Hello Thomas, Le lun. 18 nov. 2019 à 05:33, Thomas Petazzoni <thomas.petazz...@bootlin.com> a écrit : > > Hello Petr, > > Thanks for your feedback again. > > On Sat, 16 Nov 2019 14:22:13 +0100 > Petr Štetiar <yn...@true.cz> wrote: > > > (nitpick, it's OpenWrt, not OpenWRT) > > Thanks for this clarification, it's always good to use the proper > capitalization for project names. I'll try to use OpenWrt in the > future, but please bear with me if I sometimes forget. > > > > No, this patch is not RFC, it should be ready for merging, I'm already > > > using it in some devices. > > > > Ok, this patch is good enough for your limited use case, but in order to > > include SELinux support in OpenWrt, then the first patch series should be > > more > > comprehensive, minimal yet complete. > > I guess I'll send the patch series itself, so we can have the > discussion on the actual proposal. I sent this procd patch separately, > just because it is a requirement for the rest of the series to work > (right now I was working with this procd patch in the OpenWrt procd > package). > > > > The thing is that the SELinux support in OpenWRT needs this improvement > > > in procd, otherwise it won't work at runtime as nothing will be loading > > > the SELinux policy. > > > > Where is that policy? What about kernel part? What about userspace part? > > What > > about filesystem image? And so on. > > In terms of policy, I'm simply using the reference policy provided by > the SELinux project itself, with no specific customization for OpenWrt. > Of course, additional tuning may be required, but for my use case, it > was sufficient. In terms of kernel part, it of course requires some > kernel options to be enabled. In terms of user-space parts, this is > where my patch series is the most interesting: it packages all the > user-space components that are necessary to be able to work with > SELinux.
If you can include the compressed size of each part, this is also important for the discussion I think I know part of the debug tools on regular distro, like audit2why, are python scripts, so pretty huge dependency Regards Etienne > > > > Regarding the flash space, RAM and CPU overhead, I'm not sure it's that > > > relevant: the SELinux packaging I've done makes it completely optional, > > > so you only have an impact of flash space, RAM and CPU if you enable > > > SELinux support. > > > > Once its merged, we basically say, that its more or less supported, even if > > it's optional. > > > > It's pretty much crystal clear, that some additional hardening layer would > > be > > very welcome. I think, that OpenWrt should aim for something, which could be > > usable on most of modern devices today and enabled by default. Security > > shouldn't be an option, it should be default. > > > > SELinux is just one of the LSMs in Linux. Is SELinux the right one for > > OpenWrt project? Are we going to support all of them? I doubt that, so > > decision needs to be made. > > I guess here I don't have the OpenWrt mindset, as I come from a > Buildroot background. Buildroot supports multiple solutions for the > same "problem", and let users decide which solution they want to use > (so the users have some integration work to do), while it seems that > OpenWrt wants to make a decision on one solution to use, but provide > something that is seamlessly integrated for users. > > > > Do you have more details about entering failsafe mode ? How do you do > > > that ? > > > > It's usually triggered by the button during the boot process[1], but it > > should > > be possible to force it from procd as well. > > > > 1. > > https://openwrt.org/docs/guide-user/troubleshooting/failsafe_and_factory_reset > > OK, thanks. > > Thomas > -- > Thomas Petazzoni, CTO, Bootlin > Embedded Linux and Kernel engineering > https://bootlin.com > > _______________________________________________ > openwrt-devel mailing list > openwrt-devel@lists.openwrt.org > https://lists.openwrt.org/mailman/listinfo/openwrt-devel _______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel