[yocto] [meta-selinux][PATCH 0/4] add targeted/minimum policy and some updates
Pascal Ouyang
xin.ouyang at windriver.com
Thu Apr 3 23:57:17 PDT 2014
On 14-4-4 3:20 AM, Joe MacDonald wrote:
> Hey Wenzong,
>
> I merged two of these four.
>
> [[yocto] [meta-selinux][PATCH 0/4] add targeted/minimum policy and some updates] On 14.03.24 (Mon 21:07) wenzong.fan at windriver.com wrote:
>
>> From: Wenzong Fan <wenzong.fan at windriver.com>
>>
>> Changes:
>> * backport tmpfs_t patch from upstream;
>> * add rules for /var/log symlink on poky;
>
> These both went in. These:
>
>> * add targeted policy type
>> * add minimum targeted policy
>
> I'm less clear on. They both look like significant changes to
> refpolicy-* behaviour, which is fine, but in that case I think it'd be
> better to give them a different name. Or one that differentiates them
> significantly. For example the "minimum" policy has users unconfined
> and applications confined? Or neither? I'm not sure what the value is
> of these.
>
> If they really are just specialized versions of the standard reference
> policy, they should at least be ported to use the refpolicy_common
> infrastructure Phil set up a while back.
Hi Joe & Wenzong,
According to the original design, both policy types are targeted policies.
For targeted policies,
* Users will log into shells in the unconfined domain.
* Applications with no policy module, or with their policy module disabled,
will also run in the unconfined domain.
* "Targeted" applications have their policy module enabled,
with rules to do a domtrans from the unconfined/init* domain to their own domain.
The result will be:
- standard/mls:
un-ruled applications (usually bin_t) will run in the unconfined domain,
so operations will *not* be blocked.
- targeted/minimum:
un-ruled applications will run in the user's current domain, such as
user_t or sysadm_t, so most privileged operations will be blocked.
Difference between refpolicy-minimum & refpolicy-targeted:
* refpolicy-minimum = targeted policy with only core policies
It should just be used by admins to define their own policy.
For example, a httpd server could just use refpolicy-minimum + the httpd
module. Actually, I had thought of using refpolicy-targeted-minimum as its
name, but did not in the end.
* refpolicy-targeted = targeted policy with all 300+ modules
Thanks. :)
- Pascal
>
> Thanks,
> -J.
>
>>
>> The following changes since commit a6079a43719e79e12a57e609923a0cccdba06916:
>>
>> refpolicy: fix real path for su.shadow (2014-02-13 10:52:07 -0500)
>>
>> are available in the git repository at:
>>
>> git://git.pokylinux.org/poky-contrib wenzong/ref-minimum
>> http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=wenzong/ref-minimum
>>
>> Wenzong Fan (4):
>> refpolicy: associate tmpfs_t (shm) to device_t (devtmpfs) file
>> systems
>> refpolicy: add rules for /var/log symlink on poky
>> refpolicy: add targeted policy type
>> refpolicy: add minimum targeted policy
>>
>> ...associate-tmpfs_t-shm-to-device_t-devtmpf.patch | 30 +++
>> ...ky-policy-add-rules-for-syslogd_t-symlink.patch | 30 +++
>> ...rules-for-var-log-symlink-audisp_remote_t.patch | 29 +++
>> .../refpolicy/refpolicy-minimum_2.20130424.bb | 46 +++++
>> ...olicy-fix-optional-issue-on-sysadm-module.patch | 60 ++++++
>> .../refpolicy-unconfined_u-default-user.patch | 198 ++++++++++++++++++++
>> .../refpolicy/refpolicy-targeted_2.20130424.bb | 18 ++
>> .../refpolicy/refpolicy_2.20130424.inc | 3 +
>> 8 files changed, 414 insertions(+)
>> create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch
>> create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch
>> create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
>> create mode 100644 recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb
>> create mode 100644 recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
>> create mode 100644 recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
>> create mode 100644 recipes-security/refpolicy/refpolicy-targeted_2.20130424.bb
>>
--
- Pascal
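The "targeted application" mechanism Pascal describes above (an application with no module keeps the domain of whatever executed it; a targeted one gets its own domain through a domtrans rule from unconfined/init) can be seen in a single refpolicy-style module. The module below is an added illustration written for this thread, not code from meta-selinux or from the four patches in the series. The service name `myapp`, the types `myapp_t`/`myapp_exec_t` and the path `/usr/sbin/myapp` are invented; the refpolicy interfaces `init_daemon_domain()`, `files_read_etc_files()`, `logging_send_syslog_msg()` and `unconfined_domtrans_to()` are assumed to be available in the refpolicy version the thread is based on.

```selinux
# myapp.te -- added example of a "targeted" application module.
# Names myapp_t / myapp_exec_t / /usr/sbin/myapp are assumptions.
policy_module(myapp, 1.0.0)

########################################
# Declarations

# The process domain and the entrypoint type of its executable.
type myapp_t;
type myapp_exec_t;

# When init (init_t) executes a file labelled myapp_exec_t, the child
# transitions to myapp_t. This is the "domtrans from init* domain" side.
init_daemon_domain(myapp_t, myapp_exec_t)

########################################
# Local policy

# Keep the confined domain minimal; extend it from audit denials as the
# service is exercised under permissive mode.
allow myapp_t self:fifo_file rw_fifo_file_perms;
files_read_etc_files(myapp_t)
logging_send_syslog_msg(myapp_t)

# Domtrans from an unconfined shell. Without this block, a user running
# /usr/sbin/myapp by hand stays in unconfined_t (targeted policy) or in
# their own login domain (user_t / sysadm_t) and is not "targeted" at all.
optional_policy(`
	unconfined_domtrans_to(myapp_t, myapp_exec_t)
')

########################################
# myapp.fc -- file context, kept here for a one-file example.
# Without this label the type_transition never fires, because the
# executable would be bin_t and no rule targets bin_t.
#
# /usr/sbin/myapp  --  gen_context(system_u:object_r:myapp_exec_t,s0)
```

To check that an application is actually targeted rather than inheriting the caller's domain, compare `ls -Z /usr/sbin/myapp` (must show `myapp_exec_t`) with `ps -eZ | grep myapp` after starting the service (must show `myapp_t`); a `unconfined_t` or `sysadm_t` process here means the module is missing, disabled, or the file label was not applied. The same check distinguishes the two policy types the thread discusses: under refpolicy-minimum only the core modules plus whatever the admin adds (here `myapp`) produce such transitions, while refpolicy-targeted ships the full module set.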