From: KaiGai Kohei <kaigai@ak.jp.nec.com>
To: Manvendra Pratap Singh <manav.emb@gmail.com>
Cc: selinux@tycho.nsa.gov
Subject: Re: working linux and busybox versions
Date: Thu, 18 Mar 2010 13:24:59 +0900
Message-ID: <4BA1AB1B.8030901@ak.jp.nec.com>
In-Reply-To: <482a0d8c1003172104r3ff4dc9csa065de1681b4794a@mail.gmail.com>

(2010/03/18 13:04), Manvendra Pratap Singh wrote:
>
>
> 2010/3/18 KaiGai Kohei <kaigai@ak.jp.nec.com>
>
> (2010/03/17 17:27), Manvendra Pratap Singh wrote:
> >
> >
> > 2010/3/17 KaiGai Kohei <kaigai@ak.jp.nec.com>
> >
> > (2010/03/17 16:12), Manvendra Pratap Singh wrote:
> > > Hi KaiGai,
> > >
> > > I checked /etc/selinux/base_policy/contexts/default_contexts and
> > > /etc/selinux/base_policy/contexts/users/root both in my rootfs and it is
> > > in correct place. But it is still giving me same SID problem. Please give
> > > some idea.
> >
> > Does it have correct format? Does it contain an entry which matches
> > with the security context of your logind daemon?
> >
> > If your policy does not define domain-transitions appropriately,
> > all the processes may work with kernel_t, init_t or initrc_t.
> > If so, get_default_context() cannot find out configured entry.
> >
> >
> > I am very new to SELinux, so I may not be able to answer all your
> > questions correctly. I compiled base policy and then included it in my
> > rootfs (at /etc/selinux/base_policy). I compiled busybox-1.13.0 and
> > 2.6.29 linux-kernel with SELinux support. I faced a lot of errors and
> > problems while compiling busybox with SELinux (utilities) support.
>
> What kind of errors did you see?
> If we cannot build busybox with SELinux support in the recent releases,
> we need to fix them.
>
>
>
> This time I tried with busybox-1.11.3, Please have a look at the errors:
>
> manav@manav-desktop:busybox-1.11.3$ make ARCH=arm
> CROSS_CONFIG=arm-none-linux-gnueabi-
> SPLIT include/autoconf.h -> include/config/*
> GEN include/bbconfigopts.h
> HOSTCC applets/usage
> applets/usage.c: In function 'main':
> applets/usage.c:27: warning: ignoring return value of 'write', declared
> with attribute warn_unused_result
> GEN include/usage_compressed.h
> HOSTCC applets/applet_tables
> In file included from applets/../include/busybox.h:10,
> from applets/applet_tables.c:16:
> applets/../include/libbb.h:56:29: error: selinux/selinux.h: No such file
> or directory
> applets/../include/libbb.h:57:29: error: selinux/context.h: No such file
> or directory
> applets/../include/libbb.h:58:27: error: selinux/flask.h: No such file
> or directory
> applets/../include/libbb.h:59:36: error: selinux/av_permissions.h: No
> such file or directory
> In file included from applets/../include/busybox.h:10,
> from applets/applet_tables.c:16:
> applets/../include/libbb.h:1007: error: expected ')' before 'sid'
> applets/../include/libbb.h:1008: error: expected '=', ',', ';', 'asm' or
> '__attribute__' before 'set_security_context_component'
> applets/../include/libbb.h:1010: error: expected ')' before 'scontext'
> make[1]: *** [applets/applet_tables] Error 1
> make: *** [applets] Error 2

It obviously looks like libselinux is not installed in your environment.
Could you (cross) compile it and install it first?

> > then
> > I booted beagle. And faced above problem. I did not try any extra code
> > other than base_policy, because initially I wanted to see the kernel
> > booting with SELinux support and working SELinux utilities provided by
> > busybox.
> >
> > What is your policy type? The standard reference policy, or others?
> >
> >
> > I think my policy is standard reference policy.
>
> Hmm... It seems to me reason of the matter is still unclear.
>
> Could you check the following items at least?
> - The security policy was correctly loaded?
> If OK, the kernel exports log messages as Stephen noted.
>
>
>
> yes, I will surely check for this, and let you know the results.
>
>
> - What kind of matter you faced when you build busybox and libselinux?
> If you modified the code, what kind of changes were applied?
>
> - Is the filesystem correctly labeled?
> If files don't have valid security context, SELinux considers all the
> files have "unlabeled_t" context, but it is not expected for reference
> policy.
>
> Right now, I doubt your /sbin/init could not load the security policy
> correctly. SELinux performs permissive mode, if it failed to load the
> policy. So, you can see the login prompt without any fails, because it
> means bootstrap sequence was correctly done.
>
> Also note that /sbin/init applet of busybox also support to load the
> policy at first. If you applied different binary, it needs to be
> replaced.
>
>
> I have replaced the binary.
>
> Thanks guys for your support, let me come up with results.
>
>
> Thanks,
>
> > Thanks,
> >
> > > On Wed, Mar 17, 2010 at 11:38 AM, Manvendra Pratap Singh
> > > <manav.emb@gmail.com> wrote:
> > >
> > > Thanks for reply KaiGai Kohei, I will follow your suggestion and let
> > > you know about it.
> > >
> > > ---
> > > Manav
> > > Hyderabad
> > >
> > > 2010/3/17 KaiGai Kohei <kaigai@ak.jp.nec.com>
> > >
> > > (2010/03/17 13:22), Manvendra Pratap Singh wrote:
> > > > Can anyone suggest me a good guide for SELinux on omap3 (beagleboard). I
> > > > tried it myself but I am not able to login after booting. On logging in
> > > > as root I get a msg "Can't get SID for root". Please help me on this
> > > > issue. Here take a look at boot-log.
> > > >
> > > >
> > > > [ 0.000000] Security Framework initialized
> > > > [ 0.000000] SELinux: Initializing.
> > > >
> > > >
> > > > beagleboard login: root
> > > > login: can't get SID for root
> > >
> > > This message comes from logind applet of busybox.
> > >
> > > It tries to fetch the default security context of the root session.
> > >
> > > Put "/etc/selinux/<SELINUXTYPE>/contexts/default_contexts" or
> > > "/etc/selinux/<SELINUXTYPE>/contexts/users/root" correctly, and
> > > try it again.
> > >
> > > Thanks,
> > >
> > > >
> > > > Embinux Linux 1.1 beagleboard ttyS2
> > > >
> > > > beagleboard login:
> > > >
> > > >
> > > >
> > > > ---
> > > > Manav
> > > > Hyderabad
> > > >
> > > >
> > > >
> > > > On Thu, Mar 11, 2010 at 3:38 PM, Manvendra Pratap Singh
> > > > <manav.emb@gmail.com> wrote:
> > > >
> > > > Thanks for the information. I asked about working busybox and linux
> > > > kernel versions because when I am enabling selinux in busybox
> > > > (1.13.0), it is giving me a lot of compilation errors and I think some
> > > > code is also missing. Although the kernel (2.6.29) which I am using
> > > > is working fine. If you tell anything more on this then it will be a
> > > > great help.
> > > >
> > > >
> > > > --
> > > > Manav
> > > > Hyderabad
> > > >
> > > >
> > > >
> > > > On Wed, Mar 10, 2010 at 11:19 PM, Stephen Smalley
> > > > <sds@tycho.nsa.gov> wrote:
> > > >
> > > > On Wed, 2010-03-10 at 22:44 +0530, Manvendra Pratap Singh wrote:
> > > > > Hi Stephen,
> > > > >
> > > > > Maybe I could not make myself clear to you. My question was not about
> > > > > linux on omap3, it was about SELinux on omap3. Anyways thanks for your
> > > > > reply. I will check the links given by you.
> > > >
> > > > SELinux isn't platform-specific, and is a component of the Linux 2.6
> > > > kernel.
> > > >
> > > > --
> > > > Stephen Smalley
> > > > National Security Agency
> > > >
> > > >
> > > >
> > >
> > >
> > > --
> > > KaiGai Kohei <kaigai@ak.jp.nec.com>
> > >
> > >
> > >
> > >
> > >
> > > --
> > > Manav
> > > Hyderabad
> >
> >
> > --
> > KaiGai Kohei <kaigai@ak.jp.nec.com>
> >
> >
> >
> >
> > --
> > Manav
> > Hyderabad
>
>
> --
> KaiGai Kohei <kaigai@ak.jp.nec.com>
>
>
>
>
> --
> Manav
> Hyderabad
--
KaiGai Kohei <kaigai@ak.jp.nec.com>
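
The lookup discussed in this thread (an entry in default_contexts or users/root must match the login process's context, and a process left in kernel_t, init_t or initrc_t finds none), as an added example that is not part of the original message and is not libselinux code. It is a simplified model that assumes an entry matches on role:type; the sample entries and the helper names `write_sample`, `role_type` and `default_candidates` are constructed for illustration.

```shell
#!/bin/sh
# Simplified model of the lookup behind "can't get SID for root".
# Assumption: an entry applies when its first field has the same role:type
# as the login process. This is not libselinux code.

# write_sample FILE: constructed default_contexts-style entries.
write_sample() {
    cat > "$1" <<'EOF'
# source (role:type[:range])    candidate contexts for the new session
system_r:local_login_t:s0  user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
system_r:sshd_t:s0         user_r:user_t:s0 staff_r:staff_t:s0
EOF
}

# role_type CONTEXT: print "role:type" of user:role:type[:range].
role_type() {
    printf '%s\n' "$1" | awk -F: 'NF >= 3 { print $2 ":" $3 }'
}

# default_candidates FILE FROMCON: print the candidates of the first entry
# matching FROMCON, one per line; return 1 when no entry matches.
default_candidates() {
    want=$(role_type "$2")
    [ -n "$want" ] || return 2          # FROMCON is not a full context
    awk -v want="$want" '
        NF == 0 || $1 ~ /^#/ { next }   # skip blank lines and comments
        {
            split($1, f, ":")
            if ((f[1] ":" f[2]) == want) {
                for (i = 2; i <= NF; i++) print $i
                found = 1
                exit
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Demo on constructed contexts: a login domain, then the kernel_t case.
sample=$(mktemp)
write_sample "$sample"
for con in system_u:system_r:local_login_t:s0 system_u:system_r:kernel_t:s0; do
    if out=$(default_candidates "$sample" "$con"); then
        echo "$con ->" $out
    else
        echo "$con -> no matching entry"
    fi
done
rm -f "$sample"
```

On a target, the login process's own context can be read from /proc/<pid>/attr/current and passed as the second argument.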