From 9eb9943f82e0b2d5e32ffe1c63f5a82caca5094d Mon Sep 17 00:00:00 2001 From: "W. Michael Petullo" Date: Sun, 1 Nov 2020 07:44:56 -0600 Subject: [PATCH] refpolicy: add variant that builds modular policy This adds a variant of refpolicy that builds the modular form of the policy. While this requires more memory on the target device, along with some tricks to deal with OpenWrt's volatile /var directory, it is useful for experiementing with SELinux policy. Signed-off-by: W. Michael Petullo --- config/Config-build.in | 6 ++++++ package/system/refpolicy/Makefile | 35 +++++++++++++++++++++++++++++-- 2 files changed, 39 insertions(+), 2 deletions(-) diff --git a/config/Config-build.in b/config/Config-build.in index 8e12199cbd..178afbdb94 100644 --- a/config/Config-build.in +++ b/config/Config-build.in @@ -362,6 +362,12 @@ menu "Global build settings" help SELinux Reference Policy (refpolicy) + config SELINUXTYPE_targeted-modular + bool "targeted-modular" + select PACKAGE_refpolicy-modular + help + Modular SELinux Reference Policy (refpolicy-modular) + config SELINUXTYPE_dssp bool "dssp" select PACKAGE_selinux-policy diff --git a/package/system/refpolicy/Makefile b/package/system/refpolicy/Makefile index a431770955..d9c8c90208 100644 --- a/package/system/refpolicy/Makefile +++ b/package/system/refpolicy/Makefile @@ -24,7 +24,7 @@ TAR_OPTIONS:=--transform='s%^refpolicy%$(PKG_NAME)-$(PKG_VERSION)%' -xf - include $(INCLUDE_DIR)/package.mk -define Package/refpolicy +define Package/refpolicy/Default SECTION:=system CATEGORY:=Base system TITLE:=SELinux reference policy 
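Review bot: The help text added for `SELINUXTYPE_targeted-modular` only restates the option name, so someone choosing between `targeted` and `targeted-modular` in menuconfig learns nothing about the trade-off. The commit message already names it: more memory on the target and special handling of OpenWrt's volatile /var. I would extend the help to something like `Modular SELinux Reference Policy (refpolicy-modular). Needs more memory on the target and extra handling of the volatile /var directory; intended for experimenting with policy.` The same gap shows in the Makefile hunks, where `Package/refpolicy-modular` gets aliases for conffiles and install but, as far as the hunks show, none for `Package/refpolicy/description`.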
@@ -32,6 +32,19 @@ define Package/refpolicy PKGARCH:=all endef +define Package/refpolicy + $(call Package/refpolicy/Default) + CONFLICTS:=refpolicy-modular + VARIANT:=default +endef + +define Package/refpolicy-modular + $(call Package/refpolicy/Default) + TITLE += (modular) + VARIANT:=modular + PROVIDES:=refpolicy +endef + define Package/refpolicy/description The SELinux Reference Policy project (refpolicy) is a complete SELinux policy that can be used as the system @@ -56,25 +69,43 @@ endef # builds is a small host tool that gets run as part of the build # process. MAKE_FLAGS += \ + DESTDIR="$(PKG_INSTALL_DIR)" SETFILES="$(STAGING_DIR_HOST)/bin/setfiles" \ CHECKPOLICY="$(STAGING_DIR_HOSTPKG)/bin/checkpolicy" \ CC="$(HOSTCC)" \ CFLAGS="$(HOST_CFLAGS)" define Build/Configure - $(SED) "/MONOLITHIC/c\MONOLITHIC = y" $(PKG_BUILD_DIR)/build.conf $(SED) "/NAME/c\NAME = targeted" $(PKG_BUILD_DIR)/build.conf +ifneq ($(BUILD_VARIANT),modular) + $(SED) "/MONOLITHIC/c\MONOLITHIC = y" $(PKG_BUILD_DIR)/build.conf +endif $(call Build/Compile/Default,conf) endef +ifeq ($(BUILD_VARIANT),modular) +define Build/Install + $(call Build/Compile/Default,install install-headers) +endef +endif + define Package/refpolicy/conffiles /etc/selinux/config endef +Package/refpolicy-modular/conffiles = $(Package/refpolicy/conffiles) + define Package/refpolicy/install $(INSTALL_DIR) $(1)/etc/selinux $(CP) $(PKG_INSTALL_DIR)/etc/selinux/* $(1)/etc/selinux/ $(CP) ./files/selinux-config $(1)/etc/selinux/config +ifeq ($(BUILD_VARIANT),modular) + $(INSTALL_DIR) $(1)/usr/share/selinux + $(CP) $(PKG_INSTALL_DIR)/usr/share/selinux/* $(1)/usr/share/selinux/ +endif endef +Package/refpolicy-modular/install = $(Package/refpolicy/install) + $(eval $(call BuildPackage,refpolicy)) +$(eval $(call BuildPackage,refpolicy-modular)) -- 2.30.2
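Review bot: `Package/refpolicy-modular` in this hunk declares no dependency of its own, yet a modular policy is presumably only usable once the installed modules have been assembled into a policy store on the device. The install recipe in the last hunk copies `/usr/share/selinux/*`, but nothing visible in the patch builds the store or a binary policy, so it is worth confirming what the image boots with and what `/etc/selinux/config` then asks for. If the required tooling is not already pulled in by `Package/refpolicy/Default` (its full body lies outside the hunk), add a line such as `DEPENDS += +<package-providing-semodule>` (placeholder name) to the modular package. A comment there should also say where the /var handling mentioned in the commit message is implemented.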
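Review bot: The added `DESTDIR="$(PKG_INSTALL_DIR)"` line inside the `MAKE_FLAGS += \` continuation appears to have no trailing backslash; line breaks are collapsed on this page, so check this against the raw patch. Without it the assignment ends at DESTDIR, and the following `SETFILES=…`, `CHECKPOLICY=…`, `CC=…` and `CFLAGS=…` lines are no longer appended to MAKE_FLAGS. The policy build could then use whatever setfiles and checkpolicy the refpolicy makefile defaults to rather than the staged host tools. The line should read `DESTDIR="$(PKG_INSTALL_DIR)" \`.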