[OpenWrt-Devel] [PATCH procd] initd/init: add minimal SELinux policy loading support

Etienne Champetier champetier.etienne at gmail.com
Mon Nov 18 10:14:48 EST 2019


Hello Thomas,

Le lun. 18 nov. 2019 à 05:33, Thomas Petazzoni
<thomas.petazzoni at bootlin.com> a écrit :
>
> Hello Petr,
>
> Thanks for your feedback again.
>
> On Sat, 16 Nov 2019 14:22:13 +0100
> Petr Štetiar <ynezz at true.cz> wrote:
>
> > (nitpick, it's OpenWrt, not OpenWRT)
>
> Thanks for this clarification, it's always good to use the proper
> capitalization for project names. I'll try to use OpenWrt in the
> future, but please bear with me if I sometimes forget.
>
> > > No, this patch is not RFC, it should be ready for merging, I'm already
> > > using it in some devices.
> >
> > Ok, this patch is good enough for your limited use case, but in order to
> > include SELinux support in OpenWrt, then the first patch series should be more
> > comprehensive, minimal yet complete.
>
> I guess I'll send the patch series itself, so we can have the
> discussion on the actual proposal. I sent this procd patch separately,
> just because it is a requirement for the rest of the series to work
> (right now I was working with this procd patch in the OpenWrt procd
> package).
>
> > > The thing is that the SELinux support in OpenWRT needs this improvement
> > > in procd, otherwise it won't work at runtime as nothing will be loading
> > > the SELinux policy.
> >
> > Where is that policy? What about kernel part? What about userspace part? What
> > about filesystem image? And so on.
>
> In terms of policy, I'm simply using the reference policy provided by
> the SELinux project itself, with no specific customization for OpenWrt.
> Of course, additional tuning may be required, but for my use case, it
> was sufficient. In terms of kernel part, it of course requires some
> kernel options to be enabled. In terms of user-space parts, this is
> where my patch series is the most interesting: it packages all the
> user-space components that are necessary to be able to work with
> SELinux.

If you can include the compressed size of each part, this is also
important for the discussion I think
I know part of the debug tools on regular distro, like audit2why, are
python scripts, so pretty huge dependency

Regards
Etienne

>
> > > Regarding the flash space, RAM and CPU overhead, I'm not sure it's that
> > > relevant: the SELinux packaging I've done makes it completely optional,
> > > so you only have an impact of flash space, RAM and CPU if you enable
> > > SELinux support.
> >
> > Once its merged, we basically say, that its more or less supported, even if
> > it's optional.
> >
> > It's pretty much crystal clear, that some additional hardening layer would be
> > very welcome. I think, that OpenWrt should aim for something, which could be
> > usable on most of modern devices today and enabled by default. Security
> > shouldn't be an option, it should be default.
> >
> > SELinux is just one of the LSMs in Linux.  Is SELinux the right one for
> > OpenWrt project? Are we going to support all of them? I doubt that, so
> > decision needs to be made.
>
> I guess here I don't have the OpenWrt mindset, as I come from a
> Buildroot background. Buildroot supports multiple solutions for the
> same "problem", and let users decide which solution they want to use
> (so the users have some integration work to do), while it seems that
> OpenWrt wants to make a decision on one solution to use, but provide
> something that is seamlessly integrated for users.
>
> > > Do you have more details about entering failsafe mode ? How do you do that ?
> >
> > It's usually triggered by the button during the boot process[1], but it should
> > be possible to force it from procd as well.
> >
> > 1. https://openwrt.org/docs/guide-user/troubleshooting/failsafe_and_factory_reset
>
> OK, thanks.
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel

_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel


More information about the openwrt-devel mailing list