[vote] release OpenWrt 21.02 with additional SELinux SDKs and IBs
Daniel Golle
daniel at makrotopia.org
Thu Mar 18 12:45:15 GMT 2021
On Thu, Mar 18, 2021 at 08:24:51AM +0000, David Woodhouse wrote:
>
> What does the support experience look like?
See https://git.defensec.nl/selinux-policy
>
> For an end user for whom something is failing due to an SELinux
> denial... what do they see in the logs? Are they supposed to
> *recognise* the typical audit logs and realise that they need to file a
> ticket, and/or set SELinux to permissive mode until it's fixed?
I believe that users who deliberate pick the SELinux-enabled IB to
build an iamge for their device will be able to also recognize the
AVC messages as such ;)
Once again, this is NOT about enabing ANYTHING for regular builds,
not a single kernel symbol or userland chyange.
>
> Where do they file a ticket? Are the SELinux "team" going to handle
> those, much as the owners of the selinux-policy package tend to in
> Fedora? Or do they end up at the door of random package maintainers,
> who will have very little clue how to handle them, and very little
> inclination to care?
Right now this is mostly Dominick Grift doing that job. It might
be good to have more channels for that in the future once it becomes
more relevant.
>
> Or are we not actually talking about *enabling* SELinux in any default
> builds just yet, and merely providing the tools so that sufficiently
> clueful developers can *start* to build it and develop policies, and
> maybe in a year or three we'll be able to talk about enabling it by
> default (or through luci without having to rebuild for it), and *then*
> we get to have the discussion about support?
>
Yes, I think you understood :) This is about enabling the necessasry
bits for interested people and developers to join in. Nothing, really
nothing, is changing for regular users. (All changes which were needed
for fstools, base-files, procd, ... are already part of that release
anyway).
I'm quite surprised myself about the speed in which OpenWrt-SELinux
has become something useful, the version number 0.8 of the policy is
not misleading, it is usable by now.
Also things are much more simple compared to using the reference policy
on Fedora: There are not settings (sebools) and no need to setup or
configure things in any way (not even an option to do so).
Also the size of the policy is less than 10% of the size of refpolicy.
More information about the openwrt-adm
mailing list