[OpenWrt-Devel] [PATCH procd] initd/init: add minimal SELinux policy loading support

Petr Štetiar ynezz at true.cz
Sat Nov 16 08:22:13 EST 2019

Thomas Petazzoni <thomas.petazzoni at bootlin.com> [2019-11-15 09:16:32]:

(nitpick, it's OpenWrt, not OpenWRT)

> No, this patch is not RFC, it should be ready for merging, I'm already
> using it in some devices.

Ok, this patch is good enough for your limited use case, but in order to
include SELinux support in OpenWrt, the first patch series should be more
comprehensive, minimal yet complete.

> The thing is that the SELinux support in OpenWRT needs this improvement
> in procd, otherwise it won't work at runtime as nothing will be loading
> the SELinux policy.

Where is that policy? What about kernel part? What about userspace part? What
about filesystem image? And so on.

> Regarding the flash space, RAM and CPU overhead, I'm not sure it's that
> relevant: the SELinux packaging I've done makes it completely optional,
> so you only have an impact of flash space, RAM and CPU if you enable
> SELinux support.

Once it's merged, we basically say that it's more or less supported, even if
it's optional.

It's pretty much crystal clear that some additional hardening layer would be
very welcome. I think that OpenWrt should aim for something which could be
usable on most modern devices today and enabled by default. Security
shouldn't be an option, it should be the default.

SELinux is just one of the LSMs in Linux. Is SELinux the right one for the
OpenWrt project? Are we going to support all of them? I doubt that, so a
decision needs to be made.

> Do you have more details about entering failsafe mode? How do you do that?

It's usually triggered by the button during the boot process[1], but it should
be possible to force it from procd as well.

1. https://openwrt.org/docs/guide-user/troubleshooting/failsafe_and_factory_reset

-- ynezz
