From: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
To: buildroot@busybox.net
Subject: [Buildroot] SELinux Buildroot Additions
Date: Tue, 27 Aug 2013 22:08:19 +0200 [thread overview]
Message-ID: <20130827220819.6ea4fcae@skate> (raw)
In-Reply-To: <OF965741C3.D223706B-ON86257BD4.0066A1F9-86257BD4.00680C50@rockwellcollins.com>
Clayton,
On Tue, 27 Aug 2013 13:56:28 -0500, clshotwe at rockwellcollins.com wrote:
> > Can you expand on what is the huge issue between Busybox and the
> > SELinux Refpolicy? The fact that the Refpolicy doesn't include a policy
> > for Busybox? If so, isn't it possible to contribute a policy that would
> > be suitable for usage with Busybox? A quick Google search returns
> > http://code.google.com/p/sebusybox/.
>
> Since Busybox is one executable that runs a bunch of different commands,
> there is an issue with the SELinux type transitions happening correctly.
> Programs, including init, end up running in an incorrect context and break
> SELinux rules. A policy could probably be created to let Busybox do what
> it needs to do but then that opens up the issue of having one application
> do everything. A lot of potential security vulnerabilities can be blocked
> by having a bunch of different applications that cannot all be compromised
> at once. It would be really easy to use busybox if it was possible to
> build separate executables for security critical applications but I don't
> think that feature is available yet.
This is actually possible, with the option CONFIG_FEATURE_INDIVIDUAL of
Busybox. It creates a libbusybox shared library, and then creates one
small (~6 KB) binary for each busybox program. This way, each program
is really separate, even though the program code is really within
libbusybox.
Wouldn't this make SELinux handling easier? If yes, then I believe we
could certainly decide to build and install Busybox this way when
SELinux support is enabled.
However, it seems like this Busybox feature installs those binary
programs in a directory called 0_lib/ in the source directory, and
"make install" keeps installing symbolic links. Well, I guess this is
probably something we can improve/fix.
> The packages that I will be adding are all from Tresys (
> http://userspace.selinuxproject.org/trac/). I looked into the sebusybox
> stuff a while ago but it looks like no one has done any development on it
> in a while.
Ok.
Thomas
--
Thomas Petazzoni, Free Electrons
Kernel, drivers, real-time and embedded Linux
development, consulting, training and support.
http://free-electrons.com
prev parent reply other threads:[~2013-08-27 20:08 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-27 16:20 [Buildroot] SELinux Buildroot Additions clshotwe at rockwellcollins.com
2013-08-27 17:04 ` Thomas Petazzoni
2013-08-27 17:46 ` clshotwe at rockwellcollins.com
2013-08-27 18:25 ` Thomas Petazzoni
2013-08-27 18:56 ` clshotwe at rockwellcollins.com
2013-08-27 20:08 ` Thomas Petazzoni [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130827220819.6ea4fcae@skate \
--to=thomas.petazzoni@free-electrons.com \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.