[OpenWrt-Devel] [PATCH packages 00/11] SELinux support: packages feed changes
thomas.petazzoni at bootlin.com
Fri Nov 22 01:55:45 PST 2019

This patch series is one part of the changes needed to bring minimal
SELinux support to OpenWrt. SELinux is a mandatory access control
Linux security module, which I assume most if not all OpenWrt users
are already familiar with. The work presented in these patch series
presents a minimal integration, in the sense that it allows to:

 (1) Build all the important SELinux components, both on the build
     system (for example to compile a SELinux policy) and on the
     target system (libselinux, policy management tools, etc.)

 (2) Set the SELinux security contexts on the files in the filesystem
     image generated by OpenWrt.

 (3) Compile the SELinux policy on the build machine, and integrate
     the compiled SELinux policy in the target filesystem.

 (4) Load at boot time the SELinux policy and enable it.

The provided SELinux policy is the default SELinux policy from the
upstream project: it has not been tuned specifically for OpenWrt.

There are two patch series for this work:

 - One for OpenWrt itself

 - One for the OpenWrt packages feed (this patch series)

This patch series brings the following changes:

 - Allow to build Busybox with SELinux support, mainly to get -Z
   option support in several commands. This requires linking against
   libselinux, which is provided in the packages feeds as part of the
   second patch series.

 - Addition of minimal SELinux support in procd, to load the SELinux
   policy at boot time. The patch has been submitted separately to
   procd, and is being discussed.

 - Addition of the fakeroot tool, which we need when generating the
   filesystem image to run the SELinux command "setfiles" that sets
   the appropriate security context for the files in the
   filesystem. It obviously requires root access, which is why it is
   executed under fakeroot.

 - Addition of support for generating a SquashFS image with the
   SELinux security contexts defined. It could be extended to other
   filesystem formats of course.

 - Add some logic to be able to enable SquashFS extended attribute
   support in the kernel configuration, as well as SELinux support.

 - Enable extended attribute support in mksquashfs.

OpenWrt packages feed changes

This patch series brings new packages for the different user-space
components of SELinux and their dependencies:

 - libselinux, including its Python bindings

These are pretty regular packages.

I'm looking forward to the feedback of the OpenWrt community on this

Thomas Petazzoni (11):
  libs/pcre: add host variant of libpcre
  libs/libsepol: new package
  libs/libselinux: new package
  utils/audit: new package
  libs/libcap-ng: new package
  libs/libsemanage: new package
  utils/policycoreutils: new package
  utils/checkpolicy: new package
  admin/refpolicy: new package
  libs/libselinux: add support for building the Python bindings
  utils/selinux-python: new package

 admin/refpolicy/Makefile                      |  78 +++++++++
 admin/refpolicy/files/selinux-config          |   7 +
 libs/libcap-ng/Makefile                       |  53 ++++++
 libs/libselinux/Makefile                      | 104 ++++++++++++
 libs/libsemanage/Makefile                     |  70 ++++++++
 libs/libsepol/Makefile                        |  65 ++++++++
 libs/pcre/Makefile                            |  11 ++
 utils/audit/Makefile                          | 125 ++++++++++++++
 utils/audit/files/audit.init                  |  16 ++
 ...tue-functions-for-strndupa-rawmemchr.patch | 133 +++++++++++++++
 utils/checkpolicy/Makefile                    |  42 +++++
 utils/policycoreutils/Makefile                |  60 +++++++
 utils/selinux-python/Makefile                 | 155 ++++++++++++++++++
 .../0001-sepolgen-adjust-data_dir.patch       |  26 +++
 ...hardcode-search-for-ausearch-in-sbin.patch |  38 +++++
 .../0003-Don-t-force-using-python3.patch      |  67 ++++++++
 16 files changed, 1050 insertions(+)
 create mode 100644 admin/refpolicy/Makefile
 create mode 100644 admin/refpolicy/files/selinux-config
 create mode 100644 libs/libcap-ng/Makefile
 create mode 100644 libs/libselinux/Makefile
 create mode 100644 libs/libsemanage/Makefile
 create mode 100644 libs/libsepol/Makefile
 create mode 100644 utils/audit/Makefile
 create mode 100644 utils/audit/files/audit.init
 create mode 100644 utils/audit/patches/0001-Add-substitue-functions-for-strndupa-rawmemchr.patch
 create mode 100644 utils/checkpolicy/Makefile
 create mode 100644 utils/policycoreutils/Makefile
 create mode 100644 utils/selinux-python/Makefile
 create mode 100644 utils/selinux-python/patches/0001-sepolgen-adjust-data_dir.patch
 create mode 100644 utils/selinux-python/patches/0002-sepolgen-don-t-hardcode-search-for-ausearch-in-sbin.patch
 create mode 100644 utils/selinux-python/patches/0003-Don-t-force-using-python3.patch