SELinux status report and call to action

Dominick Grift dominick.grift at defensec.nl
Tue Jan 12 12:27:29 EST 2021


Community,

Optional SELinux support has been added to OpenWrt for a while now and I
gave a talk about the status at "Battle of the meshes 13th edition".

There was a comment mentioning that there was an impression that
"rolling out SELinux on OpenWrt" would still require lots of work and
that there are still lots of "loose ends". I failed to ask the person
what work and what loose ends he still sees.

Regardless, in the few months that have passed I have had give or take three
times feedback on SELinux in OpenWrt:

1. dangole tests bootstrap every once in a while and if needed he
provides me with information and contributions needed to get and keep
that to work on at least devices and configurations he is using.

2. I had one person e-mailing me mentioning that, I guess, WPA
enterprise, does not work and that wpa_supplicant needs to be able to
connect to a radius server for this (I addressed that issue to the
best of my ability but haven't heard from the person since and I am not
sure whether that means that it is fixed or that the person hasn't
tested it since the fix trickled down).

3. jow gave some casual feedback on running services on alternate
network ports and I addressed this issue as well although the fix for
that might not have trickled down yet.

I was hoping for a little more exposure and feedback than this. The way
I see it, it should not be much of an extra burden for OpenWrt devs to
build their systems with SELinux support and to report any obvious
issues back so that the effort can evolve instead of face early death.

My question to the reader is: why haven't you enabled SELinux yet on
your test builds at least? Or maybe you have but you haven't given any
feedback. Why is that?

Is it too much of a burden? If that is the case we could for now
consider shipping a "permissive" policy so that SELinux will never
be in your way if that helps.

Can you please consider just enabling SELinux on your tests? If there
are any observations and SELinux related messages in the logs then
please report those to me via email or IRC?

If you have objections then please let me know what those objections are
so that I can identify whether those objections can be addressed.

I did not, and do not, expect that SELinux adoption would be popular but
for developers that are very familiar with OpenWrt I do not see much of
a reason not to enable it on test builds/systems either. Your feedback
is valuable and is important to help improve the experience.

SELinux on OpenWrt works great for me and to be honest that is my first
priority but with a little more involvement and interest from others
there is much more room for improvement.

If you just build your systems with SELinux enabled and then provide
feedback if there is something to report then that would be
appreciated. If something is stopping you and if there is something I
can do to make it easier then please let it be known.

Thanks,
-- 
gpg --locate-keys dominick.grift at defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift



More information about the openwrt-devel mailing list