
package/refpolicy: add option to set policy booleans

Policy booleans allow adjusting certain policy rules at runtime
(including whether changing policy booleans is allowed). The new
option allows setting their defaults at build time.

A monolithic policy (like built by package/refpolicy) does not support
persistent changes to policy booleans, so changing the defaults is
required to make changes across boots. Adjusting policy/booleans.conf
after "make conf" is intended for that purpose [1, 2].

[1] https://github.com/SELinuxProject/refpolicy/pull/355#issuecomment-792758725
[2] https://github.com/SELinuxProject/refpolicy/blob/4d97523c71603b12e92cf1b80cd0e01ac75bc067/README#L186-L191

Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fiona Klute hai 3 meses
pai
achega
f6c7a7be36

+ 13 - 0
package/refpolicy/Config.in

@@ -121,6 +121,19 @@ config BR2_REFPOLICY_EXTRA_MODULES
 
 endif
 
+config BR2_REFPOLICY_SET_BOOLEANS
+	string "Set policy booleans"
+	help
+	  Set default values for policy booleans before compiling the
+	  policy (see policy/booleans.conf in the refpolicy
+	  README). The value of this option is a space separated list
+	  of either plain names (to set that boolean to true), or
+	  "name=(true|false)" pairs (to set the given value).
+
+	  Boolean values can still be changed at runtime if the policy
+	  permits, but such changes cannot be persisted with a
+	  monolithic policy.
+
 config BR2_REFPOLICY_ENABLEAUDIT
 	bool "remove dontaudit rules from policy (debugging only)"
 	help

+ 10 - 0
package/refpolicy/refpolicy.mk

@@ -107,6 +107,15 @@ define REFPOLICY_CONFIGURE_ENABLEAUDIT
 endef
 endif
 
+# Override defaults for policy booleans. name=(true|false) will result
+# in the given value, just a name implies "true".
+define REFPOLICY_CONFIGURE_BOOLEANS
+	$(foreach b,$(call qstrip,$(BR2_REFPOLICY_SET_BOOLEANS)),
+		read -r name value < <(echo "$(subst =, ,$(b))"); \
+		$(SED) "/^$${name} =/c\\$${name} = $${value:-true}" $(@D)/policy/booleans.conf
+	)
+endef
+
 define REFPOLICY_CONFIGURE_CMDS
 	$(SED) "/OUTPUT_POLICY/c\OUTPUT_POLICY = $(REFPOLICY_POLICY_VERSION)" \
 		$(@D)/build.conf
@@ -119,6 +128,7 @@ define REFPOLICY_CONFIGURE_CMDS
 	$(REFPOLICY_MAKE) -C $(@D) bare conf
 	$(REFPOLICY_CONFIGURE_ENABLEAUDIT)
 	$(REFPOLICY_CONFIGURE_MODULES)
+	$(REFPOLICY_CONFIGURE_BOOLEANS)
 endef
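Review bot: In REFPOLICY_CONFIGURE_BOOLEANS (first hunk of this file) a name from BR2_REFPOLICY_SET_BOOLEANS that has no `name =` line in policy/booleans.conf is silently ignored, because `sed "/^name =/c\..."` changes nothing when its address matches no line, so a misspelled boolean leaves the refpolicy default in the built policy while the build succeeds — the worst case when the option is used to tighten the policy. The value part is likewise passed through unchecked, so `name=yes` is written verbatim into booleans.conf and is rejected, if at all, only when the policy is compiled. Both can fail early inside the shell loop as below (messages and exit codes are constructed); since the loop body is a `$(foreach ...)` argument, any parentheses added to it must stay balanced for make, which is why the checks use `test` rather than a `case` statement. The Config.in help text could then state that each name must exist in policy/booleans.conf after `make conf`.
```make
define REFPOLICY_CONFIGURE_BOOLEANS
	$(foreach b,$(call qstrip,$(BR2_REFPOLICY_SET_BOOLEANS)),
		read -r name value < <(echo "$(subst =, ,$(b))"); \
		value=$${value:-true}; \
		[ "$$value" = true ] || [ "$$value" = false ] || \
			{ echo "BR2_REFPOLICY_SET_BOOLEANS: invalid value '$$value' for '$$name'" >&2; exit 1; }; \
		grep -q "^$${name} =" $(@D)/policy/booleans.conf || \
			{ echo "BR2_REFPOLICY_SET_BOOLEANS: unknown boolean '$$name'" >&2; exit 1; }; \
		$(SED) "/^$${name} =/c\\$${name} = $$value" $(@D)/policy/booleans.conf
	)
endef
```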
 
 define REFPOLICY_BUILD_CMDS

+ 18 - 0
support/testing/tests/core/test_selinux.py

@@ -51,6 +51,24 @@ class TestSELinuxExtraModulesDirs(TestSELinuxInfra):
         self.assertEqual(out[2].strip(), "buildroot_test_t")
 
 
+class TestSELinuxSetBooleans(TestSELinuxInfra):
+    config = TestSELinuxInfra.config + \
+        """
+        BR2_REFPOLICY_SET_BOOLEANS="user_dmesg user_all_users_send_syslog=false"
+        """
+
+    def test_run(self):
+        TestSELinuxInfra.base_test_run(self)
+
+        out, ret = self.emulator.run("seinfo -x -b", 15)
+        self.assertEqual(ret, 0)
+        # lines follow the pattern "name (true|false);", plus indentation
+        bools = dict(line.strip().rstrip(';').split()[1:] for line in out[2:])
+        # both of these booleans have the opposite default in refpolicy
+        self.assertEqual(bools["user_dmesg"], "true")
+        self.assertEqual(bools["user_all_users_send_syslog"], "false")
+
+
 class TestSELinuxCustomGit(TestSELinuxInfra):
     config = TestSELinuxInfra.config + \
         """