* [Buildroot] [PATCH 00/12] SELinux: Basic config enforcing mode support.
@ 2023-10-12 10:31 Adam Duskett
From: Adam Duskett @ 2023-10-12 10:31 UTC (permalink / raw)
To: buildroot
Cc: Adam Duskett, Marek Belisko, Antoine Tenart, Sen Hastings,
Norbert Lange, Yann E . MORIN
SELinux support in Buildroot is currently outstanding! However, one last major
issue remains: Enforcing mode needs to work out of the box correctly, without
denials, at least with a minimal defconfig.
This patch series seeks to remedy this problem with a basic set of policies in
several commonly selected packages to allow a user who wishes to use SELinux in
enforcing mode the ability to do so without having to spend several hours
writing the same policy that everyone who wishes to do the same thing would
have to do.
The packages I have selected are based on the pc_x86_64_bios_defconfig with all
of the selinux packages selected because it was the most straightforward option
I had to create a small, bootable system in Virtual Manager with ssh support to
quickly build out a policy that didn't generate any denials in
/var/log/audit.log.
I want to address Yann's questions from a previous discussion on IRC:
Q) What will be the maintenance effort?
A) Minimal after this patch series. As you will see, most policies are only a
few lines long!
Q) How much time will we invest when we bump a package or add a dependency?
A) Usually none! If a package bump/new dependency requires new permissions to
the SELinux policy, this is a good thing! We should step back and question
why a package previously accessing only files and libraries suddenly needs
to, for example, change permissions on a /dev/ device!
Note: This series depends on the following pending patches:
https://patchwork.ozlabs.org/project/buildroot/patch/20231009161817.2832969-1-adam.duskett@amarulasolutions.com/
https://patchwork.ozlabs.org/project/buildroot/patch/20231009143440.1776155-1-adam.duskett@amarulasolutions.com/
https://patchwork.ozlabs.org/project/buildroot/patch/20231009170428.2836853-1-adam.duskett@amarulasolutions.com/
Thank you for considering and reviewing this series!
Adam
Adam Duskett (12):
package/refpolicy/selinux: Add buildroot base policy
package/busybox/selinux: Add buildroot busybox policy
package/sysvinit/selinux: Add buildroot sysvinit policy
package/systemd/selinux: Add buildroot systemd selinux policy
package/openssh/selinux: Add buildroot openssh policy
package/audit/selinux: Add buildroot audit policy
package/polkit/selinux: Add buildroot polkit policy
package/restorecond/selinux: Add buildroot restorecond policy
package/acpid/selinux: Add buildroot acpid policy
package/network-manager/selinux: Add buildroot network-manager policy
package/iptables/selinux: Add buildroot iptables policy
package/kmod/selinux: Add buildroot kmod policy
DEVELOPERS | 12 ++++
package/acpid/selinux/buildroot-acpid.fc | 0
package/acpid/selinux/buildroot-acpid.if | 1 +
package/acpid/selinux/buildroot-acpid.te | 10 +++
package/audit/selinux/buildroot-audit.fc | 0
package/audit/selinux/buildroot-audit.if | 1 +
package/audit/selinux/buildroot-audit.te | 13 ++++
package/busybox/selinux/buildroot-busybox.fc | 1 +
package/busybox/selinux/buildroot-busybox.if | 1 +
package/busybox/selinux/buildroot-busybox.te | 16 +++++
.../iptables/selinux/buildroot-iptables.fc | 0
.../iptables/selinux/buildroot-iptables.if | 1 +
.../iptables/selinux/buildroot-iptables.te | 5 ++
package/kmod/selinux/buildroot-kmod.fc | 0
package/kmod/selinux/buildroot-kmod.if | 1 +
package/kmod/selinux/buildroot-kmod.te | 4 ++
.../selinux/buildroot-network-manager.fc | 0
.../selinux/buildroot-network-manager.if | 1 +
.../selinux/buildroot-network-manager.te | 4 ++
package/openssh/selinux/buildroot-openssh.fc | 0
package/openssh/selinux/buildroot-openssh.if | 1 +
package/openssh/selinux/buildroot-openssh.te | 23 +++++++
package/polkit/selinux/buildroot-polkit.fc | 0
package/polkit/selinux/buildroot-polkit.if | 1 +
package/polkit/selinux/buildroot-polkit.te | 5 ++
package/refpolicy/selinux/buildroot.fc | 0
package/refpolicy/selinux/buildroot.if | 1 +
package/refpolicy/selinux/buildroot.te | 67 +++++++++++++++++++
.../selinux/buildroot-restorecond.fc | 0
.../selinux/buildroot-restorecond.if | 1 +
.../selinux/buildroot-restorecond.te | 13 ++++
package/systemd/selinux/buildroot-systemd.fc | 0
package/systemd/selinux/buildroot-systemd.if | 1 +
package/systemd/selinux/buildroot-systemd.te | 66 ++++++++++++++++++
.../sysvinit/selinux/buildroot-sysvinit.fc | 0
.../sysvinit/selinux/buildroot-sysvinit.if | 1 +
.../sysvinit/selinux/buildroot-sysvinit.te | 8 +++
37 files changed, 259 insertions(+)
create mode 100644 package/acpid/selinux/buildroot-acpid.fc
create mode 100644 package/acpid/selinux/buildroot-acpid.if
create mode 100644 package/acpid/selinux/buildroot-acpid.te
create mode 100644 package/audit/selinux/buildroot-audit.fc
create mode 100644 package/audit/selinux/buildroot-audit.if
create mode 100644 package/audit/selinux/buildroot-audit.te
create mode 100644 package/busybox/selinux/buildroot-busybox.fc
create mode 100644 package/busybox/selinux/buildroot-busybox.if
create mode 100644 package/busybox/selinux/buildroot-busybox.te
create mode 100644 package/iptables/selinux/buildroot-iptables.fc
create mode 100644 package/iptables/selinux/buildroot-iptables.if
create mode 100644 package/iptables/selinux/buildroot-iptables.te
create mode 100644 package/kmod/selinux/buildroot-kmod.fc
create mode 100644 package/kmod/selinux/buildroot-kmod.if
create mode 100644 package/kmod/selinux/buildroot-kmod.te
create mode 100644 package/network-manager/selinux/buildroot-network-manager.fc
create mode 100644 package/network-manager/selinux/buildroot-network-manager.if
create mode 100644 package/network-manager/selinux/buildroot-network-manager.te
create mode 100644 package/openssh/selinux/buildroot-openssh.fc
create mode 100644 package/openssh/selinux/buildroot-openssh.if
create mode 100644 package/openssh/selinux/buildroot-openssh.te
create mode 100644 package/polkit/selinux/buildroot-polkit.fc
create mode 100644 package/polkit/selinux/buildroot-polkit.if
create mode 100644 package/polkit/selinux/buildroot-polkit.te
create mode 100644 package/refpolicy/selinux/buildroot.fc
create mode 100644 package/refpolicy/selinux/buildroot.if
create mode 100644 package/refpolicy/selinux/buildroot.te
create mode 100644 package/restorecond/selinux/buildroot-restorecond.fc
create mode 100644 package/restorecond/selinux/buildroot-restorecond.if
create mode 100644 package/restorecond/selinux/buildroot-restorecond.te
create mode 100644 package/systemd/selinux/buildroot-systemd.fc
create mode 100644 package/systemd/selinux/buildroot-systemd.if
create mode 100644 package/systemd/selinux/buildroot-systemd.te
create mode 100644 package/sysvinit/selinux/buildroot-sysvinit.fc
create mode 100644 package/sysvinit/selinux/buildroot-sysvinit.if
create mode 100644 package/sysvinit/selinux/buildroot-sysvinit.te
--
2.41.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
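As an added example for this thread (not code from the patch series, from Buildroot or from audit2allow), the following Python script does what the cover letter describes doing by hand: it collects AVC denials from audit.log, merges them into allow rules in the same "#============= domain ==============" layout as the .te files in the series, and flags rules aimed at generic or unlabeled target types, which usually indicate a missing file context rather than a missing permission. The audit lines are constructed samples.

```python
"""Turn AVC denials into candidate refpolicy allow rules and flag the ones
that point at labelling gaps rather than missing permissions.

This is an added example for this thread, not code from the patch series,
from Buildroot or from audit2allow. The audit lines are constructed samples.
"""
import re
from collections import defaultdict

# Constructed sample of /var/log/audit.log content (not from the author's VM).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1697106000.101:42): avc:  denied  { open read } for  pid=311 comm="getty" path="/dev/ttyS0" dev="devtmpfs" ino=12 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1697106000.102:43): avc:  denied  { write } for  pid=311 comm="getty" path="/dev/ttyS0" dev="devtmpfs" ino=12 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1697106000.250:44): avc:  denied  { execute } for  pid=400 comm="sh" path="/usr/bin/foo" dev="vda1" ino=99 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1697106000.300:45): avc:  denied  { search } for  pid=410 comm="chkpwd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:chkpwd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
type=USER_LOGIN msg=audit(1697106000.400:46): pid=420 uid=0 auid=0 ses=1 msg='op=login id=0 exe="/usr/sbin/sshd" res=success'
"""

# Pulls the permission set, source domain, target type and object class out of
# one AVC record. Contexts are user:role:type:level, so the type is the third
# colon-separated field; the level may itself contain ':' (MLS ranges), hence \S+.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=\S+?:\S+?:(?P<sdom>\w+):\S+\s+"
    r"tcontext=\S+?:\S+?:(?P<ttype>\w+):\S+\s+"
    r"tclass=(?P<tclass>\w+)"
)

# Catch-all types. A denial against one of these almost always means the
# object never received its proper label (empty .fc, no restorecon at boot),
# so the fix belongs in file contexts, not in an allow rule.
GENERIC_TYPES = {"device_t", "tmpfs_t", "tmp_t", "var_t", "var_run_t",
                 "root_t", "unlabeled_t", "usr_t", "etc_t"}
EXEC_PERMS = {"execute", "execute_no_trans", "entrypoint"}


def parse_denials(log_text):
    """Return {(source_domain, target_type, tclass): set(perms)} for all AVC
    denials in log_text; non-AVC records are ignored."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["sdom"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(rules)


def render_te(rules):
    """Emit allow rules grouped per source domain, in the
    '#============= domain ==============' layout used by the series' .te files."""
    by_domain = defaultdict(list)
    for (sdom, ttype, tclass), perms in sorted(rules.items()):
        by_domain[sdom].append((ttype, tclass, sorted(perms)))
    out = []
    for sdom, entries in by_domain.items():
        out.append(f"#============= {sdom} ==============")
        for ttype, tclass, perms in entries:
            perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
            out.append(f"allow {sdom} {ttype}:{tclass} {perm_txt};")
        out.append("")
    return "\n".join(out).rstrip("\n")


def lint_rules(rules):
    """Flag candidate rules that should be solved by labelling instead.
    Execute rights on unlabeled_t are rated HIGH: they let the domain run any
    file that has lost its label, which defeats the point of enforcing mode."""
    findings = []
    for (sdom, ttype, tclass), perms in sorted(rules.items()):
        if ttype == "unlabeled_t" and perms & EXEC_PERMS:
            findings.append(f"HIGH: {sdom} may execute unlabeled_t:{tclass}; "
                            "relabel the filesystem instead of allowing this")
        elif ttype in GENERIC_TYPES:
            findings.append(f"WARN: {sdom} -> {ttype}:{tclass} {sorted(perms)}; "
                            "add a file context for the object and restorecon it")
    return findings


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_AUDIT_LOG)
    print(render_te(denials))
    print()
    for finding in lint_rules(denials):
        print(finding)
```

Run against a real audit.log, the WARN lines are the rules worth pushing back on before they are committed to a .te file.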
* [Buildroot] [PATCH 01/12] package/refpolicy/selinux: Add buildroot base policy
From: Adam Duskett @ 2023-10-12 10:31 UTC (permalink / raw)
To: buildroot
Cc: Adam Duskett, Marek Belisko, Antoine Tenart, Sen Hastings,
Norbert Lange, Yann E . MORIN
This policy is the first of several that support running Buildroot in
enforcing mode without any denials. It is a generic set of Buildroot-specific
permissions that are tied to the refpolicy modules enabled when a user
selects the upstream version of refpolicy.
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
DEVELOPERS | 1 +
package/refpolicy/selinux/buildroot.fc | 0
package/refpolicy/selinux/buildroot.if | 1 +
package/refpolicy/selinux/buildroot.te | 67 ++++++++++++++++++++++++++
4 files changed, 69 insertions(+)
create mode 100644 package/refpolicy/selinux/buildroot.fc
create mode 100644 package/refpolicy/selinux/buildroot.if
create mode 100644 package/refpolicy/selinux/buildroot.te
diff --git a/DEVELOPERS b/DEVELOPERS
index 3fffc4346c..e863d06535 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -37,6 +37,7 @@ F: package/flutter-engine/
F: package/flutter-gallery/
F: package/flutter-pi/
F: package/flutter-sdk-bin/
+F: package/refpolicy/selinux/
F: support/testing/tests/package/test_flutter.py
N: Adam Heinrich <adam@adamh.cz>
diff --git a/package/refpolicy/selinux/buildroot.fc b/package/refpolicy/selinux/buildroot.fc
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/package/refpolicy/selinux/buildroot.if b/package/refpolicy/selinux/buildroot.if
new file mode 100644
index 0000000000..acf797e604
--- /dev/null
+++ b/package/refpolicy/selinux/buildroot.if
@@ -0,0 +1 @@
+## <summary>Buildroot rules</summary>
diff --git a/package/refpolicy/selinux/buildroot.te b/package/refpolicy/selinux/buildroot.te
new file mode 100644
index 0000000000..1e004452ae
--- /dev/null
+++ b/package/refpolicy/selinux/buildroot.te
@@ -0,0 +1,67 @@
+policy_module(buildroot, 1.0.0)
+
+#============= chkpwd_t ==============
+allow chkpwd_t tmpfs_t:dir search;
+
+#============= getty_t ==============
+allow getty_t device_t:chr_file { getattr ioctl open read setattr write };
+allow getty_t getty_runtime_t:file watch;
+allow getty_t init_runtime_t:dir read;
+allow getty_t init_runtime_t:sock_file write;
+allow getty_t init_tmpfs_t:file { lock open read write };
+allow getty_t init_t:unix_stream_socket connectto;
+allow getty_t proc_t:filesystem getattr;
+allow getty_t sysctl_kernel_t:dir search;
+allow getty_t sysctl_kernel_t:file { open read };
+allow getty_t sysctl_t:dir search;
+allow getty_t tmpfs_t:dir search;
+allow getty_t var_t:lnk_file read;
+
+#============= local_login_t ==============
+allow local_login_t bin_t:file execute;
+allow local_login_t device_t:chr_file { ioctl open read relabelfrom relabelto write };
+allow local_login_t init_tmpfs_t:file { lock open read write };
+allow local_login_t proc_t:filesystem getattr;
+allow local_login_t var_log_t:file { create lock open read write };
+allow local_login_t var_run_t:dir { add_name write };
+allow local_login_t var_run_t:file { create lock open read write };
+
+#============= semanage_t ==============
+allow semanage_t tmpfs_t:dir search;
+
+#============= syslogd_t ==============
+allow syslogd_t device_t:chr_file { open read write };
+allow syslogd_t self:capability audit_control;
+allow syslogd_t self:netlink_audit_socket nlmsg_write;
+allow syslogd_t tmpfs_t:dir { add_name search write };
+allow syslogd_t tmpfs_t:file { append create getattr open };
+allow syslogd_t var_t:dir { add_name write };
+allow syslogd_t var_t:file { append create };
+allow syslogd_t var_t:lnk_file read;
+
+#============= sysadm_t ==============
+allow sysadm_t device_t:chr_file { ioctl open read write };
+allow sysadm_t kernel_t:fd use;
+allow sysadm_t kernel_t:system module_request;
+allow sysadm_t node_t:tcp_socket node_bind;
+allow sysadm_t self:capability { audit_control audit_write};
+allow sysadm_t self:netlink_audit_socket { nlmsg_read nlmsg_write };
+allow sysadm_t selinux_config_t:file watch;
+allow sysadm_t tmpfs_t:dir watch;
+allow sysadm_t unlabeled_t:file { execute map read };
+allow sysadm_t unlabeled_t:lnk_file read;
+allow sysadm_t var_t:dir watch;
+
+#============= klogd_t ==============
+allow klogd_t device_t:chr_file { read write };
+allow klogd_t selinux_config_t:dir search;
+
+#============= ifconfig_t ==============
+allow ifconfig_t device_t:chr_file { getattr ioctl read write };
+allow ifconfig_t proc_t:filesystem getattr;
+allow ifconfig_t root_t:chr_file { read write };
+allow ifconfig_t sysctl_kernel_t:dir search;
+allow ifconfig_t sysctl_kernel_t:file { open read };
+
+#============= kernel_t ==============
+allow kernel_t sysadm_t:process transition;
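Review bot: Most rules in this hunk grant access to catch-all types rather than to the types refpolicy expects: device_t:chr_file for getty_t, local_login_t, syslogd_t, sysadm_t, klogd_t and ifconfig_t; tmpfs_t, var_t and var_run_t for several domains; var_log_t:file create/write for local_login_t; and `allow sysadm_t unlabeled_t:file { execute map read };`. Denials against these types usually mean the objects were never labelled (device nodes should be tty_device_t, null_device_t and so on; the login records under /var/log have their own wtmp_t/lastlog_t types), so with buildroot.fc empty in this patch, fixing file contexts and relabelling /dev and /var at boot would remove most of these allows, and execute on unlabeled_t for sysadm_t in particular should go, since it lets the administrator domain run any file that has lost its label. Two smaller points: the module references types it does not declare (getty_t, init_t, sysadm_t, ...) without a gen_require block, which only works if the policy is built monolithically, and `{ audit_control audit_write}` is missing a space before the closing brace.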
--
2.41.0
* [Buildroot] [PATCH 02/12] package/busybox/selinux: Add buildroot busybox policy
From: Adam Duskett @ 2023-10-12 10:31 UTC (permalink / raw)
To: buildroot
Cc: Adam Duskett, Marek Belisko, Antoine Tenart, Sen Hastings,
Norbert Lange, Yann E . MORIN
This is a minimal SELinux policy required to run busybox in enforcing mode
without denials. It is based on the applets that Buildroot selects by
default.
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
DEVELOPERS | 1 +
package/busybox/selinux/buildroot-busybox.fc | 1 +
package/busybox/selinux/buildroot-busybox.if | 1 +
package/busybox/selinux/buildroot-busybox.te | 16 ++++++++++++++++
4 files changed, 19 insertions(+)
create mode 100644 package/busybox/selinux/buildroot-busybox.fc
create mode 100644 package/busybox/selinux/buildroot-busybox.if
create mode 100644 package/busybox/selinux/buildroot-busybox.te
diff --git a/DEVELOPERS b/DEVELOPERS
index e863d06535..c206f5262f 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -32,6 +32,7 @@ F: package/vulkan-loader/
F: package/vulkan-tools/
N: Adam Duskett <adam.duskett@amarulasolutions.com>
+F: package/busybox/selinux/
F: package/depot-tools/
F: package/flutter-engine/
F: package/flutter-gallery/
diff --git a/package/busybox/selinux/buildroot-busybox.fc b/package/busybox/selinux/buildroot-busybox.fc
new file mode 100644
index 0000000000..6785e466f3
--- /dev/null
+++ b/package/busybox/selinux/buildroot-busybox.fc
@@ -0,0 +1 @@
+/lib/libbusybox* -- gen_context(system_u:object_r:lib_t,s0)
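Review bot: The file-context pattern `/lib/libbusybox*` is a regular expression, not a shell glob, and setfiles anchors it at both ends, so it only matches `/lib/libbusybo` followed by zero or more `x` characters and never matches `/lib/libbusybox.so.1.x.y`; it should read `/lib/libbusybox.*` (or `/lib/libbusybox\.so.*`). Since Buildroot roots usually have /lib as a symlink into /usr/lib, a matching `/usr/lib/libbusybox.*` entry is probably needed as well.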
diff --git a/package/busybox/selinux/buildroot-busybox.if b/package/busybox/selinux/buildroot-busybox.if
new file mode 100644
index 0000000000..60ea4b190d
--- /dev/null
+++ b/package/busybox/selinux/buildroot-busybox.if
@@ -0,0 +1 @@
+## <summary>Buildroot busybox rules</summary>
diff --git a/package/busybox/selinux/buildroot-busybox.te b/package/busybox/selinux/buildroot-busybox.te
new file mode 100644
index 0000000000..e7d0f510b9
--- /dev/null
+++ b/package/busybox/selinux/buildroot-busybox.te
@@ -0,0 +1,16 @@
+policy_module(buildroot-busybox, 1.0.0)
+
+#============= init_tmpfs_t ==============
+allow init_tmpfs_t self:file { lock open read write };
+
+#============= getty_t ==============
+allow getty_t local_login_t:file { lock open read write };
+allow getty_t local_login_t:process { noatsecure rlimitinh siginh };
+allow getty_t security_t:filesystem getattr;
+allow getty_t selinux_config_t:dir search;
+
+#============= local_login_t ==============
+allow local_login_t device_t:chr_file { getattr setattr };
+allow local_login_t shadow_t:file { getattr open read };
+allow local_login_t sysadm_t:process { noatsecure siginh rlimitinh };
+
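Review bot: `allow init_tmpfs_t self:file { lock open read write };` has a file type as the subject, which can never be the context of a running process, so the rule cannot match anything; it looks like an audit2allow artefact from a denial whose scontext was itself mislabelled, and the cause of that (a process that ended up running as init_tmpfs_t) should be found rather than the rule kept. `allow local_login_t shadow_t:file { getattr open read };` would be better expressed through refpolicy's auth_read_shadow() interface so that the domain is covered by the shadow-access attribute and its neverallow checks. The file also ends with a trailing blank line.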
--
2.41.0
* [Buildroot] [PATCH 03/12] package/sysvinit/selinux: Add buildroot sysvinit policy
From: Adam Duskett @ 2023-10-12 10:32 UTC (permalink / raw)
To: buildroot
Cc: Adam Duskett, Marek Belisko, Antoine Tenart, Sen Hastings,
Norbert Lange, Yann E . MORIN
This policy is required to run systems with sysvinit in enforcing mode without
denials.
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
DEVELOPERS | 1 +
package/sysvinit/selinux/buildroot-sysvinit.fc | 0
package/sysvinit/selinux/buildroot-sysvinit.if | 1 +
package/sysvinit/selinux/buildroot-sysvinit.te | 8 ++++++++
4 files changed, 10 insertions(+)
create mode 100644 package/sysvinit/selinux/buildroot-sysvinit.fc
create mode 100644 package/sysvinit/selinux/buildroot-sysvinit.if
create mode 100644 package/sysvinit/selinux/buildroot-sysvinit.te
diff --git a/DEVELOPERS b/DEVELOPERS
index c206f5262f..36108715bf 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -39,6 +39,7 @@ F: package/flutter-gallery/
F: package/flutter-pi/
F: package/flutter-sdk-bin/
F: package/refpolicy/selinux/
+F: package/sysvinit/selinux/
F: support/testing/tests/package/test_flutter.py
N: Adam Heinrich <adam@adamh.cz>
diff --git a/package/sysvinit/selinux/buildroot-sysvinit.fc b/package/sysvinit/selinux/buildroot-sysvinit.fc
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/package/sysvinit/selinux/buildroot-sysvinit.if b/package/sysvinit/selinux/buildroot-sysvinit.if
new file mode 100644
index 0000000000..2b8195dfe3
--- /dev/null
+++ b/package/sysvinit/selinux/buildroot-sysvinit.if
@@ -0,0 +1 @@
+## <summary>Buildroot sysvinit rules</summary>
diff --git a/package/sysvinit/selinux/buildroot-sysvinit.te b/package/sysvinit/selinux/buildroot-sysvinit.te
new file mode 100644
index 0000000000..58c3e14580
--- /dev/null
+++ b/package/sysvinit/selinux/buildroot-sysvinit.te
@@ -0,0 +1,8 @@
+policy_module(buildroot-sysvinit, 1.0.0)
+
+#============= getty_t ==============
+allow getty_t tmpfs_t:dir { add_name write };
+allow getty_t tmpfs_t:file { create lock open read write };
+
+#============= local_login_t ==============
+allow local_login_t tmpfs_t:file { lock open read write };
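Review bot: These rules let getty_t create files and both getty_t and local_login_t write plain files directly under the generic tmpfs_t label, which is what an unlabelled tmpfs mount such as /run carries before it is relabelled; the intended targets are presumably the utmp-style login records, which refpolicy labels with their own types. As with the base module, a file-context entry plus a restorecon of /run at boot would remove the need for write access to the generic type; buildroot-sysvinit.fc is empty in this patch.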
--
2.41.0
* [Buildroot] [PATCH 04/12] package/systemd/selinux: Add buildroot systemd selinux policy
From: Adam Duskett @ 2023-10-12 10:32 UTC (permalink / raw)
To: buildroot
Cc: Adam Duskett, Marek Belisko, Antoine Tenart, Sen Hastings,
Norbert Lange, Yann E . MORIN
Systemd requires quite a few extra permissions not provided by the refpolicy
systemd module to function properly in enforcing mode without denials. This is
based on Maxime Chevallier's previous work found here:
https://patchwork.ozlabs.org/project/buildroot/patch/20210107135307.1762186-3-maxime.chevallier@bootlin.com/
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
DEVELOPERS | 1 +
package/systemd/selinux/buildroot-systemd.fc | 0
package/systemd/selinux/buildroot-systemd.if | 1 +
package/systemd/selinux/buildroot-systemd.te | 66 ++++++++++++++++++++
4 files changed, 68 insertions(+)
create mode 100644 package/systemd/selinux/buildroot-systemd.fc
create mode 100644 package/systemd/selinux/buildroot-systemd.if
create mode 100644 package/systemd/selinux/buildroot-systemd.te
diff --git a/DEVELOPERS b/DEVELOPERS
index 36108715bf..e49960f572 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -39,6 +39,7 @@ F: package/flutter-gallery/
F: package/flutter-pi/
F: package/flutter-sdk-bin/
F: package/refpolicy/selinux/
+F: package/systemd/selinux/
F: package/sysvinit/selinux/
F: support/testing/tests/package/test_flutter.py
diff --git a/package/systemd/selinux/buildroot-systemd.fc b/package/systemd/selinux/buildroot-systemd.fc
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/package/systemd/selinux/buildroot-systemd.if b/package/systemd/selinux/buildroot-systemd.if
new file mode 100644
index 0000000000..7c56777c32
--- /dev/null
+++ b/package/systemd/selinux/buildroot-systemd.if
@@ -0,0 +1 @@
+## <summary>Buildroot systemd rules</summary>
diff --git a/package/systemd/selinux/buildroot-systemd.te b/package/systemd/selinux/buildroot-systemd.te
new file mode 100644
index 0000000000..8d6dee99cf
--- /dev/null
+++ b/package/systemd/selinux/buildroot-systemd.te
@@ -0,0 +1,66 @@
+policy_module(buildroot-systemd, 1.0.0)
+
+#============= sysadm_t ==============
+allow sysadm_t init_t:fd use;
+
+#============= system_dbusd_t ==============
+allow system_dbusd_t init_t:unix_stream_socket connectto;
+
+#============= systemd_generator_t ==============
+allow systemd_generator_t locale_t:dir search;
+allow systemd_generator_t locale_t:file { getattr open read };
+allow systemd_generator_t locale_t:lnk_file read;
+allow systemd_generator_t self:capability dac_override;
+allow systemd_generator_t self:process setfscreate;
+allow systemd_generator_t selinux_config_t:dir { getattr search };
+allow systemd_generator_t tty_device_t:chr_file { ioctl open read write };
+
+#============= systemd_homed_t ==============
+allow systemd_homed_t self:unix_stream_socket listen;
+allow systemd_homed_t selinux_config_t:dir search;
+
+#============= systemd_hw_t ==============
+# allow systemd_hw_t init_runtime_t:dir search;
+
+#============= systemd_journal_init_t ==============
+allow systemd_journal_init_t self:capability net_admin;
+allow systemd_journal_init_t selinux_config_t:dir { getattr search };
+
+#============= systemd_networkd_t ==============
+allow systemd_networkd_t net_conf_t:dir { getattr open read search };
+allow systemd_networkd_t selinux_config_t:dir { getattr search };
+allow systemd_networkd_t selinux_config_t:dir search;
+allow systemd_networkd_t system_dbusd_runtime_t:dir read;
+allow systemd_networkd_t system_dbusd_runtime_t:sock_file read;
+allow systemd_networkd_t var_run_t:dir read;
+
+#============= systemd_resolved_t ==============
+allow systemd_resolved_t system_dbusd_runtime_t:dir read;
+allow systemd_resolved_t system_dbusd_runtime_t:sock_file read;
+allow systemd_resolved_t var_run_t:dir read;
+
+#============= systemd_sessions_t ==============
+allow systemd_sessions_t self:capability net_admin;
+
+#============= systemd_sysctl_t ==============
+allow systemd_sysctl_t selinux_config_t:dir { getattr search };
+
+#============= systemd_sysusers_t ==============
+allow systemd_sysusers_t self:capability net_admin;
+
+#============= systemd_tmpfiles_t ==============
+allow systemd_tmpfiles_t auditd_log_t:dir { create getattr open read relabelfrom relabelto };
+allow systemd_tmpfiles_t etc_t:dir relabelfrom;
+allow systemd_tmpfiles_t etc_t:file { relabelfrom relabelto };
+allow systemd_tmpfiles_t init_t:unix_stream_socket connectto;
+allow systemd_tmpfiles_t ssh_home_t:dir { getattr relabelfrom relabelto };
+allow systemd_tmpfiles_t system_dbusd_var_lib_t:dir read;
+allow systemd_tmpfiles_t systemd_journal_t:lnk_file { read getattr relabelfrom relabelto };
+allow systemd_tmpfiles_t user_home_dir_t:dir { getattr search relabelfrom relabelto };
+allow systemd_tmpfiles_t user_home_t:dir { getattr search relabelfrom relabelto };
+allow systemd_tmpfiles_t usr_t:dir read;
+allow systemd_tmpfiles_t usr_t:file { open read };
+allow systemd_tmpfiles_t var_spool_t:dir create;
+
+#============= systemd_update_done_t ==============
+allow systemd_update_done_t self:capability net_admin;
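Review bot: `allow systemd_networkd_t selinux_config_t:dir search;` duplicates the `{ getattr search }` rule on the line above it and can be dropped, and the commented-out systemd_hw_t rule leaves an empty section: either remove it or say why it is kept. The four `self:capability net_admin` grants (journal_init, sessions, sysusers, update_done) are most likely triggered by systemd trying to force a larger socket buffer, which it tolerates being refused; refpolicy usually covers that with a dontaudit rather than an allow, so consider dontaudit unless a real failure was observed. The systemd_tmpfiles_t block grants relabelfrom/relabelto on etc_t, user_home_dir_t and user_home_t, a broad relabel right for a daemon driven by tmpfiles.d fragments, so it is worth recording which fragment needs it.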
--
2.41.0
* [Buildroot] [PATCH 05/12] package/openssh/selinux: Add buildroot openssh policy
From: Adam Duskett @ 2023-10-12 10:32 UTC (permalink / raw)
To: buildroot
Cc: Adam Duskett, Marek Belisko, Antoine Tenart, Sen Hastings,
Norbert Lange, Yann E . MORIN
This is a basic policy necessary for OpenSSH to work properly in enforcing
mode without any denials.
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
DEVELOPERS | 1 +
package/openssh/selinux/buildroot-openssh.fc | 0
package/openssh/selinux/buildroot-openssh.if | 1 +
package/openssh/selinux/buildroot-openssh.te | 23 ++++++++++++++++++++
4 files changed, 25 insertions(+)
create mode 100644 package/openssh/selinux/buildroot-openssh.fc
create mode 100644 package/openssh/selinux/buildroot-openssh.if
create mode 100644 package/openssh/selinux/buildroot-openssh.te
diff --git a/DEVELOPERS b/DEVELOPERS
index e49960f572..a90f453261 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -38,6 +38,7 @@ F: package/flutter-engine/
F: package/flutter-gallery/
F: package/flutter-pi/
F: package/flutter-sdk-bin/
+F: package/openssh/selinux/
F: package/refpolicy/selinux/
F: package/systemd/selinux/
F: package/sysvinit/selinux/
diff --git a/package/openssh/selinux/buildroot-openssh.fc b/package/openssh/selinux/buildroot-openssh.fc
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/package/openssh/selinux/buildroot-openssh.if b/package/openssh/selinux/buildroot-openssh.if
new file mode 100644
index 0000000000..1969c20a4b
--- /dev/null
+++ b/package/openssh/selinux/buildroot-openssh.if
@@ -0,0 +1 @@
+## <summary>Buildroot openssh rules</summary>
diff --git a/package/openssh/selinux/buildroot-openssh.te b/package/openssh/selinux/buildroot-openssh.te
new file mode 100644
index 0000000000..5dc8945c3e
--- /dev/null
+++ b/package/openssh/selinux/buildroot-openssh.te
@@ -0,0 +1,23 @@
+policy_module(buildroot-openssh, 1.0.0)
+
+#============= sshd_t ==============
+allow sshd_t device_t:chr_file { getattr open read write };
+allow sshd_t kernel_t:fd use;
+allow sshd_t root_t:chr_file { read write };
+allow sshd_t sysadm_t:process { noatsecure rlimitinh siginh };
+allow sshd_t sysadm_t:process transition;
+allow sshd_t var_t:lnk_file read;
+
+#============= ssh_keygen_t ==============
+allow ssh_keygen_t cert_t:dir search;
+allow ssh_keygen_t cert_t:file { getattr open read };
+allow ssh_keygen_t device_t:chr_file { open read write };
+allow ssh_keygen_t kernel_t:fd use;
+allow ssh_keygen_t root_t:chr_file { getattr ioctl read write };
+allow ssh_keygen_t security_t:filesystem getattr;
+allow ssh_keygen_t selinux_config_t:dir search;
+allow ssh_keygen_t tmpfs_t:dir search;
+
+#============= restorecond_t ==============
+allow restorecond_t ssh_home_t:dir watch;
+
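Review bot: `allow restorecond_t ssh_home_t:dir watch;` belongs in the restorecond module (patch 08) rather than here, since the subject is restorecond_t; keeping rules with the domain that performs the access keeps the per-package policies easy to reason about. `allow sshd_t sysadm_t:process transition;` together with the noatsecure/rlimitinh/siginh line sends every ssh login straight into sysadm_t; refpolicy normally drives that through default_contexts and the userdom interfaces, and any less privileged login domain would need equivalent rules. The `root_t:chr_file { read write }` rules for sshd_t and ssh_keygen_t point at a device node labelled root_t, which is a labelling problem (devtmpfs not relabelled) rather than a policy one. The file also ends with a trailing blank line.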
--
2.41.0
* [Buildroot] [PATCH 06/12] package/audit/selinux: Add buildroot audit policy
From: Adam Duskett @ 2023-10-12 10:32 UTC (permalink / raw)
To: buildroot
Cc: Adam Duskett, Marek Belisko, Antoine Tenart, Sen Hastings,
Norbert Lange, Yann E . MORIN
This is a basic policy necessary for audit to work properly in enforcing mode
without any denials.
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
DEVELOPERS | 1 +
package/audit/selinux/buildroot-audit.fc | 0
package/audit/selinux/buildroot-audit.if | 1 +
package/audit/selinux/buildroot-audit.te | 13 +++++++++++++
4 files changed, 15 insertions(+)
create mode 100644 package/audit/selinux/buildroot-audit.fc
create mode 100644 package/audit/selinux/buildroot-audit.if
create mode 100644 package/audit/selinux/buildroot-audit.te
diff --git a/DEVELOPERS b/DEVELOPERS
index a90f453261..5f4b7320ba 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -32,6 +32,7 @@ F: package/vulkan-loader/
F: package/vulkan-tools/
N: Adam Duskett <adam.duskett@amarulasolutions.com>
+F: package/audit/selinux/
F: package/busybox/selinux/
F: package/depot-tools/
F: package/flutter-engine/
diff --git a/package/audit/selinux/buildroot-audit.fc b/package/audit/selinux/buildroot-audit.fc
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/package/audit/selinux/buildroot-audit.if b/package/audit/selinux/buildroot-audit.if
new file mode 100644
index 0000000000..2a739a1113
--- /dev/null
+++ b/package/audit/selinux/buildroot-audit.if
@@ -0,0 +1 @@
+## <summary>Buildroot audit rules</summary>
diff --git a/package/audit/selinux/buildroot-audit.te b/package/audit/selinux/buildroot-audit.te
new file mode 100644
index 0000000000..3cac330d30
--- /dev/null
+++ b/package/audit/selinux/buildroot-audit.te
@@ -0,0 +1,13 @@
+policy_module(buildroot-audit, 1.0.0)
+
+#============= auditd_t ==============
+allow auditd_t auditd_etc_t:file map;
+allow auditd_t device_t:chr_file { open read write };
+allow auditd_t kernel_t:fd use;
+allow auditd_t root_t:chr_file { read write };
+allow auditd_t selinux_config_t:dir search;
+allow auditd_t tmpfs_t:dir { remove_name add_name search write };
+allow auditd_t tmpfs_t:file { create open write unlink };
+allow auditd_t tmp_t:dir { add_name getattr open read search setattr write };
+allow auditd_t tmp_t:file { append create setattr getattr read open };
+allow auditd_t var_t:lnk_file read;
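Review bot: The tmp_t and tmpfs_t rules let auditd_t create, write and unlink files under the generic /tmp and tmpfs labels; auditd's own state normally lives in its runtime directory, which refpolicy labels with an auditd-specific type, so needing write access to generic tmp types suggests either that directory is missing its context or that an audisp plugin is writing somewhere unexpected. Since buildroot-audit.fc is empty in this patch, a file-context entry would be the cleaner fix. The `root_t:chr_file { read write }` rule is the same mislabelled-device symptom as in the openssh module.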
--
2.41.0
* [Buildroot] [PATCH 07/12] package/polkit/selinux: Add buildroot polkit policy
From: Adam Duskett @ 2023-10-12 10:32 UTC (permalink / raw)
To: buildroot
Cc: Adam Duskett, Marek Belisko, Antoine Tenart, Sen Hastings,
Norbert Lange, Yann E . MORIN
This is a basic policy necessary for polkit to work properly in enforcing mode
without any denials.
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
DEVELOPERS | 1 +
package/polkit/selinux/buildroot-polkit.fc | 0
package/polkit/selinux/buildroot-polkit.if | 1 +
package/polkit/selinux/buildroot-polkit.te | 5 +++++
4 files changed, 7 insertions(+)
create mode 100644 package/polkit/selinux/buildroot-polkit.fc
create mode 100644 package/polkit/selinux/buildroot-polkit.if
create mode 100644 package/polkit/selinux/buildroot-polkit.te
diff --git a/DEVELOPERS b/DEVELOPERS
index 5f4b7320ba..f7506da57a 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -40,6 +40,7 @@ F: package/flutter-gallery/
F: package/flutter-pi/
F: package/flutter-sdk-bin/
F: package/openssh/selinux/
+F: package/polkit/selinux/
F: package/refpolicy/selinux/
F: package/systemd/selinux/
F: package/sysvinit/selinux/
diff --git a/package/polkit/selinux/buildroot-polkit.fc b/package/polkit/selinux/buildroot-polkit.fc
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/package/polkit/selinux/buildroot-polkit.if b/package/polkit/selinux/buildroot-polkit.if
new file mode 100644
index 0000000000..8db3562fa5
--- /dev/null
+++ b/package/polkit/selinux/buildroot-polkit.if
@@ -0,0 +1 @@
+## <summary>Buildroot polkit rules</summary>
diff --git a/package/polkit/selinux/buildroot-polkit.te b/package/polkit/selinux/buildroot-polkit.te
new file mode 100644
index 0000000000..3cc244868c
--- /dev/null
+++ b/package/polkit/selinux/buildroot-polkit.te
@@ -0,0 +1,5 @@
+policy_module(buildroot-polkit, 1.0.0)
+
+#============= policykit_t ==============
+allow policykit_t security_t:filesystem getattr;
+allow policykit_t selinux_config_t:dir search;
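Review bot: these two rules are the generic libselinux probe (statfs of selinuxfs plus a lookup under /etc/selinux) rather than anything polkit-specific, so they should be written with the interfaces refpolicy provides for exactly that, selinux_getattr_fs(policykit_t) and seutil_read_config(policykit_t) (or a search-only rule if the directory lookup is all polkit needs), instead of raw allows on security_t and selinux_config_t. It is also worth checking whether polkit works correctly when the probe is simply denied; if it does, a dontaudit on these two accesses silences the denial without widening the policy at all.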
--
2.41.0
* [Buildroot] [PATCH 08/12] package/restorecond/selinux: Add buildroot restorecond policy
From: Adam Duskett @ 2023-10-12 10:32 UTC (permalink / raw)
To: buildroot
Cc: Adam Duskett, Marek Belisko, Antoine Tenart, Sen Hastings,
Norbert Lange, Yann E . MORIN
This is a basic policy necessary for restorecond to work properly in enforcing
mode without any denials.
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
DEVELOPERS | 1 +
.../restorecond/selinux/buildroot-restorecond.fc | 0
.../restorecond/selinux/buildroot-restorecond.if | 1 +
.../restorecond/selinux/buildroot-restorecond.te | 13 +++++++++++++
4 files changed, 15 insertions(+)
create mode 100644 package/restorecond/selinux/buildroot-restorecond.fc
create mode 100644 package/restorecond/selinux/buildroot-restorecond.if
create mode 100644 package/restorecond/selinux/buildroot-restorecond.te
diff --git a/DEVELOPERS b/DEVELOPERS
index f7506da57a..5082448b56 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -42,6 +42,7 @@ F: package/flutter-sdk-bin/
F: package/openssh/selinux/
F: package/polkit/selinux/
F: package/refpolicy/selinux/
+F: package/restorecond/selinux/
F: package/systemd/selinux/
F: package/sysvinit/selinux/
F: support/testing/tests/package/test_flutter.py
diff --git a/package/restorecond/selinux/buildroot-restorecond.fc b/package/restorecond/selinux/buildroot-restorecond.fc
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/package/restorecond/selinux/buildroot-restorecond.if b/package/restorecond/selinux/buildroot-restorecond.if
new file mode 100644
index 0000000000..cec6d9d9a4
--- /dev/null
+++ b/package/restorecond/selinux/buildroot-restorecond.if
@@ -0,0 +1 @@
+## <summary>Buildroot restorecond rules</summary>
diff --git a/package/restorecond/selinux/buildroot-restorecond.te b/package/restorecond/selinux/buildroot-restorecond.te
new file mode 100644
index 0000000000..382e4c8f54
--- /dev/null
+++ b/package/restorecond/selinux/buildroot-restorecond.te
@@ -0,0 +1,13 @@
+policy_module(buildroot-restorecond, 1.0.0)
+
+#============= restorecond_t ==============
+allow restorecond_t device_t:chr_file { open read write };
+allow restorecond_t etc_t:dir watch;
+allow restorecond_t file_context_t:file { open read };
+allow restorecond_t selinux_config_t:file watch;
+allow restorecond_t tmpfs_t:dir { remove_name write watch };
+allow restorecond_t tmpfs_t:file { append getattr open lock read write unlink };
+allow restorecond_t user_home_dir_t:dir watch;
+allow restorecond_t var_log_t:dir watch;
+allow restorecond_t var_run_t:dir watch;
+allow restorecond_t var_t:dir watch;
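Review bot: the tmpfs_t rules (`allow restorecond_t tmpfs_t:file { append getattr open lock read write unlink };` and the remove_name/write on tmpfs_t:dir) say restorecond is creating and deleting its PID file in an unlabeled tmpfs, which is a labeling problem rather than a policy gap: refpolicy's selinuxutil module already defines restorecond_var_run_t with a transition from var_run_t, but that transition only fires when /run actually carries var_run_t, i.e. when the tmpfs is relabeled after mount. Fixing that removes the need to let restorecond manage arbitrary tmpfs_t files. The watch permissions on etc_t, var_t, var_log_t, var_run_t and user_home_dir_t directories follow the paths listed in restorecond.conf and are the one genuinely restorecond-specific part of this module; a comment saying so would help the next reader, and expressing them through the files_* and userdom_* interfaces rather than raw allows would keep them working if upstream attributes those types. The device_t:chr_file { open read write } rule has the same root cause as in the audit module (an unrelabeled device node) and should go away with the relabel.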
--
2.41.0
* [Buildroot] [PATCH 09/12] package/acpid/selinux: Add buildroot acpid policy
From: Adam Duskett @ 2023-10-12 10:32 UTC (permalink / raw)
To: buildroot
Cc: Adam Duskett, Marek Belisko, Antoine Tenart, Sen Hastings,
Norbert Lange, Yann E . MORIN
This is a basic policy necessary for acpid to work properly in enforcing
mode without any denials.
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
DEVELOPERS | 1 +
package/acpid/selinux/buildroot-acpid.fc | 0
package/acpid/selinux/buildroot-acpid.if | 1 +
package/acpid/selinux/buildroot-acpid.te | 10 ++++++++++
4 files changed, 12 insertions(+)
create mode 100644 package/acpid/selinux/buildroot-acpid.fc
create mode 100644 package/acpid/selinux/buildroot-acpid.if
create mode 100644 package/acpid/selinux/buildroot-acpid.te
diff --git a/DEVELOPERS b/DEVELOPERS
index 5082448b56..695738c4a9 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -32,6 +32,7 @@ F: package/vulkan-loader/
F: package/vulkan-tools/
N: Adam Duskett <adam.duskett@amarulasolutions.com>
+F: package/acpid/selinux/
F: package/audit/selinux/
F: package/busybox/selinux/
F: package/depot-tools/
diff --git a/package/acpid/selinux/buildroot-acpid.fc b/package/acpid/selinux/buildroot-acpid.fc
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/package/acpid/selinux/buildroot-acpid.if b/package/acpid/selinux/buildroot-acpid.if
new file mode 100644
index 0000000000..b2b568a823
--- /dev/null
+++ b/package/acpid/selinux/buildroot-acpid.if
@@ -0,0 +1 @@
+## <summary>Buildroot acpid rules</summary>
diff --git a/package/acpid/selinux/buildroot-acpid.te b/package/acpid/selinux/buildroot-acpid.te
new file mode 100644
index 0000000000..dd10e65c42
--- /dev/null
+++ b/package/acpid/selinux/buildroot-acpid.te
@@ -0,0 +1,10 @@
+policy_module(buildroot-acpid, 1.0.0)
+
+#============= acpid_t ==============
+allow acpid_t device_t:chr_file { read open write ioctl };
+allow acpid_t kernel_t:fd use;
+allow acpid_t root_t:chr_file { read write open ioctl };
+allow acpid_t tmpfs_t:dir { add_name write remove_name };
+allow acpid_t tmpfs_t:file { create open write unlink };
+allow acpid_t tmpfs_t:sock_file create;
+
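Review bot: the file ends with a stray blank line after the last rule; drop it. On substance, `allow acpid_t tmpfs_t:sock_file create;` together with the tmpfs_t dir/file rules means acpid's socket and PID file are being created in an unlabeled tmpfs instead of acpid_var_run_t, so the same /run relabel the other modules need would make these rules unnecessary. `allow acpid_t root_t:chr_file { read write open ioctl };` grants ioctl on any character device that still carries the root filesystem's label: if the node in question is the console, term_use_console(acpid_t) is the intended interface; if it is an input or ACPI event device, it needs its own label in the .fc (which this patch adds empty) rather than an allow on root_t. The kernel_t:fd use rule should be kernel_use_fds(acpid_t).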
--
2.41.0
* [Buildroot] [PATCH 10/12] package/network-manager/selinux: Add buildroot network-manager policy
From: Adam Duskett @ 2023-10-12 10:32 UTC (permalink / raw)
To: buildroot
Cc: Adam Duskett, Marek Belisko, Antoine Tenart, Sen Hastings,
Norbert Lange, Yann E . MORIN
This is a basic policy necessary for network-manager to work properly in
enforcing mode without any denials.
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
DEVELOPERS | 1 +
package/network-manager/selinux/buildroot-network-manager.fc | 0
package/network-manager/selinux/buildroot-network-manager.if | 1 +
package/network-manager/selinux/buildroot-network-manager.te | 4 ++++
4 files changed, 6 insertions(+)
create mode 100644 package/network-manager/selinux/buildroot-network-manager.fc
create mode 100644 package/network-manager/selinux/buildroot-network-manager.if
create mode 100644 package/network-manager/selinux/buildroot-network-manager.te
diff --git a/DEVELOPERS b/DEVELOPERS
index 695738c4a9..05b4be1830 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -40,6 +40,7 @@ F: package/flutter-engine/
F: package/flutter-gallery/
F: package/flutter-pi/
F: package/flutter-sdk-bin/
+F: package/network-manager/selinux/
F: package/openssh/selinux/
F: package/polkit/selinux/
F: package/refpolicy/selinux/
diff --git a/package/network-manager/selinux/buildroot-network-manager.fc b/package/network-manager/selinux/buildroot-network-manager.fc
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/package/network-manager/selinux/buildroot-network-manager.if b/package/network-manager/selinux/buildroot-network-manager.if
new file mode 100644
index 0000000000..2f33fa0b81
--- /dev/null
+++ b/package/network-manager/selinux/buildroot-network-manager.if
@@ -0,0 +1 @@
+## <summary>Buildroot network-manager rules</summary>
diff --git a/package/network-manager/selinux/buildroot-network-manager.te b/package/network-manager/selinux/buildroot-network-manager.te
new file mode 100644
index 0000000000..ce5180494c
--- /dev/null
+++ b/package/network-manager/selinux/buildroot-network-manager.te
@@ -0,0 +1,4 @@
+policy_module(buildroot-network-manager, 1.0.0)
+
+#============= NetworkManager_t ==============
+allow NetworkManager_t tmpfs_t:sock_file write;
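Review bot: a write on tmpfs_t:sock_file is too broad to merge as-is: it lets NetworkManager send to any unix socket that sits in an unlabeled tmpfs, not just the one it needs. The denial almost certainly comes from a socket under /run (the D-Bus system bus socket or a syslog socket) that would carry its own type (system_dbusd_var_run_t or devlog_t in refpolicy) if /run were relabeled after mount, and the upstream networkmanager module already grants NetworkManager_t access to those via dbus_system_bus_client() and logging_send_syslog_msg(). Please identify the socket from the path= field of the denial and fix its label instead of adding this rule, or at minimum record the path in a comment so the rule can be removed once labeling is sorted out.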
--
2.41.0
* [Buildroot] [PATCH 11/12] package/iptables/selinux: Add buildroot iptables policy
From: Adam Duskett @ 2023-10-12 10:32 UTC (permalink / raw)
To: buildroot
Cc: Adam Duskett, Marek Belisko, Antoine Tenart, Sen Hastings,
Norbert Lange, Yann E . MORIN
This is a basic policy necessary for iptables to work properly in enforcing
mode without any denials.
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
DEVELOPERS | 1 +
package/iptables/selinux/buildroot-iptables.fc | 0
package/iptables/selinux/buildroot-iptables.if | 1 +
package/iptables/selinux/buildroot-iptables.te | 5 +++++
4 files changed, 7 insertions(+)
create mode 100644 package/iptables/selinux/buildroot-iptables.fc
create mode 100644 package/iptables/selinux/buildroot-iptables.if
create mode 100644 package/iptables/selinux/buildroot-iptables.te
diff --git a/DEVELOPERS b/DEVELOPERS
index 05b4be1830..cfa0095969 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -40,6 +40,7 @@ F: package/flutter-engine/
F: package/flutter-gallery/
F: package/flutter-pi/
F: package/flutter-sdk-bin/
+F: package/iptables/selinux/
F: package/network-manager/selinux/
F: package/openssh/selinux/
F: package/polkit/selinux/
diff --git a/package/iptables/selinux/buildroot-iptables.fc b/package/iptables/selinux/buildroot-iptables.fc
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/package/iptables/selinux/buildroot-iptables.if b/package/iptables/selinux/buildroot-iptables.if
new file mode 100644
index 0000000000..cb7e08744e
--- /dev/null
+++ b/package/iptables/selinux/buildroot-iptables.if
@@ -0,0 +1 @@
+## <summary>Buildroot iptables rules</summary>
diff --git a/package/iptables/selinux/buildroot-iptables.te b/package/iptables/selinux/buildroot-iptables.te
new file mode 100644
index 0000000000..37107749ea
--- /dev/null
+++ b/package/iptables/selinux/buildroot-iptables.te
@@ -0,0 +1,5 @@
+policy_module(buildroot-iptables, 1.0.0)
+
+#============= iptables_t ==============
+allow iptables_t root_t:chr_file { read write };
+
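Review bot: drop the trailing blank line at the end of the file. The one rule, `allow iptables_t root_t:chr_file { read write };`, has no open permission, so it is an inherited descriptor, presumably stdout/stderr on a console that still carries the root filesystem's label; that is a labeling problem (the console should be console_device_t once /dev is relabeled), and iptables does not need to write to it to function. The refpolicy way to handle a leaked descriptor like this is a dontaudit (term_dontaudit_use_console(iptables_t) for a properly labeled console), not an allow on root_t, which would let iptables read and write any device node that remains mislabeled.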
--
2.41.0
* [Buildroot] [PATCH 12/12] package/kmod/selinux: Add buildroot kmod policy
From: Adam Duskett @ 2023-10-12 10:32 UTC (permalink / raw)
To: buildroot
Cc: Adam Duskett, Marek Belisko, Antoine Tenart, Sen Hastings,
Norbert Lange, Yann E . MORIN
This is a basic policy necessary for kmod to work properly in enforcing mode
without any denials.
Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
DEVELOPERS | 1 +
package/kmod/selinux/buildroot-kmod.fc | 0
package/kmod/selinux/buildroot-kmod.if | 1 +
package/kmod/selinux/buildroot-kmod.te | 4 ++++
4 files changed, 6 insertions(+)
create mode 100644 package/kmod/selinux/buildroot-kmod.fc
create mode 100644 package/kmod/selinux/buildroot-kmod.if
create mode 100644 package/kmod/selinux/buildroot-kmod.te
diff --git a/DEVELOPERS b/DEVELOPERS
index cfa0095969..879aa96361 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -41,6 +41,7 @@ F: package/flutter-gallery/
F: package/flutter-pi/
F: package/flutter-sdk-bin/
F: package/iptables/selinux/
+F: package/kmod/selinux/
F: package/network-manager/selinux/
F: package/openssh/selinux/
F: package/polkit/selinux/
diff --git a/package/kmod/selinux/buildroot-kmod.fc b/package/kmod/selinux/buildroot-kmod.fc
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/package/kmod/selinux/buildroot-kmod.if b/package/kmod/selinux/buildroot-kmod.if
new file mode 100644
index 0000000000..fd978bf190
--- /dev/null
+++ b/package/kmod/selinux/buildroot-kmod.if
@@ -0,0 +1 @@
+## <summary>Buildroot kmod rules</summary>
diff --git a/package/kmod/selinux/buildroot-kmod.te b/package/kmod/selinux/buildroot-kmod.te
new file mode 100644
index 0000000000..c06b81345d
--- /dev/null
+++ b/package/kmod/selinux/buildroot-kmod.te
@@ -0,0 +1,4 @@
+policy_module(buildroot-kmod, 1.0.0)
+
+#============= kmod_t ==============
+allow kmod_t proc_t:filesystem getattr;
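Review bot: use the interface for this rather than a raw allow on proc_t: refpolicy's kernel module exports kernel_getattr_proc(kmod_t) for a statfs() on /proc, and writing it that way keeps the rule valid if proc_t gains or loses attributes upstream. Since this is the only rule in the module, a comment recording the comm= and the operation from the denial would let a future reader tell whether the need still exists after a kmod bump.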
--
2.41.0
* Re: [Buildroot] [PATCH 00/12] SELinux: Basic config enforcing mode support.
From: Thomas Petazzoni via buildroot @ 2023-11-08 20:55 UTC (permalink / raw)
To: Adam Duskett
Cc: Marek Belisko, Antoine Tenart, Sen Hastings, Maxime Chevallier,
buildroot, Norbert Lange, Yann E . MORIN
Hello Adam,
On Thu, 12 Oct 2023 12:31:57 +0200
Adam Duskett <adam.duskett@amarulasolutions.com> wrote:
> SELinux support in Buildroot is currently outstanding! However, one last major
> issue remains: Enforcing mode needs to work out of the box correctly, without
> denials, at least with a minimal defconfig.
>
> This patch series seeks to remedy this problem with a basic set of policies in
> several commonly selected packages to allow a user who wishes to use SELinux in
> enforcing mode the ability to do so without having to spend several hours
> writing the same policy that everyone who wishes to do the same thing would
> have to do.
>
> The packages I have selected are based on the pc_x86_64_bios_defconfig with all
> of the selinux packages selected because it was the most straightforward option
> I had to create a small, bootable system in Virtual Manager with ssh support to
> quickly build out a policy that didn't generate any denials in
> /var/log/audit.log.
>
> I want to address Yann's questions from a previous discussion on IRC:
> Q) What will be the maintenance effort?
> A) Minimal after this patch series. As you will see, most policies are only a
> few lines long!
>
> Q) How much time will we invest when we bump a package or add a dependency?
> A) Usually none! If a package bump/new dependency requires new permissions to
> the SELinux policy, this is a good thing! We should step back and question
> why a package previously accessing only files and libraries suddenly needs
> to (e.g.), change permissions on a /dev/ device!
Thanks a lot for working on this.
However, I'd like to understand why these policy files need to be in
Buildroot. For example, you're adding some policy for OpenSSH. But
Buildroot just builds upstream OpenSSH with no change. Why do we need
some policy specifically in Buildroot for OpenSSH that cannot be in
upstream refpolicy?
Back when Antoine Ténart (whom you have in Cc) was working on this,
and also my colleague Maxime Chevallier (whom I have added in Cc),
their plan was to make it possible to use the upstream refpolicy for a
Buildroot system, by contributing changes to the refpolicy (and they
contributed quite a few).
Why are we not continuing on this approach?
Or is your policy a "from scratch" policy that can be used as a
complete alternative to the upstream refpolicy?
(Note: we will clearly want a runtime test case for this.)
Best regards,
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
* Re: [Buildroot] [PATCH 00/12] SELinux: Basic config enforcing mode support.
From: Adam Duskett @ 2023-11-10 16:49 UTC (permalink / raw)
To: Thomas Petazzoni
Cc: Adam Duskett, Marek Belisko, Antoine Tenart, Sen Hastings,
Maxime Chevallier, buildroot, Norbert Lange, Yann E . MORIN
Hey Thomas, sorry for the late reply!

Refpolicy itself is just that, a reference policy. Quite a few gaps are
missing with several packages.

In fact, Fedora/RHEL have their own policy based on the refpolicy package
found here: https://github.com/fedora-selinux/selinux-policy because
refpolicy itself is not adequate for a complete system in enforcing mode.

Also note that the yocto selinux layer went another route and patches
refpolicy instead of providing separate selinux policy files.

To summarize: These are necessary because refpolicy is not complete nor
suitable for a system running in enforcing mode.
* Re: [Buildroot] [PATCH 00/12] SELinux: Basic config enforcing mode support.
From: Arnout Vandecappelle via buildroot @ 2023-11-10 19:39 UTC (permalink / raw)
To: Adam Duskett, Thomas Petazzoni
Cc: Adam Duskett, Marek Belisko, Antoine Tenart, Sen Hastings,
Maxime Chevallier, buildroot, Norbert Lange, Yann E . MORIN
On 10/11/2023 17:49, Adam Duskett wrote:
> Hey Thomas, sorry for the late reply!
>
> Refpolicy itself is just that, a reference policy.
If refpolicy only provides a reference policy, how can Buildroot do any
better? We don't do any weird things with packages, so any policy that is
applicable to Buildroot is applicable to everyone.
> Quite a few gaps are missing
> with several packages.
> In fact, Fedora/RHEL have their own policy based on the refpolicy package found
> here:
> https://github.com/fedora-selinux/selinux-policy
> <https://github.com/fedora-selinux/selinux-policy> because refpolicy itself is
> not adequate for a complete
> system in enforcing mode.
The basic question is: if there is anything we need to change, why would such
a change not be acceptable for upstream refpolicy?
Also, how come our SELinux runtime tests don't fail if the upstream refpolicy
doesn't work?
> Also note, that the yocto selinux layer went another route and patches refpolicy
> instead of providing separate
> selinux policy files.
That seems like a much saner approach - I'd expect the diff to be pretty
small. Also, I expect that any changes that yocto needs to make, we need to do
as well - which is all the more reason to upstream them!
> To summarize: These are necessary because refpolicy is not complete nor suitable
> for a system running in
> enforcing mode.
Why does upstream refpolicy provide a "reference" that is not suitable for
actual use?
Now, I know next to nothing about SELinux, so I may be missing something
glaringly obvious. Please consider all of the above questions as honest
questions, not as snide remarks.
Regards,
Arnout
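Arnout asks why the existing SELinux runtime tests do not fail when the upstream refpolicy is unusable, and Thomas notes that a runtime test will be wanted. A test that boots the image in enforcing mode can only assert on what /var/log/audit.log contains, so the useful first step is parsing the AVC records and separating denials that genuinely call for a policy rule from denials whose target carries a catch-all type (tmpfs_t, root_t, device_t and the like), which point at a mislabeled object rather than a missing permission. The Python below is an added example written for this review; it is not code from the Buildroot series, from refpolicy, or from any of the posters. The audit records in it are constructed to resemble real denials, and the GENERIC_TYPES set is this example's own assumption about which refpolicy types are catch-all labels.

```python
"""Triage SELinux AVC denials before turning them into allow rules.

Added example, not code from the Buildroot series or from refpolicy. The
audit records below are constructed to look like /var/log/audit.log lines a
minimal system in enforcing mode might produce; GENERIC_TYPES is this
example's assumption about which refpolicy types are catch-all labels.
"""
import re
from collections import defaultdict

# A denial whose *target* carries one of these types usually means the object
# is mislabeled (a PID file on an unrelabeled /run tmpfs, a console node that
# kept the root filesystem's label), not that the domain genuinely needs
# access to every tmpfs_t or root_t object on the system. Assumed list.
GENERIC_TYPES = {"tmpfs_t", "device_t", "root_t", "unlabeled_t", "tmp_t", "var_t"}

# Matches the permission set and the three context fields of an AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample log (not captured from a real system).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1697106000.120:44): arch=c000003e syscall=257 success=no exit=-13 comm="auditd"
type=AVC msg=audit(1697106000.121:45): avc:  denied  { read write } for  pid=201 comm="auditd" path="/dev/console" dev="rootfs" ino=12 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1697106000.122:46): avc:  denied  { map } for  pid=201 comm="auditd" path="/etc/audit/audit.rules" dev="vda1" ino=3311 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:auditd_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1697106001.005:47): avc:  denied  { create } for  pid=230 comm="acpid" name="acpid.socket" scontext=system_u:system_r:acpid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1697106001.006:48): avc:  denied  { write } for  pid=230 comm="acpid" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:acpid_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1697106002.300:49): avc:  denied  { getattr } for  pid=240 comm="modprobe" name="/" dev="proc" ino=1 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=0
"""


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # A security context is user:role:type[:range]; index 2 is the type.
    return {
        "perms": set(m.group("perms").split()),
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def render_rule(stype, ttype, tclass, perms):
    """Format one allow rule in .te syntax, merging the permission set."""
    if len(perms) == 1:
        body = next(iter(perms))
    else:
        body = "{ " + " ".join(sorted(perms)) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"


def classify(lines):
    """Split denials into (allow_rules, labeling_issues).

    allow_rules     - sorted .te lines for targets that have a specific type
    labeling_issues - sorted warnings for targets with a catch-all type, which
                      should be fixed with a file context / relabel instead
    """
    merged = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    rules, issues = [], []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        if ttype in GENERIC_TYPES:
            issues.append(
                f"{stype} -> {ttype}:{tclass} {sorted(perms)}: "
                "target is a catch-all type; label the object instead of allowing"
            )
        else:
            rules.append(render_rule(stype, ttype, tclass, perms))
    return rules, issues


def enforcing_clean(lines):
    """Pass/fail for a runtime test: True only if the log has no AVC denials."""
    return not any(parse_avc(line) for line in lines)


if __name__ == "__main__":
    found_rules, found_issues = classify(SAMPLE_LOG.splitlines())
    print("\n".join(found_rules))
    print("\n".join(found_issues))
    print("clean:", enforcing_clean(SAMPLE_LOG.splitlines()))
```

Run against the constructed log, only the auditd_etc_t and proc_t denials come out as candidate allow rules; the root_t console and the tmpfs_t socket/directory denials are reported as labeling problems, which is the distinction the review notes on the individual patches rely on. A runtime test would feed the real audit.log through enforcing_clean() and fail on any denial, then use classify() on the failure output to tell the two kinds apart.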
* Re: [Buildroot] [PATCH 00/12] SELinux: Basic config enforcing mode support.
From: Adam Duskett @ 2023-11-10 20:54 UTC (permalink / raw)
To: Arnout Vandecappelle
Cc: Adam Duskett, Marek Belisko, Antoine Tenart, Sen Hastings,
Maxime Chevallier, Thomas Petazzoni, buildroot, Norbert Lange,
Yann E . MORIN
Hello Arnout:

To answer your questions:

Q) If there is anything we need to change, why would such a change not be
acceptable for upstream refpolicy?
A) I am but one person, and I don't have time to submit all the small
changes for refpolicy.

Q) How come our SELinux runtime tests don't fail if the upstream refpolicy
doesn't work?
A) Our tests are not performed in enforcing mode.

Q) That seems like a much saner approach - I'd expect the diff to be pretty
small. Also, I expect that we need to make any changes that Yocto needs to
make as well - which is all the more reason to upstream them!
A) https://github.com/ni/meta-selinux/tree/nilrt/master/kirkstone/recipes-security/refpolicy/refpolicy
There are currently 74 patches to refpolicy they have made. All of them
have been submitted upstream and all of them have been deemed Inappropriate
[embedded specific]. So not only is the diff not small, it would be enormous
compared to this patch series.

Q) Why does upstream refpolicy provide a "reference" that is not suitable
for actual use?
A) Ask them! It's quite frustrating! Even RHEL/Fedora does not use
refpolicy, but instead, a fork they made!

Thanks!
Adam
On Fri, Nov 10, 2023 at 12:40 PM Arnout Vandecappelle <arnout@mind.be>
wrote:
>
>
> On 10/11/2023 17:49, Adam Duskett wrote:
> > Hey Thomas, sorry for the late reply!
> >
> > Refpolicy itself is just that, a reference policy.
>
> If refpolicy only provides a reference policy, how can Buildroot do any
> better? We don't do any weird things with packages, so any policy that is
> applicable to Buildroot is applicable to everyone.
>
> > Quite a few gaps are missing with several packages.
> > In fact, Fedora/RHEL have their own policy based on the refpolicy package
> > found here: https://github.com/fedora-selinux/selinux-policy because
> > refpolicy itself is not adequate for a complete system in enforcing mode.
>
> The basic question is: if there is anything we need to change, why would
> such a change not be acceptable for upstream refpolicy?
>
> Also, how come our SELinux runtime tests don't fail if the upstream
> refpolicy doesn't work?
>
> > Also note, that the yocto selinux layer went another route and patches
> > refpolicy instead of providing separate selinux policy files.
>
> That seems like a much saner approach - I'd expect the diff to be pretty
> small. Also, I expect that any changes that yocto needs to make, we need
> to do as well - which is all the more reason to upstream them!
>
> > To summarize: These are necessary because refpolicy is not complete nor
> > suitable for a system running in enforcing mode.
>
> Why does upstream refpolicy provide a "reference" that is not suitable for
> actual use?
>
> Note I know next to nothing about SELinux, I may be missing something
> glaringly obvious. Please consider all of the above questions as honest
> questions, not as snide remarks.
>
> Regards,
> Arnout
>
> >
> > On Wed, Nov 8, 2023 at 1:55 PM Thomas Petazzoni via buildroot
> > <buildroot@buildroot.org> wrote:
> >
> > Hello Adam,
> >
> > On Thu, 12 Oct 2023 12:31:57 +0200
> > Adam Duskett <adam.duskett@amarulasolutions.com> wrote:
> >
> > > SELinux support in Buildroot is currently outstanding! However, one last
> > > major issue remains: Enforcing mode needs to work out of the box
> > > correctly, without denials, at least with a minimal defconfig.
> > >
> > > This patch series seeks to remedy this problem with a basic set of
> > > policies in several commonly selected packages to allow a user who wishes
> > > to use SELinux in enforcing mode the ability to do so without having to
> > > spend several hours writing the same policy that everyone who wishes to
> > > do the same thing would have to do.
> > >
> > > The packages I have selected are based on the pc_x86_64_bios_defconfig
> > > with all of the selinux packages selected because it was the most
> > > straightforward option I had to create a small, bootable system in
> > > Virtual Manager with ssh support to quickly build out a policy that
> > > didn't generate any denials in /var/log/audit.log.
> > >
> > > I want to address Yann's questions from a previous discussion on IRC:
> > > Q) What will be the maintenance effort?
> > > A) Minimal after this patch series. As you will see, most policies are
> > > only a few lines long!
> > >
> > > Q) How much time will we invest when we bump a package or add a
> > > dependency?
> > > A) Usually none! If a package bump/new dependency requires new
> > > permissions to the SELinux policy, this is a good thing! We should step
> > > back and question why a package previously accessing only files and
> > > libraries suddenly needs to (e.g.), change permissions on a /dev/ device!
> >
> > Thanks a lot for working on this.
> >
> > However, I'd like to understand why these policy files need to be in
> > Buildroot. For example, you're adding some policy for OpenSSH. But
> > Buildroot just builds upstream OpenSSH with no change. Why do we need
> > some policy specifically in Buildroot for OpenSSH that cannot be in
> > upstream refpolicy?
> >
> > Back when Antoine Ténart (whom you have in Cc) was working on this,
> > and also my colleague Maxime Chevallier (whom I have added in Cc),
> > their plan was to make it possible to use the upstream refpolicy for a
> > Buildroot system, by contributing changes to the refpolicy (and they
> > contributed quite a few).
> >
> > Why are we not continuing on this approach?
> >
> > Or is your policy a "from scratch" policy that can be used as a
> > complete alternative to the upstream refpolicy?
> >
> > (Note: we will clearly want a runtime test case for this.)
> >
> > Best regards,
> >
> > Thomas
> > --
> > Thomas Petazzoni, co-owner and CEO, Bootlin
> > Embedded Linux and Kernel engineering and training
> > https://bootlin.com
> > _______________________________________________
> > buildroot mailing list
> > buildroot@buildroot.org
> > https://lists.buildroot.org/mailman/listinfo/buildroot
>
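Adam's answer that the Buildroot runtime tests are not run in enforcing mode, together with the cover letter's criterion of a boot that produces no denials in /var/log/audit.log, points at the check such a test would want. The shell script below is an added example, not code from the patch series, from Buildroot or from refpolicy: it summarises AVC denials from an audit log into candidate allow rules (the kind of output audit2allow produces) and counts only the denials the kernel actually refused. It relies on the permissive= field the kernel appends to AVC records: a permissive-mode boot logs the same "denied" records, flagged permissive=1, so a test that merely greps for "denied" cannot tell the two modes apart. The audit records in SAMPLE_AUDIT_LOG are constructed for this example, and the function names avc_to_allow, count_denials and enforcing_boot_clean are this example's own, not names from any audit tool.

```shell
#!/bin/sh
# Added example, not from the Buildroot patch series, Buildroot or refpolicy.
# Summarise SELinux AVC denials from an audit log and count the ones the
# kernel really refused, for use in an enforcing-mode runtime test.

# Constructed audit records for this example. The field layout follows the
# kernel's AVC audit format; the pids, paths, inodes and timestamps are made up.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1697113917.101:40): avc:  denied  { read open } for  pid=231 comm="sshd" name="sshd_config" dev="vda1" ino=1234 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1697113917.102:41): avc:  denied  { read } for  pid=231 comm="sshd" name="sshd_config" dev="vda1" ino=1234 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1697113918.500:42): avc:  denied  { setattr } for  pid=198 comm="udevd" name="ttyS0" dev="devtmpfs" ino=77 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1697113918.500:42): arch=c000003e syscall=90 success=no exit=-13 comm="udevd" exe="/sbin/udevd" subj=system_u:system_r:udev_t:s0 key=(null)
type=AVC msg=audit(1697113919.000:43): avc:  denied  { write } for  pid=300 comm="acpid" name="log" dev="vda1" ino=99 scontext=system_u:system_r:acpid_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1'

# Read audit records on stdin and print one candidate "allow" rule per
# (source type, target type, object class), merging the permissions seen
# across records. Output is sorted so it is stable for diffing and testing.
avc_to_allow() {
  awk '
    /avc: *denied/ {
      perms = $0
      sub(/.*denied *[{] */, "", perms)   # keep only the text inside the braces
      sub(/ *[}].*/, "", perms)
      s = t = c = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); s = a[3] }
        else if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); t = b[3] }
        else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
      }
      key = s " " t ":" c
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++)
        if (index(" " seen[key] " ", " " p[j] " ") == 0)
          seen[key] = (seen[key] == "") ? p[j] : seen[key] " " p[j]
    }
    END { for (k in seen) printf "allow %s { %s };\n", k, seen[k] }
  ' | sort
}

# Count AVC denials on stdin. With "enforced" as $1, count only records
# carrying permissive=0, i.e. accesses the kernel actually refused. A
# permissive-mode boot logs the same "denied" records with permissive=1,
# so a test that merely greps for "denied" cannot tell the two modes apart.
count_denials() {
  if [ "$1" = "enforced" ]; then
    grep -c 'avc:  *denied.*permissive=0' || true
  else
    grep -c 'avc:  *denied' || true
  fi
}

# Pass/fail check for a runtime test: $1 is the audit log file, $2 the mode
# as reported by getenforce (passed in rather than queried, so this runs
# offline). Succeeds only for an Enforcing boot with zero refused accesses.
enforcing_boot_clean() {
  [ "$2" = "Enforcing" ] || return 1
  [ "$(count_denials enforced < "$1")" = "0" ]
}

# Demonstration on the constructed log.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_to_allow
printf 'all denials: %s, refused in enforcing mode: %s\n' \
  "$(printf '%s\n' "$SAMPLE_AUDIT_LOG" | count_denials)" \
  "$(printf '%s\n' "$SAMPLE_AUDIT_LOG" | count_denials enforced)"
```

The rules this prints are candidates to review, not lines to paste into a policy module: in the constructed log, udev_t asking for setattr on a tty device is exactly the kind of new access the cover letter says should be questioned rather than allowed, and a .te module would additionally need the matching require block, which this script does not generate.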
Thread overview: 17+ messages
2023-10-12 10:31 [Buildroot] [PATCH 00/12] SELinux: Basic config enforcing mode support Adam Duskett
2023-10-12 10:31 ` [Buildroot] [PATCH 01/12] package/refpolicy/selinux: Add buildroot base policy Adam Duskett
2023-10-12 10:31 ` [Buildroot] [PATCH 02/12] package/busybox/selinux: Add buildroot busybox policy Adam Duskett
2023-10-12 10:32 ` [Buildroot] [PATCH 03/12] package/sysvinit/selinux: Add buildroot sysvinit policy Adam Duskett
2023-10-12 10:32 ` [Buildroot] [PATCH 04/12] package/systemd/selinux: Add buildroot systemd selinux policy Adam Duskett
2023-10-12 10:32 ` [Buildroot] [PATCH 05/12] package/openssh/selinux: Add buildroot openssh policy Adam Duskett
2023-10-12 10:32 ` [Buildroot] [PATCH 06/12] package/audit/selinux: Add buildroot audit policy Adam Duskett
2023-10-12 10:32 ` [Buildroot] [PATCH 07/12] package/polkit/selinux: Add buildroot polkit policy Adam Duskett
2023-10-12 10:32 ` [Buildroot] [PATCH 08/12] package/restorecond/selinux: Add buildroot restorecond policy Adam Duskett
2023-10-12 10:32 ` [Buildroot] [PATCH 09/12] package/acpid/selinux: Add buildroot acpid policy Adam Duskett
2023-10-12 10:32 ` [Buildroot] [PATCH 10/12] package/network-manager/selinux: Add buildroot network-manager policy Adam Duskett
2023-10-12 10:32 ` [Buildroot] [PATCH 11/12] package/iptables/selinux: Add buildroot iptables policy Adam Duskett
2023-10-12 10:32 ` [Buildroot] [PATCH 12/12] package/kmod/selinux: Add buildroot kmod policy Adam Duskett
2023-11-08 20:55 ` [Buildroot] [PATCH 00/12] SELinux: Basic config enforcing mode support Thomas Petazzoni via buildroot
2023-11-10 16:49 ` Adam Duskett
2023-11-10 19:39 ` Arnout Vandecappelle via buildroot
2023-11-10 20:54 ` Adam Duskett