Packages to support the SELinux security mechanism #10664
Conversation
I haven't reviewed these in detail, but we're not accepting Python 2 packages anymore (please see the Python packages readme). I suggest compiling/packaging for Python 3.
That audit package is emitting the sync instruction for some reason. Needs to be disabled for MIPS16.
The conflict with libs/libcap-ng/Makefile resulted from Lucian Cristian independently packaging libcap-ng after Thomas Petazzoni published his work. I have since resolved this at https://github.com/flyn-org/packages/tree/selinux. I am very interested in seeing SELinux in OpenWrt, and I plan to experiment with Thomas' work this week.
@tpetazzoni, could you take a look at the work I pushed to https://github.com/flyn-org/packages/tree/selinux? I bumped some versions, and I modified things to use Python 3. See also http://lists.openwrt.org/pipermail/openwrt-devel/2020-July/030084.html. I presently have two problems:
Gah, I was on openwrt-devel, but somehow got unsubscribed on June 20, so I did not receive your e-mail. Could you Cc me in the future for SELinux-related topics?

Regarding the kernel configuration: I find it very annoying that OpenWrt's kernel configuration logic does not run "make olddefconfig" to automatically accept default values of unspecified options. Due to this, any subtle change of the kernel configuration/version might make more options visible, and therefore will require their values to be specified in OpenWrt's kernel configuration file.

Regarding the Busybox build issue: there are includes of files in /usr/include from your build machine, which doesn't look good. So it seems like enabling SELinux support has made it pick up host headers.

In any case, I'm glad someone is picking this up. I tried to push dm-verity support (for secure boot) and SELinux in OpenWrt, and got very little feedback even though it's been almost a year. It was not very encouraging to push things further, I must admit.
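A quick way to confirm the host-header leak described in the comment above, as an added example that is not code from the PR, from Busybox or from OpenWrt: scan the verbose build log (`make V=s` output) for compiler invocations or dependency lines that name the host's /usr/include as a directory of its own, while ignoring the legitimate `.../staging_dir/.../usr/include` paths, where it only appears as a suffix. The log lines in the block are constructed for illustration; the cross-compiler name and staging_dir path are assumptions.

```sh
#!/bin/sh
# Added example, not code from the PR or from OpenWrt: scan a verbose build
# log ("make V=s" output) for compiler invocations that take headers from the
# host's /usr/include instead of the target staging_dir. That is the symptom
# described above for the busybox build once SELinux support was enabled.

# Report every log line where /usr/include appears as a directory of its own
# (after -I, -isystem, "=", whitespace or at line start), while ignoring the
# legitimate .../staging_dir/.../usr/include paths, where it is only a suffix.
find_host_includes() {
    grep -nE '(^|[[:space:]=]|-I|-isystem)/usr/include(/|[[:space:]]|$)' "$1"
}

# Constructed sample log lines (not taken from a real build); the first line
# is the correct cross-compiler invocation, the other three pull in host headers.
write_sample_log() {
    cat > "$1" <<'EOF'
mipsel-openwrt-linux-musl-gcc -Os -I/home/me/openwrt/staging_dir/target-mipsel_24kc_musl/usr/include -c libbb/selinux_common.c
mipsel-openwrt-linux-musl-gcc -Os -I/usr/include -c libbb/selinux_common.c
libbb/selinux_common.o: /usr/include/selinux/selinux.h /usr/include/selinux/context.h
mipsel-openwrt-linux-musl-gcc -Os -isystem /usr/include -c coreutils/chcon.c
EOF
}

# Return 1 (as a build gate would) when any host include path is found.
check_log() {
    if find_host_includes "$1"; then
        echo "host headers leaked into the build" >&2
        return 1
    fi
    return 0
}

log="${TMPDIR:-/tmp}/build-$$.log"
write_sample_log "$log"
check_log "$log" || true   # prints the three offending lines for the reader
rm -f "$log"
```

Run it against the real log with `check_log build.log`; a non-zero exit means the target build is reaching past the toolchain's sysroot, which is exactly what the SELinux-enabled busybox build was doing.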
The busybox problem seems related to the following block in
Something sets
@jefferyto, is my branch at https://github.com/flyn-org/packages/tree/selinux okay with respect to Python 3? As far as I can tell, I have replaced the use of Python 2. @neheb, is the build of audit still emitting the sync instruction? I plan to clean the sequence of commits for merge once things settle down.
I believe so. |
@tpetazzoni, would you be willing to add me as a "collaborator" to this repository? That would allow me to re-blend my work here in a clean way and thus avoid another merge request. Also, did you ever establish a merge-request style proposal for your core OpenWrt changes through GitHub? My understanding is that you went solely with the mailing-list messages, as the core developers seem to rely on that more than GitHub. I have prepared to push the core stuff to GitHub, but I wanted to avoid duplicating work in the case you have already done that. This is taking a long time, so the record keeping of GitHub might serve us well, even if ultimately the proposal flows through the mailing list.
@flyn-org I've added you as a collaborator. Regarding the core OpenWrt changes, I did not open a pull request in GitHub, and only submitted on the mailing list. The contribution process was not clear for me: it seemed like e-mails on the mailing list were preferred, which is what I did, but then just for the openwrt-packages part, I was asked to open a pull request, which I did.
I updated this repository to base itself on the latest upstream master, and I added my further work here. |
I started a merge request at openwrt/openwrt#3207. My hope is this will be a better basis for revisions, even if we ultimately submit patches using the mailing list. @tpetazzoni, I added you as a collaborator on the source repository for the merge request, https://github.com/flyn-org/openwrt.
@tpetazzoni, did you have a reason for the use of --with-match-limit-recursion?
Currently
Also I had to install
Running
How do you plan to organize policies? Do you plan to add them as selectable packages?
@flyn-org @tpetazzoni Do you have an idea for this? Would we just add meta packages similar to LuCI translation which contain the policies? Which would be your first secured application?
As a first step, I suggest to just support the refpolicy, and have it up to users of the SELinux support in OpenWrt to tweak the refpolicy to their needs. As a second step, one could imagine reducing the refpolicy to just its base modules, and have the additional modules enabled depending on the OpenWrt packages that are enabled. This is something that is now being implemented in the Buildroot project: https://patchwork.ozlabs.org/project/buildroot/list/?series=193483
@aparcar, regarding the semanage failure, semanage requires setools, but setools requires cython to build. I do not think OpenWrt provides cython. I have a setools package patched to build without cython, but the cython portion is required by semanage. Has anyone ever proposed a cython host package for OpenWrt? I agree with @tpetazzoni on the policy work. I suspect early adopters would be happy to tweak the reference policy. I would do this myself in the beginning, and then I plan to slowly package my work for others to use. If it is okay, I would like to merge this and the work at openwrt/openwrt#3207 first, and then work on policy over a period of time.
Latest commits fix a few things and add a semodule-utils package.
Minor comments...
admin/refpolicy/Makefile (outdated)

```make
define Build/Configure
	$(SED) "/MONOLITHIC/c\MONOLITHIC = y" $(PKG_BUILD_DIR)/build.conf
	$(SED) "/NAME/c\NAME = targeted" $(PKG_BUILD_DIR)/build.conf
```
Any reason we can't use multiple -e invocations on a single sed process?
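The combined form the review asks for, as an added example and not code from the PR: both build.conf edits from the Build/Configure recipe quoted above, applied by one sed process with two -e expressions. The example uses anchored `s` substitutions instead of the recipe's `c\` form, so it rewrites only the assignment lines and stays within POSIX sed (no `-i`); the build.conf contents are a constructed stand-in, not the real refpolicy file.

```sh
#!/bin/sh
# Added example, not code from the PR: the two build.conf edits from the
# Build/Configure recipe, done by a single sed process with two -e
# expressions, as the review suggests. Anchored "s" substitutions rewrite
# only the assignment lines; output goes via a temp file, so no GNU "-i".

configure_refpolicy() {
    conf="$1"
    sed -e 's/^MONOLITHIC[[:space:]]*=.*/MONOLITHIC = y/' \
        -e 's/^NAME[[:space:]]*=.*/NAME = targeted/' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Read a "KEY = value" setting back, to verify the result.
conf_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1"
}

# Constructed stand-in for refpolicy's build.conf (only the lines that matter
# here, plus comments that must survive untouched).
write_sample_conf() {
    cat > "$1" <<'EOF'
# Policy Name
# If set, this will be used as the policy name.
NAME = refpolicy

# Build monolithic policy.  Putting n here
# will build a loadable module policy.
MONOLITHIC = n
EOF
}

conf="${TMPDIR:-/tmp}/build.conf.$$"
write_sample_conf "$conf"
configure_refpolicy "$conf"
echo "NAME=$(conf_get "$conf" NAME) MONOLITHIC=$(conf_get "$conf" MONOLITHIC)"
rm -f "$conf"
```

In the Makefile the same thing is one `$(SED)` call with both `-e` expressions followed by `$(PKG_BUILD_DIR)/build.conf`; the temp-file dance is only needed outside OpenWrt's `$(SED)` wrapper, which already edits in place.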
@flyn-org please rebase this PR to make use of the newly added CI :)
@aparcar, running CI now.
LGTM - thanks!
```make
  SECTION:=lang
  CATEGORY:=Languages
  SUBMENU:=Python
  TITLE:=Python package for creating and manipulating graphs and networks
```

Suggested change:

```diff
-  TITLE:=Python package for creating and manipulating graphs and networks
+  TITLE:=Creating and manipulating graphs and networks
```
Not a big issue, but the title is probably a bit too long for menuconfig.
Time to switch to nconfig :)
Fixed.
@aparcar, CI is failing after this superficial change. Is the CI system okay?
In lang/python/python3-networkx/Makefile:
> +PYPI_NAME:=networkx
+PKG_HASH:=7978955423fbc9639c10498878be59caf99b44dc304c2286162fd24b458c1602
+
+PKG_LICENSE:=BSD-3-clause
+PKG_LICENSE_FILES:=LICENSE.txt
+PKG_MAINTAINER:=W. Michael Petullo ***@***.***>
+
+include ../pypi.mk
+include $(INCLUDE_DIR)/package.mk
+include ../python3-package.mk
+
+define Package/python3-networkx
+ SECTION:=lang
+ CATEGORY:=Languages
+ SUBMENU:=Python
+ TITLE:=Python package for creating and manipulating graphs and networks
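Review bot: the `PKG_LICENSE:=BSD-3-clause` line should carry the SPDX identifier `BSD-3-Clause` (capital C); OpenWrt package metadata uses SPDX license identifiers, and the lowercase spelling is not one. The source pin via `PKG_HASH` and the `pypi.mk`/`python3-package.mk` includes look fine.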
It would be really nice if someone would write (or point to) detailed build instructions on either a wiki page and/or blog post.

I tried building an x86_64 image last week using these instructions: openwrt/openwrt#3207 (comment)

I was unable to complete because I probably configured some features wrong. For example I was unable to compile newrole with PAM and Audit support https://lore.kernel.org/selinux/20200901110452.386724-1-dominick.grift@defensec.nl/ and once I got around that I hit issues with busybox-selinux

The above is most likely because I selected a wrong combination of options in menuconfig. This was probably because the instructions (especially with regard to features to enable) were inaccurate (at least incomplete).

--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
Sorry that's on my todo list, I'll try to write something useful up tomorrow!
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> [strip library after adding it to openwrt repository] Signed-off-by: W. Michael Petullo <mike@flyn.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> [strip C library after adding it to openwrt repository] Signed-off-by: W. Michael Petullo <mike@flyn.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> [strip C library after adding it to openwrt repository] Signed-off-by: W. Michael Petullo <mike@flyn.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com> [update to 3.1, make use of Python 3, and update dependencies] Signed-off-by: W. Michael Petullo <mike@flyn.org>
Signed-off-by: W. Michael Petullo <mike@flyn.org>
Signed-off-by: W. Michael Petullo <mike@flyn.org>
Signed-off-by: W. Michael Petullo <mike@flyn.org>
I wrote a short blog post on how to enable SELinux in its current state:
I rebased the PR running the CI in my fork and everything compiles fine except
So for
@aparcar, @jefferyto, @tpetazzoni, @dangowrt, and everyone else: thank you for helping to see this through!
The journey is not yet quite over, please stay tuned for further adventures on SELinux
@neheb, I should be able to fix the build failure today. I will create a separate merge request.
And thanks a lot to you for finishing the work and pushing it upstream! Really happy to see that this hasn't been just left aside forever.
@flyn-org just noticed that semodule-utils has a host build - is there a reason why this is necessary? |
I don't see any evidence that the host package is needed. Neither semodule_package, semodule_link, nor semodule_expand appear in any of the other package Makefiles. @tpetazzoni, what do you think? |
This patch series integrates a number of additional user-space packages for the various components that are needed to have SELinux support in OpenWrt. It has been sent on the OpenWrt mailing list already, together with another patch series for the core OpenWrt, with other related SELinux changes. But those packages are what is needed first to bring SELinux support in OpenWrt.