SELinux status report and call to action

Dominick Grift dominick.grift at defensec.nl
Wed Jan 13 03:56:26 EST 2021


On 1/12/21 6:27 PM, Dominick Grift wrote:
> 
> Community,
> 
> Optional SELinux support has been added to OpenWrt for a while now and I
> gave a talk about the status at "Battle of the meshes 13th edition".
> 
> There was a comment mentioning that there was an impression that
> "rolling out SELinux on OpenWrt" would still require lots of work and
> that there are still lots of "loose ends". I failed to ask the person
> what work and what loose ends he still sees.
> 
> Regardless, in the few months that have passed I have had feedback on
> SELinux in OpenWrt give or take three times:
> 
> 1. dangole tests bootstrap every once in a while and if needed he
> provides me with information and contributions needed to get and keep
> that working on at least the devices and configurations he is using.
> 
> 2. I had one person e-mailing me mentioning that, I guess, WPA
> enterprise does not work and that wpa_supplicant needs to be able to
> connect to a RADIUS server for this (I addressed that issue to the
> best of my ability but haven't heard from the person since, and I am not
> sure whether that means that it is fixed or that the person hasn't
> tested it since the fix trickled down)
> 
> 3. jow gave some casual feedback on running services on alternate
> network ports and I addressed this issue as well, although the fix for
> that might not have trickled down yet.
> 
> I was hoping for a little more exposure and feedback than this. The way
> I see it, it should not be much of an extra burden for OpenWrt devs to
> build their systems with SELinux support and to report any obvious
> issues back so that the effort can evolve instead of facing an early death.
> 
> My question to the reader is: why haven't you enabled SELinux yet on
> your test builds at least? Or maybe you have but you haven't given any
> feedback. Why is that?
> 
> Is it too much of a burden? If that is the case we could for now
> consider shipping a "permissive" policy so that SELinux will never
> be in your way if that helps.
> 
> Can you please consider just enabling SELinux on your tests? If there
> are any observations and SELinux related messages in the logs then
> please report those to me via email or IRC.
> 
> If you have objections then please let me know what those objections are
> so that I can identify whether those objections can be addressed.
> 
> I did not, and do not expect that SELinux adoption would be popular but
> for developers that are very familiar with OpenWrt I do not see much of
> a reason not to enable it on test builds/systems either. Your feedback
> is valuable and is important to help improve the experience.
> 
> SELinux on OpenWrt works great for me and to be honest that is my first
> priority but with a little more involvement and interest from others
> there is much more room for improvement.
> 
> If you just build your systems with SELinux enabled and then provide
> feedback if there is something to report then that would be
> appreciated. If something is stopping you and if there is something I
> can do to make it easier then please let it be known.
> 
> Thanks,
> 

I received some feedback off-list and there was some chatter on IRC.
This reminds me that I should mention that LuCI integration is known to
have a lot of rough edges (although, with the exception of sysupgrade
and package management, most of the *LuCI basics* should work). To be
honest I did not expect that, aside from LuCI developers, users of
this list would be using LuCI on development snapshots.

Nevertheless, be aware that LuCI has known rough edges and that I see
LuCI as a separate optional layer. I am not trying to justify the issues
there (and I do also appreciate any LuCI feedback), but LuCI needs a lot
more work.

Please do not let that stand in the way of testing the remainder of OpenWrt.

Thanks
