[Buildroot] SELinux Buildroot Additions
clshotwe at rockwellcollins.com
Tue Aug 27 18:56:28 UTC 2013
Thomas,
Thomas Petazzoni <thomas.petazzoni at free-electrons.com> wrote on 08/27/2013
01:25:05 PM:
> Can you expand on what is the huge issue between Busybox and the
> SELinux Refpolicy? The fact that the Refpolicy doesn't include a policy
> for Busybox? If so, isn't it possible to contribute a policy that would
> be suitable for usage with Busybox? A quick Google search returns
> http://code.google.com/p/sebusybox/.
Since Busybox is one executable that runs a bunch of different commands,
there is an issue with the SELinux type transitions happening correctly.
Programs, including init, end up running in an incorrect context and break
SELinux rules. A policy could probably be created to let Busybox do what
it needs to do but then that opens up the issue of having one application
do everything. A lot of potential security vulnerabilities can be blocked
by having a bunch of different applications that cannot all be compromised
at once. It would be really easy to use Busybox if it were possible to
build separate executables for security-critical applications, but I don't
think that feature is available yet.
The packages that I will be adding are all from Tresys (
http://userspace.selinuxproject.org/trac/). I looked into the sebusybox
stuff a while ago but it looks like no one has done any development on it
in a while.
Thanks,
Clayton
Clayton Shotwell
Software Engineer
clshotwe at rockwellcollins.com
www.rockwellcollins.com
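
Added example, not part of the original message or of Buildroot, Busybox or the Refpolicy: a toy model of the exec-time type transition problem described above, comparing applets symlinked to one Busybox binary with separate, individually labelled executables. The type names, paths and rules are assumptions chosen for illustration, and permission checks are left out.

```python
# Toy model of SELinux exec-time domain transitions (added illustration).
# Type names and paths are assumptions; permission checks are omitted.
import posixpath

# type_transition <source domain> <exec file type> : process <new domain>
TYPE_TRANSITIONS = {
    ("kernel_t", "init_exec_t"): "init_t",
    ("sysadm_t", "passwd_exec_t"): "passwd_t",
}

def resolve(fs, path):
    """Follow symlinks until a regular file is reached; return its path."""
    seen = set()
    while "link" in fs[path]:
        if path in seen:
            raise ValueError("symlink loop at " + path)
        seen.add(path)
        base = posixpath.dirname(path)
        path = posixpath.normpath(posixpath.join(base, fs[path]["link"]))
    return path

def domain_after_exec(fs, domain, path):
    """The label that counts is the resolved file's, not the symlink's name."""
    file_type = fs[resolve(fs, path)]["type"]
    # No matching rule: the process stays in the caller's domain.
    return TYPE_TRANSITIONS.get((domain, file_type), domain)

def shared_executables(fs, paths):
    """Group command paths by the real file they execute."""
    groups = {}
    for p in paths:
        groups.setdefault(resolve(fs, p), []).append(p)
    return {target: names for target, names in groups.items() if len(names) > 1}

# Constructed layout: every applet is a symlink to one Busybox binary.
BUSYBOX_FS = {
    "/bin/busybox": {"type": "bin_t"},
    "/sbin/init": {"link": "../bin/busybox"},
    "/usr/bin/passwd": {"link": "../../bin/busybox"},
}
# Constructed layout: separate executables, each with its own file type.
SEPARATE_FS = {
    "/sbin/init": {"type": "init_exec_t"},
    "/usr/bin/passwd": {"type": "passwd_exec_t"},
}

if __name__ == "__main__":
    for name, fs in (("busybox", BUSYBOX_FS), ("separate", SEPARATE_FS)):
        print(name, domain_after_exec(fs, "kernel_t", "/sbin/init"))
```

In the Busybox layout both commands resolve to a file with one label, so no per-command rule can match and the process stays in the caller's domain; relabelling that one file would give every applet the same domain instead.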