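# Recipe for the "selinux-policy" SELinux policy. The policy is compiled with
# the native SELinux toolchain from a source tree shipped inside this layer.
SUMMARY = "SELinux policy"
# NOTE(review): this text describes the "targeted" reference policy, while the
# generated /etc/selinux/config describes "selinux-policy" as a policy designed
# for OpenWrt. Confirm that the unconfined_t login statement holds for the
# policy built here; it decides how much confinement logged-in users get.
DESCRIPTION = "\
This is the targeted variant of the SELinux reference policy. Most service \
domains are locked down. Users and admins will log in with unconfined_t \
domain, so they have the same access to the system as if SELinux was not \
enabled. \
"

# Build-time dependencies: the policy compilers and tools used by do_compile.
DEPENDS += " secilc secilc-native policycoreutils-native checkpolicy-native "
RDEPENDS_${PN}-dev =+ " \
    python3-core \
"
inherit python3native

# Value written to SELINUX= in /etc/selinux/config by install_config.
# "enforcing" is the default; ??= is the weakest assignment, so a distro or
# local configuration can still override it. Per the generated config file,
# "permissive" only logs violations and "disabled" loads no policy at all.
# DEFAULT_ENFORCING ??= "permissive"
DEFAULT_ENFORCING ??= "enforcing"

PROVIDES += "virtual/refpolicy"
RPROVIDES_${PN} += "refpolicy"

# POLICY_NAME is both the directory under ${sysconfdir}/selinux and the
# SELINUXTYPE= value in the generated config.
POLICY_NAME = "selinux-policy"
POLICY_TYPE = "selinux-policy"

# Upstream location, disabled; the build uses the selinux-policy-0.8 tree
# shipped with this recipe instead. The checksums below accompany the disabled
# upstream entry, and nothing in this recipe pins the contents of the local
# tree.
# NOTE(review): integrity of the policy source presumably rests on this
# layer's own version control. Record which upstream revision the vendored
# tree corresponds to so policy changes can be audited against it.
#SRC_URI = "git://git.defensec.nl/selinux-policy.git"
#SRC_URI[md5sum] = "babb0d5ca2ae333631d25392b2b3ce8d"
#SRC_URI[sha256sum] = "3b58f751a21394e3aef47fd6c9fe9430fadde6427deb5c79f08478904837ec91"
SRC_URI = "file://selinux-policy-0.8 \
"
# NOTE(review): LICENSE says GPLv2, but the checksum is taken from a common
# license file named "zte". Confirm which license text covers the policy
# sources.
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/zte;md5=c075689d1d1e06d4ab5bbe53623a6808"

# Build in the source tree (B = S) with parallel make switched off.
S = "${WORKDIR}/selinux-policy-0.8"
PARALLEL_MAKE = ""
B = "${S}"
# Passes the native binary directory to make as tc_usrbindir; presumably the
# policy Makefile looks up the SELinux tools there. Confirm against the Makefile.
EXTRA_OEMAKE += "tc_usrbindir=${STAGING_BINDIR_NATIVE}"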
| 36 | |
do_compile() {
    # Compile the policy. The native tool directory is written to the task
    # log and then handed to make as the tc_usrbindir command-line variable
    # (the recipe also sets the same variable in EXTRA_OEMAKE).
    tc_setting='tc_usrbindir=${STAGING_BINDIR_NATIVE}'
    echo "$tc_setting"
    oe_runmake "$tc_setting"
}
| 41 | |
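install_config () {
    # Generate ${sysconfdir}/selinux/config for the target image.
    # SELINUX= comes from DEFAULT_ENFORCING and SELINUXTYPE= from POLICY_NAME.

    # Reject values the config file does not document, so a typo in a distro
    # or local override fails the build instead of shipping an unclear mode.
    # A valid but non-enforcing mode is allowed and flagged in the build log.
    case "${DEFAULT_ENFORCING}" in
        enforcing)
            ;;
        permissive|disabled)
            bbwarn "SELinux policy will not be enforced on the target: DEFAULT_ENFORCING=${DEFAULT_ENFORCING}"
            ;;
        *)
            bbfatal "DEFAULT_ENFORCING must be enforcing, permissive or disabled, got '${DEFAULT_ENFORCING}'"
            ;;
    esac

    # The string starts with a line continuation so the file begins directly
    # with the first comment line.
    echo "\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=${DEFAULT_ENFORCING}
# SELINUXTYPE= can take one of these values:
# targeted - Targeted processes are protected.
# selinux-policy - Basic SELinux Security Policy designed specifically for OpenWrt.
SELINUXTYPE=${POLICY_NAME}
" > "${WORKDIR}/config"

    # 0644: readable by all, writable only by root on the target.
    install -d "${D}${sysconfdir}/selinux"
    install -m 0644 "${WORKDIR}/config" "${D}${sysconfdir}/selinux/"
}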
| 58 | |
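do_install () {
    # Install the compiled policy and its context files under
    # ${sysconfdir}/selinux/${POLICY_NAME}, then write the global config.
    policy_root="${D}${sysconfdir}/selinux/${POLICY_NAME}"

    # Create the directories with an explicit mode rather than whatever the
    # build environment's umask yields, so the packaged policy tree always
    # has the same permissions.
    install -d -m 0755 "$policy_root/contexts/files"
    install -d -m 0755 "$policy_root/policy"

    # Trailing slashes make install fail if a destination is not a directory
    # instead of silently creating a file with that name.
    install -m 0644 "${B}/customizable_types" "$policy_root/contexts/"
    install -m 0644 "${B}/file_contexts.subs_dist" "$policy_root/contexts/files/"
    install -m 0644 "${B}/file_contexts" "$policy_root/contexts/files/"

    # The glob stays unquoted on purpose: it picks up every binary policy
    # file the build produced (policy.<suffix>).
    install -m 0644 ${B}/policy.* "$policy_root/policy/"

    install_config
}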
| 68 | |
# Package the whole SELinux configuration tree (global config plus the policy
# directory) in the main package.
FILES_${PN} += "${sysconfdir}/selinux/"