On Monday 21 May 2007 22:56, Erich Schubert <[EMAIL PROTECTED]> wrote:
> > How would that method cope with a cross-build? Emdebian has already
> > built some selinux packages from the Debian sources for a rootfs and
>
> We're talking about policy package dependencies, not about debian
> package dependencies. These dependencies mean that the foobar.pp policy
> package can't be installed unless quux.pp is also installed.
> If you want to change that for Emdebian, you'll be building a different
> policy, and then you can just include a different dependency file with
> that policy. Now refpolicy is already very tight on permissions; I don't
> think you'll really want to further narrow down permissions for Emdebian
> (though you e.g. could put perl into a separate domain and then prevent
> some domains from executing perl... right now, any process that can
> run /usr/bin/less can also run /usr/bin/perl)

The strict policy is by design quite restrictive. In many cases where there are multiple ways of configuring things the policy allows for several options and thus is larger than necessary. For an embedded system running on a known platform you should be able to remove a lot of policy without any problems, maybe half the volume of the policy or more.

http://www.coker.com.au/selinux/talks/ols2003/

Also for an embedded platform you have to deal with busybox and related optimisations. My paper at the above URL describes some possible solutions to this problem.

--
[EMAIL PROTECTED]
http://etbe.coker.com.au/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development