[OpenWrt-Devel] [PATCH procd] initd/init: add minimal SELinux policy loading support

Thomas Petazzoni thomas.petazzoni at bootlin.com
Fri Nov 15 03:16:32 EST 2019


Hello Petr,

Thanks for your feedback!

On Fri, 15 Nov 2019 06:29:49 +0100
Petr Štetiar <ynezz at true.cz> wrote:

> is this some kind of RFC/idea probe? I like the idea, additional hardening is
> needed and welcome I would say.

No, this patch is not an RFC; it should be ready for merging. I'm already
using it in some devices.

> > I have patches ready to add some minimal SELinux support to OpenWRT,
> > which I intend to send in the near future.
> 
> It would probably make more sense to send a somehow minimal but complete working
> SELinux support so one could see what it would mean in terms of flash space,
> RAM, CPU overhead etc. Maybe adding one of the default services exposed to the
> network as an initial example?

The thing is that the SELinux support in OpenWRT needs this improvement
in procd; otherwise it won't work at runtime, as nothing will be loading
the SELinux policy.

Regarding the flash space, RAM and CPU overhead, I'm not sure it's that
relevant: the SELinux packaging I've done makes it completely optional,
so you only have an impact on flash space, RAM and CPU if you enable
SELinux support. If you don't, then your OpenWRT system is exactly like
it was before.

> > +  pkg_search_module(SELINUX REQUIRED libselinux)
> 
> This looks like a missing dependency.

Sorry, but I don't understand what you mean here. Or maybe you're
saying that there is no libselinux package in OpenWRT? That is true,
and will be part of my patch series to OpenWRT adding all the packages
related to OpenWRT support.

> > fprintf(stderr, "Cannot load SELinux policy, but system in enforcing mode. Halting.\n");
> 
> Just a side note, halting in the context of running on the router means
> flashing a factory image. Halting doesn't provide any feedback to the user,
> if we don't consider being stuck in a bootloop as proper feedback. Probably
> entering failsafe (which has LED feedback) or such would make more sense here?

Do you have more details about entering failsafe mode? How do you do
that?

Thanks,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel