initial buildroot for linux 5.15
This commit is contained in:
+83
@@ -0,0 +1,83 @@
|
||||
From 7c58f2508efc115dea03e18e1fa611ebf81f6ee6 Mon Sep 17 00:00:00 2001
|
||||
From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
||||
Date: Wed, 4 Aug 2021 11:12:01 +0200
|
||||
Subject: [PATCH] policy/modules/services/samba.te: make crack optional
|
||||
|
||||
Make crack optional to avoid the following build failure:
|
||||
|
||||
Compiling targeted policy.31
|
||||
env LD_LIBRARY_PATH="/tmp/instance-5/output-1/host/lib:/tmp/instance-5/output-1/host/usr/lib" /tmp/instance-5/output-1/host/usr/bin/checkpolicy -c 31 -U deny -S -O -E policy.conf -o policy.31
|
||||
policy/modules/services/samba.te:399:ERROR 'type crack_db_t is not within scope' at token ';' on line 360232:
|
||||
allow smbd_t crack_db_t:dir { getattr search open };
|
||||
#line 399
|
||||
checkpolicy: error(s) encountered while parsing configuration
|
||||
|
||||
Fixes:
|
||||
- http://autobuild.buildroot.org/results/ab7098948d1920e42fa587e07f0513f23ba7fc74
|
||||
|
||||
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
||||
[Upstream status: https://github.com/SELinuxProject/refpolicy/pull/407]
|
||||
---
|
||||
policy/modules/services/samba.te | 32 ++++++++++++++++++--------------
|
||||
1 file changed, 18 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
|
||||
index 9d4665ae6..6c37625a9 100644
|
||||
--- a/policy/modules/services/samba.te
|
||||
+++ b/policy/modules/services/samba.te
|
||||
@@ -396,8 +396,6 @@ userdom_signal_all_users(smbd_t)
|
||||
userdom_home_filetrans_user_home_dir(smbd_t)
|
||||
userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file })
|
||||
|
||||
-usermanage_read_crack_db(smbd_t)
|
||||
-
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
files_dontaudit_getattr_default_dirs(smbd_t)
|
||||
files_dontaudit_getattr_boot_dirs(smbd_t)
|
||||
@@ -413,18 +411,6 @@ tunable_policy(`samba_create_home_dirs',`
|
||||
userdom_create_user_home_dirs(smbd_t)
|
||||
')
|
||||
|
||||
-tunable_policy(`samba_domain_controller',`
|
||||
- gen_require(`
|
||||
- class passwd passwd;
|
||||
- ')
|
||||
-
|
||||
- usermanage_domtrans_passwd(smbd_t)
|
||||
- usermanage_kill_passwd(smbd_t)
|
||||
- usermanage_domtrans_useradd(smbd_t)
|
||||
- usermanage_domtrans_groupadd(smbd_t)
|
||||
- allow smbd_t self:passwd passwd;
|
||||
-')
|
||||
-
|
||||
tunable_policy(`samba_enable_home_dirs',`
|
||||
userdom_manage_user_home_content_dirs(smbd_t)
|
||||
userdom_manage_user_home_content_files(smbd_t)
|
||||
@@ -505,6 +491,24 @@ optional_policy(`
|
||||
seutil_sigchld_newrole(smbd_t)
|
||||
')
|
||||
|
||||
+optional_policy(`
|
||||
+ usermanage_read_crack_db(smbd_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
+ tunable_policy(`samba_domain_controller',`
|
||||
+ gen_require(`
|
||||
+ class passwd passwd;
|
||||
+ ')
|
||||
+
|
||||
+ usermanage_domtrans_passwd(smbd_t)
|
||||
+ usermanage_kill_passwd(smbd_t)
|
||||
+ usermanage_domtrans_useradd(smbd_t)
|
||||
+ usermanage_domtrans_groupadd(smbd_t)
|
||||
+ allow smbd_t self:passwd passwd;
|
||||
+ ')
|
||||
+')
|
||||
+
|
||||
########################################
|
||||
#
|
||||
# Nmbd Local policy
|
||||
--
|
||||
2.30.2
|
||||
|
||||
+54
@@ -0,0 +1,54 @@
|
||||
From 67394d078c2e1438293b25d08cf408b0b0d55755 Mon Sep 17 00:00:00 2001
