[yocto] [meta-selinux] What's the point of refpolicy-minimum?
Shrikant Bobade
bobadeshrikant at gmail.com
Tue Jan 10 07:40:20 PST 2017
Hi Joe,
On Tue, Jan 10, 2017 at 8:18 PM, Joe MacDonald <Joe_MacDonald at mentor.com>
wrote:
>
> Wenzong / Shrikant,
>
> I thought I knew the answer to the above question, and maybe my
> understanding is still correct, but I think I need to ask it now anyway.
>
> I don't use refpolicy-minimum for anything, so when I did the updates to
> refpolicy*_git I didn't even glance at refpolicy-minimum_git. Wenzong's
> change to refpolicy-minimum_2.20161023 (in the same thread as the uprev
> of the recipe) piqued my curiosity, so I had a look. Of course,
> refpolicy-minimum_git.bb also needs to be updated (or thrown out), but
> now that I'm looking at the recipe I see what seems like conflicting
> statements in the recipe:
>
> recipes-security/refpolicy/refpolicy-minimum_2.20161023.bb:
>
> include refpolicy-targeted_${PV}.bb
>
> SUMMARY = "SELinux minimum policy"
> DESCRIPTION = "\
> This is a minimum reference policy with just core policy modules, and \
> could be used as a base for customizing targeted policy. \
> Pretty much everything runs as initrc_t or unconfined_t so all of the \
> domains are unconfined. \
> "
>
> and:
>
> recipes-security/refpolicy/refpolicy-targeted_2.20161023.bb:
>
> SUMMARY = "SELinux targeted policy"
> DESCRIPTION = "\
> This is the targeted variant of the SELinux reference policy. Most service \
> domains are locked down. Users and admins will login in with unconfined_t \
> domain, so they have the same access to the system as if SELinux was not \
> enabled. \
> "
>
> So now I'm trying to understand what the point of refpolicy-minimum
> really is here. Those of you who are using it, what are you using it
> for and what do you expect would be the correct behaviour of a system
> running that policy?
I recently used refpolicy-minimum, as it provides protection/security for
minimum modules and the remaining things with unconfined; the minimum
coverage (modules) of policy is easy to start on & cross check the prepared
infrastructure against the expected SELinux behavior.
Also it is easy to patch for systemd compared to other policies. Till the
refpolicy v20151208 release we have refpolicy-minimum working with systemd
as init manager. Regarding the latest release, need to check.
But moving ahead a similar policy with minimum modules can be used.
>
> At the very least, I'm going to remove the 'include [...].bb' from both
> 'minimum' recipes, as that's completely incorrect, but when I do that I
> want to know what anyone using this recipe wants to see from it, so
> whatever the 'include' gets replaced with is doing the right thing
> (which isn't necessarily what it's doing today).
Agree.
>
> --
> -Joe MacDonald.
> :wq
>
> --
> _______________________________________________
> yocto mailing list
> yocto at yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto
>
Thanks
Shrikant
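One way to do the "cross check against the expected SELinux behavior" mentioned above is to compare the domains processes actually run in against what the recipe description promises (for refpolicy-minimum, essentially initrc_t and unconfined_t). The script below is an added example, not code from the thread or from meta-selinux; it assumes `ps -eZ` output in the usual LABEL PID TTY TIME CMD layout, and the embedded sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report SELinux domains seen in `ps -eZ` output that are not
# in a caller-supplied list of expected domains. On a refpolicy-minimum
# system the expected list would be roughly "initrc_t unconfined_t"
# (plus whatever the init manager runs as); on a targeted system many
# more service domains are expected.

# unexpected_domains "<space-separated expected domains>"
# Reads `ps -eZ` lines on stdin (header line included) and prints the
# domains that are NOT in the expected list, sorted, space-separated.
# Prints nothing when every observed domain is expected.
unexpected_domains() {
    awk -v allowed="$1" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        NR > 1 {
            # Security context is user:role:type[:level]; field 3 is the domain.
            split($1, ctx, ":")
            seen[ctx[3]] = 1
        }
        END {
            for (d in seen) if (!(d in ok)) print d
        }' | sort | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample `ps -eZ` output (not captured from a real system).
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 systemd
system_u:system_r:initrc_t:s0     312 ?        00:00:00 dbus-daemon
system_u:system_r:sshd_t:s0       420 ?        00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0 801 pts/0 00:00:00 bash'

# Usage on a live system:  ps -eZ | unconfined_domains_check
# Here we run the check over the constructed sample instead.
printf '%s\n' "$SAMPLE_PS" | unexpected_domains "initrc_t unconfined_t"
```

An empty result means every running process is in a domain you expected; anything printed (here init_t and sshd_t) is a domain the policy confines, or one the expected list forgot.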