12:58 a.m.
Hi All ,
Good Morning .
I was trying to get FEDORA SELINUX policy on our custom BSP
Can the team please let me know their feedback / comments / inputs on the
same .
Below is the description of what i am trying to do :
1) We are having a custom BSP ( Yocto / Buildroot ) for one of our
products.
This BSP doesn't have SELINUX on it as of now.
2) I can find the policy ".te" file at*
https://github.com/fedora-selinux/selinux-policy-contrib
<https://github.com/fedora-selinux/selinux-policy-contrib> ( approx 1005
files )*
But unable to understand the process of adding these policies to my
custom BSP.
* Is there any way we can add these Fedora SELINUX policies to our BSP ?*
3) Is there any standard way of bifurcating these ".te" files or
one has to make use of all of these as a standard practice.
Please feel free to seek any details or clarification from my side .
Also , do let me know if I am missing any aspect here or mis-understood
something completely .
Thanks ,
Ashish Kumar Mishra
4:51 a.m.
Hi,
not sure how far along you are with SELinux intergration, so just to
make sure you are on the same page...
In order for the policy to be useful you need SELinux kernel module and
userspace tools.
It seems that Yocto already has SELinux layer
(https://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/) providing all
the necessary parts including policy (based on refpolicy
https://github.com/SELinuxProject/refpolicy). I believe using this
policy would be your best bet since you wouldn't be the first one trying
to use it in a custom BSP.
As for your questions below:
selinux-policy-contrib hosts policy modules for specific services. They
need the base policy (https://github.com/fedora-selinux/selinux-policy)
to work. They are designed to work together, but you can choose which
ones will be active in your system. As said, I believe you should start
with refpolicy, but if you still want to use Fedora SELinux policy
please let me know and I'll try to elaborate on the necessary steps.
If you want to learn more about SELinux, I recommend
https://freecomputerbooks.com/books/The_SELinux_Notebook-4th_Edition.pdf
(but you are still welcome to ask questions here)
Have a great day,
Vit
On 10/13/20 7:58 AM, Ashish Mishra wrote:
Hi All ,
Good Morning .
I was trying to get FEDORA SELINUX policy on our custom BSP
Can the team please let me know their feedback / comments / inputs on
the same .
Below is the description of what i am trying to do :
1) We are having a custom BSP ( Yocto / Buildroot ) for one of our
products.
This BSP doesn't have SELINUX on it as of now.
2) I can find the policy ".te" file
at*https://github.com/fedora-selinux/selinux-policy-contrib ( approx
1005 files )*
But unable to understand the process of adding these policies to
my custom BSP.
* Is there any way we can add these Fedora SELINUX policies to our
BSP ?*
3) Is there any standard way of bifurcating these ".te" files or
one has to make use of all of these as a standard practice.
Please feel free to seek any details or clarification from my side .
Also , do let me know if I am missing any aspect here or
mis-understood something completely .
Thanks ,
Ashish Kumar Mishra
_______________________________________________
selinux mailing list -- selinux(a)lists.fedoraproject.org
To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
5:50 a.m.
Hi Vit ,
Thanks for replying back on same.
a) We are in the initial evaluation phase .
As you said will look at the details you shared.
b) Will it be possible if you can please ,
Share the approach in case we don't want to use Yocto or any such
tool.
Like older bsp which was build using makefiles .
This can give me few more pointer's to understand the standard
process in better way.
Apologies if these are too obvious question .
Since I am still at evaluation I wanted to have understanding of approach
as per community.
Thanks ,
Ashish Kumar Mishra.
9:54 a.m.
Hi,
I have no experience with building BSPs, but from what I understand the
most important choice would be the Linux distribution used.
Generally, aside from security policy and userspace tools
(https://github.com/SELinuxProject/selinux), which you should be able to
compile and use just about anywhere, SELinux needs kernel
(https://github.com/SELinuxProject/selinux-kernel) and file system
support (see for example
https://wiki.debian.org/SELinux/Setup#Prerequisites:_filesystems for
more details about support in debian based systems).
Have a great day,
Vit
On 10/13/20 12:50 PM, Ashish Mishra wrote:
Hi Vit ,
Thanks for replying back on same.
a) We are in the initial evaluation phase .
As you said will look at the details you shared.
b) Will it be possible if you can please ,
Share the approach in case we don't want to use Yocto or any
such tool.
Like older bsp which was build using makefiles .
This can give me few more pointer's to understand the standard
process in better way.
Apologies if these are too obvious question .
Since I am still at evaluation I wanted to have understanding of
approach as per community.
Thanks ,
Ashish Kumar Mishra.
_______________________________________________
selinux mailing list -- selinux(a)lists.fedoraproject.org
To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
1290
days inactive
1290
days old
selinux@lists.fedoraproject.org
4 comments
2 participants
participants (2)
-
Ashish Mishra -
Vit Mojzis