SELinux GSoC '08 Project Update
vandevwa at jmu.edu
Fri Jul 4 21:59:05 CEST 2008
-----BEGIN PGP SIGNED MESSAGE-----
I am the GSoC student working on the SELinux project.
The URL for the projectpage is
http://code.google.com/p/selinux-openmoko (recently ported
fromprojects.openmoko.org) if this status report leaves you wanting
- - - - -----------
A mobile device is, by nature, a single user device. As a design
consequence, many Linux based mobile devices run all processes as
root. Obviously, this presents an attacker with lots of opportunities
for privilege escalation.
Design a simplified "targeted" SELinux policy to sandbox system
daemons on the OpenMoko device. This policy could
prevent privilege escalation and improve overall security on a mobile
There are two main phases to the project. The first is porting SELinux
on to the device (this will eventually become a package available
through opkg) and the second is developing the "targeted" policy
The first phase is almost complete. It has taken a lot longer than I
had anticipated =)).
What has been completed so far:
- The required SELinux tools and library binaries have been
built (using the OpenMoko tool chain)
- SELinux enabled kernel is running
- SELinux will run on the device (it doesn't enforce the policy though)
What needs to be done:
- there is an error relabeling the filesystem. This is
preventing the policy from being enforced.
As mentioned before, the second part of the project is developing and
testing the "targeted" policy itself. Currently, there is a bare bones
targeted policy in the SVN repo which should compile correctly on the
device (see the wiki for installation details). The next step in
policy development will be adding on to this basic policy. The daemon
we will be focusing on is dbus.
- - - - -----------------------
That about sums it up. The wiki on the project page is updated
regularly if you want to stay current with the status of the project.
*Hopefully* a beta build will be ready pretty soon =). I will send out
an announcement when it is.
- - - Willis
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
-----END PGP SIGNATURE-----
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the openmoko-devel