@@ -1658,6 +1658,7 @@ endmenu
menu "Security"
source "package/policycoreutils/Config.in"
+ source "package/refpolicy/Config.in"
source "package/setools/Config.in"
endmenu
new file mode 100644
@@ -0,0 +1,42 @@
+From 1d4c826e8de366bccb93f167cd9be834ab5911c8 Mon Sep 17 00:00:00 2001
+From: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+Date: Fri, 8 May 2015 14:13:00 -0500
+Subject: [PATCH] Fix awk references to use variable
+
+Ensure all awk calls use the variable setup in the makefile rather than
+relying on the system.
+
+Signed-off-by: Clayton Shotwell <clayton.shotwell@rockwellcollins.com>
+---
+ Makefile | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 85d4cfb..3aa4b51 100644
+--- a/Makefile
++++ b/Makefile
+@@ -292,9 +292,9 @@ cmdline_mods := $(addsuffix .te,$(APPS_MODS))
+ cmdline_off := $(addsuffix .te,$(APPS_OFF))
+
+ # extract settings from modules.conf
+-mod_conf_base := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configbase)") print $$1 }' $(mod_conf) 2> /dev/null)))
+-mod_conf_mods := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configmod)") print $$1 }' $(mod_conf) 2> /dev/null)))
+-mod_conf_off := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configoff)") print $$1 }' $(mod_conf) 2> /dev/null)))
++mod_conf_base := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configbase)") print $$1 }' $(mod_conf) 2> /dev/null)))
++mod_conf_mods := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configmod)") print $$1 }' $(mod_conf) 2> /dev/null)))
++mod_conf_off := $(addsuffix .te,$(sort $(shell $(AWK) '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(configoff)") print $$1 }' $(mod_conf) 2> /dev/null)))
+
+ base_mods := $(cmdline_base)
+ mod_mods := $(cmdline_mods)
+@@ -308,7 +308,7 @@ off_mods += $(filter-out $(cmdline_off) $(cmdline_base) $(cmdline_mods), $(mod_c
+ off_mods += $(filter-out $(base_mods) $(mod_mods) $(off_mods),$(notdir $(detected_mods)))
+
+ # filesystems to be used in labeling targets
+-filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
++filesystems = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | $(AWK) '/(ext[234]|btrfs| xfs| jfs).*rw/{print $$3}';)
+ fs_names := "btrfs ext2 ext3 ext4 xfs jfs"
+
+ ########################################
+--
+1.9.1
+
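Review bot: The patch description says what it changes but not whether the change was sent to the refpolicy maintainers; since this is a Buildroot-local patch against upstream `Makefile`, a line in the description recording its upstream status (submitted, merged in which release, or kept local) tells the next person doing a version bump whether the patch can be dropped. The change itself is consistent: all four awk invocations now go through `$(AWK)`, which the description says the refpolicy Makefile defines. That definition is not visible in this hunk, so it is worth confirming that `AWK` has a default in that Makefile rather than expanding to nothing when the caller leaves it unset, because an empty `$(AWK)` would turn `$(shell '/^.../{...}' ...)` into a silently failing command and leave the module lists empty.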
new file mode 100644
@@ -0,0 +1,146 @@
+config BR2_PACKAGE_REFPOLICY
+ bool "refpolicy"
+ select BR2_PACKAGE_POLICYCOREUTILS
+ select BR2_PACKAGE_BUSYBOX_SELINUX if BR2_PACKAGE_BUSYBOX
+ depends on BR2_TOOLCHAIN_HAS_THREADS # policycoreutils
+ depends on BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL # policycoreutils
+ help
+ The SELinux Reference Policy project (refpolicy) is a
+ complete SELinux policy that can be used as the system
+ policy for a variety of systems and used as the basis
+ for creating other policies. Reference Policy was originally
+ based on the NSA example policy, but aims to accomplish
+ many additional goals.
+
+ The current refpolicy does not fully support Buildroot
+ and needs modifications to work with the default system
+ file layout. These changes should be added as patches to
+ the refpolicy that modify a single SELinux policy.
+
+ The refpolicy works for the most part in permissive mode. Only the
+ basic set of utilities are enabled in the example policy config and
+ some of the pathing in the policies is not correct. Individual
+ policies would need to be tweaked to get everything functioning
+ properly.
+
+comment "refpolicy needs a toolchain w/ threads, glibc or musl"
+ depends on !BR2_TOOLCHAIN_HAS_THREADS \
+ || !(BR2_TOOLCHAIN_USES_GLIBC || BR2_TOOLCHAIN_USES_MUSL)
+
+if BR2_PACKAGE_REFPOLICY
+
+choice
+prompt "SELinux policy type"
+default BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
+
+config BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
+bool "Standard"
+help
+Standard SELinux policy
+
+config BR2_PACKAGE_REFPOLICY_TYPE_MCS
+bool "MCS"
+help
+SELinux policy with multi-catagory support
+
+config BR2_PACKAGE_REFPOLICY_TYPE_MLS
+bool "MLS"
+help
+SELinux policy with multi-catagory and multi-level support
+endchoice
+
+config BR2_PACKAGE_REFPOLICY_TYPE
+ string
+ default "standard" if BR2_PACKAGE_REFPOLICY_TYPE_STANDARD
+ default "mcs" if BR2_PACKAGE_REFPOLICY_TYPE_MCS
+ default "mls" if BR2_PACKAGE_REFPOLICY_TYPE_MLS
+
+choice
+prompt "SELinux default state"
+default BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE
+
+config BR2_PACKAGE_REFPOLICY_STATE_ENFORCE
+bool "Enforcing"
+help
+SELinux security policy is enforced
+
+config BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE
+bool "Permissive"
+help
+SELinux prints warnings instead of enforcing
+
+config BR2_PACKAGE_REFPOLICY_STATE_DISABLE
+bool "Disabled"
+help
+No SELinux policy is loaded
+endchoice
+
+config BR2_PACKAGE_REFPOLICY_NAME
+ string "Custom policy Name"
+ default "Buildroot"
+
+config BR2_PACKAGE_REFPOLICY_STATE
+ string
+ default "permissive" if BR2_PACKAGE_REFPOLICY_STATE_PERMISSIVE
+ default "enforcing" if BR2_PACKAGE_REFPOLICY_STATE_ENFORCE
+ default "disabled" if BR2_PACKAGE_REFPOLICY_STATE_DISABLE
+
+config BR2_PACKAGE_REFPOLICY_MODULES_FILE
+ string "Refpolicy modules configuration"
+ default "package/refpolicy/modules.conf"
+ help
+ Location of a custom modules.conf file that lists the
+ SELinux policy modules to be included in the compiled
+ policy. See policy/modules.conf in the refpolicy sources for
+ the complete list of available modules.
+ NOTE: This file is only used if a Custom Git repo is
+ not specified.
+
+config BR2_PACKAGE_REFPOLICY_BOOLEAN_FILE
+ string "Refpolicy boolean configuration"
+ default "package/refpolicy/booleans.conf"
+ help
+ Location of a custom booleans.conf file that lists the
+ SELinux booleans to be set in the compiled
+ policy. See policy/booleans.conf in the refpolicy sources for
+ the complete list of available modules.
+ NOTE: This file is only used if a Custom Git repo is
+ not specified.
+
+config BR2_PACKAGE_REFPOLICY_MODULAR
+ bool "Build a modular SELinux policy"
+ help
+ Select Y to build a modular SELinux policy. By default,
+ a monolithic policy will be built to save space on the
+ target. A modular policy can also be built if policies
+ need to be modified without reloading the target.
+
+config BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
+ bool "Custom Git repository"
+ select BR2_PACKAGE_REFPOLICY_CONTRIB
+ help
+ This option allows Buildroot to get the refpolicy source
+ code from a Git repository. This option should generally
+ be used to add custom SELinux policy to the base refpolicy
+ without having to deal with lots of patches.
+
+ Please note that with the current configuration of the
+ mainline refpolicy git repositories, a refpolicy and a
+ refpolicy-contrib git repo must be specified. These are
+ linked using a git submodule which does not get initialized
+ during the Buildroot build.
+
+if BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
+
+config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL
+ string "URL of custom repository"
+
+config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION
+ string "Custom repository version"
+ help
+ Revision to use in the typical format used by Git
+ e.g. a SHA id, a tag, branch, ..
+
+endif
+
+endif
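Review bot: The help for BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION invites a branch name, but the compiled policy is the basis of every access-control decision on the target, so building from a branch makes the policy in the image non-reproducible and changeable between builds without any visible diff; the help should steer users to a pinned revision, e.g. `Revision to use, preferably a commit SHA or a tag so the policy build is reproducible; a branch name is accepted but not recommended.` BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL has no help text at all; a line such as `Git URL of the refpolicy repository the policy is built from.` would match the surrounding options. Two copy-paste slips in the help text: BR2_PACKAGE_REFPOLICY_BOOLEAN_FILE ends with `the complete list of available modules` where `booleans` is meant, and the MCS/MLS prompts spell `catagory` for `category`. `select BR2_PACKAGE_REFPOLICY_CONTRIB` references a symbol not defined in this file; if it is defined elsewhere in the series that is fine, otherwise Kconfig will warn about an undefined symbol and the select is a no-op.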
new file mode 100644
@@ -0,0 +1,126 @@
+#!/bin/sh
+################################################################################
+#
+# This file labels the security contexts of memory based filesystems such as
+# /dev/ and checks for auto relabel request if '/.autorelabel' file exists.
+#
+# This script is a heavily stripped down and modified version of the one used
+# in CentOS 6.2
+#
+################################################################################
+
+failed()
+{
+ echo $1
+ exit 1
+}
+
+# Get SELinux config env vars
+. /etc/selinux/config || failed "Failed to source the SELinux config"
+
+setup_selinux() {
+ # Create required directories
+ mkdir -p /etc/selinux/${SELINUXTYPE}/policy/ ||
+ failed "Failed to create the policy folder"
+ mkdir -p /etc/selinux/${SELINUXTYPE}/modules/active/modules || \
+ failed "Failed to create the modules folder"
+ if [ ! -f /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local ]
+ then
+ touch /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts.local || \
+ failed "Failed to create the file_contexts.local file"
+ fi
+
+ # Load the policy to activate it
+ load_policy -i || failed "Failed to load the SELinux policy"
+}
+
+relabel_selinux() {
+ # if /sbin/init is not labeled correctly this process is running in the
+ # wrong context, so a reboot will be required after relabel
+ AUTORELABEL=
+
+ # Switch to Permissive mode
+ echo "0" > /sys/fs/selinux/enforce || failed "Failed to disable enforcing mode"
+
+ echo
+ echo "*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
+ echo "*** Relabeling could take a very long time, depending on file"
+ echo "*** system size and speed of hard drives."
+
+ # Relabel mount points
+ restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) \
+ >/dev/null 2>&1 || failed "Failed to relabel the mount points"
+
+ # Relabel file system
+ echo "Relabeling file systems"
+ restorecon -R -F / || failed "Failed to relabel the file system"
+
+ # Remove label
+ rm -f /.autorelabel || failed "Failed to remove the autorelabel flag"
+
+ # Reboot to activate relabeled file system
+ echo "Automatic reboot in progress."
+ reboot -f
+}
+
+start() {
+ printf "Initializing SELinux: "
+
+ # Check to see if the default policy has been installed
+ if [ "`sestatus | grep "SELinux status" | grep enabled`" == "" ]; then
+ if [ ! -f /etc/selinux/${SELINUXTYPE}/policy/policy.* ]
+ then
+ setup_selinux
+ else
+ # Load the policy to activate it
+ load_policy -i || failed "Failed to load the SELinux policy"
+ fi
+ fi
+
+ # Check SELinux status
+ SELINUX_STATE=
+ if [ -e "/selinux/enforce" ] && [ "$(cat /proc/self/attr/current)" != "kernel" ]; then
+ if [ -r "/selinux/enforce" ] ; then
+ SELINUX_STATE=$(cat "/selinux/enforce")
+ else
+ # assume enforcing if you can't read it
+ SELINUX_STATE=1
+ fi
+ fi
+
+ # Context Label /dev/
+ /sbin/restorecon -R -F /dev 2>/dev/null
+
+ # Context Label tmpfs mounts.
+ # using /proc/mounts to discover tmpfs mounts
+ /sbin/restorecon -R -F $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// && $3 =="tmpfs" { print $2 }' /etc/fstab) >/dev/null 2>&1
+
+ # Clean up SELinux labels
+ restorecon -F /etc/mtab /etc/ld.so.cache /etc/resolv.conf >/dev/null 2>&1
+
+ # Check for filesystem relabel request
+ if [ -f /.autorelabel ] ; then
+ relabel_selinux
+ fi
+
+ echo "OK"
+}
+stop() {
+ # There is nothing to do
+ echo "OK"
+}
+
+case "$1" in
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ *)
+ echo "Usage: $0 {start|stop}"
+ exit 1
+ ;;
+esac
+
+exit $?
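Review bot: SELINUX_STATE in start() is computed from the legacy `/selinux/enforce` path and then never read anywhere in the script, while relabel_selinux() writes `/sys/fs/selinux/enforce`; either drop the block or read the same selinuxfs path the rest of the script uses, otherwise the check is dead code that also disagrees with the mount point actually in use. The test `[ "`sestatus | grep "SELinux status" | grep enabled`" == "" ]` uses `==`, which POSIX `test` does not define and a non-bash `/bin/sh` such as dash rejects under this `#!/bin/sh` shebang; `=` behaves the same on every shell. SELINUXTYPE is taken from the sourced /etc/selinux/config and used unchecked to build the `/etc/selinux/${SELINUXTYPE}/...` paths, so an unset value makes setup_selinux() create and populate `/etc/selinux//policy/`; a guard right after the config is sourced, `[ -n "$SELINUXTYPE" ] || failed "SELINUXTYPE is not set in /etc/selinux/config"`, fails early with a clear message instead.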
new file mode 100644
@@ -0,0 +1,1278 @@
+#
+# Disable kernel module loading.
+#
+secure_mode_insmod = false
+
+#
+# Boolean to determine whether the system permits loading policy, setting
+# enforcing mode, and changing boolean values. Set this to true and you
+# have to reboot to set it back.
+#
+secure_mode_policyload = false
+
+#
+# Enabling secure mode disallows programs, such as
+# newrole, from transitioning to administrative
+# user domains.
+#
+secure_mode = false
+
+#
+# Control users use of ping and traceroute
+#
+user_ping = false
+
+#
+# Determine whether ABRT can modify
+# public files used for public file
+# transfer services.
+#
+abrt_anon_write = false
+
+#
+# Determine whether abrt-handle-upload
+# can modify public files used for public file
+# transfer services in /var/spool/abrt-upload/.
+#
+abrt_upload_watch_anon_write = true
+
+#
+# Determine whether ABRT can run in
+# the abrt_handle_event_t domain to
+# handle ABRT event scripts.
+#
+abrt_handle_event = false
+
+#
+# Determine whether amavis can
+# use JIT compiler.
+#
+amavis_use_jit = false
+
+#
+# Determine whether httpd can modify
+# public files used for public file
+# transfer services. Directories/Files must
+# be labeled public_content_rw_t.
+#
+allow_httpd_anon_write = false
+
+#
+# Determine whether httpd can use mod_auth_pam.
+#
+allow_httpd_mod_auth_pam = false
+
+#
+# Determine whether httpd can use built in scripting.
+#
+httpd_builtin_scripting = false
+
+#
+# Determine whether httpd can check spam.
+#
+httpd_can_check_spam = false
+
+#
+# Determine whether httpd scripts and modules
+# can connect to the network using TCP.
+#
+httpd_can_network_connect = true
+
+#
+# Determine whether httpd scripts and modules
+# can connect to cobbler over the network.
+#
+httpd_can_network_connect_cobbler = false
+
+#
+# Determine whether scripts and modules can
+# connect to databases over the network.
+#
+httpd_can_network_connect_db = false
+
+#
+# Determine whether httpd can connect to
+# ldap over the network.
+#
+httpd_can_network_connect_ldap = false
+
+#
+# Determine whether httpd can connect
+# to memcache server over the network.
+#
+httpd_can_network_connect_memcache = false
+
+#
+# Determine whether httpd can act as a relay.
+#
+httpd_can_network_relay = false
+
+#
+# Determine whether httpd daemon can
+# connect to zabbix over the network.
+#
+httpd_can_network_connect_zabbix = false
+
+#
+# Determine whether httpd can send mail.
+#
+httpd_can_sendmail = false
+
+#
+# Determine whether httpd can communicate
+# with avahi service via dbus.
+#
+httpd_dbus_avahi = false
+
+#
+# Determine wether httpd can use support.
+#
+httpd_enable_cgi = false
+
+#
+# Determine whether httpd can act as a
+# FTP server by listening on the ftp port.
+#
+httpd_enable_ftp_server = false
+
+#
+# Determine whether httpd can traverse
+# user home directories.
+#
+httpd_enable_homedirs = false
+
+#
+# Determine whether httpd gpg can modify
+# public files used for public file
+# transfer services. Directories/Files must
+# be labeled public_content_rw_t.
+#
+httpd_gpg_anon_write = false
+
+#
+# Determine whether httpd can execute
+# its temporary content.
+#
+httpd_tmp_exec = false
+
+#
+# Determine whether httpd scripts and
+# modules can use execmem and execstack.
+#
+httpd_execmem = true
+
+#
+# Determine whether httpd can connect
+# to port 80 for graceful shutdown.
+#
+httpd_graceful_shutdown = false
+
+#
+# Determine whether httpd can
+# manage IPA content files.
+#
+httpd_manage_ipa = false
+
+#
+# Determine whether httpd can use mod_auth_ntlm_winbind.
+#
+httpd_mod_auth_ntlm_winbind = false
+
+#
+# Determine whether httpd can read
+# generic user home content files.
+#
+httpd_read_user_content = true
+
+#
+# Determine whether httpd can change
+# its resource limits.
+#
+httpd_setrlimit = false
+
+#
+# Determine whether httpd can run
+# SSI executables in the same domain
+# as system CGI scripts.
+#
+httpd_ssi_exec = false
+
+#
+# Determine whether httpd can communicate
+# with the terminal. Needed for entering the
+# passphrase for certificates at the terminal.
+#
+httpd_tty_comm = false
+
+#
+# Determine whether httpd can have full access
+# to its content types.
+#
+httpd_unified = false
+
+#
+# Determine whether httpd can use
+# cifs file systems.
+#
+httpd_use_cifs = false
+
+#
+# Determine whether httpd can
+# use fuse file systems.
+#
+httpd_use_fusefs = false
+
+#
+# Determine whether httpd can use gpg.
+#
+httpd_use_gpg = false
+
+#
+# Determine whether httpd can use
+# nfs file systems.
+#
+httpd_use_nfs = false
+
+#
+# Determine whether awstats can
+# purge httpd log files.
+#
+awstats_purge_apache_log_files = false
+
+#
+# Determine whether Bind can bind tcp socket to http ports.
+#
+named_tcp_bind_http_port = false
+
+#
+# Determine whether Bind can write to master zone files.
+# Generally this is used for dynamic DNS or zone transfers.
+#
+named_write_master_zones = false
+
+#
+# Determine whether boinc can execmem/execstack.
+#
+boinc_execmem = true
+
+#
+# Determine whether cdrecord can read
+# various content. nfs, samba, removable
+# devices, user temp and untrusted
+# content files
+#
+cdrecord_read_content = false
+
+#
+# Determine whether clamscan can
+# read user content files.
+#
+clamav_read_user_content_files_clamscan = false
+
+#
+# Determine whether clamscan can read
+# all non-security files.
+#
+clamav_read_all_non_security_files_clamscan = false
+
+#
+# Determine whether can clamd use JIT compiler.
+#
+clamd_use_jit = false
+
+#
+# Determine whether Cobbler can modify
+# public files used for public file
+# transfer services.
+#
+cobbler_anon_write = false
+
+#
+# Determine whether Cobbler can connect
+# to the network using TCP.
+#
+cobbler_can_network_connect = false
+
+#
+# Determine whether Cobbler can access
+# cifs file systems.
+#
+cobbler_use_cifs = false
+
+#
+# Determine whether Cobbler can access
+# nfs file systems.
+#
+cobbler_use_nfs = false
+
+#
+# Determine whether collectd can connect
+# to the network using TCP.
+#
+collectd_tcp_network_connect = false
+
+#
+# Determine whether Condor can connect
+# to the network using TCP.
+#
+condor_tcp_network_connect = false
+
+#
+# Determine whether system cron jobs
+# can relabel filesystem for
+# restoring file contexts.
+#
+cron_can_relabel = false
+
+#
+# Determine whether crond can execute jobs
+# in the user domain as opposed to the
+# the generic cronjob domain.
+#
+cron_userdomain_transition = false
+
+#
+# Determine whether extra rules
+# should be enabled to support fcron.
+#
+fcron_crond = false
+
+#
+# Determine whether cvs can read shadow
+# password files.
+#
+allow_cvs_read_shadow = false
+
+#
+# Determine whether dbadm can manage
+# generic user files.
+#
+dbadm_manage_user_files = false
+
+#
+# Determine whether dbadm can read
+# generic user files.
+#
+dbadm_read_user_files = false
+
+#
+# Determine whether DHCP daemon
+# can use LDAP backends.
+#
+dhcpd_use_ldap = false
+
+#
+# Determine whether entropyd can use
+# audio devices as the source for
+# the entropy feeds.
+#
+entropyd_use_audio = false
+
+#
+# Determine whether exim can connect to
+# databases.
+#
+exim_can_connect_db = false
+
+#
+# Determine whether exim can read generic
+# user content files.
+#
+exim_read_user_files = false
+
+#
+# Determine whether exim can create,
+# read, write, and delete generic user
+# content files.
+#
+exim_manage_user_files = false
+
+#
+# Determine whether ftpd can modify
+# public files used for public file
+# transfer services. Directories/Files must
+# be labeled public_content_rw_t.
+#
+allow_ftpd_anon_write = false
+
+#
+# Determine whether ftpd can login to
+# local users and can read and write
+# all files on the system, governed by DAC.
+#
+allow_ftpd_full_access = false
+
+#
+# Determine whether ftpd can use CIFS
+# used for public file transfer services.
+#
+allow_ftpd_use_cifs = false
+
+#
+# Determine whether ftpd can use NFS
+# used for public file transfer services.
+#
+allow_ftpd_use_nfs = false
+
+#
+# Determine whether ftpd can connect to
+# databases over the TCP network.
+#
+ftpd_connect_db = false
+
+#
+# Determine whether ftpd can bind to all
+# unreserved ports for passive mode.
+#
+ftpd_use_passive_mode = false
+
+#
+# Determine whether ftpd can connect to
+# all unreserved ports.
+#
+ftpd_connect_all_unreserved = false
+
+#
+# Determine whether ftpd can read and write
+# files in user home directories.
+#
+ftp_home_dir = false
+
+#
+# Determine whether sftpd can modify
+# public files used for public file
+# transfer services. Directories/Files must
+# be labeled public_content_rw_t.
+#
+sftpd_anon_write = false
+
+#
+# Determine whether sftpd-can read and write
+# files in user home directories.
+#
+sftpd_enable_homedirs = false
+
+#
+# Determine whether sftpd-can login to
+# local users and read and write all
+# files on the system, governed by DAC.
+#
+sftpd_full_access = false
+
+#
+# Determine whether sftpd can read and write
+# files in user ssh home directories.
+#
+sftpd_write_ssh_home = false
+
+#
+# Determine whether Git CGI
+# can search home directories.
+#
+git_cgi_enable_homedirs = false
+
+#
+# Determine whether Git CGI
+# can access cifs file systems.
+#
+git_cgi_use_cifs = false
+
+#
+# Determine whether Git CGI
+# can access nfs file systems.
+#
+git_cgi_use_nfs = false
+
+#
+# Determine whether Git session daemon
+# can bind TCP sockets to all
+# unreserved ports.
+#
+git_session_bind_all_unreserved_ports = false
+
+#
+# Determine whether calling user domains
+# can execute Git daemon in the
+# git_session_t domain.
+#
+git_session_users = false
+
+#
+# Determine whether Git session daemons
+# can send syslog messages.
+#
+git_session_send_syslog_msg = false
+
+#
+# Determine whether Git system daemon
+# can search home directories.
+#
+git_system_enable_homedirs = false
+
+#
+# Determine whether Git system daemon
+# can access cifs file systems.
+#
+git_system_use_cifs = false
+
+#
+# Determine whether Git system daemon
+# can access nfs file systems.
+#
+git_system_use_nfs = false
+
+#
+# Determine whether Gitosis can send mail.
+#
+gitosis_can_sendmail = false
+
+#
+# Determine whether GPG agent can manage
+# generic user home content files. This is
+# required by the --write-env-file option.
+#
+gpg_agent_env_file = false
+
+#
+# Determine whether icecast can listen
+# on and connect to any TCP port.
+#
+icecast_use_any_tcp_ports = false
+
+#
+# Determine whether irc clients can
+# listen on and connect to any
+# unreserved TCP ports.
+#
+irc_use_any_tcp_ports = false
+
+#
+# Determine whether java can make
+# its stack executable.
+#
+allow_java_execstack = false
+
+#
+# Determine whether kerberos is supported.
+#
+allow_kerberos = false
+
+#
+# Determine whether logwatch can connect
+# to mail over the network.
+#
+logwatch_can_network_connect_mail = false
+
+#
+# Determine whether to support lpd server.
+#
+use_lpd_server = false
+
+#
+# Determine whether mcelog supports
+# client mode.
+#
+mcelog_client = false
+
+#
+# Determine whether mcelog can execute scripts.
+#
+mcelog_exec_scripts = true
+
+#
+# Determine whether mcelog can use all
+# the user ttys.
+#
+mcelog_foreground = false
+
+#
+# Determine whether mcelog supports
+# server mode.
+#
+mcelog_server = false
+
+#
+# Determine whether mcelog can use syslog.
+#
+mcelog_syslog = false
+
+#
+# Determine whether minidlna can read generic user content.
+#
+minidlna_read_generic_user_content = false
+
+#
+# Determine whether mozilla can
+# make its stack executable.
+#
+mozilla_execstack = false
+
+#
+# Determine whether mpd can traverse
+# user home directories.
+#
+mpd_enable_homedirs = false
+
+#
+# Determine whether mpd can use
+# cifs file systems.
+#
+mpd_use_cifs = false
+
+#
+# Determine whether mpd can use
+# nfs file systems.
+#
+mpd_use_nfs = false
+
+#
+# Determine whether mplayer can make
+# its stack executable.
+#
+allow_mplayer_execstack = false
+
+#
+# Determine whether mysqld can
+# connect to all TCP ports.
+#
+mysql_connect_any = false
+
+#
+# Determine whether confined applications
+# can use nscd shared memory.
+#
+nscd_use_shm = false
+
+#
+# Determine whether openvpn can
+# read generic user home content files.
+#
+openvpn_enable_homedirs = false
+
+#
+# Determine whether openvpn can
+# connect to the TCP network.
+#
+openvpn_can_network_connect = false
+
+#
+# Determine whether Polipo system
+# daemon can access CIFS file systems.
+#
+polipo_system_use_cifs = false
+
+#
+# Determine whether Polipo system
+# daemon can access NFS file systems.
+#
+polipo_system_use_nfs = false
+
+#
+# Determine whether calling user domains
+# can execute Polipo daemon in the
+# polipo_session_t domain.
+#
+polipo_session_users = false
+
+#
+# Determine whether Polipo session daemon
+# can send syslog messages.
+#
+polipo_session_send_syslog_msg = false
+
+#
+# Determine whether portage can
+# use nfs filesystems.
+#
+portage_use_nfs = false
+
+#
+# Determine whether postfix local
+# can manage mail spool content.
+#
+postfix_local_write_mail_spool = true
+
+#
+# Determine whether pppd can
+# load kernel modules.
+#
+pppd_can_insmod = false
+
+#
+# Determine whether common users can
+# run pppd with a domain transition.
+#
+pppd_for_user = false
+
+#
+# Determine whether privoxy can
+# connect to all tcp ports.
+#
+privoxy_connect_any = false
+
+#
+# Determine whether puppet can
+# manage all non-security files.
+#
+puppet_manage_all_files = false
+
+#
+# Determine whether qemu has full
+# access to the network.
+#
+qemu_full_network = false
+
+#
+# Determine whether rgmanager can
+# connect to the network using TCP.
+#
+rgmanager_can_network_connect = false
+
+#
+# Determine whether fenced can
+# connect to the TCP network.
+#
+fenced_can_network_connect = false
+
+#
+# Determine whether fenced can use ssh.
+#
+fenced_can_ssh = false
+
+#
+# Determine whether gssd can read
+# generic user temporary content.
+#
+allow_gssd_read_tmp = false
+
+#
+# Determine whether gssd can write
+# generic user temporary content.
+#
+allow_gssd_write_tmp = false
+
+#
+# Determine whether nfs can modify
+# public files used for public file
+# transfer services. Directories/Files must
+# be labeled public_content_rw_t.
+#
+allow_nfsd_anon_write = false
+
+#
+# Determine whether rsync can use
+# cifs file systems.
+#
+rsync_use_cifs = false
+
+#
+# Determine whether rsync can
+# use fuse file systems.
+#
+rsync_use_fusefs = false
+
+#
+# Determine whether rsync can use
+# nfs file systems.
+#
+rsync_use_nfs = false
+
+#
+# Determine whether rsync can
+# run as a client
+#
+rsync_client = false
+
+#
+# Determine whether rsync can
+# export all content read only.
+#
+rsync_export_all_ro = false
+
+#
+# Determine whether rsync can modify
+# public files used for public file
+# transfer services. Directories/Files must
+# be labeled public_content_rw_t.
+#
+allow_rsync_anon_write = false
+
+#
+# Determine whether samba can modify
+# public files used for public file
+# transfer services. Directories/Files must
+# be labeled public_content_rw_t.
+#
+allow_smbd_anon_write = false
+
+#
+# Determine whether samba can
+# create home directories via pam.
+#
+samba_create_home_dirs = false
+
+#
+# Determine whether samba can act as the
+# domain controller, add users, groups
+# and change passwords.
+#
+samba_domain_controller = false
+
+#
+# Determine whether samba can
+# act as a portmapper.
+#
+samba_portmapper = false
+
+#
+# Determine whether samba can share
+# users home directories.
+#
+samba_enable_home_dirs = false
+
+#
+# Determine whether samba can share
+# any content read only.
+#
+samba_export_all_ro = false
+
+#
+# Determine whether samba can share any
+# content readable and writable.
+#
+samba_export_all_rw = false
+
+#
+# Determine whether samba can
+# run unconfined scripts.
+#
+samba_run_unconfined = false
+
+#
+# Determine whether samba can
+# use nfs file systems.
+#
+samba_share_nfs = false
+
+#
+# Determine whether samba can
+# use fuse file systems.
+#
+samba_share_fusefs = false
+
+#
+# Determine whether sanlock can use
+# nfs file systems.
+#
+sanlock_use_nfs = false
+
+#
+# Determine whether sanlock can use
+# cifs file systems.
+#
+sanlock_use_samba = false
+
+#
+# Determine whether sasl can
+# read shadow files.
+#
+allow_saslauthd_read_shadow = false
+
+#
+# Determine whether smartmon can support
+# devices on 3ware controllers.
+#
+smartmon_3ware = false
+
+#
+# Determine whether spamassassin
+# clients can use the network.
+#
+spamassassin_can_network = false
+
+#
+# Determine whether spamd can manage
+# generic user home content.
+#
+spamd_enable_home_dirs = false
+
+#
+# Determine whether squid can
+# connect to all TCP ports.
+#
+squid_connect_any = false
+
+#
+# Determine whether squid can run
+# as a transparent proxy.
+#
+squid_use_tproxy = false
+
+#
+# Determine whether telepathy connection
+# managers can connect to generic tcp ports.
+#
+telepathy_tcp_connect_generic_network_ports = false
+
+#
+# Determine whether telepathy connection
+# managers can connect to any port.
+#
+telepathy_connect_all_ports = false
+
+#
+# Determine whether tftp can modify
+# public files used for public file
+# transfer services. Directories/Files must
+# be labeled public_content_rw_t.
+#
+tftp_anon_write = false
+
+#
+# Determine whether tftp can manage
+# generic user home content.
+#
+tftp_enable_homedir = false
+
+#
+# Determine whether tor can bind
+# tcp sockets to all unreserved ports.
+#
+tor_bind_all_unreserved_ports = false
+
+#
+# Determine whether varnishd can
+# use the full TCP network.
+#
+varnishd_connect_any = false
+
+#
+# Determine whether attempts by
+# vbetool to mmap low regions should
+# be silently blocked.
+#
+vbetool_mmap_zero_ignore = false
+
+#
+# Determine whether confined virtual guests
+# can use serial/parallel communication ports.
+#
+virt_use_comm = false
+
+#
+# Determine whether confined virtual guests
+# can use executable memory and can make
+# their stack executable.
+#
+virt_use_execmem = false
+
+#
+# Determine whether confined virtual guests
+# can use fuse file systems.
+#
+virt_use_fusefs = false
+
+#
+# Determine whether confined virtual guests
+# can use nfs file systems.
+#
+virt_use_nfs = false
+
+#
+# Determine whether confined virtual guests
+# can use cifs file systems.
+#
+virt_use_samba = false
+
+#
+# Determine whether confined virtual guests
+# can manage device configuration.
+#
+virt_use_sysfs = false
+
+#
+# Determine whether confined virtual guests
+# can use usb devices.
+#
+virt_use_usb = false
+
+#
+# Determine whether confined virtual guests
+# can interact with xserver.
+#
+virt_use_xserver = false
+
+#
+# Determine whether confined virtual guests
+# can use vfio for pci device pass through (vt-d).
+#
+virt_use_vfio = false
+
+#
+# Determine whether webadm can
+# manage generic user files.
+#
+webadm_manage_user_files = false
+
+#
+# Determine whether webadm can
+# read generic user files.
+#
+webadm_read_user_files = false
+
+#
+# Determine whether attempts by
+# wine to mmap low regions should
+# be silently blocked.
+#
+wine_mmap_zero_ignore = false
+
+#
+# Determine whether xend can
+# run blktapctrl and tapdisk.
+#
+xend_run_blktap = false
+
+#
+# Determine whether xen can
+# use fusefs file systems.
+#
+xen_use_fusefs = false
+
+#
+# Determine whether xen can
+# use nfs file systems.
+#
+xen_use_nfs = false
+
+#
+# Determine whether xen can
+# use samba file systems.
+#
+xen_use_samba = false
+
+#
+# Determine whether xguest can
+# mount removable media.
+#
+xguest_mount_media = false
+
+#
+# Determine whether xguest can
+# configure network manager.
+#
+xguest_connect_network = false
+
+#
+# Determine whether xguest can
+# use blue tooth devices.
+#
+xguest_use_bluetooth = false
+
+#
+# Determine whether zabbix can
+# connect to all TCP ports
+#
+zabbix_can_network = false
+
+#
+# Determine whether zebra daemon can
+# manage its configuration files.
+#
+allow_zebra_write_config = false
+
+#
+# Control the ability to mmap a low area of the address space,
+# as configured by /proc/sys/kernel/mmap_min_addr.
+#
+mmap_low_allowed = false
+
+#
+# Allow sysadm to debug or ptrace all processes.
+#
+allow_ptrace = false
+
+#
+# Allow unprived users to execute DDL statement
+#
+sepgsql_enable_users_ddl = false
+
+#
+# Allow transmit client label to foreign database
+#
+sepgsql_transmit_client_label = false
+
+#
+# Allow database admins to execute DML statement
+#
+sepgsql_unconfined_dbadm = false
+
+#
+# allow host key based authentication
+#
+allow_ssh_keysign = false
+
+#
+# Allow ssh logins as sysadm_r:sysadm_t
+#
+ssh_sysadm_login = false
+
+#
+# Allow ssh to use gpg-agent
+#
+ssh_use_gpg_agent = false
+
+#
+# Allows clients to write to the X server shared
+# memory segments.
+#
+allow_write_xshm = false
+
+#
+# Allow xdm logins as sysadm
+#
+xdm_sysadm_login = false
+
+#
+# Support X userspace object manager
+#
+xserver_object_manager = false
+
+#
+# Allow users to resolve user passwd entries directly from ldap rather then using a sssd server
+#
+authlogin_nsswitch_use_ldap = false
+
+#
+# Enable support for upstart as the init program.
+#
+init_upstart = false
+
+#
+# Allow racoon to read shadow
+#
+racoon_read_shadow = false
+
+#
+# Allow the mount command to mount any directory or file.
+#
+allow_mount_anyfile = false
+
+#
+# Enable support for systemd-tmpfiles to manage all non-security files.
+#
+systemd_tmpfiles_manage_all = false
+
+#
+# Allow users to connect to mysql
+#
+allow_user_mysql_connect = false
+
+#
+# Allow users to connect to PostgreSQL
+#
+allow_user_postgresql_connect = false
+
+#
+# Allow regular users direct mouse access
+#
+user_direct_mouse = false
+
+#
+# Allow users to read system messages.
+#
+user_dmesg = false
+
+#
+# Allow user to r/w files on filesystems
+# that do not have extended attributes (FAT, CDROM, FLOPPY)
+#
+user_rw_noexattrfile = false
+
+#
+# Allow w to display everyone
+#
+user_ttyfile_stat = false
+
+#
+# Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
+#
+allow_execheap = false
+
+#
+# Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
+#
+allow_execmem = false
+
+#
+# Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
+#
+allow_execmod = false
+
+#
+# Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
+#
+allow_execstack = false
+
+#
+# Enable polyinstantiated directory support.
+#
+allow_polyinstantiation = false
+
+#
+# Allow system to run with NIS
+#
+allow_ypbind = false
+
+#
+# Allow logging in and using the system from /dev/console.
+#
+console_login = true
+
+#
+# Enable reading of urandom for all domains.
+#
+#
+#
+#
+# This should be enabled when all programs
+# are compiled with ProPolice/SSP
+# stack smashing protection. All domains will
+# be allowed to read from /dev/urandom.
+#
+global_ssp = false
+
+#
+# Allow email client to various content.
+# nfs, samba, removable devices, and user temp
+# files
+#
+mail_read_content = false
+
+#
+# Allow any files/directories to be exported read/write via NFS.
+#
+nfs_export_all_rw = false
+
+#
+# Allow any files/directories to be exported read/only via NFS.
+#
+nfs_export_all_ro = false
+
+#
+# Support NFS home directories
+#
+use_nfs_home_dirs = false
+
+#
+# Support SAMBA home directories
+#
+use_samba_home_dirs = false
+
+#
+# Allow users to run TCP servers (bind to ports and accept connection from
+# the same domain and outside users) disabling this forces FTP passive mode
+# and may change other protocols.
+#
+user_tcp_server = false
+
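Review bot: Several booleans in this file default to `true` where every neighbouring entry is `false` — `httpd_can_network_connect`, `httpd_execmem`, `httpd_read_user_content`, `boinc_execmem`, `mcelog_exec_scripts`, `abrt_upload_watch_anon_write`, `postfix_local_write_mail_spool` and `console_login` — and neither the file nor the commit message says why Buildroot's shipped policy widens these; each such entry should carry a one-line `# Buildroot default: enabled because ...` comment so someone hardening the image can tell a deliberate choice from an accident. The httpd ones in particular relax exactly what the comment above each line describes (executable memory for httpd scripts and modules, outbound TCP from httpd), so a reader who only skims the descriptions will assume the restrictive behaviour still applies. The descriptions for `allow_execmem`, `allow_execmod` and `allow_execstack` end in a stray `")` left over from the macro they were extracted from, and the `global_ssp` block has three empty `#` lines in the middle; presumably comment-only for the parser, but worth tidying while the file is new.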
new file mode 100644
@@ -0,0 +1,8 @@
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+# enforcing - SELinux security policy is enforced.
+# permissive - SELinux prints warnings instead of enforcing.
+# disabled - No SELinux policy is loaded.
+SELINUX=permissive
+# SELINUXTYPE= name of the selinux policy to use
+SELINUXTYPE=refpolicy
new file mode 100644
@@ -0,0 +1,430 @@
+#
+# This file contains a listing of available modules.
+# To prevent a module from being used in policy
+# creation, set the module name to "off".
+#
+# For monolithic policies, modules set to "base" and "module"
+# will be built into the policy.
+#
+# For modular policies, modules set to "base" will be
+# included in the base module. "module" will be compiled
+# as individual loadable modules.
+#
+
+# Layer: kernel
+# Module: corecommands
+# Required in base
+#
+# Core policy for shells, and generic programs
+# in /bin, /sbin, /usr/bin, and /usr/sbin.
+#
+corecommands = base
+
+# Layer: kernel
+# Module: corenetwork
+# Required in base
+#
+# Policy controlling access to network objects
+#
+corenetwork = base
+
+# Layer: kernel
+# Module: devices
+# Required in base
+#
+# Device nodes and interfaces for many basic system devices.
+#
+devices = base
+
+# Layer: kernel
+# Module: domain
+# Required in base
+#
+# Core policy for domains.
+#
+domain = base
+
+# Layer: kernel
+# Module: files
+# Required in base
+#
+# Basic filesystem types and interfaces.
+#
+files = base
+
+# Layer: kernel
+# Module: alsa
+# Required in base
+#
+# alsa types and interfaces.
+#
+alsa = base
+
+# Layer: kernel
+# Module: mta
+# Required in base
+#
+# mta types and interfaces.
+#
+mta = base
+
+# Layer: kernel
+# Module: apache
+# Required in base
+#
+# apache types and interfaces.
+#
+apache = base
+
+# Layer: kernel
+# Module: filesystem
+# Required in base
+#
+# Policy for filesystems.
+#
+filesystem = base
+
+# Layer: kernel
+# Module: kernel
+# Required in base
+#
+# Policy for kernel threads, proc filesystem,
+# and unlabeled processes and objects.
+#
+kernel = base
+
+# Layer: kernel
+# Module: mcs
+# Required in base
+#
+# Multicategory security policy
+#
+mcs = base
+
+# Layer: kernel
+# Module: mls
+# Required in base
+#
+# Multilevel security policy
+#
+mls = base
+
+# Layer: kernel
+# Module: selinux
+# Required in base
+#
+# Policy for kernel security interface, in particular, selinuxfs.
+#
+selinux = base
+
+# Layer: kernel
+# Module: terminal
+# Required in base
+#
+# Policy for terminals.
+#
+terminal = base
+
+# Layer: kernel
+# Module: ubac
+# Required in base
+#
+# User-based access control policy
+#
+ubac = base
+
+# Layer: admin
+# Module: bootloader
+#
+# Policy for the kernel modules, kernel image, and bootloader.
+#
+bootloader = module
+
+# Layer: admin
+# Module: consoletype
+#
+# Determine of the console connected to the controlling terminal.
+#
+consoletype = module
+
+# Layer: admin
+# Module: dmesg
+#
+# Policy for dmesg.
+#
+dmesg = module
+
+# Layer: admin
+# Module: netutils
+#
+# Network analysis utilities
+#
+netutils = module
+
+# Layer: admin
+# Module: su
+#
+# Run shells with substitute user and group
+#
+su = module
+
+# Layer: admin
+# Module: sudo
+#
+# Execute a command with a substitute user
+#
+sudo = module
+
+# Layer: admin
+# Module: usermanage
+#
+# Policy for managing user accounts.
+#
+usermanage = module
+
+# Layer: apps
+# Module: seunshare
+#
+# Filesystem namespacing/polyinstantiation application.
+#
+seunshare = module
+
+# Layer: kernel
+# Module: storage
+#
+# Policy controlling access to storage devices
+#
+storage = module
+
+# Layer: roles
+# Module: auditadm
+#
+# Audit administrator role
+#
+auditadm = module
+
+# Layer: roles
+# Module: logadm
+#
+# Log administrator role
+#
+logadm = module
+
+# Layer: roles
+# Module: secadm
+#
+# Security administrator role
+#
+secadm = module
+
+# Layer: roles
+# Module: staff
+#
+# Administrator's unprivileged user role
+#
+staff = module
+
+# Layer: roles
+# Module: sysadm
+#
+# General system administration role
+#
+sysadm = module
+
+# Layer: roles
+# Module: unprivuser
+#
+# Generic unprivileged user role
+#
+unprivuser = module
+
+# Layer: services
+# Module: postgresql
+#
+# PostgreSQL relational database
+#
+postgresql = module
+
+# Layer: services
+# Module: ssh
+#
+# Secure shell client and server policy.
+#
+ssh = module
+
+# Layer: services
+# Module: xserver
+#
+# X Windows Server
+#
+xserver = module
+
+# Layer: system
+# Module: application
+#
+# Policy for user executable applications.
+#
+application = module
+
+# Layer: system
+# Module: authlogin
+#
+# Common policy for authentication and user login.
+#
+authlogin = module
+
+# Layer: system
+# Module: clock
+#
+# Policy for reading and setting the hardware clock.
+#
+clock = module
+
+# Layer: system
+# Module: fstools
+#
+# Tools for filesystem management, such as mkfs and fsck.
+#
+fstools = module
+
+# Layer: system
+# Module: getty
+#
+# Policy for getty.
+#
+getty = module
+
+# Layer: system
+# Module: hostname
+#
+# Policy for changing the system host name.
+#
+hostname = module
+
+# Layer: system
+# Module: hotplug
+#
+# Policy for hotplug system, for supporting the
+# connection and disconnection of devices at runtime.
+#
+hotplug = module
+
+# Layer: system
+# Module: init
+#
+# System initialization programs (init and init scripts).
+#
+init = module
+
+# Layer: system
+# Module: ipsec
+#
+# TCP/IP encryption
+#
+ipsec = module
+
+# Layer: system
+# Module: iptables
+#
+# Policy for iptables.
+#
+iptables = module
+
+# Layer: system
+# Module: libraries
+#
+# Policy for system libraries.
+#
+libraries = module
+
+# Layer: system
+# Module: locallogin
+#
+# Policy for local logins.
+#
+locallogin = module
+
+# Layer: system
+# Module: logging
+#
+# Policy for the kernel message logger and system logging daemon.
+#
+logging = module
+
+# Layer: system
+# Module: lvm
+#
+# Policy for logical volume management programs.
+#
+lvm = module
+
+# Layer: system
+# Module: miscfiles
+#
+# Miscelaneous files.
+#
+miscfiles = module
+
+# Layer: system
+# Module: modutils
+#
+# Policy for kernel module utilities
+#
+modutils = module
+
+# Layer: system
+# Module: mount
+#
+# Policy for mount.
+#
+mount = module
+
+# Layer: system
+# Module: netlabel
+#
+# NetLabel/CIPSO labeled networking management
+#
+netlabel = module
+
+# Layer: system
+# Module: selinuxutil
+#
+# Policy for SELinux policy and userland applications.
+#
+selinuxutil = module
+
+# Layer: system
+# Module: setrans
+#
+# SELinux MLS/MCS label translation service.
+#
+setrans = module
+
+# Layer: system
+# Module: sysnetwork
+#
+# Policy for network configuration: ifconfig and dhcp client.
+#
+sysnetwork = module
+
+# Layer: system
+# Module: udev
+#
+# Policy for udev.
+#
+udev = module
+
+# Layer: system
+# Module: unconfined
+#
+# The unconfined domain.
+#
+unconfined = module
+
+# Layer: system
+# Module: userdomain
+#
+# Policy for user domains
+#
+userdomain = module
+
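Review bot: The `alsa`, `mta` and `apache` entries carry the same `# Layer: kernel` / `# Required in base` header as the kernel-layer entries above them, which looks copied rather than accurate; if I read the upstream refpolicy layout right, alsa lives in the admin layer and mta and apache in the services layer, and none of the three is required in base, so the headers misdescribe why they are set to `base`. If they are built into base deliberately (for instance because other enabled modules need their interfaces), a one-line comment stating that reason in place of `# Required in base` would spare the next reader the guess; otherwise `module` would match the neighbouring services entries. Two comment typos in the same file: `# Determine of the console connected to the controlling terminal.` should read `# Determine the type of the console connected to the controlling terminal.`, and `# Miscelaneous files.` should be `# Miscellaneous files.`.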
new file mode 100644
@@ -0,0 +1,2 @@
+#From https://github.com/TresysTechnology/refpolicy/wiki/DownloadRelease
+sha256 2dd2f45a7132137afe8302805c3b7839739759b9ab73dd1815c01afe34ac99de refpolicy-2.20151208.tar.bz2
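Review bot: The hash is recorded for `refpolicy-2.20151208.tar.bz2`, but refpolicy.mk in the next hunk fetches the sources with `REFPOLICY_SITE_METHOD = git` at tag `RELEASE_2_20151208`, so the file Buildroot actually downloads will not carry this name and, as far as these hunks show, the listed sha256 is never compared against anything. The integrity of the fetched tree then rests on the git tag alone while the `.hash` file suggests a verification that does not happen. Either fetch the release tarball that this hash describes (plain `REFPOLICY_SITE` pointing at the archive, no git method), or drop the entry until the download is something the hash can check.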
new file mode 100644
@@ -0,0 +1,111 @@
+################################################################################
+#
+# refpolicy
+#
+################################################################################
+
+REFPOLICY_VERSION = RELEASE_2_20151208
+REFPOLICY_SITE = https://github.com/TresysTechnology/refpolicy.git
+REFPOLICY_SITE_METHOD = git
+REFPOLICY_GIT_SUBMODULES = y
+REFPOLICY_LICENSE = GPLv2
+REFPOLICY_LICENSE_FILES = COPYING
+
+# Cannot use multiple threads to build the reference policy
+REFPOLICY_MAKE = $(TARGET_MAKE_ENV) $(MAKE1)
+
+REFPOLICY_DEPENDENCIES += host-m4 host-checkpolicy host-policycoreutils \
+ host-setools host-gawk host-python policycoreutils
+
+REFPOLICY_INSTALL_STAGING = YES
+
+
+# To apply board specific customizations, create a refpolicy folder in
+# BR2_GLOBAL_PATCH_DIR. These patches will be applied after the patches
+# in package/refpolicy
+
+# Passing the HOST_CONFIGURE_OPTS to the target build because all of the
+# build utilities are expected to be on system. This fools the make files
+# into using the host built utilities to compile the SELinux policy for
+# the target.
+#
+# Note, the TEST_TOOLCHAIN option will also set the
+# LD_LIBRARY_PATH at run time.
+REFPOLICY_MAKE_OPTS = $(HOST_CONFIGURE_OPTS) \
+ TEST_TOOLCHAIN="$(HOST_DIR)"
+
+# Build requires python2 to run
+REFPOLICY_MAKE_ENV = \
+ PYTHON="$(HOST_DIR)/usr/bin/python2" \
+ AWK="$(HOST_DIR)/usr/bin/gawk" \
+ M4="$(HOST_DIR)/usr/bin/m4"
+
+
+ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)
+REFPOLICY_MONOLITHIC = n
+else
+REFPOLICY_MONOLITHIC = y
+endif
+
+REFPOLICY_MODULES_FILE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_MODULES_FILE))
+define REFPOLICY_CUSTOM_MODULES_CONF
+ cp $(REFPOLICY_MODULES_FILE) $(@D)/policy/modules.conf
+endef
+
+REFPOLICY_BOOLEAN_FILE = $(call qstrip,$(BR2_PACKAGE_REFPOLICY_BOOLEAN_FILE))
+define REFPOLICY_CUSTOM_BOOLEAN_CONF
+ cp $(REFPOLICY_BOOLEAN_FILE) $(@D)/policy/booleans.conf
+endef
+
+define REFPOLICY_CONFIGURE_CMDS
+ # If an external repo is used to build refpolicy, this preserves the
+ # custom modules.conf which defines the enabled components.
+ if [ -f $(@D)/policy/modules.conf ]; then \
+ mv $(@D)/policy/modules.conf $(@D)/modules.conf.bk ; \
+ fi
+ $(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) bare \
+ $(REFPOLICY_MAKE_OPTS) DESTDIR=$(STAGING_DIR)
+ $(SED) "/TYPE/c\TYPE = $(BR2_PACKAGE_REFPOLICY_TYPE)" $(@D)/build.conf
+ $(SED) "/MONOLITHIC/c\MONOLITHIC = $(REFPOLICY_MONOLITHIC)" $(@D)/build.conf
+ $(SED) "/NAME/c\NAME = $(BR2_PACKAGE_REFPOLICY_NAME)" $(@D)/build.conf
+
+ $(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) conf \
+ $(REFPOLICY_MAKE_OPTS) DESTDIR=$(STAGING_DIR)
+ if [ -f $(@D)/modules.conf.bk ]; then \
+ echo "[Preserved modules.conf]" ; \
+ mv $(@D)/modules.conf.bk $(@D)/policy/modules.conf ; \
+ fi
+ $(REFPOLICY_CUSTOM_MODULES_CONF)
+ $(REFPOLICY_CUSTOM_BOOLEAN_CONF)
+endef
+
+define REFPOLICY_INSTALL_STAGING_CMDS
+ $(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) install-src install-headers \
+ install-docs $(REFPOLICY_MAKE_OPTS) DESTDIR=$(STAGING_DIR)
+endef
+
+define REFPOLICY_INSTALL_TARGET_CMDS
+ $(REFPOLICY_MAKE_ENV) $(REFPOLICY_MAKE) -C $(@D) install \
+ $(REFPOLICY_MAKE_OPTS) DESTDIR=$(TARGET_DIR)
+ $(INSTALL) -m 0755 -D package/refpolicy/config $(TARGET_DIR)/etc/selinux/config
+ $(SED) "/^SELINUXTYPE/c\SELINUXTYPE=$(BR2_PACKAGE_REFPOLICY_NAME)" \
+ $(TARGET_DIR)/etc/selinux/config
+ $(SED) "/^SELINUX=/c\SELINUX=$(BR2_PACKAGE_REFPOLICY_STATE)" \
+ $(TARGET_DIR)/etc/selinux/config
+ touch $(TARGET_DIR)/.autorelabel
+ $(RM) $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/booleans
+endef
+
+define REFPOLICY_INSTALL_INIT_SYSV
+ $(INSTALL) -m 0755 -D package/refpolicy/S00selinux \
+ $(TARGET_DIR)/etc/init.d/S00selinux
+endef
+
+ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)
+$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/policy
+$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/modules/active/modules
+$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/contexts/files
+touch $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/contexts/files/file_contexts.local
+endif
+
+$(eval $(generic-package))
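Review bot: The four `$(INSTALL) -d` / `touch` lines inside the `ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)` block near the end of the hunk sit at makefile top level, outside any `define`, so with the modular option enabled they are parsed as rule text when the makefile is loaded (a "missing separator" error rather than a recipe run at install time); they belong in a define registered as a post-install hook before `$(eval $(generic-package))`, as below. The same hunk installs `package/refpolicy/config` with `-m 0755`, which makes a plain configuration file executable; `-m 0644` is the appropriate mode there (the `S00selinux` init script correctly keeps 0755). `REFPOLICY_CUSTOM_MODULES_CONF` and `REFPOLICY_CUSTOM_BOOLEAN_CONF` are invoked unconditionally from `REFPOLICY_CONFIGURE_CMDS`, so an empty `BR2_PACKAGE_REFPOLICY_MODULES_FILE` or `BR2_PACKAGE_REFPOLICY_BOOLEAN_FILE` (if Config.in, outside this hunk, permits that) becomes a one-argument `cp` that fails the configure step; wrapping each define's body in `$(if $(REFPOLICY_MODULES_FILE),...)` keeps the default build working. Lastly, the `build.conf` edits use the unanchored addresses `/TYPE/`, `/MONOLITHIC/` and `/NAME/` while the `/etc/selinux/config` edits further down anchor with `^`; `/^TYPE/`, `/^MONOLITHIC/` and `/^NAME/` would be consistent and would not rewrite a comment line that happens to contain one of those words.

```make
# … unchanged: REFPOLICY_INSTALL_TARGET_CMDS, REFPOLICY_INSTALL_INIT_SYSV …
ifeq ($(BR2_PACKAGE_REFPOLICY_MODULAR),y)
# Modular policies need the on-target module store and local file
# contexts to exist; create them after the main install step.
define REFPOLICY_INSTALL_MODULAR_DIRS
	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/policy
	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/modules/active/modules
	$(INSTALL) -d -m 0755 $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/contexts/files
	touch $(TARGET_DIR)/etc/selinux/$(BR2_PACKAGE_REFPOLICY_NAME)/contexts/files/file_contexts.local
endef
REFPOLICY_POST_INSTALL_TARGET_HOOKS += REFPOLICY_INSTALL_MODULAR_DIRS
endif
```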