2020-07-31 12:10:40 +02:00
|
|
|
// -*- mode:doc; -*-
|
|
|
|
// vim: set syntax=asciidoc:
|
|
|
|
|
|
|
|
[[selinux]]
|
2022-07-28 00:12:16 +02:00
|
|
|
=== Using SELinux in Buildroot
|
2020-07-31 12:10:40 +02:00
|
|
|
|
|
|
|
https://selinuxproject.org[SELinux] is a Linux kernel security module
|
|
|
|
enforcing access control policies. In addition to the traditional file
|
|
|
|
permissions and access control lists, +SELinux+ allows to write rules
|
|
|
|
for users or processes to access specific functions of resources
|
|
|
|
(files, sockets...).
|
|
|
|
|
|
|
|
_SELinux_ has three modes of operation:
|
|
|
|
|
|
|
|
* _Disabled_: the policy is not applied
|
|
|
|
* _Permissive_: the policy is applied, and non-authorized actions are
|
|
|
|
simply logged. This mode is often used for troubleshooting SELinux
|
|
|
|
issues.
|
|
|
|
* _Enforcing_: the policy is applied, and non-authorized actions are
|
|
|
|
denied
|
|
|
|
|
|
|
|
In Buildroot the mode of operation is controlled by the
|
|
|
|
+BR2_PACKAGE_REFPOLICY_POLICY_STATE_*+ configuration options. The
|
|
|
|
Linux kernel also has various configuration options that affect how
|
|
|
|
+SELinux+ is enabled (see +security/selinux/Kconfig+ in the Linux
|
|
|
|
kernel sources).
|
|
|
|
|
|
|
|
By default in Buildroot the +SELinux+ policy is provided by the
|
|
|
|
upstream https://github.com/SELinuxProject/refpolicy[refpolicy]
|
|
|
|
project, enabled with +BR2_PACKAGE_REFPOLICY+.
|
|
|
|
|
|
|
|
[[enabling-selinux]]
|
2022-07-28 00:12:16 +02:00
|
|
|
==== Enabling SELinux support
|
2020-07-31 12:10:40 +02:00
|
|
|
|
|
|
|
To have proper support for +SELinux+ in a Buildroot generated system,
|
|
|
|
the following configuration options must be enabled:
|
|
|
|
|
|
|
|
* +BR2_PACKAGE_LIBSELINUX+
|
|
|
|
* +BR2_PACKAGE_REFPOLICY+
|
|
|
|
|
|
|
|
In addition, your filesystem image format must support extended
|
|
|
|
attributes.
|
|
|
|
|
|
|
|
[[selinux-policy-tweaking]]
|
2022-07-28 00:12:16 +02:00
|
|
|
==== SELinux policy tweaking
|
2020-07-31 12:10:40 +02:00
|
|
|
|
|
|
|
The +SELinux refpolicy+ contains modules that can be enabled or
|
|
|
|
disabled when being built. Each module provide a number of +SELinux+
|
|
|
|
rules. In Buildroot the non-base modules are disabled by default and
|
|
|
|
several ways to enable such modules are provided:
|
|
|
|
|
|
|
|
- Packages can enable a list of +SELinux+ modules within the +refpolicy+ using
|
|
|
|
the +<packagename>_SELINUX_MODULES+ variable.
|
|
|
|
- Packages can provide additional +SELinux+ modules by putting them (.fc, .if
|
|
|
|
and .te files) in +package/<packagename>/selinux/+.
|
|
|
|
- Extra +SELinux+ modules can be added in directories pointed by the
|
|
|
|
+BR2_REFPOLICY_EXTRA_MODULES_DIRS+ configuration option.
|
|
|
|
- Additional modules in the +refpolicy+ can be enabled if listed in the
|
|
|
|
+BR2_REFPOLICY_EXTRA_MODULES_DEPENDENCIES+ configuration option.
|
|
|
|
|
|
|
|
Buildroot also allows to completely override the +refpolicy+. This
|
|
|
|
allows to provide a full custom policy designed specifically for a
|
|
|
|
given system. When going this way, all of the above mechanisms are
|
|
|
|
disabled: no extra +SElinux+ module is added to the policy, and all
|
|
|
|
the available modules within the custom policy are enabled and built
|
|
|
|
into the final binary policy. The custom policy must be a fork of the
|
|
|
|
official https://github.com/SELinuxProject/refpolicy[refpolicy].
|
|
|
|
|
|
|
|
In order to fully override the +refpolicy+ the following configuration
|
|
|
|
variables have to be set:
|
|
|
|
|
|
|
|
- +BR2_PACKAGE_REFPOLICY_CUSTOM_GIT+
|
|
|
|
- +BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL+
|
|
|
|
- +BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION+
|