[vote] release OpenWrt 21.02 with additional SELinux SDKs and IBs
Daniel Golle
daniel at makrotopia.org
Thu Mar 18 02:47:40 GMT 2021
Hi everybody!
As you most likely already know, Dominick Grift, W. Michael Petullo,
Thomas Petazzoni and a few more contributors have added very nice
SELinux support to OpenWrt.
To allow a wider public to enjoy an SELinux-enabled distribution, it
would be very helpful to offer SELinux-enabled builds of
openwrt-imagebuilder-21.02*
openwrt-sdk-21.02*
as well as the corresponding kmod packages feeds for the upcoming
release. All other binary package repositories can be shared with the
non-SELinux builds as everything has been implemented having that in
mind (ie. using VARIANTs instead of build-time configuration).
Providing SELinux-enaled SDK and IB for all targets/subtargets allows
SELinux users to make use of the binary distribution of a release,
enjoying all the advantages which come with that.
I believe that SELinux support widens the potential audience of
OpenWrt in a way which gives something quite valuable back to even
to users not interested in running SELinux themselves:
Developing a policy has helped a lot to uncover many hidden oddities
and reduce potential attack surface. It's part of the nature of writing
a policy, especially when addressing problems with it, that throughout
the process thorrow review of the involved bits of targetted code, from
the perspective of mandatory access control is required. This has
already helped to improve the security **also on systems which don't
even run SELinux** in case of sysntpd (and potentially other
non-priviledged hotplug callers).
And of course, a lot of less problematic stuff also immediately
pops into ones eyes when running SELinux, just one example:
https://github.com/openwrt/luci/commit/153ec5f46b5a39d0719fdb4eaf4e6fd3530fc26c
>From a practical point of view, we would need to add additional steps
to the buildbot master.cfg. My idea would be to just re-run most of
phase1 but seed .config with with additional lines (example):
---
CONFIG_SELINUX=y
CONFIG_IMAGEOPT=y
CONFIG_VERSIONOPT=y
CONFIG_VERSION_DIST="OpenWrt-SELinux"
CONFIG_VERSION_REPO="http://downloads.openwrt.org/releases/21.02.0-SELinux"
---
then make clean, make all and provide only the resulting SDK and IB for
download (and a bunch of symlinks, so opkg finds the regular package
repos at the expected URLs).
I'm aware that this will increase the time needed to build phase1 quite
a bit, even only building SDK, IB and all kmods again.
On the other hand, I believe that OpenWrt-SELinux has been a quite big
success story so far, it's very much usable by now (more than well
enough for a basic AP or gateway with LuCI) with regular updates to
the policy being provided by Dominick Grift, a bunch of people on IRC
testing and reporting issues.
Hence I'd like to invite you to vote:
Option A: Yes, provide SELinux SDK and IB for the 21.02.x releases.
Option B: Yes, and even start offering that for 21.02-SNAPSHOTS asap.
Option C: No, let's not do any of that.
Thank you!
Daniel
More information about the openwrt-adm
mailing list