docs/manual/selinux-support.txt - buildroot - Git at Google

 // -*- mode:doc; -*-
 // vim: set syntax=asciidoc:

 [[selinux]]
 == Using SELinux in Buildroot

 https://selinuxproject.org[SELinux] is a Linux kernel security module
 enforcing access control policies. In addition to the traditional file
 permissions and access control lists, +SELinux+ allows to write rules
 for users or processes to access specific functions of resources
 (files, sockets...).

 _SELinux_ has three modes of operation:

 * _Disabled_: the policy is not applied
 * _Permissive_: the policy is applied, and non-authorized actions are
   simply logged. This mode is often used for troubleshooting SELinux
   issues.
 * _Enforcing_: the policy is applied, and non-authorized actions are
   denied

 In Buildroot the mode of operation is controlled by the
 +BR2_PACKAGE_REFPOLICY_POLICY_STATE_*+ configuration options. The
 Linux kernel also has various configuration options that affect how
 +SELinux+ is enabled (see +security/selinux/Kconfig+ in the Linux
 kernel sources).

 By default in Buildroot the +SELinux+ policy is provided by the
 upstream https://github.com/SELinuxProject/refpolicy[refpolicy]
 project, enabled with +BR2_PACKAGE_REFPOLICY+.

 [[enabling-selinux]]
 === Enabling SELinux support

 To have proper support for +SELinux+ in a Buildroot generated system,
 the following configuration options must be enabled:

 * +BR2_PACKAGE_LIBSELINUX+
 * +BR2_PACKAGE_REFPOLICY+

 In addition, your filesystem image format must support extended
 attributes.

 [[selinux-policy-tweaking]]
 === SELinux policy tweaking

 The +SELinux refpolicy+ contains modules that can be enabled or
 disabled when being built. Each module provide a number of +SELinux+
 rules. In Buildroot the non-base modules are disabled by default and
 several ways to enable such modules are provided:

 - Packages can enable a list of +SELinux+ modules within the +refpolicy+ using
   the +<packagename>_SELINUX_MODULES+ variable.
 - Packages can provide additional +SELinux+ modules by putting them (.fc, .if
   and .te files) in +package/<packagename>/selinux/+.
 - Extra +SELinux+ modules can be added in directories pointed by the
   +BR2_REFPOLICY_EXTRA_MODULES_DIRS+ configuration option.
 - Additional modules in the +refpolicy+ can be enabled if listed in the
   +BR2_REFPOLICY_EXTRA_MODULES_DEPENDENCIES+ configuration option.

 Buildroot also allows to completely override the +refpolicy+. This
 allows to provide a full custom policy designed specifically for a
 given system. When going this way, all of the above mechanisms are
 disabled: no extra +SElinux+ module is added to the policy, and all
 the available modules within the custom policy are enabled and built
 into the final binary policy. The custom policy must be a fork of the
 official https://github.com/SELinuxProject/refpolicy[refpolicy].

 In order to fully override the +refpolicy+ the following configuration
 variables have to be set:

 - +BR2_PACKAGE_REFPOLICY_CUSTOM_GIT+
 - +BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL+
 - +BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION+
	// -- mode:doc; --
	// vim: set syntax=asciidoc:

	[[selinux]]
	== Using SELinux in Buildroot

	https://selinuxproject.org[SELinux] is a Linux kernel security module
	enforcing access control policies. In addition to the traditional file
	permissions and access control lists, +SELinux+ allows to write rules
	for users or processes to access specific functions of resources
	(files, sockets...).

	_SELinux_ has three modes of operation:

	* _Disabled_: the policy is not applied
	* _Permissive_: the policy is applied, and non-authorized actions are
	simply logged. This mode is often used for troubleshooting SELinux
	issues.
	* _Enforcing_: the policy is applied, and non-authorized actions are
	denied

	In Buildroot the mode of operation is controlled by the
	+BR2_PACKAGE_REFPOLICY_POLICY_STATE_*+ configuration options. The
	Linux kernel also has various configuration options that affect how
	+SELinux+ is enabled (see +security/selinux/Kconfig+ in the Linux
	kernel sources).

	By default in Buildroot the +SELinux+ policy is provided by the
	upstream https://github.com/SELinuxProject/refpolicy[refpolicy]
	project, enabled with +BR2_PACKAGE_REFPOLICY+.

	[[enabling-selinux]]
	=== Enabling SELinux support

	To have proper support for +SELinux+ in a Buildroot generated system,
	the following configuration options must be enabled:

	* +BR2_PACKAGE_LIBSELINUX+
	* +BR2_PACKAGE_REFPOLICY+

	In addition, your filesystem image format must support extended
	attributes.

	[[selinux-policy-tweaking]]
	=== SELinux policy tweaking

	The +SELinux refpolicy+ contains modules that can be enabled or
	disabled when being built. Each module provide a number of +SELinux+
	rules. In Buildroot the non-base modules are disabled by default and
	several ways to enable such modules are provided:

	- Packages can enable a list of +SELinux+ modules within the +refpolicy+ using
	the +<packagename>_SELINUX_MODULES+ variable.
	- Packages can provide additional +SELinux+ modules by putting them (.fc, .if
	and .te files) in +package/<packagename>/selinux/+.
	- Extra +SELinux+ modules can be added in directories pointed by the
	+BR2_REFPOLICY_EXTRA_MODULES_DIRS+ configuration option.
	- Additional modules in the +refpolicy+ can be enabled if listed in the
	+BR2_REFPOLICY_EXTRA_MODULES_DEPENDENCIES+ configuration option.

	Buildroot also allows to completely override the +refpolicy+. This
	allows to provide a full custom policy designed specifically for a
	given system. When going this way, all of the above mechanisms are
	disabled: no extra +SElinux+ module is added to the policy, and all
	the available modules within the custom policy are enabled and built
	into the final binary policy. The custom policy must be a fork of the
	official https://github.com/SELinuxProject/refpolicy[refpolicy].

	In order to fully override the +refpolicy+ the following configuration
	variables have to be set:

	- +BR2_PACKAGE_REFPOLICY_CUSTOM_GIT+
	- +BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL+
	- +BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION+