Re: Enabling SELinux in an application #selinux

Khem Raj

On 4/21/20 11:50 AM, wrote:
I am with The Middleby Corporation.  We manufacture a wide variety of
commercial ovens, ice machines, coffee brewers, microwaves, soft-serve
machines and virtually anything you’d find in a commercial restaurant
kitchen.  Much of our equipment has a touch-screen display on it – often
4.3” to 10.1” in size.  This is part of an embedded control system that
includes a separate I/O board to talk to motors, heating elements, etc. 
The touch-screen control are most often running Yocto Linux with a QT or
similar application running on top of Linux.  Recently, we have been
asked to explore enabling SELinux security provisions in our
applications.  In speaking with several of our vendors, they all
indicated they don’t generally need to enable SELinux and have never
done so in the past.  

I now know what SELinux is, but I can’t get a good answer if it even is
needed to be enabled on a touch-screen application on equipment that a
16 year old kid generally operates.  We often do have USB ports on our
equipment for software updates and some is connected to the internet as
well, but I still don’t see how the security access provisions in
SELinux are needed for our application. 
Generally devices having ports, or being connected to Internet can
become a door to your network and cause some serious damage, so you
sould assess the security needs for your devices, I would think. As far
as technologies needed to achieve security needs SELinux is one of many
options, you have apparmor, tomoyo, and other MAC technologies, and I
would think you should do some experiments to see which of these will
fit your needs to manage MAC. Then there are other methods to address
security concerns.

Lastly, I'm not a programmer. I manage the business end of all of
Middleby's electronic controls, so the aim of this message is to ask for
general guidance regarding the need for SELinux or not.
I would think you need security, SELinux is one cog in the wheel and
there are other options, I would think doing some proof of concept
within your setups after you have done some security analysis, would be
the steps to take.

Join to automatically receive all group messages.