On Tue, 2013-10-22 at 11:45 -0500, Don Hoefer wrote:
> We are building an embedded system where the customer is requiring
> SELinux. It is our own hardware so we build our own kernel and
> drivers and use the ext2, jfs and tmpfs file systems. This is not
> new for us, but incorporating SELinux is.
>
> Does anyone know of a good knowledge resource for building embedded
> systems with SELinux?

http://selinuxproject.org/page/Main_Page

> We are currently plowing through a frustrating step ahead/step back
> process. We have SELinux running but it seems to be broken; for
> example, one of our problems is that ls -Z shows "?" for SELinux file
> contexts:
>
> root@generic-powerpc:/# getfattr -m . -d var
> # file: var
> security.selinux="system_u:object_r:var_t"
>
> root@generic-powerpc:/# ls -Z
> ? bin ? boot ? dev ? etc ? home ? lib ? lost+found ? media ?
> mnt ? proc ? sbin ? selinux ? share ? sys ? tmp ? usr ?
> var ? www
>
> We were unsuccessful building policies on any of our development
> systems (Ubuntu/Debian based), but we are now using a Fedora 19 system
> and that is looking promising.

I wonder what problems you were having on Debian.

> Any pointers or help would be appreciated.

I just recently played a bit with SELinux for embedded systems (also on Debian), and for the most part it worked fine. There are plenty of "gotchas" though, and it helps if you know SELinux well.

You can create a nice lean monolithic policy, but some of the tools you need are part of the policycoreutils package, which is bloated with modular-policy-specific utils. (The policycoreutils package should be split up into "core"/"not core".)

I believe I might be able to give good tips, advice, and guidance, but I can't suggest much without information about your requirements, what you've been trying, etc.

What I can already tell you is that there is a program called mdp in the kernel source tree that generates a "dummy" policy. It's very small and probably a good start for someone not familiar with SELinux policy. There are some bugs in the program though, and the policy it generates will not work without at least one change to it.

I can also recommend the book "SELinux by Example". It touches on some of the fundamentals (much of the information is also on selinuxproject.org, though).

I would also send this question to the selinux mailing list, because the seandroid maintainer is reading that, and seandroid is a good example of using SELinux on systems with very limited resources. He might also be able to give good advice.

> Don Hoefer
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
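As an added example, not code from either message in this thread: a POSIX shell helper that takes a list of paths plus the output of getfattr -m . -d for those same paths (the record format quoted above) and reports, per path, the security.selinux context, MISSING when the attribute is absent, or MALFORMED when the value is not of the user:role:type[:level] shape. The paths and labels in the embedded sample are constructed for the example.

```shell
# Added example, not code from the thread: audit SELinux labels using the
# `getfattr -m . -d` record format quoted above. Given a path list and the
# getfattr output for those same paths, report each path's security.selinux
# context, MISSING when the attribute is absent, or MALFORMED when the value
# is not user:role:type[:level].

# Constructed sample input (paths and labels are made up for this example).
SAMPLE_PATHS='var
etc
tmp'
SAMPLE_GETFATTR='# file: var
security.selinux="system_u:object_r:var_t"

# file: etc
security.selinux="system_u:object_r:etc_t"
'

# label_report PATHS GETFATTR_OUTPUT -> one "path<TAB>status" line per path
label_report() {
    printf '%s\n' "$2" | awk -v paths="$1" '
        index($0, "# file: ") == 1 { file = substr($0, 9); next }
        index($0, "security.selinux=") == 1 && file != "" {
            ctx = $0
            sub(/^security\.selinux="/, "", ctx)
            sub(/"$/, "", ctx)
            label[file] = ctx
            next
        }
        END {
            n = split(paths, p, "\n")
            for (i = 1; i <= n; i++) {
                if (p[i] == "") continue
                if (!(p[i] in label)) print p[i] "\tMISSING"
                else if (label[p[i]] !~ /^[^:]+:[^:]+:[^:]+(:.+)?$/)
                    print p[i] "\tMALFORMED"
                else print p[i] "\t" label[p[i]]
            }
        }'
}

# unlabeled_count PATHS GETFATTR_OUTPUT -> number of paths with no label
unlabeled_count() {
    label_report "$1" "$2" | awk -F'\t' '$2 == "MISSING" { n++ } END { print n + 0 }'
}

# On a real system, pass the same path list to both arguments, e.g.:
#   label_report "$(cat paths.txt)" "$(getfattr -m . -d $(cat paths.txt))"
label_report "$SAMPLE_PATHS" "$SAMPLE_GETFATTR"
```

A path that getfattr lists without a security.selinux value, or does not list at all, shows up as MISSING; on a running system that is the set of entries worth comparing against what ls -Z prints as "?".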