NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1975c53176
kumquat-buildroot/docs/manual/integration-selinux-support.txt
Arnout Vandecappelle (Essensium/Mind) 15c972f32a docs/manual: introduce "Integration topics" chapter 
We want to add more information in the manual about how a system created
with buildroot works overall. We currently already have a chapter about
SELinux, but we want to add more information like that, e.g. details
about how systemd in Buildroot works.

Create a new chapter "Integration topics" with an introductory blurb,
and move the SELinux topic under it (as a section rather than a
chapter).

"Integration topics" is not the best title, but we couldn't find
anything better.

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
[yann.morin.1998@free.fr: remove selinux from main manual.txt]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2022-07-29 22:44:10 +02:00

75 lines
2.9 KiB
Plaintext
Raw Blame History

// -*- mode:doc; -*-
// vim: set syntax=asciidoc:
[[selinux]]
=== Using SELinux in Buildroot
https://selinuxproject.org[SELinux] is a Linux kernel security module
enforcing access control policies. In addition to the traditional file
permissions and access control lists, +SELinux+ allows to write rules
for users or processes to access specific functions of resources
(files, sockets...).
_SELinux_ has three modes of operation:
* _Disabled_: the policy is not applied
* _Permissive_: the policy is applied, and non-authorized actions are
simply logged. This mode is often used for troubleshooting SELinux
issues.
* _Enforcing_: the policy is applied, and non-authorized actions are
denied
In Buildroot the mode of operation is controlled by the
+BR2_PACKAGE_REFPOLICY_POLICY_STATE_*+ configuration options. The
Linux kernel also has various configuration options that affect how
+SELinux+ is enabled (see +security/selinux/Kconfig+ in the Linux
kernel sources).
By default in Buildroot the +SELinux+ policy is provided by the
upstream https://github.com/SELinuxProject/refpolicy[refpolicy]
project, enabled with +BR2_PACKAGE_REFPOLICY+.
[[enabling-selinux]]
==== Enabling SELinux support
To have proper support for +SELinux+ in a Buildroot generated system,
the following configuration options must be enabled:
* +BR2_PACKAGE_LIBSELINUX+
* +BR2_PACKAGE_REFPOLICY+
In addition, your filesystem image format must support extended
attributes.
[[selinux-policy-tweaking]]
==== SELinux policy tweaking
The +SELinux refpolicy+ contains modules that can be enabled or
disabled when being built. Each module provide a number of +SELinux+
rules. In Buildroot the non-base modules are disabled by default and
several ways to enable such modules are provided:
- Packages can enable a list of +SELinux+ modules within the +refpolicy+ using
the +<packagename>_SELINUX_MODULES+ variable.
- Packages can provide additional +SELinux+ modules by putting them (.fc, .if
and .te files) in +package/<packagename>/selinux/+.
- Extra +SELinux+ modules can be added in directories pointed by the
+BR2_REFPOLICY_EXTRA_MODULES_DIRS+ configuration option.
- Additional modules in the +refpolicy+ can be enabled if listed in the
+BR2_REFPOLICY_EXTRA_MODULES_DEPENDENCIES+ configuration option.
Buildroot also allows to completely override the +refpolicy+. This
allows to provide a full custom policy designed specifically for a
given system. When going this way, all of the above mechanisms are
disabled: no extra +SElinux+ module is added to the policy, and all
the available modules within the custom policy are enabled and built
into the final binary policy. The custom policy must be a fork of the
official https://github.com/SELinuxProject/refpolicy[refpolicy].
In order to fully override the +refpolicy+ the following configuration
variables have to be set:
- +BR2_PACKAGE_REFPOLICY_CUSTOM_GIT+
- +BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL+
- +BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION+
Reference in New Issue View Git Blame Copy Permalink