[Buildroot] buildroot and SELinux

Jeroen Roovers jer at airfi.aero
Tue Nov 1 10:49:19 UTC 2016


On 31 October 2016 at 16:33, Patrick Doyle <wpdster at gmail.com> wrote:
> I'm not sure if SELinux is the right answer to my question(*), but
> assuming that it is... how well do buildroot and SELinux play
> together?  I found an email thread from 2013 where Clayton Shotwell
> and Thomas Petazzoni were discussing rolling SELinux into buildroot.
> And I see configuration items related to that now.

SELinux works absolutely fine for me. But I don't think it's the best
answer to your question.

> (*) and my real question is: can I use SELinux to make a binary
> executable, but unreadable by anybody, including root?  An ancillary
> question would be, if that executable were included as part of the
> CRAMFS rootfs built into the kernel, how would I set the
> attributes for that executable at buildtime to achieve this
> executable-but-not-readable state?

You could simply ensure that the up and running userland can't read
the file, possibly by excluding userland support for reading cramfs or
whatever filesystem you choose, so that only the kernel can read it at
boot time, and then removing (rm) the file from the ramdisk during
boot up and after you've used it.

Doing this with SELinux would require you to build a policy for that
file so that its execution is only allowed in specific security
contexts.


Regards,
     jer


