Support SELinux labels for built packages

[aparcar]

This PR touches various bits, ultimately allowing to have SELinux file contexts in packages if CONFIG_ROOTFS_SECURITY_LABELS is enabled.

[aparcar]

@flyn-org @tpetazzoni please test this PR if you have the time.

[dhewg]

tar needs a PKG_CONFIG_DEPENDS:=CONFIG_TARGET_ROOTFS_SECURITY_LABELS, so that it gets rebuild if one flips the switch

[flyn-org]

My initial attempt to build caused the following. Perhaps something is building out-of-order?

install -d -m0755 /home/mike/Source/aq/aquinas/aquinas-projects/selinux/openwrt-selinux/bin/targets/x86/64/packages
/home/mike/Source/aq/aquinas/aquinas-projects/selinux/openwrt-selinux/staging_dir/host/bin/fakeroot -l /home/mike/Source/aq/aquinas/aquinas-projects/selinux/openwrt-selinux/staging_dir/host/lib/libfakeroot.so -f /home/mike/Source/aq/aquinas/aquinas-projects/selinux/openwrt-selinux/staging_dir/host/bin/faked /home/mike/Source/aq/aquinas/aquinas-projects/selinux/openwrt-selinux/scripts/ipkg-build -m "" -c "/home/mike/Source/aq/aquinas/aquinas-projects/selinux/openwrt-selinux/staging_dir/hostpkg/etc/selinux/targeted/contexts/files/file_contexts" /home/mike/Source/aq/aquinas/aquinas-projects/selinux/openwrt-selinux/build_dir/target-x86_64_musl/toolchain/ipkg-x86_64/libgcc /home/mike/Source/aq/aquinas/aquinas-projects/selinux/openwrt-selinux/bin/targets/x86/64/packages
/home/mike/Source/aq/aquinas/aquinas-projects/selinux/openwrt-selinux/staging_dir/hostpkg/etc/selinux/targeted/contexts/files/file_contexts: No such file or directory
make[3]: *** [Makefile:764: /home/mike/Source/aq/aquinas/aquinas-projects/selinux/openwrt-selinux/bin/targets/x86/64/packages/libgcc1_8.4.0-2_x86_64.ipk] Error 255
make[3]: Leaving directory '/home/mike/Source/aq/aquinas/aquinas-projects/selinux/openwrt-selinux/package/libs/toolchain'
time: package/libs/toolchain/compile#0.13#0.16#0.28
make[2]: *** [package/Makefile:113: package/libs/toolchain/compile] Error 2
make[2]: Leaving directory '/home/mike/Source/aq/aquinas/aquinas-projects/selinux/openwrt-selinux'
make[1]: *** [package/Makefile:107: /home/mike/Source/aq/aquinas/aquinas-projects/selinux/openwrt-selinux/staging_dir/target-x86_64_musl/stamp/.package_compile] Error 2
make[1]: Leaving directory '/home/mike/Source/aq/aquinas/aquinas-projects/selinux/openwrt-selinux'
make: *** [/home/mike/Source/aq/aquinas/aquinas-projects/selinux/openwrt-selinux/include/toplevel.mk:232: world] Error 2

[aparcar]

@flyn-org thanks for testing! Please rebuild package/system/opkg, it should have a dependency on refpolicy/host.

[flyn-org]

@aparcar, sure. I am doing a from-scratch build now.

[flyn-org]

I received the same error when trying a from-scratch build. I have the following enabled:

CONFIG_DEFAULT_opkg=y
CONFIG_TARGET_ROOTFS_SECURITY_LABELS=y
CONFIG_PACKAGE_refpolicy=y

Is "CONFIG_ROOTFS_SECURITY_LABELS" in package/system/opkg/Makefile a typo? Should it be "CONFIG_TARGET_ROOTFS_SECURITY_LABELS?" At any rate, removing "ifdef CONFIG_TARGET_ROOTFS_SECURITY_LABELS" and its companion "endif" seems to allow things to proceed.

Later, the compile fails with

WARNING: Policy version mismatch!  Is your OUTPUT_POLICY set correctly?

env LD_LIBRARY_PATH="/home/mike/Source/aq/aquinas/aquinas-projects/selinux/openwrt-selinux/staging_dir/hostpkg/lib:/home/mike/Source/aq/aquinas/aquinas-projects/selinux/openwrt-selinux/staging_dir/hostpkg/usr/lib" /home/mike/Source/aq/aquinas/aquinas-projects/selinux/openwrt-selinux/staging_dir/hostpkg/bin/checkpolicy -U deny policy.conf -o policy.
env: '/home/mike/Source/aq/aquinas/aquinas-projects/selinux/openwrt-selinux/staging_dir/hostpkg/bin/checkpolicy': No such file or directory
make[4]: *** [Rules.monolithic:71: policy.] Error 127
make[4]: Leaving directory '/home/mike/Source/aq/aquinas/aquinas-projects/selinux/openwrt-selinux/build_dir/hostpkg/refpolicy-2.20200229'
make[3]: *** [Makefile:97: /home/mike/Source/aq/aquinas/aquinas-projects/selinux/openwrt-selinux/build_dir/hostpkg/refpolicy-2.20200229/.built] Error 2
make[3]: Leaving directory '/home/mike/Source/aq/aquinas/aquinas-projects/selinux/openwrt-selinux/package/system/refpolicy'

I manually selected the checkpolicy package, but running make V=99 package/checkpolicy/compile failed with the /home/mike/Source/aq/aquinas/aquinas-projects/selinux/openwrt-selinux/staging_dir/hostpkg/etc/selinux/targeted/contexts/files/file_contexts: No such file or directory error.

Is there some kind of circular dependency here?

[aparcar]

Good catch, that's a typo! I'll look into the error you're facing.

[aparcar]

@nbd168 Hey could you please help me out with some build system insights? I'm having a bit of a bootstrapping problem here: By giving ipkg-build the ability to set SELinux labels the file_contexts, generated by the refpolicy packge needs to exists. Now how can I disable the context setting (8c9839b) if it's a host package, but enable it for all regular packages?

[aparcar]

The policy must be available on the device and can not be freely extended via externally installed packages, for that reason we decided against package labelling. Instead the initially filesystem will be labelled during creation and packages are labelled via a post-install package manager step, based on the policy available at runtime.

[flyn-org]

See also #3472 (comment).