Thomas Petazzoni <thomas.petazz...@bootlin.com> [2019-11-13 16:12:41]:
Hi,

is this some kind of RFC/idea probe? I like the idea, additional hardening is needed and welcome I would say.

> I have patches ready to add some minimal SELinux support to OpenWRT,
> which I intend to send in the near future.

It would probably make more sense to send somehow minimal but complete working SELinux support so one could see what it would mean in terms of flash space, RAM, CPU overhead etc. Maybe adding one of the default services exposed to the network as an initial example?

> + pkg_search_module(SELINUX REQUIRED libselinux)

This looks like a missing dependency.

> fprintf(stderr, "Cannot load SELinux policy, but system in enforcing mode.
> Halting.\n");

Just a side note, halting in the context of running on the router means flashing of the factory image. Halting doesn't provide any feedback to the user, if we don't consider stuck-in-the-bootloop as proper feedback. Probably entering failsafe (has LED feedback) or such would make more sense here?

I'm not implying that this needs to be solved from the beginning, halting during development is alright, just something to think about.

-- ynezz

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel