[yocto] SELinux doesn't work on t4240qds

Mark Hatle mark.hatle at windriver.com
Tue Jul 22 10:30:42 PDT 2014


On 7/22/14, 10:11 AM, zhenhua.luo at freescale.com wrote:
> Hi all,

Which release are you using?  The last version I used w/ meta-selinux was the 
1.5 release.

We're planning on updating it to master in the 'near' future [patches welcome!], 
and I've been told by a few others of success w/ 1.7.

Did you enable the 'selinux' distribution flag?  If so, it should have enabled 
all of the components necessary for this stuff to be enabled.

--Mark

> I use the meta-selinux layer to build a core-image-selinux rootfs image, and
> build kernel with following options enabled.
>
> CONFIG_AUDIT=y
> CONFIG_NETWORK_SECMARK=y
> CONFIG_EXT2_FS_SECURITY=y
> CONFIG_EXT3_FS_SECURITY=y
> CONFIG_EXT4_FS_SECURITY=y
> CONFIG_JFS_SECURITY=y
> CONFIG_REISERFS_FS_SECURITY=y
> CONFIG_JFFS2_FS_SECURITY=y
> CONFIG_SECURITY_NETWORK=y
> CONFIG_SECURITY_SELINUX=y
> CONFIG_SECURITY_SELINUX_BOOTPARAM=y
> CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
> CONFIG_SECURITY_SELINUX_DISABLE=y
> CONFIG_SECURITY_SELINUX_DEVELOP=y
> CONFIG_SECURITY_SELINUX_AVC_STATS=y
> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
>
> I use the generated images to boot up FSL PPC t4240qds board(tried both NFS boot
> and RAM boot with ext2.gz.u-boot rootfs), the SELinux is not turned on after
> kernel boot up.
>
> following is some information in rootfs.
>
> root@t4240qds:~# sestatus
> SELinux status:                 disabled
> root@t4240qds:~#
> root@t4240qds:~# cat /etc/selinux/config
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> #     enforcing - SELinux security policy is enforced.
> #     permissive - SELinux prints warnings instead of enforcing.
> #     disabled - No SELinux policy is loaded.
> SELINUX=enforcing
> # SELINUXTYPE= can take one of these two values:
> #     standard - Standard Security protection.
> #     mls - Multi Level Security protection.
> SELINUXTYPE=mls
> root@t4240qds:~# cat /proc/cmdline
> root=/dev/ram rw console=ttyS0,115200 selinux=1
> root@t4240qds:~# setenforce 1
> setenforce: SELinux is disabled
> root@t4240qds:~# getenforce
> Disabled
> root@t4240qds:~#
>
> Can somebody shed some light on the issue?
>
> Best Regards,
>
> Zhenhua
>
>
>
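
An offline re-check of the evidence discussed in this thread (the quoted kernel options, the `selinux=` boot parameter, and the 'selinux' distribution flag), as an added example that is not part of either message. It assumes the flag is the `selinux` entry in `DISTRO_FEATURES` as shown in a saved `bitbake -e` dump; file names and sample contents are constructed, and it reports differences without identifying a cause.

```shell
#!/bin/sh
# Added example (not from the thread): offline re-check of the evidence the
# thread discusses. File names and sample contents below are constructed.

# Subset of the kernel options listed in the quoted message.
WANTED="CONFIG_AUDIT=y CONFIG_SECURITY_NETWORK=y CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_EXT2_FS_SECURITY=y CONFIG_EXT4_FS_SECURITY=y"

# Print each wanted option that the kernel .config in $1 does not set as listed.
missing_opts() {
    for opt in $WANTED; do
        grep -qxF -e "$opt" "$1" || printf '%s\n' "$opt"
    done
}

# Echo the last selinux= value on the command line in $1, or "unset".
cmdline_selinux() {
    val=unset
    for word in $1; do
        case $word in selinux=*) val=${word#selinux=} ;; esac
    done
    echo "$val"
}

# Succeed if the saved `bitbake -e` dump in $1 lists selinux in DISTRO_FEATURES.
# Assumption: the 'selinux' distribution flag is the DISTRO_FEATURES entry.
distro_has_selinux() {
    grep '^DISTRO_FEATURES=' "$1" | tr '" ' '\n\n' | grep -qx selinux
}

# Constructed sample inputs: a kernel config and a bitbake environment dump.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' CONFIG_AUDIT=y CONFIG_SECURITY_NETWORK=y CONFIG_SECURITY_SELINUX=y \
    CONFIG_SECURITY_SELINUX_BOOTPARAM=y CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0 \
    CONFIG_EXT2_FS_SECURITY=y '# CONFIG_EXT4_FS_SECURITY is not set' > "$tmp/config"
printf 'DISTRO_FEATURES="acl xattr pam"\n' > "$tmp/env"

echo "Options differing from the list:"
missing_opts "$tmp/config"
echo "selinux= on cmdline: $(cmdline_selinux 'root=/dev/ram rw console=ttyS0,115200 selinux=1')"
distro_has_selinux "$tmp/env" && echo "selinux in DISTRO_FEATURES" \
    || echo "selinux not in DISTRO_FEATURES"
```

On a real build, point `missing_opts` at the kernel's `.config` and `distro_has_selinux` at the saved output of `bitbake -e core-image-selinux`.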