|
||||
From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
||||
Date: Wed, 22 Sep 2021 23:55:59 +0200
|
||||
Subject: [PATCH] policy/modules/services/wireguard.te: make iptables optional
|
||||
|
||||
Make iptables optional to avoid the following build failure raised since
|
||||
version 2.20210908 and
|
||||
https://github.com/SELinuxProject/refpolicy/commit/7f1a7b1cacd5d211077ce62fbb4e91890e65c820:
|
||||
|
||||
Compiling targeted policy.33
|
||||
env LD_LIBRARY_PATH="/tmp/instance-0/output-1/host/lib:/tmp/instance-0/output-1/host/usr/lib" /tmp/instance-0/output-1/host/usr/bin/checkpolicy -c 33 -U deny -S -O -E policy.conf -o policy.33
|
||||
policy/modules/services/wireguard.te:66:ERROR 'type iptables_exec_t is not within scope' at token ';' on line 591892:
|
||||
#line 66
|
||||
allow wireguard_t iptables_exec_t:file { getattr open map read execute ioctl };
|
||||
checkpolicy: error(s) encountered while parsing configuration
|
||||
make[1]: *** [Rules.monolithic:79: policy.33] Error 1
|
||||
|
||||
Fixes:
|
||||
- http://autobuild.buildroot.org/results/a4223accc6adb70b06fd4e74ca4f28484446b6fa
|
||||
|
||||
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
||||
[Upstream status: https://github.com/SELinuxProject/refpolicy/pull/408]
|
||||
---
|
||||
policy/modules/services/wireguard.te | 10 ++++++----
|
||||
1 file changed, 6 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/policy/modules/services/wireguard.te b/policy/modules/services/wireguard.te
|
||||
index 7241f65e6..33fd3c55d 100644
|
||||
--- a/policy/modules/services/wireguard.te
|
||||
+++ b/policy/modules/services/wireguard.te
|
||||
@@ -61,10 +61,6 @@ corecmd_exec_shell(wireguard_t)
|
||||
|
||||
domain_use_interactive_fds(wireguard_t)
|
||||
|
||||
-# wg-quick can be configured to run iptables and other networking
|
||||
-# config tools when bringing up/down the wg interfaces
|
||||
-iptables_domtrans(wireguard_t)
|
||||
-
|
||||
# wg-quick tries to read /proc/filesystem when running "stat" and "mv" commands
|
||||
kernel_dontaudit_read_system_state(wireguard_t)
|
||||
kernel_dontaudit_search_kernel_sysctl(wireguard_t)
|
||||
@@ -75,3 +71,9 @@ miscfiles_read_localization(wireguard_t)
|
||||
sysnet_run_ifconfig(wireguard_t, wireguard_roles)
|
||||
|
||||
userdom_use_user_terminals(wireguard_t)
|
||||
+
|
||||
+# wg-quick can be configured to run iptables and other networking
|
||||
+# config tools when bringing up/down the wg interfaces
|
||||
+optional_policy(`
|
||||
+ iptables_domtrans(wireguard_t)
|
||||
+')
|
||||
--
|
||||
2.33.0
|
||||
|
||||
@@ -0,0 +1,117 @@
|
||||
config BR2_PACKAGE_REFPOLICY
|
||||
bool "refpolicy"
|
||||
depends on BR2_TOOLCHAIN_HAS_THREADS # libsepol
|
||||
# Even though libsepol is not necessary for building, we get
|
||||
# the policy version from libsepol, so we select it, and treat
|
||||
# it like a runtime dependency.
|
||||
select BR2_PACKAGE_LIBSEPOL
|
||||
help
|
||||
The SELinux Reference Policy project (refpolicy) is a
|
||||
complete SELinux policy that can be used as the system
|
||||
policy for a variety of systems and used as the basis for
|
||||
creating other policies. Reference Policy was originally
|
||||
based on the NSA example policy, but aims to accomplish many
|
||||
additional goals.
