* SELinux doesn't work on t4240qds
From: zhenhua.luo @ 2014-07-22 15:11 UTC
To: yocto@yoctoproject.org

Hi all,

I use the meta-selinux layer to build a core-image-selinux rootfs image, and build kernel with following options enabled.

CONFIG_AUDIT=y
CONFIG_NETWORK_SECMARK=y
CONFIG_EXT2_FS_SECURITY=y
CONFIG_EXT3_FS_SECURITY=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_JFS_SECURITY=y
CONFIG_REISERFS_FS_SECURITY=y
CONFIG_JFFS2_FS_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1

I use the generated images to boot up FSL PPC t4240qds board(tried both NFS boot and RAM boot with ext2.gz.u-boot rootfs), the SELinux is not turned on after kernel boot up.

following is some information in rootfs.

root@t4240qds:~# sestatus
SELinux status: disabled
root@t4240qds:~#
root@t4240qds:~# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# standard - Standard Security protection.
# mls - Multi Level Security protection.
SELINUXTYPE=mls
root@t4240qds:~# cat /proc/cmdline
root=/dev/ram rw console=ttyS0,115200 selinux=1
root@t4240qds:~# setenforce 1
setenforce: SELinux is disabled
root@t4240qds:~# getenforce
Disabled
root@t4240qds:~#

Can somebody shed some light on the issue?

Best Regards,

Zhenhua

* Re: SELinux doesn't work on t4240qds
From: Mark Hatle @ 2014-07-22 17:30 UTC
To: yocto

On 7/22/14, 10:11 AM, zhenhua.luo@freescale.com wrote:
> Hi all,

Which release are you using.

The last version I used w/ meta-selinux was the 1.5 release.

We're planning on updating it to master in the 'near' future [patches welcome!], and I've been told by a few others of success w/ 1.7.

Did you enable the 'selinux' distribution flag?

If so, it should have enabled all of the components necessary for this stuff to be enabled.

--Mark

> I use the meta-selinux layer to build a core-image-selinux rootfs image, and
> build kernel with following options enabled.
>
> CONFIG_AUDIT=y
> CONFIG_NETWORK_SECMARK=y
> CONFIG_EXT2_FS_SECURITY=y
> CONFIG_EXT3_FS_SECURITY=y
> CONFIG_EXT4_FS_SECURITY=y
> CONFIG_JFS_SECURITY=y
> CONFIG_REISERFS_FS_SECURITY=y
> CONFIG_JFFS2_FS_SECURITY=y
> CONFIG_SECURITY_NETWORK=y
> CONFIG_SECURITY_SELINUX=y
> CONFIG_SECURITY_SELINUX_BOOTPARAM=y
> CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
> CONFIG_SECURITY_SELINUX_DISABLE=y
> CONFIG_SECURITY_SELINUX_DEVELOP=y
> CONFIG_SECURITY_SELINUX_AVC_STATS=y
> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
>
> I use the generated images to boot up FSL PPC t4240qds board(tried both NFS boot
> and RAM boot with ext2.gz.u-boot rootfs), the SELinux is not turned on after
> kernel boot up.
>
> following is some information in rootfs.
>
> root@t4240qds:~# sestatus
> SELinux status: disabled
> root@t4240qds:~#
> root@t4240qds:~# cat /etc/selinux/config
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> # enforcing - SELinux security policy is enforced.
> # permissive - SELinux prints warnings instead of enforcing.

* Re: SELinux doesn't work on t4240qds
From: zhenhua.luo @ 2014-07-23 2:28 UTC
To: Mark Hatle, yocto@yoctoproject.org

Hi Mark,

Thanks for your comments.

> -----Original Message-----
> From: yocto-bounces@yoctoproject.org [mailto:yocto-
> bounces@yoctoproject.org] On Behalf Of Mark Hatle
>
> On 7/22/14, 10:11 AM, zhenhua.luo@freescale.com wrote:
> > Hi all,
>
> Which release are you using.
[Luo Zhenhua-B19537] I tried poky daisy + meta-fsl-ppc master + meta-selinux master

> The last version I used w/ meta-selinux was the 1.5 release.
>
> We're planning on updating it to master in the 'near' future [patches
> welcome!], and I've been told by a few others of success w/ 1.7.
[Luo Zhenhua-B19537] I will try master and dora.

> Did you enable the 'selinux' distribution flag?
> If so, it should have enabled all of the components necessary for this stuff to be enabled.
[Luo Zhenhua-B19537] Yes, selinux is in DISTRO_FEATURES.


Best Regards,

Zhenhua

> --Mark
>
> > I use the meta-selinux layer to build a core-image-selinux rootfs
> > image, and build kernel with following options enabled.

* Re: SELinux doesn't work on t4240qds
From: zhenhua.luo @ 2014-07-23 12:15 UTC
To: yocto@yoctoproject.org

I tried dora(poky + meta-selinux + meta-fsl-ppc), following error message appears during kernel boot up, please help.

RAMDISK: gzip image found at block 0
VFS: Mounted root (ext2 filesystem) on device 1:0.
devtmpfs: mounted
Freeing unused kernel memory: 340k freed
Mount failed for selinuxfs on /sys/fs/selinux: No such file or directory
Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.
Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100

Call Trace:
[c0000002f9143ae0] [c000000000008b2c] .show_stack+0x7c/0x1f0 (unreliable)
[c0000002f9143bb0] [c000000000816e48] .panic+0xec/0x24c
[c0000002f9143c40] [c00000000003d094] .do_exit+0x964/0xa40
[c0000002f9143d30] [c00000000003e354] .do_group_exit+0x54/0xf0
[c0000002f9143dc0] [c00000000003e404] .SyS_exit_group+0x14/0x20
[c0000002f9143e30] [c000000000000598] syscall_exit+0x0/0x88
Rebooting in 180 seconds..

Best Regards,

Zhenhua

> -----Original Message-----
> From: yocto-bounces@yoctoproject.org [mailto:yocto-
> bounces@yoctoproject.org] On Behalf Of zhenhua.luo@freescale.com
> Sent: Wednesday, July 23, 2014 10:29 AM
> To: Mark Hatle; yocto@yoctoproject.org
> Subject: Re: [yocto] SELinux doesn't work on t4240qds
>
> Hi Mark,
>
> Thanks for your comments.
>
> > -----Original Message-----
> > From: yocto-bounces@yoctoproject.org [mailto:yocto-
> > bounces@yoctoproject.org] On Behalf Of Mark Hatle
> >
> > On 7/22/14, 10:11 AM, zhenhua.luo@freescale.com wrote:
> > > Hi all,
> >
> > Which release are you using.
> [Luo Zhenhua-B19537] I tried poky daisy + meta-fsl-ppc master + meta-
> selinux master
>
> > The last version I used w/ meta-selinux was the 1.5 release.

* Re: SELinux doesn't work on t4240qds
From: Mark Hatle @ 2014-07-23 14:41 UTC
To: yocto

On 7/23/14, 7:15 AM, zhenhua.luo@freescale.com wrote:
> I tried dora(poky + meta-selinux + meta-fsl-ppc), following error message appears during kernel boot up, please help.
>
> RAMDISK: gzip image found at block 0
> VFS: Mounted root (ext2 filesystem) on device 1:0.
> devtmpfs: mounted
> Freeing unused kernel memory: 340k freed
> Mount failed for selinuxfs on /sys/fs/selinux: No such file or directory

Sounds like the selinuxfs was not enabled -- or the /sys/fs/selinux mount point was not created by default. I'd start with suspecting the kernel configuration, and then look to see if the early init scripts for selinux are incorrect and need to add that mount point.

--Mark

> Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.
> Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000100
>
> Call Trace:
> [c0000002f9143ae0] [c000000000008b2c] .show_stack+0x7c/0x1f0 (unreliable)
> [c0000002f9143bb0] [c000000000816e48] .panic+0xec/0x24c
> [c0000002f9143c40] [c00000000003d094] .do_exit+0x964/0xa40
> [c0000002f9143d30] [c00000000003e354] .do_group_exit+0x54/0xf0
> [c0000002f9143dc0] [c00000000003e404] .SyS_exit_group+0x14/0x20
> [c0000002f9143e30] [c000000000000598] syscall_exit+0x0/0x88
> Rebooting in 180 seconds..
>
>
> Best Regards,
>
> Zhenhua
>
>
>> -----Original Message-----
>> From: yocto-bounces@yoctoproject.org [mailto:yocto-
>> bounces@yoctoproject.org] On Behalf Of zhenhua.luo@freescale.com
>> Sent: Wednesday, July 23, 2014 10:29 AM
>> To: Mark Hatle; yocto@yoctoproject.org
>> Subject: Re: [yocto] SELinux doesn't work on t4240qds
>>
>> Hi Mark,
>>
>> Thanks for your comments.

* Re: SELinux doesn't work on t4240qds
From: zhenhua.luo @ 2014-07-24 12:08 UTC
To: Mark Hatle; +Cc: yocto@yoctoproject.org

Hi Mark,

> -----Original Message-----
> From: yocto-bounces@yoctoproject.org [mailto:yocto-
> bounces@yoctoproject.org] On Behalf Of Mark Hatle
> Sent: Wednesday, July 23, 2014 10:41 PM
> To: yocto@yoctoproject.org
> Subject: Re: [yocto] SELinux doesn't work on t4240qds
>
> On 7/23/14, 7:15 AM, zhenhua.luo@freescale.com wrote:
> > I tried dora(poky + meta-selinux + meta-fsl-ppc), following error
> message appears during kernel boot up, please help.
> >
> > RAMDISK: gzip image found at block 0
> > VFS: Mounted root (ext2 filesystem) on device 1:0.
> > devtmpfs: mounted
> > Freeing unused kernel memory: 340k freed Mount failed for selinuxfs on
> > /sys/fs/selinux: No such file or directory
>
> Sounds like the selinuxfs was not enabled -- or the /sys/fs/selinux mount
> point was not created by default. I'd start with suspecting the kernel
> configuration, and then look to see if the early init scripts for selinux
> are incorrect and need to add that mount point.
[Luo Zhenhua-B19537] The selinuxfs is not enabled in kernel, selinux permissive mode can be boot up successfully after enabling this option.
The enforce mode can't boot up successfully, I am not sure what's the reason. Following is the log.

type=1403 audit(1600153052.391:2): policy loaded auid=4294967295 ses=4294967295
type=1400 audit(1600153052.403:3): avc: denied { execmem } for pid=1 comm="init" scontext=system_u:system_r:kernel_t:s15:c0.c1023 tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=process
Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b

Call Trace:
[c0000002f915f890] [c000000000008b2c] .show_stack+0x7c/0x1f0 (unreliable)
[c0000002f915f960] [c000000000816868] .panic+0xec/0x24c
[c0000002f915f9f0] [c00000000003d094] .do_exit+0x964/0xa40
[c0000002f915fae0] [c00000000003e354] .do_group_exit+0x54/0xf0
[c0000002f915fb70] [c00000000004d0a0] .get_signal_to_deliver+0x1e0/0x670
[c0000002f915fc70] [c00000000000aa44] .do_signal+0x54/0x2d0
[c0000002f915fdb0] [c00000000000adf8] .do_notify_resume+0x68/0x80
[c0000002f915fe30] [c000000000000b18] .ret_from_except_lite+0x44/0x48

Best Regards,

Zhenhua

> --Mark
>
> > Unable to load SELinux Policy. Machine is in enforcing mode. Halting
> now.
> > Kernel panic - not syncing: Attempted to kill init!
> > exitcode=0x00000100
> >
> > Call Trace:
> > [c0000002f9143ae0] [c000000000008b2c] .show_stack+0x7c/0x1f0 (unreliable)
> > [c0000002f9143bb0] [c000000000816e48] .panic+0xec/0x24c
> > [c0000002f9143c40] [c00000000003d094] .do_exit+0x964/0xa40
> > [c0000002f9143d30] [c00000000003e354] .do_group_exit+0x54/0xf0
> > [c0000002f9143dc0] [c00000000003e404] .SyS_exit_group+0x14/0x20
> > [c0000002f9143e30] [c000000000000598] syscall_exit+0x0/0x88
> > Rebooting in 180 seconds..
> >
> >
> > Best Regards,
> >
> > Zhenhua
> >
> >
> >> -----Original Message-----
> >> From: yocto-bounces@yoctoproject.org [mailto:yocto-
> >> bounces@yoctoproject.org] On Behalf Of zhenhua.luo@freescale.com
> >> Sent: Wednesday, July 23, 2014 10:29 AM
> >> To: Mark Hatle; yocto@yoctoproject.org
> >> Subject: Re: [yocto] SELinux doesn't work on t4240qds
> >>
> >> Hi Mark,
> >>
> >> Thanks for your comments.
> >>
> >>> -----Original Message-----
> >>> From: yocto-bounces@yoctoproject.org [mailto:yocto-
> >>> bounces@yoctoproject.org] On Behalf Of Mark Hatle
> >>>
> >>> On 7/22/14, 10:11 AM, zhenhua.luo@freescale.com wrote:
> >>>> Hi all,
> >>>
> >>> Which release are you using.
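
The checks this thread converges on (kernel support for selinuxfs, the /sys/fs/selinux mount point, the boot parameters, and the policy named in /etc/selinux/config), collected into a pre-flight script. This is an added example, not code from the thread or from meta-selinux; the function name `selinux_preflight` and its optional root-prefix argument are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not code from the thread. Pre-flight for the two symptoms
# reported above: "SELinux status: disabled" and
# "Mount failed for selinuxfs on /sys/fs/selinux".
# The optional prefix argument is hypothetical: it lets the checks run against
# a test tree. On the target, call the function with no argument.

selinux_preflight() {
    pf_root="${1:-}"
    pf_fail=0

    # 1. The running kernel must have registered the selinuxfs filesystem type.
    if grep -qw selinuxfs "$pf_root/proc/filesystems" 2>/dev/null; then
        echo "ok: selinuxfs registered in /proc/filesystems"
    else
        echo "FAIL: selinuxfs missing from /proc/filesystems (not built in, or disabled at boot)"
        pf_fail=$((pf_fail + 1))
    fi

    # 2. libselinux mounts selinuxfs on /sys/fs/selinux and falls back to
    #    /selinux; one of the two directories has to exist at policy load time.
    if [ -d "$pf_root/sys/fs/selinux" ] || [ -d "$pf_root/selinux" ]; then
        echo "ok: selinuxfs mount point present"
    else
        echo "FAIL: neither /sys/fs/selinux nor /selinux exists"
        pf_fail=$((pf_fail + 1))
    fi

    # 3. Boot parameters: selinux=0 disables SELinux, enforcing=0|1 sets the mode.
    pf_cmdline=" $(cat "$pf_root/proc/cmdline" 2>/dev/null) "
    case "$pf_cmdline" in
        *" selinux=0 "*)
            echo "FAIL: selinux=0 on the kernel command line"
            pf_fail=$((pf_fail + 1)) ;;
        *" selinux=1 "*)
            echo "ok: selinux=1 on the kernel command line" ;;
        *)
            echo "info: no selinux= boot parameter, kernel default applies" ;;
    esac
    case "$pf_cmdline" in
        *" enforcing="*)
            pf_boot=${pf_cmdline##* enforcing=}
            echo "info: boot parameter enforcing=${pf_boot%% *} overrides the configured mode" ;;
    esac

    # 4. /etc/selinux/config must name a policy type whose binary policy is installed.
    pf_cfg="$pf_root/etc/selinux/config"
    pf_cfgmode=$(sed -n 's/^SELINUX=//p' "$pf_cfg" 2>/dev/null | tail -n 1)
    pf_type=$(sed -n 's/^SELINUXTYPE=//p' "$pf_cfg" 2>/dev/null | tail -n 1)
    echo "info: config requests SELINUX=${pf_cfgmode:-unset} SELINUXTYPE=${pf_type:-unset}"
    if [ -n "$pf_type" ] &&
       ls "$pf_root/etc/selinux/$pf_type/policy/policy."* >/dev/null 2>&1; then
        echo "ok: binary policy found for $pf_type"
    else
        echo "FAIL: no binary policy under /etc/selinux/${pf_type:-?}/policy"
        pf_fail=$((pf_fail + 1))
    fi

    # The boot log in the thread shows the consequence: in enforcing mode,
    # init halts when the policy cannot be loaded.
    if [ "$pf_fail" -gt 0 ] && [ "$pf_cfgmode" = "enforcing" ]; then
        echo "warn: SELINUX=enforcing with the problems above: init halts if the policy cannot be loaded"
    fi

    echo "summary: $pf_fail blocking problem(s)"
    [ "$pf_fail" -eq 0 ]
}

# Run on the target as: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    selinux_preflight "${2:-}"
    exit $?
fi
```

Running it from a permissive boot or a rescue shell before switching SELINUX=enforcing avoids finding the problem through a kernel panic.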

* Re: SELinux doesn't work on t4240qds
From: Mark Hatle @ 2014-07-23 14:37 UTC
To: zhenhua.luo@freescale.com, yocto@yoctoproject.org

On 7/22/14, 9:28 PM, zhenhua.luo@freescale.com wrote:
> Hi Mark,
>
> Thanks for your comments.
>
>> -----Original Message-----
>> From: yocto-bounces@yoctoproject.org [mailto:yocto-
>> bounces@yoctoproject.org] On Behalf Of Mark Hatle
>>
>> On 7/22/14, 10:11 AM, zhenhua.luo@freescale.com wrote:
>>> Hi all,
>>
>> Which release are you using.
> [Luo Zhenhua-B19537] I tried poky daisy + meta-fsl-ppc master + meta-selinux master

This makes me suspect a kernel issue. The last time I looked at meta-fsl-ppc, it had a custom kernel (didn't use the linux-yocto kernel).

It appears (based on your original message) that all of the needed values were enabled:

http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-kernel/linux/linux-yocto/selinux.cfg

So I'm at a loss to explain the issue. The only other suggestion would be to pass 'selinux=1' or is it 'enforce=1' on the command line and see if that starts the system up in enforcing mode.

>> The last version I used w/ meta-selinux was the 1.5 release.
>>
>> We're planning on updating it to master in the 'near' future [patches
>> welcome!], and I've been told by a few others of success w/ 1.7.

(I meant 1.6 above BTW, since there is no 1.7 yet.)

> [Luo Zhenhua-B19537] I will try master and dora.

Try dora, it's possible there is something minor that isn't right.

>> Did you enable the 'selinux' distribution flag?
>> If so, it should have enabled all of the components necessary for this stuff to be enabled.
> [Luo Zhenhua-B19537] Yes, selinux is in DISTRO_FEATURES.

That should be what was needed. The first boot should provision the system and reboot. After that things should be enabled and functional.

--Mark

>
> Best Regards,
>
> Zhenhua
>
>> --Mark
>>
>>> I use the meta-selinux layer to build a core-image-selinux rootfs
>>> image, and build kernel with following options enabled.
>>>
>>> CONFIG_AUDIT=y
>>> CONFIG_NETWORK_SECMARK=y
>>> CONFIG_EXT2_FS_SECURITY=y
>>> CONFIG_EXT3_FS_SECURITY=y
>>> CONFIG_EXT4_FS_SECURITY=y
>>> CONFIG_JFS_SECURITY=y
>>> CONFIG_REISERFS_FS_SECURITY=y
>>> CONFIG_JFFS2_FS_SECURITY=y
>>> CONFIG_SECURITY_NETWORK=y
>>> CONFIG_SECURITY_SELINUX=y
>>> CONFIG_SECURITY_SELINUX_BOOTPARAM=y
>>> CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
>>> CONFIG_SECURITY_SELINUX_DISABLE=y
>>> CONFIG_SECURITY_SELINUX_DEVELOP=y
>>> CONFIG_SECURITY_SELINUX_AVC_STATS=y
>>> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
>>>
>>> I use the generated images to boot up FSL PPC t4240qds board(tried
>>> both NFS boot and RAM boot with ext2.gz.u-boot rootfs), the SELinux is
>>> not turned on after kernel boot up.
>>>
>>> following is some information in rootfs.
>>>
>>> root@t4240qds:~# sestatus
>>> SELinux status: disabled
>>> root@t4240qds:~#
>>> root@t4240qds:~# cat /etc/selinux/config
>>> # This file controls the state of SELinux on the system.
>>> # SELINUX= can take one of these three values:
>>> # enforcing - SELinux security policy is enforced.
>>> # permissive - SELinux prints warnings instead of enforcing.
>>> # disabled - No SELinux policy is loaded.
>>> SELINUX=enforcing
>>> # SELINUXTYPE= can take one of these two values:
>>> # standard - Standard Security protection.
>>> # mls - Multi Level Security protection.
>>> SELINUXTYPE=mls
>>> root@t4240qds:~# cat /proc/cmdline
>>> root=/dev/ram rw console=ttyS0,115200 selinux=1
>>> root@t4240qds:~# setenforce 1
>>> setenforce: SELinux is disabled
>>> root@t4240qds:~# getenforce
>>> Disabled
>>> root@t4240qds:~#
>>>
>>> Can somebody shed some light on the issue?