Hi Joe,
On Tue, Jan 10, 2017 at 8:18 PM, Joe MacDonald <joe_macdon...@mentor.com> wrote:
>
> Wenzong / Shrikant,
>
> I thought I knew the answer to the above question, and maybe my
> understanding is still correct, but I think I need to ask it now anyway.
>
> I don't use refpolicy-minimum for anything, so when I did the updates to
> refpolicy*_git I didn't even glance at refpolicy-minimum_git. Wenzong's
> change to refpolicy-minimum_2.20161023 (in the same thread as the uprev
> of the recipe) piqued my curiosity, so I had a look. Of course,
> refpolicy-minimum_git.bb also needs to be updated (or thrown out), but
> now that I'm looking at the recipe I see what seems like conflicting
> statements in the recipe:
>
> recipes-security/refpolicy/refpolicy-minimum_2.20161023.bb:
>
>     include refpolicy-targeted_${PV}.bb
>
>     SUMMARY = "SELinux minimum policy"
>     DESCRIPTION = "\
>     This is a minimum reference policy with just core policy modules, and \
>     could be used as a base for customizing targeted policy. \
>     Pretty much everything runs as initrc_t or unconfined_t so all of the \
>     domains are unconfined. \
>     "
>
> and:
>
> recipes-security/refpolicy/refpolicy-targeted_2.20161023.bb:
>
>     SUMMARY = "SELinux targeted policy"
>     DESCRIPTION = "\
>     This is the targeted variant of the SELinux reference policy. Most service \
>     domains are locked down. Users and admins will login in with unconfined_t \
>     domain, so they have the same access to the system as if SELinux was not \
>     enabled. \
>     "
>
> So now I'm trying to understand what the point of refpolicy-minimum
> really is here. Those of you who are using it, what are you using it
> for and what do you expect would be the correct behaviour of a system
> running that policy?
recently used refpolicy-minimum, as it provides protection/security for minimum modules and the remaining things with unconfined. The minimum coverage (modules) of policy is easy to start on and cross check the prepared infrastructure against the expected SELinux behavior. Also it is easy to patch for systemd compared to other policies. Till the refpolicy v20151208 release we have refpolicy-minimum working with systemd as init manager. Regarding the latest release, it needs to be checked. But moving ahead, a similar policy with minimum modules can be used.

> At the very least, I'm going to remove the 'include [...].bb' from both
> 'minimum' recipes, as that's completely incorrect, but when I do that I
> want to know what anyone using this recipe wants to see from it, so
> whatever the 'include' gets replaced with is doing the right thing
> (which isn't necessarily what it's doing today).

agree..

> --
> -Joe MacDonald.
> :wq
>
> --
> _______________________________________________
> yocto mailing list
> yocto@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto

Thanks
Shrikant