# Recipe for the MLS flavour of the SELinux reference policy.  The policy is
# compiled at build time with the native checkpolicy/semodule tools and shipped
# as a ready-made /etc/selinux tree; see do_install for what ends up packaged.
SUMMARY = "MLS (Multi Level Security) variant of the SELinux policy"
DESCRIPTION = "\
This is the reference policy for SE Linux built with MLS support. \
It allows giving data labels such as \"Top Secret\" and preventing \
such data from leaking to processes or files with lower classification. \
"

# Initial SELinux mode, written as SELINUX= into /etc/selinux/config by
# install_config.  The anonymous python function further down accepts only
# enforcing/permissive/disabled and otherwise falls back to permissive.
DEFAULT_ENFORCING ??= "enforcing"
# DEFAULT_ENFORCING ??= "permissive"
# DEFAULT_ENFORCING ??= "disabled"

SECTION = "admin"
# NOTE(review): "GPLv2" is the legacy spelling, the SPDX identifier is
# "GPL-2.0-only".  The checksum below points at a file named "zte" in
# COMMON_LICENSE_DIR rather than at the GPL text -- confirm that file is the
# intended licence reference for this policy.
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/zte;md5=c075689d1d1e06d4ab5bbe53623a6808"
PROVIDES = "virtual/refpolicy"
RPROVIDES:${PN} = "refpolicy"

POLICY_TYPE = "mls"

# The policy source tree is selected by the 'procd' DISTRO_FEATURE; the
# assignment of S below must pick the matching directory.
SRC_URI = "${@bb.utils.contains('DISTRO_FEATURES', 'procd', 'file://procd-mls', 'file://policy-mls', d)} \
"
# Specific config files for Poky
SRC_URI += "file://customizable_types \
    file://setrans-mls.conf \
    file://setrans-mcs.conf \
"

# Superseded by the conditional assignment on the next line; kept for reference.
##S = "${WORKDIR}/procd-mls"
S = "${@bb.utils.contains('DISTRO_FEATURES', 'procd', '${WORKDIR}/procd-mls', '${WORKDIR}/policy-mls', d)}"
CONFFILES:${PN} += "${sysconfdir}/selinux/config"
# NOTE(review): do_install deletes ${WORKDIR}/image/var after the policy
# store has been created, so the ${localstatedir} entry below may end up
# matching nothing -- confirm whether the module store is meant to be packaged.
FILES:${PN} += " \
    ${sysconfdir}/selinux/${POLICY_NAME}/ \
    ${localstatedir}/lib/selinux/${POLICY_NAME}/ \
"

# Policy modules are bzip2-compressed while the store is populated
# (prepare_policy_store), so the native bzip2 has to be on PATH.
EXTRANATIVEPATH += "bzip2-native"

DEPENDS += "bzip2-replacement-native checkpolicy-native policycoreutils-native semodule-utils-native m4-native"

RDEPENDS:${PN}-dev =+ " \
    python3-core \
"

# NOTE(review): packaged per MACHINE_ARCH; presumably the policy is tuned per
# machine (e.g. through PURGE_POLICY_MODULES) -- confirm.
PACKAGE_ARCH = "${MACHINE_ARCH}"

inherit python3native

# NOTE(review): presumably the refpolicy Makefile is not parallel-safe;
# confirm before enabling PARALLEL_MAKE.
PARALLEL_MAKE = ""
# Build knobs, handed to the refpolicy Makefile through EXTRA_OEMAKE below
# (they correspond to the variables of refpolicy's build.conf).
POLICY_NAME ?= "${POLICY_TYPE}"
POLICY_DISTRO ?= "redhat"
# User-based access control is off by default.
POLICY_UBAC ?= "n"
# How the kernel handles permissions the policy does not know about.
# "allow" is the permissive choice; refpolicy also accepts "deny"/"reject",
# which is what a hardened MLS deployment would normally pick.
POLICY_UNK_PERMS ?= "allow"
POLICY_DIRECT_INITRC ?= "y"
POLICY_SYSTEMD ?= "y"
POLICY_MONOLITHIC ?= "n"
POLICY_CUSTOM_BUILDOPT ?= ""
POLICY_QUIET ?= "n"
# Number of MLS sensitivity levels and of MLS/MCS categories compiled in.
POLICY_MLS_SENS ?= "16"
POLICY_MLS_CATS ?= "1024"
POLICY_MCS_CATS ?= "1024"

EXTRA_OEMAKE += "NAME=${POLICY_NAME} \
    TYPE=${POLICY_TYPE} \
    DISTRO=${POLICY_DISTRO} \
    UBAC=${POLICY_UBAC} \
    UNK_PERMS=${POLICY_UNK_PERMS} \
    DIRECT_INITRC=${POLICY_DIRECT_INITRC} \
    SYSTEMD=${POLICY_SYSTEMD} \
    MONOLITHIC=${POLICY_MONOLITHIC} \
    CUSTOM_BUILDOPT=${POLICY_CUSTOM_BUILDOPT} \
    QUIET=${POLICY_QUIET} \
    MLS_SENS=${POLICY_MLS_SENS} \
    MLS_CATS=${POLICY_MLS_CATS} \
    MCS_CATS=${POLICY_MCS_CATS}"

# Use the native toolchain binaries for the policy build.
EXTRA_OEMAKE += "tc_usrbindir=${STAGING_BINDIR_NATIVE}"
# Kernel policy format version, taken from the native checkpolicy: the
# backticks survive bitbake expansion and are evaluated by the shell when
# oe_runmake runs.  NOTE(review): rebuild_policy pins policy-version = 31 in
# its semanage.conf independently of this -- confirm both agree with what the
# target kernel supports.
EXTRA_OEMAKE += "OUTPUT_POLICY=`${STAGING_BINDIR_NATIVE}/checkpolicy -V | cut -d' ' -f1`"
EXTRA_OEMAKE += "CC='${BUILD_CC}' CFLAGS='${BUILD_CFLAGS}' PYTHON='${PYTHON}'"

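python __anonymous () {
    # Sanity-check DEFAULT_ENFORCING before install_config writes it into
    # /etc/selinux/config.  Only the three values the kernel understands are
    # accepted; anything else is replaced by 'permissive'.  The fallback is
    # logged rather than applied silently, because a value such as
    # 'Enforcing' would otherwise drop the image to permissive mode unnoticed.
    import re

    # 'or ""' keeps re.fullmatch from raising on an unset variable.
    mode = d.getVar('DEFAULT_ENFORCING') or ''
    # fullmatch rather than match('^...$'): '$' also matches before a trailing
    # newline, so 'enforcing\n' would have slipped through the old check.
    if not re.fullmatch(r'enforcing|permissive|disabled', mode):
        bb.warn("DEFAULT_ENFORCING=%r is not one of enforcing/permissive/disabled; "
                "falling back to 'permissive'" % mode)
        d.setVar('DEFAULT_ENFORCING', 'permissive')
}
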
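disable_policy_modules () {
    # Turn every module listed in PURGE_POLICY_MODULES off in the generated
    # modules.conf so it is neither built nor loaded.  Runs after
    # 'oe_runmake conf' (see do_compile), which is what creates the file.
    # PURGE_POLICY_MODULES is deliberately left unquoted: it is a
    # whitespace-separated list and the loop relies on word splitting.
    modules_conf="${S}/policy/modules.conf"
    for module in ${PURGE_POLICY_MODULES} ; do
        # A module that is not present in modules.conf cannot be switched
        # off here; warn instead of silently leaving it enabled, since the
        # purge list is normally a hardening decision.
        if ! grep -q "^${module} *=" "${modules_conf}" ; then
            bbwarn "disable_policy_modules: '${module}' not found in ${modules_conf}"
            continue
        fi
        # \< \> are GNU sed word boundaries, so 'ssh' does not also hit 'sshd'.
        sed -i "s/^\(\<${module}\>\) *= *.*$/\1 = off/" "${modules_conf}"
    done
}
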
do_compile() {
    # A modules.conf placed in WORKDIR (none is listed in SRC_URI here, so
    # presumably supplied by a bbappend) is copied into the policy tree
    # before the build.
    custom_modules_conf="${WORKDIR}/modules.conf"
    if [ -f "${custom_modules_conf}" ] ; then
        cp -f "${custom_modules_conf}" "${S}/policy/modules.conf"
    fi
    # Generate the build configuration, switch off the purged modules, then
    # build the policy itself.
    oe_runmake conf
    disable_policy_modules
    oe_runmake policy
}

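prepare_policy_store () {
    # Install the compiled policy and turn the installed modules into the
    # on-disk layout semodule expects under
    # ${localstatedir}/lib/selinux/${POLICY_NAME}: one directory per module
    # at priority 100 holding 'lang_ext', the bzip2'd CIL translation as
    # 'cil' and the bzip2'd original module as 'hll'.  rebuild_policy then
    # lets semodule build the final policy from that store.
    oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install
    POL_PRIORITY=100
    POL_SRC=${D}${datadir}/selinux/${POLICY_NAME}
    POL_STORE=${D}${localstatedir}/lib/selinux/${POLICY_NAME}
    POL_ACTIVE_MODS=${POL_STORE}/active/modules/${POL_PRIORITY}

    # Prepare to create policy store
    mkdir -p "${POL_STORE}"
    mkdir -p "${POL_ACTIVE_MODS}"

    # get hll type from suffix on base policy module
    HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}')
    HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE}

    # If no base.* was installed the glob above stays literal and HLL_TYPE
    # becomes '*'; if the hll translator is missing, the pipelines below
    # still "succeed" (only bzip2's exit status is seen) and leave empty
    # cil files behind.  Either way the store would be silently broken, so
    # stop the build here with a clear message instead.
    [ -f "${POL_SRC}/base.${HLL_TYPE}" ] || \
        bbfatal "prepare_policy_store: no base policy module found in ${POL_SRC}"
    [ -x "${HLL_BIN}" ] || \
        bbfatal "prepare_policy_store: HLL translator ${HLL_BIN} not found or not executable"

    for i in ${POL_SRC}/*.${HLL_TYPE}; do
        MOD_NAME=$(basename "$i" | sed "s/\.${HLL_TYPE}$//")
        MOD_DIR=${POL_ACTIVE_MODS}/${MOD_NAME}
        mkdir -p "${MOD_DIR}"
        echo -n "${HLL_TYPE}" > "${MOD_DIR}/lang_ext"
        if ! bzip2 -t "$i" >/dev/null 2>&1; then
            # Uncompressed module: translate it to CIL, then compress the
            # original in place so 'hll' below is stored bzip2'd as well.
            ${HLL_BIN} "$i" | bzip2 --stdout > "${MOD_DIR}/cil"
            bzip2 -f "$i" && mv -f "$i.bz2" "$i"
        else
            # Already compressed: decompress on the fly for the translator.
            bunzip2 --stdout "$i" | \
                ${HLL_BIN} | \
                bzip2 --stdout > "${MOD_DIR}/cil"
        fi
        cp "$i" "${MOD_DIR}/hll"
    done
}
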
rebuild_policy () {
    # Have semodule compile the final kernel policy from the store that
    # prepare_policy_store populated under ${D}.  semodule needs a
    # semanage.conf, so a build-time one is written into ${D}${sysconfdir}
    # and removed again afterwards; it points the helper tools at the native
    # sysroot binaries, since the target ones cannot run on the build host.
    # NOTE(review): policy-version is hard-coded to 31 here while the make
    # build reads OUTPUT_POLICY from 'checkpolicy -V' -- confirm both match
    # what the target kernel supports.
    cat <<-EOF > ${D}${sysconfdir}/selinux/semanage.conf
module-store = direct
[setfiles]
path = ${STAGING_DIR_NATIVE}${base_sbindir_native}/setfiles
args = -q -c \$@ \$<
[end]
[sefcontext_compile]
path = ${STAGING_DIR_NATIVE}${sbindir_native}/sefcontext_compile
args = \$@
[end]

policy-version = 31
EOF

    # Create policy store and build the policy: -p ${D} makes semodule
    # operate on the image root instead of the build host, -s selects the
    # store, -n skips loading the result into the (host) kernel, -B rebuilds.
    semodule -p ${D} -s ${POLICY_NAME} -n -B
    rm -f ${D}${sysconfdir}/selinux/semanage.conf
    # no need to leave final dir created by semanage laying around
    rm -rf ${D}${localstatedir}/lib/selinux/final
}

install_misc_files () {
    # Post-install additions that refpolicy's own 'install' target does not
    # provide.
    policy_etc="${D}${sysconfdir}/selinux/${POLICY_NAME}"
    setrans_src="${WORKDIR}/setrans-${POLICY_TYPE}.conf"

    # Append the distro's extra customizable types to the installed list.
    cat "${WORKDIR}/customizable_types" >> "${policy_etc}/contexts/customizable_types"

    # install setrans.conf for mls/mcs policy; SRC_URI ships one for each
    # type, so only the one matching POLICY_TYPE is picked up.
    if [ -f "${setrans_src}" ]; then
        install -m 0644 "${setrans_src}" "${policy_etc}/setrans.conf"
    fi

    # install policy headers.  NOTE(review): do_install later removes
    # ${WORKDIR}/image/usr, which presumably discards these again -- confirm.
    oe_runmake 'DESTDIR=${D}' 'prefix=${D}${prefix}' install-headers
}

install_config () {
    # Generate /etc/selinux/config, read by libselinux at boot to decide the
    # SELinux mode and policy name.  DEFAULT_ENFORCING has already been
    # validated by the anonymous python function above, so only
    # enforcing/permissive/disabled can end up in SELINUX=.
    cat > "${WORKDIR}/config" <<EOF
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=${DEFAULT_ENFORCING}
# SELINUXTYPE= can take one of these values:
# minimum - Minimum Security protection.
# standard - Standard Security protection.
# mls - Multi Level Security protection.
# targeted - Targeted processes are protected.
# mcs - Multi Category Security protection.
SELINUXTYPE=${POLICY_NAME}

EOF
    # Install with fixed permissions rather than relying on the build umask;
    # the file is also listed in CONFFILES so local edits survive upgrades.
    install -d "${D}/${sysconfdir}/selinux"
    install -m 0644 "${WORKDIR}/config" "${D}/${sysconfdir}/selinux/"
}

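do_install () {
    # Assemble the policy under ${D} step by step: install and populate the
    # module store, let semodule compile the final policy, add the
    # distro-specific files, then write /etc/selinux/config.
    prepare_policy_store
    rebuild_policy
    install_misc_files
    install_config

    # Only the ${sysconfdir}/selinux tree is shipped.  Everything under
    # /usr (policy headers, installed modules) and the semodule store under
    # /var were build-time inputs and are dropped here.  ${D} is used
    # instead of the hard-coded ${WORKDIR}/image so the cleanup follows the
    # install root.  NOTE(review): FILES:${PN} still lists
    # ${localstatedir}/lib/selinux/${POLICY_NAME}/ -- confirm that entry is
    # intentional now that the directory is removed.
    rm -fr "${D}/usr"
    rm -fr "${D}/var"
}
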
sysroot_stage_all:append () {
    # Also copy the installed /etc/selinux tree into the recipe sysroot.
    # NOTE(review): presumably ${sysconfdir} is not staged by default and a
    # dependent recipe consults the policy config at build time -- confirm
    # which consumer relies on it.
    sysroot_stage_dir "${D}${sysconfdir}" "${SYSROOT_DESTDIR}${sysconfdir}"
}