[Buildroot] [PATCH 00/29] SELinux Buildroot Additions

Matt Weber matthew.weber at rockwellcollins.com
Tue Dec 16 03:53:52 UTC 2014


### What's SELinux?

Security-Enhanced Linux (SELinux) is a Linux feature that provides
a variety of security policies, including U.S. Department of Defense
style mandatory access controls (MAC), through the use of Linux
Security Modules (LSM) in the Linux kernel. It is not a Linux
distribution, but rather a set of modifications that can be applied
to Unix-like operating systems, such as Linux and BSD.

Running SELinux under a Linux distribution requires three things:
An SELinux enabled kernel, SELinux Userspace tools and libraries,
and SELinux Policies (mostly based on the Reference Policy). Some
common Linux programs will also need to be patched/compiled with
SELinux features. (Credit Archlinux wiki)

### What's in this patchset?

This patchset adds the required userspace tools, libraries, example
QEMU target, existing package modifications, and initial policy
to Buildroot.
The design approach took a minimalist view to the selinux capability.
The necessary packages have been added but all the ways in which they
could be used (target vs host) are not exposed.  One example is
the audit2allow framework that requires python.  This is currently
setup for "host only use" to post analyze audit service output.  It
could also be setup for target use but it would require the target
to have python and other supporting libs present.
Another aspect that utilized known SELinux capable applications
was for init and logging.  We choose to use sysvinit and rsyslog
instead of the busybox applet version.  This simplified getting
this initial configuration pulled together.  Use of busybox
applications is definitely an area where things could slim down
with more time and testing.
Lastly, the building of libselinux was limited to a set of
architectures and libraries that have been tested.  An area for
future work will be to enable broader use.

Some references to help with the review of this patchset.
Arch and Gentoo implementation and design details:
  https://wiki.archlinux.org/index.php/SELinux
  http://wiki.gentoo.org/wiki/SELinux
  http://wiki.gentoo.org/wiki/SELinux/Installation

### Details of changes from previous patchsets

This is a new round of patches based on the v5 patchset from
last year.  The changes since v5 consist of:
  * The removal of on target policy debugging using audit2allow.
    The host tools have been setup to provide a offline capability
    for analyzing audit output.
  * The example qemu configuration defaults to using full versions
    of applications instead of the busybox applets.  This simplified
    the configuration but as a side affect grew the filesystem size.
    There is definitely opportunity to slim down the approach to
    just using busybox applets (I've still included the patches
    that enable the capability to create individual applets).
  * Added documentation of the qemu target to that targets readme
  * Updated for structural changes (OPTS vs OPT, patch naming,
    improvements to existing packages)
  * Autobuilder was modified to run against our upstreaming
    branch (over 600 tests so far).  It identified the issues
    noted below.

### Known issues:

  * libselinux/libsemanage/setools have been limited to just
    glibc and arm/ppc/x86 archs for now until QEMU targets
    are configured to test against additional configurations.
    * libselinux]
      - error: dlfcn.h: No such file or directory -
        (bfin-buildroot-uclinux-uclibc)
      - #error Sorry... uClibc was built without large file
        support - (powerpc-buildroot-linux-uclibc)
      - /crtbeginT.o: relocation R_MIPS_HI16 against `a local
        symbol' can not be used when making a shared object;
        recompile with -fPIC - (mipsel-buildroot-linux-uclibc)
    * setools]
      - configure: error: SETools requires a C99-compliant
        C compiler to build. - (i486-ctng-linux-uclibc-gcc)
    * shadow]
      - (configure: error: posix_spawn is needed for nscd
        support) (mipsel-ctng-linux-uclibc)

Since Refpolicy is heavily tailored for a projects use, the
package exposed options of using the provided version with
patches or a custom GIT repo. Here's a bit more detail on
those assumptions.
  * Refpolicy as the package defines with default patches
    plus possibly some global patches applied.  Using a default
    modules config file provided in the package folder or
    provided by the user.
  * Refpolicy looking at specific git repo revisions.  Using a
    modules config file from within that git repo.
  * Repolicy using src override which assumes the same as the
    git repo case for where the modules config file originates.

