[yocto] [meta-selinux] What's the point of refpolicy-minimum?

Joe MacDonald Joe_MacDonald at mentor.com
Thu Jan 12 07:27:28 PST 2017


Hi guys,

[Re: [meta-selinux] What's the point of refpolicy-minimum?] On 17.01.12 (Thu 12:57) wenzong fan wrote:

> On 01/10/2017 10:48 PM, Joe MacDonald wrote:
> >Wenzong / Shrikant,
> >
> >I thought I knew the answer to the above question, and maybe my
> >understanding is still correct, but I think I need to ask it now anyway.
> >
> >I don't use refpolicy-minimum for anything, so when I did the updates to
> >refpolicy*_git I didn't even glance at refpolicy-minimum_git.  Wenzong's
> >change to refpolicy-minimum_2.20161023 (in the same thread as the uprev
> >of the recipe) piqued my curiosity, so I had a look.  Of course,
> >refpolicy-minimum_git.bb also needs to be updated (or thrown out), but
> >now that I'm looking at the recipe I see what seems like conflicting
> >statements in the recipe:
> >
> >   recipes-security/refpolicy/refpolicy-minimum_2.20161023.bb:
> >
> >     include refpolicy-targeted_${PV}.bb
> >
> >     SUMMARY = "SELinux minimum policy"
> >     DESCRIPTION = "\
> >     This is a minimum reference policy with just core policy modules, and \
> >     could be used as a base for customizing targeted policy. \
> >     Pretty much everything runs as initrc_t or unconfined_t so all of the \
> >     domains are unconfined. \
> >     "
> >
> >and:
> >
> >   recipes-security/refpolicy/refpolicy-targeted_2.20161023.bb:
> >
> >     SUMMARY = "SELinux targeted policy"
> >     DESCRIPTION = "\
> >     This is the targeted variant of the SELinux reference policy.  Most service \
> >     domains are locked down. Users and admins will login in with unconfined_t \
> >     domain, so they have the same access to the system as if SELinux was not \
> >     enabled. \
> >     "
> >
> >So now I'm trying to understand what the point of refpolicy-minimum
> >really is here.  Those of you who are using it, what are you using it
> >for and what do you expect would be the correct behaviour of a system
> >running that policy?
> >
> 
> I don't have much experience using refpolicy-minimum either.
> 
> But from the original logs it should be "minimum targeted policy".
> 
> commit 65675f02e33f5da31ec5dbac7a45849f4952569b
> Author: Wenzong Fan <wenzong.fan at windriver.com>
> Date:   Mon Mar 24 21:07:50 2014 -0400
> 
>     refpolicy: add minimum targeted policy
> 
>     This is a minimum targeted policy with just core policy modules, and
>     could be used as a base for customizing targeted policy.
>     Pretty much everything runs as initrc_t or unconfined_t so all of the
>     domains are unconfined.
> 
>     Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
>     Signed-off-by: Joe MacDonald <joe at deserted.net>
> 
> 
> >At the very least, I'm going to remove the 'include [...].bb' from both
> >'minimum' recipes, as that's completely incorrect, but when I do that I
> >want to know what anyone using this recipe wants to see from it, so
> >whatever the 'include' gets replaced with is doing the right thing
> >(which isn't necessarily what it's doing today).
> 
> I won't object to making the changes, if you think there should be a different
> minimum policy with targeted.

I'm not proposing an alternative, I'm just saying that the statements in
the descriptions of the recipes seem to conflict.  (And do note that the
git log you quoted is precisely the text in DESCRIPTION for
refpolicy-minimum.)

What I'm confused by is this in minimum:

>     Pretty much everything runs as initrc_t or unconfined_t so all of the
>     domains are unconfined.

and this in targeted:

> >     Most service domains are locked down.

So I guess my question is what is the desired behaviour out of this
recipe?  If nobody knows and it's not being used, I'm leaning toward a
'git rm'-based solution.  :-)

It sounds, though, like Shrikant is using it, so it's of some use, I
guess.  Shrikant, on the systems you've used the minimum policy, what
does the policy look like on your running system?  In the current world
refpolicy-minimum inherits POLICY_TYPE and POLICY_MLS_SENS from
refpolicy-targeted, is that good / bad / irrelevant to what you're doing
with it?  If I just rework minimum to remove the include and bring in
the minimal number of changes to get the policy to load again, is that
good enough for your purposes?  Do you want to volunteer to test my
changes for me before I commit them?  :-)

-- 
-Joe MacDonald.
:wq