[Buildroot] [PATCH 00/12] SELinux: Basic config enforcing mode support.

* [Buildroot] [PATCH 00/12] SELinux: Basic config enforcing mode support.
@ 2023-10-12 10:31 Adam Duskett
  2023-10-12 10:31 ` [Buildroot] [PATCH 01/12] package/refpolicy/selinux: Add buildroot base policy Adam Duskett
                   ` (12 more replies)
  0 siblings, 13 replies; 17+ messages in thread
From: Adam Duskett @ 2023-10-12 10:31 UTC (permalink / raw)
  To: buildroot
  Cc: Adam Duskett, Marek Belisko, Antoine Tenart, Sen Hastings,
	Norbert Lange, Yann E . MORIN

SELinux support in Buildroot is currently outstanding! However, one last major
issue remains: Enforcing mode needs to work out of the box correctly, without
denials, at least with a minimal defconfig.

This patch series seeks to remedy this problem with a basic set of policies in
several commonly selected packages to allow a user who wishes to use SELinux in
enforcing mode the ability to do so without having to spend several hours
writing the same policy that everyone who wishes to do the same thing would
have to do.

The packages I have selected are based on the pc_x86_64_bios_defconfig with all
of the selinux packages selected because it was the most straightforward option
I had to create a small, bootable system in Virtual Manager with ssh support to
quickly build out a policy that didn't generate any denials in
/var/log/audit.log.

I want to address Yann's questions from a previous discussion on IRC:
  Q) What will be the maintenance effort?
  A) Minimal after this patch series. As you will see, most policies are only a
     few lines long!

  Q) How much time will we invest when we bump a package or add a dependency?
  A) Usually none! If a package bump/new dependency requires new permissions to
     the SELinux policy, this is a good thing! We should step back and question
     why a package previously accessing only files and libraries suddenly needs
     to (e.g.), change permissions on a /dev/ device!

Note: This series depends on the following pending patches:
https://patchwork.ozlabs.org/project/buildroot/patch/20231009161817.2832969-1-adam.duskett@amarulasolutions.com/
https://patchwork.ozlabs.org/project/buildroot/patch/20231009143440.1776155-1-adam.duskett@amarulasolutions.com/
https://patchwork.ozlabs.org/project/buildroot/patch/20231009170428.2836853-1-adam.duskett@amarulasolutions.com/

Thank you for considering and reviewing this series!

Adam

Adam Duskett (12):
  package/refpolicy/selinux: Add buildroot base policy
  package/busybox/selinux: Add buildroot busybox policy
  package/sysvinit/selinux: Add buildroot sysvinit policy
  package/systemd/selinux: Add buildroot systemd selinux policy
  package/openssh/selinux: Add buildroot openssh policy
  package/audit/selinux: Add buildroot audit policy
  package/polkit/selinux: Add buildroot polkit policy
  package/restorecond/selinux: Add buildroot restorecond policy
  package/acpid/selinux: Add buildroot acpid policy
  package/network-manager/selinux: Add buildroot network-manager policy
  package/iptables/selinux: Add buildroot iptables policy
  package/kmod/selinux: Add buildroot kmod policy

 DEVELOPERS                                    | 12 ++++
 package/acpid/selinux/buildroot-acpid.fc      |  0
 package/acpid/selinux/buildroot-acpid.if      |  1 +
 package/acpid/selinux/buildroot-acpid.te      | 10 +++
 package/audit/selinux/buildroot-audit.fc      |  0
 package/audit/selinux/buildroot-audit.if      |  1 +
 package/audit/selinux/buildroot-audit.te      | 13 ++++
 package/busybox/selinux/buildroot-busybox.fc  |  1 +
 package/busybox/selinux/buildroot-busybox.if  |  1 +
 package/busybox/selinux/buildroot-busybox.te  | 16 +++++
 .../iptables/selinux/buildroot-iptables.fc    |  0
 .../iptables/selinux/buildroot-iptables.if    |  1 +
 .../iptables/selinux/buildroot-iptables.te    |  5 ++
 package/kmod/selinux/buildroot-kmod.fc        |  0
 package/kmod/selinux/buildroot-kmod.if        |  1 +
 package/kmod/selinux/buildroot-kmod.te        |  4 ++
 .../selinux/buildroot-network-manager.fc      |  0
 .../selinux/buildroot-network-manager.if      |  1 +
 .../selinux/buildroot-network-manager.te      |  4 ++
 package/openssh/selinux/buildroot-openssh.fc  |  0
 package/openssh/selinux/buildroot-openssh.if  |  1 +
 package/openssh/selinux/buildroot-openssh.te  | 23 +++++++
 package/polkit/selinux/buildroot-polkit.fc    |  0
 package/polkit/selinux/buildroot-polkit.if    |  1 +
 package/polkit/selinux/buildroot-polkit.te    |  5 ++
 package/refpolicy/selinux/buildroot.fc        |  0
 package/refpolicy/selinux/buildroot.if        |  1 +
 package/refpolicy/selinux/buildroot.te        | 67 +++++++++++++++++++
 .../selinux/buildroot-restorecond.fc          |  0
 .../selinux/buildroot-restorecond.if          |  1 +
 .../selinux/buildroot-restorecond.te          | 13 ++++
 package/systemd/selinux/buildroot-systemd.fc  |  0
 package/systemd/selinux/buildroot-systemd.if  |  1 +
 package/systemd/selinux/buildroot-systemd.te  | 66 ++++++++++++++++++
 .../sysvinit/selinux/buildroot-sysvinit.fc    |  0
 .../sysvinit/selinux/buildroot-sysvinit.if    |  1 +
 .../sysvinit/selinux/buildroot-sysvinit.te    |  8 +++
 37 files changed, 259 insertions(+)
 create mode 100644 package/acpid/selinux/buildroot-acpid.fc
 create mode 100644 package/acpid/selinux/buildroot-acpid.if
 create mode 100644 package/acpid/selinux/buildroot-acpid.te
 create mode 100644 package/audit/selinux/buildroot-audit.fc
 create mode 100644 package/audit/selinux/buildroot-audit.if
 create mode 100644 package/audit/selinux/buildroot-audit.te
 create mode 100644 package/busybox/selinux/buildroot-busybox.fc
 create mode 100644 package/busybox/selinux/buildroot-busybox.if
 create mode 100644 package/busybox/selinux/buildroot-busybox.te
 create mode 100644 package/iptables/selinux/buildroot-iptables.fc
 create mode 100644 package/iptables/selinux/buildroot-iptables.if
 create mode 100644 package/iptables/selinux/buildroot-iptables.te
 create mode 100644 package/kmod/selinux/buildroot-kmod.fc
 create mode 100644 package/kmod/selinux/buildroot-kmod.if
 create mode 100644 package/kmod/selinux/buildroot-kmod.te
 create mode 100644 package/network-manager/selinux/buildroot-network-manager.fc
 create mode 100644 package/network-manager/selinux/buildroot-network-manager.if
 create mode 100644 package/network-manager/selinux/buildroot-network-manager.te
 create mode 100644 package/openssh/selinux/buildroot-openssh.fc
 create mode 100644 package/openssh/selinux/buildroot-openssh.if
 create mode 100644 package/openssh/selinux/buildroot-openssh.te
 create mode 100644 package/polkit/selinux/buildroot-polkit.fc
 create mode 100644 package/polkit/selinux/buildroot-polkit.if
 create mode 100644 package/polkit/selinux/buildroot-polkit.te
 create mode 100644 package/refpolicy/selinux/buildroot.fc
 create mode 100644 package/refpolicy/selinux/buildroot.if
 create mode 100644 package/refpolicy/selinux/buildroot.te
 create mode 100644 package/restorecond/selinux/buildroot-restorecond.fc
 create mode 100644 package/restorecond/selinux/buildroot-restorecond.if
 create mode 100644 package/restorecond/selinux/buildroot-restorecond.te
 create mode 100644 package/systemd/selinux/buildroot-systemd.fc
 create mode 100644 package/systemd/selinux/buildroot-systemd.if
 create mode 100644 package/systemd/selinux/buildroot-systemd.te
 create mode 100644 package/sysvinit/selinux/buildroot-sysvinit.fc
 create mode 100644 package/sysvinit/selinux/buildroot-sysvinit.if
 create mode 100644 package/sysvinit/selinux/buildroot-sysvinit.te

-- 
2.41.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 17+ messages in thread