From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: Matthew Weber <matthew.weber@rockwellcollins.com>,
Christophe Vu-Brugier <cvubrugier@fastmail.fm>,
Fabrice Fontaine <fontaine.fabrice@gmail.com>,
buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1] package/drbd-utils: add SELinux module
Date: Wed, 28 Jul 2021 21:45:46 +0200
Message-ID: <20210728194546.GF3189549@scaer>
In-Reply-To: <20210726141522.38012b89@windsurf>
Thomas, All,
+Matt, our resident SELinux expert ;-]
On 2021-07-26 14:15 +0200, Thomas Petazzoni spake thusly:
> On Mon, 26 Jul 2021 10:21:31 +0200
> Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
>
> > Support for drbd-utils is added by the services/drbd module in the
> > SELinux refpolicy.
> >
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> > ---
> > package/drbd-utils/drbd-utils.mk | 1 +
> > 1 file changed, 1 insertion(+)
>
> I have a question: are you testing/using all these packages in an
> SELinux context ?
That is exactly what I was pointing out with our addition of the
handling of the SELinux refpolicy in our package infrastructure.
On one side, either we consider that the refpolicy is authoritative and
represents the state of the art of the SELinux policy for packages, in
which case we can "blindly" add SELinux metadata to our packages, or...
on the other side, I fail to see how a generic policy can be applied to
a specialised product, where constraints vary wildly from the "server
world" where refpolicy and SELinux originate from, and even vary wildly
between different specialised products, in which case basing our SELinux
handling in our infra on refpolicy does not make much sense.
So, it is my understanding that we decided that the refpolicy was to be
seen as the gold-standard of a policy, from which customised, local
policies would be derived, and as such we could safely use the refpolicy
modules on the assumption that a local policy would also have them...
And as such, we can just batch-apply Fabrice's patches on the topic.
But I am not an expert in SELinux, so... Maybe an SELinux expert (Matt?)
could chime in and explain a bit? Please? ;-)
Regards,
Yann E. MORIN.
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@busybox.net
http://lists.busybox.net/mailman/listinfo/buildroot