* Security Working Group meeting - Wednesday April 13
From: Joseph Reynolds @ 2022-04-12 16:28 UTC
To: openbmc

This is a reminder of the OpenBMC Security Working Group meeting scheduled for this Wednesday April 13 at 10:00am PDT.

We'll discuss the following items on the agenda <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>, and anything else that comes up:

1. Renewed interest in securing D-Bus interfaces and using SELinux.

Access, agenda and notes are in the wiki:
https://github.com/openbmc/openbmc/wiki/Security-working-group

- Joseph

* Fwd: Security Working Group meeting - Wednesday April 13 - SELinux
From: Joseph Reynolds @ 2022-04-12 16:35 UTC
To: openbmc, Anton Kachalov

Anton,

Folks from IBM research are planning to attend the OpenBMC Security Working Group meeting to learn more about how to apply SELinux to OpenBMC. I understand this is an alternate solution to the work you had started here: https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/42748 and https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/49100.

Joseph

-------- Forwarded Message --------
Subject: Security Working Group meeting - Wednesday April 13
Date: Tue, 12 Apr 2022 11:28:24 -0500
From: Joseph Reynolds <jrey@linux.ibm.com>
To: openbmc <openbmc@lists.ozlabs.org>

This is a reminder of the OpenBMC Security Working Group meeting scheduled for this Wednesday April 13 at 10:00am PDT.

We'll discuss the following items on the agenda <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>, and anything else that comes up:

1. Renewed interest in securing D-Bus interfaces and using SELinux.

Access, agenda and notes are in the wiki:
https://github.com/openbmc/openbmc/wiki/Security-working-group

- Joseph

* Re: Security Working Group meeting - Wednesday April 13 - results
From: Joseph Reynolds @ 2022-04-13 21:29 UTC
To: openbmc

On 4/12/22 11:28 AM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday April 13 at 10:00am PDT.
>
> We'll discuss the following items on the agenda
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>,
> and anything else that comes up:
>

Attended: Joseph Reynolds, Ruud Haring, Chris Engel, Dick (Phoenix), Dong Chen, Jesse Arroyo, Yakatawa Sugawara, Russel Wilson, Krishnan Sugvanam, Manojkiran Eda, McCawley, Robert Senger, Sandhya Keteshwara, Surya (Intel), James Mihm, Terry Duncan, (and unknown caller who joined as the meeting was ending).

> 1. Renewed interest in securing D-Bus interfaces and using SELinux.

Ruud Haring and Yataka Sugawara and Russel Wilson from IBM Research presented a proposal.

A recording was made of the presentation and discussion. TODO: Post the recording.

DISCUSSION:

The proposal PDF will be shared with the OpenBMC community. Here is my summary of the main points: SELinux is preferred by IBM and some large customers to solve several related access control problems: limiting access of root processes, application trust, systemd, and D-Bus.
See previous discussion 2020-05-13 below: SELinux email use cases and email https://lists.ozlabs.org/pipermail/openbmc/2020-April/021477.html

Next steps: Follow https://github.com/openbmc/docs/blob/master/CONTRIBUTING.md#planning-changes with email discussion, Discord (per https://github.com/openbmc/openbmc#contact) and creating a design for phase 1 (below).

TODO: Joseph to send email to begin the discussion about SELinux use cases which might be shared by multiple OpenBMC users.

IBM plans to work in the OpenBMC community project: stage 1 is an opt-in SELinux in permissive mode to collect data about which policies are needed. Later stages are to create SELinux policies for access control, and then to configure SELinux to enforce them.

Does OpenBMC have existing SELinux policies? None are known, but see the Yocto/OE meta-selinux layer and associated docs.

We discussed some difficulties in using SELinux: Configuring the meta-selinux layer, configuring the Linux Kernel, and additional space requirements (about 20MB).

We discussed SELinux vs AppArmor. IBM has chosen SELinux because it is well known to IBM and customers, and has an active community. Note the planned SELinux support is opt-in, so another contributor can add AppArmor as needed.

The intended reference platform is an x86 system running with the AST2600 and 256Mb (or more) flash storage.

We discussed SELinux & D-Bus tie-ins. (OpenBMC D-Bus runs in system mode.) Note that D-Bus has built-in support for SELinux.

> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> - Joseph

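The stage 1 plan in the notes above is to run SELinux in permissive mode to learn which policies are needed. As an added illustration, not code from this thread or from the OpenBMC project, the Python below groups permissive-mode AVC denials (kernel AVC and D-Bus USER_AVC records) into candidate allow rules; the log lines, daemon names, paths and type labels are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample audit records (daemon names, paths and labels are made up).
# permissive=1 marks a denial that was logged but not enforced.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1649880001.101:41): avc:  denied  { read open } for  pid=301 comm="example-sensord" path="/etc/example.conf" dev="mtdblock4" ino=77 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1649880002.220:42): avc:  denied  { write } for  pid=301 comm="example-sensord" path="/etc/example.conf" dev="mtdblock4" ino=77 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=USER_AVC msg=audit(1649880003.007:43): pid=210 msg='avc:  denied  { send_msg } for msgtype=method_call interface=xyz.example.Sensor scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon"'
type=AVC msg=audit(1649880004.500:44): avc:  denied  { execute } for  pid=400 comm="example-tool" name="sh" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1649880004.500:44): arch=40000028 syscall=11 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def summarize_denials(log_text):
    """Map (source type, target type, class) -> permissions denied in permissive mode."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        # Skip non-AVC records and denials that were actually enforced.
        if not m or m.group("permissive") != "1":
            continue
        src, tgt = context_type(m.group("scon")), context_type(m.group("tcon"))
        if src is None or tgt is None:
            continue  # malformed context, nothing to learn from it
        needed[(src, tgt, m.group("tclass"))].update(m.group("perms").split())
    return dict(needed)

def as_allow_rules(needed):
    """Render the summary as policy-style allow rules for human review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(needed.items())]

if __name__ == "__main__":
    print("\n".join(as_allow_rules(summarize_denials(SAMPLE_AUDIT_LOG))))
```

The generated rules are input for review, not policy to load as-is: a denial seen in permissive mode shows what a process did, not what it should be allowed to do.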
* Re: Security Working Group meeting - Wednesday April 13 - results
From: Ratan Gupta @ 2022-04-18 15:02 UTC
To: Joseph Reynolds
Cc: openbmc

Hi Team,

Apparmor doesn't work with openbmc stack, I tried it around 6 months back, opened up the issue and finally it was told by the apparmor that it is not trivial one.

https://gitlab.com/apparmor/apparmor/-/issues/183

Ratan

On Thu, Apr 14, 2022 at 3:00 AM Joseph Reynolds <jrey@linux.ibm.com> wrote:

> On 4/12/22 11:28 AM, Joseph Reynolds wrote:
> > This is a reminder of the OpenBMC Security Working Group meeting
> > scheduled for this Wednesday April 13 at 10:00am PDT.
> >
> > We'll discuss the following items on the agenda
> > <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>,
> > and anything else that comes up:
> >
>
> Attended: Joseph Reynolds, Ruud Haring, Chris Engel, Dick (Phoenix),
> Dong Chen, Jesse Arroyo, Yakatawa Sugawara, Russel Wilson, Krishnan
> Sugvanam, Manojkiran Eda, McCawley, Robert Senger, Sandhya Keteshwara,
> Surya (Intel), James Mihm, Terry Duncan, (and unknown caller who joined
> as the meeting was ending).
>
> > 1. Renewed interest in securing D-Bus interfaces and using SELinux.
>
> Ruud Haring and Yataka Sugawara and Russel Wilson from IBM Research
> presented a proposal.
>
> A recording was made of the presentation and discussion. TODO: Post the
> recording.
>
> DISCUSSION:
>
> The proposal PDF will be shared with the OpenBMC community. Here is my
> summary of the main points: SELinux is preferred by IBM and some large
> customers to solve several related access control problems: limiting
> access of root processes, application trust, systemd, and D-Bus.
> See previous discussion 2020-05-13 below: SELinux email use cases and email
> https://lists.ozlabs.org/pipermail/openbmc/2020-April/021477.html
>
> Next steps: Follow
> https://github.com/openbmc/docs/blob/master/CONTRIBUTING.md#planning-changes
> with email discussion, Discord (per
> https://github.com/openbmc/openbmc#contact) and creating a design for
> phase 1 (below).
>
> TODO: Joseph to send email to begin the discussion about SELinux use
> cases which might be shared by multiple OpenBMC users.
>
> IBM plans to work in the OpenBMC community project: stage 1 is an opt-in
> SELinux in permissive mode to collect data about which policies are
> needed. Later stages are to create SELinux policies for access control,
> and then to configure SELinux to enforce them.
>
> Does OpenBMC have existing SELinux policies? None are known, but see
> the Yocto/OE meta-selinux layer and associated docs.
>
> We discussed some difficulties in using SELinux: Configuring the
> meta-selinux layer, configuring the Linux Kernel, and additional space
> requirements (about 20MB).
>
> We discussed SELinux vs AppArmor. IBM has chosen SELinux because it is
> well known to IBM and customers, and has an active community. Note the
> planned SELinux support is opt-in, so another contributor can add
> AppArmor as needed.
>
> The intended reference platform is an x86 system running with the
> AST2600 and 256Mb (or more) flash storage.
>
> We discussed SELinux & D-Bus tie-ins. (OpenBMC D-Bus runs in system
> mode.) Note that D-Bus has built-in support for SELinux.
>
> > Access, agenda and notes are in the wiki:
> > https://github.com/openbmc/openbmc/wiki/Security-working-group
> >
> > - Joseph