[DSE-Dev] Sid SELinux packages are now working

Russell Coker russell at coker.com.au
Tue May 22 00:46:09 UTC 2007


On Monday 21 May 2007 22:56, Erich Schubert <erich at debian.org> wrote:
> > How would that method cope with a cross-build? Emdebian has already
> > built some selinux packages from the Debian sources for a rootfs and
>
> We're talking about policy package dependencies, not about debian
> package dependencies. These dependencies mean that the foobar.pp policy
> package can't be installed unless quux.pp is also installed.
> If you want to change that for Emdebian, you'll be building a different
> policy, and then you can just include a different dependency file with
> that policy. Now refpolicy is already very tight on permissions; I don't
> think you'll really want to further narrow down permissions for Emdebian
> (though you e.g. could put perl into a separate domain and then prevent
> some domains from executing perl... right now, any process that can
> run /usr/bin/less can also run /usr/bin/perl)

The strict policy is by design quite restrictive.  In many cases where there 
are multiple ways of configuring things the policy allows for several options 
and thus is larger than necessary.

For an embedded system running on a known platform you should be able to 
remove a lot of policy without any problems, maybe half the volume of the 
policy or more.

http://www.coker.com.au/selinux/talks/ols2003/

Also for an embedded platform you have to deal with busybox and related 
optimisations.  My paper at the above URL describes some possible solutions 
to this problem.

-- 
russell at coker.com.au
http://etbe.coker.com.au/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
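As an added illustration of the two points in this exchange (policy-package dependencies between .pp files, and Erich's suggestion of putting perl into a separate domain so that a domain able to run /usr/bin/less cannot also run /usr/bin/perl), here is a small refpolicy-style module. It is example code written for this page, not part of the thread, Debian's packages or refpolicy itself; the module name perl_separate, the types perl_t / perl_exec_t and the interface perl_domtrans are assumed names, and the three files (.te, .if, .fc) are shown in one block separated by comment headers for brevity. It uses interface names from refpolicy of roughly the era of the thread (domain_type, domain_entry_file, libs_use_ld_so, libs_use_shared_libs); newer refpolicy renames some of them.

```selinux
# perl_separate.te  (hypothetical module name: added example, not from the thread)
policy_module(perl_separate, 1.0.0)

########################################
# Declarations
#
type perl_t;
type perl_exec_t;
domain_type(perl_t)
domain_entry_file(perl_t, perl_exec_t)

########################################
# Local policy for the perl domain
#
# Every interface call below is what produces the .pp-level dependency
# described in the thread: the interfaces expand to gen_require() blocks
# naming types declared in other modules (kernel, files, corecommands,
# libs), so semodule refuses to load perl_separate.pp unless those
# modules are already loaded.  Drop a call, and the dependency goes away
# with it, which is the lever an Emdebian-sized policy would pull.
kernel_read_system_state(perl_t)
files_read_etc_files(perl_t)
corecmd_search_bin(perl_t)
libs_use_ld_so(perl_t)
libs_use_shared_libs(perl_t)
# Assumption: the perl modules under /usr/lib/perl* carry refpolicy's
# default lib_t label, so reading library files is all perl needs here.
libs_read_lib_files(perl_t)

########################################
# perl_separate.if  (what other modules call to reach perl)
#
## <summary>Execute perl in its own domain.</summary>
## <param name="domain">Domain allowed to transition to perl_t.</param>
interface(`perl_domtrans',`
	gen_require(`
		type perl_t, perl_exec_t;
	')

	domtrans_pattern($1, perl_exec_t, perl_t)
')

# Effect on a caller (hypothetical foo_t in some other module):
#   corecmd_exec_bin(foo_t)   # /usr/bin/less, sed, awk ... are bin_t: still run
# no longer covers /usr/bin/perl, because that file is perl_exec_t now.
# foo_t needs an explicit
#   perl_domtrans(foo_t)
# and the module declaring foo_t now depends on perl_separate.pp as well.

########################################
# perl_separate.fc  (file contexts)
#
/usr/bin/perl		--	gen_context(system_u:object_r:perl_exec_t,s0)
/usr/bin/perl5[^/]*	--	gen_context(system_u:object_r:perl_exec_t,s0)
```

Build it with the refpolicy development Makefile shipped by the distribution's policy-dev package (its path varies), load with semodule -i, and relabel /usr/bin/perl* with restorecon. Two caveats a practitioner should keep in mind: the separation only bites for domains whose execute right comes from bin_t, so any interface that grants execute on every executable type still reaches perl_exec_t; and because a #! script's execve ends in an execute check on the interpreter binary, a domain without perl_domtrans is denied perl scripts too, not just "perl -e", which is usually the intent but does surface as denials in unexpected places (cron jobs, init scripts) on a real box.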
