Re: Inputs to add SELINUX policy package on custom bsp

Hi,

Not sure how far along you are with SELinux integration, so just to make sure you are on the same page...
In order for the policy to be useful you need the SELinux kernel module and userspace tools.
It seems that Yocto already has an SELinux layer (https://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/) providing all the necessary parts including policy (based on refpolicy https://github.com/SELinuxProject/refpolicy). I believe using this policy would be your best bet since you wouldn't be the first one trying to use it in a custom BSP.

As for your questions below:
selinux-policy-contrib hosts policy modules for specific services. They need the base policy (https://github.com/fedora-selinux/selinux-policy) to work. They are designed to work together, but you can choose which ones will be active in your system. As said, I believe you should start with refpolicy, but if you still want to use Fedora SELinux policy please let me know and I'll try to elaborate on the necessary steps.

If you want to learn more about SELinux, I recommend https://freecomputerbooks.com/books/The_SELinux_Notebook-4th_Edition.pdf (but you are still welcome to ask questions here).

Have a great day,
Vit

On 10/13/20 7:58 AM, Ashish Mishra wrote:
Hi All,

Good Morning.

I was trying to get FEDORA SELINUX policy on our custom BSP.
Can the team please let me know their feedback / comments / inputs on the same.

Below is the description of what I am trying to do:
 
1) We are having a custom BSP (Yocto / Buildroot) for one of our products.
    This BSP doesn't have SELINUX on it as of now.

2) I can find the policy ".te" file at https://github.com/fedora-selinux/selinux-policy-contrib (approx 1005 files)
    But unable to understand the process of adding these policies to my custom BSP.
    Is there any way we can add these Fedora SELINUX policies to our BSP?

3) Is there any standard way of bifurcating these ".te" files or
    one has to make use of all of these as a standard practice.

Please feel free to seek any details or clarification from my side.
Also, do let me know if I am missing any aspect here or misunderstood something completely.

Thanks,
Ashish Kumar Mishra

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx