# Buildroot package entry for the SELinux Reference Policy.
# Everything between "if BR2_PACKAGE_REFPOLICY" and its closing "endif"
# is only visible once the package is selected.
config BR2_PACKAGE_REFPOLICY
	bool "refpolicy"
	depends on BR2_TOOLCHAIN_HAS_THREADS # libsepol
	# Even though libsepol is not necessary for building, we get
	# the policy version from libsepol, so we select it, and treat
	# it like a runtime dependency.
	select BR2_PACKAGE_LIBSEPOL
	help
	  The SELinux Reference Policy project (refpolicy) is a
	  complete SELinux policy that can be used as the system
	  policy for a variety of systems and used as the basis for
	  creating other policies. Reference Policy was originally
	  based on the NSA example policy, but aims to accomplish many
	  additional goals.

	  The current refpolicy does not fully support Buildroot and
	  needs modifications to work with the default system file
	  layout. These changes should be added as patches to the
	  refpolicy that modify a single SELinux policy.

	  The refpolicy works for the most part in permissive
	  mode. Only the basic set of utilities are enabled in the
	  example policy config and some of the pathing in the
	  policies is not correct. Individual policies would need to
	  be tweaked to get everything functioning properly.

	  https://github.com/TresysTechnology/refpolicy

if BR2_PACKAGE_REFPOLICY

# Source of the policy: the version Buildroot ships (default) or a
# user-supplied git fork. The two are mutually exclusive.
choice
	prompt "Refpolicy version"
	default BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION

config BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION
	bool "Upstream version"
	help
	  Use the refpolicy as provided by Buildroot.

# With a custom fork the whole policy definition comes from that
# repository, and every module it contains is built into the binary
# policy (see help). The fork is therefore the complete statement of
# what the target allows and should be reviewed as such.
config BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
	bool "Custom git repository"
	help
	  Allows to get the refpolicy from a custom git repository.

	  The custom refpolicy must define the full policy explicitly,
	  and must be a fork of the original refpolicy, to have the
	  same build system. When this is selected, only the custom
	  policy definition are taken into account and all the modules
	  of the policy are built into the binary policy.

endchoice

if BR2_PACKAGE_REFPOLICY_CUSTOM_GIT

# Location the policy source is fetched from. This entry has no help
# text; the value is a free-form string.
# NOTE(review): whoever controls this repository controls the policy
# that ends up in the image - prefer a repository you own or mirror.
config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL
	string "URL of custom repository"

# Any git revision is accepted (sha, tag, branch). A branch, and to a
# lesser degree a tag, can point at different content over time, so
# two builds of the same configuration may embed different policies.
# A full commit sha keeps the policy source reproducible and auditable.
# NOTE(review): confirm in the package makefile whether a hash is
# checked for custom git sources; this file does not show it.
config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION
	string "Custom repository version"
	help
	  Revision to use in the typical format used by Git.
	  E.g. a sha id, tag, branch...

endif

# Initial SELinux mode of the target. Permissive is the default: per
# the help below, violations are only reported, not blocked. An image
# that relies on SELinux as an access control has to select Enforcing
# explicitly, and the package help above says individual policies need
# tweaking before everything functions properly.
choice
	prompt "SELinux default state"
	default BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE

config BR2_PACKAGE_REFPOLICY_POLICY_STATE_ENFORCING
	bool "Enforcing"
	help
	  SELinux security policy is enforced

config BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
	bool "Permissive"
	help
	  SELinux prints warnings instead of enforcing

config BR2_PACKAGE_REFPOLICY_POLICY_STATE_DISABLED
	bool "Disabled"
	help
	  No SELinux policy is loaded
endchoice

# Promptless string that mirrors the choice above as a lower-case word.
# NOTE(review): presumably read by the package makefile to write the
# target's SELinux configuration - confirm against the .mk file.
config BR2_PACKAGE_REFPOLICY_POLICY_STATE
	string
	default "permissive" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
	default "enforcing" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_ENFORCING
	default "disabled" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_DISABLED

# The two options below exist only for the upstream version; a custom
# fork always builds all of its own modules (see its help text).
# NOTE(review): both symbols lack the BR2_PACKAGE_ prefix used by the
# rest of this file. Renaming them would break existing configurations.
if BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION

# Modules found in these directories are compiled into the policy and
# enabled automatically, so their rules become part of what the target
# permits. Treat the listed directories as policy source and review
# their contents accordingly.
config BR2_REFPOLICY_EXTRA_MODULES_DIRS
	string "Extra modules directories"
	help
	  Specify a space-separated list of directories containing
	  SELinux modules that will be built into the SELinux
	  policy. The modules will be automatically enabled in the
	  policy.

	  Each of those directories must contain the SELinux policy
	  .fc, .if and .te files directly at the top-level, with no
	  sub-directories. Also, you cannot have several modules with
	  the same name in different directories.

# Names of additional refpolicy modules to switch on.
# NOTE(review): the separator is not stated in the help text;
# presumably space-separated like the directory list above - confirm.
config BR2_REFPOLICY_EXTRA_MODULES
	string "Extra modules to enable"
	help
	  List of extra SELinux modules to enable in the refpolicy.

endif

endif

# Shown in the menu instead of the package when the toolchain has no
# thread support, explaining why refpolicy cannot be selected.
comment "refpolicy needs a toolchain w/ threads"
	depends on !BR2_TOOLCHAIN_HAS_THREADS
