From: Dominick Grift <dominick.grift@defensec.nl>
To: Ashish Mishra <ashishm@mvista.com>
Cc: Ondrej Mosnacek <omosnace@redhat.com>,
	SElinux list <selinux@vger.kernel.org>,
	Paul Moore <paul@paul-moore.com>
Subject: Re: Selinux context type is same for root & normal user both
Date: Wed, 06 Jan 2021 17:39:43 +0100
Message-ID: <ypjlble2f29c.fsf@defensec.nl>
In-Reply-To: <CAP2Ojci+UGvCCr6XMHYvm6jCr4p9GmwM3j97ZFLoqB2prNH4gQ@mail.gmail.com> (Ashish Mishra's message of "Wed, 6 Jan 2021 21:46:13 +0530")

Ashish Mishra <ashishm@mvista.com> writes:

> Hi Dominick / Ondrej,
>
> Thanks for the valuable inputs, I will try to evaluate them.
>
> Ashish

We have an IRC channel on chat.freenode.net where we can have casual and
more interactive conversations if you're interested in that.

https://freenode.net/kb/answer/chat

>
> On Wed, Jan 6, 2021 at 9:30 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>>
>> On Wed, Jan 6, 2021 at 4:40 PM Dominick Grift
>> <dominick.grift@defensec.nl> wrote:
>> > Ashish Mishra <ashishm@mvista.com> writes:
>> >
>> > > Hi Dominick,
>> > >
>> > > Will look at the re-labelling as you suggested.
>> > > Is there any doc / blog / implementation etc. to understand the
>> > > sequence and commands to do this, to understand this step in a
>> > > better way?
>> > >
>> > > We are working with such a setup freshly so any inputs / guidance will
>> > > be helpful.
>> > >
>> > > Thanks for your time & inputs for this long thread.
>> >
>> > For docs I would suggest selinuxproject.org and
>> > https://github.com/SELinuxProject/selinux-notebook/blob/main/src/toc.md
>> >
>> > For implementations I would suggest looking at how OpenWrt implemented
>> > SELinux, as this is a very simple implementation and the target seems to
>> > be relatively similar to yours, with the exception that OpenWrt does not
>> > use a volatile root but instead uses a read-only squashfs and an overlay.
>> >
>> > You can also look at Fedora CoreOS for inspiration, and Google's SEAndroid.
>> >
>> > Implementing meaningful SELinux for exotic use cases like yours is not
>> > trivial though, IMHO. Using reference policy as a base policy might not
>> > be optimal for your use case (to say the least) and it would probably be
>> > easier to create a policy from scratch instead in the longer run.
>>
>> Well said. I'll just add that you'll at the very least need to remove
>> the "genfscon" rule for "rootfs" from your policy and replace it with
>> an appropriate "fs_use_xattr" one to be able to relabel the root
>> filesystem. (Assuming it uses tmpfs under the hood (or supports
>> xattrs), otherwise you may need to mount tmpfs somewhere and chroot
>> into it at the beginning of your init script. Or something like
>> that...)
>>
>> --
>> Ondrej Mosnacek
>> Software Engineer, Platform Security - SELinux kernel
>> Red Hat, Inc.
>>

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
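The policy change Ondrej describes in the quoted reply above (drop the "genfscon" rule for "rootfs", add an "fs_use_xattr" one so the root filesystem can be relabeled) is the kind of thing that is easy to get half-done in a policy tree. The following is an added example, written for this page and not taken from the thread, from OpenWrt, or from any of the projects mentioned: a small POSIX shell check that reads policy source and reports which mechanism labels rootfs, plus a helper that reports the live root filesystem type for the "assuming it uses tmpfs under the hood" caveat. The two policy fragments are constructed samples in reference-policy syntax; the contexts root_t and fs_t are illustrative and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread). With "genfscon rootfs", every inode on
# the kernel's rootfs gets one fixed context that restorecon/setfiles cannot
# change; with "fs_use_xattr rootfs", the label is stored in the
# security.selinux xattr, so the tree can be relabeled. The check below tells
# you which of the two a policy source tree still carries.

# Constructed policy fragments (reference-policy style), not copied from any
# real policy. Note: genfscon lines carry no trailing ';', fs_use_xattr lines do.
SAMPLE_BEFORE='# kernel.te (constructed): rootfs labeled statically
genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);'

SAMPLE_AFTER='# kernel.te (constructed): rootfs switched to xattr labeling
# genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
fs_use_xattr rootfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);'

# Read policy source on stdin, ignore '#' comments, and print one word:
#   genfscon  - rootfs is labeled by a genfscon rule (cannot be relabeled)
#   xattr     - rootfs is labeled via fs_use_xattr (relabeling works)
#   both      - both statements present; the policy needs cleanup
#   none      - rootfs labeling is not declared in this input at all
rootfs_labeling_mode() {
    # strip comments and collapse whitespace runs to single spaces
    stripped=$(sed -e 's/#.*$//' -e 's/[[:space:]][[:space:]]*/ /g')
    has_genfs=0
    has_xattr=0
    if printf '%s\n' "$stripped" | grep -q '^ *genfscon rootfs '; then
        has_genfs=1
    fi
    if printf '%s\n' "$stripped" | grep -q '^ *fs_use_xattr rootfs '; then
        has_xattr=1
    fi
    case "$has_genfs$has_xattr" in
        10) echo genfscon ;;
        01) echo xattr ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# Live-system helper for the caveat in the thread: fs_use_xattr only helps if
# the filesystem behind rootfs actually stores xattrs (tmpfs does; plain ramfs
# is a different story). GNU stat's '%T' prints the type name of the
# filesystem holding the given path.
root_fstype() {
    stat -f -c %T "${1:-/}"
}

# Usage: run the check over the constructed samples; pass a real .te file as
# the first argument to check your own policy source.
printf '%s\n' "$SAMPLE_BEFORE" | rootfs_labeling_mode   # genfscon
printf '%s\n' "$SAMPLE_AFTER"  | rootfs_labeling_mode   # xattr
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    rootfs_labeling_mode < "$1"
fi
```

Running the check over a whole policy tree is a matter of `cat policy/modules/kernel/*.te | sh this_script.sh` style piping, or of passing one file as the argument; a result of "genfscon" means relabeling the root will silently do nothing, and "both" means the rule was added without the old one being removed.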
