[yocto] SELinux with Busybox on morty

Joe MacDonald Joe_MacDonald at mentor.com
Fri Jul 21 12:46:53 PDT 2017


Hi Justin / Marco,

[Re: SELinux with Busybox on morty] On 17.07.19 (Wed 16:05) Justin Clacherty wrote:

> Hi Joe,
> 
> Is this something you or one of the other meta-selinux devs are able
> to help out with or is it more of an upstream question?

I'll see if I can give this a shot.  :-)

> 
> Cheers,
> Justin.
> 
> 
> > On 17 Jul 2017, at 4:57 pm, Marco Ostini <marco at ostini.org> wrote:
> > 
> > 
> > Hi All,
> > 
> > At the moment I'm attempting to prepare a VM of morty with SELinux
> > running well in enforcing mode. Once bedded down this will be
> > running on an embedded system.
> > 
> > We use Busybox to keep the environment slim.
> > 
> > As you may be aware the file contexts of
> > /etc/selinux/targeted/contexts/files/file_contexts don't include
> > appropriate paths (/sbin + /usr/lib/busybox/sbin/) and relative file
> > contexts for commands provided by Busybox. The /sbin files provided
> > by Busybox are symlinks to their counterparts in
> > /usr/lib/busybox/sbin/.
> > 
> > I've attempted to use semanage to apply file contexts and look up
> > login contexts. Any time I use semanage I receive this message:
> > 
> >    Error: Failed to read //etc/selinux/targeted/policy/policy.30 policy file
> > 
> > In an attempt to mitigate this error I ran semodule --build and
> > while it did rebuild the policy file, it didn't mitigate the error
> > message generated by semanage. At the moment I'm applying temporary
> > file contexts with chcon.
> > 
> > My questions are:
> > 
> > 1. Is it possible to run Busybox (providing init, getty, syslog ...)
> > in SELinux enforcing? If so, where are the policy files?

You haven't mentioned which policy you're currently using so I'm
guessing it is the default you get from meta-selinux, that is
refpolicy-git.  I've been debugging some (I think) unrelated issues with
refpolicy-git this week, so my advice would first be to try out
2.20151208, the current release version we have in tree.  That's
obviously also out of date, but it is currently better tested than the
git recipe.

All that said, yes, we have been, in the past, able to use busybox with
SELinux enforcing enabled, though as you can see from the layer, we've
had to tweak refpolicy to make it work well.  I'm adding a colleague of
mine here, Shrikant, who has done a fair bit of recent work with
meta-selinux as well, he might have some additional insight into the
current status of busybox-based systems.

> > 2. Is there some documentation somewhere on reference builds of
> > Morty with SELinux enforcing?

There is not at the moment, as far as I know.  It's possible that
someone else currently using that combination can help out with some
guidance, but we haven't done any Morty+SELinux specific documentation.
Since I'm investigating some other issues right now in a slightly
different area, though, I may get some time next week to write up
something quick on this for you.  If I do, I'll be sure to share it
here.

-- 
-Joe MacDonald.
:wq
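The layout Marco describes (applets in /sbin that are symlinks into /usr/lib/busybox/sbin/, with file_contexts naming only the /sbin paths) can be turned into the missing entries mechanically. The script below is an added example for this thread, not code from meta-selinux, refpolicy or either poster. It assumes that the policy's file_contexts carries the applet paths (e.g. /sbin/ifconfig) with the types it wants, that each applet symlink resolves to a real file under /usr/lib/busybox/, and that an exec transition is decided by the label of the inode the symlink resolves to, so the target path is the one that needs an entry. The file_contexts lines and the applet-to-target map it runs on are constructed samples; `collect_links()` is the hypothetical helper that would gather the real map from the box.

```python
#!/usr/bin/env python3
"""Derive file_contexts entries for busybox applet symlink targets.

Added example, not code from meta-selinux or refpolicy.  Assumed layout:
/sbin/<applet> is a symlink to /usr/lib/busybox/sbin/<applet>, file_contexts
names /sbin/<applet> but not the target, and the exec label that matters
is the one on the inode the symlink resolves to.
"""
import os
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class FcEntry:
    regex: str
    ftype: Optional[str]  # "--", "-l", "-d", ... or None meaning "any type"
    context: str          # user:role:type:range, or "<<none>>"


def parse_file_contexts(text: str) -> List[FcEntry]:
    """Parse file_contexts text: 'regex [ftype] context' per line, '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, ftype, ctx = parts
        elif len(parts) == 2:
            regex, ctx = parts
            ftype = None
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        entries.append(FcEntry(regex, ftype, ctx))
    return entries


def lookup(entries: List[FcEntry], path: str, ftype: str = "--") -> Optional[FcEntry]:
    """Entry that labels `path` as a file of type `ftype`.
    file_contexts semantics: regexes are anchored and the last match wins."""
    for e in reversed(entries):
        if e.ftype not in (None, ftype):
            continue
        if re.fullmatch(e.regex, path):
            return e
    return None


def fc_escape(path: str) -> str:
    """Escape a literal path for use as a file_contexts regex."""
    return re.sub(r"([.+*?()\[\]{}|^$\\])", r"\\\1", path)


def busybox_fc_entries(entries: List[FcEntry], links: Dict[str, str]
                       ) -> Tuple[List[str], Dict[str, Dict[str, List[str]]]]:
    """links: {applet symlink path: resolved target path}.

    Each applet is looked up as the regular file ("--") the policy expects,
    and that context is emitted for its target.  Targets the policy already
    labels identically are skipped.  A target reached from applets the policy
    gives different types (one busybox binary serving both login and getty)
    is reported as a conflict instead of labelled: one inode holds one label,
    so that split needs a policy change, not another file_contexts line.
    """
    wanted: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for applet, target in sorted(links.items()):
        want = lookup(entries, applet, "--")
        if want is None or want.context == "<<none>>":
            continue
        have = lookup(entries, target, "--")
        if have is not None and have.context == want.context:
            continue
        wanted[target][want.context].append(applet)
    lines, conflicts = [], {}
    for target, by_ctx in sorted(wanted.items()):
        if len(by_ctx) > 1:
            conflicts[target] = dict(by_ctx)
        else:
            (ctx,) = by_ctx
            lines.append(f"{fc_escape(target)}  --  {ctx}")
    return lines, conflicts


def collect_links(dirs=("/bin", "/sbin", "/usr/bin", "/usr/sbin")) -> Dict[str, str]:
    """Hypothetical helper: map every symlink in `dirs` to its final target."""
    links = {}
    for d in dirs:
        for ent in (os.scandir(d) if os.path.isdir(d) else ()):
            if ent.is_symlink():
                links[ent.path] = os.path.realpath(ent.path)
    return links


# Constructed sample in refpolicy file_contexts style; not a real policy file.
SAMPLE_FILE_CONTEXTS = """\
/bin(/.*)?                   system_u:object_r:bin_t:s0
/sbin(/.*)?                  system_u:object_r:bin_t:s0
/usr/lib(/.*)?               system_u:object_r:lib_t:s0
/bin/login               --  system_u:object_r:login_exec_t:s0
/sbin/init               --  system_u:object_r:init_exec_t:s0
/sbin/ifconfig           --  system_u:object_r:ifconfig_exec_t:s0
/sbin/getty.*            --  system_u:object_r:getty_exec_t:s0
/usr/lib/busybox/sbin/init  --  system_u:object_r:init_exec_t:s0
"""

# Constructed applet -> target map (what collect_links() would return on a box).
SAMPLE_LINKS = {
    "/sbin/ifconfig": "/usr/lib/busybox/sbin/ifconfig",
    "/sbin/init":     "/usr/lib/busybox/sbin/init",   # already labelled: skipped
    "/sbin/syslogd":  "/usr/lib/busybox/sbin/syslogd",
    "/bin/ls":        "/usr/lib/busybox/bin/ls",
    "/bin/login":     "/bin/busybox.suid",            # two types, one inode:
    "/sbin/getty":    "/bin/busybox.suid",            # reported as a conflict
}

if __name__ == "__main__":
    fc, bad = busybox_fc_entries(parse_file_contexts(SAMPLE_FILE_CONTEXTS), SAMPLE_LINKS)
    print("\n".join(fc))
    for target, by_ctx in bad.items():
        print(f"# CONFLICT {target}: " + "; ".join(f"{c} <- {a}" for c, a in by_ctx.items()))
```

The emitted lines are plain file_contexts entries, so they can go into the `.fc` of a local policy module or be added one at a time with `semanage fcontext -a`, followed by `restorecon` on the target paths; applets the policy already labels (the init line in the sample) produce nothing, and a conflict means two applets the policy keeps in different domains resolve to the same binary, which labelling alone cannot express.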