Hi Dominick / Ondrej,

Thanks for valuable inputs, I will try to evaluate them.

Ashish

On Wed, Jan 6, 2021 at 9:30 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>
> On Wed, Jan 6, 2021 at 4:40 PM Dominick Grift
> <dominick.grift@xxxxxxxxxxx> wrote:
> > Ashish Mishra <ashishm@xxxxxxxxxx> writes:
> >
> > > Hi Dominick,
> > >
> > > Will look at the re-labelling as you suggested.
> > > Is there any doc / blog / implementation etc. to understand the
> > > sequence and commands to do this,
> > > to understand this step in a better way?
> > >
> > > We are working with such a setup freshly, so any inputs / guidance will
> > > be helpful.
> > >
> > > Thanks for your time & inputs for this long thread.
> >
> > For docs I would suggest selinuxproject.org and
> > https://github.com/SELinuxProject/selinux-notebook/blob/main/src/toc.md
> >
> > For implementations I would suggest looking at how OpenWrt implemented
> > SELinux, as this is a very simple implementation and the target seems to
> > be relatively similar to yours, with the exception that OpenWrt does not
> > use a volatile root but instead uses a read-only squashfs and an overlay.
> >
> > You can also look at Fedora CoreOS for inspiration, and Google's SEAndroid.
> >
> > Implementing meaningful SELinux for exotic use cases like yours is not
> > trivial though, IMHO. Using reference policy as a base policy might not
> > be optimal for your use case (to say the least), and it would probably be
> > easier to create a policy from scratch instead in the longer run.
>
> Well said. I'll just add that you'll at the very least need to remove
> the "genfscon" rule for "rootfs" from your policy and replace it with
> an appropriate "fs_use_xattr" one to be able to relabel the root
> filesystem. (Assuming it uses tmpfs under the hood (or supports
> xattrs), otherwise you may need to mount tmpfs somewhere and chroot
> into it at the beginning of your init script. Or something like
> that...)
>
> --
> Ondrej Mosnacek
> Software Engineer, Platform Security - SELinux kernel
> Red Hat, Inc.
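The policy change Ondrej describes, written out as an added illustration (not something posted in the thread) in the kernel policy language with the contexts spelled out instead of refpolicy's gen_context() m4 macro; the type names root_t and fs_t are refpolicy's and are assumed here:

```te
# Before: reference policy labels the root of the initramfs with a genfscon
# rule. Under genfscon the label comes from the policy rule itself, not from
# anything stored on the inode, which is why (as noted in the thread) the
# root filesystem cannot be relabelled while this rule is in effect.
genfscon rootfs / system_u:object_r:root_t:s0

# After: remove the line above and declare rootfs as an xattr-labelled
# filesystem instead, so per-file labels are read from, and can be written
# to, the security.selinux extended attribute. This only works when the
# filesystem backing rootfs supports security xattrs (tmpfs does), hence the
# "mount tmpfs and chroot into it" fallback mentioned in the thread.
fs_use_xattr rootfs system_u:object_r:fs_t:s0;
```

After booting with the rebuilt policy, `grep ' / ' /proc/mounts` should show `seclabel` among the root mount options, and `seinfo --fs_use` (setools) should list the rootfs entry while `seinfo --genfscon` no longer does.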