11a7a0af2a
The refpolicy is configured to use a monolithic build, compiling all the available modules (whether they're 'base' or 'modules' ones) in the binary policy. The result is a quite big SELinux policy, with a lot more rules than what would be needed in a Buildroot image. Refactor the refpolicy build configuration to enable less modules by default. To achieve this, all the modules marked as being part of the 'base' policy are kept but all the modules marked as being only 'modules' are disabled. Then a static list of modules (in addition to the already selected 'base' ones) are enabled. The result is a much smaller refpolicy: tests showed a reduction of the binary policy from 2.4M to 249K (~90% smaller). This minimal set of SELinux modules should allow to boot a system in enforcing mode in the future. It currently does not work, not because extra modules are needed, but because of required changes within the selected modules. This patch would break backward compatibility as the refpolicy will no longer have all the modules provided by the project, but only those selected. This should not be an issue as this configuration was not suitable directly for a real system. Modifications had to be done. If we still find out later that this is an issue for someone, we'll have the ability to mimic what was done previously thanks to other mechanisms (such as providing the upstream policy as a "custom" policy location). Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> |
||
|---|---|---|
| arch | ||
| board | ||
| boot | ||
| configs | ||
| docs | ||
| fs | ||
| linux | ||
| package | ||
| support | ||
| system | ||
| toolchain | ||
| utils | ||
| .defconfig | ||
| .flake8 | ||
| .gitignore | ||
| .gitlab-ci.yml | ||
| CHANGES | ||
| Config.in | ||
| Config.in.legacy | ||
| COPYING | ||
| DEVELOPERS | ||
| Makefile | ||
| Makefile.legacy | ||
| README | ||
Buildroot is a simple, efficient and easy-to-use tool to generate embedded Linux systems through cross-compilation. The documentation can be found in docs/manual. You can generate a text document with 'make manual-text' and read output/docs/manual/manual.text. Online documentation can be found at http://buildroot.org/docs.html To build and use the buildroot stuff, do the following: 1) run 'make menuconfig' 2) select the target architecture and the packages you wish to compile 3) run 'make' 4) wait while it compiles 5) find the kernel, bootloader, root filesystem, etc. in output/images You do not need to be root to build or run buildroot. Have fun! Buildroot comes with a basic configuration for a number of boards. Run 'make list-defconfigs' to view the list of provided configurations. Please feed suggestions, bug reports, insults, and bribes back to the buildroot mailing list: buildroot@buildroot.org You can also find us on #buildroot on Freenode IRC. If you would like to contribute patches, please read https://buildroot.org/manual.html#submitting-patches