Hello Petr,

Thanks for your feedback!

On Fri, 15 Nov 2019 06:29:49 +0100 Petr Štetiar <[email protected]> wrote:

> Is this some kind of RFC/idea probe? I like the idea, additional hardening is
> needed and welcome I would say.

No, this patch is not RFC, it should be ready for merging, I'm already using it in some devices.

> > I have patches ready to add some minimal SELinux support to OpenWRT,
> > which I intend to send in the near future.
>
> It would probably make more sense to send somehow minimal but complete working
> SELinux support so one could see what it would mean in terms of flash space,
> RAM, CPU overhead etc. Maybe adding one of the default services exposed to the
> network as initial example?

The thing is that the SELinux support in OpenWRT needs this improvement in procd, otherwise it won't work at runtime as nothing will be loading the SELinux policy.

Regarding the flash space, RAM and CPU overhead, I'm not sure it's that relevant: the SELinux packaging I've done makes it completely optional, so you only have an impact on flash space, RAM and CPU if you enable SELinux support. If you don't, then your OpenWRT system is exactly like it was before.

> > + pkg_search_module(SELINUX REQUIRED libselinux)
>
> This looks like a missing dependency.

Sorry, but I don't understand what you mean here. Or maybe you're saying that there is no libselinux package in OpenWRT? That is true, and will be part of my patch series to OpenWRT adding all the packages related to OpenWRT support.

> > fprintf(stderr, "Cannot load SELinux policy, but system in enforcing mode. Halting.\n");
>
> Just a side note, halting in the context of running on the router means
> flashing of factory image. Halting doesn't provide any feedback to the user,
> if we don't consider stuck-in-the-bootloop as a proper feedback. Probably
> entering failsafe (has LED feedback) or such would make more sense here?

Do you have more details about entering failsafe mode? How do you do that?

Thanks,

Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
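The fail-closed behaviour debated in this thread, as an added example that is not the procd patch itself: a hypothetical init helper that reads the SELINUX= mode from /etc/selinux/config text, then halts only when the policy failed to load while the mode is enforcing, and boots on in permissive or disabled mode. The config text and the failed load are constructed inputs; the mode numbering follows libselinux's convention.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the procd patch under discussion: the mode values
 * follow libselinux's convention (1 enforcing, 0 permissive, -1 disabled). */
enum se_mode { SE_DISABLED = -1, SE_PERMISSIVE = 0, SE_ENFORCING = 1 };
enum boot_action { BOOT_CONTINUE, BOOT_HALT };

/* Parse the SELINUX= line from the text of /etc/selinux/config.
 * A missing or unrecognised value is treated as disabled. */
enum se_mode parse_selinux_mode(const char *config)
{
    const char *p = config;
    while (p && *p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        while (len && isspace((unsigned char)*p)) { p++; len--; }
        if (len >= 8 && strncmp(p, "SELINUX=", 8) == 0) {
            const char *v = p + 8;
            size_t vlen = len - 8;
            while (vlen && isspace((unsigned char)v[vlen - 1])) vlen--;
            if (vlen == 9 && strncmp(v, "enforcing", 9) == 0) return SE_ENFORCING;
            if (vlen == 10 && strncmp(v, "permissive", 10) == 0) return SE_PERMISSIVE;
            return SE_DISABLED;
        }
        p = eol ? eol + 1 : NULL;
    }
    return SE_DISABLED;
}

/* Fail-closed decision after init has attempted to load the policy:
 * policy_loaded is 1 if the kernel accepted it, 0 otherwise. */
enum boot_action decide_boot_action(enum se_mode mode, int policy_loaded)
{
    if (policy_loaded || mode != SE_ENFORCING)
        return BOOT_CONTINUE; /* permissive or disabled: boot on without policy */
    fprintf(stderr, "Cannot load SELinux policy, but system in enforcing mode. Halting.\n");
    return BOOT_HALT;         /* enforcing: refuse to boot unconfined */
}

int main(void)
{
    /* Constructed config text; the policy load is simulated as failed. */
    const char *cfg = "# constructed sample\nSELINUX=enforcing\nSELINUXTYPE=default\n";
    enum se_mode mode = parse_selinux_mode(cfg);
    enum boot_action a = decide_boot_action(mode, 0);
    printf("mode=%d action=%s\n", mode, a == BOOT_HALT ? "halt" : "continue");
    return 0;
}
```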
