[yocto] [meta-selinux][PATCH 0/4] add targeted/minimum policy and some updates

wenzong fan wenzong.fan at windriver.com
Fri Apr 4 01:00:31 PDT 2014


On 04/04/2014 02:57 PM, Pascal Ouyang wrote:
> 于 14-4-4 上午3:20, Joe MacDonald 写道:
>> Hey Wenzong,
>>
>> I merged two of these four.
>>
>> [[yocto] [meta-selinux][PATCH 0/4] add targeted/minimum policy and
>> some updates] On 14.03.24 (Mon 21:07) wenzong.fan at windriver.com wrote:
>>
>>> From: Wenzong Fan <wenzong.fan at windriver.com>
>>>
>>> Changes:
>>> * backport tmpfs_t patch from upstream;
>>> * add rules for /var/log symlink on poky;
>>
>> These both went in.  These:
>>
>>> * add targeted policy type
>>> * add minimum targeted policy
>>
>> I'm less clear on.  They both look like significant changes to
>> refpolicy-* behaviour, which is fine, but in that case I think it'd be
>> better to give them a different name.  Or one that differentiates them
>> significantly.  For example the "minimum" policy has users unconfined
>> and applications confined?  Or neither?  I'm not sure what the value is
>> of these.
>>
>> If they really are just specialized versions of the standard reference
>> policy, they should at least be ported to use the refpolicy_common
>> infrastructure Phil set up a while back.

We have used the refpolicy_common via: include refpolicy_${PV}.inc -> 
refpolicy_common.inc

And I appreciate Pascal clarifying the usage and difference between those 
two policies :)

Wenzong

>
> Hi Joe&Wenzong,
>
> According to the original design, both policy types are targeted policies.
>
> For targeted policies,
> * Users will log into shells in the unconfined domain.
> * Applications with no policy module, or with their policy module disabled,
> will also run in the unconfined domain.
> * "Targeted" applications have their policy module enabled, with rules to
> domtrans from the unconfined/init* domain into their own domain.
>
> The result will be:
> - standard/mls :
>    un-ruled applications (usually bin_t) will run in the unconfined domain,
> so operations will *not* be blocked.
> - targeted/minimum :
>    un-ruled applications will run in the user's current domain, such as
> user_t or sysadm_t, so most privileged operations will be blocked.
>
>
> Difference between refpolicy-minimum & refpolicy-targeted
> * refpolicy-minimum = targeted policy with only the core policies
>    It should just be used by admins to define their own policy.
>    For example, an httpd server could just use refpolicy-minimum + the httpd
> module. Actually, I had thought of using refpolicy-targeted-minimum as its
> name, but did not in the end.
> * refpolicy-targeted = targeted policy with all 300+ modules
>
> Thanks. :)
>
> - Pascal
>
>>
>> Thanks,
>> -J.
>>
>>>
>>> The following changes since commit
>>> a6079a43719e79e12a57e609923a0cccdba06916:
>>>
>>>    refpolicy: fix real path for su.shadow (2014-02-13 10:52:07 -0500)
>>>
>>> are available in the git repository at:
>>>
>>>    git://git.pokylinux.org/poky-contrib wenzong/ref-minimum
>>>
>>> http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=wenzong/ref-minimum
>>>
>>>
>>> Wenzong Fan (4):
>>>    refpolicy: associate tmpfs_t (shm) to device_t (devtmpfs) file
>>>      systems
>>>    refpolicy: add rules for /var/log symlink on poky
>>>    refpolicy: add targeted policy type
>>>    refpolicy: add minimum targeted policy
>>>
>>>   ...associate-tmpfs_t-shm-to-device_t-devtmpf.patch |   30 +++
>>>   ...ky-policy-add-rules-for-syslogd_t-symlink.patch |   30 +++
>>>   ...rules-for-var-log-symlink-audisp_remote_t.patch |   29 +++
>>>   .../refpolicy/refpolicy-minimum_2.20130424.bb      |   46 +++++
>>>   ...olicy-fix-optional-issue-on-sysadm-module.patch |   60 ++++++
>>>   .../refpolicy-unconfined_u-default-user.patch      |  198
>>> ++++++++++++++++++++
>>>   .../refpolicy/refpolicy-targeted_2.20130424.bb     |   18 ++
>>>   .../refpolicy/refpolicy_2.20130424.inc             |    3 +
>>>   8 files changed, 414 insertions(+)
>>>   create mode 100644
>>> recipes-security/refpolicy/refpolicy-2.20130424/filesystem-associate-tmpfs_t-shm-to-device_t-devtmpf.patch
>>>
>>>   create mode 100644
>>> recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch
>>>
>>>   create mode 100644
>>> recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
>>>
>>>   create mode 100644
>>> recipes-security/refpolicy/refpolicy-minimum_2.20130424.bb
>>>   create mode 100644
>>> recipes-security/refpolicy/refpolicy-targeted/refpolicy-fix-optional-issue-on-sysadm-module.patch
>>>
>>>   create mode 100644
>>> recipes-security/refpolicy/refpolicy-targeted/refpolicy-unconfined_u-default-user.patch
>>>
>>>   create mode 100644
>>> recipes-security/refpolicy/refpolicy-targeted_2.20130424.bb
>>>
>
>
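As an added illustration of the mechanism Pascal describes (this is not code from the patch series or from meta-selinux): a minimal refpolicy-style module for a hypothetical daemon "myapp". Without such a module the binary is plain bin_t and inherits the caller's domain; with it, execution from init_t (service start) or from an unconfined_t shell transitions into the confined myapp_t, which is what makes the application "targeted". All names, paths and ports below are assumptions.

```selinux
# myapp.te -- hypothetical module in refpolicy style (names are assumptions)
policy_module(myapp, 1.0.0)

########################################
#
# Declarations
#

# Domain for the running daemon and the type of its executable.
type myapp_t;
type myapp_exec_t;
# Marks myapp_exec_t as an entrypoint and lets init_t domtrans into myapp_t
# when the service is started at boot.
init_daemon_domain(myapp_t, myapp_exec_t)

# Private log type under /var/log; files created there get it automatically.
type myapp_log_t;
logging_log_file(myapp_log_t)

########################################
#
# Local policy
#

# Grant only what the daemon needs; everything else is denied and audited.
allow myapp_t self:process signal_perms;
allow myapp_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_bind_generic_node(myapp_t)
corenet_tcp_bind_http_port(myapp_t)
append_files_pattern(myapp_t, myapp_log_t, myapp_log_t)
logging_log_filetrans(myapp_t, myapp_log_t, file)

# The "targeted" part: an unconfined shell that execs the binary lands in
# myapp_t instead of staying in unconfined_t. Optional so the module still
# builds on a policy without the unconfined module.
optional_policy(`
	unconfined_domtrans_to(myapp_t, myapp_exec_t)
')

# myapp.fc -- labels the binary so the entrypoint rule applies (constructed paths)
# /usr/sbin/myapp         --  gen_context(system_u:object_r:myapp_exec_t,s0)
# /var/log/myapp(/.*)?        gen_context(system_u:object_r:myapp_log_t,s0)
```

After the module is loaded and the binary relabelled, `ps -eZ` should show the daemon in myapp_t rather than unconfined_t; AVC denials in the audit log then point at rules the module still lacks.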


