From: Joe MacDonald <Joe_MacDonald@mentor.com>
To: <wenzong.fan@windriver.com>, <shrikant_bobade@mentor.com>
Cc: yocto@yoctoproject.org
Subject: [meta-selinux] What's the point of refpolicy-minimum?
Date: Tue, 10 Jan 2017 09:48:22 -0500 [thread overview]
Message-ID: <20170110144821.GC8258@mentor.com> (raw)
Wenzong / Shrikant,
I thought I knew the answer to the above question, and maybe my
understanding is still correct, but I think I need to ask it now anyway.
I don't use refpolicy-minimum for anything, so when I did the updates to
refpolicy*_git I didn't even glance at refpolicy-minimum_git. Wenzong's
change to refpolicy-minimum_2.20161023 (in the same thread as the uprev
of the recipe) piqued my curiosity, so I had a look. Of course,
refpolicy-minimum_git.bb also needs to be updated (or thrown out), but
now that I'm looking at the recipe I see what seems like conflicting
statements in the recipe:
recipes-security/refpolicy/refpolicy-minimum_2.20161023.bb:

    include refpolicy-targeted_${PV}.bb

    SUMMARY = "SELinux minimum policy"
    DESCRIPTION = "\
    This is a minimum reference policy with just core policy modules, and \
    could be used as a base for customizing targeted policy. \
    Pretty much everything runs as initrc_t or unconfined_t so all of the \
    domains are unconfined. \
    "

and:

recipes-security/refpolicy/refpolicy-targeted_2.20161023.bb:

    SUMMARY = "SELinux targeted policy"
    DESCRIPTION = "\
    This is the targeted variant of the SELinux reference policy. Most service \
    domains are locked down. Users and admins will login in with unconfined_t \
    domain, so they have the same access to the system as if SELinux was not \
    enabled. \
    "

So now I'm trying to understand what the point of refpolicy-minimum
really is here. Those of you who are using it, what are you using it
for and what do you expect would be the correct behaviour of a system
running that policy?
At the very least, I'm going to remove the 'include [...].bb' from both
'minimum' recipes, as that's completely incorrect, but when I do that I
want to know what anyone using this recipe wants to see from it, so
whatever the 'include' gets replaced with is doing the right thing
(which isn't necessarily what it's doing today).
--
-Joe MacDonald.
:wq