refpolicy: new package

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[update to 2.20200229, adjust Makefile, and move to openwrt.git]
Signed-off-by: W. Michael Petullo <mike@flyn.org>

package/system/refpolicy/Makefile

@@ -0,0 +1,80 @@
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=refpolicy
+PKG_VERSION:=2.20200229
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_SOURCE_URL:=https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20200229
+PKG_HASH:=dec854512ed00cd057408f330c2cea4de7a4405f7a147458f59c994bf578e4b0
+PKG_INSTALL:=1
+PKG_BUILD_DEPENDS:=checkpolicy/host policycoreutils/host
+
+PKG_MAINTAINER:=Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+PKG_CPE_ID:=cpe:/a:tresys:refpolicy
+PKG_LICENSE:=GPL-2.0-or-later
+PKG_LICENSE_FILES:=COPYING
+
+TAR_OPTIONS:=--transform='s%^refpolicy%$(PKG_NAME)-$(PKG_VERSION)%' -xf -
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/refpolicy
+  SECTION:=system
+  CATEGORY:=Base system
+  TITLE:=SELinux reference policy
+  URL:=http://selinuxproject.org/page/Main_Page
+endef
+
+define Package/refpolicy/description
+	The SELinux Reference Policy project (refpolicy) is a
+	complete SELinux policy that can be used as the system
+	policy for a variety of systems and used as the basis for
+	creating other policies. Reference Policy was originally
+	based on the NSA example policy, but aims to accomplish many
+	additional goals.
+
+	The current refpolicy does not fully support OpenWRT and
+	needs modifications to work with the default system file
+	layout. These changes should be added as patches to the
+	refpolicy that modify a single SELinux policy.
+
+	The refpolicy works for the most part in permissive
+	mode. Only the basic set of utilities are enabled in the
+	example policy config and some of the pathing in the
+	policies is not correct.  Individual policies would need to
+	be tweaked to get everything functioning properly.
+endef
+
+# Yes, we want CC=$(HOSTCC) because the only code that checkpolicy
+# builds is a small host tool that gets run as part of the build
+# process.
+MAKE_FLAGS += \
+	TEST_TOOLCHAIN="$(STAGING_DIR_HOSTPKG)" \
+	BINDIR=/bin \
+	SBINDIR=/sbin \
+	CC="$(HOSTCC)" \
+	CFLAGS="$(HOST_CFLAGS)"
+
+define Build/Configure
+	$(SED) "/MONOLITHIC/c\MONOLITHIC = y" $(PKG_BUILD_DIR)/build.conf
+	$(SED) "/NAME/c\NAME = targeted" $(PKG_BUILD_DIR)/build.conf
+	$(call Build/Compile/Default,conf)
+endef
+
+define Package/refpolicy/conffiles
+/etc/selinux/config
+endef
+
+define Package/refpolicy/install
+	$(INSTALL_DIR) $(1)/etc/selinux
+	$(CP) $(PKG_INSTALL_DIR)/etc/selinux/* $(1)/etc/selinux/
+	$(CP) ./files/selinux-config $(1)/etc/selinux/config
+endef
+
+$(eval $(call BuildPackage,refpolicy))

package/system/refpolicy/files/selinux-config

@@ -0,0 +1,7 @@
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+#     enforcing - SELinux security policy is enforced.
+#     permissive - SELinux prints warnings instead of enforcing.
+#     disabled - No SELinux policy is loaded.
+SELINUX=permissive
+SELINUXTYPE=targeted