d-two/operating-system
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
abfe9da03e3ec8993467a29e2e230b226233d9e5
operating-system/buildroot/docs/manual/selinux-support.txt
Stefan Agner a0871be6c0 Bump buildroot to 2020.11-rc1 (#985) 
* Update buildroot-patches for 2020.11-rc1 buildroot

* Update buildroot to 2020.11-rc1

Signed-off-by: Stefan Agner <stefan@agner.ch>

* Don't rely on sfdisk --list-free output

The --list-free (-F) argument does not allow machine readable mode. And
it seems that the output format changes over time (different spacing,
using size postfixes instead of raw blocks).

Use sfdisk json output and calculate free partition space ourselfs. This
works for 2.35 and 2.36 and is more robust since we rely on output which
is meant for scripts to parse.

* Migrate defconfigs for Buildroot 2020.11-rc1

In particular, rename BR2_TARGET_UBOOT_BOOT_SCRIPT(_SOURCE) to
BR2_PACKAGE_HOST_UBOOT_TOOLS_BOOT_SCRIPT(_SOURCE).

* Rebase/remove systemd patches for systemd 246

* Drop apparmor/libapparmor from buildroot-external

* hassos-persists: use /run as directory for lockfiles

The U-Boot tools use /var/lock by default which is not created any more
by systemd by default (it is under tmpfiles legacy.conf, which we no
longer install).

* Disable systemd-update-done.service

The service is not suited for pure read-only systems. In particular the
service needs to be able to write a file in /etc and /var. Remove the
service. Note: This is a static service and cannot be removed using
systemd-preset.

* Disable apparmor.service for now

The service loads all default profiles. Some might actually cause
problems. E.g. the profile for ping seems not to match our setup for
/etc/resolv.conf:
[85503.634653] audit: type=1400 audit(1605286002.684:236): apparmor="DENIED" operation="open" profile="ping" name="/run/resolv.conf" pid=27585 comm="ping" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2020-11-13 18:25:44 +01:00

75 lines
2.9 KiB
Plaintext
Raw Blame History

// -*- mode:doc; -*-
// vim: set syntax=asciidoc:
[[selinux]]
== Using SELinux in Buildroot
https://selinuxproject.org[SELinux] is a Linux kernel security module
enforcing access control policies. In addition to the traditional file
permissions and access control lists, +SELinux+ allows to write rules
for users or processes to access specific functions of resources
(files, sockets...).
_SELinux_ has three modes of operation:
* _Disabled_: the policy is not applied
* _Permissive_: the policy is applied, and non-authorized actions are
simply logged. This mode is often used for troubleshooting SELinux
issues.
* _Enforcing_: the policy is applied, and non-authorized actions are
denied
In Buildroot the mode of operation is controlled by the
+BR2_PACKAGE_REFPOLICY_POLICY_STATE_*+ configuration options. The
Linux kernel also has various configuration options that affect how
+SELinux+ is enabled (see +security/selinux/Kconfig+ in the Linux
kernel sources).
By default in Buildroot the +SELinux+ policy is provided by the
upstream https://github.com/SELinuxProject/refpolicy[refpolicy]
project, enabled with +BR2_PACKAGE_REFPOLICY+.
[[enabling-selinux]]
=== Enabling SELinux support
To have proper support for +SELinux+ in a Buildroot generated system,
the following configuration options must be enabled:
* +BR2_PACKAGE_LIBSELINUX+
* +BR2_PACKAGE_REFPOLICY+
In addition, your filesystem image format must support extended
attributes.
[[selinux-policy-tweaking]]
=== SELinux policy tweaking
The +SELinux refpolicy+ contains modules that can be enabled or
disabled when being built. Each module provide a number of +SELinux+
rules. In Buildroot the non-base modules are disabled by default and
several ways to enable such modules are provided:
- Packages can enable a list of +SELinux+ modules within the +refpolicy+ using
the +<packagename>_SELINUX_MODULES+ variable.
- Packages can provide additional +SELinux+ modules by putting them (.fc, .if
and .te files) in +package/<packagename>/selinux/+.
- Extra +SELinux+ modules can be added in directories pointed by the
+BR2_REFPOLICY_EXTRA_MODULES_DIRS+ configuration option.
- Additional modules in the +refpolicy+ can be enabled if listed in the
+BR2_REFPOLICY_EXTRA_MODULES_DEPENDENCIES+ configuration option.
Buildroot also allows to completely override the +refpolicy+. This
allows to provide a full custom policy designed specifically for a
given system. When going this way, all of the above mechanisms are
disabled: no extra +SElinux+ module is added to the policy, and all
the available modules within the custom policy are enabled and built
into the final binary policy. The custom policy must be a fork of the
official https://github.com/SELinuxProject/refpolicy[refpolicy].
In order to fully override the +refpolicy+ the following configuration
variables have to be set:
- +BR2_PACKAGE_REFPOLICY_CUSTOM_GIT+
- +BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL+
- +BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION+
Reference in New Issue View Git Blame Copy Permalink