[OpenWrt-Devel] [PATCH packages 00/11] SELinux support: packages feed changes
Jan Pavlinec
jan.pavlinec at nic.cz
Thu Nov 28 06:35:36 EST 2019
Hi,
I really like the idea of SELinux support in OpenWrt, but I think that
if you send these patches directly to
https://github.com/openwrt/packages/ they will receive more attention
than here on the mailing list.
J.P.
On 22. 11. 19 at 10:55, Thomas Petazzoni wrote:
> Hello,
>
> This patch series is one part of the changes needed to bring minimal
> SELinux support to OpenWrt. SELinux is a mandatory access control
> Linux security module, which I assume most if not all OpenWrt users
> are already familiar with. The work presented in these patch series
> presents a minimal integration, in the sense that it allows to:
>
> (1) Build all the important SELinux components, both on the build
> system (for example to compile a SELinux policy) and on the
> target system (libselinux, policy management tools, etc.)
>
> (2) Set the SELinux security contexts on the files in the filesystem
> image generated by OpenWrt.
>
> (3) Compile the SELinux policy on the build machine, and integrate
> the compiled SELinux policy in the target filesystem.
>
> (4) Load at boot time the SELinux policy and enable it.
>
> The provided SELinux policy is the default SELinux policy from the
> upstream project: it has not been tuned specifically for OpenWrt.
>
> There are two patch series for this work:
>
> - One for OpenWrt itself
>
> - One for the OpenWrt packages feed (this patch series)
>
> OpenWrt changes
> ===============
>
> This patch series brings the following changes:
>
> - Allow to build Busybox with SELinux support, mainly to get -Z
> option support in several commands. This requires linking against
> libselinux, which is provided in the packages feeds as part of the
> second patch series.
>
> - Addition of minimal SELinux support in procd, to load the SELinux
> policy at boot time. The patch has been submitted separately to
> procd, and is being discussed.
>
> - Addition of the fakeroot tool, which we need when generating the
> filesystem image to run the SELinux command "setfiles" that sets
> the appropriate security context for the files in the
> filesystem. It obviously requires root access, which is why it is
> executed under fakeroot.
>
> - Addition of support for generating a SquashFS image with the
> SELinux security contexts defined. It could be extended to other
> filesystem formats of course.
>
> - Add some logic to be able to enable SquashFS extended attribute
> support in the kernel configuration, as well as SELinux support.
>
> - Enable extended attribute support in mksquashfs.
>
> OpenWrt packages feed changes
> =============================
>
> This patch series brings new packages for the different user-space
> components of SELinux and their dependencies:
>
> - libsepol
> - libselinux, including its Python bindings
> - audit
> - libcap-ng
> - libsemanage
> - policycoreutils
> - checkpolicy
> - refpolicy
> - selinux-python
>
> These are pretty regular packages.
>
> I'm looking forward to the feedback of the OpenWrt community on this
> proposal.
>
> Best regards,
>
> Thomas Petazzoni
>
>
>
> Thomas Petazzoni (11):
> libs/pcre: add host variant of libpcre
> libs/libsepol: new package
> libs/libselinux: new package
> utils/audit: new package
> libs/libcap-ng: new package
> libs/libsemanage: new package
> utils/policycoreutils: new package
> utils/checkpolicy: new package
> admin/refpolicy: new package
> libs/libselinux: add support for building the Python bindings
> utils/selinux-python: new package
>
> admin/refpolicy/Makefile | 78 +++++++++
> admin/refpolicy/files/selinux-config | 7 +
> libs/libcap-ng/Makefile | 53 ++++++
> libs/libselinux/Makefile | 104 ++++++++++++
> libs/libsemanage/Makefile | 70 ++++++++
> libs/libsepol/Makefile | 65 ++++++++
> libs/pcre/Makefile | 11 ++
> utils/audit/Makefile | 125 ++++++++++++++
> utils/audit/files/audit.init | 16 ++
> ...tue-functions-for-strndupa-rawmemchr.patch | 133 +++++++++++++++
> utils/checkpolicy/Makefile | 42 +++++
> utils/policycoreutils/Makefile | 60 +++++++
> utils/selinux-python/Makefile | 155 ++++++++++++++++++
> .../0001-sepolgen-adjust-data_dir.patch | 26 +++
> ...hardcode-search-for-ausearch-in-sbin.patch | 38 +++++
> .../0003-Don-t-force-using-python3.patch | 67 ++++++++
> 16 files changed, 1050 insertions(+)
> create mode 100644 admin/refpolicy/Makefile
> create mode 100644 admin/refpolicy/files/selinux-config
> create mode 100644 libs/libcap-ng/Makefile
> create mode 100644 libs/libselinux/Makefile
> create mode 100644 libs/libsemanage/Makefile
> create mode 100644 libs/libsepol/Makefile
> create mode 100644 utils/audit/Makefile
> create mode 100644 utils/audit/files/audit.init
> create mode 100644 utils/audit/patches/0001-Add-substitue-functions-for-strndupa-rawmemchr.patch
> create mode 100644 utils/checkpolicy/Makefile
> create mode 100644 utils/policycoreutils/Makefile
> create mode 100644 utils/selinux-python/Makefile
> create mode 100644 utils/selinux-python/patches/0001-sepolgen-adjust-data_dir.patch
> create mode 100644 utils/selinux-python/patches/0002-sepolgen-don-t-hardcode-search-for-ausearch-in-sbin.patch
> create mode 100644 utils/selinux-python/patches/0003-Don-t-force-using-python3.patch
>
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel