[yocto] [meta-selinux] What's the point of refpolicy-minimum?

wenzong fan wenzong.fan at windriver.com
Wed Jan 11 20:57:33 PST 2017


On 01/10/2017 10:48 PM, Joe MacDonald wrote:
> Wenzong / Shrikant,
>
> I thought I knew the answer to the above question, and maybe my
> understanding is still correct, but I think I need to ask it now anyway.
>
> I don't use refpolicy-minimum for anything, so when I did the updates to
> refpolicy*_git I didn't even glance at refpolicy-minimum_git.  Wenzong's
> change to refpolicy-minimum_2.20161023 (in the same thread as the uprev
> of the recipe) piqued my curiosity, so I had a look.  Of course,
> refpolicy-minimum_git.bb also needs to be updated (or thrown out), but
> now that I'm looking at the recipe I see what seems like conflicting
> statements in the recipe:
>
>    recipes-security/refpolicy/refpolicy-minimum_2.20161023.bb:
>
>      include refpolicy-targeted_${PV}.bb
>
>      SUMMARY = "SELinux minimum policy"
>      DESCRIPTION = "\
>      This is a minimum reference policy with just core policy modules, and \
>      could be used as a base for customizing targeted policy. \
>      Pretty much everything runs as initrc_t or unconfined_t so all of the \
>      domains are unconfined. \
>      "
>
> and:
>
>    recipes-security/refpolicy/refpolicy-targeted_2.20161023.bb:
>
>      SUMMARY = "SELinux targeted policy"
>      DESCRIPTION = "\
>      This is the targeted variant of the SELinux reference policy.  Most service \
>      domains are locked down. Users and admins will login in with unconfined_t \
>      domain, so they have the same access to the system as if SELinux was not \
>      enabled. \
>      "
>
> So now I'm trying to understand what the point of refpolicy-minimum
> really is here.  Those of you who are using it, what are you using it
> for and what do you expect would be the correct behaviour of a system
> running that policy?
>

I don't have much experience with using refpolicy-minimum either.

But from the original logs it should be "minimum targeted policy".

commit 65675f02e33f5da31ec5dbac7a45849f4952569b
Author: Wenzong Fan <wenzong.fan at windriver.com>
Date:   Mon Mar 24 21:07:50 2014 -0400

     refpolicy: add minimum targeted policy

     This is a minimum targeted policy with just core policy modules, and
     could be used as a base for customizing targeted policy.
     Pretty much everything runs as initrc_t or unconfined_t so all of the
     domains are unconfined.

     Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
     Signed-off-by: Joe MacDonald <joe at deserted.net>


> At the very least, I'm going to remove the 'include [...].bb' from both
> 'minimum' recipes, as that's completely incorrect, but when I do that I
> want to know what anyone using this recipe wants to see from it, so
> whatever the 'include' gets replaced with is doing the right thing
> (which isn't necessarily what it's doing today).

I won't object to making the changes, if you think there should be a
different minimum policy alongside targeted.

Thanks
Wenzong
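One way to answer "what would the correct behaviour of a system running that policy be" is to look at what domains processes actually end up in, and compare that with the recipe DESCRIPTION: under the minimum policy as described, nearly everything should sit in initrc_t or unconfined_t, while under targeted most service daemons should be in their own confined domains. The script below is an added example, not part of this thread or of meta-selinux; it parses `ps -eZ`-style output (the sample lines are constructed, not captured from a real system) and counts the processes that are in a domain other than initrc_t/unconfined_t.

```shell
#!/bin/sh
# Added example, not from the meta-selinux thread or project.
# Parse `ps -eZ` style output and report which processes run in a confined
# domain, so the observed behaviour can be checked against the policy's
# stated intent (minimum: everything unconfined; targeted: services confined).

# Constructed sample in `ps -eZ` format ("LABEL PID TTY TIME CMD"); on a real
# box you would feed in "$(ps -eZ)" instead.
SAMPLE_PS='LABEL                               PID TTY          TIME CMD
system_u:system_r:init_t:s0           1 ?        00:00:01 init
system_u:system_r:initrc_t:s0       200 ?        00:00:00 rc.local
system_u:system_r:sshd_t:s0         300 ?        00:00:00 sshd
system_u:system_r:crond_t:s0        310 ?        00:00:00 crond
unconfined_u:unconfined_r:unconfined_t:s0 400 pts/0 00:00:00 bash'

# Print "DOMAIN CMD" per process line: the domain is the type field, i.e. the
# third colon-separated component of the security context in column 1.
# The first (header) line of ps output is skipped.
ps_domains() {
    printf '%s\n' "$1" | awk 'NR > 1 { split($1, ctx, ":"); print ctx[3], $NF }'
}

# Count processes whose domain is neither initrc_t nor unconfined_t, the two
# domains the refpolicy-minimum DESCRIPTION says "pretty much everything"
# runs in. A large number here means the policy is confining services,
# i.e. behaving like targeted rather than like the minimum description.
confined_count() {
    ps_domains "$1" | awk '$1 != "initrc_t" && $1 != "unconfined_t" { n++ } END { print n + 0 }'
}

# List the distinct confined domains, one per line, for a quick eyeball.
confined_domains() {
    ps_domains "$1" | awk '$1 != "initrc_t" && $1 != "unconfined_t" { print $1 }' | sort -u
}

# Usage on the constructed sample: prints the count, then the domains.
confined_count "$SAMPLE_PS"
confined_domains "$SAMPLE_PS"
```

Run it against `ps -eZ` output from a system built with each recipe: if the minimum policy really leaves everything unconfined, the count stays at or near zero (PID 1 in init_t being the usual exception), whereas the targeted policy should list sshd_t, crond_t and the like.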
