[yocto] [meta-selinux] What's the point of refpolicy-minimum?

Shrikant Bobade bobadeshrikant at gmail.com
Mon Jan 16 05:59:00 PST 2017


Hi Joe,

On Thu, Jan 12, 2017 at 8:57 PM, Joe MacDonald <Joe_MacDonald at mentor.com> wrote:
>
> Hi guys,
>
> [Re: [meta-selinux] What's the point of refpolicy-minimum?] On 17.01.12 (Thu 12:57) wenzong fan wrote:
>
> > On 01/10/2017 10:48 PM, Joe MacDonald wrote:
> > >Wenzong / Shrikant,
> > >
> > >I thought I knew the answer to the above question, and maybe my
> > >understanding is still correct, but I think I need to ask it now anyway.
> > >
> > >I don't use refpolicy-minimum for anything, so when I did the updates to
> > >refpolicy*_git I didn't even glance at refpolicy-minimum_git.  Wenzong's
> > >change to refpolicy-minimum_2.20161023 (in the same thread as the uprev
> > >of the recipe) piqued my curiosity, so I had a look.  Of course,
> > >refpolicy-minimum_git.bb also needs to be updated (or thrown out), but
> > >now that I'm looking at the recipe I see what seems like conflicting
> > >statements in the recipe:
> > >
> > >   recipes-security/refpolicy/refpolicy-minimum_2.20161023.bb:
> > >
> > >     include refpolicy-targeted_${PV}.bb
> > >
> > >     SUMMARY = "SELinux minimum policy"
> > >     DESCRIPTION = "\
> > >     This is a minimum reference policy with just core policy modules, and \
> > >     could be used as a base for customizing targeted policy. \
> > >     Pretty much everything runs as initrc_t or unconfined_t so all of the \
> > >     domains are unconfined. \
> > >     "
> > >
> > >and:
> > >
> > >   recipes-security/refpolicy/refpolicy-targeted_2.20161023.bb:
> > >
> > >     SUMMARY = "SELinux targeted policy"
> > >     DESCRIPTION = "\
> > >     This is the targeted variant of the SELinux reference policy. Most service \
> > >     domains are locked down. Users and admins will login in with unconfined_t \
> > >     domain, so they have the same access to the system as if SELinux was not \
> > >     enabled. \
> > >     "
> > >
> > >So now I'm trying to understand what the point of refpolicy-minimum
> > >really is here.  Those of you who are using it, what are you using it
> > >for and what do you expect would be the correct behaviour of a system
> > >running that policy?
> > >
> >
> > I don't have much experience on using the refpolicy-minimum as well.
> >
> > But from the original logs it should be "minimum targeted policy".
> >
> > commit 65675f02e33f5da31ec5dbac7a45849f4952569b
> > Author: Wenzong Fan <wenzong.fan at windriver.com>
> > Date:   Mon Mar 24 21:07:50 2014 -0400
> >
> >     refpolicy: add minimum targeted policy
> >
> >     This is a minimum targeted policy with just core policy modules, and
> >     could be used as a base for customizing targeted policy.
> >     Pretty much everything runs as initrc_t or unconfined_t so all of the
> >     domains are unconfined.
> >
> >     Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
> >     Signed-off-by: Joe MacDonald <joe at deserted.net>
> >
> >
> > >At the very least, I'm going to remove the 'include [...].bb' from both
> > >'minimum' recipes, as that's completely incorrect, but when I do that I
> > >want to know what anyone using this recipe wants to see from it, so
> > >whatever the 'include' gets replaced with is doing the right thing
> > >(which isn't necessarily what it's doing today).
> >
> > I won't object to making the changes, if you think there should be a different
> > minimum policy with targeted.
>
> I'm not proposing an alternative, I'm just saying that the statements in
> the descriptions of the recipes seem to conflict.  (And do note that the
> git log you quoted is precisely the text in DESCRIPTION for
> refpolicy-minimum.)
>
> What I'm confused by is this in minimum:
>
> >     Pretty much everything runs as initrc_t or unconfined_t so all of the
> >     domains are unconfined.
>
> and this in targeted:
>
> > >     Most service domains are locked down.
>
> So I guess my question is what is the desired behaviour out of this
> recipe?  If nobody knows and it's not being used, I'm leaning toward a
> 'git rm'-based solution.  :-)
>
> It sounds, though, like Shrikant is using it, so it's of some use, I
> guess.  Shrikant, on the systems you've used the minimum policy, what
> does the policy look like on your running system?  In the current world
> refpolicy-minimum inherits POLICY_TYPE and POLICY_MLS_SENS from
> refpolicy-targeted, is that good / bad / irrelevant to what you're doing
> with it?  If I just rework minimum to remove the include and bring in
> the minimal number of changes to get the policy to load again, is that
> good enough for your purposes?  Do you want to volunteer to test my
> changes for me before I commit them?  :-)

Sure, the rework for minimum to remove the include and a minimal number of
changes to get the policy loading seems good to serve the expectations of it.
Happy to volunteer to validate the changes; please advise the location to
fork the in-progress changes. :)

>
> --
> -Joe MacDonald.
> :wq
>

Thanks
Shrikant
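As an added example that is not part of the thread and not meta-selinux code: a small POSIX shell script that answers Joe's "what does the policy look like on your running system" question by summarising the domains processes run in, read from `ps -eZ` output. The process listing below is a constructed sample; on a real system pass `"$(ps -eZ)"` instead.

```shell
#!/bin/sh
# Added example: summarise process domains from `ps -eZ` output to see whether
# a system looks like the refpolicy-minimum description ("pretty much
# everything runs as initrc_t or unconfined_t") or the targeted one ("most
# service domains are locked down"). Labels are user:role:type:level.

# Constructed sample of `ps -eZ` output (not captured from a real system).
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
system_u:system_r:kernel_t:s0       2 ?        00:00:00 kthreadd
system_u:system_r:initrc_t:s0     123 ?        00:00:00 rc.local
system_u:system_r:sshd_t:s0-s0:c0.c1023 200 ?  00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 300 pts/0 00:00:00 bash
system_u:system_r:initrc_t:s0     310 ?        00:00:00 syslogd'

# domain_summary: print "<count> <domain>" per domain, most frequent first.
# The header line (NR == 1) is skipped; the type is the third label field.
domain_summary() {
    printf '%s\n' "$1" | awk 'NR > 1 { split($1, ctx, ":"); print ctx[3] }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# unconfined_count: processes in initrc_t or unconfined_t, the two domains the
# minimum recipe description says nearly everything runs as.
unconfined_count() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        split($1, ctx, ":")
        if (ctx[3] == "initrc_t" || ctx[3] == "unconfined_t") n++
    } END { print n + 0 }'
}

# confined_service_count: system_r processes in a service-specific domain
# (anything other than init_t, initrc_t or kernel_t), i.e. the "locked down"
# services the targeted description refers to.
confined_service_count() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        split($1, ctx, ":")
        if (ctx[2] == "system_r" && ctx[3] != "init_t" &&
            ctx[3] != "initrc_t" && ctx[3] != "kernel_t") n++
    } END { print n + 0 }'
}

echo "Domains in use:"
domain_summary "$SAMPLE_PS"
echo "initrc_t/unconfined_t processes: $(unconfined_count "$SAMPLE_PS")"
echo "confined service processes:      $(confined_service_count "$SAMPLE_PS")"
```

A high unconfined count with few confined services is what the minimum description predicts; the reverse is what the targeted description predicts.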