Security Working Group - Wednesday April 1

Ratan Gupta ratagupt at linux.vnet.ibm.com
Mon Apr 6 21:24:08 AEST 2020


Hi Anton,

I brought  the meta-selinux layer, that enables the selinux framework on 
obmc-phosphor-image and it increases the size of the image by 18MB.

This layer enables the linux kernel support for selinux framework and 
brings in a lot of tools and scripts.
Just to name a few,layer comes with binaries like

- getenforce
- setenforce
- semange
- sestatus
- audit2why
- audit2allow
- restorecon
- chcon

It also brings in various scripts that would help to label the entire 
system during the first boot.

While lot of these binaries may be only required by the developer during 
the inital phase if selinux enablement and not to the end customer.

I need to spend a little more time to see what can we remove form the 
layer.

My suggestion is  we can defer this size work for later and start 
working on how selinux can help in openBMC security.

We would be publishing the se-linux use cases in a week.

Manoj is working with me on bringing down the size of se-linux layer.

Regards

Ratan

On 4/5/20 6:58 PM, Anton Kachalov wrote:
> Hello, Ratan.
>
> Would you mind breaking down the estimation, curious about what 
> brought up 18MB when enabling SELinux.
> Precompiled rules in Android took 3MB on average.
>
> On Wed, 1 Apr 2020 at 16:22, Ratan Gupta <ratagupt at linux.vnet.ibm.com 
> <mailto:ratagupt at linux.vnet.ibm.com>> wrote:
>
>     Hi Joseph,
>
>     We did some POC around selinux, will share the detailed use-cases
>     with
>     selinux which can be useful in openbmc stack.
>
>     selinux is taking around 18MB space on flash, Is it a concern?
>
>     Regards
>
>     Ratan
>
>     On 3/31/20 9:51 PM, Joseph Reynolds wrote:
>     > This is a reminder of the OpenBMC Security Working Group meeting
>     > scheduled for this Wednesday April 1 at 10:00am PDT.
>     >
>     > We'll discuss current development items, and anything else that
>     comes up.
>     >
>     > The current topics:
>     >
>     > 1. SELinux or AppArmor plans
>     >
>     > Access, agenda, and notes are in the wiki:
>     >
>     > https://github.com/openbmc/openbmc/wiki/Security-working-group
>     >
>     > - Joseph
>     >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ozlabs.org/pipermail/openbmc/attachments/20200406/8b86eb8f/attachment.htm>


More information about the openbmc mailing list