[yocto] SELinux doesn't work on t4240qds
Mark Hatle
mark.hatle at windriver.com
Tue Jul 22 10:30:42 PDT 2014
On 7/22/14, 10:11 AM, zhenhua.luo at freescale.com wrote:
> Hi all,
Which release are you using? The last version I used w/ meta-selinux was the
1.5 release.
We're planning on updating it to master in the 'near' future [patches welcome!],
and I've been told by a few others of success w/ 1.7.
Did you enable the 'selinux' distribution flag? If so, it should have enabled
all of the components necessary for this stuff to be enabled.
--Mark
> I use the meta-selinux layer to build a core-image-selinux rootfs image, and
> build kernel with following options enabled.
>
> CONFIG_AUDIT=y
> CONFIG_NETWORK_SECMARK=y
> CONFIG_EXT2_FS_SECURITY=y
> CONFIG_EXT3_FS_SECURITY=y
> CONFIG_EXT4_FS_SECURITY=y
> CONFIG_JFS_SECURITY=y
> CONFIG_REISERFS_FS_SECURITY=y
> CONFIG_JFFS2_FS_SECURITY=y
> CONFIG_SECURITY_NETWORK=y
> CONFIG_SECURITY_SELINUX=y
> CONFIG_SECURITY_SELINUX_BOOTPARAM=y
> CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
> CONFIG_SECURITY_SELINUX_DISABLE=y
> CONFIG_SECURITY_SELINUX_DEVELOP=y
> CONFIG_SECURITY_SELINUX_AVC_STATS=y
> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
>
> I use the generated images to boot up FSL PPC t4240qds board(tried both NFS boot
> and RAM boot with ext2.gz.u-boot rootfs), the SELinux is not turned on after
> kernel boot up.
>
> following is some information in rootfs.
>
> root@t4240qds:~# sestatus
> SELinux status: disabled
> root@t4240qds:~#
> root@t4240qds:~# cat /etc/selinux/config
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> # enforcing - SELinux security policy is enforced.
> # permissive - SELinux prints warnings instead of enforcing.
> # disabled - No SELinux policy is loaded.
> SELINUX=enforcing
> # SELINUXTYPE= can take one of these two values:
> # standard - Standard Security protection.
> # mls - Multi Level Security protection.
> SELINUXTYPE=mls
> root@t4240qds:~# cat /proc/cmdline
> root=/dev/ram rw console=ttyS0,115200 selinux=1
> root@t4240qds:~# setenforce 1
> setenforce: SELinux is disabled
> root@t4240qds:~# getenforce
> Disabled
> root@t4240qds:~#
>
> Can somebody shed some light on the issue?
>
> Best Regards,
>
> Zhenhua
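A diagnostic for the situation in this thread, as an added example that is not part of the original messages: it compares the kernel options listed in the quoted message against the `.config` the kernel was actually built from, and checks whether the running kernel registered `selinuxfs` and what `selinux=` value it was booted with. The option list is copied from the quoted message; the function names and the choice of checks are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic example; not from the thread. The option list is copied
# from the quoted message, everything else is an assumption of this sketch.
REQUIRED_OPTS="CONFIG_AUDIT=y CONFIG_NETWORK_SECMARK=y CONFIG_SECURITY_NETWORK=y
CONFIG_EXT2_FS_SECURITY=y CONFIG_EXT3_FS_SECURITY=y CONFIG_EXT4_FS_SECURITY=y
CONFIG_JFS_SECURITY=y CONFIG_REISERFS_FS_SECURITY=y CONFIG_JFFS2_FS_SECURITY=y
CONFIG_SECURITY_SELINUX=y CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1 CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1"

# Print each listed option that is not set exactly as listed in kernel config $1.
missing_kconfig() {
    for opt in $REQUIRED_OPTS; do
        grep -qxF "$opt" "$1" || echo "$opt"
    done
}

# Succeed if selinuxfs is registered (file $1, default /proc/filesystems).
selinuxfs_registered() {
    grep -qw selinuxfs "${1:-/proc/filesystems}"
}

# Print the value of the last selinux= boot parameter (file $1, default /proc/cmdline).
cmdline_selinux() {
    tr ' ' '\n' < "${1:-/proc/cmdline}" | sed -n 's/^selinux=//p' | tail -n 1
}

# Summarise all three checks for the kernel config at $1.
report() {
    missing=$(missing_kconfig "$1")
    [ -z "$missing" ] || printf 'not set as listed:\n%s\n' "$missing"
    if selinuxfs_registered; then
        echo "selinuxfs: registered"
    else
        echo "selinuxfs: not registered, SELinux is not active in this kernel"
    fi
    echo "selinux= on command line: $(cmdline_selinux)"
}

# Run only when a kernel config path is given, e.g. ./check.sh build/.config
if [ -n "${1:-}" ]; then report "$1"; fi
```

Pass it the final `.config` from the kernel build directory rather than the configuration fragment, since the point is to see which options survived into the built kernel.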