4

I am working on an appliance device running Linux. I would like to utilize the work done so far with the targeted policy in SELinux space. Since I own everything that should be installed and running on this system I will know exactly what applications will be running at any given time.

I don't want to re-write a full SELinux policy from scratch and instead I'd like to have the targeted policy moved into a "strict" policy to enable application white-listing and process control.

Then just write the policies for my newly created services that aren't part of the targeted policy.

How would I do that?

IguyKing

1 Answer

1

Disable or remove the "unconfined" module.

Reference policy is, in my view, not optimal for embedded systems, or appliances with exotic requirements, as it is written in the old module language. This module language is, unlike the name implies, not so modular in practice.

You will end up with a much bigger policy than strictly needed.

I wrote a base and minimal policy model that leverages the new SELinux Intermediate policy language. The minimal policy was designed for just this purpose: to provide policy to build on top of and to make as few assumptions as possible.

This allows for a smaller policy that builds faster and requires fewer resources.

DSSP2-minimal is DSSP2-base with an additional "minimal.cil" module to make it "just" work. That means that the sole process type is made unconfined. Just excluding the "minimal.cil" module, either by removing it from the makefile or by running semodule -d minimal, will give you a policy with as few rules as possible, and even the rules that are in there can easily be removed.

The policy is not perfect, and it requires knowledge of the CIL language to leverage it, but in my view it could be an ideal base for any project with exotic requirements.

https://github.com/DefenSec/dssp2-minimal
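
A check to run after removing the unconfined rules, given here as an added example that is not part of the answer above or of DSSP2: it reads `ps -eZ` output and reports every process still running in an unconfined domain. The function names are hypothetical, the type names `unconfined_t` and `unconfined_service_t` are an assumption about what your policy defines, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: list processes whose SELinux domain is in an "unconfined" set.
# Input: lines in `ps -eZ` format (LABEL PID TTY TIME CMD) on stdin.
# UNCONFINED_TYPES is an assumed list; adjust it to the types your policy defines.
UNCONFINED_TYPES="${UNCONFINED_TYPES:-unconfined_t unconfined_service_t}"

# Print "PID TYPE CMD" for every process whose domain type is in the list.
unconfined_procs() {
    awk -v types="$UNCONFINED_TYPES" '
        BEGIN { n = split(types, t, " "); for (i = 1; i <= n; i++) bad[t[i]] = 1 }
        {
            # A label is user:role:type[:level]; the domain type is field 3.
            # The header line and blank lines have fewer fields and are skipped.
            if (split($1, ctx, ":") < 3) next
            if (ctx[3] in bad) print $2, ctx[3], $NF
        }'
}

# Return 0 when no process is unconfined, 1 otherwise (offenders go to stderr).
audit_unconfined() {
    found=$(unconfined_procs)
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found" >&2
    return 1
}

# Constructed sample of `ps -eZ` output, not taken from a real system.
sample_ps() {
cat <<'EOF'
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:02 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023 812 ? 00:00:00 sshd
system_u:system_r:unconfined_service_t:s0 1377 ? 00:00:05 applianced
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2045 pts/0 00:00:00 bash
EOF
}

# Demo on the constructed sample; on a live system use: ps -eZ | audit_unconfined
sample_ps | unconfined_procs
```

On an appliance where every service is supposed to have its own domain, a non-zero exit from `ps -eZ | audit_unconfined` points at the services that still need a policy module written.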