[yocto] SELinux doesn't work on t4240qds

Mark Hatle mark.hatle at windriver.com
Wed Jul 23 07:37:44 PDT 2014


On 7/22/14, 9:28 PM, zhenhua.luo at freescale.com wrote:
> Hi Mark,
>
> Thanks for your comments.
>
>> -----Original Message-----
>> From: yocto-bounces at yoctoproject.org [mailto:yocto-
>> bounces at yoctoproject.org] On Behalf Of Mark Hatle
>>
>> On 7/22/14, 10:11 AM, zhenhua.luo at freescale.com wrote:
>>> Hi all,
>>
>> Which release are you using?
> [Luo Zhenhua-B19537] I tried poky daisy + meta-fsl-ppc master + meta-selinux master

This makes me suspect a kernel issue.  The last time I looked at meta-fsl-ppc, 
it had a custom kernel (it didn't use the linux-yocto kernel).  It appears (based 
on your original message) that all of the needed values were enabled:

http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-kernel/linux/linux-yocto/selinux.cfg

So I'm at a loss to explain the issue.  The only other suggestion would be to 
pass 'selinux=1' or is it 'enforce=1' on the command line and see if that starts 
the system up in enforcing mode.

>> The last version I used w/ meta-selinux was the 1.5 release.
>>
>> We're planning on updating it to master in the 'near' future [patches
>> welcome!], and I've been told by a few others of success w/ 1.7.

(I meant 1.6 above BTW, since there is no 1.7 yet.)

> [Luo Zhenhua-B19537] I will try master and dora.

Try dora, it's possible there is something minor that isn't right.

>> Did you enable the 'selinux' distribution flag?
>> If so, it should have enabled all of the components necessary for this stuff to be enabled.
> [Luo Zhenhua-B19537] Yes, selinux is in DISTRO_FEATURES.

That should be all that was needed.  The first boot should provision the system and 
reboot.  After that things should be enabled and functional.

--Mark

>
> Best Regards,
>
> Zhenhua
>
>> --Mark
>>
>>> I use the meta-selinux layer to build a core-image-selinux rootfs
>>> image, and build the kernel with the following options enabled.
>>>
>>> CONFIG_AUDIT=y
>>> CONFIG_NETWORK_SECMARK=y
>>> CONFIG_EXT2_FS_SECURITY=y
>>> CONFIG_EXT3_FS_SECURITY=y
>>> CONFIG_EXT4_FS_SECURITY=y
>>> CONFIG_JFS_SECURITY=y
>>> CONFIG_REISERFS_FS_SECURITY=y
>>> CONFIG_JFFS2_FS_SECURITY=y
>>> CONFIG_SECURITY_NETWORK=y
>>> CONFIG_SECURITY_SELINUX=y
>>> CONFIG_SECURITY_SELINUX_BOOTPARAM=y
>>> CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
>>> CONFIG_SECURITY_SELINUX_DISABLE=y
>>> CONFIG_SECURITY_SELINUX_DEVELOP=y
>>> CONFIG_SECURITY_SELINUX_AVC_STATS=y
>>> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
>>>
>>> I use the generated images to boot up the FSL PPC t4240qds board (tried
>>> both NFS boot and RAM boot with the ext2.gz.u-boot rootfs); SELinux is
>>> not turned on after the kernel boots up.
>>>
>>> Following is some information from the rootfs.
>>>
>>> root at t4240qds:~# sestatus
>>> SELinux status:                 disabled
>>> root at t4240qds:~#
>>> root at t4240qds:~# cat /etc/selinux/config
>>> # This file controls the state of SELinux on the system.
>>> # SELINUX= can take one of these three values:
>>> #     enforcing - SELinux security policy is enforced.
>>> #     permissive - SELinux prints warnings instead of enforcing.
>>> #     disabled - No SELinux policy is loaded.
>>> SELINUX=enforcing
>>> # SELINUXTYPE= can take one of these two values:
>>> #     standard - Standard Security protection.
>>> #     mls - Multi Level Security protection.
>>> SELINUXTYPE=mls
>>> root at t4240qds:~# cat /proc/cmdline
>>> root=/dev/ram rw console=ttyS0,115200 selinux=1
>>> root at t4240qds:~# setenforce 1
>>> setenforce: SELinux is disabled
>>> root at t4240qds:~# getenforce
>>> Disabled
>>> root at t4240qds:~#
>>>
>>> Can somebody shed some light on the issue?
>>>
>>> Best Regards,
>>>
>>> Zhenhua
>>>
>>>
>>>
>>
>> --
>> _______________________________________________
>> yocto mailing list
>> yocto at yoctoproject.org
>> https://lists.yoctoproject.org/listinfo/yocto
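
An added diagnostic for the situation in this thread (example code written for this page; it is not code from the thread, from meta-selinux or from the Yocto project). "SELinux status: disabled" from sestatus, with setenforce refusing to run, means the kernel never registered SELinux at all, so nothing in /etc/selinux/config can change it; the place to look is the kernel config and the boot command line. The script below checks both the way a practitioner would before rebuilding: it assumes a 3.x-era kernel, where only one major LSM is active and SELinux must be the selected one (CONFIG_DEFAULT_SECURITY_SELINUX=y, or security=selinux on the command line), and it relies on the kernel's own option names and the /sys/fs/selinux path. The .config it feeds in is constructed from the option list in the report above; the function names are this example's own.

```shell
#!/bin/sh
# Added example for this thread, not code from meta-selinux or Yocto. Assumes a
# 3.x-era kernel with one active major LSM. SELinux comes up only if
# CONFIG_SECURITY, CONFIG_SECURITY_NETWORK, CONFIG_AUDIT and
# CONFIG_SECURITY_SELINUX are =y, SELinux is the selected LSM, and it is not
# switched off by selinux=0 (or BOOTPARAM_VALUE=0 without selinux=1).

# kconfig_is FILE OPTION VALUE: true if "OPTION=VALUE" is set in a kernel .config.
kconfig_is() {
    grep -q "^$2=$3\$" "$1"
}

# cmdline_has "CMDLINE" WORD: true if WORD is one whole token of the command line.
cmdline_has() {
    for tok in $1; do
        [ "$tok" = "$2" ] && return 0
    done
    return 1
}

# selinux_precheck FILE "CMDLINE": print every reason this kernel would leave
# SELinux disabled and return 1; print "ok" and return 0 if none was found.
selinux_precheck() {
    config="$1"
    cmdline="$2"
    problems=0

    for opt in CONFIG_SECURITY CONFIG_SECURITY_NETWORK CONFIG_AUDIT CONFIG_SECURITY_SELINUX; do
        if ! kconfig_is "$config" "$opt" y; then
            echo "not set: $opt"
            problems=$((problems + 1))
        fi
    done

    # SELinux built in is not enough if another LSM is the kernel's default.
    if ! kconfig_is "$config" CONFIG_DEFAULT_SECURITY_SELINUX y \
        && ! cmdline_has "$cmdline" security=selinux; then
        echo "SELinux is not the selected LSM: set CONFIG_DEFAULT_SECURITY_SELINUX=y or boot with security=selinux"
        problems=$((problems + 1))
    fi

    # selinux=0 always wins; selinux=1 only matters when BOOTPARAM_VALUE is 0.
    if cmdline_has "$cmdline" selinux=0; then
        echo "disabled by selinux=0 on the command line"
        problems=$((problems + 1))
    elif kconfig_is "$config" CONFIG_SECURITY_SELINUX_BOOTPARAM y \
        && kconfig_is "$config" CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE 0 \
        && ! cmdline_has "$cmdline" selinux=1; then
        echo "CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0 and no selinux=1 on the command line"
        problems=$((problems + 1))
    fi

    if [ "$problems" -eq 0 ]; then
        echo ok
        return 0
    fi
    return 1
}

# selinux_runtime_state [ROOT]: "disabled", "permissive" or "enforcing", as
# getenforce reports it on a booted system. "disabled" means the kernel never
# registered SELinux, so /etc/selinux/config and setenforce cannot help.
# (libselinux finds selinuxfs through /proc/mounts; this assumes /sys/fs/selinux.)
selinux_runtime_state() {
    root="${1:-}"
    if [ ! -r "$root/sys/fs/selinux/enforce" ]; then
        echo disabled
    elif [ "$(cat "$root/sys/fs/selinux/enforce")" = 1 ]; then
        echo enforcing
    else
        echo permissive
    fi
}

# Constructed input: the option list from the report above, written to a
# temporary file. The check reports what that list does not mention.
demo_config=$(mktemp)
cat > "$demo_config" <<'EOF'
CONFIG_AUDIT=y
CONFIG_NETWORK_SECMARK=y
CONFIG_EXT2_FS_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
EOF

if selinux_precheck "$demo_config" "root=/dev/ram rw console=ttyS0,115200 selinux=1"; then
    echo "this kernel should bring SELinux up"
else
    echo "this kernel will leave SELinux disabled; fix the lines above first"
fi
rm -f "$demo_config"
echo "runtime state on this host: $(selinux_runtime_state)"
```

Run it against the real .config of the kernel that was actually booted (for a custom BSP kernel that may not be the one the meta-selinux fragment was merged into) and the line from /proc/cmdline. If the precheck says "ok" and the board still reports "disabled", the kernel image on the board is not the one built from that .config.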
