diff options
| author |   Scott Murray <scott.murray@konsulko.com> | 2022-07-25 14:23:13 -0400 |
|---|---|---|
| committer |   Jan-Simon Moeller <jsmoeller@linuxfoundation.org> | 2022-07-27 12:31:58 +0000 |
| commit | 2ea9cbefb8e0923f2f58e7e8022f3e134977a87a (patch) | |
| tree | d9440b8d8ccfaa496086842eef5ca7d588b58a17 /meta-agl-core/dynamic-layers/meta-selinux/recipes-platform/packagegroups/packagegroup-agl-core-selinux.bb | |
| parent | 6c9fa75459cf86576c47411fc239e0d7896d483c (diff) | |
Add SELinux feature
Add agl-selinux feature to enable SELinux support.
Notes:
- SELinux is in permissive mode by default for now, and using the
targeted policy by default.
- The linux-yocto specific bbappend in meta-selinux is masked out in
favor of adding a more universal kernel configuration fragment with
AGL's own scheme.
- SELinux specific recipes and bbappends are added via a meta-selinux
dynamic-layers addition in meta-agl-core to keep using meta-selinux
optional. This will avoid issues with the Yocto autobuilder testing
of meta-agl-core.
- To avoid the effectively hard-coded autorelabel on first boot, a
bbappend is added to the selinux-autorelabel recipe to remove the
flag creation. In the off chance that a build happens on a filesystem
without xattr support, the logic in the selinux-image bbclass will
still touch the /.autorelabel flag and trigger relabeling.
- A systemd unit and script are added with a new systemd-selinux-relabel
recipe to handle relabeling of some systemd generated files that do
not get handled during root filesystem construction. Some of these
can be addressed by some upstream tweaks, but /etc/machine-id will
always need special handling unless there is a shift to using
read-only or stateless root by default. With this workaround we still
avoid doing a full relabel and reboot on first boot, which helps
simplify CI.
Bug-AGL: SPEC-4332
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Change-Id: Ibf469e11eb3a67709074cc6794b3d12cd5071a90
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/27790
Tested-by: Jenkins Job builder account
ci-image-build: Jenkins Job builder account
ci-image-boot-test: Jenkins Job builder account
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
Diffstat (limited to 'meta-agl-core/dynamic-layers/meta-selinux/recipes-platform/packagegroups/packagegroup-agl-core-selinux.bb')
| -rw-r--r-- | meta-agl-core/dynamic-layers/meta-selinux/recipes-platform/packagegroups/packagegroup-agl-core-selinux.bb | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/meta-agl-core/dynamic-layers/meta-selinux/recipes-platform/packagegroups/packagegroup-agl-core-selinux.bb b/meta-agl-core/dynamic-layers/meta-selinux/recipes-platform/packagegroups/packagegroup-agl-core-selinux.bb new file mode 100644 index 000000000..493a46f25 --- /dev/null +++ b/meta-agl-core/dynamic-layers/meta-selinux/recipes-platform/packagegroups/packagegroup-agl-core-selinux.bb @@ -0,0 +1,57 @@ +SUMMARY = "SELinux packages" +DESCRIPTION = "SELinux packages required for AGL" +LICENSE = "MIT" + +inherit packagegroup features_check + +REQUIRED_DISTRO_FEATURES = "selinux" + +PACKAGES = " \ + packagegroup-agl-core-selinux \ + packagegroup-agl-core-selinux-devel \ +" + +# +# meta-selinux's packagegroup-core-selinux includes a lot of +# policy development tools with its inclusion of the layer's +# packagegroup-selinux-policycoreutils, which is not really +# desirable for a production image. Create our own base +# packagegroup and an accompanying devel packagegroup that +# agl-devel can trigger pulling in. +# +# NOTES: +# - It seems likely we will always want auditd, so include +# it in the base packagegroup. +# - selinux-autorelabel seems required to handle both the +# edge case of builds done on non-xattr capable filesystems, +# and to allow driving relabeling after potential package +# installation during runtime. +# - packagegroup-selinux-policycoreutils includes a lot of +# things that seem not useful in a lot of systems (e.g. +# the gtk dependent selinux-gui), so for now the devel +# packagegroup aims to include a more minimal set of tools +# aimed at enabling checkpolicy and audit2allow use. +# - Some thought needs to go into whether the relabeling +# fixup packages should be handled separately, as they +# ideally should not go into images using read-only or +# stateless rootfs, but those are image features so we +# cannot check for them here. +# + +RDEPENDS:${PN} = " \ + packagegroup-selinux-minimal \ + auditd \ + selinux-autorelabel \ + systemd-selinux-relabel \ +" + +RDEPENDS:${PN}-devel = " \ + ${BPN} \ + libsepol-bin \ + checkpolicy \ + policycoreutils-loadpolicy \ + policycoreutils-setsebool \ + policycoreutils-hll \ + semodule-utils-semodule-package \ + selinux-python-audit2allow \ +" |