[OpenWrt-Devel] [PATCH procd] initd/init: add minimal SELinux policy loading support

Mon Nov 18 08:32:36 EST 2019

Hello Petr,

Thanks for your feedback again.

On Sat, 16 Nov 2019 14:22:13 +0100
Petr Štetiar <ynezz at true.cz> wrote:

> (nitpick, it's OpenWrt, not OpenWRT)

Thanks for this clarification, it's always good to use the proper
capitalization for project names. I'll try to use OpenWrt in the
future, but please bear with me if I sometimes forget.

> > No, this patch is not RFC, it should be ready for merging, I'm already
> > using it in some devices.  
> 
> Ok, this patch is good enough for your limited use case, but in order to
> include SELinux support in OpenWrt, then the first patch series should be more
> comprehensive, minimal yet complete.

I guess I'll send the patch series itself, so we can have the
discussion on the actual proposal. I sent this procd patch separately,
just because it is a requirement for the rest of the series to work
(right now I was working with this procd patch in the OpenWrt procd
package).

> > The thing is that the SELinux support in OpenWRT needs this improvement
> > in procd, otherwise it won't work at runtime as nothing will be loading
> > the SELinux policy.  
> 
> Where is that policy? What about kernel part? What about userspace part? What
> about filesystem image? And so on.

In terms of policy, I'm simply using the reference policy provided by
the SELinux project itself, with no specific customization for OpenWrt.
Of course, additional tuning may be required, but for my use case, it
was sufficient. In terms of kernel part, it of course requires some
kernel options to be enabled. In terms of user-space parts, this is
where my patch series is the most interesting: it packages all the
user-space components that are necessary to be able to work with
SELinux.

> > Regarding the flash space, RAM and CPU overhead, I'm not sure it's that
> > relevant: the SELinux packaging I've done makes it completely optional,
> > so you only have an impact of flash space, RAM and CPU if you enable
> > SELinux support.  
> 
> Once its merged, we basically say, that its more or less supported, even if
> it's optional.
> 
> It's pretty much crystal clear, that some additional hardening layer would be
> very welcome. I think, that OpenWrt should aim for something, which could be
> usable on most of modern devices today and enabled by default. Security
> shouldn't be an option, it should be default.
> 
> SELinux is just one of the LSMs in Linux.  Is SELinux the right one for
> OpenWrt project? Are we going to support all of them? I doubt that, so
> decision needs to be made.

I guess here I don't have the OpenWrt mindset, as I come from a
Buildroot background. Buildroot supports multiple solutions for the
same "problem", and let users decide which solution they want to use
(so the users have some integration work to do), while it seems that
OpenWrt wants to make a decision on one solution to use, but provide
something that is seamlessly integrated for users.

> > Do you have more details about entering failsafe mode ? How do you do that ?  
> 
> It's usually triggered by the button during the boot process[1], but it should
> be possible to force it from procd as well.
> 
> 1. https://openwrt.org/docs/guide-user/troubleshooting/failsafe_and_factory_reset

OK, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel