phytium
/
phytium-linux-buildroot
mirror of https://gitee.com/phytium_embedded/phytium-linux-buildroot
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
46 Commits
2 Branches
13 Tags
18 MiB
 
 
 
 
 
 
Tree: f221784659
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'f221784659'
${ noResults }
phytium-linux-buildroot/docs/manual/selinux-support.txt

74 lines
2.9 KiB
Raw Blame History

// -*- mode:doc; -*-
// vim: set syntax=asciidoc:
[[selinux]]
== Using SELinux in Buildroot
https://selinuxproject.org[SELinux] is a Linux kernel security module
enforcing access control policies. In addition to the traditional file
permissions and access control lists, +SELinux+ allows to write rules
for users or processes to access specific functions of resources
(files, sockets...).
_SELinux_ has three modes of operation:
* _Disabled_: the policy is not applied
* _Permissive_: the policy is applied, and non-authorized actions are
simply logged. This mode is often used for troubleshooting SELinux
issues.
* _Enforcing_: the policy is applied, and non-authorized actions are
denied
In Buildroot the mode of operation is controlled by the
+BR2_PACKAGE_REFPOLICY_POLICY_STATE_*+ configuration options. The
Linux kernel also has various configuration options that affect how
+SELinux+ is enabled (see +security/selinux/Kconfig+ in the Linux
kernel sources).
By default in Buildroot the +SELinux+ policy is provided by the
upstream https://github.com/SELinuxProject/refpolicy[refpolicy]
project, enabled with +BR2_PACKAGE_REFPOLICY+.
[[enabling-selinux]]
=== Enabling SELinux support
To have proper support for +SELinux+ in a Buildroot generated system,
the following configuration options must be enabled:
* +BR2_PACKAGE_LIBSELINUX+
* +BR2_PACKAGE_REFPOLICY+
In addition, your filesystem image format must support extended
attributes.
[[selinux-policy-tweaking]]
=== SELinux policy tweaking
The +SELinux refpolicy+ contains modules that can be enabled or
disabled when being built. Each module provide a number of +SELinux+
rules. In Buildroot the non-base modules are disabled by default and
several ways to enable such modules are provided:
- Packages can enable a list of +SELinux+ modules within the +refpolicy+ using
the +<packagename>_SELINUX_MODULES+ variable.
- Packages can provide additional +SELinux+ modules by putting them (.fc, .if
and .te files) in +package/<packagename>/selinux/+.
- Extra +SELinux+ modules can be added in directories pointed by the
+BR2_REFPOLICY_EXTRA_MODULES_DIRS+ configuration option.
- Additional modules in the +refpolicy+ can be enabled if listed in the
+BR2_REFPOLICY_EXTRA_MODULES_DEPENDENCIES+ configuration option.
Buildroot also allows to completely override the +refpolicy+. This
allows to provide a full custom policy designed specifically for a
given system. When going this way, all of the above mechanisms are
disabled: no extra +SElinux+ module is added to the policy, and all
the available modules within the custom policy are enabled and built
into the final binary policy. The custom policy must be a fork of the
official https://github.com/SELinuxProject/refpolicy[refpolicy].
In order to fully override the +refpolicy+ the following configuration
variables have to be set:
- +BR2_PACKAGE_REFPOLICY_CUSTOM_GIT+
- +BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL+
- +BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION+