Currently, a user sets a policy version via the refpolicy package.
Having the option here has a few disadvantages:
- The Refpolicy package is not technically needed to use SELinux.
- When building a modular policy, Refpolicy will ignore the version string
and build the highest version possible which will cause libsemanage to
possibly fail when loading the policy.
Specifying a manual policy version in /etc/selinux/semanage.conf
forces libsemanage to load a specific policy version, which fixes the
above issue. However, because refpolicy currently defines the policy
version, libsemanage does not have a way to determine the policy
version, as refpolicy is not a dependency of libsemanage.
To work around these limitations, move the policy version number
selection to libsepol, as a system using SELinux always requires this
library.
Signed-off-by: Adam Duskett <aduskett@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
comment "Legacy options removed in 2020.02"
+config BR2_PACKAGE_REFPOLICY_POLICY_VERSION
+ string "refpolicy policy version"
+ help
+ The refpolicy policy version option has been moved to the
+ libsepol package.
+
+config BR2_PACKAGE_REFPOLICY_POLICY_VERSION_WRAP
+ bool
+ default y if BR2_PACKAGE_REFPOLICY_POLICY_VERSION != ""
+ select BR2_LEGACY
+
config BR2_PACKAGE_CELT051
bool "celt051 package was removed"
select BR2_LEGACY
http://selinuxproject.org/page/Main_Page
+if BR2_PACKAGE_LIBSEPOL
+
+config BR2_PACKAGE_LIBSEPOL_POLICY_VERSION
+ string "Policy version"
+ default BR2_PACKAGE_REFPOLICY_POLICY_VERSION if BR2_PACKAGE_REFPOLICY_POLICY_VERSION != ""
+ default "30"
+
+endif
+
comment "libsepol needs a toolchain w/ threads"
depends on !BR2_TOOLCHAIN_HAS_THREADS
config BR2_PACKAGE_REFPOLICY
bool "refpolicy"
+ depends on BR2_TOOLCHAIN_HAS_THREADS # libsepol
select BR2_PACKAGE_BUSYBOX_SELINUX if BR2_PACKAGE_BUSYBOX
+ # Even though libsepol is not necessary for building, we get
+ # the policy version from libsepol, so we select it, and treat
+ # it like a runtime dependency.
+ select BR2_PACKAGE_LIBSEPOL
help
The SELinux Reference Policy project (refpolicy) is a
complete SELinux policy that can be used as the system
if BR2_PACKAGE_REFPOLICY
-config BR2_PACKAGE_REFPOLICY_POLICY_VERSION
- string "Policy version"
- default "30"
-
choice
prompt "SELinux default state"
default BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
default "disabled" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_DISABLED
endif
+
+comment "refpolicy needs a toolchain w/ threads"
+ depends on !BR2_TOOLCHAIN_HAS_THREADS
$(MAKE1)
REFPOLICY_POLICY_VERSION = \
- $(call qstrip,$(BR2_PACKAGE_REFPOLICY_POLICY_VERSION))
+ $(call qstrip,$(BR2_PACKAGE_LIBSEPOL_POLICY_VERSION))
REFPOLICY_POLICY_STATE = \
$(call qstrip,$(BR2_PACKAGE_REFPOLICY_POLICY_STATE))
projects / buildroot.git / commitdiff