| config BR2_PACKAGE_REFPOLICY |
| bool "refpolicy" |
| depends on BR2_TOOLCHAIN_HAS_THREADS # libsepol |
| # Even though libsepol is not necessary for building, we get |
| # the policy version from libsepol, so we select it, and treat |
| # it like a runtime dependency. |
| select BR2_PACKAGE_LIBSEPOL |
| help |
| The SELinux Reference Policy project (refpolicy) is a |
| complete SELinux policy that can be used as the system |
| policy for a variety of systems and used as the basis for |
| creating other policies. Reference Policy was originally |
| based on the NSA example policy, but aims to accomplish many |
| additional goals. |
| |
| The current refpolicy does not fully support Buildroot and |
| needs modifications to work with the default system file |
| layout. These changes should be added as patches to the |
| refpolicy that modify a single SELinux policy. |
| |
| The refpolicy works for the most part in permissive |
| mode. Only the basic set of utilities are enabled in the |
| example policy config and some of the pathing in the |
| policies is not correct. Individual policies would need to |
| be tweaked to get everything functioning properly. |
| |
| https://github.com/TresysTechnology/refpolicy |
| |
| if BR2_PACKAGE_REFPOLICY |
| |
| choice |
| prompt "Refpolicy version" |
| default BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION |
| |
| config BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION |
| bool "Upstream version" |
| help |
| Use the refpolicy as provided by Buildroot. |
| |
| config BR2_PACKAGE_REFPOLICY_CUSTOM_GIT |
| bool "Custom git repository" |
| help |
| Allows to get the refpolicy from a custom git repository. |
| |
| The custom refpolicy must define the full policy explicitly, |
| and must be a fork of the original refpolicy, to have the |
| same build system. When this is selected, only the custom |
| policy definition are taken into account and all the modules |
| of the policy are built into the binary policy. |
| |
| endchoice |
| |
| if BR2_PACKAGE_REFPOLICY_CUSTOM_GIT |
| |
| config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL |
| string "URL of custom repository" |
| |
| config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION |
| string "Custom repository version" |
| help |
| Revision to use in the typical format used by Git. |
| E.g. a sha id, tag, branch... |
| |
| endif |
| |
| choice |
| prompt "SELinux default state" |
| default BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE |
| |
| config BR2_PACKAGE_REFPOLICY_POLICY_STATE_ENFORCING |
| bool "Enforcing" |
| help |
| SELinux security policy is enforced |
| |
| config BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE |
| bool "Permissive" |
| help |
| SELinux prints warnings instead of enforcing |
| |
| config BR2_PACKAGE_REFPOLICY_POLICY_STATE_DISABLED |
| bool "Disabled" |
| help |
| No SELinux policy is loaded |
| endchoice |
| |
| config BR2_PACKAGE_REFPOLICY_POLICY_STATE |
| string |
| default "permissive" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE |
| default "enforcing" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_ENFORCING |
| default "disabled" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_DISABLED |
| |
| if BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION |
| |
| config BR2_REFPOLICY_EXTRA_MODULES_DIRS |
| string "Extra modules directories" |
| help |
| Specify a space-separated list of directories containing |
| SELinux modules that will be built into the SELinux |
| policy. The modules will be automatically enabled in the |
| policy. |
| |
| Each of those directories must contain the SELinux policy |
| .fc, .if and .te files directly at the top-level, with no |
| sub-directories. Also, you cannot have several modules with |
| the same name in different directories. |
| |
| config BR2_REFPOLICY_EXTRA_MODULES |
| string "Extra modules to enable" |
| help |
| List of extra SELinux modules to enable in the refpolicy. |
| |
| endif |
| |
| endif |
| |
| comment "refpolicy needs a toolchain w/ threads" |
| depends on !BR2_TOOLCHAIN_HAS_THREADS |
