[vote] release OpenWrt 21.02 with additional SELinux SDKs and IBs

Daniel Golle daniel at makrotopia.org
Thu Mar 18 13:27:33 GMT 2021


On Thu, Mar 18, 2021 at 11:20:17AM +0100, Dominick Grift wrote:
> Re-sent (forgot to cc list)
> 
> > On 3/18/21 10:39 AM, Petr Štetiar wrote:
> >> Dominick Grift <dominick.grift at defensec.nl> [2021-03-18 09:13:46]:
> >>
> >> Hi Dominick,
> >>
> >>> Petr Štetiar <ynezz at true.cz> writes:
> >>>>
> >>>> Option D: Start as always in master/snapshots and if the feature is usable
> >>>> and in a shape for a release, then include it in release.
> >>>
> >>> I like this idea, but it is quite ambitious because then it becomes part
> >>> of base-os and that means that it is going to affect a majority.
> >>
> >> BTW I didn't explicitly stated that, but I was still referring to SELinux
> >> enabled SDKs and IBs. So it wasn't about providing SELinux enabled images by
> >> default.
> 
> I guess I misinterpreted it.
> 
> There are already SELinux enabled IBs in master.

There is the option to build them (in master and in openwrt-21.02), but
they are not being built by the buildbots right now.
Sorry, I guess my proposal was not very clear about that.
What I'm suggesting is a change of configuration for the buildbots
creating the release binaries to also build only the SDK, IB and kmods
in SELinux-enabled variants and offer them for download.
This would help users to try SELinux from a consistent state (rather
than building from source, which is more likely to cause
non-SELinux-related locally caused problems).

> 
> >>
> >>> and we can expect the snapshot users to pro-actively disable it if they want
> >>> to opt-out.
> >>
> >> Nope, it needs to be opt-in.
> 
> Fine
> 
> I admire Daniel for his ambitions and vision for OpenWrt, and it was not
> my idea to propose this idea but the result is already telling
> nonetheless. I have been clear about my own position from the start:
> SELinux sells itself or bust. I take this as bust because as I
> mentioned I think we are at a crossroads when it comes to this feature
> since without any feedback I will not be able to further improve it in a
> significant way. For me it was always about scratching my own itch.
> However it is pretty clear that this feature has little support in the
> wider community. I will scale my involvement back and instead focus on
> other more productive things.

I think you did an amazing job and you entering the picture doing what
you did (writing OpenWrt-specific policy) is exactly what I was hoping
for when this whole SELinux story started. Running refpolicy has never
been even a remote option for production.

I also believe that most members of the wider community are not yet
aware of your work. It has not yet been part of a release. Once the
release notes of 21.02 state that there is optional SELinux support
(which is true independently of the decision to offer binary builds
or not), people will read about that on lwn.net, phoronix.com, ...
And for things to trickle down to even vendor firmware built on top of
SDKs which are built on top of OpenWrt it's going to take **years**.
(which is not meant to discourage you, but rather just consider this
as the state of the world as it is and unrelated to the quality or
usefulness of your work).


Cheers


Daniel
