FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora SELinux Support

 
 
LinkBack Thread Tools
 
Old 02-18-2009, 03:19 PM
"Spann, John W."
 
Default Policy for Embedded Machine

All,

I am working with a 2.6.27.14 kernel on an embedded PowerPC 440 board.
Aside from the operating system and some drivers and libraries, there
will be a few custom applications written which I will need to write
policy for.

I am looking for the best policy writing approach for the environment.
Seems like I could take the latest policy distributed with Fedora and
start ripping out stuff or start with nothing and build up. Not having
written much policy yet, I am seeking advice on the best approach.

I also have read about SELinux Policy Editor (SEEdit) and wonder if this
might be a good approach for a new policy writer.

Thoughts...

SpannMan



--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 02-20-2009, 06:18 PM
Stephen Smalley
 
Default Policy for Embedded Machine

On Wed, 2009-02-18 at 10:19 -0600, Spann, John W. wrote:
> All,
>
> I am working with a 2.6.27.14 kernel on an embedded PowerPC 440 board.
> Aside from the operating system and some drivers and libraries, there
> will be a few custom applications written which I will need to write
> policy for.
>
> I am looking for the best policy writing approach for the environment.
> Seems like I could take the latest policy distributed with Fedora and
> start ripping out stuff or start with nothing and build up. Not having
> written much policy yet, I am seeking advice on the best approach.
>
> I also have read about SELinux Policy Editor (SEEdit) and wonder if this
> might be a good approach for a new policy writer.
>
> Thoughts...

Interestingly, Dan Walsh has created a selinux-policy-minimum package as
a stripped down version of the Fedora targeted policy for this kind of
usage. See:
http://danwalsh.livejournal.com/26759.html

So that is an option, although you may wish to further prune it for your
needs and you likely want to just build the monolithic policy for your
embedded system and dispense with the overhead of the modular policy in
such an environment.

However, starting from anything based on the reference policy (all of
the Fedora policies are built from the reference policy) locks you into
its particular dependencies and its (fine) granularity of domains and
types, and pruning it can be difficult. And I'm not sure how much of
the refpolicy is relevant to an embedded system. So my preferred option
would be to start from "scratch" and build up so that you can tailor the
policy to the precise functionality and security goals of the embedded
system.

To jump-start that process, you can generate the absolute minimum policy
(called the dummy policy) required to boot your kernel, define a single
security context, and allow that context to do everything by running the
scripts/selinux/mdp/mdp program in the kernel source tree - see
Documentation/SELinux.txt and scripts/selinux in the kernel tree. The
difference in sizes is substantial; Fedora's selinux-policy-minimum
yields a ~640K binary kernel policy file, while the dummy policy
generated by mdp from the kernel tree yields a ~9K binary kernel policy
file. Of course, you would then need to extend that dummy policy by
hand to actually do anything useful with it.

SEEdit is an option, and you may wish to try it as well, but be careful
to examine the end result (i.e. the actual policy.conf that it generates
as output, not just the simplified policy language statements) and see
whether it actually meets the security goals you intended. I haven't
used it. I'm not sure it is still actively being developed.

You may want to read over http://elinux.org/SELinux to see what the
Japanese SELinux community has done in the past with regard to embedded
SELinux, although I don't believe that such work is still ongoing.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 03-03-2009, 12:22 PM
"Spann, John W."
 
Default Policy for Embedded Machine

Do I have to be running the 2.6.28 kernel to have the ability to load
the dummy policy? This seems like the approach I would take, but we must
use the 2.6.27.14 kernel.


--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 03-03-2009, 01:29 PM
Stephen Smalley
 
Default Policy for Embedded Machine

On Tue, 2009-03-03 at 07:22 -0600, Spann, John W. wrote:
> Do I have to be running the 2.6.28 kernel to have the ability to load
> the dummy policy? This seems like the approach I would take, but we must
> use the 2.6.27.14 kernel.

No, you should be able to create a dummy policy for 2.6.27.14. You'll
need to grab the scripts/selinux files from 2.6.28 or later, but you
should be able to use those files on the older kernel.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 

Thread Tools




All times are GMT. The time now is 03:44 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org