1config BR2_PACKAGE_REFPOLICY
2	bool "refpolicy"
3	depends on BR2_TOOLCHAIN_HAS_THREADS # libsepol
4	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_5 # libsepol
5	depends on BR2_HOST_GCC_AT_LEAST_5 # host-setools -> host-libsepol
6	# Even though libsepol is not necessary for building, we get
7	# the policy version from libsepol, so we select it, and treat
8	# it like a runtime dependency.
9	select BR2_PACKAGE_LIBSEPOL
10	help
11	  The SELinux Reference Policy project (refpolicy) is a
12	  complete SELinux policy that can be used as the system
13	  policy for a variety of systems and used as the basis for
14	  creating other policies. Reference Policy was originally
15	  based on the NSA example policy, but aims to accomplish many
16	  additional goals.
17
18	  The current refpolicy does not fully support Buildroot and
19	  needs modifications to work with the default system file
20	  layout. These changes should be added as patches to the
21	  refpolicy, each patch modifying a single SELinux policy.
22
23	  The refpolicy works for the most part in permissive
24	  mode. Only the basic set of utilities is enabled in the
25	  example policy config and some of the paths in the
26	  policies are not correct.  Individual policies would need to
27	  be tweaked to get everything functioning properly.
28
29	  https://github.com/TresysTechnology/refpolicy
30
31if BR2_PACKAGE_REFPOLICY
32
33choice
34	prompt "Refpolicy version"
35	default BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION
36
37config BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION
38	bool "Upstream version"
39	# Consider reworking the following when adding new entries:
40	# Upstream refpolicy for openssh expects linux-pam to be used
41	select BR2_PACKAGE_LINUX_PAM if BR2_PACKAGE_OPENSSH \
42		&& BR2_USE_MMU \
43		&& BR2_ENABLE_LOCALE \
44		&& BR2_USE_WCHAR \
45		&& !BR2_STATIC_LIBS \
46		&& BR2_TOOLCHAIN_GCC_AT_LEAST_4_9
47	help
48	  Use the refpolicy as provided by Buildroot.
49
50config BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
51	bool "Custom git repository"
52	help
53	  Fetch the refpolicy from a custom git repository.
54
55	  The custom refpolicy must define the full policy explicitly,
56	  and must be a fork of the original refpolicy, to have the
57	  same build system.  When this is selected, only the custom
58	  policy definition is taken into account and all the modules
59	  of the policy are built into the binary policy.
60
61endchoice
62
63if BR2_PACKAGE_REFPOLICY_CUSTOM_GIT
64
65config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_URL
66	string "URL of custom repository"
67
68config BR2_PACKAGE_REFPOLICY_CUSTOM_REPO_VERSION
69	string "Custom repository version"
70	help
71	  Revision to use, in the typical format used by Git: a commit
72	  hash, tag or branch. Only a commit hash pins a fixed revision.
73
74endif
75
76choice
77	prompt "SELinux default state"
78	default BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
79
80config BR2_PACKAGE_REFPOLICY_POLICY_STATE_ENFORCING
81	bool "Enforcing"
82	help
83	  SELinux security policy is enforced
84
85config BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
86	bool "Permissive"
87	help
88	  SELinux logs policy denials as warnings but does not block them
89
90config BR2_PACKAGE_REFPOLICY_POLICY_STATE_DISABLED
91	bool "Disabled"
92	help
93	  No SELinux policy is loaded
94endchoice
95
96config BR2_PACKAGE_REFPOLICY_POLICY_STATE
97	string
98	default "permissive" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
99	default "enforcing" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_ENFORCING
100	default "disabled" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_DISABLED
101
102if BR2_PACKAGE_REFPOLICY_UPSTREAM_VERSION
103
104config BR2_REFPOLICY_EXTRA_MODULES_DIRS
105	string "Extra modules directories"
106	help
107	  Specify a space-separated list of directories containing
108	  SELinux modules that will be built into the SELinux
109	  policy. The modules will be automatically enabled in the
110	  policy.
111
112	  Each of those directories must contain the SELinux policy
113	  .fc, .if and .te files directly at the top-level, with no
114	  sub-directories. Also, you cannot have several modules with
115	  the same name in different directories.
116
117config BR2_REFPOLICY_EXTRA_MODULES
118	string "Extra modules to enable"
119	help
120	  List of extra SELinux modules to enable in the refpolicy.
121
122endif
123
124endif
125
126comment "refpolicy needs a toolchain w/ threads, gcc >= 5, host gcc >= 5"
127	depends on !BR2_TOOLCHAIN_HAS_THREADS || \
128		!BR2_TOOLCHAIN_GCC_AT_LEAST_5 || \
129		!BR2_HOST_GCC_AT_LEAST_5
130