[yocto] [meta-selinux] What's the point of refpolicy-minimum?
wenzong fan
wenzong.fan at windriver.com
Wed Jan 11 20:57:33 PST 2017
On 01/10/2017 10:48 PM, Joe MacDonald wrote:
> Wenzong / Shrikant,
>
> I thought I knew the answer to the above question, and maybe my
> understanding is still correct, but I think I need to ask it now anyway.
>
> I don't use refpolicy-minimum for anything, so when I did the updates to
> refpolicy*_git I didn't even glance at refpolicy-minimum_git. Wenzong's
> change to refpolicy-minimum_2.20161023 (in the same thread as the uprev
> of the recipe) piqued my curiosity, so I had a look. Of course,
> refpolicy-minimum_git.bb also needs to be updated (or thrown out), but
> now that I'm looking at the recipe I see what seems like conflicting
> statements in the recipe:
>
> recipes-security/refpolicy/refpolicy-minimum_2.20161023.bb:
>
> include refpolicy-targeted_${PV}.bb
>
> SUMMARY = "SELinux minimum policy"
> DESCRIPTION = "\
> This is a minimum reference policy with just core policy modules, and \
> could be used as a base for customizing targeted policy. \
> Pretty much everything runs as initrc_t or unconfined_t so all of the \
> domains are unconfined. \
> "
>
> and:
>
> recipes-security/refpolicy/refpolicy-targeted_2.20161023.bb:
>
> SUMMARY = "SELinux targeted policy"
> DESCRIPTION = "\
> This is the targeted variant of the SELinux reference policy. Most service \
> domains are locked down. Users and admins will login in with unconfined_t \
> domain, so they have the same access to the system as if SELinux was not \
> enabled. \
> "
>
> So now I'm trying to understand what the point of refpolicy-minimum
> really is here. Those of you who are using it, what are you using it
> for and what do you expect would be the correct behaviour of a system
> running that policy?
>
I don't have much experience with using refpolicy-minimum either.
But from the original logs it should be a "minimum targeted policy".
commit 65675f02e33f5da31ec5dbac7a45849f4952569b
Author: Wenzong Fan <wenzong.fan at windriver.com>
Date: Mon Mar 24 21:07:50 2014 -0400
refpolicy: add minimum targeted policy
This is a minimum targeted policy with just core policy modules, and
could be used as a base for customizing targeted policy.
Pretty much everything runs as initrc_t or unconfined_t so all of the
domains are unconfined.
Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
Signed-off-by: Joe MacDonald <joe at deserted.net>
> At the very least, I'm going to remove the 'include [...].bb' from both
> 'minimum' recipes, as that's completely incorrect, but when I do that I
> want to know what anyone using this recipe wants to see from it, so
> whatever the 'include' gets replaced with is doing the right thing
> (which isn't necessarily what it's doing today).
I won't object to making the changes, if you think there should be a
different minimum policy with targeted.
Thanks
Wenzong