Ashish Mishra <ashishm@xxxxxxxxxx> writes:

> Hi Dominick,
>
> Will look at the re-labelling as you suggested.
> Is there any doc / blog / implementation etc. to understand the
> sequence and commands to do this, to understand this step in a
> better way?
>
> We are working with such a setup freshly, so any inputs / guidance
> will be helpful.
>
> Thanks for your time & inputs for this long thread.

For docs I would suggest selinuxproject.org and
https://github.com/SELinuxProject/selinux-notebook/blob/main/src/toc.md

For implementations I would suggest looking at how OpenWrt implemented
SELinux, as this is a very simple implementation and the target seems
to be relatively similar to yours, with the exception that OpenWrt does
not use a volatile root but instead uses a read-only squashfs and an
overlay.

You can also look at Fedora CoreOS for inspiration, and Google's
SEAndroid.

Implementing meaningful SELinux for exotic use cases like yours is not
trivial though, IMHO. Using reference policy as a base policy might not
be optimal for your use case (to say the least), and it would probably
be easier to create a policy from scratch instead in the longer run.

> Thanks,
> Ashish
>
> On Wed, Jan 6, 2021 at 8:34 PM Dominick Grift
> <dominick.grift@xxxxxxxxxxx> wrote:
>>
>> Ashish Mishra <ashishm@xxxxxxxxxx> writes:
>>
>> > Hi Dominick,
>> > Thanks for your valuable time and inputs.
>> >
>> > As a background w.r.t. ROOTFS:
>> > a) We had a custom SDK which is a basic makefile-based SDK.
>> >
>> > b) The rootfs was RAMFS based.
>> > For selinux we switched from RAMFS to TEMPFS.
>> >
>> > c) It was not having SELINUX, so we added refpolicy & selinux-userland.
>> > Expectation was we will get working selinux context & policy.
>> > I have the policy but the context is being the same for each file
>> > and folder.
>>
>> You also have to address labeling. If your filesystem is ram-based
>> (volatile) then I suspect you will have to address labeling at
>> runtime (ie run setfiles/restorecon to label the filesystem). The
>> point is that your filesystem is currently not labeled according to
>> the reference policy.
>>
>> > d) The setup is being evaluated for tempfs (INITRAMFS-as-TEMPFS +
>> > SELINUX) w.r.t. output of mount command:
>> > ~ # mount
>> > rootfs on / type rootfs (rw,seclabel,size=253620k,nr_inodes=63405)
>> > sysfs on /sys type sysfs (rw,seclabel,relatime)
>> > selinuxfs on /sys/fs/selinux type selinuxfs (rw,nosuid,noexec,relatime)
>> > nodev on /dev type devtmpfs
>> > (rw,seclabel,relatime,size=253620k,nr_inodes=63405,mode=755)
>> > none on /proc type proc (rw,relatime)
>> > none on /dev/shm type tmpfs (rw,seclabel,relatime)
>> > none on /dev/pts type devpts (rw,seclabel,relatime,mode=600,ptmxmode=000)
>> > none on /sys/kernel/debug type debugfs (rw,seclabel,relatime)
>> > none on /mnth type hugetlbfs (rw,seclabel,relatime)
>> > cgroup on /sys/fs/cgroup type tmpfs (rw,seclabel,relatime,mode=755)
>> > cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,relatime,cpuset)
>> > cgroup on /sys/fs/cgroup/cpu type cgroup (rw,relatime,cpu)
>> > cgroup on /sys/fs/cgroup/cpuacct type cgroup (rw,relatime,cpuacct)
>> > cgroup on /sys/fs/cgroup/blkio type cgroup (rw,relatime,blkio)
>> > cgroup on /sys/fs/cgroup/memory type cgroup (rw,relatime,memory)
>> > cgroup on /sys/fs/cgroup/devices type cgroup (rw,relatime,devices)
>> > cgroup on /sys/fs/cgroup/freezer type cgroup (rw,relatime,freezer)
>> > cgroup on /sys/fs/cgroup/net_cls type cgroup (rw,relatime,net_cls)
>> > cgroup on /sys/fs/cgroup/net_prio type cgroup (rw,relatime,net_prio)
>> > cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,relatime,hugetlb)
>> > cgroup on /sys/fs/cgroup/pids type cgroup (rw,relatime,pids)
>> > cgroup on /sys/fs/cgroup/debug type cgroup (rw,relatime,debug)
>> > cgroups on /sys/fs/cgroup/unified type cgroup2 (rw,relatime)
>> >
>> > Thanks,
>> > Ashish
>>
>> --
>> gpg --locate-keys dominick.grift@xxxxxxxxxxx
>> Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
>> https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
>> Dominick Grift
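The runtime labeling point above (a volatile rootfs whose inodes all carry the same context until setfiles/restorecon applies the policy's file_contexts), as an added example that is not from this thread or from the SELinux project: a small Python model of how a setfiles-style tool derives the expected context for each path and reports which inodes disagree. The file_contexts entries, the inventory and the single-context placeholder are constructed for illustration, and the precedence rule is simplified to "the last matching entry wins", ignoring the specificity ordering libselinux applies.

```python
import re
import stat
# Constructed file_contexts excerpt (regex, optional type flag, context or <<none>>); not from refpolicy.
FILE_CONTEXTS = """\
/.*               system_u:object_r:default_t:s0
/bin(/.*)?        system_u:object_r:bin_t:s0
/bin/login    --  system_u:object_r:login_exec_t:s0
/proc(/.*)?       <<none>>
/tmp          -d  system_u:object_r:tmp_t:s0
"""
FLAGS = {"--": stat.S_ISREG, "-d": stat.S_ISDIR, "-l": stat.S_ISLNK}  # subset of the type flags

def parse_file_contexts(text):
    """Return (anchored regex, mode test or None, context) per spec line."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        pattern, flag, context = parts if len(parts) == 3 else (parts[0], None, parts[1])
        mode_test = FLAGS[flag] if flag else None
        # setfiles matches the regex against the whole path, so anchor it
        specs.append((re.compile("^(?:" + pattern + ")$"), mode_test, context))
    return specs

def expected_context(specs, path, mode):
    """Context the policy expects; later matching entries take precedence
    (simplification: libselinux also orders specs by specificity)."""
    chosen = None
    for regex, mode_test, context in specs:
        if regex.match(path) and (mode_test is None or mode_test(mode)):
            chosen = context
    return None if chosen == "<<none>>" else chosen

def find_mislabeled(specs, inventory):
    """{path: (st_mode, current ctx)} -> {path: (current, expected)} for every
    inode whose label disagrees with policy; this is what setfiles/restorecon repairs."""
    wrong = {}
    for path, (mode, current) in inventory.items():
        want = expected_context(specs, path, mode)
        if want is not None and want != current:
            wrong[path] = (current, want)
    return wrong

# Constructed: a volatile rootfs where every inode has the same context (the thread's symptom)
SAME_CTX = "system_u:object_r:unlabeled_t:s0"
INVENTORY = {"/bin": (stat.S_IFDIR | 0o755, SAME_CTX),
             "/bin/login": (stat.S_IFREG | 0o755, SAME_CTX),
             "/proc/1": (stat.S_IFDIR | 0o555, SAME_CTX),
             "/tmp": (stat.S_IFDIR | 0o1777, SAME_CTX)}
```

On a real system the inventory would come from walking the filesystem and reading the security.selinux xattr of each inode, and the <<none>> entries are why /proc and similar genfscon-labeled mounts are left alone by a relabel.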