xref: /OK3568_Linux_fs/buildroot/package/refpolicy/Config.in (revision 4882a59341e53eb6f0b4789bf948001014eff981)

config BR2_PACKAGE_REFPOLICY
	bool "refpolicy"
	depends on BR2_TOOLCHAIN_HAS_THREADS # libsepol
	# Even though libsepol is not necessary for building, we get
	# the policy version from libsepol, so we select it, and treat
	# it like a runtime dependency.
	select BR2_PACKAGE_LIBSEPOL
	help
	  The SELinux Reference Policy project (refpolicy) is a
	  complete SELinux policy that can be used as the system
	  policy for a variety of systems and used as the basis for
	  creating other policies. Reference Policy was originally
	  based on the NSA example policy, but aims to accomplish many
	  additional goals.

	  The current refpolicy does not fully support Buildroot and
	  needs modifications to work with the default system file
	  layout. These changes should be added as patches to the
	  refpolicy that modify a single SELinux policy.

	  The refpolicy works for the most part in permissive
	  mode. Only the basic set of utilities are enabled in the
	  example policy config and some of the pathing in the
	  policies is not correct.  Individual policies would need to
	  be tweaked to get everything functioning properly.

	  https://github.com/TresysTechnology/refpolicy

if BR2_PACKAGE_REFPOLICY

choice
	prompt "Refpolicy version"
	default BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION

config BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION
	bool "Upstream version"
	help
	  Use the refpolicy as provided by Buildroot.

config BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
	bool "Custom git repository"
	help
	  Allows to get the refpolicy from a custom git repository.

	  The custom refpolicy must define the full policy explicitly,
	  and must be a fork of the original refpolicy, to have the
	  same build system.  When this is selected, only the custom
	  policy definition are taken into account and all the modules
	  of the policy are built into the binary policy.

endchoice

if BR2_PACKAGE_REFPOLICY_CUSTOM_GIT

config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL
	string "URL of custom repository"

config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION
	string "Custom repository version"
	help
	  Revision to use in the typical format used by Git.
	  E.g. a sha id, tag, branch...

endif

choice
	prompt "SELinux default state"
	default BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE

config BR2_PACKAGE_REFPOLICY_POLICY_STATE_ENFORCING
	bool "Enforcing"
	help
	  SELinux security policy is enforced

config BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
	bool "Permissive"
	help
	  SELinux prints warnings instead of enforcing

config BR2_PACKAGE_REFPOLICY_POLICY_STATE_DISABLED
	bool "Disabled"
	help
	  No SELinux policy is loaded
endchoice

config BR2_PACKAGE_REFPOLICY_POLICY_STATE
	string
	default "permissive" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
	default "enforcing" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_ENFORCING
	default "disabled" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_DISABLED

if BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION

config BR2_REFPOLICY_EXTRA_MODULES_DIRS
	string "Extra modules directories"
	help
	  Specify a space-separated list of directories containing
	  SELinux modules that will be built into the SELinux
	  policy. The modules will be automatically enabled in the
	  policy.

	  Each of those directories must contain the SELinux policy
	  .fc, .if and .te files directly at the top-level, with no
	  sub-directories. Also, you cannot have several modules with
	  the same name in different directories.

config BR2_REFPOLICY_EXTRA_MODULES
	string "Extra modules to enable"
	help
	  List of extra SELinux modules to enable in the refpolicy.

endif

endif

comment "refpolicy needs a toolchain w/ threads"
	depends on !BR2_TOOLCHAIN_HAS_THREADS