Community,
Optional SELinux support has been added to OpenWrt for a while now and I gave a talk about the status at "Battle of the meshes 13th edition". There was a comment mentioning that there was an impression that "rolling out SELinux on OpenWrt" would still require lots of work and that there are still lots of "loose ends". I failed to ask the person what work and what loose ends he still see's. Regardless in the few months that have passed I have had give or take three times feedback on SELinux in OpenWrt: 1. dangole tests bootstrap every once in a while and if needed he provides me with information and contributions needed to get and keep that to work on atleast devices and configurations he is using. 2. I had one person e-mailing me mentioning that, i guess, WPA enterprise, does not work and that wpa_supplicant needs to be able to connect to a radius server for this (i addressed that issue to the best of my ability but havent heared from the person since and I am not sure whether that means that its is fixed or that the person hasnt tested it since the fixed trickled down) 3. jow gave some casual feedback on running services on alternate network ports and i addressed this issue as well although the fix for that might not have trickled down yet. I was hoping for a little more exposure and feedback than this. The way i see it, it should not be much of an extra burden for OpenWrt devs to build their systems with SELinux support and to report any obvious issues back so that the effort can evolve instead of face early death. My question to the reader is: why haven't you enabled SELinux yet on your test builds at least? Or maybe you have but you havent given any feedback. Why is that? Is it too much of a burden? If that is the case we could for now consider shipping a "permissive" policy so that SELinux will never be in your way if that helps. Can you please consider just enabling SELinux on your tests? If there are any observations and SELinux related messages in the logs then please report those to me via email or IRC? If you have objections then please let me know what those objections are so that I can identify whether those objections can be addressed. I did not, and do not expect that SELinux adoption would be popular but for developers that are very familiar with OpenWrt I do not see much of a reason not to enable it on test builds/systems either. Your feedback is valuable and is important to help improve the experience. SELinux on OpenWrt works great for me and to be honest that is my first priority but with a little more involvement and interest from others there is much more room for improvement. If you just build your systems with SELinux enabled and then provide feedback if there is something to report then that would be appreciated. If something is stopping you and if there is something i can do to make it easier then please let it be known. Thanks, -- gpg --locate-keys dominick.gr...@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift _______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel