Message ID | 20200301151747.25723-4-unixmania@gmail.com |
---|---|
State | Superseded |
Series | openrc: bump to version 0.42.1 |
Carlos, All,

On 2020-03-01 12:17 -0300, unixmania@gmail.com spake thusly:
> From: Adam Duskett <Aduskett@gmail.com>
>
> If the libselinux package is selected, add the package to the dependency list
> and explicitly set OPENRC_MAKE_OPTS += MKSELINUX=yes

This SELinux stuff has always been a bit boo-I-dont-want-too-touch for
me, because it looks overly complex, so just adding the dependency
without explanations on how openrc uses/fits with SELinux is a bit too
much for me to handle, so I defer to a SELinux-knowledgeable maintainer
to look at it...

Regards,
Yann E. MORIN.

> Signed-off-by: Adam Duskett <Aduskett@gmail.com>
> Signed-off-by: Carlos Santos <unixmania@gmail.com>
> ---
> package/openrc/openrc.mk | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/package/openrc/openrc.mk b/package/openrc/openrc.mk > index 6057451bfe..97536dad37 100644 > --- a/package/openrc/openrc.mk > +++ b/package/openrc/openrc.mk > @@ -18,7 +18,6 @@ OPENRC_MAKE_OPTS = \ > LIBNAME=lib \ > LIBEXECDIR=/usr/libexec/rc \ > MKPKGCONFIG=no \ > - MKSELINUX=no \ > MKSYSVINIT=yes \ > BRANDING="Buildroot $(BR2_VERSION_FULL)" \ > CC=$(TARGET_CC) > @@ -29,6 +28,13 @@ else > OPENRC_MAKE_OPTS += MKSTATICLIBS=yes > endif > > +ifeq ($(BR2_PACKAGE_LIBSELINUX),y) > +OPENRC_MAKE_OPTS += MKSELINUX=yes > +OPENRC_DEPENDENCIES += libselinux > +else > +OPENRC_MAKE_OPTS += MKSELINUX=no > +endif > + > define OPENRC_BUILD_CMDS > $(MAKE) $(OPENRC_MAKE_OPTS) -C $(@D) > endef
> --
> 2.18.2
>
> _______________________________________________
> buildroot mailing list
> buildroot@busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
Carlos, Adam, All,

On 2020-03-11 18:26 +0100, Yann E. MORIN spake thusly:
> On 2020-03-01 12:17 -0300, unixmania@gmail.com spake thusly:
> > From: Adam Duskett <Aduskett@gmail.com>
> > If the libselinux package is selected, add the package to the dependency list
> > and explicitly set OPENRC_MAKE_OPTS += MKSELINUX=yes
>
> This SELinux stuff has always been a bit boo-I-dont-want-too-touch for
> me, because it looks overly complex, so just adding the dependency
> without explanations on how openrc uses/fits with SELinux is a bit too
> much for me to handle, so I defer to a SELinux-knowledgeable maintainer
> to look at it...

What I forgot to say above the current commit log, is that it is not
that helpful: it just repeats in English what the patch does, which is
anyway already pretty trivial to see... What a commit log should say, is
why the patch exists, and how the patch works.

Totally hypothetical commit log:

    package/openrc: add libselinux support

    OpenRC has support for SELinux contexts, but we currently forcibly
    disable it.

    When SELinux is enabled, we know a policy will be installed, so we
    can enable SELinux support in OpenRC.

    Signed-off-by: you
    Signed-off-by: the other

Regards,
Yann E. MORIN.
On Wed, Mar 11, 2020 at 2:26 PM Yann E. MORIN <yann.morin.1998@free.fr> wrote:
>
> Carlos, All,
>
> On 2020-03-01 12:17 -0300, unixmania@gmail.com spake thusly:
> > From: Adam Duskett <Aduskett@gmail.com>
> >
> > If the libselinux package is selected, add the package to the dependency list
> > and explicitly set OPENRC_MAKE_OPTS += MKSELINUX=yes
>
> This SELinux stuff has always been a bit boo-I-dont-want-too-touch for
> me, because it looks overly complex, so just adding the dependency
> without explanations on how openrc uses/fits with SELinux is a bit too
> much for me to handle, so I defer to a SELinux-knowledgeable maintainer
> to look at it...

I tested it.
On Wed, Mar 11, 2020 at 2:35 PM Yann E. MORIN <yann.morin.1998@free.fr> wrote:
>
> Carlos, Adam, All,
>
> On 2020-03-11 18:26 +0100, Yann E. MORIN spake thusly:
> > On 2020-03-01 12:17 -0300, unixmania@gmail.com spake thusly:
> > > From: Adam Duskett <Aduskett@gmail.com>
> > > If the libselinux package is selected, add the package to the dependency list
> > > and explicitly set OPENRC_MAKE_OPTS += MKSELINUX=yes
> >
> > This SELinux stuff has always been a bit boo-I-dont-want-too-touch for
> > me, because it looks overly complex, so just adding the dependency
> > without explanations on how openrc uses/fits with SELinux is a bit too
> > much for me to handle, so I defer to a SELinux-knowledgeable maintainer
> > to look at it...
>
> What I forgot to say above the current commit log, is that it is not
> that helpful: it just repeats in English what the patch does, which is
> anyway already pretty trivial to see... What a commit log should say, is
> why the patch exists, and how the patch works.
>
> Totally hypothetical commit log:
>
>     package/openrc: add libselinux support
>
>     OpenRC has support for SELinux contexts, but we currently forcibly
>     disable it.

OK, I will send a new patch with a better commit message and explain how I tested it.

>     When SELinux is enabled, we know a policy will be installed, so we
>     can enable SELinux support in OpenRC.

Actually no policy is installed along with OpenRC. Enabling SELinux in OpenRC only adds code to perform the initial policy load and set the enforcing mode. See the security_load_policy(3) man page for additional details.

In order to make the SELinux support useful you also need a complete policy, currently provided by the refpolicy package, as well as the policycoreutils (for restorecon and other utilities). I'm not sure if those packages should be selected along with openrc (they are not selected by systemd, for instance). As explained in the package help, the refpolicy works for the most part in permissive mode, only.
diff --git a/package/openrc/openrc.mk b/package/openrc/openrc.mk index 6057451bfe..97536dad37 100644 --- a/package/openrc/openrc.mk +++ b/package/openrc/openrc.mk @@ -18,7 +18,6 @@ OPENRC_MAKE_OPTS = \ LIBNAME=lib \ LIBEXECDIR=/usr/libexec/rc \ MKPKGCONFIG=no \ - MKSELINUX=no \ MKSYSVINIT=yes \ BRANDING="Buildroot $(BR2_VERSION_FULL)" \ CC=$(TARGET_CC) @@ -29,6 +28,13 @@ else OPENRC_MAKE_OPTS += MKSTATICLIBS=yes endif +ifeq ($(BR2_PACKAGE_LIBSELINUX),y) +OPENRC_MAKE_OPTS += MKSELINUX=yes +OPENRC_DEPENDENCIES += libselinux +else +OPENRC_MAKE_OPTS += MKSELINUX=no +endif + define OPENRC_BUILD_CMDS $(MAKE) $(OPENRC_MAKE_OPTS) -C $(@D) endef
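Review bot: in the first hunk (@@ -18,7 +18,6 @@), dropping `MKSELINUX=no \` from the base OPENRC_MAKE_OPTS list leaves the switch defined only by the conditional added further down, so the explicit `else` branch there is now the only thing keeping SELinux support off by default. If the two hunks are ever split or reworked separately, the build falls back to whatever OpenRC's own Makefile chooses. A one-line comment next to the remaining MK* settings pointing at the conditional would make that dependency visible.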
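Review bot: the `ifeq ($(BR2_PACKAGE_LIBSELINUX),y)` test in the second hunk (@@ -29,6 +28,13 @@) ties a change in init behaviour to a library that may be selected for unrelated reasons, and neither the hunk nor the commit message says what MKSELINUX=yes does at boot. As stated in the thread, it only adds the initial policy load and the enforcing-mode setup, and this patch installs no policy. Please add a comment above the `ifeq`, and a sentence in the commit log, saying that a policy such as refpolicy and the policycoreutils tools have to be selected separately, and describe how the SELinux-enabled build was tested.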