[yocto] SELinux doesn't work on t4240qds

zhenhua.luo at freescale.com zhenhua.luo at freescale.com
Thu Jul 24 05:08:30 PDT 2014


Hi Mark, 

> -----Original Message-----
> From: yocto-bounces at yoctoproject.org [mailto:yocto-
> bounces at yoctoproject.org] On Behalf Of Mark Hatle
> Sent: Wednesday, July 23, 2014 10:41 PM
> To: yocto at yoctoproject.org
> Subject: Re: [yocto] SELinux doesn't work on t4240qds
> 
> On 7/23/14, 7:15 AM, zhenhua.luo at freescale.com wrote:
> > I tried dora (poky + meta-selinux + meta-fsl-ppc); the following error
> > message appears during kernel boot-up, please help.
> >
> > RAMDISK: gzip image found at block 0
> > VFS: Mounted root (ext2 filesystem) on device 1:0.
> > devtmpfs: mounted
> > Freeing unused kernel memory: 340k freed
> > Mount failed for selinuxfs on /sys/fs/selinux:  No such file or directory
> 
> Sounds like the selinuxfs was not enabled -- or the /sys/fs/selinux mount
> point was not created by default.  I'd start with suspecting the kernel
> configuration, and then look to see if the early init scripts for selinux
> are incorrect and need to add that mount point.
[Luo Zhenhua-B19537] The selinuxfs is not enabled in the kernel; SELinux permissive mode can boot up successfully after enabling this option.
	Enforcing mode can't boot up successfully; I am not sure what the reason is.
	Following is the log.
          type=1403 audit(1600153052.391:2): policy loaded auid=4294967295 ses=4294967295
          type=1400 audit(1600153052.403:3): avc:  denied  { execmem } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=process
          Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b

          Call Trace:
          [c0000002f915f890] [c000000000008b2c] .show_stack+0x7c/0x1f0 (unreliable)
          [c0000002f915f960] [c000000000816868] .panic+0xec/0x24c
          [c0000002f915f9f0] [c00000000003d094] .do_exit+0x964/0xa40
          [c0000002f915fae0] [c00000000003e354] .do_group_exit+0x54/0xf0
          [c0000002f915fb70] [c00000000004d0a0] .get_signal_to_deliver+0x1e0/0x670
          [c0000002f915fc70] [c00000000000aa44] .do_signal+0x54/0x2d0
          [c0000002f915fdb0] [c00000000000adf8] .do_notify_resume+0x68/0x80
          [c0000002f915fe30] [c000000000000b18] .ret_from_except_lite+0x44/0x48


Best Regards,

Zhenhua

> --Mark
> 
> > Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.
> > Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100
> >
> > Call Trace:
> > [c0000002f9143ae0] [c000000000008b2c] .show_stack+0x7c/0x1f0 (unreliable)
> > [c0000002f9143bb0] [c000000000816e48] .panic+0xec/0x24c
> > [c0000002f9143c40] [c00000000003d094] .do_exit+0x964/0xa40
> > [c0000002f9143d30] [c00000000003e354] .do_group_exit+0x54/0xf0
> > [c0000002f9143dc0] [c00000000003e404] .SyS_exit_group+0x14/0x20
> > [c0000002f9143e30] [c000000000000598] syscall_exit+0x0/0x88
> > Rebooting in 180 seconds..
> >
> >
> > Best Regards,
> >
> > Zhenhua
> >
> >
> >> -----Original Message-----
> >> From: yocto-bounces at yoctoproject.org [mailto:yocto-
> >> bounces at yoctoproject.org] On Behalf Of zhenhua.luo at freescale.com
> >> Sent: Wednesday, July 23, 2014 10:29 AM
> >> To: Mark Hatle; yocto at yoctoproject.org
> >> Subject: Re: [yocto] SELinux doesn't work on t4240qds
> >>
> >> Hi Mark,
> >>
> >> Thanks for your comments.
> >>
> >>> -----Original Message-----
> >>> From: yocto-bounces at yoctoproject.org [mailto:yocto-
> >>> bounces at yoctoproject.org] On Behalf Of Mark Hatle
> >>>
> >>> On 7/22/14, 10:11 AM, zhenhua.luo at freescale.com wrote:
> >>>> Hi all,
> >>>
> >>> Which release are you using.
> >> [Luo Zhenhua-B19537] I tried poky daisy + meta-fsl-ppc master + meta-selinux master
> >>
> >>> The last version I used w/ meta-selinux was the 1.5 release.
> >>>
> >>> We're planning on updating it to master in the 'near' future
> >>> [patches welcome!], and I've been told by a few others of success w/ 1.7.
> >> [Luo Zhenhua-B19537] I will try master and dora.
> >>
> >>> Did you enable the 'selinux' distribution flag?
> >>> If so, it should have enabled all of the components necessary for this
> >>> stuff to be enabled.
> >> [Luo Zhenhua-B19537] Yes, selinux is in DISTRO_FEATURES.
> >>
> >>
> >> Best Regards,
> >>
> >> Zhenhua
> >>
> >>> --Mark
> >>>
> >>>> I use the meta-selinux layer to build a core-image-selinux rootfs
> >>>> image, and build kernel with following options enabled.
> >>>>
> >>>> CONFIG_AUDIT=y
> >>>> CONFIG_NETWORK_SECMARK=y
> >>>> CONFIG_EXT2_FS_SECURITY=y
> >>>> CONFIG_EXT3_FS_SECURITY=y
> >>>> CONFIG_EXT4_FS_SECURITY=y
> >>>> CONFIG_JFS_SECURITY=y
> >>>> CONFIG_REISERFS_FS_SECURITY=y
> >>>> CONFIG_JFFS2_FS_SECURITY=y
> >>>> CONFIG_SECURITY_NETWORK=y
> >>>> CONFIG_SECURITY_SELINUX=y
> >>>> CONFIG_SECURITY_SELINUX_BOOTPARAM=y
> >>>> CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
> >>>> CONFIG_SECURITY_SELINUX_DISABLE=y
> >>>> CONFIG_SECURITY_SELINUX_DEVELOP=y
> >>>> CONFIG_SECURITY_SELINUX_AVC_STATS=y
> >>>> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
> >>>>
> >>>> I use the generated images to boot up the FSL PPC t4240qds board (tried
> >>>> both NFS boot and RAM boot with ext2.gz.u-boot rootfs); SELinux
> >>>> is not turned on after kernel boot-up.
> >>>>
> >>>> Following is some information from the rootfs.
> >>>>
> >>>> root at t4240qds:~# sestatus
> >>>> SELinux status:                 disabled
> >>>> root at t4240qds:~#
> >>>> root at t4240qds:~# cat /etc/selinux/config
> >>>> # This file controls the state of SELinux on the system.
> >>>> # SELINUX= can take one of these three values:
> >>>> #     enforcing - SELinux security policy is enforced.
> >>>> #     permissive - SELinux prints warnings instead of enforcing.
> >>>> #     disabled - No SELinux policy is loaded.
> >>>> SELINUX=enforcing
> >>>> # SELINUXTYPE= can take one of these two values:
> >>>> #     standard - Standard Security protection.
> >>>> #     mls - Multi Level Security protection.
> >>>> SELINUXTYPE=mls
> >>>> root at t4240qds:~# cat /proc/cmdline
> >>>> root=/dev/ram rw console=ttyS0,115200 selinux=1
> >>>> root at t4240qds:~# setenforce 1
> >>>> setenforce: SELinux is disabled
> >>>> root at t4240qds:~# getenforce
> >>>> Disabled
> >>>> root at t4240qds:~#
> >>>>
> >>>> Can somebody shed some light on the issue?
> >>>>
> >>>> Best Regards,
> >>>>
> >>>> Zhenhua
> >>>>
> >>>>
> >>>>
> >>>
> >>> --
> >>> _______________________________________________
> >>> yocto mailing list
> >>> yocto at yoctoproject.org
> >>> https://lists.yoctoproject.org/listinfo/yocto
> 
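Two checks that follow from the thread, written here as an added example; this is not code from the thread, from meta-selinux or from the kernel. The first confirms that a kernel .config carries the SELinux-related options the original post listed (the list is copied from that post, leaving out the per-filesystem *_FS_SECURITY and the *_VALUE defaults since those depend on the image; anything else a given kernel needs can be appended). The second parses AVC denial records in the format shown in the enforcing-mode log, so that a denial charged to pid 1, which in that log is immediately followed by init dying and "Attempted to kill init!", can be found while the board is still booting in permissive mode. The .config fragment, the third log line and the temporary-file handling are constructed for the example.

```shell
#!/bin/sh
# Added example for the thread above; not code from the thread, meta-selinux
# or the kernel. Sample inputs are constructed from what the thread quotes.

# Kernel options the original post enabled (minus the per-filesystem
# *_FS_SECURITY and *_VALUE ones). Append whatever else your kernel needs.
REQUIRED_OPTS="
CONFIG_AUDIT=y
CONFIG_NETWORK_SECMARK=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
"

# check_kconfig FILE: print every required option absent from FILE
# (a kernel .config); return 0 if all are present, 1 otherwise.
check_kconfig() {
    missing=0
    for opt in $REQUIRED_OPTS; do
        grep -qx "$opt" "$1" || { echo "missing: $opt"; missing=1; }
    done
    return $missing
}

# parse_avc: read a kernel/audit log on stdin and print one line per AVC
# denial as "PID COMM PERMS TCLASS SCONTEXT TCONTEXT". Tolerates the
# double spaces the kernel emits around "denied" and "for".
parse_avc() {
    sed -n 's/.*avc:[[:space:]]*denied[[:space:]]*{[[:space:]]*\([^}]*[^[:space:]}]\)[[:space:]]*}[[:space:]]*for[[:space:]]*pid=\([0-9][0-9]*\)[[:space:]]*comm="\([^"]*\)".*scontext=\([^[:space:]]*\)[[:space:]]*tcontext=\([^[:space:]]*\)[[:space:]]*tclass=\([^[:space:]]*\).*/\2 \3 \1 \6 \4 \5/p'
}

# init_denials: count denials charged to pid 1. In the thread's log the
# execmem denial for comm="init" is immediately followed by init dying and
# the kernel panicking, so any such line is a blocker for enforcing mode.
init_denials() {
    parse_avc | awk '$1 == 1' | wc -l | tr -d ' '
}

# --- constructed sample input -------------------------------------------
KCONFIG_SAMPLE=$(mktemp)
trap 'rm -f "$KCONFIG_SAMPLE"' EXIT
# Deliberately leaves CONFIG_SECURITY_NETWORK out to show a failing check.
cat > "$KCONFIG_SAMPLE" <<'EOF'
CONFIG_AUDIT=y
CONFIG_NETWORK_SECMARK=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
EOF

# First two lines are the ones quoted in the thread; the third is made up
# to show a denial that is not against init.
SAMPLE_LOG='type=1403 audit(1600153052.391:2): policy loaded auid=4294967295 ses=4294967295
type=1400 audit(1600153052.403:3): avc:  denied  { execmem } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=process
type=1400 audit(1600153052.500:4): avc:  denied  { read } for  pid=123 comm="sh" name="shadow" dev="ram0" ino=42 scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file'

echo "== kernel config =="
check_kconfig "$KCONFIG_SAMPLE" || echo "config incomplete"
echo "== AVC denials (pid comm perms class scontext tcontext) =="
printf '%s\n' "$SAMPLE_LOG" | parse_avc
echo "denials against pid 1: $(printf '%s\n' "$SAMPLE_LOG" | init_denials)"
```

On a real board, point check_kconfig at the kernel's .config from the build tree and pipe dmesg (or /var/log/audit/audit.log once auditd is up) through init_denials while still in permissive mode; a non-zero count means enforcing mode will kill init before anything else gets a chance to run.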


