[yocto] [meta-selinux][RFC v2] refpolicy: Add generic refpolicy recipe and make policy type configurable.

Philip Tricca flihp at twobit.us
Wed Nov 13 12:05:53 PST 2013


This is a fix-up for my previous RFC. I've cleaned up an error with some
variable use. The intent remains the same:

This RFC is a significant departure from the way the policy packages are
currently set up. The noteworthy differences are:
1) the POLICY_TYPE variable can be set as configuration outside the policy recipe
2) a single refpolicy recipe can be used to build all 3 policy types
3) DEFAULT_POLICY from selinux-config has been changed to be the same POLICY_TYPE variable as the policy
4) refpolicy depends on the config and sets the POLICY_TYPE accordingly

This approach was taken to allow the use of a policy type beyond the default
MLS. I've left the other refpolicy-* recipes intact but if this approach is
acceptable they could be removed if we're willing to accept the limitation
that only one policy may be installed on a given image. If this limitation
isn't acceptable then they can be left as is.

After thinking about this a bit I've realized that the same effect can likely
be achieved using the virtual provider mechanism. If this approach would be
preferred I'm happy to whip up a prototype.

Comments and input would be appreciated.

Regards,
- Philip

Signed-off-by: Philip Tricca <flihp at twobit.us>
---
 .../packagegroups/packagegroup-selinux-minimal.bb      |    3 +--
 recipes-security/refpolicy/refpolicy_2.20130424.bb     |   16 ++++++++++++++++
 recipes-security/selinux/selinux-config_0.1.bb         |    4 ++--
 3 files changed, 19 insertions(+), 4 deletions(-)
 create mode 100644 recipes-security/refpolicy/refpolicy_2.20130424.bb

diff --git a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
index 072320d..af29da1 100644
--- a/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
+++ b/recipes-security/packagegroups/packagegroup-selinux-minimal.bb
@@ -13,6 +13,5 @@ ALLOW_EMPTY_${PN} = "1"
 RDEPENDS_${PN} = "\
 	policycoreutils-semodule \
 	policycoreutils-sestatus \
-	selinux-config \
-	refpolicy-mls \
+	refpolicy \
 "
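Review bot: dropping `selinux-config` from this RDEPENDS list makes the packagegroup rely on the new refpolicy recipe's `RDEPENDS_${PN} = "selinux-config"` to get /etc/selinux/config onto the image at all; since the other refpolicy-* recipes are being kept, an image that points this group (or another one) at `refpolicy-mcs` or `refpolicy-standard` instead would silently ship a policy with no config file. Either keep `selinux-config` listed explicitly in a group named "minimal", or add the same RDEPENDS to the remaining refpolicy-* recipes so the dependency holds whichever provider is chosen.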
diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.bb b/recipes-security/refpolicy/refpolicy_2.20130424.bb
new file mode 100644
index 0000000..f1fa2f8
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy_2.20130424.bb
@@ -0,0 +1,16 @@
+SUMMARY = "The SELinux reference policy."
+DESCRIPTION = "\
+This is the reference policy for the SELinux mandatory access control \
+system. There are 3 supported policy types: standard, MCS and MLS. The \
+standard policy is the most simple of the three providing the standard \
+type enforcement policy. The MCS policy adds an additional element to the \
+SELinux label called a category. Finally the MLS variant allows giving data \
+labels such as \"Top Secret\" and preventing such data from leaking to \
+processes or files with lower classification. \
+"
+
+PR = "r0"
+POLICY_TYPE ??= "mls"
+RDEPENDS_${PN} = "selinux-config"
+
+include refpolicy_${PV}.inc
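Review bot: nothing visible in this recipe consumes POLICY_TYPE; it is given a weak default at `POLICY_TYPE ??= "mls"` and then `refpolicy_${PV}.inc` is included, so whether the built policy, its install directory under /etc/selinux/ and the package contents actually follow POLICY_TYPE depends entirely on that .inc, which the patch does not show. Because the package is named `refpolicy` regardless of type, two types cannot coexist on one image (the cover letter says so); a comment above the default stating that, plus a build-time check in the .inc that POLICY_TYPE is one of standard, mcs or mls, would turn a typo into a build failure instead of an image whose SELINUXTYPE names a directory that was never installed. `PR = "r0"` is the default and can be dropped.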
diff --git a/recipes-security/selinux/selinux-config_0.1.bb b/recipes-security/selinux/selinux-config_0.1.bb
index 27d9995..066581e 100644
--- a/recipes-security/selinux/selinux-config_0.1.bb
+++ b/recipes-security/selinux/selinux-config_0.1.bb
@@ -1,4 +1,4 @@
-DEFAULT_POLICY = "mls"
+POLICY_TYPE ??= "mls"
 
 SUMMARY = "SELinux configuration"
 DESCRIPTION = "\
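Review bot: the default `POLICY_TYPE ??= "mls"` is now duplicated here and in refpolicy_2.20130424.bb with no shared source. A global setting in local.conf or the distro conf keeps both in step, but a per-recipe override (`POLICY_TYPE_pn-refpolicy = "mcs"`) changes only one of them, so SELINUXTYPE in /etc/selinux/config ends up naming a policy directory that is not installed and, with `SELINUX=enforcing` as written a few lines below, the policy load at boot fails. Define the default once in a small .inc or a distro-level conf file that both recipes include, so a single override cannot leave the two disagreeing.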
@@ -45,7 +45,7 @@ SELINUX=enforcing
 # SELINUXTYPE= can take one of these two values:
 #     standard - Standard Security protection.
 #     mls - Multi Level Security protection.
-SELINUXTYPE=${DEFAULT_POLICY}
+SELINUXTYPE=${POLICY_TYPE}
 " > ${WORKDIR}/config
 	install -d ${D}/${sysconfdir}/selinux
 	install -m 0644 ${WORKDIR}/config ${D}/${sysconfdir}/selinux/
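Review bot: the comment `# SELINUXTYPE= can take one of these two values:` still lists only standard and mls, while the refpolicy recipe in this same patch describes three types (standard, MCS, MLS); either add `mcs` here or say which set selinux-config actually supports. The value of POLICY_TYPE is also interpolated into the config unchecked, so a typo such as `POLICY_TYPE = "msl"` is only discovered on the target when the policy fails to load. A guard at the top of do_install, e.g. `case "${POLICY_TYPE}" in standard|mcs|mls) ;; *) bbfatal "unsupported POLICY_TYPE ${POLICY_TYPE}" ;; esac`, catches it at build time.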
-- 
1.7.10.4
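As an added illustration of the virtual-provider alternative raised in the cover letter (this is not the author's prototype and not code from meta-selinux), the fragments below show how the existing per-type recipes could be selected through one preferred provider. The provider name `virtual/refpolicy` is an assumption, as is the availability of `PREFERRED_RPROVIDER` in the BitBake version in use; recipe and variable names otherwise follow the patch above.

```bitbake
# Added example, not part of meta-selinux. Assumes the hypothetical provider
# name virtual/refpolicy and a BitBake that understands PREFERRED_RPROVIDER.

# --- refpolicy-mls_2.20130424.bb (and likewise refpolicy-mcs, refpolicy-standard) ---
# Each per-type recipe advertises the same virtual target, so images depend
# on the target rather than on one concrete recipe.
POLICY_TYPE = "mls"
PROVIDES += "virtual/refpolicy"
RPROVIDES_${PN} += "virtual/refpolicy"
RDEPENDS_${PN} += "selinux-config"

# --- conf/local.conf (or the distro .conf) ---
# Build-time and runtime provider must name the same recipe, and POLICY_TYPE
# must match it, otherwise SELINUXTYPE in /etc/selinux/config points at a
# policy directory that is not installed.
PREFERRED_PROVIDER_virtual/refpolicy = "refpolicy-mcs"
PREFERRED_RPROVIDER_virtual/refpolicy = "refpolicy-mcs"
POLICY_TYPE = "mcs"

# --- packagegroup-selinux-minimal.bb ---
RDEPENDS_${PN} = "\
	policycoreutils-semodule \
	policycoreutils-sestatus \
	selinux-config \
	virtual/refpolicy \
"
```

Note the cost relative to the single-recipe approach in the patch: three settings (the two PREFERRED_* lines and POLICY_TYPE) have to agree, whereas the patched refpolicy recipe needs only POLICY_TYPE. Unless selinux-config derives SELINUXTYPE from the chosen provider, the virtual-provider route gives back the mismatch problem the patch was trying to remove.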