|
||||
|
||||
The current refpolicy does not fully support Buildroot and
|
||||
needs modifications to work with the default system file
|
||||
layout. These changes should be added as patches to the
|
||||
refpolicy that modify a single SELinux policy.
|
||||
|
||||
The refpolicy works for the most part in permissive
|
||||
mode. Only the basic set of utilities are enabled in the
|
||||
example policy config and some of the pathing in the
|
||||
policies is not correct. Individual policies would need to
|
||||
be tweaked to get everything functioning properly.
|
||||
|
||||
https://github.com/TresysTechnology/refpolicy
|
||||
|
||||
if BR2_PACKAGE_REFPOLICY
|
||||
|
||||
choice
|
||||
prompt "Refpolicy version"
|
||||
default BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION
|
||||
|
||||
config BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION
|
||||
bool "Upstream version"
|
||||
help
|
||||
Use the refpolicy as provided by Buildroot.
|
||||
|
||||
config BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
|
||||
bool "Custom git repository"
|
||||
help
|
||||
Allows to get the refpolicy from a custom git repository.
|
||||
|
||||
The custom refpolicy must define the full policy explicitly,
|
||||
and must be a fork of the original refpolicy, to have the
|
||||
same build system. When this is selected, only the custom
|
||||
policy definition are taken into account and all the modules
|
||||
of the policy are built into the binary policy.
|
||||
|
||||
endchoice
|
||||
|
||||
if BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
|
||||
|
||||
config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL
|
||||
string "URL of custom repository"
|
||||
|
||||
config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION
|
||||
string "Custom repository version"
|
||||
help
|
||||
Revision to use in the typical format used by Git.
|
||||
E.g. a sha id, tag, branch...
|
||||
|
||||
endif
|
||||
|
||||
choice
|
||||
prompt "SELinux default state"
|
||||
default BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
|
||||
|
||||
config BR2_PACKAGE_REFPOLICY_POLICY_STATE_ENFORCING
|
||||
bool "Enforcing"
|
||||
help
|
||||
SELinux security policy is enforced
|
||||
|
||||
config BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
|
||||
bool "Permissive"
|
||||
help
|
||||
SELinux prints warnings instead of enforcing
|
||||
|
||||
config BR2_PACKAGE_REFPOLICY_POLICY_STATE_DISABLED
|
||||
bool "Disabled"
|
||||
help
|
||||
No SELinux policy is loaded
|
||||
endchoice
|
||||
|
||||
config BR2_PACKAGE_REFPOLICY_POLICY_STATE
|
||||
string
|
||||
default "permissive" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
|
||||
default "enforcing" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_ENFORCING
|
||||
default "disabled" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_DISABLED
|
||||
|
||||
if BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION
|
||||
|
||||
config BR2_REFPOLICY_EXTRA_MODULES_DIRS
|
||||
string "Extra modules directories"
|
||||
help
|
||||
Specify a space-separated list of directories containing
|
||||
SELinux modules that will be built into the SELinux
|
||||
policy. The modules will be automatically enabled in the
|
||||
policy.
|
||||
|
||||
Each of those directories must contain the SELinux policy
|
||||
.fc, .if and .te files directly at the top-level, with no
|
||||
sub-directories. Also, you cannot have several modules with
|
||||
the same name in different directories.
|
||||
|
||||
config BR2_REFPOLICY_EXTRA_MODULES
|
||||
string "Extra modules to enable"
|
||||
help
|
||||
List of extra SELinux modules to enable in the refpolicy.
