Do you have an OpenWrt One device and a bit of time to help out? I would really appreciate any help testing selinux-policy v2 on an OpenWrt One device.
I made it as easy as I can for you. You can either download a ready-to-use sysupgrade image[1] or you can follow the instructions to build the image yourself[2].
Testing is simple. Just try as much functionality as you can, monitor dmesg and logread with `dmesg | grep denied` and `logread | grep denied`.
If and when the above commands return then please report to me the exact lines and what you were doing.
The more functionality and scenarios tested the better.
You can provide feedback in multiple ways:
- reply with feedback in this forum thread.
- reply with feedback in this mailing list thread.
- query grift on irc (oftc/#openwrt, oftc/#openwrt-devel, liberachat/#selinux)
- send e-mail to dominick.grift@defensec.nl
[1] https://www.defensec.nl/~kcinimod/stuff/openwrt-mediatek-filogic-openwrt_one-squashfs-sysupgrade.itb
[2] https://git.defensec.nl/?p=selinux-policy.git;a=blob;f=README;h=512667d6a9c4cf2514aaf137921aaab845574eaa;hb=refs/heads/next
I am trying to contain damage caused by potential flaws in, and misconfiguration of, long-running services often facing the network and their dependencies. Continuity is the key for any environment. The policy model is very modest I admit. The kernel, init, root shell, cron and package manager are not targeted. Currently around 50 agents are targeted, most of which are tools that targeted longer-running services depend on.
The focus is on a selection of core components and on providing a solid base to build on top of. The assumption is that the system will be tailored and will be running additional services that may need to be contained. You need a solid base for that. Companies developing devices based on OpenWrt can enjoy a solid base to build on top of. Continuity, integrity and easy to tailor but the focus is limited because there are constraints.
Currently I am targeting OpenWrt One and at this stage only the snapshot image minus LuCI simply to focus on a solid base. If you target a specific device with the smallest set of software then that helps reduce distraction. Once OpenWrt One with base snapshot is solid then I personally will move on to my Linksys MR8300 because that is the device I use for my connectivity. I will then also deal with LuCI and some other optionals, but for now I want to have this working on the OpenWrt One reference model and development platform. The goal is to be at least on par with the current version of selinux-policy in OpenWrt but preferably better and future-proof.
Eventually I will probably publish the build instructions and a simple development guide on the Wiki here at OpenWrt. This README version is a stop-gap measure. I will work on it.
Needless to say, aside from testing, auditing is also very much appreciated.
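The dmesg/logread monitoring step from the post, as an added example that is not part of the original post or of the selinux-policy project: it keeps the exact denial lines for the report and prints a de-duplicated summary. The function names are hypothetical, the sample log is constructed, and it assumes the image's BusyBox provides grep, awk and sort.

```shell
#!/bin/sh
# Added example: summarize SELinux AVC denials for a test report.

# Exact denial lines, unmodified (these are what the report should quote).
avc_denials() {
    grep -E 'avc: +denied'
}

# One line per distinct denial:
#   "<count> <comm> <scontext> -> <tcontext> <tclass> { perms }"
# An event present in both dmesg and logread carries the same
# audit(time:serial) stamp and is counted once.
avc_summary() {
    avc_denials | awk '
    {
        if (match($0, /audit[(][0-9.:]+[)]/)) {
            id = substr($0, RSTART, RLENGTH)
            if (seen[id]++) next
        }
        perms = comm = s = t = c = ""
        if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART, RLENGTH)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     comm = substr($i, 6)
            if ($i ~ /^scontext=/) s = substr($i, 10)
            if ($i ~ /^tcontext=/) t = substr($i, 10)
            if ($i ~ /^tclass=/)   c = substr($i, 8)
        }
        n[comm " " s " -> " t " " c " " perms]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Constructed sample input: contexts, names and numbers are made up.
sample_log() {
    cat <<'EOF'
[   41.100000] audit: type=1400 audit(1700000000.100:10): avc:  denied  { read } for  pid=901 comm="exampled" name="example.conf" dev="ubifs" ino=77 scontext=system_u:system_r:exampled_t tcontext=system_u:object_r:etc_t tclass=file permissive=0
Thu Jan  1 00:00:42 2026 kern.notice kernel: [   41.100000] audit: type=1400 audit(1700000000.100:10): avc:  denied  { read } for  pid=901 comm="exampled" name="example.conf" dev="ubifs" ino=77 scontext=system_u:system_r:exampled_t tcontext=system_u:object_r:etc_t tclass=file permissive=0
[   48.300000] audit: type=1400 audit(1700000007.300:11): avc:  denied  { read } for  pid=915 comm="exampled" name="example.conf" dev="ubifs" ino=77 scontext=system_u:system_r:exampled_t tcontext=system_u:object_r:etc_t tclass=file permissive=0
[   55.200000] audit: type=1400 audit(1700000014.200:12): avc:  denied  { name_bind } for  pid=950 comm="otherd" src=8080 scontext=system_u:system_r:otherd_t tcontext=system_u:object_r:port_t tclass=tcp_socket permissive=0
[   60.000000] br-lan: port 1(eth0) entered forwarding state
EOF
}

# On the device: { dmesg; logread; } | avc_summary
```

A `comm` value containing spaces would be split by the field loop, so quote the raw line from `avc_denials` in the report rather than the summary line.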