-
-
Notifications
You must be signed in to change notification settings - Fork 10.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support SELinux labels for built packages #3448
Conversation
@flyn-org @tpetazzoni please test this PR if you have the time. |
14aa055
to
596c795
Compare
|
596c795
to
dd53a30
Compare
My initial attempt to build caused the following. Perhaps something is building out-of-order?
|
@flyn-org thanks for testing! Please rebuild package/system/opkg, it should have a dependency on refpolicy/host. |
@aparcar, sure. I am doing a from-scratch build now. |
dd53a30
to
b62f9ac
Compare
I received the same error when trying a from-scratch build. I have the following enabled:
Is "CONFIG_ROOTFS_SECURITY_LABELS" in package/system/opkg/Makefile a typo? Should it be "CONFIG_TARGET_ROOTFS_SECURITY_LABELS?" At any rate, removing "ifdef CONFIG_TARGET_ROOTFS_SECURITY_LABELS" and its companion "endif" seems to allow things to proceed. Later, the compile fails with
I manually selected the checkpolicy package, but running Is there some kind of circular dependency here? |
b62f9ac
to
8c9839b
Compare
Good catch, that's a typo! I'll look into the error you're facing. |
@nbd168 Hey could you please help me out with some build system insights? I'm having a bit of a bootstrapping problem here: By giving |
The refpolicy is required to set SELinux file contexts. It has to be build before any target packet is created. Signed-off-by: Paul Spooren <mail@aparcar.org>
To support SELinux file contexts the host package refpolicy is required before building `opkg` packages. This dependency is only added if `CONFIG_ROOTFS_SECURITY_LABELS` is enabled. Signed-off-by: Paul Spooren <mail@aparcar.org>
To support SELinux labels for built packages `tar` requires support for both SELinux labels and xattrs. This commit enables both in case `CONFIG_TARGET_ROOTFS_SECURITY_LABELS` is set, which also adds SELinux labeling to the created squashfs. Signed-off-by: Paul Spooren <mail@aparcar.org>
The new option `-c` allows to set the path to a SELinux file contexts list, which is then applied to the contests of the package directory. Signed-off-by: Paul Spooren <mail@aparcar.org>
When the option `CONFIG_ROOTFS_SECURITY_LABELS` is active the new option `-c` is passed to the `ipkg-build` script to set SELinux file contexts. Signed-off-by: Paul Spooren <mail@aparcar.org>
Signed-off-by: Paul Spooren <mail@aparcar.org>
8c9839b
to
5f8c487
Compare
The policy must be available on the device and can not be freely extended via externally installed packages, for that reason we decided against package labelling. Instead the initially filesystem will be labelled during creation and packages are labelled via a post-install package manager step, based on the policy available at runtime. |
See also #3472 (comment). |
This PR touches various bits, ultimately allowing to have SELinux file contexts in packages if
CONFIG_ROOTFS_SECURITY_LABELS
is enabled.