BusyBox: load_policy applet
Yuichi Nakamura
ynakam at hitachisoft.jp
Mon Mar 26 01:28:09 UTC 2007
Hi.
On Fri, 23 Mar 2007 08:49:37 -0400
Stephen Smalley wrote:
> On Fri, 2007-03-23 at 15:15 +0900, Yuichi Nakamura wrote:
> > The attached patch is to support load_policy for BusyBox.
> > load_policy is a program to load the SELinux policy into the kernel.
> > This applet is very important for SELinux,
> > because SELinux is not activated until policy is loaded.
> >
> > And this applet is _not_ based on the latest load_policy,
> > but is based on the old load_policy.
> > This is because the size of the latest load_policy is bigger than the old one,
> > and the old load_policy has enough features for an embedded device.
>
> Hmm...are you sure? Functionality that you are losing from the new load
> policy logic that lives in libselinux these days:
> - automatic discovery of the right policy file,
> - automatic downgrading of the policy file format to the kernel
> supported format if necessary (e.g. new policy, old kernel),
> - loading of local user and/or boolean definitions (obsolete if you
> choose to use libsemanage and managed policy, but not clear you are
> doing that in embedded),
> - preservation of boolean settings across a policy reload so they aren't
> reset to the policy defaults.
>
> Boolean management seems the greatest concern, and using policy booleans
> on an embedded device to change policy states based on events /
> environmental factors is quite reasonable.
We wanted to prepare the minimum (smallest) load_policy at first.
Booleans are useful, as you say;
we will submit boolean support to BusyBox in the future,
as a separate CONFIG option.
# And we have to prepare to separate libselinux/libsepol...
> I know that you have a concern about libsepol size, but we may be able
> to reduce that to a minimal subset for your purposes without dropping it
> altogether on embedded (and it is expected to get smaller anyway as a
> result of the proposed new policy representation).
>
> As a minor point on your applet, shouldn't you munmap and close before
> returning?
I forgot; I will fix it.
>
> --
> Stephen Smalley
> National Security Agency
--
Yuichi Nakamura
Hitachi Software Engineering Co., Ltd.
SELinux Policy Editor: http://seedit.sourceforge.net/
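The cleanup point Stephen raises above, as an added example that is not the patch from this thread: a minimal load routine that maps the binary policy, hands it to selinuxfs in a single write, and releases the mapping and both descriptors on every exit path. It assumes the applet works the way the old load_policy did (mmap the file, write it to the selinuxfs load node, /sys/fs/selinux/load on current kernels); the self-test uses constructed temp files in place of a real policy and load node.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Map the binary policy and hand it to the kernel in one write(2).
 * Returns 0 on success, -1 on failure. Every exit path runs through the
 * cleanup label, so the mapping and both descriptors are always released. */
int load_policy_file(const char *policy_path, const char *load_node)
{
    int rc = -1, pfd = -1, lfd = -1;
    void *map = MAP_FAILED;
    struct stat st = {0};

    pfd = open(policy_path, O_RDONLY);
    if (pfd < 0 || fstat(pfd, &st) < 0 || st.st_size <= 0)
        goto out;
    map = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, pfd, 0);
    if (map == MAP_FAILED)
        goto out;
    lfd = open(load_node, O_WRONLY);
    if (lfd < 0)
        goto out;
    /* selinuxfs expects the whole image in a single write, not chunks. */
    if (write(lfd, map, st.st_size) == (ssize_t)st.st_size)
        rc = 0;
out:
    if (map != MAP_FAILED) munmap(map, st.st_size);
    if (lfd >= 0) close(lfd);
    if (pfd >= 0) close(pfd);
    return rc;
}

/* Offline check: a constructed 4-byte stand-in for a policy image is "loaded"
 * into a temp file standing in for the load node; returns 1 if it arrives intact. */
int self_test(void)
{
    static const unsigned char img[4] = {0x8c, 0xff, 0x7c, 0xf9}; /* constructed */
    char pol[] = "/tmp/polXXXXXX", node[] = "/tmp/nodeXXXXXX", buf[8] = {0};
    int pfd = mkstemp(pol), nfd = mkstemp(node), ok = 0;
    if (pfd >= 0 && nfd >= 0 && write(pfd, img, 4) == 4 &&
        load_policy_file(pol, node) == 0 &&
        pread(nfd, buf, sizeof buf, 0) == 4 && memcmp(buf, img, 4) == 0)
        ok = 1;
    if (pfd >= 0) { close(pfd); unlink(pol); }
    if (nfd >= 0) { close(nfd); unlink(node); }
    return ok;
}
```

A missing policy file or an unwritable load node returns -1 without leaking the map or a descriptor, which is the case the original applet did not cover.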