### What's next:

* Testing out support for using busybox applets instead of
  sysvinit/util-linux/etc.
* Updating the qemu example to use a auto generated busybox config
  based on package selections and selinux being enabled.
* qemu targets for ARM and PPC



Clayton Shotwell (14):
  libselinux: new package
  ustr: new package
  libsemanage: new package
  checkpolicy: new package
  sepolgen: new package
  sqlite: Add host build support
  setools: new package
  python-pyparsing: Add host build option
  audit: new package
  policycoreutils: new package
  python-pyxml: new package
  refpolicy: new package
  shadow: new package
  qemu_x86_selinux_defconfig: base SELinux QEMU image for x86

Matt Weber (15):
  repolicy: base policy modifications for embedded target
  refpolicy: custom git repo
  busybox: applets as individual binaries
  busybox: selinux support
  busybox: added linux-pam support
  busybox: default selinux config which disables init and uses sysvinit
  linux-pam: selinux support
  sysvinit: added libselinux dependency
  dbus: selinux file context support
  logrotate: selinux support
  openssh: selinux and pam support
  util-linux: selinux, audit, and pam support
  vim: selinux support
  rsyslog: fix config file comment style
  qemu x86 readme: documented selinux target

 board/qemu/x86/busybox-selinux.config              | 1038 ++++++++++++++
 board/qemu/x86/linux-3.12-selinux.config           |   77 ++
 board/qemu/x86/readme.txt                          |   18 +
 configs/qemu_x86_selinux_defconfig                 |   53 +
 package/Config.in                                  |   20 +
 package/Config.in.host                             |    1 +
 .../0001-cross-compile-header-creation-fix.patch   | 1424 ++++++++++++++++++++
 package/audit/0002-remove-zos-plugin.patch         |   35 +
 package/audit/Config.in                            |   14 +
 package/audit/S01auditd                            |  172 +++
 package/audit/audit.mk                             |   57 +
 package/busybox/Config.in                          |   10 +
 ...s-Add-installation-of-individual-binaries.patch |  103 ++
 ...ags-strip-non-l-arguments-returned-by-pkg.patch |   28 +
 package/busybox/busybox.mk                         |   52 +
 package/checkpolicy/Config.in.host                 |   10 +
 package/checkpolicy/checkpolicy.mk                 |   26 +
 package/dbus/S30dbus                               |    4 +
 package/dbus/dbus.mk                               |   14 +
 package/libselinux/Config.in                       |   19 +
 package/libselinux/libselinux.mk                   |   70 +
 .../libsemanage/0001-execption-lib-path-fix.patch  |   14 +
 package/libsemanage/Config.in                      |   30 +
 package/libsemanage/libsemanage.mk                 |   72 +
 .../linux-pam-08-audit-log-acct_message_ret.patch  |   16 +
 package/linux-pam/linux-pam.mk                     |   58 +-
 package/linux-pam/system-auth.pamd                 |   15 +
 package/logrotate/logrotate.mk                     |   11 +-
 package/openssh/openssh.mk                         |   12 +
 .../policycoreutils/0001-cross-compile-fixes.patch |  332 +++++
 package/policycoreutils/Config.in                  |   73 +
 package/policycoreutils/S15restorecond             |   85 ++
 package/policycoreutils/policycoreutils.mk         |  224 +++
 package/python-pyparsing/python-pyparsing.mk       |    1 +
 package/python-pyxml/Config.in                     |   11 +
 package/python-pyxml/python-xml.mk                 |   50 +
 package/refpolicy-contrib/Config.in                |   20 +
 package/refpolicy-contrib/refpolicy-contrib.mk     |   19 +
 package/refpolicy/0001-gentoo-hardened-fixes.patch | 1250 +++++++++++++++++
 package/refpolicy/0002-baseDirectoryChanges.patch  |   39 +
 package/refpolicy/0003-filesChanges.patch          |   69 +
 package/refpolicy/0004-initChanges.patch           |   20 +
 package/refpolicy/0005-selinuxutilChanges.patch    |  103 ++
 package/refpolicy/0006-sshChanges.patch            |   22 +
 package/refpolicy/0007-loggingChanges.patch        |   87 ++
 package/refpolicy/0008-mountChanges.patch          |   11 +
 package/refpolicy/0009-sysadmChanges.patch         |   24 +
 package/refpolicy/0010-authloginChanges.patch      |   14 +
 package/refpolicy/0011-localloginChanges.patch     |   20 +
 package/refpolicy/0012-udevChanges.patch           |   21 +
 package/refpolicy/0013-netutilsChanges.patch       |   20 +
 package/refpolicy/0014-devicesChanges.patch        |   55 +
 package/refpolicy/0015-awk-fix.patch               |   37 +
 .../refpolicy/0016-enablePolyinstantiation.patch   |   11 +
 package/refpolicy/Config.in                        |   94 ++
 package/refpolicy/S12selinux                       |  137 ++
 package/refpolicy/config                           |    8 +
 package/refpolicy/modules.conf                     |  406 ++++++
