[yocto] [meta-selinux][PATCH 4/4] refpolicy: add minimum targeted policy
wenzong.fan at windriver.com
wenzong.fan at windriver.com
Mon Mar 24 18:07:50 PDT 2014
From: Wenzong Fan <wenzong.fan at windriver.com>
This is a minimum targeted policy with just core policy modules, and
could be used as a base for customizing targeted policy.
Pretty much everything runs as initrc_t or unconfined_t so all of the
domains are unconfined.
Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
---
.../refpolicy/refpolicy-minimum_2.20130424.bb | 46 ++++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100644 recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb
diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb
new file mode 100644
index 0000000..e904810
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb
@@ -0,0 +1,46 @@
+include refpolicy-targeted_${PV}.bb
+
+SUMMARY = "SELinux minimum policy"
+DESCRIPTION = "\
+This is a minimum reference policy with just core policy modules, and \
+could be used as a base for customizing targeted policy. \
+Pretty much everything runs as initrc_t or unconfined_t so all of the \
+domains are unconfined. \
+"
+
+POLICY_NAME = "minimum"
+
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:${THISDIR}/refpolicy-${PV}:${THISDIR}/refpolicy-targeted:"
+
+CORE_POLICY_MODULES = "unconfined \
+ selinuxutil storage sysnetwork \
+ application libraries miscfiles logging userdomain \
+ init mount modutils getty authlogin locallogin \
+ "
+
+# nscd caches libc-issued requests to the name service.
+# Without nscd.pp, commands want to use these caches will be blocked.
+EXTRA_POLICY_MODULES += "nscd"
+
+# pam_mail module enables checking and display of mailbox status upon
+# "login", so "login" process will access to /var/spool/mail.
+EXTRA_POLICY_MODULES += "mta"
+
+POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
+
+prepare_policy_store () {
+ oe_runmake install \
+ DESTDIR=${D}
+
+ # Prepare to create policy store
+ mkdir -p ${D}${sysconfdir}/selinux/
+ mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/policy
+ mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules
+ mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files
+ bzip2 -c ${D}${datadir}/selinux/${POLICY_NAME}/base.pp > \
+ ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
+ for i in ${POLICY_MODULES_MIN}; do
+ bzip2 -c ${D}${datadir}/selinux/${POLICY_NAME}/$i.pp > \
+ ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/$i.pp
+ done
+}
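Review bot: The first line of the new recipe pulls in the targeted recipe with `include refpolicy-targeted_${PV}.bb`, and BitBake's `include` does not raise an error when the file cannot be found. This recipe appears to rely on that file for everything beyond the module list, so `require refpolicy-targeted_${PV}.bb` would make a missing or renamed base recipe fail at parse time. In `prepare_policy_store`, each `bzip2 -c … > …` redirection creates the destination file before bzip2 runs, so a name in `POLICY_MODULES_MIN` with no built `.pp` would leave an empty module in the policy store unless the task aborts on the first failure, which the hunk itself does not show. An explicit guard in the loop, `[ -f ${D}${datadir}/selinux/${POLICY_NAME}/$i.pp ] || bbfatal "policy module $i was not built"`, would make that failure visible. A comment above `CORE_POLICY_MODULES` would also help, stating that `unconfined` is included on purpose and that the resulting policy confines almost nothing until it is customized.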
--
1.7.9.5