|
||||
|
||||
endif
|
||||
|
||||
endif
|
||||
|
||||
comment "refpolicy needs a toolchain w/ threads"
|
||||
depends on !BR2_TOOLCHAIN_HAS_THREADS
|
||||
@@ -0,0 +1,8 @@
|
||||
# This file controls the state of SELinux on the system.
|
||||
# SELINUX= can take one of these three values:
|
||||
# enforcing - SELinux security policy is enforced.
|
||||
# permissive - SELinux prints warnings instead of enforcing.
|
||||
# disabled - No SELinux policy is loaded.
|
||||
SELINUX=disabled
|
||||
|
||||
SELINUXTYPE=targeted
|
||||
@@ -0,0 +1,5 @@
|
||||
# From https://github.com/SELinuxProject/refpolicy/releases
|
||||
sha256 4d3140d9fbb91322f5de36d73959464ce1d8946dcd149e36fcaf60e92444e902 refpolicy-2.20210908.tar.bz2
|
||||
|
||||
# Locally computed
|
||||
sha256 204d8eff92f95aac4df6c8122bc1505f468f3a901e5a4cc08940e0ede1938994 COPYING
|
||||
@@ -0,0 +1,134 @@
|
||||
################################################################################
|
||||
#
|
||||
# refpolicy
|
||||
#
|
||||
################################################################################
|
||||
|
||||
REFPOLICY_LICENSE = GPL-2.0
|
||||
REFPOLICY_LICENSE_FILES = COPYING
|
||||
REFPOLICY_CPE_ID_VENDOR = selinuxproject
|
||||
REFPOLICY_INSTALL_STAGING = YES
|
||||
REFPOLICY_DEPENDENCIES = \
|
||||
host-m4 \
|
||||
host-checkpolicy \
|
||||
host-policycoreutils \
|
||||
host-python3 \
|
||||
host-setools \
|
||||
host-gawk \
|
||||
host-libxml2
|
||||
|
||||
ifeq ($(BR2_PACKAGE_REFPOLICY_CUSTOM_GIT),y)
|
||||
REFPOLICY_VERSION = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION))
|
||||
REFPOLICY_SITE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL))
|
||||
REFPOLICY_SITE_METHOD = git
|
||||
BR_NO_CHECK_HASH_FOR += $(REFPOLICY_SOURCE)
|
||||
else
|
||||
REFPOLICY_VERSION = 2.20210908
|
||||
REFPOLICY_SOURCE = refpolicy-$(REFPOLICY_VERSION).tar.bz2
|
||||
REFPOLICY_SITE = https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_$(subst .,_,$(REFPOLICY_VERSION))
|
||||
endif
|
||||
|
||||
# Cannot use multiple threads to build the reference policy
|
||||
REFPOLICY_MAKE = \
|
||||
PYTHON=$(HOST_DIR)/usr/bin/python3 \
|
||||
XMLLINT=$(LIBXML2_HOST_BINARY) \
|
||||
TEST_TOOLCHAIN=$(HOST_DIR) \
|
||||
$(TARGET_MAKE_ENV) \
|
||||
$(MAKE1)
|
||||
|
||||
REFPOLICY_POLICY_VERSION = $(BR2_PACKAGE_LIBSEPOL_POLICY_VERSION)
|
||||
REFPOLICY_POLICY_STATE = \
|
||||
$(call qstrip,$(BR2_PACKAGE_REFPOLICY_POLICY_STATE))
|
||||
|
||||
ifeq ($(BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION),y)
