diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
index 69785629cc..954dc3a093 100644
--- a/package/refpolicy/Config.in
+++ b/package/refpolicy/Config.in
@@ -40,4 +40,30 @@ config BR2_PACKAGE_REFPOLICY_POLICY_VERSION
 string "Policy version"
 default "30"
+choice
+ prompt "SELinux default state"
+ default BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
+
+config BR2_PACKAGE_REFPOLICY_POLICY_STATE_ENFORCING
+ bool "Enforcing"
+ help
+ SELinux security policy is enforced
+
+config BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
+ bool "Permissive"
+ help
+ SELinux prints warnings instead of enforcing
+
+config BR2_PACKAGE_REFPOLICY_POLICY_STATE_DISABLED
+ bool "Disabled"
+ help
+ No SELinux policy is loaded
+endchoice
+
+config BR2_PACKAGE_REFPOLICY_POLICY_STATE
+ string
+ default "permissive" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
+ default "enforcing" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_ENFORCING
+ default "disabled" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_DISABLED
+
 endif
diff --git a/package/refpolicy/config b/package/refpolicy/config
new file mode 100644
index 0000000000..087297c12e
--- /dev/null
+++ b/package/refpolicy/config
@@ -0,0 +1,8 @@
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+# enforcing - SELinux security policy is enforced.
+# permissive - SELinux prints warnings instead of enforcing.
+# disabled - No SELinux policy is loaded.
+SELINUX=disabled
+
+SELINUXTYPE=targeted
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
index 4d85ee5edc..aab1877418 100644
--- a/package/refpolicy/refpolicy.mk
+++ b/package/refpolicy/refpolicy.mk
@@ -31,6 +31,8 @@ REFPOLICY_MAKE = \
 REFPOLICY_POLICY_VERSION = \
 $(call qstrip,$(BR2_PACKAGE_REFPOLICY_POLICY_VERSION))
+REFPOLICY_POLICY_STATE = \
+ $(call qstrip,$(BR2_PACKAGE_REFPOLICY_POLICY_STATE))
 define REFPOLICY_CONFIGURE_CMDS
 $(SED) "/OUTPUT_POLICY/c\OUTPUT_POLICY = $(REFPOLICY_POLICY_VERSION)" \
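Review bot: The `help` entries of the new choice in package/refpolicy/Config.in do not tell the integrator that only Enforcing blocks anything, while the choice defaults to `BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE`, so an image built with default settings logs denials but confines nothing. I would expand the Permissive help to something like `SELinux logs denials but does not block them; meant for policy development, not for production images`, and put a one-line comment above the `default` saying why permissive was chosen. The hidden `BR2_PACKAGE_REFPOLICY_POLICY_STATE` string has no unconditional fallback; that is fine as long as the choice always selects one entry, but a comment stating that assumption would help the next editor.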
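Review bot: The template added as package/refpolicy/config ships `SELINUX=disabled`, so if the `$(SED)` rewrite in refpolicy.mk ever fails to match (sed exits successfully when a `c\` address matches nothing), the target boots with SELinux off and the build gives no hint. Shipping the template with `SELINUX=permissive`, matching the Kconfig default, would make that failure mode less severe. `SELINUXTYPE=targeted` is also fixed here, and the configure commands visible in this diff only set OUTPUT_POLICY, so it is worth confirming that the policy really is installed under /etc/selinux/targeted; otherwise the policy presumably will not be found at boot.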
@@ -50,6 +52,10 @@ endef
 define REFPOLICY_INSTALL_TARGET_CMDS
 $(REFPOLICY_MAKE) -C $(@D) DESTDIR=$(TARGET_DIR) install
+ $(INSTALL) -m 0755 -D package/refpolicy/config \
+ $(TARGET_DIR)/etc/selinux/config
+ $(SED) "/^SELINUX=/c\SELINUX=$(REFPOLICY_POLICY_STATE)" \
+ $(TARGET_DIR)/etc/selinux/config
 endef
 $(eval $(generic-package))
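Review bot: `$(INSTALL) -m 0755` in REFPOLICY_INSTALL_TARGET_CMDS makes /etc/selinux/config executable, which a plain key=value file read by the SELinux userspace does not need. The line should use the usual config-file mode: `$(INSTALL) -m 0644 -D package/refpolicy/config \`. The `$(SED)` that follows depends on the template keeping a line that starts with `SELINUX=` and reports nothing when it does not match, so a comment above it such as `# package/refpolicy/config must keep a line starting with SELINUX=` would document that coupling.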