[Buildroot] [PATCH 1/1] package/drbd-utils: add SELinux module

Yann E. MORIN yann.morin.1998 at free.fr
Wed Jul 28 19:45:46 UTC 2021


Thomas, All,

+Matt, our resident SELinux expert ;-]

On 2021-07-26 14:15 +0200, Thomas Petazzoni spake thusly:
> On Mon, 26 Jul 2021 10:21:31 +0200
> Fabrice Fontaine <fontaine.fabrice at gmail.com> wrote:
> 
> > Support for drbd-utils is added by the services/drbd module in the
> > SELinux refpolicy.
> > 
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
> > ---
> >  package/drbd-utils/drbd-utils.mk | 1 +
> >  1 file changed, 1 insertion(+)
> 
> I have a question: are you testing/using all these packages in an
> SELinux context ?

That is exactly what I was pointing out with our addition of the
handling of the SELinux refpolicy in our package infrastructure.

On one side, either we consider that the refpolicy is authoritative and
represents the state of the art of the SELinux policy for packages, in
which case we can "blindly" add SELinux metadata to our packages, or...

on the other side, I fail to see how a generic policy can be applied to
a specialised product, where constraints vary wildly from the "server
world" where refpolicy and SELinux originate from, and even vary wildly
between different specialised products, in which case basing our SELinux
handling in our infra on refpolicy does not make much sense.

So, it is my understanding that we decided that the refpolicy was to be
seen as the gold-standard of a policy, from which customised, local
policies would be derived, and as such we could safely use the refpolicy
modules on the assumption that a local policy would also have them...

And as such, we can just batch-apply Fabrice's patches on the topic.

But I am not an expert in SELinux, so... Maybe an SELinux expert (Matt?)
could chime in and explain a bit?  Please? ;-)

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
