[yocto] [meta-selinux] What's the point of refpolicy-minimum?

Joe MacDonald Joe_MacDonald at mentor.com
Tue Jan 10 06:48:22 PST 2017


Wenzong / Shrikant,

I thought I knew the answer to the above question, and maybe my
understanding is still correct, but I think I need to ask it now anyway.

I don't use refpolicy-minimum for anything, so when I did the updates to
refpolicy*_git I didn't even glance at refpolicy-minimum_git.  Wenzong's
change to refpolicy-minimum_2.20161023 (in the same thread as the uprev
of the recipe) piqued my curiosity, so I had a look.  Of course,
refpolicy-minimum_git.bb also needs to be updated (or thrown out), but
now that I'm looking at the recipe I see what seems like conflicting
statements in the recipe:

   recipes-security/refpolicy/refpolicy-minimum_2.20161023.bb:

     include refpolicy-targeted_${PV}.bb

     SUMMARY = "SELinux minimum policy"
     DESCRIPTION = "\
     This is a minimum reference policy with just core policy modules, and \
     could be used as a base for customizing targeted policy. \
     Pretty much everything runs as initrc_t or unconfined_t so all of the \
     domains are unconfined. \
     "

and:

   recipes-security/refpolicy/refpolicy-targeted_2.20161023.bb:

     SUMMARY = "SELinux targeted policy"
     DESCRIPTION = "\
     This is the targeted variant of the SELinux reference policy.  Most service \
     domains are locked down. Users and admins will login in with unconfined_t \
     domain, so they have the same access to the system as if SELinux was not \
     enabled. \
     "

So now I'm trying to understand what the point of refpolicy-minimum
really is here.  Those of you who are using it, what are you using it
for and what do you expect would be the correct behaviour of a system
running that policy?

At the very least, I'm going to remove the 'include [...].bb' from both
'minimum' recipes, as that's completely incorrect, but when I do that I
want to know what anyone using this recipe wants to see from it, so
whatever the 'include' gets replaced with is doing the right thing
(which isn't necessarily what it's doing today).

-- 
-Joe MacDonald.
:wq
