package/refpolicy: allow packages to select SELinux modules

Add support for packages to enable SELinux modules already supported by
the refpolicy, but not selected by default in its policy.

With this commit, packages will be able to do something like:

SYSTEMD_SELINUX_MODULES = systemd udev

to enable additional SELinux modules.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index 3a4c5d5970d7eed93874484440d111d06419857f..7b6a08b016ae16a332f6ed29dd4b1c08800ffd87 100644 (file)
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -1089,6 +1089,10 @@ TARGET_FINALIZE_HOOKS += $$($(2)_TARGET_FINALIZE_HOOKS)
 ROOTFS_PRE_CMD_HOOKS += $$($(2)_ROOTFS_PRE_CMD_HOOKS)
 KEEP_PYTHON_PY_FILES += $$($(2)_KEEP_PY_FILES)
 
+ifneq ($$($(2)_SELINUX_MODULES),)
+PACKAGES_SELINUX_MODULES += $$($(2)_SELINUX_MODULES)
+endif
+
 ifeq ($$($(2)_SITE_METHOD),svn)
 DL_TOOLS_DEPENDENCIES += svn
 else ifeq ($$($(2)_SITE_METHOD),git)

diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
index 0ce83d2cbdcbd82d8044ece38a34bf5150783ab8..c29912a53b0b3d7bf599e4f9806f960ec47d0bb6 100644 (file)
--- a/package/refpolicy/refpolicy.mk
+++ b/package/refpolicy/refpolicy.mk
@@ -45,13 +45,14 @@ REFPOLICY_MODULES = \
        sysadm \
        sysnetwork \
        unconfined \
-       userdomain
+       userdomain \
+       $(PACKAGES_SELINUX_MODULES)
 
 # In the context of a monolithic policy enabling a piece of the policy as
 # 'base' or 'module' is equivalent, so we enable them as 'base'.
 define REFPOLICY_CONFIGURE_MODULES
        $(SED) "s/ = module/ = no/g" $(@D)/policy/modules.conf
-       $(foreach m,$(REFPOLICY_MODULES),
+       $(foreach m,$(sort $(REFPOLICY_MODULES)),
                $(SED) "/^$(m) =/c\$(m) = base" $(@D)/policy/modules.conf
        )
 endef