<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi Anton,</p>
<p>I brought in the meta-selinux layer, which enables the selinux
framework on obmc-phosphor-image, and it increases the size of the
image by 18MB.</p>
<p>This layer enables the linux kernel support for selinux framework
and brings in a lot of tools and scripts.<br>
Just to name a few, the layer comes with binaries like</p>
<p>- getenforce<br>
- setenforce<br>
- semanage<br>
- sestatus<br>
- audit2why<br>
- audit2allow<br>
- restorecon<br>
- chcon</p>
<p>It also brings in various scripts that would help to label the
entire system during the first boot.</p>
<p>While a lot of these binaries may be only required by the developer
during the initial phase of selinux enablement and not by the end
customer.</p>
<p>I need to spend a little more time to see what we can remove from
the layer. <br>
</p>
<p>My suggestion is we can defer this size work for later and start
working on how selinux can help in openBMC security.</p>
<p>We would be publishing the se-linux use cases in a week. <br>
</p>
<p>Manoj is working with me on bringing down the size of se-linux
layer.<br>
</p>
<p>Regards</p>
<p>Ratan<br>
</p>
<div class="moz-cite-prefix">On 4/5/20 6:58 PM, Anton Kachalov
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CADVsX8-r8ebFydQJgGQ=C7sTFVQmxk_vFinbRi2kkJ5skRgXcA@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Hello, Ratan.
<div><br>
</div>
<div>Would you mind breaking down the estimation, curious about
what brought up 18MB when enabling SELinux.</div>
<div>Precompiled rules in Android took 3MB on average.</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, 1 Apr 2020 at 16:22,
Ratan Gupta &lt;<a href="mailto:ratagupt@linux.vnet.ibm.com"
moz-do-not-send="true">ratagupt@linux.vnet.ibm.com</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi
Joseph,<br>
<br>
We did some POC around selinux, will share the detailed
use-cases with <br>
selinux which can be useful in openbmc stack.<br>
<br>
selinux is taking around 18MB space on flash, is it a concern?<br>
<br>
Regards<br>
<br>
Ratan<br>
<br>
On 3/31/20 9:51 PM, Joseph Reynolds wrote:<br>
> This is a reminder of the OpenBMC Security Working Group
meeting <br>
> scheduled for this Wednesday April 1 at 10:00am PDT.<br>
><br>
> We'll discuss current development items, and anything
else that comes up.<br>
><br>
> The current topics:<br>
><br>
> 1. SELinux or AppArmor plans<br>
><br>
> Access, agenda, and notes are in the wiki:<br>
><br>
> <a
href="https://github.com/openbmc/openbmc/wiki/Security-working-group"
rel="noreferrer" target="_blank" moz-do-not-send="true">https://github.com/openbmc/openbmc/wiki/Security-working-group</a><br>
><br>
> - Joseph<br>
><br>
<br>
</blockquote>
</div>
</blockquote>
</body>
</html>