BusyBox: load_policy applet

Yuichi Nakamura ynakam at hitachisoft.jp
Mon Mar 26 01:28:09 UTC 2007


Hi.

On Fri, 23 Mar 2007 08:49:37 -0400
Stephen Smalley wrote:
> On Fri, 2007-03-23 at 15:15 +0900, Yuichi Nakamura wrote:
> > The attached patch is to support load_policy for BusyBox.
> > load_policy is a program to load the SELinux policy into the kernel.
> > This applet is very important for SELinux,
> > because SELinux is not activated until the policy is loaded.
> > 
> > And this applet is _not_ based on the latest load_policy,
> > but on the old load_policy.
> > This is because the size of the latest load_policy is bigger than the old one,
> > and the old load_policy has enough features for embedded devices.
> 
> Hmm...are you sure?  Functionality that you are losing from the new load
> policy logic that lives in libselinux these days:
> - automatic discovery of the right policy file,
> - automatic downgrading of the policy file format to the kernel
> supported format if necessary (e.g. new policy, old kernel),
> - loading of local user and/or boolean definitions (obsolete if you
> choose to use libsemanage and managed policy, but not clear you are
> doing that in embedded),
> - preservation of boolean settings across a policy reload so they aren't
> reset to the policy defaults.
> 
> Boolean management seems the greatest concern, and using policy booleans
> on an embedded device to change policy states based on events /
> environmental factors is quite reasonable.
We wanted to prepare a minimum (the smallest) load_policy at first.
Booleans are useful, as you say;
we will submit boolean support to BusyBox in the future,
as a separate CONFIG option.
# And we have to prepare separating libselinux/libsepol..

> I know that you have a concern about libsepol size, but we may be able
> to reduce that to a minimal subset for your purposes without dropping it
> altogether on embedded (and it is expected to get smaller anyway as a
> result of the proposed new policy representation).
> 
> As a minor point on your applet, shouldn't you munmap and close before
> returning?
I had forgotten; I will fix it.

> 
> -- 
> Stephen Smalley
> National Security Agency

-- 
Yuichi Nakamura
Hitachi Software Engineering Co., Ltd.
SELinux Policy Editor: http://seedit.sourceforge.net/
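The cleanup Stephen Smalley asks about (munmap and close before returning), shown as an added example that is not the submitted applet: a minimal old-style load_policy routine in C that maps the policy file, hands it to the SELinux load node in one write, and releases the mapping and both descriptors on every exit path. The load node being a parameter and the self-test file names under /tmp are assumptions so that it can be exercised against plain files.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>
/* Minimal old-style load_policy: mmap the binary policy and hand it to the
 * kernel's SELinux load node in one write(). The mapping and both descriptors
 * are released on every exit path, the cleanup Stephen Smalley asked about.
 * load_node is a parameter (assumption; really /selinux/load or
 * /sys/fs/selinux/load) so it can be exercised on a plain file. 0 = success. */
int load_policy_file(const char *policy_path, const char *load_node)
{
    struct stat sb;
    void *map = MAP_FAILED;
    int lfd = -1, rc = -1;
    int pfd = open(policy_path, O_RDONLY);
    if (pfd < 0) return -1;
    if (fstat(pfd, &sb) < 0 || sb.st_size <= 0) goto out;
    map = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, pfd, 0);
    if (map == MAP_FAILED) goto out;
    lfd = open(load_node, O_WRONLY);
    if (lfd >= 0 && write(lfd, map, sb.st_size) == sb.st_size)
        rc = 0; /* the kernel wants the whole policy in a single write() */
out:
    if (lfd >= 0) close(lfd);
    if (map != MAP_FAILED) munmap(map, sb.st_size);
    close(pfd);
    return rc;
}

/* Self-test on ordinary files: constructed bytes (not a real policy) are
 * "loaded" into an empty temp file; returns 1 if it received the same bytes. */
int load_policy_roundtrip(void)
{
    static const char sample[] = "constructed-policy-bytes";
    const char *src = "/tmp/bb_policy_src.bin", *dst = "/tmp/bb_policy_dst.bin";
    char buf[sizeof sample];
    int fd = open(src, O_WRONLY | O_CREAT | O_TRUNC, 0600), ok = 0;
    if (fd < 0 || write(fd, sample, sizeof sample) < 0) return 0;
    close(fd);
    close(open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0600)); /* empty target */
    if (load_policy_file(src, dst) == 0 && (fd = open(dst, O_RDONLY)) >= 0) {
        ok = read(fd, buf, sizeof buf) == (ssize_t)sizeof buf &&
             memcmp(buf, sample, sizeof buf) == 0;
        close(fd);
    }
    unlink(src); unlink(dst);
    return ok;
}
```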