NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
c5258ce271
kumquat-buildroot/package/refpolicy/Config.in
Yann E. MORIN c20b2ae4ec package/openssh: fix dependencies with refpolicy 
Commit 2c5a82a29c (package/openssh: select linux-pam if refpolicy
upstream is selected) did not account for the linux-pam dependencies
before selecting it, causing unmet dependencies warnings (unfortunately,
not errors), such as:

    $ KCONFIG_SEED=0xCF227CF4 make randconfig
    WARNING: unmet direct dependencies detected for BR2_PACKAGE_LINUX_PAM
      Depends on [n]: BR2_ENABLE_LOCALE [=n] && BR2_USE_WCHAR [=n] && !BR2_STATIC_LIBS [=n] && BR2_USE_MMU [=y] && BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 [=y]
      Selected by [y]:
      - BR2_PACKAGE_OPENSSH [=y] && BR2_USE_MMU [=y] && BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION [=y]

2c5a82a29c made the choice of having openssl bear the responsibility
to select linux-pam when the upstream refpolicy version was enabled.
Semantically however, the responsibility really lies within refpolicy
itself, since that's what imposes linux-pam to openssh.

Move the select to refpolicy and drop it from openssh. Then, ensure that
linux-pam is only selected when it is available.

That means that one may get an openssh that is not linked against
linux-pam, when the linux-pam dependencies are not met; refpolicy (by
way of libsepol) also has a more stringent requirement on gcc version
than linux-pam, so most probably the missing dependencies would be
locale, wchar, or a static build. We consider that situation to be a
corner case that we do not want to address.

In the future, we may have more similar situations, whereby refpolicy
would impose other packages be linked with otherwise optional
dependencies. If (when) that were (will be) the case, then the proposed
mechanism would quickly become ugly; we could then re-assess a nicer way
to do that. Until then, this is good ebough.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Adam Duskett <adam.duskett@amarulasolutions.com>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2024-02-28 12:23:57 +01:00

130 lines
4.1 KiB
Plaintext
Raw Blame History

config BR2_PACKAGE_REFPOLICY
bool "refpolicy"
depends on BR2_TOOLCHAIN_HAS_THREADS # libsepol
depends on BR2_TOOLCHAIN_GCC_AT_LEAST_5 # libsepol
depends on BR2_HOST_GCC_AT_LEAST_5 # host-setools -> host-libsepol
# Even though libsepol is not necessary for building, we get
# the policy version from libsepol, so we select it, and treat
# it like a runtime dependency.
select BR2_PACKAGE_LIBSEPOL
help
The SELinux Reference Policy project (refpolicy) is a
complete SELinux policy that can be used as the system
policy for a variety of systems and used as the basis for
creating other policies. Reference Policy was originally
based on the NSA example policy, but aims to accomplish many
additional goals.
The current refpolicy does not fully support Buildroot and
needs modifications to work with the default system file
layout. These changes should be added as patches to the
refpolicy that modify a single SELinux policy.
The refpolicy works for the most part in permissive
mode. Only the basic set of utilities are enabled in the
example policy config and some of the pathing in the
policies is not correct. Individual policies would need to
be tweaked to get everything functioning properly.
https://github.com/TresysTechnology/refpolicy
if BR2_PACKAGE_REFPOLICY
choice
prompt "Refpolicy version"
default BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION
config BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION
bool "Upstream version"
# Consider reworking the following when adding new entries:
# Upstream refpolicy for openssh expects linux-pam to be used
select BR2_PACKAGE_LINUX_PAM if BR2_PACKAGE_OPENSSH \
&& BR2_USE_MMU \
&& BR2_ENABLE_LOCALE \
&& BR2_USE_WCHAR \
&& !BR2_STATIC_LIBS \
&& BR2_TOOLCHAIN_GCC_AT_LEAST_4_9
help
Use the refpolicy as provided by Buildroot.
config BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
bool "Custom git repository"
help
Allows to get the refpolicy from a custom git repository.
The custom refpolicy must define the full policy explicitly,
and must be a fork of the original refpolicy, to have the
same build system. When this is selected, only the custom
policy definition are taken into account and all the modules
of the policy are built into the binary policy.
endchoice
if BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL
string "URL of custom repository"
config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION
string "Custom repository version"
help
Revision to use in the typical format used by Git.
E.g. a sha id, tag, branch...
endif
choice
prompt "SELinux default state"
default BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
config BR2_PACKAGE_REFPOLICY_POLICY_STATE_ENFORCING
bool "Enforcing"
help
SELinux security policy is enforced
config BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
bool "Permissive"
help
SELinux prints warnings instead of enforcing
config BR2_PACKAGE_REFPOLICY_POLICY_STATE_DISABLED
bool "Disabled"
help
No SELinux policy is loaded
endchoice
config BR2_PACKAGE_REFPOLICY_POLICY_STATE
string
default "permissive" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
default "enforcing" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_ENFORCING
default "disabled" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_DISABLED
if BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION
config BR2_REFPOLICY_EXTRA_MODULES_DIRS
string "Extra modules directories"
help
Specify a space-separated list of directories containing
SELinux modules that will be built into the SELinux
policy. The modules will be automatically enabled in the
policy.
Each of those directories must contain the SELinux policy
.fc, .if and .te files directly at the top-level, with no
sub-directories. Also, you cannot have several modules with
the same name in different directories.
config BR2_REFPOLICY_EXTRA_MODULES
string "Extra modules to enable"
help
List of extra SELinux modules to enable in the refpolicy.
endif
endif
comment "refpolicy needs a toolchain w/ threads, gcc >= 5, host gcc >= 5"
depends on !BR2_TOOLCHAIN_HAS_THREADS || \
!BR2_TOOLCHAIN_GCC_AT_LEAST_5 || \
!BR2_HOST_GCC_AT_LEAST_5
Reference in New Issue View Git Blame Copy Permalink