On Wed, Jan 6, 2021 at 4:40 PM Dominick Grift <dominick.grift@xxxxxxxxxxx> wrote:
> Ashish Mishra <ashishm@xxxxxxxxxx> writes:
>
> > Hi Dominick,
> >
> > Will look at the re-labelling as you suggested.
> > Is there any doc / blog / implementation etc. to understand the
> > sequence and commands to do this?
> > To understand this step in a better way.
> >
> > We are working with such a setup freshly so any inputs / guidance will
> > be helpful.
> >
> > Thanks for your time & inputs for this long thread.
>
> For docs I would suggest selinuxproject.org and
> https://github.com/SELinuxProject/selinux-notebook/blob/main/src/toc.md
>
> For implementations I would suggest looking at how OpenWrt implemented
> SELinux as this is a very simple implementation and the target seems to
> be relatively similar to yours with the exception that OpenWrt does not
> use a volatile root but instead uses a read-only squashfs and an overlay.
>
> You can also look at Fedora CoreOS for inspiration, and Google's SEAndroid.
>
> Implementing meaningful SELinux for exotic use cases like yours is not
> trivial though IMHO. Using reference policy as a base-policy might not
> be optimal for your use-case (to say the least) and it would probably be easier to create a
> policy from scratch instead in the longer run.

Well said. I'll just add that you'll at the very least need to remove the
"genfscon" rule for "rootfs" from your policy and replace it with an
appropriate "fs_use_xattr" one to be able to relabel the root filesystem.
(Assuming it uses tmpfs under the hood (or supports xattrs), otherwise you
may need to mount tmpfs somewhere and chroot into it at the beginning of
your init script. Or something like that...)

-- 
Ondrej Mosnacek
Software Engineer, Platform Security - SELinux kernel
Red Hat, Inc.
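The labeling change described in the reply above, written out as an added example in reference-policy kernel syntax (this is illustrative and not taken from the thread or from any project's policy; the type names root_t and fs_t follow reference policy conventions, and the CIL lines are the equivalent statements for a policy written in CIL instead):

```selinux
# Before: the reference-policy rule that labels the root filesystem.
# genfscon assigns a single fixed label to everything on the "rootfs"
# filesystem and ignores security.selinux xattrs, so setfiles/restorecon
# cannot relabel individual files and directories on it.
genfscon rootfs / gen_context(system_u:object_r:root_t,s0)

# After: tell the kernel to read per-file labels from xattrs instead.
# This only works if the filesystem backing rootfs has a security xattr
# handler (tmpfs does, ramfs does not), which is the caveat in the reply.
# The context here is the filesystem's own superblock label; files get
# the label stored in their security.selinux xattr once relabeled.
fs_use_xattr rootfs gen_context(system_u:object_r:fs_t,s0);

# Equivalent statements if the policy is written in CIL:
# (genfscon "rootfs" "/" (system_u object_r root_t ((s0) (s0))))   ; remove
# (fsuse xattr "rootfs" (system_u object_r fs_t ((s0) (s0))))      ; add
```

A quick sanity check after booting the new policy is that `ls -Z /` shows distinct labels for directories such as /etc and /var rather than a single root_t on everything, and that `restorecon -v` on a file under / actually reports a change.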