config BR2_PACKAGE_REFPOLICY
	bool "refpolicy"
	depends on BR2_TOOLCHAIN_HAS_THREADS # libsepol
	# Even though libsepol is not necessary for building, we get
	# the policy version from libsepol, so we select it, and treat
	# it like a runtime dependency.
	select BR2_PACKAGE_LIBSEPOL
	help
	  The SELinux Reference Policy project (refpolicy) is a
	  complete SELinux policy that can be used as the system
	  policy for a variety of systems and used as the basis for
	  creating other policies. Reference Policy was originally
	  based on the NSA example policy, but aims to accomplish many
	  additional goals.

	  The current refpolicy does not fully support Buildroot and
	  needs modifications to work with the default system file
	  layout. These changes should be added as patches to the
	  refpolicy that modify a single SELinux policy.

	  The refpolicy works for the most part in permissive
	  mode. Only the basic set of utilities are enabled in the
	  example policy config and some of the pathing in the
	  policies is not correct.  Individual policies would need to
	  be tweaked to get everything functioning properly.

	  https://github.com/TresysTechnology/refpolicy

if BR2_PACKAGE_REFPOLICY

choice
	prompt "SELinux default state"
	default BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE

config BR2_PACKAGE_REFPOLICY_POLICY_STATE_ENFORCING
	bool "Enforcing"
	help
	  SELinux security policy is enforced

config BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
	bool "Permissive"
	help
	  SELinux prints warnings instead of enforcing

config BR2_PACKAGE_REFPOLICY_POLICY_STATE_DISABLED
	bool "Disabled"
	help
	  No SELinux policy is loaded
endchoice

config BR2_PACKAGE_REFPOLICY_POLICY_STATE
	string
	default "permissive" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_PERMISSIVE
	default "enforcing" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_ENFORCING
	default "disabled" if BR2_PACKAGE_REFPOLICY_POLICY_STATE_DISABLED

endif

comment "refpolicy needs a toolchain w/ threads"
	depends on !BR2_TOOLCHAIN_HAS_THREADS