[DSE-Dev] Sid SELinux packages are now working
Russell Coker
russell at coker.com.au
Tue May 22 00:46:09 UTC 2007
On Monday 21 May 2007 22:56, Erich Schubert <erich at debian.org> wrote:
> > How would that method cope with a cross-build? Emdebian has already
> > built some selinux packages from the Debian sources for a rootfs and
>
> We're talking about policy package dependencies, not about debian
> package dependencies. These dependencies mean that the foobar.pp policy
> package can't be installed unless quux.pp is also installed.
> If you want to change that for Emdebian, you'll be building a different
> policy, and then you can just include a different dependency file with
> that policy. Now refpolicy is already very tight on permissions; I don't
> think you'll really want to further narrow down permissions for Emdebian
> (though you e.g. could put perl into a separate domain and then prevent
> some domains from executing perl... right now, any process that can
> run /usr/bin/less can also run /usr/bin/perl)
The strict policy is by design quite restrictive. In many cases where there
are multiple ways of configuring things the policy allows for several options
and thus is larger than necessary.
For an embedded system running on a known platform you should be able to
remove a lot of policy without any problems, maybe half the volume of the
policy or more.
http://www.coker.com.au/selinux/talks/ols2003/
Also for an embedded platform you have to deal with busybox and related
optimisations. My paper at the above URL describes some possible solutions
to this problem.
--
russell at coker.com.au
http://etbe.coker.com.au/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
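To make the "perl in a separate domain" idea from the quoted reply concrete, here is a sketch of a refpolicy-style module that does it. This is an added example, not code from the thread, from refpolicy or from the Debian packages; the type names perl_t and perl_exec_t, the interface name perl_domtrans and the module name perl_domain are all invented for illustration, and the refpolicy interfaces used (application_domain, domtrans_pattern, files_read_etc_files, corecmd_exec_bin, miscfiles_read_localization) are assumed to be available in the refpolicy release being built against. The three files are shown back to back with a comment naming each.

```selinux-policy
# perl_domain.te  (hypothetical module; names are made up for this example)
policy_module(perl_domain, 0.1)

########################################
#
# Declarations
#

# perl_t is the domain perl runs in, perl_exec_t labels the interpreter.
type perl_t;
type perl_exec_t;
application_domain(perl_t, perl_exec_t)

########################################
#
# Local policy
#

# Minimal access for the interpreter itself; a real module needs more,
# worked out from the denials of the scripts you actually run.
files_read_etc_files(perl_t)
corecmd_exec_bin(perl_t)
miscfiles_read_localization(perl_t)

# perl_domain.if  (hypothetical interface)
## <summary>Execute /usr/bin/perl in the perl domain.</summary>
## <param name="domain">
##	<summary>Domain allowed to transition into perl_t.</summary>
## </param>
interface(`perl_domtrans',`
	gen_require(`
		type perl_t, perl_exec_t;
	')
	# Only callers of this interface may run the interpreter;
	# every other domain loses execute access once the file is relabelled.
	domtrans_pattern($1, perl_exec_t, perl_t)
')

# perl_domain.fc  (hypothetical file contexts)
/usr/bin/perl(5.*)?	--	gen_context(system_u:object_r:perl_exec_t,s0)
```

Once /usr/bin/perl is relabelled to perl_exec_t it is no longer bin_t, so a domain that could previously run it only because it could run any bin_t program (the less/perl case in the quoted reply) can no longer do so unless some module calls perl_domtrans() for it. Note also that the interfaces this module pulls in from the files, corecmd and miscfiles modules are exactly the kind of policy-package dependency the reply is describing: the resulting perl_domain.pp cannot be loaded unless those modules are loaded too.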