|
||||
|
||||
# Allow to provide out-of-tree SELinux modules in addition to the ones
|
||||
# in the refpolicy.
|
||||
REFPOLICY_EXTRA_MODULES_DIRS = \
|
||||
$(strip \
|
||||
$(call qstrip,$(BR2_REFPOLICY_EXTRA_MODULES_DIRS)) \
|
||||
$(PACKAGES_SELINUX_EXTRA_MODULES_DIRS))
|
||||
$(foreach dir,$(REFPOLICY_EXTRA_MODULES_DIRS),\
|
||||
$(if $(wildcard $(dir)),,\
|
||||
$(error BR2_REFPOLICY_EXTRA_MODULES_DIRS contains nonexistent directory $(dir))))
|
||||
|
||||
REFPOLICY_MODULES = \
|
||||
application \
|
||||
authlogin \
|
||||
getty \
|
||||
init \
|
||||
libraries \
|
||||
locallogin \
|
||||
logging \
|
||||
miscfiles \
|
||||
modutils \
|
||||
mount \
|
||||
selinuxutil \
|
||||
storage \
|
||||
sysadm \
|
||||
sysnetwork \
|
||||
unconfined \
|
||||
userdomain \
|
||||
$(PACKAGES_SELINUX_MODULES) \
|
||||
$(call qstrip,$(BR2_REFPOLICY_EXTRA_MODULES)) \
|
||||
$(foreach d,$(REFPOLICY_EXTRA_MODULES_DIRS),\
|
||||
$(basename $(notdir $(wildcard $(d)/*.te))))
|
||||
|
||||
define REFPOLICY_COPY_EXTRA_MODULES
|
||||
mkdir -p $(@D)/policy/modules/buildroot
|
||||
rsync -au $(addsuffix /*,$(REFPOLICY_EXTRA_MODULES_DIRS)) \
|
||||
$(@D)/policy/modules/buildroot/
|
||||
if [ ! -f $(@D)/policy/modules/buildroot/metadata.xml ]; then \
|
||||
echo "<summary>Buildroot extra modules</summary>" > \
|
||||
$(@D)/policy/modules/buildroot/metadata.xml; \
|
||||
fi
|
||||
endef
|
||||
|
||||
# In the context of a monolithic policy enabling a piece of the policy as
|
||||
# 'base' or 'module' is equivalent, so we enable them as 'base'.
|
||||
define REFPOLICY_CONFIGURE_MODULES
|
||||
$(SED) "s/ = module/ = no/g" $(@D)/policy/modules.conf
|
||||
$(foreach m,$(sort $(REFPOLICY_MODULES)),
|
||||
$(SED) "/^$(m) =/c\$(m) = base" $(@D)/policy/modules.conf
|
||||
)
|
||||
endef
|
||||
|
||||
endif # BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION = y
|
||||
|
||||
ifeq ($(BR2_INIT_SYSTEMD),y)
|
||||
define REFPOLICY_CONFIGURE_SYSTEMD
|
||||
$(SED) "/SYSTEMD/c\SYSTEMD = y" $(@D)/build.conf
|
||||
endef
|
||||
endif
|
||||
|
||||
define REFPOLICY_CONFIGURE_CMDS
|
||||
$(SED) "/OUTPUT_POLICY/c\OUTPUT_POLICY = $(REFPOLICY_POLICY_VERSION)" \
|
||||
$(@D)/build.conf
|
||||
$(SED) "/MONOLITHIC/c\MONOLITHIC = y" $(@D)/build.conf
|
||||
$(SED) "/NAME/c\NAME = targeted" $(@D)/build.conf
|
||||
$(REFPOLICY_CONFIGURE_SYSTEMD)
|
||||
$(if $(REFPOLICY_EXTRA_MODULES_DIRS), \
|
||||
$(REFPOLICY_COPY_EXTRA_MODULES)
|
||||
)
|
||||
$(REFPOLICY_MAKE) -C $(@D) bare conf
|
||||
$(REFPOLICY_CONFIGURE_MODULES)
|
||||
endef
|
||||
|
||||
define REFPOLICY_BUILD_CMDS
|
||||
$(REFPOLICY_MAKE) -C $(@D) policy
|
||||
endef
|
||||
|
||||
define REFPOLICY_INSTALL_STAGING_CMDS
|
||||
$(REFPOLICY_MAKE) -C $(@D) DESTDIR=$(STAGING_DIR) \
|
||||
install-src install-headers
|
||||
endef
|
||||
|
||||
define REFPOLICY_INSTALL_TARGET_CMDS
|
||||
$(REFPOLICY_MAKE) -C $(@D) DESTDIR=$(TARGET_DIR) install
|
||||
$(INSTALL) -m 0755 -D package/refpolicy/config \
|
||||
$(TARGET_DIR)/etc/selinux/config
|
||||
$(SED) "/^SELINUX=/c\SELINUX=$(REFPOLICY_POLICY_STATE)" \
|
||||
$(TARGET_DIR)/etc/selinux/config
|
||||
endef
|
||||
|
||||
$(eval $(generic-package))
|
||||
Reference in New Issue
Block a user