Policy for Embedded Machine

Stephen Smalley sds at tycho.nsa.gov
Fri Feb 20 19:18:47 UTC 2009


On Wed, 2009-02-18 at 10:19 -0600, Spann, John W. wrote:
> All,
> 
> I am working with a 2.6.27.14 kernel on an embedded PowerPC 440 board.
> Aside from the operating system and some drivers and libraries, there
> will be a few custom applications written which I will need to write
> policy for. 
> 
> I am looking for the best policy writing approach for the environment.
> Seems like I could take the latest policy distributed with Fedora and
> start ripping out stuff or start with nothing and build up. Not having
> written much policy yet, I am seeking advice on the best approach. 
> 
> I also have read about SELinux Policy Editor (SEEdit) and wonder if this
> might be a good approach for a new policy writer. 
> 
> Thoughts...

Interestingly, Dan Walsh has created a selinux-policy-minimum package as
a stripped down version of the Fedora targeted policy for this kind of
usage.  See:
http://danwalsh.livejournal.com/26759.html

So that is an option, although you may wish to further prune it for your
needs and you likely want to just build the monolithic policy for your
embedded system and dispense with the overhead of the modular policy in
such an environment.

However, starting from anything based on the reference policy (all of
the Fedora policies are built from the reference policy) locks you into
its particular dependencies and its (fine) granularity of domains and
types, and pruning it can be difficult.  And I'm not sure how much of
the refpolicy is relevant to an embedded system.  So my preferred option
would be to start from "scratch" and build up so that you can tailor the
policy to the precise functionality and security goals of the embedded
system.  

To jump-start that process, you can generate the absolute minimum policy
(called the dummy policy) required to boot your kernel, define a single
security context, and allow that context to do everything by running the
scripts/selinux/mdp/mdp program in the kernel source tree - see
Documentation/SELinux.txt and scripts/selinux in the kernel tree. The
difference in sizes is substantial; Fedora's selinux-policy-minimum
yields a ~640K binary kernel policy file, while the dummy policy
generated by mdp from the kernel tree yields a ~9K binary kernel policy
file.  Of course, you would then need to extend that dummy policy by
hand to actually do anything useful with it.

SEEdit is an option, and you may wish to try it as well, but be careful
to examine the end result (i.e. the actual policy.conf that it generates
as output, not just the simplified policy language statements) and see
whether it actually meets the security goals you intended.  I haven't
used it.  I'm not sure it is still actively being developed.

You may want to read over http://elinux.org/SELinux to see what the
Japanese SELinux community has done in the past with regard to embedded
SELinux, although I don't believe that such work is still ongoing.

-- 
Stephen Smalley
National Security Agency
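As an added illustration of the advice above to inspect the actual policy.conf rather than trust a generator's simplified statements (this is example code, not from the thread, the kernel's mdp tool, or SEEdit), a small Python check that scans the allow rules of a monolithic policy.conf for wildcard or complement permission sets. The sample policy text is constructed: a dummy-style base domain allowed everything, plus hand-written rules for one application domain.

```python
import re

# Constructed sample (not real mdp or SEEdit output): a dummy-style base domain
# allowed everything, followed by hand-written rules for one application domain.
SAMPLE_POLICY_CONF = """
type base_t;
type app_t;
type app_exec_t;
type app_data_t;
allow base_t base_t:{ file dir process } *;
allow base_t { app_t app_data_t }:file ~{ execute };
# hand-written rules for the custom application domain
allow app_t app_exec_t:file { read execute entrypoint };
allow app_t app_data_t:file { read write getattr };
allow app_t self:process { fork sigchld };
allow app_t app_data_t:dir
    { search getattr };
"""

# One identifier or a brace-delimited set; the perms field may also be '*' or a ~set.
_ITEM = r"\{[^}]*\}|[^\s{}:;]+"
ALLOW_RE = re.compile(
    rf"(?<!\w)allow\s+({_ITEM})\s+({_ITEM})\s*:\s*({_ITEM})\s+(\*|~\s*(?:{_ITEM})|{_ITEM})\s*;"
)

def _split_set(token):
    """Turn 'a' or '{ a b }' into a list of names."""
    token = token.strip()
    return token.strip("{}").split() if token.startswith("{") else [token]

def parse_allow_rules(policy_conf):
    """Return (sources, targets, classes, perms) for every allow rule; comments are dropped."""
    text = re.sub(r"#.*", "", policy_conf)
    return [(_split_set(s), _split_set(t), _split_set(c), p.strip())
            for s, t, c, p in ALLOW_RE.findall(text)]

def audit_allow_rules(policy_conf):
    """Flag (source, target, class, reason) for rules granting '*' or a '~' complement set."""
    findings = []
    for srcs, tgts, classes, perms in parse_allow_rules(policy_conf):
        if perms == "*":
            reason = "grants every permission"
        elif perms.startswith("~"):
            reason = "grants everything except " + perms.lstrip("~").strip("{} ")
        else:
            continue
        findings.extend((s, t, c, reason) for s in srcs for t in tgts for c in classes)
    return findings
```

Run `audit_allow_rules` over the policy.conf you intend to compile; every finding is a domain whose access is bounded only by the object classes named, which is exactly what you expect from the dummy policy and exactly what should not survive into the hand-extended version.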
