// -*- mode:doc; -*-
// vim: set syntax=asciidoc:

[[selinux]]
== Using SELinux in Buildroot

https://selinuxproject.org[SELinux] is a Linux kernel security module
enforcing access control policies. In addition to the traditional file
permissions and access control lists, +SELinux+ allows writing rules
for users or processes to access specific functions of resources
(files, sockets...).

_SELinux_ has three modes of operation:

* _Disabled_: the policy is not applied
* _Permissive_: the policy is applied, and non-authorized actions are
  simply logged. This mode is often used for troubleshooting SELinux
  issues.
* _Enforcing_: the policy is applied, and non-authorized actions are
  denied

In Buildroot the mode of operation is controlled by the
+BR2_PACKAGE_REFPOLICY_POLICY_STATE_*+ configuration options. The
Linux kernel also has various configuration options that affect how
+SELinux+ is enabled (see +security/selinux/Kconfig+ in the Linux
kernel sources).

By default in Buildroot the +SELinux+ policy is provided by the
upstream https://github.com/SELinuxProject/refpolicy[refpolicy]
project, enabled with +BR2_PACKAGE_REFPOLICY+.

[[enabling-selinux]]
=== Enabling SELinux support

To have proper support for +SELinux+ in a Buildroot generated system,
the following configuration options must be enabled:

* +BR2_PACKAGE_LIBSELINUX+
* +BR2_PACKAGE_REFPOLICY+

In addition, your filesystem image format must support extended
attributes.

[[selinux-policy-tweaking]]
=== SELinux policy tweaking

The +SELinux refpolicy+ contains modules that can be enabled or
disabled when being built. Each module provides a number of +SELinux+
rules. In Buildroot the non-base modules are disabled by default and
several ways to enable such modules are provided:

- Packages can enable a list of +SELinux+ modules within the +refpolicy+ using
  the +<packagename>_SELINUX_MODULES+ variable.
- Packages can provide additional +SELinux+ modules by putting them (.fc, .if
  and .te files) in +package/<packagename>/selinux/+.
- Extra +SELinux+ modules can be added in directories pointed to by the
  +BR2_REFPOLICY_EXTRA_MODULES_DIRS+ configuration option.
- Additional modules in the +refpolicy+ can be enabled if listed in the
  +BR2_REFPOLICY_EXTRA_MODULES_DEPENDENCIES+ configuration option.

Buildroot also allows completely overriding the +refpolicy+. This
allows providing a full custom policy designed specifically for a
given system. When going this way, all of the above mechanisms are
disabled: no extra +SELinux+ module is added to the policy, and all
the available modules within the custom policy are enabled and built
into the final binary policy. The custom policy must be a fork of the
official https://github.com/SELinuxProject/refpolicy[refpolicy].

In order to fully override the +refpolicy+ the following configuration
variables have to be set:

- +BR2_PACKAGE_REFPOLICY_CUSTOM_GIT+
- +BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL+
- +BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION+
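The first two per-package mechanisms above (enabling refpolicy modules through +<packagename>_SELINUX_MODULES+, and shipping a package's own .fc/.if/.te module under +package/<packagename>/selinux/+) are illustrated by the following added example script. It is not part of Buildroot or of the manual: it scaffolds a hypothetical package called +mydaemon+ with a minimal refpolicy-style module (a confined daemon domain with its own executable and configuration file types), then checks the layout the build relies on, in particular that the name given to +policy_module()+ matches the .te file's basename. The package name, the type names, the paths in the file-contexts file and the choice of +dbus+ as the refpolicy module the daemon needs are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Buildroot's own code. Scaffold and check the SELinux
# pieces of a hypothetical Buildroot package ("mydaemon" below is constructed).
set -eu

# scaffold_selinux_pkg <buildroot-tree> <packagename>
# Creates package/<pkg>/selinux/{te,fc,if} and a package .mk fragment.
scaffold_selinux_pkg() {
    tree=$1; pkg=$2
    pkgdir="$tree/package/$pkg"
    mkdir -p "$pkgdir/selinux"

    # Type enforcement: a daemon domain entered from its executable type,
    # allowed to read its own configuration files. init_daemon_domain,
    # files_config_file and read_file_perms are refpolicy macros.
    cat > "$pkgdir/selinux/$pkg.te" <<EOF
policy_module($pkg, 1.0.0)

type ${pkg}_t;
type ${pkg}_exec_t;
init_daemon_domain(${pkg}_t, ${pkg}_exec_t)

type ${pkg}_conf_t;
files_config_file(${pkg}_conf_t)

allow ${pkg}_t ${pkg}_conf_t:file read_file_perms;
EOF

    # File contexts: which on-disk paths receive the types declared above
    # (paths are assumptions for this example).
    cat > "$pkgdir/selinux/$pkg.fc" <<EOF
/usr/bin/$pkg      --  gen_context(system_u:object_r:${pkg}_exec_t,s0)
/etc/$pkg(/.*)?        gen_context(system_u:object_r:${pkg}_conf_t,s0)
EOF

    # Interface file: refpolicy expects one per module, even a near-empty one.
    cat > "$pkgdir/selinux/$pkg.if" <<EOF
## <summary>Policy for the $pkg daemon (constructed example).</summary>
EOF

    # Package .mk: ask Buildroot to enable an upstream refpolicy module the
    # daemon depends on. "dbus" is an assumed dependency for this example.
    upper=$(printf '%s' "$pkg" | tr 'a-z' 'A-Z')
    cat > "$pkgdir/$pkg.mk" <<EOF
${upper}_SELINUX_MODULES = dbus
EOF
}

# check_selinux_layout <buildroot-tree> <packagename>
# Returns 0 when the three module files exist and the module name declared
# in policy_module() equals the .te basename; prints the problem otherwise.
check_selinux_layout() {
    tree=$1; pkg=$2
    sdir="$tree/package/$pkg/selinux"
    for ext in te fc if; do
        [ -f "$sdir/$pkg.$ext" ] || { echo "missing $pkg.$ext"; return 1; }
    done
    declared=$(sed -n 's/^policy_module(\([^,]*\),.*/\1/p' "$sdir/$pkg.te")
    [ "$declared" = "$pkg" ] || { echo "module name '$declared' != '$pkg'"; return 1; }
    return 0
}

# list_enabled_refpolicy_modules <buildroot-tree> <packagename>
# Prints the refpolicy modules the package's .mk enables.
list_enabled_refpolicy_modules() {
    tree=$1; pkg=$2
    upper=$(printf '%s' "$pkg" | tr 'a-z' 'A-Z')
    sed -n "s/^${upper}_SELINUX_MODULES *= *//p" "$tree/package/$pkg/$pkg.mk"
}

# Usage: build the scaffold in a scratch tree and inspect it.
demo_tree=$(mktemp -d)
scaffold_selinux_pkg "$demo_tree" mydaemon
check_selinux_layout "$demo_tree" mydaemon && echo "mydaemon: SELinux layout OK"
echo "refpolicy modules enabled: $(list_enabled_refpolicy_modules "$demo_tree" mydaemon)"
rm -rf "$demo_tree"
```

The package's own module is not listed in +MYDAEMON_SELINUX_MODULES+: that variable names modules that already exist in the refpolicy, while the files under +package/mydaemon/selinux/+ are the package's additional module. Keeping the name in +policy_module()+ equal to the file name matters because the module is installed under the declared name, and a mismatch makes the resulting policy hard to audit.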