buildroot/package/refpolicy/Config.in

122 lines
3.8 KiB
Plaintext

config BR2_PACKAGE_REFPOLICY
bool "refpolicy"
depends on BR2_TOOLCHAIN_HAS_THREADS # libsepol
depends on BR2_TOOLCHAIN_GCC_AT_LEAST_5 # libsepol
depends on BR2_HOST_GCC_AT_LEAST_5 # host-setools -> host-libsepol
# Even though libsepol is not necessary for building, we get
# the policy version from libsepol, so we select it, and treat
# it like a runtime dependency.
select BR2_PACKAGE_LIBSEPOL
help
The SELinux Reference Policy project (refpolicy) is a
complete SELinux policy that can be used as the system
policy for a variety of systems and used as the basis for
creating other policies. Reference Policy was originally
based on the NSA example policy, but aims to accomplish many
additional goals.
The current refpolicy does not fully support Buildroot and
needs modifications to work with the default system file
layout. These changes should be added as patches to the
refpolicy that modify a single SELinux policy.
The refpolicy works for the most part in permissive
mode. Only the basic set of utilities are enabled in the
example policy config and some of the pathing in the
policies is not correct. Individual policies would need to
be tweaked to get everything functioning properly.
https://github.com/TresysTechnology/refpolicy
if BR2_PACKAGE_REFPOLICY
choice
prompt "Refpolicy version"
default BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION
config BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION
bool "Upstream version"
help
Use the refpolicy as provided by Buildroot.
config BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
bool "Custom git repository"
help
Allows to get the refpolicy from a custom git repository.
The custom refpolicy must define the full policy explicitly,
and must be a fork of the original refpolicy, to have the
same build system. When this is selected, only the custom
policy definition are taken into account and all the modules
of the policy are built into the binary policy.
endchoice
if BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL
string "URL of custom repository"
config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION
string "Custom repository version"
help
Revision to use in the typical format used by Git.
E.g. a sha id, tag, branch...
endif
choice
prompt "SELinux default state"
default BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
config BR2_PACKAGE_REFPOLICY_POLICY_STATE_ENFORCING
bool "Enforcing"
help
SELinux security policy is enforced
config BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
bool "Permissive"
help
SELinux prints warnings instead of enforcing
config BR2_PACKAGE_REFPOLICY_POLICY_STATE_DISABLED
bool "Disabled"
help
No SELinux policy is loaded
endchoice
config BR2_PACKAGE_REFPOLICY_POLICY_STATE
string
default "permissive" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
default "enforcing" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_ENFORCING
default "disabled" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_DISABLED
if BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION
config BR2_REFPOLICY_EXTRA_MODULES_DIRS
string "Extra modules directories"
help
Specify a space-separated list of directories containing
SELinux modules that will be built into the SELinux
policy. The modules will be automatically enabled in the
policy.
Each of those directories must contain the SELinux policy
.fc, .if and .te files directly at the top-level, with no
sub-directories. Also, you cannot have several modules with
the same name in different directories.
config BR2_REFPOLICY_EXTRA_MODULES
string "Extra modules to enable"
help
List of extra SELinux modules to enable in the refpolicy.
endif
endif
comment "refpolicy needs a toolchain w/ threads, gcc >= 5, host gcc >= 5"
depends on !BR2_TOOLCHAIN_HAS_THREADS || \
!BR2_TOOLCHAIN_GCC_AT_LEAST_5 || \
!BR2_HOST_GCC_AT_LEAST_5