* [meta-selinux] What's the point of refpolicy-minimum?
From: Joe MacDonald @ 2017-01-10 14:48 UTC
  To: wenzong.fan, shrikant_bobade; +Cc: yocto

Wenzong / Shrikant,

I thought I knew the answer to the above question, and maybe my
understanding is still correct, but I think I need to ask it now anyway.

I don't use refpolicy-minimum for anything, so when I did the updates to
refpolicy*_git I didn't even glance at refpolicy-minimum_git.  Wenzong's
change to refpolicy-minimum_2.20161023 (in the same thread as the uprev
of the recipe) piqued my curiosity, so I had a look.  Of course,
refpolicy-minimum_git.bb also needs to be updated (or thrown out), but
now that I'm looking at the recipe I see what seems like conflicting
statements in the recipe:

   recipes-security/refpolicy/refpolicy-minimum_2.20161023.bb:

     include refpolicy-targeted_${PV}.bb

     SUMMARY = "SELinux minimum policy"
     DESCRIPTION = "\
     This is a minimum reference policy with just core policy modules, and \
     could be used as a base for customizing targeted policy. \
     Pretty much everything runs as initrc_t or unconfined_t so all of the \
     domains are unconfined. \
     "

and:

   recipes-security/refpolicy/refpolicy-targeted_2.20161023.bb:

     SUMMARY = "SELinux targeted policy"
     DESCRIPTION = "\
     This is the targeted variant of the SELinux reference policy.  Most service \
     domains are locked down. Users and admins will login in with unconfined_t \
     domain, so they have the same access to the system as if SELinux was not \
     enabled. \
     "

So now I'm trying to understand what the point of refpolicy-minimum
really is here.  Those of you who are using it, what are you using it
for and what do you expect would be the correct behaviour of a system
running that policy?

At the very least, I'm going to remove the 'include [...].bb' from both
'minimum' recipes, as that's completely incorrect, but when I do that I
want to know what anyone using this recipe wants to see from it, so
whatever the 'include' gets replaced with is doing the right thing
(which isn't necessarily what it's doing today).

-- 
-Joe MacDonald.
:wq

* Re: [meta-selinux] What's the point of refpolicy-minimum?
From: Shrikant Bobade @ 2017-01-10 15:40 UTC
  To: Joe MacDonald; +Cc: yocto, Shrikant Bobade

Hi Joe,


On Tue, Jan 10, 2017 at 8:18 PM, Joe MacDonald <Joe_MacDonald@mentor.com>
wrote:
>
> Wenzong / Shrikant,
>
> I thought I knew the answer to the above question, and maybe my
> understanding is still correct, but I think I need to ask it now anyway.
>
> I don't use refpolicy-minimum for anything, so when I did the updates to
> refpolicy*_git I didn't even glance at refpolicy-minimum_git.  Wenzong's
> change to refpolicy-minimum_2.20161023 (in the same thread as the uprev
> of the recipe) piqued my curiosity, so I had a look.  Of course,
> refpolicy-minimum_git.bb also needs to be updated (or thrown out), but
> now that I'm looking at the recipe I see what seems like conflicting
> statements in the recipe:
>
>    recipes-security/refpolicy/refpolicy-minimum_2.20161023.bb:
>
>      include refpolicy-targeted_${PV}.bb
>
>      SUMMARY = "SELinux minimum policy"
>      DESCRIPTION = "\
>      This is a minimum reference policy with just core policy modules, and \
>      could be used as a base for customizing targeted policy. \
>      Pretty much everything runs as initrc_t or unconfined_t so all of the \
>      domains are unconfined. \
>      "
>
> and:
>
>    recipes-security/refpolicy/refpolicy-targeted_2.20161023.bb:
>
>      SUMMARY = "SELinux targeted policy"
>      DESCRIPTION = "\
>      This is the targeted variant of the SELinux reference policy.  Most service \
>      domains are locked down. Users and admins will login in with unconfined_t \
>      domain, so they have the same access to the system as if SELinux was not \
>      enabled. \
>      "
>
> So now I'm trying to understand what the point of refpolicy-minimum
> really is here.  Those of you who are using it, what are you using it
> for and what do you expect would be the correct behaviour of a system
> running that policy?

I recently used refpolicy-minimum, as it provides protection/security for
the minimum modules while the remaining things are unconfined; the minimum
coverage (modules) of policy is easy to start on and cross-check the
prepared infrastructure against the expected SELinux behavior.

Also it is easy to patch for systemd compared to other policies. Up to the
refpolicy v20151208 release we have refpolicy-minimum working with systemd
as init manager; regarding the latest release, I need to check.

But moving ahead, a similar policy with minimum modules can be used.

>
> At the very least, I'm going to remove the 'include [...].bb' from both
> 'minimum' recipes, as that's completely incorrect, but when I do that I
> want to know what anyone using this recipe wants to see from it, so
> whatever the 'include' gets replaced with is doing the right thing
> (which isn't necessarily what it's doing today).

Agree.
>
> --
> -Joe MacDonald.
> :wq
>
> --
> _______________________________________________
> yocto mailing list
> yocto@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto
>

Thanks
Shrikant

* Re: [meta-selinux] What's the point of refpolicy-minimum?
From: wenzong fan @ 2017-01-12  4:57 UTC
  To: Joe MacDonald, shrikant_bobade; +Cc: yocto

On 01/10/2017 10:48 PM, Joe MacDonald wrote:
> Wenzong / Shrikant,
>
> I thought I knew the answer to the above question, and maybe my
> understanding is still correct, but I think I need to ask it now anyway.
>
> I don't use refpolicy-minimum for anything, so when I did the updates to
> refpolicy*_git I didn't even glance at refpolicy-minimum_git.  Wenzong's
> change to refpolicy-minimum_2.20161023 (in the same thread as the uprev
> of the recipe) piqued my curiosity, so I had a look.  Of course,
> refpolicy-minimum_git.bb also needs to be updated (or thrown out), but
> now that I'm looking at the recipe I see what seems like conflicting
> statements in the recipe:
>
>    recipes-security/refpolicy/refpolicy-minimum_2.20161023.bb:
>
>      include refpolicy-targeted_${PV}.bb
>
>      SUMMARY = "SELinux minimum policy"
>      DESCRIPTION = "\
>      This is a minimum reference policy with just core policy modules, and \
>      could be used as a base for customizing targeted policy. \
>      Pretty much everything runs as initrc_t or unconfined_t so all of the \
>      domains are unconfined. \
>      "
>
> and:
>
>    recipes-security/refpolicy/refpolicy-targeted_2.20161023.bb:
>
>      SUMMARY = "SELinux targeted policy"
>      DESCRIPTION = "\
>      This is the targeted variant of the SELinux reference policy.  Most service \
>      domains are locked down. Users and admins will login in with unconfined_t \
>      domain, so they have the same access to the system as if SELinux was not \
>      enabled. \
>      "
>
> So now I'm trying to understand what the point of refpolicy-minimum
> really is here.  Those of you who are using it, what are you using it
> for and what do you expect would be the correct behaviour of a system
> running that policy?
>

I don't have much experience using refpolicy-minimum either.

But from the original logs it should be "minimum targeted policy".

commit 65675f02e33f5da31ec5dbac7a45849f4952569b
Author: Wenzong Fan <wenzong.fan@windriver.com>
Date:   Mon Mar 24 21:07:50 2014 -0400

     refpolicy: add minimum targeted policy

     This is a minimum targeted policy with just core policy modules, and
     could be used as a base for customizing targeted policy.
     Pretty much everything runs as initrc_t or unconfined_t so all of the
     domains are unconfined.

     Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
     Signed-off-by: Joe MacDonald <joe@deserted.net>


> At the very least, I'm going to remove the 'include [...].bb' from both
> 'minimum' recipes, as that's completely incorrect, but when I do that I
> want to know what anyone using this recipe wants to see from it, so
> whatever the 'include' gets replaced with is doing the right thing
> (which isn't necessarily what it's doing today).

I won't object to making the changes, if you think there should be a
different minimum policy with targeted.

Thanks
Wenzong

* Re: [meta-selinux] What's the point of refpolicy-minimum?
From: Joe MacDonald @ 2017-01-12 15:27 UTC
  To: wenzong fan; +Cc: yocto, shrikant_bobade

Hi guys,

[Re: [meta-selinux] What's the point of refpolicy-minimum?] On 17.01.12 (Thu 12:57) wenzong fan wrote:

> On 01/10/2017 10:48 PM, Joe MacDonald wrote:
> >Wenzong / Shrikant,
> >
> >I thought I knew the answer to the above question, and maybe my
> >understanding is still correct, but I think I need to ask it now anyway.
> >
> >I don't use refpolicy-minimum for anything, so when I did the updates to
> >refpolicy*_git I didn't even glance at refpolicy-minimum_git.  Wenzong's
> >change to refpolicy-minimum_2.20161023 (in the same thread as the uprev
> >of the recipe) piqued my curiosity, so I had a look.  Of course,
> >refpolicy-minimum_git.bb also needs to be updated (or thrown out), but
> >now that I'm looking at the recipe I see what seems like conflicting
> >statements in the recipe:
> >
> >   recipes-security/refpolicy/refpolicy-minimum_2.20161023.bb:
> >
> >     include refpolicy-targeted_${PV}.bb
> >
> >     SUMMARY = "SELinux minimum policy"
> >     DESCRIPTION = "\
> >     This is a minimum reference policy with just core policy modules, and \
> >     could be used as a base for customizing targeted policy. \
> >     Pretty much everything runs as initrc_t or unconfined_t so all of the \
> >     domains are unconfined. \
> >     "
> >
> >and:
> >
> >   recipes-security/refpolicy/refpolicy-targeted_2.20161023.bb:
> >
> >     SUMMARY = "SELinux targeted policy"
> >     DESCRIPTION = "\
> >     This is the targeted variant of the SELinux reference policy.  Most service \
> >     domains are locked down. Users and admins will login in with unconfined_t \
> >     domain, so they have the same access to the system as if SELinux was not \
> >     enabled. \
> >     "
> >
> >So now I'm trying to understand what the point of refpolicy-minimum
> >really is here.  Those of you who are using it, what are you using it
> >for and what do you expect would be the correct behaviour of a system
> >running that policy?
> >
> 
> I don't have much experience on using the refpolicy-minimum as well.
> 
> But from the original logs it should be "minimum targeted policy".
> 
> commit 65675f02e33f5da31ec5dbac7a45849f4952569b
> Author: Wenzong Fan <wenzong.fan@windriver.com>
> Date:   Mon Mar 24 21:07:50 2014 -0400
> 
>     refpolicy: add minimum targeted policy
> 
>     This is a minimum targeted policy with just core policy modules, and
>     could be used as a base for customizing targeted policy.
>     Pretty much everything runs as initrc_t or unconfined_t so all of the
>     domains are unconfined.
> 
>     Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
>     Signed-off-by: Joe MacDonald <joe@deserted.net>
> 
> 
> >At the very least, I'm going to remove the 'include [...].bb' from both
> >'minimum' recipes, as that's completely incorrect, but when I do that I
> >want to know what anyone using this recipe wants to see from it, so
> >whatever the 'include' gets replaced with is doing the right thing
> >(which isn't necessarily what it's doing today).
> 
> I won't object to make the changes, if you think there should be a different
> minimum policy with targeted.

I'm not proposing an alternative, I'm just saying that the statements in
the descriptions of the recipes seem to conflict.  (And do note that the
git log you quoted is precisely the text in DESCRIPTION for
refpolicy-minimum.)

What I'm confused by is this in minimum:

>     Pretty much everything runs as initrc_t or unconfined_t so all of the
>     domains are unconfined.

and this in targeted:

> >     Most service domains are locked down.

So I guess my question is what is the desired behaviour out of this
recipe?  If nobody knows and it's not being used, I'm leaning toward a
'git rm'-based solution.  :-)

It sounds, though, like Shrikant is using it, so it's of some use, I
guess.  Shrikant, on the systems you've used the minimum policy, what
does the policy look like on your running system?  In the current world
refpolicy-minimum inherits POLICY_TYPE and POLICY_MLS_SENS from
refpolicy-targeted, is that good / bad / irrelevant to what you're doing
with it?  If I just rework minimum to remove the include and bring in
the minimal number of changes to get the policy to load again, is that
good enough for your purposes?  Do you want to volunteer to test my
changes for me before I commit them?  :-)

-- 
-Joe MacDonald.
:wq

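One way to answer the "what does the policy look like on your running system" question above, as an added example that is not part of this thread or of meta-selinux: a Python script that reads `ps -eZ` output and counts how many processes sit in the catch-all domains the minimum recipe's DESCRIPTION names (initrc_t, unconfined_t) versus a dedicated domain. The `ps -eZ` listing embedded in it is constructed, and treating only those two types as "unconfined" is an assumption of the example.

```python
"""Report which SELinux domains the processes on a system run in.
Added example for this thread, not meta-selinux code. Reads `ps -eZ`
output and counts processes in the catch-all domains the refpolicy-minimum
DESCRIPTION names (initrc_t, unconfined_t) against processes in a dedicated
domain. Usage on a live system: ps -eZ | python3 domain_report.py
"""
import re
import sys
from collections import Counter

# Assumption: only the two catch-all types named in the minimum DESCRIPTION
# count as "unconfined" for this report.
UNCONFINED_DOMAINS = {"initrc_t", "unconfined_t"}

# One data line of `ps -eZ`: "<context> <pid> <tty> <time> <cmd>". The header
# line starts with LABEL and has no numeric PID, so it does not match.
PS_LINE = re.compile(r"^(?P<ctx>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+(?P<cmd>.+?)\s*$")

def domain_of(context: str) -> str:
    """Return the type field of a context such as user_u:role_r:type_t:s0."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return parts[2]

def parse_ps(lines):
    """Yield (pid, domain, cmd) for every data line of `ps -eZ`."""
    for line in lines:
        m = PS_LINE.match(line)
        if m is None:  # header or malformed line
            continue
        yield int(m.group("pid")), domain_of(m.group("ctx")), m.group("cmd")

def summarize(lines):
    """Count processes per domain and split them into confined/unconfined."""
    per_domain = Counter()
    confined = unconfined = 0
    for _pid, dom, _cmd in parse_ps(lines):
        per_domain[dom] += 1
        if dom in UNCONFINED_DOMAINS:
            unconfined += 1
        else:
            confined += 1
    return {"per_domain": dict(per_domain),
            "confined": confined, "unconfined": unconfined}

def looks_minimum(summary) -> bool:
    """True when the catch-all domains hold the majority of processes."""
    return summary["unconfined"] > summary["confined"]

# Constructed `ps -eZ` sample: two services in initrc_t, a shell in
# unconfined_t, and init and sshd in their own domains.
SAMPLE_PS = """\
LABEL                              PID TTY          TIME CMD
system_u:system_r:init_t:s0          1 ?        00:00:01 init
system_u:system_r:initrc_t:s0      201 ?        00:00:00 syslogd
system_u:system_r:initrc_t:s0      230 ?        00:00:00 dbus-daemon
system_u:system_r:unconfined_t:s0  412 pts/0    00:00:00 bash
system_u:system_r:sshd_t:s0        233 ?        00:00:00 sshd
""".splitlines()

if __name__ == "__main__":
    src = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_PS
    report = summarize(src)
    print(report, "catch-all domains in the majority:", looks_minimum(report))
```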

* Re: [meta-selinux] What's the point of refpolicy-minimum?
From: Shrikant Bobade @ 2017-01-16 13:59 UTC
  To: Joe MacDonald; +Cc: yocto, Shrikant Bobade

Hi Joe,

On Thu, Jan 12, 2017 at 8:57 PM, Joe MacDonald <Joe_MacDonald@mentor.com>
wrote:
>
> Hi guys,
>
> [Re: [meta-selinux] What's the point of refpolicy-minimum?] On 17.01.12 (Thu 12:57) wenzong fan wrote:
>
> > On 01/10/2017 10:48 PM, Joe MacDonald wrote:
> > >Wenzong / Shrikant,
> > >
> > >I thought I knew the answer to the above question, and maybe my
> > >understanding is still correct, but I think I need to ask it now anyway.
> > >
> > >I don't use refpolicy-minimum for anything, so when I did the updates to
> > >refpolicy*_git I didn't even glance at refpolicy-minimum_git.  Wenzong's
> > >change to refpolicy-minimum_2.20161023 (in the same thread as the uprev
> > >of the recipe) piqued my curiosity, so I had a look.  Of course,
> > >refpolicy-minimum_git.bb also needs to be updated (or thrown out), but
> > >now that I'm looking at the recipe I see what seems like conflicting
> > >statements in the recipe:
> > >
> > >   recipes-security/refpolicy/refpolicy-minimum_2.20161023.bb:
> > >
> > >     include refpolicy-targeted_${PV}.bb
> > >
> > >     SUMMARY = "SELinux minimum policy"
> > >     DESCRIPTION = "\
> > >     This is a minimum reference policy with just core policy modules, and \
> > >     could be used as a base for customizing targeted policy. \
> > >     Pretty much everything runs as initrc_t or unconfined_t so all of the \
> > >     domains are unconfined. \
> > >     "
> > >
> > >and:
> > >
> > >   recipes-security/refpolicy/refpolicy-targeted_2.20161023.bb:
> > >
> > >     SUMMARY = "SELinux targeted policy"
> > >     DESCRIPTION = "\
> > >     This is the targeted variant of the SELinux reference policy.  Most service \
> > >     domains are locked down. Users and admins will login in with unconfined_t \
> > >     domain, so they have the same access to the system as if SELinux was not \
> > >     enabled. \
> > >     "
> > >
> > >So now I'm trying to understand what the point of refpolicy-minimum
> > >really is here.  Those of you who are using it, what are you using it
> > >for and what do you expect would be the correct behaviour of a system
> > >running that policy?
> > >
> >
> > I don't have much experience on using the refpolicy-minimum as well.
> >
> > But from the original logs it should be "minimum targeted policy".
> >
> > commit 65675f02e33f5da31ec5dbac7a45849f4952569b
> > Author: Wenzong Fan <wenzong.fan@windriver.com>
> > Date:   Mon Mar 24 21:07:50 2014 -0400
> >
> >     refpolicy: add minimum targeted policy
> >
> >     This is a minimum targeted policy with just core policy modules, and
> >     could be used as a base for customizing targeted policy.
> >     Pretty much everything runs as initrc_t or unconfined_t so all of the
> >     domains are unconfined.
> >
> >     Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
> >     Signed-off-by: Joe MacDonald <joe@deserted.net>
> >
> >
> > >At the very least, I'm going to remove the 'include [...].bb' from both
> > >'minimum' recipes, as that's completely incorrect, but when I do that I
> > >want to know what anyone using this recipe wants to see from it, so
> > >whatever the 'include' gets replaced with is doing the right thing
> > >(which isn't necessarily what it's doing today).
> >
> > I won't object to make the changes, if you think there should be a different
> > minimum policy with targeted.
>
> I'm not proposing an alternative, I'm just saying that the statements in
> the descriptions of the recipes seem to conflict.  (And do note that the
> git log you quoted is precisely the text in DESCRIPTION for
> refpolicy-minimum.
>
> What I'm confused by is this in minimum:
>
> >     Pretty much everything runs as initrc_t or unconfined_t so all of the
> >     domains are unconfined.
>
> and this in targeted:
>
> > >     Most service domains are locked down.
>
> So I guess my question is what is the desired behaviour out of this
> recipe?  If nobody knows and it's not being used, I'm leaning toward a
> 'git rm'-based solution.  :-)
>
> It sounds, though, like Shrikant is using it, so it's of some use, I
> guess.  Shrikant, on the systems you've used the minimum policy, what
> does the policy look like on your running system?  In the current world
> refpolicy-minimum inherits POLICY_TYPE and POLICY_MLS_SENS from
> refpolicy-targeted, is that good / bad / irrelevant to what you're doing
> with it?  If I just rework minimum to remove the include and bring in
> the minimal number of changes to get the policy to load again, is that
> good enough for your purposes?  Do you want to volunteer to test my
> changes for me before I commit them?  :-)

Sure, the rework for minimum to remove the include and the minimal number
of changes to get the policy loading seems good to serve the expectations
from it.
Happy to volunteer to validate the changes; please advise the location to
fork the in-progress changes. :)

>
> --
> -Joe MacDonald.
> :wq
>

Thanks
Shrikant
