKAGE_REFPOLICY_POLICY_STATE
string
default "permissive" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
default "enforcing" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_ENFORCING
default "disabled" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_DISABLED
if BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION
config BR2_REFPOLICY_EXTRA_MODULES_DIRS
string "Extra modules directories"
help
Specify a space-separated list of directories containing
SELinux modules that will be built into the SELinux
policy. The modules will be automatically enabled in the
policy.
Each of those directories must contain the SELinux policy
.fc, .if and .te files directly at the top-level, with no
sub-directories. Also, you cannot have several modules with
the same name in different directories.
config BR2_REFPOLICY_EXTRA_MODULES
string "Extra modules to enable"
help
List of extra SELinux modules to enable in the refpolicy.
endif
endif
comment "refpolicy needs a toolchain w/ threads"
depends on !BR2_TOOLCHAIN_HAS_THREADS
Reference in New Issue View Git Blame Copy Permalink