config BR2_PACKAGE_REFPOLICY
|
bool "refpolicy"
|
depends on BR2_TOOLCHAIN_HAS_THREADS # libsepol
|
# Even though libsepol is not necessary for building, we get
|
# the policy version from libsepol, so we select it, and treat
|
# it like a runtime dependency.
|
select BR2_PACKAGE_LIBSEPOL
|
help
|
The SELinux Reference Policy project (refpolicy) is a
|
complete SELinux policy that can be used as the system
|
policy for a variety of systems and used as the basis for
|
creating other policies. Reference Policy was originally
|
based on the NSA example policy, but aims to accomplish many
|
additional goals.
|
|
The current refpolicy does not fully support Buildroot and
|
needs modifications to work with the default system file
|
layout. These changes should be added as patches to the
|
refpolicy that modify a single SELinux policy.
|
|
The refpolicy works for the most part in permissive
|
mode. Only the basic set of utilities are enabled in the
|
example policy config and some of the pathing in the
|
policies is not correct. Individual policies would need to
|
be tweaked to get everything functioning properly.
|
|
https://github.com/TresysTechnology/refpolicy
|
|
if BR2_PACKAGE_REFPOLICY
|
|
choice
|
prompt "Refpolicy version"
|
default BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION
|
|
config BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION
|
bool "Upstream version"
|
help
|
Use the refpolicy as provided by Buildroot.
|
|
config BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
|
bool "Custom git repository"
|
help
|
Allows to get the refpolicy from a custom git repository.
|
|
The custom refpolicy must define the full policy explicitly,
|
and must be a fork of the original refpolicy, to have the
|
same build system. When this is selected, only the custom
|
policy definition are taken into account and all the modules
|
of the policy are built into the binary policy.
|
|
endchoice
|
|
if BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
|
|
config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL
|
string "URL of custom repository"
|
|
config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION
|
string "Custom repository version"
|
help
|
Revision to use in the typical format used by Git.
|
E.g. a sha id, tag, branch...
|
|
endif
|
|
choice
|
prompt "SELinux default state"
|
default BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
|
|
config BR2_PACKAGE_REFPOLICY_POLICY_STATE_ENFORCING
|
bool "Enforcing"
|
help
|
SELinux security policy is enforced
|
|
config BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
|
bool "Permissive"
|
help
|
SELinux prints warnings instead of enforcing
|
|
config BR2_PACKAGE_REFPOLICY_POLICY_STATE_DISABLED
|
bool "Disabled"
|
help
|
No SELinux policy is loaded
|
endchoice
|
|
config BR2_PACKAGE_REFPOLICY_POLICY_STATE
|
string
|
default "permissive" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
|
default "enforcing" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_ENFORCING
|
default "disabled" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_DISABLED
|
|
if BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION
|
|
config BR2_REFPOLICY_EXTRA_MODULES_DIRS
|
string "Extra modules directories"
|
help
|
Specify a space-separated list of directories containing
|
SELinux modules that will be built into the SELinux
|
policy. The modules will be automatically enabled in the
|
policy.
|
|
Each of those directories must contain the SELinux policy
|
.fc, .if and .te files directly at the top-level, with no
|
sub-directories. Also, you cannot have several modules with
|
the same name in different directories.
|
|
config BR2_REFPOLICY_EXTRA_MODULES
|
string "Extra modules to enable"
|
help
|
List of extra SELinux modules to enable in the refpolicy.
|
|
endif
|
|
endif
|
|
comment "refpolicy needs a toolchain w/ threads"
|
depends on !BR2_TOOLCHAIN_HAS_THREADS
|
