[meta-freescale] Cannot enable selinux with imx6ULL. Why?
Stefano Cappa
stefano.cappa.ks89 at gmail.com
Mon Oct 29 02:58:15 PDT 2018
Ok. Yes I created a custom layer with recipes-kernel/linux folders and
inside these files:
- linux-imx_4.9.88.bbappend
- linux-imx_selinux.inc
- linux-imx/selinux.cfg (taken as it is from meta-selinux layer)
The content of linux-imx_4.9.88.bbappend is:
FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
SRC_URI += "\
"
require ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', '${BPN}_selinux.inc', '', d)}
The content of linux-imx_selinux.inc is:
FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
# Enable selinux support in the kernel if the feature is enabled
SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'file://selinux.cfg', '', d)}"
And selinux.cfg is:
CONFIG_AUDIT=y
CONFIG_NETWORK_SECMARK=y
CONFIG_EXT2_FS_SECURITY=y
CONFIG_EXT3_FS_SECURITY=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_JFS_SECURITY=y
CONFIG_REISERFS_FS_SECURITY=y
CONFIG_JFFS2_FS_SECURITY=y
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_AUDIT_GENERIC=y
Am I missing something?
Thank you.
On Sat, Oct 27, 2018, 20:10 Otavio Salvador <otavio.salvador at ossystems.com.br>
wrote:
> On Sun, Oct 21, 2018 at 7:52 AM Stefano Cappa
> <stefano.cappa.ks89 at gmail.com> wrote:
> > I'm on Sumo branch with the latest linux-imx (no -fscl) and I'm using
> > the official NXP imx6 evk board.
> >
> > I'm trying meta-selinux (I'm absolutely a noob with selinux, I'm still
> > experimenting and studying it :)) but I'm getting this error running
> > "fixfiles -f -F relabel":
> >
> > Cleaning out /tmp
> > fixfiles: No suitable file systems found
> > Cleaning up labels on /tmp
> > secon: SELinux is not enabled
> > cat: /initial_contexts/unlabeled: No such file or directory
> >
> > I wrote to one of the authors of meta-selinux and he said:
> >
> > You need to make sure that the filesystem in use has extended
> > attributes enabled. A lot of silicon vendor versions have this
> > disabled, or use a filesystem where it's not supported.
> > ext*fs, xfs, etc usually support it, with the right kernel
> > configuration.
> >
> > So, I added xattr to the DISTRO_FEATURES_append in my local.conf, but
> > I'm still having the same error.
> > And running 'mount' I get this:
> > /dev/<mynamehere> / type ext4 (rw,relatime,data=ordered)
> >
> > What am I missing?
> > Also, does imx6ULL support meta-selinux? Or are there some limitations
> > about kernel that block me from activating selinux?
>
> You need to enable the needed features on the kernel config. You
> likely need to make a new layer to store the changes you will do and
> modify the defconfig accordingly.
>
> --
> Otavio Salvador O.S. Systems
> http://www.ossystems.com.br http://code.ossystems.com.br
> Mobile: +55 (53) 9 9981-7854 Mobile: +1 (347) 903-9750
>
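
Added example, not part of the original message or of the meta-selinux or meta-freescale layers: one way to check whether the options in selinux.cfg actually reached the kernel's final .config, which is where an unapplied fragment becomes visible. FRAGMENT is a subset of the selinux.cfg quoted in the message; the function names and the sample .config are constructed for illustration.

```python
import re
import sys

# Subset of the selinux.cfg fragment quoted in the message.
FRAGMENT = """\
CONFIG_EXT4_FS_SECURITY=y
CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
"""

# Constructed sample of a final kernel .config where the fragment did not land.
SAMPLE_DOT_CONFIG = """\
CONFIG_EXT4_FS=y
# CONFIG_EXT4_FS_SECURITY is not set
CONFIG_SECURITY=y
# CONFIG_SECURITY_SELINUX is not set
"""

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_kconfig(text):
    """Map option -> value; '# CONFIG_X is not set' is recorded as 'n'."""
    opts = {}
    for line in map(str.strip, text.splitlines()):
        if m := _SET.match(line):
            opts[m.group(1)] = m.group(2)
        elif m := _UNSET.match(line):
            opts[m.group(1)] = "n"
    return opts

def unmet_options(fragment_text, dot_config_text):
    """Return (option, wanted, actual) for every fragment option not satisfied."""
    actual = parse_kconfig(dot_config_text)
    unmet = []
    for name, want in parse_kconfig(fragment_text).items():
        have = actual.get(name, "absent")
        # An option absent from .config is equivalent to "not set".
        if have != want and not (want == "n" and have == "absent"):
            unmet.append((name, want, have))
    return unmet

if __name__ == "__main__":
    frag, conf = FRAGMENT, SAMPLE_DOT_CONFIG
    if len(sys.argv) == 3:
        frag, conf = (open(p).read() for p in sys.argv[1:3])
    for name, want, have in unmet_options(frag, conf):
        print(f"{name}: want {want}, have {have}")
```

Run it with the fragment and the `.config` from the kernel build directory as the two arguments; with no arguments it uses the built-in sample.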