[LEDE-DEV] running stuff as !root

Ferry Huberts mailings at hupie.com
Wed May 18 02:41:11 PDT 2016



On 18/05/16 11:10, David Lang wrote:
> On Wed, 18 May 2016, Ferry Huberts wrote:
>
>> On 18/05/16 10:03, David Lang wrote:
>>> On Wed, 18 May 2016, John Crispin wrote:
>>>
>>>> On 18/05/2016 09:46, Ferry Huberts wrote:
>>>>>
>>>>>
>>>>> already in-place in Fedora and RedHat/CentOS.
>>>>>
>>>>> You then get even stronger protection and run-time performance
>>>>> impact is
>>>>> negligible.
>>>>>
>>>> the stuff i proposed has no runtime hit. selinux is simply too full
>>
>> SELinux's hit is for all intents and purposes zero as well nowadays.
>>
>>>> blown and hard to maintain. the idea would be to create a custom
>>>> tailored solution for our requirements.
>>>
>>> That is why I prefer AppArmor, you don't have the interaction between
>>> different application configs that you do with SELinux, so you can focus
>>> on the specific application that you are concerned about.
>>
>> AppArmor is significantly less secure than SELinux.
>> And with SELinux you don't need all the preloading stuff that was
>> talked about, you can just declare which ports are allowed.
>
> tightly configured in expert hands, you are right. However, that's not
> the normal user of LEDE/OpenWRT. For what (little) it's worth, I'll
> point out that if home users are familiar with Linux, the odds are good
> that it's a flavor of Ubuntu that uses AA rather than Fedora that uses
> SELinux. (not worth much because the home user probably hasn't touched
> AA or SELinux)

That should not be an argument to do one or the other.
You should ask yourself how far you would want to go in securing a 
router. Personally, I would absolutely love a router with a tight 
SELinux policy since it protects me well from unsavory access from the 
outside.

>
> do all the compressed filesystems support the tagging needed by SELinux?
> what about external drives with FAT* or NTFS?

FAT and NTFS do not support it AFAIK, but how is that a problem?
You'd run SELinux on your internal filesystem.

For the compressed filesystems: I don't know, they will probably support 
it if they're good citizen Linux filesystems.


>
> How do you handle the possible need to re-label your files on a
> read-only filesystem?


Don't know, but take a look at Android, it has SELinux enabled in 
enforcing mode (the strongest mode).

>
> what is the difference in kernel size (and tool size) between AA and
> SELinux?
>

Don't know.


For clarity (and for weaseling out): I read a snip of the discussion and 
wanted to offer another alternative, so that the discussion could 
consider it.



-- 
Ferry Huberts
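Two points in the thread above lend themselves to a concrete illustration: declaring in SELinux policy which port a confined daemon may bind (instead of the preloading approach discussed earlier), and checking which mounted filesystems actually carry security labels (FAT and NTFS mounts will not). The script below is an added example and is not code from the thread, from LEDE/OpenWrt or from the SELinux reference policy. The daemon name `lededaemon`, the types `lededaemon_t`, `lededaemon_exec_t` and `lededaemon_port_t`, the port 8443 and the sample `/proc/mounts` lines are all assumptions constructed for illustration; the policy source uses the reference-policy `policy_module` macros, so building it needs the `selinux-policy-devel` headers.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal SELinux policy module that
# confines a hypothetical daemon and declares the one TCP port it may bind,
# plus a check for which mounts are label-capable.

# Emit type-enforcement source for the hypothetical "lededaemon" module.
# Everything not explicitly allowed here is denied by the kernel in
# enforcing mode, so there is no need to intercept bind() in userspace.
gen_policy() {
    cat <<'EOF'
policy_module(lededaemon, 1.0)

# Domain for the running daemon and a type for its executable; init_daemon_domain
# sets up the transition from init into lededaemon_t.
type lededaemon_t;
type lededaemon_exec_t;
init_daemon_domain(lededaemon_t, lededaemon_exec_t)

# A dedicated port type; the port number is attached later with semanage.
type lededaemon_port_t;
corenet_port(lededaemon_port_t)

# The daemon may create and listen on TCP sockets, but may only name_bind
# to ports labelled lededaemon_port_t (8443 in this example).
allow lededaemon_t self:tcp_socket { create bind listen accept };
allow lededaemon_t lededaemon_port_t:tcp_socket name_bind;
EOF
}

# Compile, package and load the module, then label the port and the binary.
# Requires checkmodule/semodule_package/semodule/semanage (policycoreutils).
install_policy() {
    bin="${1:-/usr/sbin/lededaemon}"   # assumed path of the daemon binary
    port="${2:-8443}"                  # assumed port
    gen_policy > lededaemon.te
    checkmodule -M -m -o lededaemon.mod lededaemon.te
    semodule_package -o lededaemon.pp -m lededaemon.mod
    semodule -i lededaemon.pp
    semanage port -a -t lededaemon_port_t -p tcp "$port"
    chcon -t lededaemon_exec_t "$bin"
}

# Given one /proc/mounts line ("<dev> <mountpoint> <fstype> <options> 0 0"),
# return 0 if the mount carries the "seclabel" option, i.e. the filesystem
# supports per-file security labels, and 1 otherwise.
mount_has_seclabel() {
    opts=$(printf '%s\n' "$1" | awk '{print $4}')
    case ",$opts," in
        *,seclabel,*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Print every mount that cannot hold SELinux labels; files on such mounts
# get a single context chosen at mount time (context= / genfscon), so a
# policy must treat them as untrusted storage rather than labelled content.
report_unlabeled_mounts() {
    [ -r /proc/mounts ] || return 0
    while IFS= read -r line; do
        mount_has_seclabel "$line" || printf 'no seclabel: %s\n' "$line"
    done < /proc/mounts
}

# Constructed sample lines standing in for /proc/mounts on a router with an
# internal squashfs root and a USB stick formatted as FAT.
SAMPLE_ROOT="/dev/root / squashfs ro,relatime,seclabel 0 0"
SAMPLE_USB="/dev/sda1 /mnt/usb vfat rw,relatime,fmask=0022,dmask=0022 0 0"
```

`gen_policy` alone is enough to inspect the rules; `install_policy` is the sequence you would run on a host with the SELinux toolchain, and `report_unlabeled_mounts` answers the "what about FAT or NTFS" question for the running system by reading `/proc/mounts` directly.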


