refpolicy: add minimum targeted policy

This is a minimum targeted policy with just core policy modules, and could be used as a base for customizing targeted policy. Pretty much everything runs as initrc_t or unconfined_t so all of the domains are unconfined. Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
author: Wenzong Fan <wenzong.fan@windriver.com> 2014-03-24 21:07:50 -0400
committer: Joe MacDonald <joe@deserted.net> 2014-04-24 14:23:50 -0400
commit: 65675f02e33f5da31ec5dbac7a45849f4952569b (patch)
tree: 0027b5ed0e4e20d3d6485b8086f311cf0793f935
parent: cdb1ef995342b430141d4d052c20acda9ad054be (diff)
download: meta-selinux-65675f02e33f5da31ec5dbac7a45849f4952569b.tar.gz
1 files changed, 46 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb
new file mode 100644
index 0000000..e904810
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb
@@ -0,0 +1,46 @@
+include refpolicy-targeted_${PV}.bb
+SUMMARY = "SELinux minimum policy"
+DESCRIPTION = "\
+This is a minimum reference policy with just core policy modules, and \
+could be used as a base for customizing targeted policy. \
+Pretty much everything runs as initrc_t or unconfined_t so all of the \
+domains are unconfined. \
+"
+POLICY_NAME = "minimum"
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:${THISDIR}/refpolicy-${PV}:${THISDIR}/refpolicy-targeted:"
+CORE_POLICY_MODULES = "unconfined \
+        selinuxutil storage sysnetwork \
+        application libraries miscfiles logging userdomain \
+        init mount modutils getty authlogin locallogin \
+        "
+# nscd caches libc-issued requests to the name service.
+# Without nscd.pp, commands want to use these caches will be blocked.
+EXTRA_POLICY_MODULES += "nscd"
+# pam_mail module enables checking and display of mailbox status upon
+# "login", so "login" process will access to /var/spool/mail.
+EXTRA_POLICY_MODULES += "mta"
+POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
+prepare_policy_store () {
+        oe_runmake install \
+                DESTDIR=${D}
+        # Prepare to create policy store
+        mkdir -p ${D}${sysconfdir}/selinux/
+        mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/policy
+        mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules
+        mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files
+        bzip2 -c ${D}${datadir}/selinux/${POLICY_NAME}/base.pp  > \
+                ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
+        for i in ${POLICY_MODULES_MIN}; do
+                bzip2 -c ${D}${datadir}/selinux/${POLICY_NAME}/$i.pp > \
+                        ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/$i.pp
+        done
+}
author	Wenzong Fan <wenzong.fan@windriver.com>	2014-03-24 21:07:50 -0400
committer	Joe MacDonald <joe@deserted.net>	2014-04-24 14:23:50 -0400
commit	65675f02e33f5da31ec5dbac7a45849f4952569b (patch)
tree	0027b5ed0e4e20d3d6485b8086f311cf0793f935
parent	cdb1ef995342b430141d4d052c20acda9ad054be (diff)
download	meta-selinux-65675f02e33f5da31ec5dbac7a45849f4952569b.tar.gz

diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb new file mode 100644 index 0000000..e904810 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb
@@ -0,0 +1,46 @@
	1	include refpolicy-targeted_${PV}.bb
	2
	3	SUMMARY = "SELinux minimum policy"
	4	DESCRIPTION = "\
	5	This is a minimum reference policy with just core policy modules, and \
	6	could be used as a base for customizing targeted policy. \
	7	Pretty much everything runs as initrc_t or unconfined_t so all of the \
	8	domains are unconfined. \
	9	"
	10
	11	POLICY_NAME = "minimum"
	12
	13	FILESEXTRAPATHS_prepend := "${THISDIR}/files:${THISDIR}/refpolicy-${PV}:${THISDIR}/refpolicy-targeted:"
	14
	15	CORE_POLICY_MODULES = "unconfined \
	16	selinuxutil storage sysnetwork \
	17	application libraries miscfiles logging userdomain \
	18	init mount modutils getty authlogin locallogin \
	19	"
	20
	21	# nscd caches libc-issued requests to the name service.
	22	# Without nscd.pp, commands want to use these caches will be blocked.
	23	EXTRA_POLICY_MODULES += "nscd"
	24
	25	# pam_mail module enables checking and display of mailbox status upon
	26	# "login", so "login" process will access to /var/spool/mail.
	27	EXTRA_POLICY_MODULES += "mta"
	28
	29	POLICY_MODULES_MIN = "${CORE_POLICY_MODULES} ${EXTRA_POLICY_MODULES}"
	30
	31	prepare_policy_store () {
	32	oe_runmake install \
	33	DESTDIR=${D}
	34
	35	# Prepare to create policy store
	36	mkdir -p ${D}${sysconfdir}/selinux/
	37	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/policy
	38	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules
	39	mkdir -p ${D}${sysconfdir}/selinux/${POLICY_NAME}/contexts/files
	40	bzip2 -c ${D}${datadir}/selinux/${POLICY_NAME}/base.pp > \
	41	${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/base.pp
	42	for i in ${POLICY_MODULES_MIN}; do
	43	bzip2 -c ${D}${datadir}/selinux/${POLICY_NAME}/$i.pp > \
	44	${D}${sysconfdir}/selinux/${POLICY_NAME}/modules/active/modules/$i.pp
	45	done
	46	}