[meta-freescale] Cannot enable selinux with imx6ULL. Why?

Stefano Cappa stefano.cappa.ks89 at gmail.com
Mon Oct 29 02:58:15 PDT 2018 

Ok. Yes I created a custom layer with recipes-kernel/linux folders and
inside these files:
- linux-imx_4.9.88.bbappend
- linux-imx_selinux.inc
- linux-imx/selinux.cfg (taken as it is from meta-selinux layer)

The content of linux-imx_4.9.88.bbappend is:

FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"

SRC_URI += "\
"

require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux',
'${BPN}_selinux.inc', '', d)}


The content of linux-imx_selinux.inc is:

FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"

# Enable selinux support in the kernel if the feature is enabled
SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux',
'file://selinux.cfg', '', d)}"


And selinux.cfg is:

CONFIG_AUDIT=y
CONFIG_NETWORK_SECMARK=y
CONFIG_EXT2_FS_SECURITY=y
CONFIG_EXT3_FS_SECURITY=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_JFS_SECURITY=y
CONFIG_REISERFS_FS_SECURITY=y
CONFIG_JFFS2_FS_SECURITY=y
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_AUDIT_GENERIC=y

Am I missing something?

Thank you.



Il sab 27 ott 2018, 20:10 Otavio Salvador <otavio.salvador at ossystems.com.br>
ha scritto:

> On Sun, Oct 21, 2018 at 7:52 AM Stefano Cappa
> <stefano.cappa.ks89 at gmail.com> wrote:
> > I'm on Sumo branch with the latest linux-imx (no -fscl) and I'm using
> the official NXP imx6 evk board.
> >
> > I'm trying meta-selinux (I'm absolutely a noob with selinux, I'm still
> experimenting and studying it :)) but I'm getting this error running
> "fixfiles -f -F relabel":
> >
> > Cleaning out /tmp
> >     fixfiles: No suitable file systems found
> >     Cleaning up labels on /tmp
> >     secon: SELinux is not enabled
> >     cat: /initial_contexts/unlabeled: No such file or directory
> >
> > I wrote to one of the authors of meta-selinux and he said:
> >
> >     You need to make sure that the filesystem in use has extendded
> attributes
> >     enabled.  A lot of silicon vendor versions have this disabled, or
> use a
> >     filesystem where it's not supported.
> >     ext*fs, xfs, etc usually support it, with the right kernel
> configuration.
> >
> > So, I added xattr to the DISTRO_FEATURES_append in my local.conf, but
> I'm still having the same error.
> > And running 'mount' I get this:
> >    /dev/<mynamehere>   / type ext4 (rw,relatime,data=ordered)
> >
> > What I'm missing?
> > Also, does imx6ULL supports meta-selinux? Or are there some limitations
> about kernel that block me to activate selinux?
>
> You need to enable the needed features on the kernel config. You
> likely need to make a new layer to store the changes you will do and
> modify the defconfig accordingly.
>
> --
> Otavio Salvador                             O.S. Systems
> http://www.ossystems.com.br        http://code.ossystems.com.br
> Mobile: +55 (53) 9 9981-7854          Mobile: +1 (347) 903-9750
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.yoctoproject.org/pipermail/meta-freescale/attachments/20181029/b42c96a3/attachment.html>

More information about the meta-freescale mailing list