 package/refpolicy/refpolicy.mk                     |  109 ++
 package/rsyslog/rsyslog.mk                         |    4 +
 package/sepolgen/Config.in                         |   15 +
 package/sepolgen/sepolgen.mk                       |   25 +
 package/setools/0001-cross-compile-fixes.patch     |  121 ++
 .../setools/0002-swig-typedef-python-fixes.patch   | 1014 ++++++++++++++
 package/setools/Config.in                          |   23 +
 package/setools/setools.mk                         |   69 +
 package/shadow/Config.in                           |   13 +
 package/shadow/shadow.mk                           |   50 +
 package/sqlite/sqlite.mk                           |    1 +
 .../sysvinit-0010-fix-WITH-SELINUX-define.patch    |   24 +
 package/sysvinit/sysvinit.mk                       |   11 +-
 .../ustr/0001-cross-compile-modifications.patch    |  144 ++
 package/ustr/Config.in                             |   11 +
 package/ustr/ustr.mk                               |   48 +
 package/util-linux/util-linux.mk                   |   21 +
 package/vim/vim.mk                                 |    7 +
 76 files changed, 8443 insertions(+), 3 deletions(-)
 create mode 100644 board/qemu/x86/busybox-selinux.config
 create mode 100644 board/qemu/x86/linux-3.12-selinux.config
 create mode 100644 configs/qemu_x86_selinux_defconfig
 create mode 100644 package/audit/0001-cross-compile-header-creation-fix.patch
 create mode 100644 package/audit/0002-remove-zos-plugin.patch
 create mode 100644 package/audit/Config.in
 create mode 100644 package/audit/S01auditd
 create mode 100644 package/audit/audit.mk
 create mode 100644 package/busybox/busybox-0007-applets-Add-installation-of-individual-binaries.patch
 create mode 100644 package/busybox/busybox-0008-Makefile.flags-strip-non-l-arguments-returned-by-pkg.patch
 create mode 100644 package/checkpolicy/Config.in.host
 create mode 100644 package/checkpolicy/checkpolicy.mk
 mode change 100755 => 100644 package/dbus/S30dbus
 create mode 100644 package/libselinux/Config.in
 create mode 100644 package/libselinux/libselinux.mk
 create mode 100644 package/libsemanage/0001-execption-lib-path-fix.patch
 create mode 100644 package/libsemanage/Config.in
 create mode 100644 package/libsemanage/libsemanage.mk
 create mode 100644 package/linux-pam/linux-pam-08-audit-log-acct_message_ret.patch
 create mode 100644 package/linux-pam/system-auth.pamd
 create mode 100644 package/policycoreutils/0001-cross-compile-fixes.patch
 create mode 100644 package/policycoreutils/Config.in
 create mode 100644 package/policycoreutils/S15restorecond
 create mode 100644 package/policycoreutils/policycoreutils.mk
 create mode 100644 package/python-pyxml/Config.in
 create mode 100644 package/python-pyxml/python-xml.mk
 create mode 100644 package/refpolicy-contrib/Config.in
 create mode 100644 package/refpolicy-contrib/refpolicy-contrib.mk
 create mode 100644 package/refpolicy/0001-gentoo-hardened-fixes.patch
 create mode 100644 package/refpolicy/0002-baseDirectoryChanges.patch
 create mode 100644 package/refpolicy/0003-filesChanges.patch
 create mode 100644 package/refpolicy/0004-initChanges.patch
 create mode 100644 package/refpolicy/0005-selinuxutilChanges.patch
 create mode 100644 package/refpolicy/0006-sshChanges.patch
 create mode 100644 package/refpolicy/0007-loggingChanges.patch
 create mode 100644 package/refpolicy/0008-mountChanges.patch
 create mode 100644 package/refpolicy/0009-sysadmChanges.patch
 create mode 100644 package/refpolicy/0010-authloginChanges.patch
 create mode 100644 package/refpolicy/0011-localloginChanges.patch
 create mode 100644 package/refpolicy/0012-udevChanges.patch
 create mode 100644 package/refpolicy/0013-netutilsChanges.patch
 create mode 100644 package/refpolicy/0014-devicesChanges.patch
 create mode 100644 package/refpolicy/0015-awk-fix.patch
 create mode 100644 package/refpolicy/0016-enablePolyinstantiation.patch
 create mode 100644 package/refpolicy/Config.in
 create mode 100644 package/refpolicy/S12selinux
 create mode 100644 package/refpolicy/config
 create mode 100644 package/refpolicy/modules.conf
 create mode 100644 package/refpolicy/refpolicy.mk
 create mode 100644 package/sepolgen/Config.in
 create mode 100644 package/sepolgen/sepolgen.mk
 create mode 100644 package/setools/0001-cross-compile-fixes.patch
 create mode 100644 package/setools/0002-swig-typedef-python-fixes.patch
 create mode 100644 package/setools/Config.in
 create mode 100644 package/setools/setools.mk
 create mode 100644 package/shadow/Config.in
 create mode 100644 package/shadow/shadow.mk
 create mode 100644 package/sysvinit/sysvinit-0010-fix-WITH-SELINUX-define.patch
 create mode 100644 package/ustr/0001-cross-compile-modifications.patch
 create mode 100644 package/ustr/Config.in
 create mode 100644 package/ustr/ustr.mk

-- 
1.9.1



More information about the buildroot mailing list