On Tue, Oct 27, 2020 at 7:13 AM Ashish Mishra <ashishm@xxxxxxxxxx> wrote:
> Hi All,
>
> I am evaluating a use case of an SELINUX + RAMFS scenario and came across
> this thread.
>
> Can the team please provide pointers on:
> a) Use of TMPFS over RAMFS for initramfs
>    As that would allow use of "fs_use_xattr" and hence restorecon
>    would not be required with "REFPOLICY".
>    Am I correct in my understanding here or am I missing any aspect?

I'm not sure how you would use tmpfs as an initramfs as it is not a
persistent filesystem.  Perhaps there is a way to use a tmpfs as an
initramfs but I don't know how that would work.

> b) Team input / comment on https://lwn.net/Articles/745260/
>    patch to extend the initramfs archive format to support xattrs

I'm not sure how useful that would be in practice as you would still
need to load a SELinux policy before you could actually enforce any
security policy with those labels/xattrs.  We have recently added
support to manage filesystem labels when a policy isn't loaded; the
main motivation was to allow different use cases where the root
filesystem was created and labeled dynamically by the initramfs.

* https://www.paul-moore.com/blog/d/2020/01/linux_v55.html
* https://www.paul-moore.com/blog/d/2020/10/linux_v59.html

> c) Any standard way / location to derive "dependent packages" that
>    should be present on ROOTFS before trying to build ref-policy from
>    "https://github.com/TresysTechnology/refpolicy"

Reference policy is now located at the repo below.  Generally the
SELinux policy is built offline on a build system and the resulting
SELinux policy binary artifact is loaded at runtime; building the
reference policy from source during boot would likely slow the boot
process dramatically.

* https://github.com/SELinuxProject/refpolicy

--
paul moore
www.paul-moore.com