Hi All,
This is my first post here, so please let me know if this is the correct group.
I am starting to learn about SELinux for one of our internal projects.
The ROOT_FS of the planned project is supposed to be RAMFS. I don't have much experience with SELinux, hence:
1) Can the team share any comments / risks / feedback w.r.t. RAMFS?
2) Is there any specific module / functionality that I should look at to have default SELinux supported with RAMFS?
3) Or can default SELinux handle the storage of the required tags / contexts by default on the available filesystem (RAMFS) in our case?
I was planning to have the "targeted" policy enabled by default.
Thanks, Ashish Kumar Mishra.
On Mon, Oct 5, 2020 at 7:31 AM Ashish Mishra ashishm@mvista.com wrote:
> Hi All,
> This is my first post here, so please let me know if this is the correct group.
> I am starting to learn about SELinux for one of our internal projects.
> The ROOT_FS of the planned project is supposed to be RAMFS. I don't have much experience with SELinux, hence:
> 1) Can the team share any comments / risks / feedback w.r.t. RAMFS?
Well, ramfs doesn't support extended attributes, so it wouldn't be possible to label individual files. They would all be labeled as "system_u:object_r:ramfs_t:s0". So I think such a system likely wouldn't work with SELinux + stock Fedora policy.
Any chance you could use tmpfs instead of ramfs? It has xattr support, so it could work fine (or at least should be easier to get to work :).
> 2) Is there any specific module / functionality that I should look at to have default SELinux supported with RAMFS?
> 3) Or can default SELinux handle the storage of the required tags / contexts by default on the available filesystem (RAMFS) in our case?
> I was planning to have the "targeted" policy enabled by default.
> Thanks, Ashish Kumar Mishra.
-- Ondrej Mosnacek Software Engineer, Platform Security - SELinux kernel Red Hat, Inc.
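A quick way to check the point made in the reply above on a candidate image (an added example, not part of the original thread): with SELinux enabled, the kernel lists `seclabel` among a mount's options in `/proc/mounts` when that filesystem supports per-file labels. The `label_support` helper and both sample mount tables are constructed for illustration.

```shell
#!/bin/sh
# Constructed /proc/mounts-style samples (not captured from a real system).
# The first "/" line is the initial rootfs; the later "/" line is mounted
# over it and is the root the running system actually sees.
RAMFS_ROOT='rootfs / rootfs rw 0 0
none / ramfs rw,relatime 0 0
tmpfs /run tmpfs rw,seclabel,nosuid,nodev,mode=755 0 0'

TMPFS_ROOT='rootfs / rootfs rw 0 0
none / tmpfs rw,seclabel,relatime,size=262144k 0 0
tmpfs /run tmpfs rw,seclabel,nosuid,nodev,mode=755 0 0'

# label_support MOUNTPOINT   (mount table in /proc/mounts format on stdin)
# Prints "<fstype> per-file-labels" and returns 0 when the visible mount
# carries the seclabel option, "<fstype> single-label" and returns 1 when it
# does not (every file then shares the filesystem's one context), and
# "not-mounted" with status 2 when nothing is mounted at MOUNTPOINT.
# Assumes SELinux is enabled; on a kernel without it no mount shows seclabel.
label_support() {
    awk -v mp="$1" '
        # Later entries for the same mountpoint cover earlier ones,
        # so keep only the last match.
        $2 == mp { fstype = $3; opts = $4; found = 1 }
        END {
            if (!found) { print "not-mounted"; exit 2 }
            # Match seclabel as a whole comma-separated option.
            if (("," opts ",") ~ /,seclabel,/) {
                print fstype, "per-file-labels"; exit 0
            }
            print fstype, "single-label"; exit 1
        }'
}

# Demo on the constructed samples. On a live system, run:
#   label_support / < /proc/mounts
for sample in "$RAMFS_ROOT" "$TMPFS_ROOT"; do
    printf '%s\n' "$sample" | label_support / || true
done
```
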
Hi Ondrej,
Thanks for sharing valuable information.
1) Since it's in an evaluation state, we might have a chance to look at tmpfs options. *Can you please share some pointers on this option?*
2) Worst case scenario, if we can't go ahead with a tmpfs approach..
a) Are there any specific files / directories or services that might create a problem?
Or if b) Any way we can customize STOCK Fedora policies (so that they can work with RAMFS) (*I can sense that this option might be complex, time-consuming & risky*. But in case ramfs is mandatory, at least we will know the effort & plan the schedule accordingly)
Thanks for sharing the comment, as it has definitely saved us some time & will help us to use Fedora in a better way.
Thanks, Ashish Kumar Mishra
On Mon, Oct 5, 2020 at 2:02 PM Ashish Mishra ashishm@mvista.com wrote:
> Hi Ondrej,
> Thanks for sharing valuable information.
> 1) Since it's in an evaluation state, we might have a chance to look at tmpfs options. Can you please share some pointers on this option?
It should be pretty much a "drop in replacement" for ramfs, it just has a couple more filesystem features (including the extended attributes needed by SELinux). It will probably have a bit higher per-file memory overhead though.
It would be helpful if you could share why you want to use ramfs as the root filesystem? Is it just to have a fast I/O? If all your files fit into RAM, then the disk cache should already hold all used files in memory anyway. And obviously you'll have to load the files initially from some storage anyway, no? And how are you going to handle software updates?
> 2) Worst case scenario, if we can't go ahead with a tmpfs approach.. a) Are there any specific files / directories or services that might create a problem?
Well, now that I think about it a little bit deeper, I think without a way to label (system) files, you'd pretty much lose the security advantages of SELinux completely. Because if you can't label the binaries, then you also can't have (automatic) type transitions, so in the end all your system would run as a single domain, making SELinux entirely pointless.
> Or if b) Any way we can customize STOCK Fedora policies (so that they can work with RAMFS) (I can sense that this option might be complex, time-consuming & risky. But in case ramfs is mandatory, at least we will know the effort & plan the schedule accordingly)
Well, you could probably create your own minimal policy that would allow booting and running such a system, but as I said above there would be no point in using SELinux at all then. I mean, you could probably selectively "sandbox" some programs using dynamic transitions, but that would require both modifying the programs and writing the policy from scratch...
So I strongly recommend using tmpfs instead of ramfs. Ramfs is simply too minimal for SELinux and probably doesn't give you any practical advantage over tmpfs anyway.
> Thanks for sharing the comment, as it has definitely saved us some time & will help us to use Fedora in a better way.
> Thanks, Ashish Kumar Mishra
Hi Ondrej,
Thanks for sharing your valuable inputs.
The project we are targeting is along the lines of a hardware security module which will be plug and play.
It's not expected to access NAND as one of the features which the customer has. I might not be in a position to share specifics, hope you understand. We are still in the evaluation phase and hence things are scattered here.
Will check the options you suggested and revert back to you. If there are any links / discussions on tmpfs that can be shared with me, that would be a great help.
Thanks, Ashish Kumar Mishra.