Hi,

I really like the idea of SELinux support in OpenWrt, but I think that if you send these patches directly to https://github.com/openwrt/packages/ they will receive more attention than here on the mailing list.

J.P.

On 22. 11. 19 at 10:55, Thomas Petazzoni wrote:
> Hello,
>
> This patch series is one part of the changes needed to bring minimal
> SELinux support to OpenWrt. SELinux is a mandatory access control
> Linux security module, which I assume most if not all OpenWrt users
> are already familiar with. The work presented in these patch series
> presents a minimal integration, in the sense that it allows to:
>
>  (1) Build all the important SELinux components, both on the build
>      system (for example to compile a SELinux policy) and on the
>      target system (libselinux, policy management tools, etc.)
>
>  (2) Set the SELinux security contexts on the files in the filesystem
>      image generated by OpenWrt.
>
>  (3) Compile the SELinux policy on the build machine, and integrate
>      the compiled SELinux policy in the target filesystem.
>
>  (4) Load at boot time the SELinux policy and enable it.
>
> The provided SELinux policy is the default SELinux policy from the
> upstream project: it has not been tuned specifically for OpenWrt.
>
> There are two patch series for this work:
>
>  - One for OpenWrt itself
>
>  - One for the OpenWrt packages feed (this patch series)
>
> OpenWrt changes
> ===============
>
> This patch series brings the following changes:
>
>  - Allow to build Busybox with SELinux support, mainly to get -Z
>    option support in several commands. This requires linking against
>    libselinux, which is provided in the packages feeds as part of the
>    second patch series.
>
>  - Addition of minimal SELinux support in procd, to load the SELinux
>    policy at boot time. The patch has been submitted separately to
>    procd, and is being discussed.
>
>  - Addition of the fakeroot tool, which we need when generating the
>    filesystem image to run the SELinux command "setfiles" that sets
>    the appropriate security context for the files in the
>    filesystem. It obviously requires root access, which is why it is
>    executed under fakeroot.
>
>  - Addition of support for generating a SquashFS image with the
>    SELinux security contexts defined. It could be extended to other
>    filesystem formats of course.
>
>  - Add some logic to be able to enable SquashFS extended attribute
>    support in the kernel configuration, as well as SELinux support.
>
>  - Enable extended attribute support in mksquashfs.
>
> OpenWrt packages feed changes
> =============================
>
> This patch series brings new packages for the different user-space
> components of SELinux and their dependencies:
>
>  - libsepol
>  - libselinux, including its Python bindings
>  - audit
>  - libcap-ng
>  - libsemanage
>  - policycoreutils
>  - checkpolicy
>  - refpolicy
>  - selinux-python
>
> These are pretty regular packages.
>
> I'm looking forward to the feedback of the OpenWrt community on this
> proposal.
>
> Best regards,
>
> Thomas Petazzoni
>
>
>
> Thomas Petazzoni (11):
>   libs/pcre: add host variant of libpcre
>   libs/libsepol: new package
>   libs/libselinux: new package
>   utils/audit: new package
>   libs/libcap-ng: new package
>   libs/libsemanage: new package
>   utils/policycoreutils: new package
>   utils/checkpolicy: new package
>   admin/refpolicy: new package
>   libs/libselinux: add support for building the Python bindings
>   utils/selinux-python: new package
>
>  admin/refpolicy/Makefile                      |  78 +++++++++
>  admin/refpolicy/files/selinux-config          |   7 +
>  libs/libcap-ng/Makefile                       |  53 ++++++
>  libs/libselinux/Makefile                      | 104 ++++++++++++
>  libs/libsemanage/Makefile                     |  70 ++++++++
>  libs/libsepol/Makefile                        |  65 ++++++++
>  libs/pcre/Makefile                            |  11 ++
>  utils/audit/Makefile                          | 125 ++++++++++++++
>  utils/audit/files/audit.init                  |  16 ++
>  ...tue-functions-for-strndupa-rawmemchr.patch | 133 +++++++++++++++
>  utils/checkpolicy/Makefile                    |  42 +++++
>  utils/policycoreutils/Makefile                |  60 +++++++
>  utils/selinux-python/Makefile                 | 155 ++++++++++++++++++
>  .../0001-sepolgen-adjust-data_dir.patch       |  26 +++
>  ...hardcode-search-for-ausearch-in-sbin.patch |  38 +++++
>  .../0003-Don-t-force-using-python3.patch      |  67 ++++++++
>  16 files changed, 1050 insertions(+)
>  create mode 100644 admin/refpolicy/Makefile
>  create mode 100644 admin/refpolicy/files/selinux-config
>  create mode 100644 libs/libcap-ng/Makefile
>  create mode 100644 libs/libselinux/Makefile
>  create mode 100644 libs/libsemanage/Makefile
>  create mode 100644 libs/libsepol/Makefile
>  create mode 100644 utils/audit/Makefile
>  create mode 100644 utils/audit/files/audit.init
>  create mode 100644
> utils/audit/patches/0001-Add-substitue-functions-for-strndupa-rawmemchr.patch
>  create mode 100644 utils/checkpolicy/Makefile
>  create mode 100644 utils/policycoreutils/Makefile
>  create mode 100644 utils/selinux-python/Makefile
>  create mode 100644
> utils/selinux-python/patches/0001-sepolgen-adjust-data_dir.patch
>  create mode 100644
> utils/selinux-python/patches/0002-sepolgen-don-t-hardcode-search-for-ausearch-in-sbin.patch
>  create mode 100644
> utils/selinux-python/patches/0003-Don-t-force-using-python3.patch