[OpenWrt-Devel] [PATCH procd] initd/init: add minimal SELinux policy loading support

Petr Štetiar ynezz at true.cz
Fri Nov 15 00:29:49 EST 2019


Thomas Petazzoni <thomas.petazzoni at bootlin.com> [2019-11-13 16:12:41]:

Hi,

is this some kind of RFC/idea probe? I like the idea, additional hardening is
needed and welcome I would say.

> I have patches ready to add some minimal SELinux support to OpenWRT,
> which I intend to send in the near future.

It would probably make more sense to send a somewhat minimal but complete working
SELinux support so one could see what it would mean in terms of flash space,
RAM, CPU overhead etc. Maybe adding one of the default services exposed to the
network as an initial example?

> +  pkg_search_module(SELINUX REQUIRED libselinux)

This looks like a missing dependency.

> fprintf(stderr, "Cannot load SELinux policy, but system in enforcing mode. Halting.\n");

Just a side note, halting in the context of running on the router means
flashing of the factory image. Halting doesn't provide any feedback to the user,
if we don't consider stuck-in-the-bootloop as proper feedback. Probably
entering failsafe (has LED feedback) or such would make more sense here?

I'm not implying that this needs to be solved from the beginning, halting
during development is alright, just something to think about.

-- ynezz

_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel