On Wed, 2009-02-18 at 10:19 -0600, Spann, John W. wrote:
> All,
>
> I am working with a 2.6.27.14 kernel on an embedded PowerPC 440 board.
> Aside from the operating system and some drivers and libraries, there
> will be a few custom applications written which I will need to write
> policy for.
>
> I am looking for the best policy writing approach for the environment.
> Seems like I could take the latest policy distributed with Fedora and
> start ripping out stuff or start with nothing and build up. Not having
> written much policy yet, I am seeking advice on the best approach.
>
> I also have read about SELinux Policy Editor (SEEdit) and wonder if this
> might be a good approach for a new policy writer.
>
> Thoughts...

Interestingly, Dan Walsh has created a selinux-policy-minimum package as a stripped down version of the Fedora targeted policy for this kind of usage. See: http://danwalsh.livejournal.com/26759.html

So that is an option, although you may wish to further prune it for your needs and you likely want to just build the monolithic policy for your embedded system and dispense with the overhead of the modular policy in such an environment.

However, starting from anything based on the reference policy (all of the Fedora policies are built from the reference policy) locks you into its particular dependencies and its (fine) granularity of domains and types, and pruning it can be difficult. And I'm not sure how much of the refpolicy is relevant to an embedded system.

So my preferred option would be to start from "scratch" and build up so that you can tailor the policy to the precise functionality and security goals of the embedded system.
To jump-start that process, you can generate the absolute minimum policy (called the dummy policy) required to boot your kernel, define a single security context, and allow that context to do everything by running the scripts/selinux/mdp/mdp program in the kernel source tree - see Documentation/SELinux.txt and scripts/selinux in the kernel tree.

The difference in sizes is substantial; Fedora's selinux-policy-minimum yields a ~640K binary kernel policy file, while the dummy policy generated by mdp from the kernel tree yields a ~9K binary kernel policy file. Of course, you would then need to extend that dummy policy by hand to actually do anything useful with it.

SEEdit is an option, and you may wish to try it as well, but be careful to examine the end result (i.e. the actual policy.conf that it generates as output, not just the simplified policy language statements) and see whether it actually meets the security goals you intended. I haven't used it. I'm not sure it is still actively being developed.

You may want to read over http://elinux.org/SELinux to see what the Japanese SELinux community has done in the past with regard to embedded SELinux, although I don't believe that such work is still ongoing.

--
Stephen Smalley
National Security Agency
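
The message above recommends extending the dummy policy by hand and examining the actual policy.conf against the intended security goals. The following is an added example, not part of the original message or the kernel tree: a small checker that lists the allow rules in a policy.conf that still grant every permission. The sample policy is constructed, the `myapp_t` and `myapp_data_t` types are hypothetical, and the parser assumes one simple allow rule per line (no type sets or macros).

```python
import re

# Constructed sample in the style of a dummy policy.conf, plus one
# hand-written domain (myapp_t and myapp_data_t are hypothetical names).
SAMPLE_POLICY = """
type base_t;
role base_r types { base_t };
allow base_t base_t:file *;
allow base_t base_t:process *;
type myapp_t;
type myapp_data_t;
allow myapp_t myapp_data_t:file { read getattr open };
allow myapp_t base_t:dir ~{ write };
allow myapp_t self:capability *;
"""

ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(.+?)\s*;\s*$")

def parse_allow_rules(policy_text):
    """Yield (source, target, class, perms) for simple one-line allow rules."""
    for line in policy_text.splitlines():
        line = line.split("#", 1)[0]          # drop policy comments
        m = ALLOW_RE.match(line)
        if m:
            yield m.groups()

def broad_rules(policy_text):
    """Return allow rules granting '*' or a complemented '~' permission set."""
    flagged = []
    for src, tgt, cls, perms in parse_allow_rules(policy_text):
        if perms == "*" or perms.startswith("~"):
            flagged.append((src, tgt, cls, perms))
    return flagged

def summarize(policy_text):
    """Map each source type to the classes it still has broad access to."""
    summary = {}
    for src, _tgt, cls, _perms in broad_rules(policy_text):
        summary.setdefault(src, set()).add(cls)
    return summary

if __name__ == "__main__":
    for rule in broad_rules(SAMPLE_POLICY):
        print("broad: allow %s %s:%s %s;" % rule)
```

Running it against each revision of a hand-extended policy.conf shows which wildcard grants inherited from the dummy policy are still present.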