Re: Selinux context type is same for root & normal user both

Thanks Dominick,
This will be helpful, I will try to use IRC also.

Thanks,
Ashish

On Wed, Jan 6, 2021 at 10:09 PM Dominick Grift
<dominick.grift@xxxxxxxxxxx> wrote:
>
> Ashish Mishra <ashishm@xxxxxxxxxx> writes:
>
> > Hi Dominick / Ondrej,
> >
> > Thanks for the valuable inputs, I will try to evaluate them.
> >
> > Ashish
>
> We have an IRC channel on chat.freenode.net where we can have casual and
> more interactive conversations if you're interested in that.
>
> https://freenode.net/kb/answer/chat
>
> >
> > On Wed, Jan 6, 2021 at 9:30 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> >>
> >> On Wed, Jan 6, 2021 at 4:40 PM Dominick Grift
> >> <dominick.grift@xxxxxxxxxxx> wrote:
> >> > Ashish Mishra <ashishm@xxxxxxxxxx> writes:
> >> >
> >> > > Hi Dominick,
> >> > >
> >> > > Will look at the re-labelling as you suggested.
> >> > > Is there any doc / blog / implementation etc. to understand the
> >> > > sequence and commands to do this, to understand this step in a
> >> > > better way?
> >> > >
> >> > > We are working with such a setup freshly so any inputs / guidance will
> >> > > be helpful.
> >> > >
> >> > > Thanks for your time & inputs for this long thread.
> >> >
> >> > For docs I would suggest selinuxproject.org and
> >> > https://github.com/SELinuxProject/selinux-notebook/blob/main/src/toc.md
> >> >
> >> > For implementations I would suggest looking at how OpenWrt implemented
> >> > SELinux as this is a very simple implementation and the target seems to
> >> > be relatively similar to yours with the exception that OpenWrt does not
> >> > use a volatile root but instead uses a read-only squashfs and an overlay.
> >> >
> >> > You can also look at Fedora CoreOS for inspiration, and Google's SEAndroid.
> >> >
> >> > Implementing meaningful SELinux for exotic use cases like yours is not
> >> > trivial though IMHO. Using reference policy as a base-policy might not
> >> > be optimal for your use-case (to say the least) and it would probably
> >> > be easier to create a policy from scratch instead in the longer run.
> >>
> >> Well said. I'll just add that you'll at the very least need to remove
> >> the "genfscon" rule for "rootfs" from your policy and replace it with
> >> an appropriate "fs_use_xattr" one to be able to relabel the root
> >> filesystem. (Assuming it uses tmpfs under the hood (or supports
> >> xattrs), otherwise you may need to mount tmpfs somewhere and chroot
> >> into it at the beginning of your init script. Or something like
> >> that...)
> >>
> >> --
> >> Ondrej Mosnacek
> >> Software Engineer, Platform Security - SELinux kernel
> >> Red Hat, Inc.
> >>
>
> --
> gpg --locate-keys dominick.grift@xxxxxxxxxxx
> Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
> https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
> Dominick Grift

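To illustrate Ondrej's point about the root filesystem, here is an added example (not code from anyone in the thread) that lints a kernel-policy-language fragment for a rootfs labeled via `genfscon` and rewrites it to `fs_use_xattr`. The policy text is constructed; the type names `root_t` and `fs_t` follow refpolicy conventions and are assumptions, as is the plain `user:role:type:level` context syntax (refpolicy normally wraps it in `gen_context()`).

```shell
#!/bin/sh
# Why this matters: with genfscon every inode on the filesystem gets one
# fixed label from the policy, so restorecon/setfiles cannot change it.
# Only fs_use_xattr makes the kernel read security.selinux xattrs, which
# is what relabeling needs. This is only valid when rootfs is tmpfs-backed
# (or otherwise supports xattrs), exactly the caveat raised in the thread.

# Constructed sample: the "before" fragment a refpolicy-derived build ships.
POLICY_BEFORE='fs_use_xattr ext4 system_u:object_r:fs_t:s0;
genfscon rootfs / system_u:object_r:root_t:s0
genfscon proc / system_u:object_r:proc_t:s0'

# rootfs_labeling POLICY_TEXT -> prints "xattr", "genfscon" or "none",
# i.e. how the given policy source labels the rootfs filesystem type.
rootfs_labeling() {
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*fs_use_xattr[[:space:]]+rootfs[[:space:]]'; then
        echo xattr
    elif printf '%s\n' "$1" | grep -Eq '^[[:space:]]*genfscon[[:space:]]+rootfs[[:space:]]'; then
        echo genfscon
    else
        echo none
    fi
}

# fix_rootfs_labeling POLICY_TEXT -> same text with the single-root
# "genfscon rootfs / <ctx>" line replaced by an fs_use_xattr statement
# (fs_t is the assumed filesystem default type). Other genfscon lines,
# e.g. for proc, are left untouched because those filesystems have no xattrs.
fix_rootfs_labeling() {
    printf '%s\n' "$1" | sed -E \
        's/^[[:space:]]*genfscon[[:space:]]+rootfs[[:space:]]+\/[[:space:]]+[^[:space:]]+$/fs_use_xattr rootfs system_u:object_r:fs_t:s0;/'
}

# Stand-alone run: show the before/after verdict for the sample.
echo "before: $(rootfs_labeling "$POLICY_BEFORE")"
echo "after:  $(rootfs_labeling "$(fix_rootfs_labeling "$POLICY_BEFORE")")"
```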
