SELinux on OpenWrt
W. Michael Petullo
mike at flyn.org
Sun Jul 12 16:20:15 EDT 2020
I am very interested in Thomas Petazzoni's work to add SELinux support
to OpenWrt. I spent some time today trying to reproduce his build. I
found a few things needed updating, so I wanted to share my results
here.
1. I pulled Thomas Petazzoni's package tree, available at
https://github.com/openwrt/packages/pull/10664.
2. I updated Thomas' selinux-python, libselinux, libsemanage,
checkpolicy, and policycoreutils packages to version 3.1, and I
modified the packages to make use of Python 3. I pushed this work to
https://github.com/flyn-org/packages/tree/selinux. I also submitted the
following patches to the upstream SELinux project:
- https://github.com/SELinuxProject/selinux/pull/255
- https://github.com/SELinuxProject/selinux/issues/254
3. I applied the patches Thomas Petazzoni made for the core OpenWrt
tree:
- http://lists.infradead.org/pipermail/openwrt-devel/2019-November/025974.html
- http://lists.infradead.org/pipermail/openwrt-devel/2019-November/025975.html
- http://lists.infradead.org/pipermail/openwrt-devel/2019-November/025976.html
- http://lists.infradead.org/pipermail/openwrt-devel/2019-November/025977.html
- http://lists.infradead.org/pipermail/openwrt-devel/2019-November/025978.html
- http://lists.infradead.org/pipermail/openwrt-devel/2019-November/025979.html
- http://lists.infradead.org/pipermail/openwrt-devel/2019-November/025980.html
4. I ran "./scripts/feeds install python3 pcre libselinux audi libcap-ng policycoreutils libsemanage checkpolicy refpolicy selinux-python".
5. I used "make menuconfig" to select:
- x86_64 build
- Base system->busybox->Settings->Support NSA Security ...
- ...->busybox->Archival Utilities->Support extracting SELinux
- ...->busybox->SELinux utilities (I selected all of them)
- Languages->Python->{python-sepolgen,python-sepolicy}
- Utilities->selinux-*
6. The build prompted me to answer a number of kernel configuration
questions. This is common when changes to the kernel configuration get
out of sync.
7. I am currently working through some build errors in busybox when
configured to support SELinux:
...
In file included from /usr/include/features.h:465,
                 from /usr/include/bits/libc-header-start.h:33,
                 from /usr/include/limits.h:26,
                 from include/platform.h:153,
                 from include/libbb.h:13,
                 from include/busybox.h:8,
                 from applets/applets.c:9:
/usr/include/bits/stdio2.h:78:35: error: unknown type name '__gnuc_va_list'; did you mean 'va_list'?
const char *__restrict __fmt, __gnuc_va_list __ap))
^~~~~~~~~~~~~~
/usr/include/sys/cdefs.h:57:59: note: in definition of macro '__NTH'
# define __NTH(fct) __attribute__ ((__nothrow__ __LEAF)) fct
^~~
In file included from /usr/include/stdlib.h:1017,
                 from include/libbb.h:32,
                 from include/busybox.h:8,
                 from applets/applets.c:9:
/usr/include/bits/stdlib.h: In function 'wctomb':
/usr/include/bits/stdlib.h:90:3: error: #error "Assumed value of MB_LEN_MAX wrong"
# error "Assumed value of MB_LEN_MAX wrong"
^~~~~
make[5]: *** [scripts/Makefile.build:198: applets/applets.o] Error 1
make[4]: *** [Makefile:372: applets_dir] Error 2
make[4]: Leaving directory '/home/mike/Scratch/openwrt/build_dir/target-x86_64_musl/busybox-1.31.1'
make[3]: *** [Makefile:134: /home/mike/Scratch/openwrt/build_dir/target-x86_64_musl/busybox-1.31.1/.built] Error 2
make[3]: Leaving directory '/home/mike/Scratch/openwrt/package/utils/busybox'
time: package/utils/busybox/compile#0.96#0.64#3.25
make[2]: *** [package/Makefile:113: package/utils/busybox/compile] Error 2
make[2]: Leaving directory '/home/mike/Scratch/openwrt'
make[1]: *** [package/Makefile:107: /home/mike/Scratch/openwrt/staging_dir/target-x86_64_musl/stamp/.package_compile] Error 2
make[1]: Leaving directory '/home/mike/Scratch/openwrt'
make: *** [/home/mike/Scratch/openwrt/include/toplevel.mk:235: world] Error 2
--
Mike
:wq
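
Added example, not part of the original message or of the OpenWrt tree: the log in step 7 names headers under /usr/include while building in a target-x86_64_musl directory. The Python below reads GCC include chains from such a log and reports which source-tree file and line resolved an include to a host header. It assumes that /usr/include and /usr/local/include belong to the build host; the function names and the sample log are constructed for illustration.

```python
import re

# Constructed sample in the shape of the busybox log above (trimmed, paths shortened).
SAMPLE_LOG = """\
In file included from /usr/include/features.h:465,
                 from /usr/include/limits.h:26,
                 from include/platform.h:153,
                 from applets/applets.c:9:
/usr/include/bits/stdio2.h:78:35: error: unknown type name '__gnuc_va_list'
In file included from /usr/include/stdlib.h:1017,
                 from include/libbb.h:32,
/usr/include/bits/stdlib.h: In function 'wctomb':
make[4]: Leaving directory '/build/openwrt/build_dir/target-x86_64_musl/busybox-1.31.1'
"""
# Assumption: headers under these prefixes belong to the build host, not the target.
HOST_PREFIXES = ("/usr/include/", "/usr/local/include/")
INCLUDE_RE = re.compile(r"^\s*(In file included from|from)\s+(\S+?):(\d+)(?::\d+)?[,:]\s*$")
TARGET_RE = re.compile(r"build_dir/(target-[^/'\s]+)")


def host_include_boundaries(log_text):
    """Return (includer, line, host_header) where a source-tree file pulled in a host header."""
    found, chain = [], []
    for line in log_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m:
            if m.group(1) != "from":  # "In file included from" starts a new chain
                chain = []
            chain.append((m.group(2), int(m.group(3))))
            continue
        # The line that follows a chain names the innermost file before its first ':'.
        included = line.split(":", 1)[0]
        for path, lineno in chain:  # walk outwards from the innermost includer
            if included.startswith(HOST_PREFIXES) and not path.startswith(HOST_PREFIXES):
                found.append((path, lineno, included))
            included = path
        chain = []
    return found


def cross_targets(log_text):
    """Return the target build directories (build_dir/target-*) named in the log."""
    return sorted(set(TARGET_RE.findall(log_text)))


if __name__ == "__main__":
    print("targets:", cross_targets(SAMPLE_LOG))
    for includer, lineno, header in host_include_boundaries(SAMPLE_LOG):
        print(f"{includer}:{lineno} resolved an include to host header {header}")
```
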