[yocto] [meta-selinux] What's the point of refpolicy-minimum?

Shrikant Bobade bobadeshrikant at gmail.com
Tue Jan 10 07:40:20 PST 2017


Hi Joe,


On Tue, Jan 10, 2017 at 8:18 PM, Joe MacDonald <Joe_MacDonald at mentor.com> wrote:
>
> Wenzong / Shrikant,
>
> I thought I knew the answer to the above question, and maybe my
> understanding is still correct, but I think I need to ask it now anyway.
>
> I don't use refpolicy-minimum for anything, so when I did the updates to
> refpolicy*_git I didn't even glance at refpolicy-minimum_git.  Wenzong's
> change to refpolicy-minimum_2.20161023 (in the same thread as the uprev
> of the recipe) piqued my curiosity, so I had a look.  Of course,
> refpolicy-minimum_git.bb also needs to be updated (or thrown out), but
> now that I'm looking at the recipe I see what seems like conflicting
> statements in the recipe:
>
>    recipes-security/refpolicy/refpolicy-minimum_2.20161023.bb:
>
>      include refpolicy-targeted_${PV}.bb
>
>      SUMMARY = "SELinux minimum policy"
>      DESCRIPTION = "\
>      This is a minimum reference policy with just core policy modules, and \
>      could be used as a base for customizing targeted policy. \
>      Pretty much everything runs as initrc_t or unconfined_t so all of the \
>      domains are unconfined. \
>      "
>
> and:
>
>    recipes-security/refpolicy/refpolicy-targeted_2.20161023.bb:
>
>      SUMMARY = "SELinux targeted policy"
>      DESCRIPTION = "\
>      This is the targeted variant of the SELinux reference policy. Most service \
>      domains are locked down. Users and admins will login in with unconfined_t \
>      domain, so they have the same access to the system as if SELinux was not \
>      enabled. \
>      "
>
> So now I'm trying to understand what the point of refpolicy-minimum
> really is here.  Those of you who are using it, what are you using it
> for and what do you expect would be the correct behaviour of a system
> running that policy?

I recently used refpolicy-minimum, as it provides protection/security for the
minimum set of modules and leaves the remaining things unconfined; the minimum
coverage (modules) of policy is easy to start on and to cross-check the prepared
infrastructure against the expected SELinux behavior.

Also, it is easy to patch for systemd compared to other policies. Up to the
refpolicy v20151208 release we have refpolicy-minimum working with systemd as
the init manager; regarding the latest release, I need to check.

But moving ahead, a similar policy with minimum modules can be used.

>
> At the very least, I'm going to remove the 'include [...].bb' from both
> 'minimum' recipes, as that's completely incorrect, but when I do that I
> want to know what anyone using this recipe wants to see from it, so
> whatever the 'include' gets replaced with is doing the right thing
> (which isn't necessarily what it's doing today).

Agree.
>
> --
> -Joe MacDonald.
> :wq
>
> --
> _______________________________________________
> yocto mailing list
> yocto at yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto
>

Thanks
Shrikant